This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element name="Observable_Package_Source" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Package_Source field is optional and enables descriptive specification of how this package of Observables was identified and specified.</xs:documentation></xs:annotation></xs:element>
Element cybox:Observable
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Observable construct represents a description of a single cyber observable.
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType"><xs:annotation><xs:documentation>The Observable construct represents a description of a single cyber observable.</xs:documentation></xs:annotation><xs:unique name="unique-observable-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
The Title field provides a mechanism to specify a short title or description for this Observable.
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a mechanism to specify a short title or description for this Observable.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Observable.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Keywords" type="cybox:KeywordsType" minOccurs="0" maxOccurs="1"><xs:annotation><xs:documentation>Keywords enables capture of relevant keywords for this cyber observable.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Keyword" type="xs:string" minOccurs="1" maxOccurs="unbounded"><xs:annotation><xs:documentation>Each keyword element contains one keyword.</xs:documentation></xs:annotation></xs:element>
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element name="Observable_Source" type="cyboxCommon:MeasureSourceType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.</xs:documentation></xs:annotation></xs:element>
Element cybox:Object
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="Object" type="cybox:ObjectType"><xs:annotation><xs:documentation>The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).</xs:documentation></xs:annotation><xs:unique name="unique-object-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
The State field enables the description of the current state of the object, through a standardized controlled vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="State" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="1"><xs:annotation><xs:documentation>The State field enables the description of the current state of the object, through a standardized controlled vocabulary.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Object.</xs:documentation></xs:annotation></xs:element>
The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. The set of Properties schemas are maintained independent of the core CybOX schema.
The object_reference field specifies a unique ID reference to an Object defined elsewhere. This construct allows for the re-use of the defined Properties of one Object within another, without the need to embed the full Object in the location from which it is being referenced. Thus, this ID reference is intended to resolve to the Properties of the Object that it points to.
Source
<xs:element name="Properties" type="cyboxCommon:ObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. The set of Properties schemas are maintained independent of the core CybOX schema.</xs:documentation></xs:annotation></xs:element>
Element cybox:ObjectType / cybox:Domain_Specific_Object_Properties
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Domain_Specific_Object_Properties construct is an abstract-type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
<xs:element name="Domain_Specific_Object_Properties" type="cybox:DomainSpecificObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Domain_Specific_Object_Properties construct is of an Abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.</xs:documentation></xs:annotation></xs:element>
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Specifies a reference to a unique ID defined elsewhere.
Source
<xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Objects" type="cybox:RelatedObjectsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Objects construct is optional and enables the identification and/or specification of Objects with relevant relationships with this Object.</xs:documentation></xs:annotation></xs:element>
The Related_Object construct is optional and enables the identification and/or specification of a single Object with relevant relationships with this Object.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="Related_Object" type="cybox:RelatedObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Object construct is optional and enables the identification and/or specification of a single Object with relevant relationships with this Object.</xs:documentation></xs:annotation></xs:element>
The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:element name="Defined_Effect" type="cybox:DefinedEffectType" minOccurs="0"><xs:annotation><xs:documentation>The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.</xs:documentation></xs:annotation></xs:element>
The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element name="Discovery_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).</xs:documentation></xs:annotation></xs:element>
The Relationship field uses a standardized controlled vocabulary to capture the nature of the relationship between this Object and the Related_Object.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectRelationshipVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
When idref is specified, by design, an instance may declare a Relationship child.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Relationship" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Relationship field uses a standardized controlled vocabulary to capture the nature of the relationship between this Object and the Related_Object.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectRelationshipVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation><xs:documentation>When idref is specified, by design, an instance may declare a Relationship child.</xs:documentation></xs:annotation></xs:element>
Element cybox:Event
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
Source
<xs:element name="Event" type="cybox:EventType"><xs:annotation><xs:documentation>The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).</xs:documentation></xs:annotation><xs:unique name="unique-event-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
The Type field uses a standardized controlled vocabulary to capture what type of Event this is.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field uses a standardized controlled vocabulary to capture what type of Event this is.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Event.</xs:documentation></xs:annotation></xs:element>
The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern).
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element name="Observation_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern).</xs:documentation></xs:annotation></xs:element>
<xs:element name="Actions" type="cybox:ActionsType" minOccurs="0"><xs:annotation><xs:documentation>The Actions construct enables description/specification of one or more cyber observable actions.</xs:documentation></xs:annotation></xs:element>
Element cybox:Action
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Action construct enables description/specification of a single cyber observable action.
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Action" type="cybox:ActionType"><xs:annotation><xs:documentation>The Action construct enables description/specification of a single cyber observable action.</xs:documentation></xs:annotation><xs:unique name="unique-action-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
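The id/idref rules stated above for Observable, Object, Related_Object, Event and Action can be checked before a CybOX document is ingested. The following is an added example, not part of the CybOX schema or tooling; the sample document, the `example:` identifiers and the function names are constructed for illustration, and the "unless an extension allows it" exemption is not modelled.

```python
import xml.etree.ElementTree as ET
from collections import Counter

CYBOX_NS = "http://cybox.mitre.org/cybox-2"
# Constructs this page documents as carrying id / idref attributes.
REFERENCEABLE = {"Observable", "Object", "Related_Object", "Event", "Action"}
# The page states that a Related_Object with idref may still declare a Relationship child.
ALLOWED_WITH_IDREF = {"Related_Object": {"Relationship"}}

# Constructed sample: three valid references followed by four rule violations.
SAMPLE = """
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
                   xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-1">
    <cybox:Object id="example:Object-1">
      <cybox:Related_Objects>
        <cybox:Related_Object idref="example:Object-2">
          <cybox:Relationship>Created</cybox:Relationship>
        </cybox:Related_Object>
      </cybox:Related_Objects>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-2">
    <cybox:Object id="example:Object-2"/>
  </cybox:Observable>
  <cybox:Observable idref="example:Observable-1"/>
  <!-- id and idref on the same element -->
  <cybox:Observable id="example:Observable-3" idref="example:Observable-1"/>
  <!-- idref that resolves to nothing -->
  <cybox:Observable idref="example:Observable-9"/>
  <!-- idref together with content -->
  <cybox:Observable idref="example:Observable-2">
    <cybox:Title>shadow copy</cybox:Title>
  </cybox:Observable>
  <!-- id reused -->
  <cybox:Observable id="example:Observable-2"/>
</cybox:Observables>
"""


def local_name(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tags."""
    return tag.rsplit("}", 1)[-1]


def check_references(xml_text):
    """Return a list of (rule, identifier) findings for id/idref misuse.

    For untrusted feeds, parse with a hardened parser (for example
    defusedxml) instead of the standard-library parser used here.
    """
    root = ET.fromstring(xml_text)
    id_counts = Counter(
        e.get("id") for e in root.iter() if e.get("id") is not None
    )
    findings = []

    # Document-wide uniqueness: stricter than the per-element xs:unique
    # constraint, but required for idref resolution to be unambiguous.
    for ident, count in sorted(id_counts.items()):
        if count > 1:
            findings.append(("duplicate-id", ident))

    for elem in root.iter():
        if not elem.tag.startswith("{" + CYBOX_NS + "}"):
            continue
        name = local_name(elem.tag)
        ref = elem.get("idref")
        if name not in REFERENCEABLE or ref is None:
            continue
        # "When idref is specified, the id attribute must not be specified"
        if elem.get("id") is not None:
            findings.append(("id-with-idref", elem.get("id")))
        # The reference has to point at something defined in the document.
        if ref not in id_counts:
            findings.append(("dangling-idref", ref))
        # "... should not hold content", except Relationship on Related_Object.
        allowed = ALLOWED_WITH_IDREF.get(name, set())
        extra = [c for c in elem if local_name(c.tag) not in allowed]
        if extra or (elem.text or "").strip():
            findings.append(("content-with-idref", ref))
    return findings


if __name__ == "__main__":
    for rule, ident in check_references(SAMPLE):
        print(rule, ident)
```

A reference that carries its own content is the case to watch on ingestion, because a consumer that keeps the inline content and one that resolves the idref will end up with different data for the same element.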
The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Name" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field contains a textual description of the action.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Action_Aliases" type="cybox:ActionAliasesType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Aliases field is optional and enables identification of other potentially used names for this Action.</xs:documentation></xs:annotation></xs:element>
The Action_Alias field is optional and enables identification of a single other potentially used name for this Action.
Type
xs:string
Source
<xs:element name="Action_Alias" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action_Alias field is optional and enables identification of a single other potentially used name for this Action.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Action_Arguments" type="cybox:ActionArgumentsType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Action_Argument" type="cybox:ActionArgumentType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action_Argument construct is optional and enables the specification of a single relevant argument/parameter for this Action.</xs:documentation></xs:annotation></xs:element>
The Argument_Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific action argument utilized.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionArgumentNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Argument_Name" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Argument_Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific action argument utilized.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionArgumentNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Argument_Value field specifies the value for this action argument/parameter.
Type
xs:string
Source
<xs:element name="Argument_Value" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Argument_Value field specifies the value for this action argument/parameter.</xs:documentation></xs:annotation></xs:element>
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Specifies a reference to a unique ID defined elsewhere.
Source
<xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element>
The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).
The source_type field is optional and enables identification of the broad type of this cyber observation source.
Source
<xs:element name="Discovery_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).</xs:documentation></xs:annotation></xs:element>
The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant to (either initiating or affected by) this Action.
<xs:element name="Associated_Objects" type="cybox:AssociatedObjectsType" minOccurs="0"><xs:annotation><xs:documentation>The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant (either initiating or affected by) this Action.</xs:documentation></xs:annotation></xs:element>
The Associated_Object construct enables the description of cyber Objects associated with this Action. This could include Objects that initiated the action, are the target Objects affected by the Action, are utilized by the Action or are the returned result of the Action.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="Associated_Object" type="cybox:AssociatedObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Associated_Object construct enables the description of cyber Objects associated with this Action. This could include Objects that initiated the action, are the target Objects affected by the Action, are utilized by the Action or are the returned result of the Action.</xs:documentation></xs:annotation></xs:element>
The Association_Type field utilizes a standardized controlled vocabulary to specify the kind of association this Object holds for this Action.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionObjectAssociationTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Association_Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Association_Type field utilizes a standardized controlled vocabulary to specify the kind of association this Object holds for this Action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionObjectAssociationTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
The Action_Pertinent_Object_Properties construct is optional and identifies which of the Properties of this Object are specifically pertinent to this Action.
<xs:element name="Action_Pertinent_Object_Properties" type="cybox:ActionPertinentObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Pertinent_Object_Properties construct is optional and identifies which of the Properties of this Object are specifically pertinent to this Action.</xs:documentation></xs:annotation></xs:element>
The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.
Source
<xs:element name="Property" type="cybox:ActionPertinentObjectPropertyType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property construct identifies a single Object Property that is specifically pertinent to this Action.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Relationships" type="cybox:ActionRelationshipsType" minOccurs="0"><xs:annotation><xs:documentation>The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Relationship" type="cybox:ActionRelationshipType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Relationship construct is required and enables description of a single other cyber observable Action that is related to this Action.</xs:documentation></xs:annotation></xs:element>
The Type field utilizes a standardized controlled vocabulary to describe the nature of the relationship between this Action and the related Action.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionRelationshipTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field utilizes a standardized controlled vocabulary to describe the nature of the relationship between this Action and the related Action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionRelationshipTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
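The ANY/ALL and is_case_sensitive behaviour described for these patternable fields can be sketched as a small evaluator. This is an added example, not part of the CybOX schema or any MITRE tooling: the function name `field_matches`, the already-split value list and the sample strings are assumptions, and FitsPattern and the bitwise conditions are left out.

```python
# String conditions this page lists for is_case_sensitive. FitsPattern is
# omitted because its regular-expression dialect depends on regex_syntax.
CONDITIONS = {
    "Equals": lambda observed, value: observed == value,
    "DoesNotEqual": lambda observed, value: observed != value,
    "Contains": lambda observed, value: value in observed,
    "DoesNotContain": lambda observed, value: value not in observed,
    "StartsWith": lambda observed, value: observed.startswith(value),
    "EndsWith": lambda observed, value: observed.endswith(value),
}


def field_matches(observed, values, condition, apply_condition,
                  is_case_sensitive=True):
    """Evaluate one pattern field against one observed string.

    `values` is the field body already split into a list (how the body is
    delimited is not covered here). is_case_sensitive defaults to True, the
    default this page documents.
    """
    if not values:
        # all([]) is True in Python: an empty list under ALL would match
        # everything, so refuse it instead of evaluating it.
        raise ValueError("pattern field has no values")
    if apply_condition not in ("ANY", "ALL"):
        raise ValueError(f"unknown apply_condition {apply_condition!r}")
    if condition not in CONDITIONS:
        raise ValueError(f"unsupported condition {condition!r}")
    test = CONDITIONS[condition]
    if not is_case_sensitive:
        observed = observed.casefold()
        values = [v.casefold() for v in values]
    results = [test(observed, v) for v in values]
    return any(results) if apply_condition == "ANY" else all(results)


# Constructed sample: an observed action name and a two-value pattern list.
OBSERVED_NAME = "Create File"
PATTERN_VALUES = ["create file", "delete file"]


def demo():
    """Show where ANY and ALL diverge, especially for negated conditions."""
    return {
        "equals_any_ci": field_matches(
            OBSERVED_NAME, PATTERN_VALUES, "Equals", "ANY", False),
        "equals_any_cs": field_matches(
            OBSERVED_NAME, PATTERN_VALUES, "Equals", "ANY"),
        "equals_all_ci": field_matches(
            OBSERVED_NAME, PATTERN_VALUES, "Equals", "ALL", False),
        # A negated condition under ANY matches as soon as one listed value
        # differs, so an exclusion list only excludes under ALL.
        "not_equal_any_ci": field_matches(
            OBSERVED_NAME, PATTERN_VALUES, "DoesNotEqual", "ANY", False),
        "not_equal_all_ci": field_matches(
            OBSERVED_NAME, PATTERN_VALUES, "DoesNotEqual", "ALL", False),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

A pattern author who writes DoesNotEqual or DoesNotContain over a list and wants "none of these" needs ALL; under ANY the pattern matches almost every observed value.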
This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
This field specifies the units for this defined frequency.
Source
<xs:element name="Frequency" type="cybox:FrequencyType" minOccurs="0"><xs:annotation><xs:documentation>The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.</xs:documentation></xs:annotation></xs:element>
The Location field specifies a relevant physical location.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Specifies a reference to a unique ID defined elsewhere.
Source
<xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element>
This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
This field specifies the units for this defined frequency.
Source
<xs:element name="Frequency" type="cybox:FrequencyType" minOccurs="0"><xs:annotation><xs:documentation>The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.</xs:documentation></xs:annotation></xs:element>
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
Source
<xs:element name="Event" type="cybox:EventType"><xs:annotation><xs:documentation>This Event construct is included recursively to enable description/specification of composite Events.</xs:documentation></xs:annotation></xs:element>
The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).
The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.
Source
<xs:element name="Observable_Composition" type="cybox:ObservableCompositionType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).</xs:documentation></xs:annotation></xs:element>
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Observable construct represents a description of a single cyber observable.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Pattern_Fidelity" type="cybox:PatternFidelityType" minOccurs="0"><xs:annotation><xs:documentation>Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.</xs:documentation></xs:annotation></xs:element>
The Noisiness field is optional and enables simple characterization of how noisy this Observable typically could be. In other words, how likely is it to generate false positives.
High: Specifies that this observable has a high level of noisiness meaning a potentially high level of false positives.
Medium: Specifies that this observable has a medium level of noisiness meaning a potentially medium level of false positives.
Low: Specifies that this observable has a low level of noisiness meaning a potentially low level of false positives.
Source
<xs:element name="Noisiness" type="cybox:NoisinessEnum" minOccurs="0"><xs:annotation><xs:documentation>The Noisiness field is optional and enables simple characterization of how noisy this Observable typically could be. In other words, how likely is it to generate false positives.</xs:documentation></xs:annotation></xs:element>
The Ease_of_Obfuscation field is optional and enables simple characterization of how easy it would be for an attacker to obfuscate the observability of this Observable.
High: Specifies that this observable is very easy to obfuscate and hide.
Medium: Specifies that this observable is somewhat easy to obfuscate and hide.
Low: Specifies that this observable is not very easy to obfuscate and hide.
Source
<xs:element name="Ease_of_Evasion" type="cybox:EaseOfObfuscationEnum" minOccurs="0"><xs:annotation><xs:documentation>The Ease_of_Obfuscation field is optional and enables simple characterization of how easy it would be for an attacker to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element>
The Obfuscation_Techniques field is optional and enables the description of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
<xs:element name="Evasion_Techniques" type="cybox:ObfuscationTechniquesType" minOccurs="0"><xs:annotation><xs:documentation>The Obfuscation_Techniques field is optional and enables the description of potential techniques an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element>
The Obfuscation_Technique field is optional and enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
<xs:element name="Obfuscation_Technique" type="cybox:ObfuscationTechniqueType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Obfuscation_Technique field is optional and enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the CybOX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Description field captures a structured text description of the obfuscation technique.</xs:documentation></xs:annotation></xs:element>
The Observables construct is optional and enables description of potential cyber observables that could indicate the use of this particular obfuscation technique.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Observables construct is optional and enables description of potential cyber observables that could indicate the use of this particular obfuscation technique.</xs:documentation></xs:annotation></xs:element>
The Pools construct enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
<xs:element name="Pools" type="cybox:PoolsType" minOccurs="0"><xs:annotation><xs:documentation>The Pools construct enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element>
The Event_Pool construct enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
<xs:element name="Event_Pool" type="cybox:EventPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Event_Pool construct enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element>
The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
Source
<xs:element name="Event" type="cybox:EventType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).</xs:documentation></xs:annotation></xs:element>
The Action_Pool construct enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
<xs:element name="Action_Pool" type="cybox:ActionPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Pool construct enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element>
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Action" type="cybox:ActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action construct enables description/specification of a single cyber observable action.</xs:documentation></xs:annotation></xs:element>
The Object_Pool construct enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
<xs:element name="Object_Pool" type="cybox:ObjectPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Object_Pool construct enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="Object" type="cybox:ObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).</xs:documentation></xs:annotation></xs:element>
The Property_Pool construct enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
<xs:element name="Property_Pool" type="cybox:PropertyPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Property_Pool construct enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element>
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The idref field specifies a unique ID reference for this Object Property.
When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.
It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).
This field is intended to be applicable only to fields which contain string values.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Property" type="cyboxCommon:PropertyType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property construct enables the specification of a single Object Property.</xs:documentation></xs:annotation></xs:element>
Element cybox:Observables
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Observables construct represents a collection of cyber observables.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:element name="Observables" type="cybox:ObservablesType"><xs:annotation><xs:documentation>The Observables construct represents a collection of cyber observables.</xs:documentation></xs:annotation><xs:unique name="unique-observables-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="Old_Object" type="cybox:ObjectType" minOccurs="0"><xs:annotation><xs:documentation>The Old_Object construct specifies the object and its properties as they were before the state change effect occurred.</xs:documentation></xs:annotation></xs:element>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:element name="New_Object" type="cybox:ObjectType"><xs:annotation><xs:documentation>The New_Object construct specifies the object and its properties as they are after the state change effect occurred.</xs:documentation></xs:annotation></xs:element>
The id field specifies a unique id for this data segment.
Source
<xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was read from the object by the action.</xs:documentation></xs:annotation></xs:element>
The id field specifies a unique id for this data segment.
Source
<xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was written to the object by the action.</xs:documentation></xs:annotation></xs:element>
The id field specifies a unique id for this data segment.
Source
<xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was sent on the object, or from the object, by the action.</xs:documentation></xs:annotation></xs:element>
The id field specifies a unique id for this data segment.
Source
<xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was received on the object, or from the object, by the action.</xs:documentation></xs:annotation></xs:element>
The Name field specifies the Name of the property being read.
Type
xs:string
Source
<xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field specifies the Name of the property being read.</xs:documentation></xs:annotation></xs:element>
The Value field specifies the value of the property being read.
Type
xs:string
Source
<xs:element name="Value" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Value field specifies the value of the property being read.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Properties" type="cybox:PropertiesType"><xs:annotation><xs:documentation>The Properties field specifies the properties that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element>
The Property element specifies a single property that was enumerated as a result of the action on the object.
Type
xs:string
Source
<xs:element name="Property" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property element specifies a single property that was enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Values" type="cybox:ValuesType"><xs:annotation><xs:documentation>The Values field specifies the values that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element>
The Value field specifies a single value that was enumerated as a result of the action on the object.
Type
xs:string
Source
<xs:element name="Value" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Value field specifies a single value that was enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element>
The Control_Code field specifies the actual control code that was sent to the object.
Type
xs:string
Source
<xs:element name="Control_Code" type="xs:string"><xs:annotation><xs:documentation>The Control_Code field specifies the actual control code that was sent to the object.</xs:documentation></xs:annotation></xs:element>
Element cybox:Property
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The Property element represents the specification of a single Object Property.
This field is optional and conveys whether the associated object property value appears to be somewhat random in nature. An object property with this field set to TRUE need not provide any further information including a value. If more is known about the particular variation of randomness, a regex value could be provided to outline what is known of the structure.
This field indicates how a condition should be applied when the field body contains a list of values. (Its value is moot if the field value contains only a single value - both possible values for this field would have the same behavior.) If this field is set to ANY, then a pattern is considered to be matched if the provided condition successfully evaluates for any of the values in the field body. If the field is set to ALL, then the pattern only matches if the provided condition successfully evaluates for every value in the field body.
Used to specify a bit_mask in conjunction with one of the defined binary conditions (bitwiseAnd, bitwiseOr, and bitwiseXor). This bitmask is then used as one operand in the indicated bitwise computation.
This field is optional and conveys a reference to a description of the algorithm used to defang (representation changed to prevent malicious effects of handling/processing) this Object property.
This field is optional and conveys a targeted observation pattern of whether the associated field value has changed. This field would be leveraged within a pattern observable triggering on whether the value of a single field value has changed.
The idref field specifies a unique ID reference for this Object Property.
When idref is specified, the id attribute must not be specified, and any instance of this property should not hold content unless an extension of the property allows it.
The is_case_sensitive field is optional and should be used when specifying the case-sensitivity of a pattern which uses an Equals, DoesNotEqual, Contains, DoesNotContain, StartsWith, EndsWith, or FitsPattern condition. The default value for this field is "true" which indicates that pattern evaluations are to be considered case-sensitive.
This field is optional and conveys whether the associated Object property has been defanged (representation changed to prevent malicious effects of handling/processing).
This field is optional and specifies the encoding of the string when it is/was observed. This may be different from the encoding used to represent the string within this element.
It is strongly recommended that character set names should be taken from the IANA character set registry (https://www.iana.org/assignments/character-sets/character-sets.xhtml).
This field is intended to be applicable only to fields which contain string values.
This field is optional and defines the type of pattern used if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
This field is optional and specifies an automated transform that can be applied to the Object property content in order to refang it to its original format.
This field is optional and defines the syntax format used for a regular expression, if one is specified for the field value. This is applicable only if the Condition field is set to 'FitsPattern'.
Setting this attribute with an empty value (e.g., "") or omitting it entirely notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities, character classes, escapes, and other lexical tokens defined by the CybOX Language Specification.
Setting this attribute with a non-empty value notifies CybOX consumers and pattern evaluators that the corresponding regular expression utilizes capabilities not defined by the CybOX Language Specification. The regular expression must be evaluated through a compatible regular expression engine in this case.
This field is optional and conveys a targeted observation pattern of the nature of any trend in the associated field value. This field would be leveraged within a pattern observable triggering on the matching of a specified trend in the value of a single specified field.
Source
<xs:element name="Property" type="cyboxCommon:PropertyType"><xs:annotation><xs:documentation>The Property element represents the specification of a single Object Property.</xs:documentation></xs:annotation><xs:unique name="unique-property-id"><xs:selector xpath=".//*"/><xs:field xpath="@id"/></xs:unique></xs:element>
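The apply_condition and is_case_sensitive annotations above decide whether a list-valued Property pattern fires, and the difference matters most for negative conditions. The following Python is an added example, not code from the CybOX schema or its tooling; the function name `matches`, the sample Property elements and file names are constructed, and the `##comma##` list delimiter and the ANY default for apply_condition are assumptions that this page does not state.

```python
import xml.etree.ElementTree as ET

# Assumption: list values in a field body are separated by this token.
DELIM = "##comma##"

# String conditions named in the is_case_sensitive annotation.
# FitsPattern and the bitwise conditions are deliberately not handled here.
CONDITIONS = {
    "Equals": lambda observed, v: observed == v,
    "DoesNotEqual": lambda observed, v: observed != v,
    "Contains": lambda observed, v: v in observed,
    "DoesNotContain": lambda observed, v: v not in observed,
    "StartsWith": lambda observed, v: observed.startswith(v),
    "EndsWith": lambda observed, v: observed.endswith(v),
}

XMLNS = 'xmlns:cybox="http://cybox.mitre.org/cybox-2"'

# Constructed sample patterns (not taken from any real CybOX package).
EQ_DEFAULT_CASE = (f'<cybox:Property {XMLNS} condition="Equals">'
                   f'evil.exe{DELIM}dropper.exe</cybox:Property>')
EQ_NO_CASE = (f'<cybox:Property {XMLNS} condition="Equals" '
              f'is_case_sensitive="false">'
              f'evil.exe{DELIM}dropper.exe</cybox:Property>')
NE_ANY = (f'<cybox:Property {XMLNS} condition="DoesNotEqual" '
          f'apply_condition="ANY">'
          f'evil.exe{DELIM}dropper.exe</cybox:Property>')
NE_ALL = (f'<cybox:Property {XMLNS} condition="DoesNotEqual" '
          f'apply_condition="ALL">'
          f'evil.exe{DELIM}dropper.exe</cybox:Property>')


def matches(prop_xml, observed):
    """Evaluate one Property pattern against one observed string value."""
    el = ET.fromstring(prop_xml)
    cond = el.get("condition")
    if cond not in CONDITIONS:
        raise ValueError(f"unsupported condition: {cond!r}")
    mode = el.get("apply_condition", "ANY")  # assumed default
    if mode not in ("ANY", "ALL"):
        raise ValueError(f"bad apply_condition: {mode!r}")
    # The page gives "true" as the default for is_case_sensitive.
    case_sensitive = el.get("is_case_sensitive", "true") in ("true", "1")
    values = (el.text or "").split(DELIM)
    if not case_sensitive:
        observed = observed.casefold()
        values = [v.casefold() for v in values]
    results = [CONDITIONS[cond](observed, v) for v in values]
    return any(results) if mode == "ANY" else all(results)


if __name__ == "__main__":
    # Default case sensitivity misses an upper-cased file name.
    print(matches(EQ_DEFAULT_CASE, "EVIL.EXE"), matches(EQ_NO_CASE, "EVIL.EXE"))
    # DoesNotEqual + ANY fires even on a listed value, because the value
    # differs from the *other* list entry; ALL gives the exclusion-list meaning.
    print(matches(NE_ANY, "evil.exe"), matches(NE_ALL, "evil.exe"))
```
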
Complex Type cybox:ObservablesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObservablesType is a type representing a collection of cyber observables.
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
Source
<xs:complexType name="ObservablesType"><xs:annotation><xs:documentation>The ObservablesType is a type representing a collection of cyber observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Observable_Package_Source" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Package_Source field is optional and enables descriptive specification of how this package of Observables was identified and specified.</xs:documentation></xs:annotation></xs:element><xs:element ref="cybox:Observable" maxOccurs="unbounded"/><xs:element name="Pools" type="cybox:PoolsType" minOccurs="0"><xs:annotation><xs:documentation>The Pools construct enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="cybox_major_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="cybox_minor_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="cybox_update_version" type="xs:string" use="optional"><xs:annotation><xs:documentation>The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type cybox:ObservableType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObservableType is a type representing a description of a single cyber observable.
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:complexType name="ObservableType"><xs:annotation><xs:documentation>The ObservableType is a type representing a description of a single cyber observable.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a mechanism to specify a short title or description for this Observable.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Observable.</xs:documentation></xs:annotation></xs:element><xs:element name="Keywords" type="cybox:KeywordsType" minOccurs="0" maxOccurs="1"><xs:annotation><xs:documentation>Keywords enables capture of relevant keywords for this cyber observable.</xs:documentation></xs:annotation></xs:element><xs:element name="Observable_Source" type="cyboxCommon:MeasureSourceType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.</xs:documentation></xs:annotation></xs:element><xs:choice minOccurs="0"><xs:element ref="cybox:Object" minOccurs="0"><xs:annotation><xs:documentation>The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).</xs:documentation></xs:annotation></xs:element><xs:element ref="cybox:Event" minOccurs="0"><xs:annotation><xs:documentation>The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. 
a file is deleted, a registry key is created or an HTTP Get Request is received).</xs:documentation></xs:annotation></xs:element><xs:element name="Observable_Composition" type="cybox:ObservableCompositionType" minOccurs="0"><xs:annotation><xs:documentation>The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).</xs:documentation></xs:annotation></xs:element></xs:choice><xs:element name="Pattern_Fidelity" type="cybox:PatternFidelityType" minOccurs="0"><xs:annotation><xs:documentation>Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Observable.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Observable defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="sighting_count" type="xs:positiveInteger"><xs:annotation><xs:documentation>The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:complexType name="ObjectType"><xs:annotation><xs:documentation>The ObjectType is a complex type representing the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).</xs:documentation></xs:annotation><xs:sequence><xs:element name="State" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="1"><xs:annotation><xs:documentation>The State field enables the description of the current state of the object, through a standardized controlled vocabulary.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Object.</xs:documentation></xs:annotation></xs:element><xs:element name="Properties" type="cyboxCommon:ObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. 
The set of Properties schemas are maintained independent of the core CybOX schema.</xs:documentation></xs:annotation></xs:element><xs:element name="Domain_Specific_Object_Properties" type="cybox:DomainSpecificObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Domain_Specific_Object_Properties construct is of an Abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.</xs:documentation></xs:annotation></xs:element><xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. 
This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Objects" type="cybox:RelatedObjectsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Objects construct is optional and enables the identification and/or specification of Objects with relevant relationships with this Object.</xs:documentation></xs:annotation></xs:element><xs:element name="Defined_Effect" type="cybox:DefinedEffectType" minOccurs="0"><xs:annotation><xs:documentation>The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. 
The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.</xs:documentation></xs:annotation></xs:element><xs:element name="Discovery_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Object.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Object defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="has_changed" type="xs:boolean"><xs:annotation><xs:documentation>The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type cybox:DomainSpecificObjectPropertiesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DomainSpecificObjectPropertiesType is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
<xs:complexType name="DomainSpecificObjectPropertiesType" abstract="true"><xs:annotation><xs:documentation>The DomainSpecificObjectPropertiesType is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.</xs:documentation></xs:annotation></xs:complexType>
Complex Type cybox:RelatedObjectsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The RelatedObjectsType enables the identification and/or specification of Objects with relevant relationships with this Object.
<xs:complexType name="RelatedObjectsType"><xs:annotation><xs:documentation>The RelatedObjectsType enables the identification and/or specification of Objects with relevant relationships with this Object.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Related_Object" type="cybox:RelatedObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Object construct is optional and enables the identification and/or specification of a single Objects with relevant relationships with this Object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:RelatedObjectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The RelatedObjectType enables the identification and/or specification of an Object with a relevant relationship with this Object.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:complexType name="RelatedObjectType"><xs:annotation><xs:documentation>The RelatedObjectType enables the identification and/or specification of an Object with a relevant relationship with this Object.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:ObjectType"><xs:sequence><xs:element name="Relationship" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Relationship field uses a standardized controlled vocabulary to capture the nature of the relationship between this Object and the Related_Object.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectRelationshipVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation><xs:documentation>When idref is specified, by design, an instance may declare a Relationship child.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:DefinedEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DefinedEffectType is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="DefinedEffectType" abstract="true"><xs:annotation><xs:documentation>The DefinedEffectType is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.</xs:documentation></xs:annotation><xs:attribute name="effect_type" type="cybox:EffectTypeEnum"><xs:annotation><xs:documentation>The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type cybox:EffectTypeEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
EffectTypeEnum is a (non-exhaustive) enumeration of effect types.
Type
restriction of xs:string
Facets
enumeration State_Changed: Specifies that the associated Action had an effect on the Object of changing its state.
enumeration Data_Read: Specifies that the associated Action had an effect on the Object of reading data from it.
enumeration Data_Written: Specifies that the associated Action had an effect on the Object of writing data to it.
enumeration Data_Sent: Specifies that the associated Action had an effect on the Object of sending data to it.
enumeration Data_Received: Specifies that the associated Action had an effect on the Object of receiving data from it.
enumeration Properties_Read: Specifies that the associated Action had an effect on the Object of reading properties from it.
enumeration Properties_Enumerated: Specifies that the associated Action had an effect on the Object of enumerating properties from it.
enumeration Values_Enumerated: Specifies that the associated Action had an effect on the Object of enumerating values from it.
enumeration ControlCode_Sent: Specifies that the associated Action had an effect on the Object of having a control code sent to it.
<xs:simpleType name="EffectTypeEnum"><xs:annotation><xs:documentation>EffectTypeEnum is a (non-exhaustive) enumeration of effect types.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="State_Changed"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of changing its state.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Data_Read"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of reading data from it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Data_Written"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of writing data to it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Data_Sent"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of sending data to it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Data_Received"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of receiving data from it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Properties_Read"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of reading properties from it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Properties_Enumerated"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of enumerating properties from it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Values_Enumerated"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of enumerating values from it.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration 
value="ControlCode_Sent"><xs:annotation><xs:documentation>Specifies that the associated Action had an effect on the Object of having a control code sent to it.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type cybox:EventType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The EventType is a complex type representing a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
Source
<xs:complexType name="EventType"><xs:annotation><xs:documentation>The EventType is a complex type representing a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).</xs:documentation></xs:annotation><xs:choice><xs:sequence><xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field uses a standardized controlled vocabulary to capture what type of Event this is.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a mechanism to specify a structured text description of this Event.</xs:documentation></xs:annotation></xs:element><xs:element name="Observation_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event 
pattern).</xs:documentation></xs:annotation></xs:element><xs:element name="Actions" type="cybox:ActionsType" minOccurs="0"><xs:annotation><xs:documentation>The Actions construct enables description/specification of one or more cyber observable actions.</xs:documentation></xs:annotation></xs:element><xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element><xs:element name="Frequency" type="cybox:FrequencyType" minOccurs="0"><xs:annotation><xs:documentation>The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:sequence maxOccurs="unbounded"><xs:element name="Event" type="cybox:EventType"><xs:annotation><xs:documentation>This Event construct is included recursively to enable description/specification of composite Events.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:choice><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Event.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Event defined elsewhere.</xs:documentation><xs:documentation>When idref 
is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type cybox:ActionsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionsType is a complex type representing a set of cyber observable actions.
<xs:complexType name="ActionsType"><xs:annotation><xs:documentation>The ActionsType is a complex type representing a set of cyber observable actions.</xs:documentation></xs:annotation><xs:sequence><xs:element ref="cybox:Action" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action construct enables description/specification of a single cyber observable action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionType is a complex type representing a single cyber observable action.
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
The timestamp_precision field represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="ActionType"><xs:annotation><xs:documentation>The ActionType is a complex type representing a single cyber observable action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Name" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. 
This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="cyboxCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field contains a textual description of the action.</xs:documentation></xs:annotation></xs:element><xs:element name="Action_Aliases" type="cybox:ActionAliasesType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Aliases field is optional and enables identification of other potentially used names for this Action.</xs:documentation></xs:annotation></xs:element><xs:element name="Action_Arguments" type="cybox:ActionArgumentsType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.</xs:documentation></xs:annotation></xs:element><xs:element name="Location" type="cyboxCommon:LocationType" minOccurs="0"><xs:annotation><xs:documentation>The Location field specifies a relevant physical location.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. 
This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element><xs:element name="Discovery_Method" type="cyboxCommon:MeasureSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).</xs:documentation></xs:annotation></xs:element><xs:element name="Associated_Objects" type="cybox:AssociatedObjectsType" minOccurs="0"><xs:annotation><xs:documentation>The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant (either initiating or affected by) this Action.</xs:documentation></xs:annotation></xs:element><xs:element name="Relationships" type="cybox:ActionRelationshipsType" minOccurs="0"><xs:annotation><xs:documentation>The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.</xs:documentation></xs:annotation></xs:element><xs:element name="Frequency" type="cybox:FrequencyType" minOccurs="0"><xs:annotation><xs:documentation>The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Action.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Action 
defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field is intended to reference the ordinal position of the action with within a series of actions.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="action_status" type="cybox:ActionStatusTypeEnum"><xs:annotation><xs:documentation>The action_status field enables description of the status of the action being described.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="context" type="cybox:ActionContextTypeEnum"><xs:annotation><xs:documentation>The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggest that all timestamps in this field include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp_precision" type="cyboxCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
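The id/idref rule and the timestamp_precision zeroing rule above appear only in documentation text; the type definitions shown declare all of these attributes as independent and optional, so a consumer has to check the rules itself. The following Python sketch is an added example, not part of the CybOX schema or of MITRE's tooling. The sample document is constructed, and the precision values other than "second" and the acceptance of 01 as the zeroed month or day are assumptions.

```python
import re
import xml.etree.ElementTree as ET

CYBOX = "http://cybox.mitre.org/cybox-2"
# Elements on this page whose types carry both id and idref.
IDREF_ELEMENTS = {"Observable", "Object", "Related_Object", "Event", "Action"}
# The Relationship documentation permits that child next to idref.
ALLOWED_WITH_IDREF = {"Related_Object": {"Relationship"}}
# Assumed precision values, coarsest first; the page itself names only "second".
PRECISIONS = ["year", "month", "day", "hour", "minute", "second"]
XS_DATETIME = re.compile(
    r"(-?\d{4,})-(\d\d)-(\d\d)T(\d\d):(\d\d):(\d\d)(\.\d+)?(Z|[+-]\d\d:\d\d)?$")

# Constructed sample, trimmed to the attributes under test (not schema-complete).
SAMPLE = """<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
                           xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-1">
    <cybox:Event id="example:Event-1">
      <cybox:Actions>
        <cybox:Action id="example:Action-1" timestamp="2014-03-01T12:34:56Z"
                      timestamp_precision="hour"/>
        <cybox:Action id="example:Action-2" timestamp="2014-03-01T12:00:00"
                      timestamp_precision="hour"/>
        <cybox:Action idref="example:Action-1"/>
      </cybox:Actions>
    </cybox:Event>
  </cybox:Observable>
  <cybox:Observable idref="example:Observable-1"/>
  <cybox:Observable id="example:Observable-2" idref="example:Observable-1">
    <cybox:Title>copy</cybox:Title>
  </cybox:Observable>
  <cybox:Observable id="example:Observable-3">
    <cybox:Object id="example:Object-1">
      <cybox:Related_Objects>
        <cybox:Related_Object idref="example:Object-9">
          <cybox:Relationship>Created</cybox:Relationship>
        </cybox:Related_Object>
      </cybox:Related_Objects>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def check_refs(root):
    """Flag idref elements that also set id or that hold content."""
    findings = []
    for el in root.iter():
        if not isinstance(el.tag, str) or not el.tag.startswith("{" + CYBOX + "}"):
            continue
        name = local(el.tag)
        if name not in IDREF_ELEMENTS or "idref" not in el.attrib:
            continue
        ref = el.get("idref")
        if "id" in el.attrib:
            findings.append((name, ref, "id and idref both set"))
        allowed = ALLOWED_WITH_IDREF.get(name, set())
        extra = [local(c.tag) for c in el if local(c.tag) not in allowed]
        if extra or (el.text or "").strip():
            findings.append((name, ref, "idref with content: " + ",".join(extra)))
    return findings


def check_timestamps(root):
    """Flag Action timestamps with no timezone or with digits past the precision."""
    findings = []
    for el in root.iter("{" + CYBOX + "}Action"):
        ts = el.get("timestamp")
        if ts is None:
            continue
        m = XS_DATETIME.match(ts)
        if not m:
            findings.append((ts, "not an xs:dateTime"))
            continue
        if m.group(8) is None:
            findings.append((ts, "no timezone"))
        prec = el.get("timestamp_precision", "second")  # schema default
        if prec not in PRECISIONS:
            findings.append((ts, "unknown precision " + prec))
            continue
        fields = dict(zip(PRECISIONS, m.groups()[:6]))
        for field in PRECISIONS[PRECISIONS.index(prec) + 1:]:
            # xs:dateTime has no month or day 00, so 01 is accepted there.
            zero = "01" if field in ("month", "day") else "00"
            if fields[field] != zero:
                findings.append((ts, field + " not zeroed for precision " + prec))
        if prec != "second" and m.group(7) and m.group(7).strip(".0"):
            findings.append((ts, "fraction not zeroed for precision " + prec))
    return findings


def audit(xml_text):
    """Parse a CybOX document and return (reference findings, timestamp findings)."""
    root = ET.fromstring(xml_text)
    return check_refs(root), check_timestamps(root)


if __name__ == "__main__":
    refs, stamps = audit(SAMPLE)
    for finding in refs + stamps:
        print(finding)
```

For documents received from outside your own tooling, parse with a hardened XML parser (for example the defusedxml package) before running checks like these.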
Complex Type cybox:ActionAliasesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionAliasesType enables identification of other potentially used names for this Action.
<xs:complexType name="ActionAliasesType"><xs:annotation><xs:documentation>The ActionAliasesType enables identification of other potentially used names for this Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Action_Alias" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action_Alias field is optional and enables identification of a single other potentially used name for this Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionArgumentsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionArgumentsType enables the specification of relevant arguments/parameters for this Action.
<xs:complexType name="ActionArgumentsType"><xs:annotation><xs:documentation>The ActionArgumentsType enables the specification of relevant arguments/parameters for this Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Action_Argument" type="cybox:ActionArgumentType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action_Argument construct is optional and enables the specification of a single relevant argument/parameter for this Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionArgumentType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionArgumentType enables the specification of a single relevant argument/parameter for this Action.
<xs:complexType name="ActionArgumentType"><xs:annotation><xs:documentation>The ActionArgumentType enables the specification of a single relevant argument/parameter for this Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Argument_Name" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Argument_Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific action argument utilized.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionArgumentNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Argument_Value" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Argument_Value field specifies the value for this action argument/parameter.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:AssociatedObjectsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The AssociatedObjectsType enables the description/specification of cyber Objects relevant to an Action.
<xs:complexType name="AssociatedObjectsType"><xs:annotation><xs:documentation>The AssociatedObjectsType enables the description/specification of cyber Objects relevant to an Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Associated_Object" type="cybox:AssociatedObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Associated_Object construct enables the description of cyber Objects associated with this Action. This could include Objects that initiated the action, are the target Objects affected by the Action, are utilized by the Action or are the returned result of the Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:AssociatedObjectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The AssociatedObjectType is a complex type representing the characterization of a cyber observable Object associated with a given cyber observable Action.
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
Source
<xs:complexType name="AssociatedObjectType"><xs:annotation><xs:documentation>The AssociatedObjectType is a complex type representing the characterization of a cyber observable Object associated with a given cyber observable Action.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:ObjectType"><xs:sequence><xs:element name="Association_Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Association_Type field utilizes a standardized controlled vocabulary to specify the kind of association this Object holds for this Action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionObjectAssociationTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Action_Pertinent_Object_Properties" type="cybox:ActionPertinentObjectPropertiesType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Pertinent_Object_Properties construct is optional and identifies which of the Properties of this Object are specifically pertinent to this Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:ActionPertinentObjectPropertiesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionPertinentObjectPropertiesType identifies which of the Properties of this Object are specifically pertinent to this Action.
<xs:complexType name="ActionPertinentObjectPropertiesType"><xs:annotation><xs:documentation>The ActionPertinentObjectPropertiesType identifies which of the Properties of this Object are specifically pertinent to this Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Property" type="cybox:ActionPertinentObjectPropertyType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property construct identifies a single Object Property that is specifically pertinent to this Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionPertinentObjectPropertyType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionPertinentObjectPropertyType identifies one of the Properties of an Object that is specifically pertinent to an Action.
The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.
Source
<xs:complexType name="ActionPertinentObjectPropertyType"><xs:annotation><xs:documentation>The ActionPertinentObjectPropertyType identifies one of the Properties of an Object that specifically pertinent to an Action.</xs:documentation></xs:annotation><xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>The name field specifies the field name for the pertinent Object Property.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="xpath" type="xs:string"><xs:annotation><xs:documentation>The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type cybox:ActionRelationshipsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionRelationshipsType captures 1-n relationships between an Action and another Action.
<xs:complexType name="ActionRelationshipsType"><xs:annotation><xs:documentation>The ActionRelationshipsType captures 1-n relationships between an Action and another Action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Relationship" type="cybox:ActionRelationshipType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Relationship construct is required and enables description of a single other cyber observable Action that is related to this Action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionRelationshipType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionRelationshipType characterizes a relationship between a specified cyber observable action and another cyber observable action.
<xs:complexType name="ActionRelationshipType"><xs:annotation><xs:documentation>The ActionRelationshipType characterizes a relationship between a specified cyber observable action and another cyber observable action.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Type" type="cyboxCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The Type field utilizes a standardized controlled vocabulary to describe the nature of the relationship between this Action and the related Action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionRelationshipTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Action_Reference" type="cybox:ActionReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action_Reference construct captures references to other Actions.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionReferenceType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
ActionReferenceType is intended to serve as a method for linking to actions.
The action_id field refers to the id of the action being referenced.
Source
<xs:complexType name="ActionReferenceType"><xs:annotation><xs:documentation>ActionReferenceType is intended to serve as a method for linking to actions.</xs:documentation></xs:annotation><xs:attribute name="action_id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The action_id field refers to the id of the action being referenced.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type cybox:FrequencyType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The FrequencyType is a type representing the specification of a frequency for a given action or event.
The trend field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
The units field specifies the units for this defined frequency.
Source
<xs:complexType name="FrequencyType"><xs:annotation><xs:documentation>The FrequencyType is a type representing the specification of a frequency for a given action or event.</xs:documentation></xs:annotation><xs:attribute name="rate" type="xs:float" use="optional"><xs:annotation><xs:documentation>This field specifies the rate for this defined frequency.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="units" type="xs:string" use="optional"><xs:annotation><xs:documentation>This field specifies the units for this defined frequency.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="scale" type="xs:string" use="optional"><xs:annotation><xs:documentation>This field specifies the time scale for this defined frequency.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="trend" type="cybox:TrendEnum"><xs:annotation><xs:documentation>This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type cybox:TrendEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
TrendEnum is a (non-exhaustive) enumeration of trend types.
<xs:simpleType name="TrendEnum"><xs:annotation><xs:documentation>TrendEnum is a (non-exhaustive) enumeration of trend types.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Increasing"><xs:annotation><xs:documentation>Specifies an increasing trend.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Decreasing"><xs:annotation><xs:documentation>Specifies a decreasing trend.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type cybox:ActionStatusTypeEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
ActionStatusTypeEnum is a (non-exhaustive) enumeration of cyber observable action status types.
Type
restriction of xs:string
Facets
enumeration Success: Specifies a cyber observable action that was successful.
enumeration Fail: Specifies a cyber observable action that failed.
enumeration Error: Specifies a cyber observable action that resulted in an error.
enumeration Complete/Finish: Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).
enumeration Pending: Specifies a cyber observable action that is pending.
enumeration Ongoing: Specifies a cyber observable action that is ongoing.
enumeration Unknown: Specifies a cyber observable action with an unknown status.
<xs:simpleType name="ActionStatusTypeEnum"><xs:annotation><xs:documentation>ActionStatusTypeEnum is a (non-exhaustive) enumeration of cyber observable action status types.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Success"><xs:annotation><xs:documentation>Specifies a cyber observable action that was successful.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Fail"><xs:annotation><xs:documentation>Specifies a cyber observable action that failed.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Error"><xs:annotation><xs:documentation>Specifies a cyber observable action that resulted in an error.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Complete/Finish"><xs:annotation><xs:documentation>Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Pending"><xs:annotation><xs:documentation>Specifies a cyber observable action is pending.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Ongoing"><xs:annotation><xs:documentation>Specifies a cyber observable action that is ongoing.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Unknown"><xs:annotation><xs:documentation>Specifies a cyber observable action with an unknown status.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type cybox:ActionContextTypeEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
ActionContextTypeEnum is a (non-exhaustive) enumeration of cyber observable action contexts.
Type
restriction of xs:string
Facets
enumeration Host: Specifies that the cyber observable action occurred on a host.
enumeration Network: Specifies that the cyber observable action occurred on a network.
<xs:simpleType name="ActionContextTypeEnum"><xs:annotation><xs:documentation>ActionContextTypeEnum is a (non-exhaustive) enumeration of cyber observable action contexts.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="Host"><xs:annotation><xs:documentation>Specifies that the cyber observable action occurred on a host.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Network"><xs:annotation><xs:documentation>Specifies that the cyber observable action occurred on a network.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type cybox:ObservableCompositionType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObservableCompositionType enables the specification of higher-order composite observables composed of logical combinations of other observables.
The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.
Source
<xs:complexType name="ObservableCompositionType"><xs:annotation><xs:documentation>The ObservablesCompositionType enables the specification of higher-order composite observables composed of logical combinations of other observables.</xs:documentation></xs:annotation><xs:sequence minOccurs="0"><xs:element name="Observable" type="cybox:ObservableType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Observable construct represents a description of a single cyber observable.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="operator" type="cybox:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
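The recursive AND/OR composition described above can be evaluated against a set of leaf Observables that have already matched. The following is an added example, not part of the CybOX schema or its tooling: the sample document, the "example" prefix, all ids and the function names are constructed for illustration, and treating an empty composition as non-matching is a choice made here (the schema permits zero child Observables).

```python
import xml.etree.ElementTree as ET

CYBOX_NS = "http://cybox.mitre.org/cybox-2"

# Constructed sample, trimmed to the composition structure. The "example"
# prefix and all ids are made up; leaf Observables are left empty for brevity,
# so this is not meant to be a complete, schema-valid document.
SAMPLE = """\
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
                   xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-file"/>
  <cybox:Observable id="example:Observable-regkey"/>
  <cybox:Observable id="example:Observable-dns"/>
  <cybox:Observable id="example:Observable-composite">
    <cybox:Observable_Composition operator="AND">
      <cybox:Observable idref="example:Observable-file"/>
      <cybox:Observable>
        <cybox:Observable_Composition operator="OR">
          <cybox:Observable idref="example:Observable-regkey"/>
          <cybox:Observable idref="example:Observable-dns"/>
        </cybox:Observable_Composition>
      </cybox:Observable>
    </cybox:Observable_Composition>
  </cybox:Observable>
</cybox:Observables>
"""


def tag(local_name):
    """Qualified ElementTree tag for an element in the cybox-2 namespace."""
    return "{%s}%s" % (CYBOX_NS, local_name)


def build_index(root):
    """Map every Observable id in the document to its element."""
    return {el.get("id"): el
            for el in root.iter(tag("Observable")) if el.get("id")}


def evaluate(observable, matched, index, following=frozenset()):
    """Return True if this Observable is satisfied by the matched leaf ids."""
    ref = observable.get("idref")
    if ref is not None:
        # An idref stands in for an Observable defined elsewhere: resolve it,
        # refusing dangling references and reference cycles.
        if ref in following:
            raise ValueError("circular idref: " + ref)
        if ref not in index:
            raise ValueError("dangling idref: " + ref)
        return evaluate(index[ref], matched, index, following | {ref})

    composition = observable.find(tag("Observable_Composition"))
    if composition is None:
        # Leaf Observable: satisfied only if a sensor reported its id.
        return observable.get("id") in matched

    operator = composition.get("operator")
    if operator not in ("AND", "OR"):  # OperatorTypeEnum values
        raise ValueError("unsupported operator: %r" % operator)

    children = composition.findall(tag("Observable"))
    if not children:
        # all([]) would be True; an empty AND must not fire on everything.
        return False
    # Evaluate every branch (no short-circuit) so broken references in any
    # branch are reported even when an earlier branch decides the result.
    results = [evaluate(c, matched, index, following) for c in children]
    return all(results) if operator == "AND" else any(results)


def composite_matches(xml_text, composite_id, matched):
    """Parse a document and evaluate one Observable by id."""
    root = ET.fromstring(xml_text)
    index = build_index(root)
    return evaluate(index[composite_id], matched, index)
```

Content received from an external feed should be parsed with a hardened XML parser before being evaluated this way.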
Complex Type cybox:PatternFidelityType
Namespace
http://cybox.mitre.org/cybox-2
Source
<xs:complexType name="PatternFidelityType"><xs:sequence><xs:element name="Noisiness" type="cybox:NoisinessEnum" minOccurs="0"><xs:annotation><xs:documentation>The Noisiness field is optional and enables simple characterization of how noisy this Observable typically could be. In other words, how likely is it to generate false positives.</xs:documentation></xs:annotation></xs:element><xs:element name="Ease_of_Evasion" type="cybox:EaseOfObfuscationEnum" minOccurs="0"><xs:annotation><xs:documentation>The Ease_of_Obfuscation field is optional and enables simple characterization of how easy it would be for an attacker to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element><xs:element name="Evasion_Techniques" type="cybox:ObfuscationTechniquesType" minOccurs="0"><xs:annotation><xs:documentation>The Obfuscation_Techniques field is optional and enables the description of potential techniques an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Simple Type cybox:NoisinessEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
NoisinessEnum is a (non-exhaustive) enumeration of potential levels of noisiness for a given observable pattern.
Type
restriction of xs:string
Facets
enumeration High: Specifies that this observable has a high level of noisiness meaning a potentially high level of false positives.
enumeration Medium: Specifies that this observable has a medium level of noisiness meaning a potentially medium level of false positives.
enumeration Low: Specifies that this observable has a low level of noisiness meaning a potentially low level of false positives.
<xs:simpleType name="NoisinessEnum"><xs:annotation><xs:documentation>NoisinessEnum is a (non-exhaustive) enumeration of potential levels of noisiness for a given observable pattern.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="High"><xs:annotation><xs:documentation>Specifies that this observable has a high level of noisiness meaning a potentially high level of false positives.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Medium"><xs:annotation><xs:documentation>Specifies that this observable has a medium level of noisiness meaning a potentially medium level of false positives.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Low"><xs:annotation><xs:documentation>Specifies that this observable has a low level of noisiness meaning a potentially low level of false positives.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Simple Type cybox:EaseOfObfuscationEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The EaseOfObfuscationEnum is a (non-exhaustive) enumeration of simple characterizations of how easy it would be for an attacker to obfuscate the observability of this Observable.
Type
restriction of xs:string
Facets
enumeration High: Specifies that this observable is very easy to obfuscate and hide.
enumeration Medium: Specifies that this observable is somewhat easy to obfuscate and hide.
enumeration Low: Specifies that this observable is not very easy to obfuscate and hide.
<xs:simpleType name="EaseOfObfuscationEnum"><xs:annotation><xs:documentation>The EaseOfObfuscationEnum is a (non-exhaustive) enumeration of simple characterizations of how easy it would be for an attacker to obfuscate the observability of this Observable.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="High"><xs:annotation><xs:documentation>Specifies that this observable is very easy to obfuscate and hide.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Medium"><xs:annotation><xs:documentation>Specifies that this observable is somewhat easy to obfuscate and hide.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="Low"><xs:annotation><xs:documentation>Specifies that this observable is not very easy to obfuscate and hide.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type cybox:ObfuscationTechniquesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObfuscationTechniquesType enables the description of a set of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
<xs:complexType name="ObfuscationTechniquesType"><xs:annotation><xs:documentation>The ObfuscationTechniquesType enables the description of a set of potential techniques an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Obfuscation_Technique" type="cybox:ObfuscationTechniqueType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Obfuscation_Technique field is optional and enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ObfuscationTechniqueType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObfuscationTechniqueType enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
<xs:complexType name="ObfuscationTechniqueType"><xs:annotation><xs:documentation>The ObfuscationTechniqueType enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Description" type="cyboxCommon:StructuredTextType"><xs:annotation><xs:documentation>The Description field captures a structured text description of the obfuscation technique.</xs:documentation></xs:annotation></xs:element><xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Observables construct is optional and enables description of potential cyber observables that could indicate the use of this particular obfuscation technique.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:PoolsType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The PoolsType enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
<xs:complexType name="PoolsType"><xs:annotation><xs:documentation>The PoolsType enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Event_Pool" type="cybox:EventPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Event_Pool construct enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element><xs:element name="Action_Pool" type="cybox:ActionPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Action_Pool construct enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element><xs:element name="Object_Pool" type="cybox:ObjectPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Object_Pool construct enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. 
This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element><xs:element name="Property_Pool" type="cybox:PropertyPoolType" minOccurs="0"><xs:annotation><xs:documentation>The Property_Pool construct enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:EventPoolType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The EventPoolType enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
<xs:complexType name="EventPoolType"><xs:annotation><xs:documentation>The EventPoolType enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Event" type="cybox:EventType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ActionPoolType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ActionPoolType enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
<xs:complexType name="ActionPoolType"><xs:annotation><xs:documentation>The ActionPoolType enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Action" type="cybox:ActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Action construct enables description/specification of a single cyber observable action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ObjectPoolType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ObjectPoolType enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
<xs:complexType name="ObjectPoolType"><xs:annotation><xs:documentation>The ObjectPoolType enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Object" type="cybox:ObjectType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:PropertyPoolType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The PropertyPoolType enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
<xs:complexType name="PropertyPoolType"><xs:annotation><xs:documentation>The PropertyPoolType enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Property" type="cyboxCommon:PropertyType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property construct enables the specification of a single Object Property.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
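The pooled elements above are reached through idref and action_id references, and the rule that an element carrying idref must not also carry id or content is stated only in the documentation, so XSD validation alone does not enforce it. The following added example (not part of the CybOX schema or its tooling) checks those rules on a constructed document. Assumptions: the "example" prefix and all ids are made up, the nesting elements outside this section (Event, Actions, Name, Pools, Associated_Objects, Relationships) are taken from the wider schema, and QName references are compared as plain strings on the assumption that prefixes are bound consistently throughout the document.

```python
import xml.etree.ElementTree as ET

# Constructed sample with deliberate defects: an Action that carries both
# idref and id plus inline content, an Associated_Object whose idref has no
# target, and an Action_Reference to an Action that is not defined anywhere.
SAMPLE = """\
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
                   xmlns:example="http://example.com/">
  <cybox:Observable id="example:Observable-1">
    <cybox:Event>
      <cybox:Actions>
        <cybox:Action idref="example:Action-create"/>
        <cybox:Action idref="example:Action-write" id="example:Action-dup">
          <cybox:Name>Write File</cybox:Name>
        </cybox:Action>
      </cybox:Actions>
    </cybox:Event>
  </cybox:Observable>
  <cybox:Pools>
    <cybox:Action_Pool>
      <cybox:Action id="example:Action-create" action_status="Success" context="Host">
        <cybox:Associated_Objects>
          <cybox:Associated_Object idref="example:Object-gone"/>
        </cybox:Associated_Objects>
        <cybox:Relationships>
          <cybox:Relationship>
            <cybox:Action_Reference action_id="example:Action-write"/>
            <cybox:Action_Reference action_id="example:Action-missing"/>
          </cybox:Relationship>
        </cybox:Relationships>
      </cybox:Action>
      <cybox:Action id="example:Action-write" action_status="Success"/>
    </cybox:Action_Pool>
  </cybox:Pools>
</cybox:Observables>
"""


def local(tag):
    """Strip the '{namespace}' part that ElementTree puts in front of a tag."""
    return tag.rsplit("}", 1)[-1]


def check_references(xml_text):
    """Return (finding, identifier) tuples in document order."""
    root = ET.fromstring(xml_text)

    # Pass 1: record every id and the kinds of element that define it.
    targets = {}
    for el in root.iter():
        if el.get("id") is not None:
            targets.setdefault(el.get("id"), set()).add(local(el.tag))

    # Pass 2: check each reference against the documented rules.
    findings = []
    for el in root.iter():
        ref = el.get("idref")
        if ref is not None:
            if el.get("id") is not None:
                # "When idref is specified, the id attribute must not be."
                findings.append(("id-with-idref", ref))
            if len(el) or (el.text or "").strip():
                # Content beside idref is only allowed by an extension, so
                # it is flagged for review: consumers may disagree on whether
                # the inline content or the referenced definition applies.
                findings.append(("content-with-idref", ref))
            if ref not in targets:
                findings.append(("dangling-idref", ref))
        if local(el.tag) == "Action_Reference":
            action_id = el.get("action_id")
            # action_id must point at an element that is actually an Action.
            if "Action" not in targets.get(action_id, ()):
                findings.append(("dangling-action_id", action_id))
    return findings


if __name__ == "__main__":
    for finding, identifier in check_references(SAMPLE):
        print(finding, identifier)
```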
Simple Type cybox:OperatorTypeEnum
Namespace
http://cybox.mitre.org/cybox-2
Annotations
OperatorTypeEnum is a (non-exhaustive) enumeration of operators.
<xs:simpleType name="OperatorTypeEnum"><xs:annotation><xs:documentation>OperatorTypeEnum is a (non-exhaustive) enumeration of operators.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="AND"><xs:annotation><xs:documentation>Specifies the AND logical composition operation.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="OR"><xs:annotation><xs:documentation>Specifies the OR logical composition operation.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type cybox:StateChangeEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The StateChangeEffectType is intended as a generic way of characterizing the effects of actions upon objects where some state of the object is changed.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="StateChangeEffectType"><xs:annotation><xs:documentation>The StateChangeEffectType is intended as a generic way of characterizing the effects of actions upon objects where some state of the object is changed.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Old_Object" type="cybox:ObjectType" minOccurs="0"><xs:annotation><xs:documentation>The Old_Object construct specifies the object and its properties as they were before the state change effect occurred.</xs:documentation></xs:annotation></xs:element><xs:element name="New_Object" type="cybox:ObjectType"><xs:annotation><xs:documentation>The New_Object construct specifies the object and its properties as they are after the state change effect occurred.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:DataReadEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DataReadEffectType type is intended to characterize the effects of actions upon objects where some data is read, such as from a file or a pipe.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="DataReadEffectType"><xs:annotation><xs:documentation>The DataReadEffectType type is intended to characterize the effects of actions upon objects where some data is read, such as from a file or a pipe.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was read from the object by the action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:DataWrittenEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DataWrittenEffectType type is intended to characterize the effects of actions upon objects where some data is written, such as to a file or a pipe.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="DataWrittenEffectType"><xs:annotation><xs:documentation>The DataWrittenEffectType type is intended to characterize the effects of actions upon objects where some data is written, such as to a file or a pipe.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was written to the object by the action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:DataSentEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DataSentEffectType type is intended to characterize the effects of actions upon objects where some data is sent, such as a byte sequence on a socket.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="DataSentEffectType"><xs:annotation><xs:documentation>The DataSentEffectType type is intended to characterize the effects of actions upon objects where some data is sent, such as a byte sequence on a socket.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was sent on the object, or from the object, by the action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:DataReceivedEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The DataReceivedEffectType type is intended to characterize the effects of actions upon objects where some data is received, such as a byte sequence on a socket.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="DataReceivedEffectType"><xs:annotation><xs:documentation>The DataReceivedEffectType type is intended to characterize the effects of actions upon objects where some data is received, such as a byte sequence on a socket.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Data" type="cyboxCommon:DataSegmentType"><xs:annotation><xs:documentation>The Data field specifies the data that was received on the object, or from the object, by the action.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:PropertyReadEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The PropertyReadEffectType type is intended to characterize the effects of actions upon objects where some specific property is read from an object, such as the current running state of a process.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="PropertyReadEffectType"><xs:annotation><xs:documentation>The PropertyReadEffectType type is intended to characterize the effects of actions upon objects where some specific property is read from an object, such as the current running state of a process.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field specifies the Name of the property being read.</xs:documentation></xs:annotation></xs:element><xs:element name="Value" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Value field specifies the value of the property being read.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:PropertiesEnumeratedEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The PropertiesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some properties of the object are enumerated, such as the startup parameters for a process.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="PropertiesEnumeratedEffectType"><xs:annotation><xs:documentation>The PropertiesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some properties of the object are enumerated, such as the startup parameters for a process.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Properties" type="cybox:PropertiesType"><xs:annotation><xs:documentation>The Properties field specifies the properties that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:PropertiesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The PropertiesType specifies the properties that were enumerated as a result of the action on the object.
<xs:complexType name="PropertiesType"><xs:annotation><xs:documentation>The PropertiesType specifies the properties that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Property" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Property element specifies a single property that was enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:ValuesEnumeratedEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ValuesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some values of the object are enumerated, such as the values of a registry key.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="ValuesEnumeratedEffectType"><xs:annotation><xs:documentation>The ValuesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some values of the object are enumerated, such as the values of a registry key.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Values" type="cybox:ValuesType"><xs:annotation><xs:documentation>The Values field specifies the values that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type cybox:ValuesType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The ValuesType specifies the values that were enumerated as a result of the action on the object.
<xs:complexType name="ValuesType"><xs:annotation><xs:documentation>The ValuesType specifies the values that were enumerated as a result of the action on the object.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Value" type="xs:string" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Value field specifies a single value that was enumerated as a result of the action on the object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type cybox:SendControlCodeEffectType
Namespace
http://cybox.mitre.org/cybox-2
Annotations
The SendControlCodeEffectType is intended to characterize the effects of actions upon objects where some control code, or other control-oriented communication signal, is sent to the object. For example, an action may send a control code to change the running state of a process.
The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
Source
<xs:complexType name="SendControlCodeEffectType"><xs:annotation><xs:documentation>The SendControlCodeEffectType is intended to characterize the effects of actions upon objects where some control code, or other control-oriented communication signal, is sent to the object. For example, an action may send a control code to change the running state of a process.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cybox:DefinedEffectType"><xs:sequence><xs:element name="Control_Code" type="xs:string"><xs:annotation><xs:documentation>The Control_Code field specifies the actual control code that was sent to the object.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
<xs:attribute name="effect_type" type="cybox:EffectTypeEnum"><xs:annotation><xs:documentation>The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Object.</xs:documentation></xs:annotation></xs:attribute>
The idref field specifies a unique id reference to an Object defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Object defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.</xs:documentation></xs:annotation></xs:attribute>
The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
<xs:attribute name="has_changed" type="xs:boolean"><xs:annotation><xs:documentation>The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>The name field specifies the field name for the pertinent Object Property.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="xpath" type="xs:string"><xs:annotation><xs:documentation>The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="action_id" type="xs:QName" use="required"><xs:annotation><xs:documentation>The action_id field refers to the id of the action being referenced.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="rate" type="xs:float" use="optional"><xs:annotation><xs:documentation>This field specifies the rate for this defined frequency.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="units" type="xs:string" use="optional"><xs:annotation><xs:documentation>This field specifies the units for this defined frequency.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="scale" type="xs:string" use="optional"><xs:annotation><xs:documentation>This field specifies the time scale for this defined frequency.</xs:documentation></xs:annotation></xs:attribute>
This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
<xs:attribute name="trend" type="cybox:TrendEnum"><xs:annotation><xs:documentation>This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Action.</xs:documentation></xs:annotation></xs:attribute>
The idref field specifies a unique id reference to an Action defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Action defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="ordinal_position" type="xs:positiveInteger"><xs:annotation><xs:documentation>The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="action_status" type="cybox:ActionStatusTypeEnum"><xs:annotation><xs:documentation>The action_status field enables description of the status of the action being described.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="context" type="cybox:ActionContextTypeEnum"><xs:annotation><xs:documentation>The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.</xs:documentation></xs:annotation></xs:attribute>
The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
<xs:attribute name="timestamp_precision" type="cyboxCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Event.</xs:documentation></xs:annotation></xs:attribute>
The idref field specifies a unique id reference to an Event defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Event defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="cybox_major_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="cybox_minor_version" type="xs:string" use="required"><xs:annotation><xs:documentation>The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.</xs:documentation></xs:annotation></xs:attribute>
The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
<xs:attribute name="cybox_update_version" type="xs:string" use="optional"><xs:annotation><xs:documentation>The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>The id field specifies a unique id for this Observable.</xs:documentation></xs:annotation></xs:attribute>
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>The idref field specifies a unique id reference to an Observable defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.</xs:documentation></xs:annotation></xs:attribute>
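The id/idref rule stated above for Object, Action, Event and Observable is easy to break in hand-written or machine-merged content, and a consumer that resolves references blindly can attach the wrong Object to an Observable. The following is an added example, not part of the CybOX schema or of MITRE's tooling: a small lint over an instance document. The sample document, its `example:` ids and the function name `lint_references` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

CYBOX_NS = "http://cybox.mitre.org/cybox-2"
# Constructs whose id/idref attributes carry the rule quoted above.
REFERABLE = ("Observable", "Object", "Action", "Event")

# Constructed sample (ids and the example namespace are made up).
# obs-2 references obj-1 correctly; obs-3 and obs-4 break the rule.
SAMPLE = """\
<cybox:Observables xmlns:cybox="http://cybox.mitre.org/cybox-2"
                   xmlns:example="http://example.com/"
                   cybox_major_version="2" cybox_minor_version="1">
  <cybox:Observable id="example:obs-1">
    <cybox:Object id="example:obj-1">
      <cybox:Description>dropped file</cybox:Description>
    </cybox:Object>
  </cybox:Observable>
  <cybox:Observable id="example:obs-2">
    <cybox:Object idref="example:obj-1"/>
  </cybox:Observable>
  <cybox:Observable id="example:obs-3">
    <cybox:Object id="example:obj-2" idref="example:obj-1"/>
  </cybox:Observable>
  <cybox:Observable id="example:obs-4">
    <cybox:Object idref="example:obj-9">
      <cybox:Description>conflicting inline content</cybox:Description>
    </cybox:Object>
  </cybox:Observable>
</cybox:Observables>
"""


def lint_references(xml_text):
    """Return sorted (finding, construct, value) tuples for id/idref misuse."""
    root = ET.fromstring(xml_text)
    nodes = []  # (construct name, element)
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")
        if ns == "{" + CYBOX_NS and local in REFERABLE:
            nodes.append((local, el))

    # ids are QNames; comparing them as literal strings assumes every
    # reference uses the same prefix as its definition.
    defined = defaultdict(list)
    for kind, el in nodes:
        if el.get("id") is not None:
            defined[kind].append(el.get("id"))

    findings = set()
    for kind, ids in defined.items():
        for ident in ids:
            if ids.count(ident) > 1:
                findings.add(("duplicate-id", kind, ident))

    for kind, el in nodes:
        ref = el.get("idref")
        if ref is None:
            continue
        if el.get("id") is not None:
            findings.add(("id-with-idref", kind, ref))
        # "should not hold content": report it so a reviewer can confirm
        # whether an extension permits it.
        if len(el) > 0 or (el.text or "").strip():
            findings.add(("content-with-idref", kind, ref))
        # "defined elsewhere" may mean another document; this only says
        # the target is absent from the one being checked.
        if ref not in defined[kind]:
            findings.add(("unresolved-idref", kind, ref))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_references(SAMPLE):
        print(*finding)
```

For feeds received from outside the organisation, parse with a hardened XML parser (for example `defusedxml.ElementTree.fromstring`) before running the lint.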
<xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="sighting_count" type="xs:positiveInteger"><xs:annotation><xs:documentation>The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.</xs:documentation></xs:annotation></xs:attribute>
The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.
<xs:attribute name="operator" type="cybox:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.</xs:documentation></xs:annotation></xs:attribute>
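How the operator and negate fields described above combine is easiest to see by evaluating a composed pattern against a set of sightings. The following is an added example, not part of the CybOX schema or of MITRE's tooling. It assumes the `Observable_Composition` element of the CybOX core schema as the carrier of the operator attribute; the pattern, its `example:` ids and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"cybox": "http://cybox.mitre.org/cybox-2"}

# Constructed pattern: file sighted AND signer NOT sighted AND
# (run key sighted OR scheduled task sighted).
PATTERN = """\
<cybox:Observable xmlns:cybox="http://cybox.mitre.org/cybox-2"
                  xmlns:example="http://example.com/" id="example:pattern-1">
  <cybox:Observable_Composition operator="AND">
    <cybox:Observable idref="example:obs-file"/>
    <cybox:Observable idref="example:obs-signed" negate="true"/>
    <cybox:Observable>
      <cybox:Observable_Composition operator="OR">
        <cybox:Observable idref="example:obs-runkey"/>
        <cybox:Observable idref="example:obs-task"/>
      </cybox:Observable_Composition>
    </cybox:Observable>
  </cybox:Observable_Composition>
</cybox:Observable>
"""


def xs_boolean(value, default=False):
    """Parse the xs:boolean lexical forms; negate defaults to false."""
    if value is None:
        return default
    value = value.strip()
    if value in ("true", "1"):
        return True
    if value in ("false", "0"):
        return False
    raise ValueError("not an xs:boolean: %r" % value)


def evaluate(observable, sighted):
    """Evaluate one Observable (leaf or composition) against sighted ids."""
    comp = observable.find("cybox:Observable_Composition", NS)
    if comp is None:
        key = observable.get("idref") or observable.get("id")
        if key is None:
            raise ValueError("leaf Observable has neither id nor idref")
        result = key in sighted
    else:
        children = comp.findall("cybox:Observable", NS)
        if not children:
            # An empty AND would match everything; reject it instead.
            raise ValueError("empty Observable_Composition")
        # Evaluate every child first so a malformed branch is always
        # reported, whatever the sightings happen to be.
        results = [evaluate(child, sighted) for child in children]
        operator = comp.get("operator")
        if operator == "AND":
            result = all(results)
        elif operator == "OR":
            result = any(results)
        else:
            # The enumeration is non-exhaustive: fail closed on anything else.
            raise ValueError("unsupported operator: %r" % operator)
    # negate="true" asserts absence, so it inverts the result.
    return result != xs_boolean(observable.get("negate"))


def pattern_matches(xml_text, sighted):
    return evaluate(ET.fromstring(xml_text), set(sighted))


if __name__ == "__main__":
    print(pattern_matches(PATTERN, {"example:obs-file", "example:obs-task"}))
```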