This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element indicator:Indicator
Namespace
http://stix.mitre.org/Indicator-2
Annotations
The Indicator field characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Specifies the relevant STIX-Indicator schema version for this content.
Source
<xs:element name="Indicator" type="indicator:IndicatorType"><xs:annotation><xs:documentation>The Indicator field characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation></xs:annotation><xs:unique name="unique-indicator-id"><xs:selector xpath=".//stixCommon:*|.//stix:*|.//cybox:*|.//cyboxCommon:*|.//campaign:*|.//coa:*|.//et:*|.//incident:*|.//indicator:*|.//ta:*|.//ttp:*|.//marking:*"/><xs:field xpath="@id"/></xs:unique></xs:element>
The Title field provides a simple title for this Indicator.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation></xs:annotation></xs:element>
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the type or types for this Indicator.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
Diagram
Type
xs:string
Source
<xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Short_Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation></xs:annotation></xs:element>
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Start_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0"><xs:annotation><xs:documentation>If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element>
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="End_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0"><xs:annotation><xs:documentation>If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element>
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0"><xs:annotation><xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
Source
<xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation></xs:annotation></xs:element>
The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element>
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation></xs:annotation></xs:element>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0"><xs:annotation><xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element>
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation></xs:annotation></xs:element>
The total number of times this Indicator was reported as sighted.
Source
<xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0"><xs:annotation><xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation></xs:annotation></xs:element>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Sighting" type="indicator:SightingType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a name or description of the sighting source.</xs:documentation></xs:annotation></xs:element>
This field provides a formal reference to the sighting source.
Diagram
Type
xs:anyURI
Source
<xs:element name="Reference" type="xs:anyURI" minOccurs="0"><xs:annotation><xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation></xs:annotation></xs:element>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field is optional and enables an unstructured, text description of this Sighting.</xs:documentation></xs:annotation></xs:element>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Related_Observables" type="indicator:RelatedObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Observable field identifies or characterizes one or more cyber observables related to this sighting.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Observable" type="stixCommon:RelatedObservableType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Observable field captures a relationship to a cyber observable related to this sighting.</xs:documentation></xs:annotation></xs:element>
The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Related_Indicators" type="indicator:RelatedIndicatorsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element>
The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
<xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element>
The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Related_Campaigns" type="indicator:RelatedCampaignReferencesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Campaign" type="stixCommon:RelatedCampaignReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Campaign field captures a single relationship to a related campaign.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element>
Complex Type indicator:IndicatorType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Specifies the relevant STIX-Indicator schema version for this content.
Source
<xs:complexType name="IndicatorType"><xs:annotation><xs:documentation>The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:IndicatorBaseType"><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the type or types for this Indicator.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Short_Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation></xs:annotation></xs:element><xs:choice><xs:annotation><xs:documentation>Content creators should either create a "simple indicator" containing one observable, or a "composite indicator" containing multiple indicators.</xs:documentation></xs:annotation><xs:element name="Observable" type="cybox:ObservableType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Composite_Indicator_Expression" type="indicator:CompositeIndicatorExpressionType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a multipartite composite Indicator.</xs:documentation></xs:annotation></xs:element></xs:choice><xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies relevant kill chain phases indicated by this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0"><xs:annotation><xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation></xs:annotation></xs:element><xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0"><xs:annotation><xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Handling" type="marking:MarkingType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation></xs:annotation></xs:element><xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0"><xs:annotation><xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Indicators" type="indicator:RelatedIndicatorsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Campaigns" type="indicator:RelatedCampaignReferencesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation></xs:annotation></xs:element><xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="version" type="indicator:IndicatorVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field specifies the absence of the pattern.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
Complex Type indicator:ValidTimeType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
A basic representation of a temporal window when the thing (e.g., indicator) is valid.
<xs:complexType name="ValidTimeType"><xs:annotation><!-- NOTE: this is a very simple representation, if desired, the schema could import something more expressive like gml temporal semantics (see gml:timeposition here: http://schemas.opengis.net/gml/3.1.1/base/temporal.xsd). --><xs:documentation>A basic representation of a temporal window when the thing (e.g., indicator) is valid.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Start_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0"><xs:annotation><xs:documentation>If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element><xs:element name="End_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0"><xs:annotation><xs:documentation>If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type indicator:CompositeIndicatorExpressionType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
Type for allowing content creators to create composite indicator expressions using basic boolean logic.
Specifies the logical composition operator for this composite cyber threat Indicator.
Source
<xs:complexType name="CompositeIndicatorExpressionType"><xs:annotation><xs:documentation>Type for allowing content creators to create composite indicator expressions using basic boolean logic.</xs:documentation></xs:annotation><xs:sequence><xs:element ref="indicator:Indicator" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The indicator field specifies one cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type indicator:OperatorTypeEnum
Namespace
http://stix.mitre.org/Indicator-2
Annotations
OperatorTypeEnum is an enumeration of valid operators.
<xs:simpleType name="OperatorTypeEnum"><xs:annotation><xs:documentation>OperatorTypeEnum is an enumeration of valid operators.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="AND"/><xs:enumeration value="OR"/></xs:restriction></xs:simpleType>
<xs:complexType name="TestMechanismsType"><xs:sequence><xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type indicator:TestMechanismType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.
This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:
1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.1.1/generic_test_mechanism.xsd.
2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc_2010_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc_2010/1.1.1/openioc_2010_test_mechanism.xsd.
3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.1.1/oval-5.10.1_test_mechanism.xsd.
4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd.
5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd.
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
Source
<xs:complexType name="TestMechanismType" abstract="true"><xs:annotation><xs:documentation>The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation><xs:documentation>This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:</xs:documentation><xs:documentation>1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.1.1/generic_test_mechanism.xsd.</xs:documentation><xs:documentation>2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc_2010_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc_2010/1.1.1/openioc_2010_test_mechanism.xsd.</xs:documentation><xs:documentation>3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.1.1/oval-5.10.1_test_mechanism.xsd.</xs:documentation><xs:documentation>4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd.</xs:documentation><xs:documentation>5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0"><xs:annotation><xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation></xs:annotation></xs:element><xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Producer field details the source of this entry.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="SuggestedCOAsType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
The total number of times this Indicator was reported as sighted.
Source
<xs:complexType name="SightingsType"><xs:sequence><xs:element name="Sighting" type="indicator:SightingType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="sightings_count" type="xs:integer"><xs:annotation><xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="SightingType"><xs:annotation><xs:documentation>Describes a single sighting of an indicator.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a name or description of the sighting source.</xs:documentation></xs:annotation></xs:element><xs:element name="Reference" type="xs:anyURI" minOccurs="0"><xs:annotation><xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation></xs:annotation></xs:element><xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field is optional and enables an unstructured, text description of this Sighting.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Observables" type="indicator:RelatedObservablesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Observable field identifies or characterizes one or more cyber observables related to this sighting.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedObservablesType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Related_Observable" type="stixCommon:RelatedObservableType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Observable field captures a relationship to a cyber observable related to this sighting.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedIndicatorsType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type indicator:RelatedCampaignReferencesType
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedCampaignReferencesType"><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipListType"><xs:sequence><xs:element name="Related_Campaign" type="stixCommon:RelatedCampaignReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Campaign field captures a single relationship to a related campaign.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Simple Type indicator:IndicatorVersionType
Namespace
http://stix.mitre.org/Indicator-2
Annotations
An enumeration of all versions of the Indicator type valid in the current release of STIX.
<xs:simpleType name="IndicatorVersionType"><xs:annotation><xs:documentation>An enumeration of all versions of the Indicator type valid in the current release of STIX.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="2.0"/><xs:enumeration value="2.0.1"/><xs:enumeration value="2.1"/><xs:enumeration value="2.1.1"/></xs:restriction></xs:simpleType>
<xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required"><xs:annotation><xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="sightings_count" type="xs:integer"><xs:annotation><xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="version" type="indicator:IndicatorVersionType"><xs:annotation><xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="negate" type="xs:boolean" default="false"><xs:annotation><xs:documentation>The negate field specifies the absence of the pattern.</xs:documentation></xs:annotation></xs:attribute>
