Main schema indicator.xsd
Namespace http://stix.mitre.org/Indicator-2
Annotations
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element indicator:Indicator
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Indicator field characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc.
Type indicator:IndicatorType
Children indicator:Alternative_ID, indicator:Composite_Indicator_Expression, indicator:Confidence, indicator:Description, indicator:Handling, indicator:Indicated_TTP, indicator:Kill_Chain_Phases, indicator:Likely_Impact, indicator:Observable, indicator:Producer, indicator:Related_Campaigns, indicator:Related_Indicators, indicator:Related_Packages, indicator:Short_Description, indicator:Sightings, indicator:Suggested_COAs, indicator:Test_Mechanisms, indicator:Title, indicator:Type, indicator:Valid_Time_Position
Attributes
QName Type Default Use Annotation
id xs:QName optional
Specifies a unique ID for this Indicator.
idref xs:QName optional
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
negate xs:boolean false optional
The negate field specifies the absence of the pattern.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
version indicator:IndicatorVersionType optional
Specifies the relevant STIX-Indicator schema version for this content.
Source
<xs:element name="Indicator" type="indicator:IndicatorType">
  <xs:annotation>
    <xs:documentation>The Indicator field characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc.</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-indicator-id">
    <xs:selector xpath=".//stixCommon:*|.//stix:*|.//cybox:*|.//cyboxCommon:*|.//campaign:*|.//coa:*|.//et:*|.//incident:*|.//indicator:*|.//ta:*|.//ttp:*|.//marking:*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>
Element indicator:IndicatorType / indicator:Title
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Title field provides a simple title for this Indicator.
Type xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Type
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies the type or types for this Indicator.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the type or types for this Indicator.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Alternative_ID
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
Type xs:string
Source
<xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Description
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Description field is optional and provides an unstructured, text description for this Indicator.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Short_Description
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Short_Description field is optional and provides an unstructured, text description for this Indicator.
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Short_Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Valid_Time_Position
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies the time window for which this Indicator is valid.
Type indicator:ValidTimeType
Children indicator:End_Time, indicator:Start_Time
Source
<xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:ValidTimeType / indicator:Start_Time
Namespace http://stix.mitre.org/Indicator-2
Annotations
If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Start_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:ValidTimeType / indicator:End_Time
Namespace http://stix.mitre.org/Indicator-2
Annotations
If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="End_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
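The id/idref rule stated for the Indicator attributes and the Start_Time/End_Time semantics above can be checked mechanically before indicators are loaded into detection tooling. The following Python is an added example, not part of the STIX schema or its documentation; the wrapper element, the sample IDs, the function names, treating a missing Valid_Time_Position as unrestricted, inclusive bounds, and reading timezone-less values as UTC are assumptions made here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"indicator": "http://stix.mitre.org/Indicator-2"}
IND = "{http://stix.mitre.org/Indicator-2}"

# Constructed sample input (not from the schema page). The <root> wrapper and
# the example: IDs are placeholders chosen for this illustration.
SAMPLE = """<root xmlns:indicator="http://stix.mitre.org/Indicator-2"
      xmlns:example="http://example.com">
  <indicator:Indicator id="example:indicator-1" timestamp="2014-05-01T00:00:00Z">
    <indicator:Title>Constructed sample A</indicator:Title>
    <indicator:Valid_Time_Position>
      <indicator:Start_Time>2014-05-01T00:00:00Z</indicator:Start_Time>
      <indicator:End_Time>2014-06-01T00:00:00Z</indicator:End_Time>
    </indicator:Valid_Time_Position>
    <indicator:Valid_Time_Position>
      <indicator:Start_Time>2014-09-01T00:00:00+02:00</indicator:Start_Time>
    </indicator:Valid_Time_Position>
  </indicator:Indicator>
  <indicator:Indicator idref="example:indicator-1"/>
  <indicator:Indicator id="example:indicator-2" idref="example:indicator-1">
    <indicator:Title>Constructed sample B</indicator:Title>
  </indicator:Indicator>
  <indicator:Indicator id="example:indicator-3">
    <indicator:Valid_Time_Position>
      <indicator:End_Time>2014-03-01T12:00:00</indicator:End_Time>
    </indicator:Valid_Time_Position>
  </indicator:Indicator>
</root>"""


def parse_dt(text):
    """Parse an xs:dateTime value; return (UTC datetime, had_timezone)."""
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    had_tz = dt.tzinfo is not None
    if not had_tz:
        # Assumption: read a timezone-less value as UTC and report it to the caller.
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc), had_tz


def id_idref_findings(ind):
    """Check: with idref set, id must be absent and the element should be empty."""
    findings = []
    if ind.get("idref") is not None:
        if ind.get("id") is not None:
            findings.append("id and idref are both specified")
        if len(ind) > 0 or (ind.text or "").strip():
            findings.append("idref is specified but the element holds content")
    return findings


def valid_at(ind, when):
    """Return (active, fields_without_timezone) for an Indicator at `when` (aware)."""
    windows = ind.findall("indicator:Valid_Time_Position", NS)
    naive = []
    if not windows:
        return True, naive  # assumption: no stated window means no restriction
    active = False
    for win in windows:
        inside = True
        bounds = (("Start_Time", lambda t: t <= when),
                  ("End_Time", lambda t: when <= t))
        for tag, in_bound in bounds:
            el = win.find("indicator:" + tag, NS)
            if el is None or not (el.text or "").strip():
                continue  # absent bound: the window is open on that side
            t, had_tz = parse_dt(el.text)
            if not had_tz:
                naive.append(tag)
            inside = inside and in_bound(t)
        active = active or inside  # any matching window makes the indicator valid
    return active, naive


def audit(xml_text, when):
    """Audit every indicator:Indicator element; one report entry per element."""
    # For feeds from untrusted sources, parse with a hardened XML parser
    # (for example defusedxml) instead of the standard-library one.
    root = ET.fromstring(xml_text)
    report = []
    for ind in root.iter(IND + "Indicator"):
        findings = id_idref_findings(ind)
        if ind.get("idref") is not None:
            active = None  # a reference: validity comes from the referenced definition
        else:
            active, naive = valid_at(ind, when)
            findings += [f"{tag} has no timezone, read as UTC" for tag in naive]
        report.append({"ref": ind.get("id") or ind.get("idref"),
                       "active": active, "findings": findings})
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE, datetime(2014, 5, 15, tzinfo=timezone.utc)):
        print(entry)
```
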
Element indicator:IndicatorType / indicator:Observable
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies a relevant cyber observable for this Indicator.
Type cybox:ObservableType
Children cybox:Description, cybox:Event, cybox:Keywords, cybox:Object, cybox:Observable_Composition, cybox:Observable_Source, cybox:Pattern_Fidelity, cybox:Title
Attributes
QName Type Default Use Annotation
id xs:QName optional
The id field specifies a unique id for this Observable.
idref xs:QName optional
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
negate xs:boolean false optional
The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.
sighting_count xs:positiveInteger optional
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Composite_Indicator_Expression
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies a multipartite composite Indicator.
Type indicator:CompositeIndicatorExpressionType
Children indicator:Indicator
Attributes
QName Type Use Annotation
operator indicator:OperatorTypeEnum required
Specifies the logical composition operator for this composite cyber threat Indicator.
Source
<xs:element name="Composite_Indicator_Expression" type="indicator:CompositeIndicatorExpressionType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies a multipartite composite Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Indicated_TTP
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies the relevant TTP indicated by this Indicator.
Type stixCommon:RelatedTTPType
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:TTP
Source
<xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Kill_Chain_Phases
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies relevant kill chain phases indicated by this Indicator.
Type stixCommon:KillChainPhasesReferenceType
Children stixCommon:Kill_Chain_Phase
Source
<xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies relevant kill chain phases indicated by this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Test_Mechanisms
Namespace http://stix.mitre.org/Indicator-2
Annotations
The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
Type indicator:TestMechanismsType
Children indicator:Test_Mechanism
Source
<xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:TestMechanismsType / indicator:Test_Mechanism
Namespace http://stix.mitre.org/Indicator-2
Annotations
The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.
Type indicator:TestMechanismType
Children indicator:Efficacy, indicator:Producer
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Test Mechanism.
idref xs:QName optional
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
Source
<xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:TestMechanismType / indicator:Efficacy
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:TestMechanismType / indicator:Producer
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Producer field details the source of this entry.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Producer field details the source of this entry.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Likely_Impact
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Suggested_COAs
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.
Type indicator:SuggestedCOAsType
Children indicator:Suggested_COA
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SuggestedCOAsType / indicator:Suggested_COA
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.
Type stixCommon:RelatedCourseOfActionType
Children stixCommon:Confidence, stixCommon:Course_Of_Action, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Handling
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
Type marking:MarkingType
Children marking:Marking
Source
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Confidence
Namespace http://stix.mitre.org/Indicator-2
Annotations
Specifies a level of confidence held in the accuracy of this Indicator.
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:IndicatorType / indicator:Sightings
Namespace http://stix.mitre.org/Indicator-2
Annotations
Characterizes a set of sighting reports for this Indicator.
Type indicator:SightingsType
Children indicator:Sighting
Attributes
QName Type Use Annotation
sightings_count xs:integer optional
The total number of times this Indicator was reported as sighted.
Source
<xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingsType / indicator:Sighting
Namespace http://stix.mitre.org/Indicator-2
Annotations
This field characterizes a single sighting report for this Indicator.
Type indicator:SightingType
Children indicator:Confidence, indicator:Description, indicator:Reference, indicator:Related_Observables, indicator:Source
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
This field provides the date and time of the Indicator sighting.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Sighting" type="indicator:SightingType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingType / indicator:Source
Namespace http://stix.mitre.org/Indicator-2
Annotations
This field provides a name or description of the sighting source.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>This field provides a name or description of the sighting source.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingType / indicator:Reference
Namespace http://stix.mitre.org/Indicator-2
Annotations
This field provides a formal reference to the sighting source.
Type xs:anyURI
Source
<xs:element name="Reference" type="xs:anyURI" minOccurs="0">
  <xs:annotation>
    <xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingType / indicator:Confidence
Namespace http://stix.mitre.org/Indicator-2
Annotations
This field provides a confidence assertion in the accuracy of this sighting.
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName | Type | Default | Use | Annotation
timestamp | xs:dateTime |  | optional | Specifies the time of this Confidence assertion. In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision | stixCommon:DateTimePrecisionEnum | second | optional | Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingType / indicator:Description
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Description field is optional and enables an unstructured, text description of this Sighting.
Type stixCommon:StructuredTextType
Attributes
QName | Type | Use | Annotation
structuring_format | xs:string | optional | Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interfering with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field is optional and enables an unstructured, text description of this Sighting.</xs:documentation>
  </xs:annotation>
</xs:element>
Element indicator:SightingType / indicator:Related_Observables
Namespace http://stix.mitre.org/Indicator-2
Type indicator:RelatedObservablesType
Children indicator:Related_Observable
Element indicator:RelatedObservablesType / indicator:Related_Observable
Namespace http://stix.mitre.org/Indicator-2
Type stixCommon:RelatedObservableType
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Observable, stixCommon:Relationship
Element indicator:IndicatorType / indicator:Related_Indicators
Namespace http://stix.mitre.org/Indicator-2
Type indicator:RelatedIndicatorsType
Children indicator:Related_Indicator
Element indicator:RelatedIndicatorsType / indicator:Related_Indicator
Namespace http://stix.mitre.org/Indicator-2
Type stixCommon:RelatedIndicatorType
Children stixCommon:Confidence, stixCommon:Indicator, stixCommon:Information_Source, stixCommon:Relationship
Element indicator:IndicatorType / indicator:Related_Campaigns
Namespace http://stix.mitre.org/Indicator-2
Type indicator:RelatedCampaignReferencesType
Children indicator:Related_Campaign
Element indicator:RelatedCampaignReferencesType / indicator:Related_Campaign
Namespace http://stix.mitre.org/Indicator-2
Type stixCommon:RelatedCampaignReferenceType
Children stixCommon:Campaign, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Element indicator:IndicatorType / indicator:Related_Packages
Namespace http://stix.mitre.org/Indicator-2
Type stixCommon:RelatedPackageRefsType
Children stixCommon:Package_Reference
Element indicator:IndicatorType / indicator:Producer
Namespace http://stix.mitre.org/Indicator-2
Annotations
The Producer field details the source of this entry.
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Producer field details the source of this entry.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type indicator:IndicatorType
Namespace http://stix.mitre.org/Indicator-2
Annotations
The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc.
Type extension of stixCommon:IndicatorBaseType
Children indicator:Alternative_ID, indicator:Composite_Indicator_Expression, indicator:Confidence, indicator:Description, indicator:Handling, indicator:Indicated_TTP, indicator:Kill_Chain_Phases, indicator:Likely_Impact, indicator:Observable, indicator:Producer, indicator:Related_Campaigns, indicator:Related_Indicators, indicator:Related_Packages, indicator:Short_Description, indicator:Sightings, indicator:Suggested_COAs, indicator:Test_Mechanisms, indicator:Title, indicator:Type, indicator:Valid_Time_Position
Attributes
QName | Type | Default | Use | Annotation
id | xs:QName |  | optional | Specifies a unique ID for this Indicator.
idref | xs:QName |  | optional | Specifies a reference to the ID of an Indicator specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
negate | xs:boolean | false | optional | The negate field specifies the absence of the pattern.
timestamp | xs:dateTime |  | optional | Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
version | indicator:IndicatorVersionType |  | optional | Specifies the relevant STIX-Indicator schema version for this content.
Source
<xs:complexType name="IndicatorType">
  <xs:annotation>
    <xs:documentation>The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:IndicatorBaseType">
      <xs:sequence>
        <xs:element name="Title" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Title field provides a simple title for this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Type" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>Specifies the type or types for this Indicator.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Alternative_ID" type="xs:string" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>Specifies an alternative identifier (or alias) for the cyber threat Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Short_Description field is optional and provides an unstructured, text description for this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Valid_Time_Position" type="indicator:ValidTimeType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>Specifies the time window for which this Indicator is valid.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:choice>
          <xs:annotation>
            <xs:documentation>Content creators should either create a "simple indicator" containing one observable, or a "composite indicator" containing multiple indicators.</xs:documentation>
          </xs:annotation>
          <xs:element name="Observable" type="cybox:ObservableType" minOccurs="0">
            <xs:annotation>
              <xs:documentation>Specifies a relevant cyber observable for this Indicator.</xs:documentation>
            </xs:annotation>
          </xs:element>
          <xs:element name="Composite_Indicator_Expression" type="indicator:CompositeIndicatorExpressionType" minOccurs="0">
            <xs:annotation>
              <xs:documentation>Specifies a multipartite composite Indicator.</xs:documentation>
            </xs:annotation>
          </xs:element>
        </xs:choice>
        <xs:element name="Indicated_TTP" type="stixCommon:RelatedTTPType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>Specifies the relevant TTP indicated by this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Kill_Chain_Phases" type="stixCommon:KillChainPhasesReferenceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies relevant kill chain phases indicated by this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Test_Mechanisms" type="indicator:TestMechanismsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Likely_Impact" type="stixCommon:StatementType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Suggested_COAs" type="indicator:SuggestedCOAsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Specifies a level of confidence held in the accuracy of this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Sightings" type="indicator:SightingsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Characterizes a set of sighting reports for this Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Indicators" type="indicator:RelatedIndicatorsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Campaigns" type="indicator:RelatedCampaignReferencesType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Producer field details the source of this entry.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="version" type="indicator:IndicatorVersionType">
        <xs:annotation>
          <xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="negate" type="xs:boolean" default="false">
        <xs:annotation>
          <xs:documentation>The negate field specifies the absence of the pattern.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type indicator:ValidTimeType
Namespace http://stix.mitre.org/Indicator-2
Annotations
A basic representation of a temporal window when the thing (e.g., indicator) is valid.
Children indicator:End_Time, indicator:Start_Time
Source
<xs:complexType name="ValidTimeType">
  <xs:annotation>
    <!-- NOTE: this is a very simple representation, if desired, the schema could import something more expressive like gml temporal semantics (see gml:timeposition here: http://schemas.opengis.net/gml/3.1.1/base/temporal.xsd). -->
    <xs:documentation>A basic representation of a temporal window when the thing (e.g., indicator) is valid.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Start_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="End_Time" type="stixCommon:DateTimeWithPrecisionType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
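Several rules in the annotations above are stated only in documentation text, so an XSD validator accepts documents that break them: id together with idref, an idref Indicator that still holds content, a timestamp with neither id nor idref, and timestamps without a timezone. The following lint pass for those four rules is an added example, not part of the STIX schema or its tooling; the sample document, its example: identifiers and the rule names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

IND = "http://stix.mitre.org/Indicator-2"        # namespace shown on this page
NS = {"i": IND}
# An xs:dateTime carries a zone only if it ends in 'Z' or a +hh:mm / -hh:mm offset.
HAS_ZONE = re.compile(r"(Z|[+-]\d{2}:\d{2})$")

# Constructed sample: schema-valid in shape, but it breaks each documented rule once.
SAMPLE_FEED = """
<indicator:Indicator xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:example="http://example.com/" id="example:indicator-1"
    timestamp="2014-05-08T09:00:00Z">
  <indicator:Title>Constructed composite</indicator:Title>
  <indicator:Valid_Time_Position>
    <indicator:Start_Time>2014-05-01T00:00:00</indicator:Start_Time>
    <indicator:End_Time>2014-06-01T00:00:00Z</indicator:End_Time>
  </indicator:Valid_Time_Position>
  <indicator:Composite_Indicator_Expression operator="OR">
    <indicator:Indicator idref="example:indicator-2">
      <indicator:Title>a reference should be empty</indicator:Title>
    </indicator:Indicator>
    <indicator:Indicator id="example:indicator-3" idref="example:indicator-4"/>
    <indicator:Indicator timestamp="2014-05-08T09:00:00Z"/>
  </indicator:Composite_Indicator_Expression>
  <indicator:Sightings sightings_count="2">
    <indicator:Sighting timestamp="2014-05-09T10:15:00+02:00"/>
    <indicator:Sighting timestamp="2014-05-10T11:30:00"/>
  </indicator:Sightings>
</indicator:Indicator>
"""


def zone_missing(value):
    """True for a non-empty timestamp string that has no timezone designator."""
    value = (value or "").strip()
    return bool(value) and not HAS_ZONE.search(value)


def lint_indicators(xml_text):
    """Return sorted (indicator_label, rule, message) findings for a STIX 1.x document."""
    # Shared indicators are untrusted input: refuse DTDs before the parser sees them.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE is not allowed in indicator input")
    findings = []
    # iter() also visits Indicators nested inside Composite_Indicator_Expression.
    for ind in ET.fromstring(xml_text).iter("{%s}Indicator" % IND):
        attrs = ind.attrib
        label = attrs.get("id") or attrs.get("idref") or "(anonymous)"
        has_content = len(ind) > 0 or bool((ind.text or "").strip())

        if "id" in attrs and "idref" in attrs:
            findings.append((label, "id-and-idref",
                             "id must not be specified when idref is specified"))
        if "idref" in attrs and has_content:
            findings.append((label, "idref-with-content",
                             "an Indicator that is a reference should not hold content"))
        if "timestamp" in attrs and "id" not in attrs and "idref" not in attrs:
            findings.append((label, "orphan-timestamp",
                             "timestamp has no defined meaning without id or idref"))

        # Collect this Indicator's own timestamps (direct paths only, not nested ones).
        stamps = []
        for leaf in ("Start_Time", "End_Time"):
            path = "i:Valid_Time_Position/i:%s" % leaf
            stamps += [(leaf, e.text) for e in ind.findall(path, NS)]
        stamps += [("Sighting/@timestamp", s.get("timestamp"))
                   for s in ind.findall("i:Sightings/i:Sighting", NS)]
        confidences = (ind.findall("i:Confidence", NS)
                       + ind.findall("i:Sightings/i:Sighting/i:Confidence", NS))
        stamps += [("Confidence/@timestamp", c.get("timestamp")) for c in confidences]
        for where, value in stamps:
            if zone_missing(value):
                findings.append((label, "no-timezone",
                                 "%s %s has no timezone" % (where, value.strip())))
    return sorted(findings)


if __name__ == "__main__":
    for finding in lint_indicators(SAMPLE_FEED):
        print("%-22s %-20s %s" % finding)
```
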
Complex Type indicator:CompositeIndicatorExpressionType
Namespace http://stix.mitre.org/Indicator-2
Annotations
Type for allowing content creators to create composite indicator expressions using basic boolean logic.
Children indicator:Indicator
Attributes
QName | Type | Use | Annotation
operator | indicator:OperatorTypeEnum | required | Specifies the logical composition operator for this composite cyber threat Indicator.
Source
<xs:complexType name="CompositeIndicatorExpressionType">
  <xs:annotation>
    <xs:documentation>Type for allowing content creators to create composite indicator expressions using basic boolean logic.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element ref="indicator:Indicator" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The indicator field specifies one cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required">
    <xs:annotation>
      <xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Simple Type indicator:OperatorTypeEnum
Namespace http://stix.mitre.org/Indicator-2
Annotations
OperatorTypeEnum is an enumeration of valid operators.
Type restriction of xs:string
Facets
enumeration AND
enumeration OR
Source
<xs:simpleType name="OperatorTypeEnum">
  <xs:annotation>
    <xs:documentation>OperatorTypeEnum is an enumeration of valid operators.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="AND"/>
    <xs:enumeration value="OR"/>
  </xs:restriction>
</xs:simpleType>
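How the AND/OR operator and the negate attribute combine when a consumer turns a composite Indicator into a detection decision is shown in the added example below, which is not part of the STIX schema or its tooling. It assumes the caller already knows which leaf Indicators matched (by id or idref), reads negate as inverting the result of the Indicator it sits on, and rejects a composite with no operands because the page defines no result for that case; the example: identifiers are constructed.

```python
import xml.etree.ElementTree as ET

IND = "http://stix.mitre.org/Indicator-2"        # namespace shown on this page
NS = {"i": IND}
XS_TRUE, XS_FALSE = {"true", "1"}, {"false", "0"}  # xs:boolean lexical forms

# Constructed rule: beacon AND (dropper hash OR dropper mutex) AND NOT known scanner.
SAMPLE_RULE = """
<indicator:Indicator xmlns:indicator="http://stix.mitre.org/Indicator-2"
    xmlns:example="http://example.com/" id="example:campaign-rule">
  <indicator:Composite_Indicator_Expression operator="AND">
    <indicator:Indicator idref="example:beacon-domain"/>
    <indicator:Indicator id="example:dropper-any">
      <indicator:Composite_Indicator_Expression operator="OR">
        <indicator:Indicator idref="example:dropper-hash"/>
        <indicator:Indicator idref="example:dropper-mutex"/>
      </indicator:Composite_Indicator_Expression>
    </indicator:Indicator>
    <indicator:Indicator idref="example:known-scanner" negate="true"/>
  </indicator:Composite_Indicator_Expression>
</indicator:Indicator>
"""


def is_negated(ind):
    """Parse the negate attribute strictly; the schema default is "false"."""
    raw = ind.get("negate", "false").strip()
    if raw not in XS_TRUE | XS_FALSE:
        raise ValueError("negate is not an xs:boolean: %r" % raw)
    return raw in XS_TRUE


def evaluate(ind, matched_ids):
    """Return True if this Indicator element fires, given the set of matched leaf ids."""
    composite = ind.find("i:Composite_Indicator_Expression", NS)
    if composite is None:
        # Leaf: the match decision comes from the caller (assumption of this example).
        key = ind.get("id") or ind.get("idref")
        if key is None:
            raise ValueError("leaf Indicator has neither id nor idref")
        result = key in matched_ids
    else:
        operator = composite.get("operator")
        if operator not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR, got %r" % operator)
        children = composite.findall("i:Indicator", NS)
        if not children:
            # minOccurs="0" permits this, but an empty AND would fire on everything.
            raise ValueError("composite expression has no operands")
        # Evaluate every child (no short-circuit) so malformed branches always surface.
        results = [evaluate(child, matched_ids) for child in children]
        result = all(results) if operator == "AND" else any(results)
    # negate="true" means the absence of the pattern, so it flips the outcome.
    return result != is_negated(ind)


if __name__ == "__main__":
    rule = ET.fromstring(SAMPLE_RULE)
    for seen in ({"example:beacon-domain", "example:dropper-mutex"},
                 {"example:beacon-domain", "example:dropper-mutex",
                  "example:known-scanner"}):
        print(sorted(seen), "->", evaluate(rule, seen))
```
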
Complex Type indicator:TestMechanismsType
Namespace http://stix.mitre.org/Indicator-2
Children indicator:Test_Mechanism
Source
<xs:complexType name="TestMechanismsType">
  <xs:sequence>
    <xs:element name="Test_Mechanism" type="indicator:TestMechanismType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type indicator:TestMechanismType
Namespace http://stix.mitre.org/Indicator-2
Annotations
The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.
This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:
1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.1.1/generic_test_mechanism.xsd.
2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc_2010_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc_2010/1.1.1/openioc_2010_test_mechanism.xsd.
3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.1.1/oval-5.10.1_test_mechanism.xsd.
4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd.
5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd.
Children indicator:Efficacy, indicator:Producer
Attributes
QName | Type | Use | Annotation
id | xs:QName | optional | Specifies a unique ID for this Test Mechanism.
idref | xs:QName | optional | Specifies a reference to the ID of a Test Mechanism specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
Source
<xs:complexType name="TestMechanismType" abstract="true">
  <xs:annotation>
    <xs:documentation>The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.</xs:documentation>
    <xs:documentation>This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:</xs:documentation>
    <xs:documentation>1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.1.1/generic_test_mechanism.xsd.</xs:documentation>
    <xs:documentation>2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc_2010_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc_2010/1.1.1/openioc_2010_test_mechanism.xsd.</xs:documentation>
    <xs:documentation>3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.1.1/oval-5.10.1_test_mechanism.xsd.</xs:documentation>
    <xs:documentation>4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd.</xs:documentation>
    <xs:documentation>5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Efficacy" type="stixCommon:StatementType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Producer" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Producer field details the source of this entry.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type indicator:SuggestedCOAsType
Namespace http://stix.mitre.org/Indicator-2
Type extension of stixCommon:GenericRelationshipListType
Children indicator:Suggested_COA
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="SuggestedCOAsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Suggested_COA" type="stixCommon:RelatedCourseOfActionType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type indicator:SightingsType
Namespace http://stix.mitre.org/Indicator-2
Used by
Children indicator:Sighting
Attributes
QName Type Use Annotation
sightings_count xs:integer optional
The total number of times this Indicator was reported as sighted.
Source
<xs:complexType name="SightingsType">
  <xs:sequence>
    <xs:element name="Sighting" type="indicator:SightingType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>This field characterizes a single sighting report for this Indicator.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="sightings_count" type="xs:integer">
    <xs:annotation>
      <xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type indicator:SightingType
Namespace http://stix.mitre.org/Indicator-2
Annotations
Describes a single sighting of an indicator.
Used by
Children indicator:Confidence, indicator:Description, indicator:Reference, indicator:Related_Observables, indicator:Source
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
This field provides the date and time of the Indicator sighting.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="SightingType">
  <xs:annotation>
    <xs:documentation>Describes a single sighting of an indicator.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a name or description of the sighting source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Reference" type="xs:anyURI" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a formal reference to the sighting source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>This field provides a confidence assertion in the accuracy of this sighting.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field is optional and enables an unstructured, text description of this Sighting.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Related_Observables" type="indicator:RelatedObservablesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Related_Observable field identifies or characterizes one or more cyber observables related to this sighting.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation>
      <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
    <xs:annotation>
      <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
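The annotations above state rules the XSD cannot enforce: a Test Mechanism with idref must not also carry id or content, and a sighting timestamp should include a timezone and be zeroed beyond its timestamp_precision. The Python check below is an added example, not part of the STIX schema or its tooling; the sample document is constructed, the Test_Mechanism element name comes from the STIX Indicator schema, and treating 01 as the "zeroed" value for month and day is an assumption.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted feeds use a hardened parser, e.g. defusedxml

IND = "{http://stix.mitre.org/Indicator-2}"
FIELDS = ["year", "month", "day", "hour", "minute", "second"]
# "Zeroed" value per field; 1 for month/day is an assumption (00 is not legal in xs:dateTime).
ZEROED = {"month": 1, "day": 1, "hour": 0, "minute": 0, "second": 0}
DT = re.compile(r"^(?P<year>-?\d{4,})-(?P<month>\d\d)-(?P<day>\d\d)T(?P<hour>\d\d):(?P<minute>\d\d)"
                r":(?P<second>\d\d(?:\.\d+)?)(?P<tz>Z|[+-]\d\d:\d\d)?$")
# Constructed sample document, not taken from a real feed.
SAMPLE = """<indicator:Indicator xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:example="http://example.com/" id="example:indicator-1">
  <indicator:Test_Mechanisms>
    <indicator:Test_Mechanism id="example:tm-1" idref="example:tm-0"/>
  </indicator:Test_Mechanisms>
  <indicator:Sightings sightings_count="2">
    <indicator:Sighting timestamp="2014-05-08T09:00:00Z" timestamp_precision="hour"/>
    <indicator:Sighting timestamp="2014-05-08T09:41:17" timestamp_precision="day"/>
  </indicator:Sightings>
</indicator:Indicator>"""

def check_sighting(el):
    """Findings for one Sighting: timezone presence and digits beyond timestamp_precision."""
    ts = el.get("timestamp")
    if ts is None:  # the attribute is optional
        return []
    m = DT.match(ts)
    if m is None:
        return ["timestamp is not a well-formed xs:dateTime"]
    findings = [] if m.group("tz") else ["timestamp has no timezone"]
    precision = el.get("timestamp_precision", "second")  # schema default
    if precision not in FIELDS:
        return findings + [f"unknown timestamp_precision '{precision}'"]
    for field in FIELDS[FIELDS.index(precision) + 1:]:
        if float(m.group(field)) != ZEROED[field]:
            findings.append(f"{field} not zeroed for precision '{precision}'")
    return findings

def check_test_mechanism(el):
    """Findings for the id/idref rule stated in the TestMechanismType annotations."""
    if el.get("idref") is None:
        return []
    findings = ["id and idref both set"] if el.get("id") is not None else []
    if len(el) or (el.text or "").strip():
        findings.append("idref reference holds content")
    return findings

def audit(xml_text):
    root = ET.fromstring(xml_text)
    report = [("Sighting", f) for el in root.iter(IND + "Sighting") for f in check_sighting(el)]
    report += [("Test_Mechanism", f) for el in root.iter(IND + "Test_Mechanism") for f in check_test_mechanism(el)]
    return report

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run it as a post-validation step: a document can pass XSD validation and still produce findings here, and a sighting without a timezone cannot be reliably correlated with local log times.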
Complex Type indicator:RelatedObservablesType
Namespace http://stix.mitre.org/Indicator-2
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children indicator:Related_Observable
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedObservablesType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_Observable" type="stixCommon:RelatedObservableType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Related_Observable field captures a relationship to a cyber observable related to this sighting.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type indicator:RelatedIndicatorsType
Namespace http://stix.mitre.org/Indicator-2
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children indicator:Related_Indicator
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedIndicatorsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type indicator:RelatedCampaignReferencesType
Namespace http://stix.mitre.org/Indicator-2
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children indicator:Related_Campaign
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="RelatedCampaignReferencesType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Related_Campaign" type="stixCommon:RelatedCampaignReferenceType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Related_Campaign field captures a single relationship to a related campaign.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type indicator:IndicatorVersionType
Namespace http://stix.mitre.org/Indicator-2
Annotations
An enumeration of all versions of the Indicator type valid in the current release of STIX.
Type restriction of xs:string
Facets
enumeration 2.0
enumeration 2.0.1
enumeration 2.1
enumeration 2.1.1
Used by
Source
<xs:simpleType name="IndicatorVersionType">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of the Indicator type valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="2.0"/>
    <xs:enumeration value="2.0.1"/>
    <xs:enumeration value="2.1"/>
    <xs:enumeration value="2.1.1"/>
  </xs:restriction>
</xs:simpleType>
Attribute indicator:CompositeIndicatorExpressionType / @operator
Namespace No namespace
Annotations
Specifies the logical composition operator for this composite cyber threat Indicator.
Type indicator:OperatorTypeEnum
Facets
enumeration AND
enumeration OR
Used by
Source
<xs:attribute name="operator" type="indicator:OperatorTypeEnum" use="required">
  <xs:annotation>
    <xs:documentation>Specifies the logical composition operator for this composite cyber threat Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:TestMechanismType / @id
Namespace No namespace
Annotations
Specifies a unique ID for this Test Mechanism.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a unique ID for this Test Mechanism.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:TestMechanismType / @idref
Namespace No namespace
Annotations
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a reference to the ID of a Test Mechanism specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:SightingType / @timestamp
Namespace No namespace
Annotations
This field provides the date and time of the Indicator sighting.
In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.
Type xs:dateTime
Used by
Complex Type indicator:SightingType
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>This field provides the date and time of the Indicator sighting.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:SightingType / @timestamp_precision
Namespace No namespace
Annotations
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Type stixCommon:DateTimePrecisionEnum
Facets
enumeration year
DateTime is precise to the given year.
enumeration month
DateTime is precise to the given month.
enumeration day
DateTime is precise to the given day.
enumeration hour
DateTime is precise to the given hour.
enumeration minute
DateTime is precise to the given minute.
enumeration second
DateTime is precise to the given second (including fractional seconds).
Used by
Complex Type indicator:SightingType
Source
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
  <xs:annotation>
    <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:SightingsType / @sightings_count
Namespace No namespace
Annotations
The total number of times this Indicator was reported as sighted.
Type xs:integer
Used by
Source
<xs:attribute name="sightings_count" type="xs:integer">
  <xs:annotation>
    <xs:documentation>The total number of times this Indicator was reported as sighted.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:IndicatorType / @version
Namespace No namespace
Annotations
Specifies the relevant STIX-Indicator schema version for this content.
Type indicator:IndicatorVersionType
Facets
enumeration 2.0
enumeration 2.0.1
enumeration 2.1
enumeration 2.1.1
Used by
Source
<xs:attribute name="version" type="indicator:IndicatorVersionType">
  <xs:annotation>
    <xs:documentation>Specifies the relevant STIX-Indicator schema version for this content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute indicator:IndicatorType / @negate
Namespace No namespace
Annotations
The negate field specifies the absence of the pattern.
Type xs:boolean
Used by
Source
<xs:attribute name="negate" type="xs:boolean" default="false">
  <xs:annotation>
    <xs:documentation>The negate field specifies the absence of the pattern.</xs:documentation>
  </xs:annotation>
</xs:attribute>