Showing:

Annotations
Attributes
Diagrams
Facets
Source
Used by
Imported schema stix_common.xsd
Namespace http://stix.mitre.org/common-1
Annotations
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element stixCommon:GenericRelationshipType / stixCommon:Confidence
Namespace http://stix.mitre.org/common-1
Annotations
The confidence field specifies the level of confidence in the assertion of the relationship between the two components.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceType_timestamp stix_common_xsd.tmp#ConfidenceType_timestamp_precision stix_common_xsd.tmp#ConfidenceType_Value stix_common_xsd.tmp#ConfidenceType_Description stix_common_xsd.tmp#ConfidenceType_Source stix_common_xsd.tmp#ConfidenceType_Confidence_Assertion_Chain stix_common_xsd.tmp#ConfidenceType
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The confidence field specifies the level of confidence in the assertion of the relationship between the two components.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ConfidenceType / stixCommon:Value
Namespace http://stix.mitre.org/common-1
Annotations
Specifies the level of confidence held in this direct assertion.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies the level of confidence held in this direct assertion.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ConfidenceType / stixCommon:Description
Namespace http://stix.mitre.org/common-1
Annotations
The Description field provides a description of the confidence value and how it was derived.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides a description of the confidence value and how it was derived.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ConfidenceType / stixCommon:Source
Namespace http://stix.mitre.org/common-1
Annotations
The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Description
Namespace http://stix.mitre.org/common-1
Annotations
The Description field provides a description of this information source.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides a description of this information source.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Identity
Namespace http://stix.mitre.org/common-1
Annotations
The Identity field is optional and specifies the identity of the information source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Diagram
Diagram stix_common_xsd.tmp#IdentityType_id stix_common_xsd.tmp#IdentityType_idref stix_common_xsd.tmp#IdentityType_Name stix_common_xsd.tmp#IdentityType_Related_Identities stix_common_xsd.tmp#IdentityType
Type stixCommon:IdentityType
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Identity.
idref xs:QName optional
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Identity field is optional and specifies the identity of the information source.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:IdentityType / stixCommon:Name
Namespace http://stix.mitre.org/common-1
Annotations
The Name field allows for expression of an identity through a simple name.
Diagram
Diagram
Type xs:string
Source
<xs:element name="Name" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Name field allows for expression of an identity through a simple name.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:IdentityType / stixCommon:Related_Identities
Namespace http://stix.mitre.org/common-1
Annotations
Diagram
Type stixCommon:RelatedIdentitiesType
Children stixCommon:Related_Identity
Source
Element stixCommon:RelatedIdentitiesType / stixCommon:Related_Identity
Namespace http://stix.mitre.org/common-1
Annotations
Diagram
Type stixCommon:RelatedIdentityType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Identity, stixCommon:Information_Source, stixCommon:Relationship
Source
Element stixCommon:GenericRelationshipType / stixCommon:Information_Source
Namespace http://stix.mitre.org/common-1
Annotations
The Information_Source field specifies the source of the information about the relationship between the two components.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field specifies the source of the information about the relationship between the two components.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Role
Namespace http://stix.mitre.org/common-1
Annotations
The Role field is optional and enables characterization of the sourcing Role played by this Information Source.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Role" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Role field is optional and enables characterization of the sourcing Role played by this Information Source.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Contributing_Sources
Namespace http://stix.mitre.org/common-1
Annotations
The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.
Diagram
Diagram stix_common_xsd.tmp#ContributingSourcesType_Source stix_common_xsd.tmp#ContributingSourcesType
Type stixCommon:ContributingSourcesType
Children stixCommon:Source
Source
<xs:element name="Contributing_Sources" type="stixCommon:ContributingSourcesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ContributingSourcesType / stixCommon:Source
Namespace http://stix.mitre.org/common-1
Annotations
The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Time
Namespace http://stix.mitre.org/common-1
Annotations
The Time element is optional and enables description of various time-related attributes for this instance.
Diagram
Diagram cybox_common_xsd.tmp#TimeType_Start_Time cybox_common_xsd.tmp#TimeType_End_Time cybox_common_xsd.tmp#TimeType_Produced_Time cybox_common_xsd.tmp#TimeType_Received_Time cybox_common_xsd.tmp#TimeType
Type cyboxCommon:TimeType
Children cyboxCommon:End_Time, cyboxCommon:Produced_Time, cyboxCommon:Received_Time, cyboxCommon:Start_Time
Source
<xs:element name="Time" type="cyboxCommon:TimeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Time element is optional and enables description of various time-related attributes for this instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:Tools
Namespace http://stix.mitre.org/common-1
Annotations
The Tools element is optional and enables description of the tools utilized for this instance.
Diagram
Diagram cybox_common_xsd.tmp#ToolsInformationType_Tool cybox_common_xsd.tmp#ToolsInformationType
Type cyboxCommon:ToolsInformationType
Children cyboxCommon:Tool
Source
<xs:element name="Tools" type="cyboxCommon:ToolsInformationType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Tools element is optional and enables description of the tools utilized for this instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:InformationSourceType / stixCommon:References
Namespace http://stix.mitre.org/common-1
Annotations
The References field is optional and enables specification of references to information source material for this instance.
Diagram
Diagram stix_common_xsd.tmp#ReferencesType_Reference stix_common_xsd.tmp#ReferencesType
Type stixCommon:ReferencesType
Children stixCommon:Reference
Source
<xs:element name="References" type="stixCommon:ReferencesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The References field is optional and enables specification of references to information source material for this instance.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ReferencesType / stixCommon:Reference
Namespace http://stix.mitre.org/common-1
Annotations
The Reference field is optional and enables specification of a reference to an information source material.
Diagram
Diagram
Type xs:anyURI
Source
<xs:element name="Reference" type="xs:anyURI" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Reference field is optional and enables specification of a reference to an information source material.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:GenericRelationshipType / stixCommon:Relationship
Namespace http://stix.mitre.org/common-1
Annotations
The relationship field characterizes the type of the relationship between the two components.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Relationship" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The relationship field characterizes the type of the relationship between the two components.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedIdentityType / stixCommon:Identity
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related Identity.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.
Diagram
Diagram stix_common_xsd.tmp#IdentityType_id stix_common_xsd.tmp#IdentityType_idref stix_common_xsd.tmp#IdentityType_Name stix_common_xsd.tmp#IdentityType_Related_Identities stix_common_xsd.tmp#IdentityType
Type stixCommon:IdentityType
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Identity.
idref xs:QName optional
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related Identity.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ConfidenceType / stixCommon:Confidence_Assertion_Chain
Namespace http://stix.mitre.org/common-1
Annotations
The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceAssertionChainType_Confidence_Assertion stix_common_xsd.tmp#ConfidenceAssertionChainType
Type stixCommon:ConfidenceAssertionChainType
Children stixCommon:Confidence_Assertion
Source
<xs:element name="Confidence_Assertion_Chain" type="stixCommon:ConfidenceAssertionChainType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ConfidenceAssertionChainType / stixCommon:Confidence_Assertion
Namespace http://stix.mitre.org/common-1
Annotations
The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceType_timestamp stix_common_xsd.tmp#ConfidenceType_timestamp_precision stix_common_xsd.tmp#ConfidenceType_Value stix_common_xsd.tmp#ConfidenceType_Description stix_common_xsd.tmp#ConfidenceType_Source stix_common_xsd.tmp#ConfidenceType_Confidence_Assertion_Chain stix_common_xsd.tmp#ConfidenceType
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence_Assertion" type="stixCommon:ConfidenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedTTPType / stixCommon:TTP
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related TTP.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType_timestamp stix_common_xsd.tmp#TTPBaseType
Type stixCommon:TTPBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional
Specifies a globally unique identifier of a TTP item specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related TTP.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:KillChainPhasesReferenceType / stixCommon:Kill_Chain_Phase
Namespace http://stix.mitre.org/common-1
Annotations
The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.
Diagram
Diagram stix_common_xsd.tmp#KillChainPhaseType_phase_id stix_common_xsd.tmp#KillChainPhaseType_name stix_common_xsd.tmp#KillChainPhaseType_ordinality stix_common_xsd.tmp#KillChainPhaseType stix_common_xsd.tmp#KillChainPhaseReferenceType_kill_chain_id stix_common_xsd.tmp#KillChainPhaseReferenceType_kill_chain_name stix_common_xsd.tmp#KillChainPhaseReferenceType
Type stixCommon:KillChainPhaseReferenceType
Type hierarchy
Attributes
QName Type Use Annotation
kill_chain_id xs:QName optional
This field specifies the ID for the relevant defined kill chain.
kill_chain_name xs:string optional
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
name xs:string optional
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
ordinality xs:int optional
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
phase_id xs:QName optional
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseReferenceType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:StatementType / stixCommon:Value
Namespace http://stix.mitre.org/common-1
Annotations
Specifies a value characterizing the statement within some vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies a value characterizing the statement within some vocabulary.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:StatementType / stixCommon:Description
Namespace http://stix.mitre.org/common-1
Annotations
Specifies a prose description of the statement.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies a prose description of the statement.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:StatementType / stixCommon:Source
Namespace http://stix.mitre.org/common-1
Annotations
The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:StatementType / stixCommon:Confidence
Namespace http://stix.mitre.org/common-1
Annotations
The Confidence field characterizes the level of confidence held in the statement.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceType_timestamp stix_common_xsd.tmp#ConfidenceType_timestamp_precision stix_common_xsd.tmp#ConfidenceType_Value stix_common_xsd.tmp#ConfidenceType_Description stix_common_xsd.tmp#ConfidenceType_Source stix_common_xsd.tmp#ConfidenceType_Confidence_Assertion_Chain stix_common_xsd.tmp#ConfidenceType
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Confidence field characterizes the level of confidence held in the statement.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedCourseOfActionType / stixCommon:Course_Of_Action
Namespace http://stix.mitre.org/common-1
Annotations
A reference or representation of the related course of action.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.
Diagram
Diagram stix_common_xsd.tmp#CourseOfActionBaseType_id stix_common_xsd.tmp#CourseOfActionBaseType_idref stix_common_xsd.tmp#CourseOfActionBaseType_timestamp stix_common_xsd.tmp#CourseOfActionBaseType
Type stixCommon:CourseOfActionBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this COA.
idref xs:QName optional
Specifies a globally unique identifier of a COA specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference or representation of the related course of action.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedObservableType / stixCommon:Observable
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related cyber observable.
Diagram
Diagram cybox_core_xsd.tmp#ObservableType_id cybox_core_xsd.tmp#ObservableType_idref cybox_core_xsd.tmp#ObservableType_negate cybox_core_xsd.tmp#ObservableType_sighting_count cybox_core_xsd.tmp#ObservableType_Title cybox_core_xsd.tmp#ObservableType_Description cybox_core_xsd.tmp#ObservableType_Keywords cybox_core_xsd.tmp#ObservableType_Observable_Source cybox_core_xsd.tmp#Object cybox_core_xsd.tmp#Event cybox_core_xsd.tmp#ObservableType_Observable_Composition cybox_core_xsd.tmp#ObservableType_Pattern_Fidelity cybox_core_xsd.tmp#ObservableType
Type cybox:ObservableType
Children cybox:Description, cybox:Event, cybox:Keywords, cybox:Object, cybox:Observable_Composition, cybox:Observable_Source, cybox:Pattern_Fidelity, cybox:Title
Attributes
QName Type Default Use Annotation
id xs:QName optional
The id field specifies a unique id for this Observable.
idref xs:QName optional
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
negate xs:boolean false optional
The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.
sighting_count xs:positiveInteger optional
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related cyber observable.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedIndicatorType / stixCommon:Indicator
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related indicator.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.
Diagram
Diagram stix_common_xsd.tmp#IndicatorBaseType_id stix_common_xsd.tmp#IndicatorBaseType_idref stix_common_xsd.tmp#IndicatorBaseType_timestamp stix_common_xsd.tmp#IndicatorBaseType
Type stixCommon:IndicatorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Indicator.
idref xs:QName optional
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related indicator.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedCampaignReferenceType / stixCommon:Campaign
Namespace http://stix.mitre.org/common-1
Annotations
A reference to the related campaign.
Diagram
Diagram stix_common_xsd.tmp#CampaignReferenceType_idref stix_common_xsd.tmp#CampaignReferenceType_timestamp stix_common_xsd.tmp#CampaignReferenceType_Names stix_common_xsd.tmp#CampaignReferenceType
Type stixCommon:CampaignReferenceType
Children stixCommon:Names
Attributes
QName Type Use Annotation
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.
timestamp xs:dateTime optional
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
Source
<xs:element name="Campaign" type="stixCommon:CampaignReferenceType">
  <xs:annotation>
    <xs:documentation>A reference to the related campaign.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:CampaignReferenceType / stixCommon:Names
Namespace http://stix.mitre.org/common-1
Annotations
Specifies one or more campaign names for a cyber threat campaign defined elsewhere.
Diagram
Diagram stix_common_xsd.tmp#NamesType_Name stix_common_xsd.tmp#NamesType
Type stixCommon:NamesType
Children stixCommon:Name
Source
<xs:element name="Names" type="stixCommon:NamesType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Specifies one or more campaign names for a cyber threat campaign defined elsewhere.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:NamesType / stixCommon:Name
Namespace http://stix.mitre.org/common-1
Annotations
The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference stix_common_xsd.tmp#ControlledVocabularyStringType
Type stixCommon:ControlledVocabularyStringType
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedPackageRefsType / stixCommon:Package_Reference
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a related Package defined elsewhere
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedPackageRefType_idref stix_common_xsd.tmp#RelatedPackageRefType_timestamp stix_common_xsd.tmp#RelatedPackageRefType
Type stixCommon:RelatedPackageRefType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Attributes
QName Type Use Annotation
idref xs:QName optional
Specifies a globally unique identifier of a STIX Package specified elsewhere.
timestamp xs:dateTime optional
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Source
<xs:element name="Package_Reference" type="stixCommon:RelatedPackageRefType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a related Package defined elsewhere</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ActivityType / stixCommon:Date_Time
Namespace http://stix.mitre.org/common-1
Annotations
The Date_Time field specifies the date and time at which the activity occured.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Diagram
Diagram stix_common_xsd.tmp#DateTimeWithPrecisionType_precision stix_common_xsd.tmp#DateTimeWithPrecisionType
Type stixCommon:DateTimeWithPrecisionType
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Date_Time" type="stixCommon:DateTimeWithPrecisionType">
  <xs:annotation>
    <xs:documentation>The Date_Time field specifies the date and time at which the activity occured.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ActivityType / stixCommon:Description
Namespace http://stix.mitre.org/common-1
Annotations
The Description field provides a description of the activity.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field provides a description of the activity.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:KillChainsType / stixCommon:Kill_Chain
Namespace http://stix.mitre.org/common-1
Annotations
This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.
Diagram
Diagram stix_common_xsd.tmp#KillChainType_id stix_common_xsd.tmp#KillChainType_name stix_common_xsd.tmp#KillChainType_definer stix_common_xsd.tmp#KillChainType_reference stix_common_xsd.tmp#KillChainType_number_of_phases stix_common_xsd.tmp#KillChainType_Kill_Chain_Phase stix_common_xsd.tmp#KillChainType
Type stixCommon:KillChainType
Children stixCommon:Kill_Chain_Phase
Attributes
QName Type Use Annotation
definer optional
The organization or individual responsible for this kill chain definition.
id xs:QName optional
A globally unique identifier for this kill chain definition.
name xs:string optional
A descriptive name for this kill chain definition.
number_of_phases optional
The number of phases in this kill chain definition.
reference xs:anyURI optional
A resource reference for this kill chain definition.
Source
<xs:element name="Kill_Chain" type="stixCommon:KillChainType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:KillChainType / stixCommon:Kill_Chain_Phase
Namespace http://stix.mitre.org/common-1
Annotations
This field specifies the name of an individual phase within this kill chain definition.
Diagram
Diagram stix_common_xsd.tmp#KillChainPhaseType_phase_id stix_common_xsd.tmp#KillChainPhaseType_name stix_common_xsd.tmp#KillChainPhaseType_ordinality stix_common_xsd.tmp#KillChainPhaseType
Type stixCommon:KillChainPhaseType
Attributes
QName Type Use Annotation
name xs:string optional
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
ordinality xs:int optional
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
phase_id xs:QName optional
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>This field specifies the name of an individual phase within this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedCampaignType / stixCommon:Campaign
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related campaign.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.
Diagram
Diagram stix_common_xsd.tmp#CampaignBaseType_id stix_common_xsd.tmp#CampaignBaseType_idref stix_common_xsd.tmp#CampaignBaseType_timestamp stix_common_xsd.tmp#CampaignBaseType
Type stixCommon:CampaignBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Campaign.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the  Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related campaign.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedExploitTargetType / stixCommon:Exploit_Target
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related exploit target.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetBaseType_id stix_common_xsd.tmp#ExploitTargetBaseType_idref stix_common_xsd.tmp#ExploitTargetBaseType_timestamp stix_common_xsd.tmp#ExploitTargetBaseType
Type stixCommon:ExploitTargetBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this ExploitTarget.
idref xs:QName optional
Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the  ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related exploit target.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedIncidentType / stixCommon:Incident
Namespace http://stix.mitre.org/common-1
Annotations
A reference to or representation of the related incident.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.
Diagram
Diagram stix_common_xsd.tmp#IncidentBaseType_id stix_common_xsd.tmp#IncidentBaseType_idref stix_common_xsd.tmp#IncidentBaseType_timestamp stix_common_xsd.tmp#IncidentBaseType
Type stixCommon:IncidentBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Incident" type="stixCommon:IncidentBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference to or representation of the related incident.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:RelatedThreatActorType / stixCommon:Threat_Actor
Namespace http://stix.mitre.org/common-1
Annotations
A reference or representation of the related threat actor.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType_timestamp stix_common_xsd.tmp#ThreatActorBaseType
Type stixCommon:ThreatActorBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" minOccurs="1">
  <xs:annotation>
    <xs:documentation>A reference or representation of the related threat actor.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ExploitTargetsType / stixCommon:Exploit_Target
Namespace http://stix.mitre.org/common-1
Annotations
The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetBaseType_id stix_common_xsd.tmp#ExploitTargetBaseType_idref stix_common_xsd.tmp#ExploitTargetBaseType_timestamp stix_common_xsd.tmp#ExploitTargetBaseType
Type stixCommon:ExploitTargetBaseType
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this ExploitTarget.
idref xs:QName optional
Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the  ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ProfilesType / stixCommon:Profile
Namespace http://stix.mitre.org/common-1
Annotations
The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.
Diagram
Diagram
Type xs:anyURI
Source
<xs:element name="Profile" type="xs:anyURI" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ToolInformationType / stixCommon:Title
Namespace http://stix.mitre.org/common-1
Annotations
The Title field provides a simple title for a single tool leveraged by this TTP item.
Diagram
Diagram
Type xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for a single tool leveraged by this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Element stixCommon:ToolInformationType / stixCommon:Short_Description
Namespace http://stix.mitre.org/common-1
Annotations
The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type stixCommon:IndicatorBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2.1/indicator.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#IndicatorBaseType_id stix_common_xsd.tmp#IndicatorBaseType_idref stix_common_xsd.tmp#IndicatorBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Indicator.
idref xs:QName optional
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="IndicatorBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2.1/indicator.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName" use="optional">
    <xs:annotation>
      <xs:documentation>Specifies a unique ID for this Indicator.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a reference to the ID of an Indicator specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:ControlledVocabularyStringType
Namespace http://stix.mitre.org/common-1
Annotations
The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.
Diagram
Diagram stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_name stix_common_xsd.tmp#ControlledVocabularyStringType_vocab_reference
Type extension of xs:anySimpleType
Used by
Attributes
QName Type Use Annotation
vocab_name xs:string optional
The vocab_name field specifies the name of the controlled vocabulary.
vocab_reference xs:anyURI optional
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:complexType name="ControlledVocabularyStringType">
  <xs:annotation>
    <xs:documentation>The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="xs:anySimpleType">
      <xs:attribute name="vocab_name" type="xs:string" use="optional">
        <xs:annotation>
          <xs:documentation>The vocab_name field specifies the name of the controlled vocabulary.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="vocab_reference" type="xs:anyURI" use="optional">
        <xs:annotation>
          <xs:documentation>The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
Complex Type stixCommon:StructuredTextType
Namespace http://stix.mitre.org/common-1
Annotations
The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format
Type extension of xs:string
Used by
Attributes
QName Type Use Annotation
structuring_format xs:string optional
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:complexType name="StructuredTextType">
  <xs:annotation>
    <xs:documentation>The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="structuring_format" type="xs:string" use="optional">
        <xs:annotation>
          <xs:documentation>Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
Complex Type stixCommon:DateTimeWithPrecisionType
Namespace http://stix.mitre.org/common-1
Annotations
This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime.  If the precision is given, consumers must ignore the portions of this field that is more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.
In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.
Diagram
Diagram stix_common_xsd.tmp#DateTimeWithPrecisionType_precision
Type extension of xs:dateTime
Used by
Attributes
QName Type Default Use Annotation
precision stixCommon:DateTimePrecisionEnum second optional
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:complexType name="DateTimeWithPrecisionType">
  <xs:annotation>
    <xs:documentation>This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime. If the precision is given, consumers must ignore the portions of this field that is more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="xs:dateTime">
      <xs:attribute name="precision" type="stixCommon:DateTimePrecisionEnum" default="second">
        <xs:annotation>
          <xs:documentation>The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
Simple Type stixCommon:DateTimePrecisionEnum
Namespace http://stix.mitre.org/common-1
Annotations
Possible values for representing time precision.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration year
DateTime is precise to the given year.
enumeration month
DateTime is precise to the given month.
enumeration day
DateTime is precise to the given day.
enumeration hour
DateTime is precise to the given hour.
enumeration minute
DateTime is precise to the given minute.
enumeration second
DateTime is precise to the given second (including fractional seconds).
Used by
Source
<xs:simpleType name="DateTimePrecisionEnum">
  <xs:annotation>
    <xs:documentation>Possible values for representing time precision.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="year">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given year.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="month">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given month.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="day">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given day.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="hour">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given hour.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="minute">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given minute.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="second">
      <xs:annotation>
        <xs:documentation>DateTime is precise to the given second (including fractional seconds).</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type stixCommon:RelatedTTPType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an TTP.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedTTPType_TTP
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:TTP
Source
<xs:complexType name="RelatedTTPType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to an TTP.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related TTP.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:GenericRelationshipType
Namespace http://stix.mitre.org/common-1
Annotations
Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship
Used by
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="GenericRelationshipType" abstract="true">
  <xs:annotation>
    <xs:documentation>Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The confidence field specifies the level of confidence in the assertion of the relationship between the two components.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Information_Source field specifies the source of the information about the relationship between the two components.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Relationship" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The relationship field characterizes the type of the relationship between the two components.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:ConfidenceType
Namespace http://stix.mitre.org/common-1
Annotations
The ConfidenceType specifies a level of Confidence held in some assertion.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceType_timestamp stix_common_xsd.tmp#ConfidenceType_timestamp_precision stix_common_xsd.tmp#ConfidenceType_Value stix_common_xsd.tmp#ConfidenceType_Description stix_common_xsd.tmp#ConfidenceType_Source stix_common_xsd.tmp#ConfidenceType_Confidence_Assertion_Chain
Used by
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="ConfidenceType">
  <xs:annotation>
    <xs:documentation>The ConfidenceType specifies a level of Confidence held in some assertion.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies the level of confidence held in this direct assertion.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
        <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides a description of the confidence value and how it was derived.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Confidence_Assertion_Chain" type="stixCommon:ConfidenceAssertionChainType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies the time of this Confidence assertion.</xs:documentation>
      <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
    <xs:annotation>
      <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:InformationSourceType
Namespace http://stix.mitre.org/common-1
Annotations
The InformationSourceType details the source of a given data entry.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References
Used by
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
<xs:complexType name="InformationSourceType">
  <xs:annotation>
    <xs:documentation>The InformationSourceType details the source of a given data entry.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides a description of this information source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Identity field is optional and specifies the identity of the information source.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation>
        <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Role" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Role field is optional and enables characterization of the sourcing Role played by this Information Source.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Contributing_Sources" type="stixCommon:ContributingSourcesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Time" type="cyboxCommon:TimeType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Time element is optional and enables description of various time-related attributes for this instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Tools" type="cyboxCommon:ToolsInformationType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Tools element is optional and enables description of the tools utilized for this instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="References" type="stixCommon:ReferencesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The References field is optional and enables specification of references to information source material for this instance.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:IdentityType
Namespace http://stix.mitre.org/common-1
Annotations
The IdentityType is used to express identity information for both individuals and organizations.
This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.
Diagram
Diagram stix_common_xsd.tmp#IdentityType_id stix_common_xsd.tmp#IdentityType_idref stix_common_xsd.tmp#IdentityType_Name stix_common_xsd.tmp#IdentityType_Related_Identities
Used by
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a unique ID for this Identity.
idref xs:QName optional
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:complexType name="IdentityType">
  <xs:annotation>
    <xs:documentation>The IdentityType is used to express identity information for both individuals and organizations.</xs:documentation>
    <xs:documentation>This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Name" type="xs:string" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Name field allows for expression of an identity through a simple name.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Related_Identities" type="stixCommon:RelatedIdentitiesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Related_Identities field identifies other entity Identities related to this entity Identity.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a unique ID for this Identity.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a reference to a unique ID defined elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedIdentitiesType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#RelatedIdentitiesType_Related_Identity
Used by
Children stixCommon:Related_Identity
Source
<xs:complexType name="RelatedIdentitiesType">
  <xs:sequence>
    <xs:element name="Related_Identity" type="stixCommon:RelatedIdentityType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Related_Identity field identifies a single other entity Identity related to this entity Identity.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:RelatedIdentityType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an Identity.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedIdentityType_Identity
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Identity, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedIdentityType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to an Identity.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related Identity.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:ContributingSourcesType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#ContributingSourcesType_Source
Used by
Children stixCommon:Source
Source
<xs:complexType name="ContributingSourcesType">
  <xs:sequence>
    <xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation>
        <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:ReferencesType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#ReferencesType_Reference
Used by
Children stixCommon:Reference
Source
<xs:complexType name="ReferencesType">
  <xs:sequence>
    <xs:element name="Reference" type="xs:anyURI" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Reference field is optional and enables specification of a reference to an information source material.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:ConfidenceAssertionChainType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#ConfidenceAssertionChainType_Confidence_Assertion
Used by
Children stixCommon:Confidence_Assertion
Source
<xs:complexType name="ConfidenceAssertionChainType">
  <xs:sequence>
    <xs:element name="Confidence_Assertion" type="stixCommon:ConfidenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:TTPBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#TTPBaseType_id stix_common_xsd.tmp#TTPBaseType_idref stix_common_xsd.tmp#TTPBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this TTP item.
idref xs:QName optional
Specifies a globally unique identifier of a TTP item specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="TTPBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this TTP item.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of a TTP item specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:KillChainPhasesReferenceType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#KillChainPhasesReferenceType_Kill_Chain_Phase
Used by
Children stixCommon:Kill_Chain_Phase
Source
<xs:complexType name="KillChainPhasesReferenceType">
  <xs:sequence>
    <xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseReferenceType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:KillChainPhaseReferenceType
Namespace http://stix.mitre.org/common-1
Annotations
The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.
This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.
Diagram
Diagram stix_common_xsd.tmp#KillChainPhaseType_phase_id stix_common_xsd.tmp#KillChainPhaseType_name stix_common_xsd.tmp#KillChainPhaseType_ordinality stix_common_xsd.tmp#KillChainPhaseType stix_common_xsd.tmp#KillChainPhaseReferenceType_kill_chain_id stix_common_xsd.tmp#KillChainPhaseReferenceType_kill_chain_name
Type extension of stixCommon:KillChainPhaseType
Type hierarchy
Used by
Attributes
QName Type Use Annotation
kill_chain_id xs:QName optional
This field specifies the ID for the relevant defined kill chain.
kill_chain_name xs:string optional
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
name xs:string optional
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
ordinality xs:int optional
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
phase_id xs:QName optional
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:complexType name="KillChainPhaseReferenceType">
  <xs:annotation>
    <xs:documentation>The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.</xs:documentation>
    <xs:documentation>This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:KillChainPhaseType">
      <xs:attribute name="kill_chain_id" type="xs:QName">
        <xs:annotation>
          <xs:documentation>This field specifies the ID for the relevant defined kill chain.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="kill_chain_name" type="xs:string">
        <xs:annotation>
          <xs:documentation>This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:KillChainPhaseType
Namespace http://stix.mitre.org/common-1
Annotations
The KillChainPhaseType characterizes an individual phase within a kill chain definition.
Diagram
Diagram stix_common_xsd.tmp#KillChainPhaseType_phase_id stix_common_xsd.tmp#KillChainPhaseType_name stix_common_xsd.tmp#KillChainPhaseType_ordinality
Used by
Attributes
QName Type Use Annotation
name xs:string optional
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
ordinality xs:int optional
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
phase_id xs:QName optional
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:complexType name="KillChainPhaseType">
  <xs:annotation>
    <xs:documentation>The KillChainPhaseType characterizes an individual phase within a kill chain definition.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="phase_id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>A globally unique identifier for this kill chain phase.</xs:documentation>
      <xs:documentation>When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>This field specifies the descriptive name of the relevant kill chain phase.</xs:documentation>
      <xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="ordinality" type="xs:int">
    <xs:annotation>
      <xs:documentation>This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.</xs:documentation>
      <xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:StatementType
Namespace http://stix.mitre.org/common-1
Annotations
StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence
Used by
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="StatementType">
  <xs:annotation>
    <xs:documentation>StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies a value characterizing the statement within some vocabulary.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation>
        <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies a prose description of the statement.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Confidence field characterizes the level of confidence held in the statement.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies the time this statement was asserted.</xs:documentation>
      <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
    <xs:annotation>
      <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:GenericRelationshipListType
Namespace http://stix.mitre.org/common-1
Annotations
Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope
Used by
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="GenericRelationshipListType" abstract="true">
  <xs:annotation>
    <xs:documentation>Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="scope" type="stixCommon:RelationshipScopeEnum" default="exclusive">
    <xs:annotation>
      <xs:documentation>Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Simple Type stixCommon:RelationshipScopeEnum
Namespace http://stix.mitre.org/common-1
Annotations
ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration inclusive
A single relationship is being defined between the subject and the collection of objects indicated by the related items.
enumeration exclusive
Multiple relationships are being defined between the specific subject and each object individually.
Used by
Source
<xs:simpleType name="RelationshipScopeEnum">
  <xs:annotation>
    <xs:documentation>ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="inclusive">
      <xs:annotation>
        <xs:documentation>A single relationship is being defined between the subject and the collection of objects indicated by the related items.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
    <xs:enumeration value="exclusive">
      <xs:annotation>
        <xs:documentation>Multiple relationships are being defined between the specific subject and each object individually.</xs:documentation>
      </xs:annotation>
    </xs:enumeration>
  </xs:restriction>
</xs:simpleType>
Complex Type stixCommon:RelatedCourseOfActionType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a course of action.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedCourseOfActionType_Course_Of_Action
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Course_Of_Action, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedCourseOfActionType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a course of action.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference or representation of the related course of action.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:CourseOfActionBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#CourseOfActionBaseType_id stix_common_xsd.tmp#CourseOfActionBaseType_idref stix_common_xsd.tmp#CourseOfActionBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this COA.
idref xs:QName optional
Specifies a globally unique identifier of a COA specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="CourseOfActionBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this COA.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of a COA specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedObservableType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a cyber observable.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedObservableType_Observable
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Observable, stixCommon:Relationship
Source
<xs:complexType name="RelatedObservableType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a cyber observable.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Observable" type="cybox:ObservableType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related cyber observable.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:RelatedIndicatorType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an indicator.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedIndicatorType_Indicator
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Indicator, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedIndicatorType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to an indicator.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Indicator" type="stixCommon:IndicatorBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related indicator.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:RelatedCampaignReferenceType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship by reference to a campaign.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedCampaignReferenceType_Campaign
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Campaign, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedCampaignReferenceType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship by reference to a campaign.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Campaign" type="stixCommon:CampaignReferenceType">
          <xs:annotation>
            <xs:documentation>A reference to the related campaign.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:CampaignReferenceType
Namespace http://stix.mitre.org/common-1
Annotations
Characterizes a reference to a campaign.
Diagram
Diagram stix_common_xsd.tmp#CampaignReferenceType_idref stix_common_xsd.tmp#CampaignReferenceType_timestamp stix_common_xsd.tmp#CampaignReferenceType_Names
Used by
Children stixCommon:Names
Attributes
QName Type Use Annotation
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.
timestamp xs:dateTime optional
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
Source
<xs:complexType name="CampaignReferenceType">
  <xs:annotation>
    <xs:documentation>Characterizes a reference to a campaign.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Names" type="stixCommon:NamesType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>Specifies one or more campaign names for a cyber threat campaign defined elsewhere.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:NamesType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#NamesType_Name
Used by
Children stixCommon:Name
Source
<xs:complexType name="NamesType">
  <xs:sequence>
    <xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:RelatedPackageRefsType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes relationships to set of related Packages.
Diagram
Diagram stix_common_xsd.tmp#RelatedPackageRefsType_Package_Reference
Used by
Children stixCommon:Package_Reference
Source
<xs:complexType name="RelatedPackageRefsType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes relationships to set of related Packages.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Package_Reference" type="stixCommon:RelatedPackageRefType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Identifies or characterizes a relationship to a related Package defined elsewhere</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:RelatedPackageRefType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a Package.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedPackageRefType_idref stix_common_xsd.tmp#RelatedPackageRefType_timestamp
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Used by
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Attributes
QName Type Use Annotation
idref xs:QName optional
Specifies a globally unique identifier of a STIX Package specified elsewhere.
timestamp xs:dateTime optional
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Source
<xs:complexType name="RelatedPackageRefType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a Package.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:attribute name="idref" type="xs:QName">
        <xs:annotation>
          <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
      <xs:attribute name="timestamp" type="xs:dateTime">
        <xs:annotation>
          <xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:ActivityType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#ActivityType_Date_Time stix_common_xsd.tmp#ActivityType_Description
Children stixCommon:Date_Time, stixCommon:Description
Source
<xs:complexType name="ActivityType" abstract="true">
  <xs:sequence>
    <xs:element name="Date_Time" type="stixCommon:DateTimeWithPrecisionType">
      <xs:annotation>
        <xs:documentation>The Date_Time field specifies the date and time at which the activity occured.</xs:documentation>
        <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
      <xs:annotation>
        <xs:documentation>The Description field provides a description of the activity.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:KillChainsType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#KillChainsType_Kill_Chain
Children stixCommon:Kill_Chain
Source
<xs:complexType name="KillChainsType">
  <xs:sequence>
    <xs:element name="Kill_Chain" type="stixCommon:KillChainType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:KillChainType
Namespace http://stix.mitre.org/common-1
Annotations
The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.
Diagram
Diagram stix_common_xsd.tmp#KillChainType_id stix_common_xsd.tmp#KillChainType_name stix_common_xsd.tmp#KillChainType_definer stix_common_xsd.tmp#KillChainType_reference stix_common_xsd.tmp#KillChainType_number_of_phases stix_common_xsd.tmp#KillChainType_Kill_Chain_Phase
Used by
Children stixCommon:Kill_Chain_Phase
Attributes
QName Type Use Annotation
definer optional
The organization or individual responsible for this kill chain definition.
id xs:QName optional
A globally unique identifier for this kill chain definition.
name xs:string optional
A descriptive name for this kill chain definition.
number_of_phases optional
The number of phases in this kill chain definition.
reference xs:anyURI optional
A resource reference for this kill chain definition.
Source
<xs:complexType name="KillChainType">
  <xs:annotation>
    <xs:documentation>The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseType" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>This field specifies the name of an individual phase within this kill chain definition.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>A globally unique identifier for this kill chain definition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="name" type="xs:string">
    <xs:annotation>
      <xs:documentation>A descriptive name for this kill chain definition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="definer">
    <xs:annotation>
      <xs:documentation>The organization or individual responsible for this kill chain definition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="reference" type="xs:anyURI">
    <xs:annotation>
      <xs:documentation>A resource reference for this kill chain definition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="number_of_phases">
    <xs:annotation>
      <xs:documentation>The number of phases in this kill chain definition.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedCampaignType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a campaign.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedCampaignType_Campaign
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Children stixCommon:Campaign, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedCampaignType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a campaign.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Campaign" type="stixCommon:CampaignBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related campaign.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:CampaignBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#CampaignBaseType_id stix_common_xsd.tmp#CampaignBaseType_idref stix_common_xsd.tmp#CampaignBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Campaign.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the  Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="CampaignBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this cyber threat Campaign.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedExploitTargetType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an exploit target.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedExploitTargetType_Exploit_Target
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Exploit_Target, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedExploitTargetType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to an exploit target.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related exploit target.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:ExploitTargetBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetBaseType_id stix_common_xsd.tmp#ExploitTargetBaseType_idref stix_common_xsd.tmp#ExploitTargetBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this ExploitTarget.
idref xs:QName optional
Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the  ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="ExploitTargetBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this ExploitTarget.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of an ExploitTarget specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedIncidentType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an incident.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedIncidentType_Incident
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Incident, stixCommon:Information_Source, stixCommon:Relationship
Source
<xs:complexType name="RelatedIncidentType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to an incident.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Incident" type="stixCommon:IncidentBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference to or representation of the related incident.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:IncidentBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#IncidentBaseType_id stix_common_xsd.tmp#IncidentBaseType_idref stix_common_xsd.tmp#IncidentBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this cyber threat Incident.
idref xs:QName optional
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="IncidentBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this cyber threat Incident.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:RelatedThreatActorType
Namespace http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a threat actor.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedThreatActorType_Threat_Actor
Type extension of stixCommon:GenericRelationshipType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:Threat_Actor
Source
<xs:complexType name="RelatedThreatActorType">
  <xs:annotation>
    <xs:documentation>Identifies or characterizes a relationship to a threat actor.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipType">
      <xs:sequence>
        <xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" minOccurs="1">
          <xs:annotation>
            <xs:documentation>A reference or representation of the related threat actor.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type stixCommon:ThreatActorBaseType
Namespace http://stix.mitre.org/common-1
Annotations
This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType_timestamp
Used by
Attributes
QName Type Use Annotation
id xs:QName optional
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
timestamp xs:dateTime optional
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="ThreatActorBaseType">
  <xs:annotation>
    <xs:documentation>This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation>
    <xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.</xs:documentation>
  </xs:annotation>
  <xs:attribute name="id" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier for this ThreatActor.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="idref" type="xs:QName">
    <xs:annotation>
      <xs:documentation>Specifies a globally unique identifier of a ThreatActor specified elsewhere.</xs:documentation>
      <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
  <xs:attribute name="timestamp" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
    </xs:annotation>
  </xs:attribute>
</xs:complexType>
Complex Type stixCommon:ExploitTargetsType
Namespace http://stix.mitre.org/common-1
Diagram
Diagram stix_common_xsd.tmp#ExploitTargetsType_Exploit_Target
Children stixCommon:Exploit_Target
Source
<xs:complexType name="ExploitTargetsType">
  <xs:sequence>
    <xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.</xs:documentation>
        <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:AddressAbstractType
Namespace http://stix.mitre.org/common-1
Annotations
The AddressAbstractType is used to express geographic address information.
This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_3.0/1.1.1/ciq_3.0_address.xsd.
Diagram
Diagram
Source
<xs:complexType name="AddressAbstractType" abstract="true">
  <xs:annotation>
    <xs:documentation>The AddressAbstractType is used to express geographic address information.</xs:documentation>
    <xs:documentation>This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_3.0/1.1.1/ciq_3.0_address.xsd.</xs:documentation>
  </xs:annotation>
</xs:complexType>
Complex Type stixCommon:EncodedCDATAType
Namespace http://stix.mitre.org/common-1
Annotations
This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.
Diagram
Diagram stix_common_xsd.tmp#EncodedCDATAType_encoded
Type extension of xs:string
Attributes
QName Type Default Use Annotation
encoded xs:boolean false optional
If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.
Source
<xs:complexType name="EncodedCDATAType">
  <xs:annotation>
    <xs:documentation>This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.</xs:documentation>
  </xs:annotation>
  <xs:simpleContent>
    <xs:extension base="xs:string">
      <xs:attribute name="encoded" type="xs:boolean" default="false">
        <xs:annotation>
          <xs:documentation>If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:simpleContent>
</xs:complexType>
Complex Type stixCommon:ProfilesType
Namespace http://stix.mitre.org/common-1
Annotations
The ProfilesType represents a list of STIX Profiles
Diagram
Diagram stix_common_xsd.tmp#ProfilesType_Profile
Children stixCommon:Profile
Source
<xs:complexType name="ProfilesType">
  <xs:annotation>
    <xs:documentation>The ProfilesType represents a list of STIX Profiles</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Profile" type="xs:anyURI" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type stixCommon:ToolInformationType
Namespace http://stix.mitre.org/common-1
Annotations
The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use. It is extended from an identically-named type in CybOX and adds standard STIX descriptive fields.
Diagram
Diagram cybox_common_xsd.tmp#ToolInformationType_id cybox_common_xsd.tmp#ToolInformationType_idref cybox_common_xsd.tmp#ToolInformationType_Name cybox_common_xsd.tmp#ToolInformationType_Type cybox_common_xsd.tmp#ToolInformationType_Description cybox_common_xsd.tmp#ToolInformationType_References cybox_common_xsd.tmp#ToolInformationType_Vendor cybox_common_xsd.tmp#ToolInformationType_Version cybox_common_xsd.tmp#ToolInformationType_Service_Pack cybox_common_xsd.tmp#ToolInformationType_Tool_Specific_Data cybox_common_xsd.tmp#ToolInformationType_Tool_Hashes cybox_common_xsd.tmp#ToolInformationType_Tool_Configuration cybox_common_xsd.tmp#ToolInformationType_Execution_Environment cybox_common_xsd.tmp#ToolInformationType_Errors cybox_common_xsd.tmp#ToolInformationType_Metadata cybox_common_xsd.tmp#ToolInformationType_Compensation_Model cybox_common_xsd.tmp#ToolInformationType stix_common_xsd.tmp#http___stix.mitre.org_common-1_ToolInformationType_Title stix_common_xsd.tmp#http___stix.mitre.org_common-1_ToolInformationType_Short_Description
Type extension of cyboxCommon:ToolInformationType
Type hierarchy
Children cyboxCommon:Compensation_Model, cyboxCommon:Description, cyboxCommon:Errors, cyboxCommon:Execution_Environment, cyboxCommon:Metadata, cyboxCommon:Name, cyboxCommon:References, cyboxCommon:Service_Pack, cyboxCommon:Tool_Configuration, cyboxCommon:Tool_Hashes, cyboxCommon:Tool_Specific_Data, cyboxCommon:Type, cyboxCommon:Vendor, cyboxCommon:Version, stixCommon:Short_Description, stixCommon:Title
Attributes
QName Type Use Annotation
id xs:QName optional
The id field specifies a unique ID for this Tool.
idref xs:QName optional
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:complexType name="ToolInformationType">
  <xs:annotation>
    <xs:documentation>The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use. It is extended from an identically-named type in CybOX and adds standard STIX descriptive fields.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ToolInformationType">
      <xs:sequence>
        <xs:element name="Title" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Title field provides a simple title for a single tool leveraged by this TTP item.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Attribute stixCommon:IndicatorBaseType / @id
Namespace No namespace
Annotations
Specifies a unique ID for this Indicator.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName" use="optional">
  <xs:annotation>
    <xs:documentation>Specifies a unique ID for this Indicator.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IndicatorBaseType / @idref
Namespace No namespace
Annotations
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a reference to the ID of an Indicator specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IndicatorBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ControlledVocabularyStringType / @vocab_name
Namespace No namespace
Annotations
The vocab_name field specifies the name of the controlled vocabulary.
Type xs:string
Used by
Source
<xs:attribute name="vocab_name" type="xs:string" use="optional">
  <xs:annotation>
    <xs:documentation>The vocab_name field specifies the name of the controlled vocabulary.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ControlledVocabularyStringType / @vocab_reference
Namespace No namespace
Annotations
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Type xs:anyURI
Used by
Source
<xs:attribute name="vocab_reference" type="xs:anyURI" use="optional">
  <xs:annotation>
    <xs:documentation>The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:StructuredTextType / @structuring_format
Namespace No namespace
Annotations
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Type xs:string
Used by
Source
<xs:attribute name="structuring_format" type="xs:string" use="optional">
  <xs:annotation>
    <xs:documentation>Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:DateTimeWithPrecisionType / @precision
Namespace No namespace
Annotations
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Type stixCommon:DateTimePrecisionEnum
Facets
enumeration year
DateTime is precise to the given year.
enumeration month
DateTime is precise to the given month.
enumeration day
DateTime is precise to the given day.
enumeration hour
DateTime is precise to the given hour.
enumeration minute
DateTime is precise to the given minute.
enumeration second
DateTime is precise to the given second (including fractional seconds).
Used by
Source
<xs:attribute name="precision" type="stixCommon:DateTimePrecisionEnum" default="second">
  <xs:annotation>
    <xs:documentation>The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IdentityType / @id
Namespace No namespace
Annotations
Specifies a unique ID for this Identity.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a unique ID for this Identity.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IdentityType / @idref
Namespace No namespace
Annotations
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a reference to a unique ID defined elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ConfidenceType / @timestamp
Namespace No namespace
Annotations
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies the time of this Confidence assertion.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ConfidenceType / @timestamp_precision
Namespace No namespace
Annotations
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Type stixCommon:DateTimePrecisionEnum
Facets
enumeration year
DateTime is precise to the given year.
enumeration month
DateTime is precise to the given month.
enumeration day
DateTime is precise to the given day.
enumeration hour
DateTime is precise to the given hour.
enumeration minute
DateTime is precise to the given minute.
enumeration second
DateTime is precise to the given second (including fractional seconds).
Used by
Source
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
  <xs:annotation>
    <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:TTPBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this TTP item.
Type xs:QName
Used by
Complex Type stixCommon:TTPBaseType
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this TTP item.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:TTPBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier of a TTP item specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.
Type xs:QName
Used by
Complex Type stixCommon:TTPBaseType
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a TTP item specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:TTPBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Complex Type stixCommon:TTPBaseType
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainPhaseType / @phase_id
Namespace No namespace
Annotations
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Type xs:QName
Used by
Source
<xs:attribute name="phase_id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>A globally unique identifier for this kill chain phase.</xs:documentation>
    <xs:documentation>When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainPhaseType / @name
Namespace No namespace
Annotations
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
Type xs:string
Used by
Source
<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>This field specifies the descriptive name of the relevant kill chain phase.</xs:documentation>
    <xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainPhaseType / @ordinality
Namespace No namespace
Annotations
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
Type xs:int
Used by
Source
<xs:attribute name="ordinality" type="xs:int">
  <xs:annotation>
    <xs:documentation>This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.</xs:documentation>
    <xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainPhaseReferenceType / @kill_chain_id
Namespace No namespace
Annotations
This field specifies the ID for the relevant defined kill chain.
Type xs:QName
Used by
Source
<xs:attribute name="kill_chain_id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>This field specifies the ID for the relevant defined kill chain.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainPhaseReferenceType / @kill_chain_name
Namespace No namespace
Annotations
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
Type xs:string
Used by
Source
<xs:attribute name="kill_chain_name" type="xs:string">
  <xs:annotation>
    <xs:documentation>This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:StatementType / @timestamp
Namespace No namespace
Annotations
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies the time this statement was asserted.</xs:documentation>
    <xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:StatementType / @timestamp_precision
Namespace No namespace
Annotations
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Type stixCommon:DateTimePrecisionEnum
Facets
enumeration year
DateTime is precise to the given year.
enumeration month
DateTime is precise to the given month.
enumeration day
DateTime is precise to the given day.
enumeration hour
DateTime is precise to the given hour.
enumeration minute
DateTime is precise to the given minute.
enumeration second
DateTime is precise to the given second (including fractional seconds).
Used by
Source
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second">
  <xs:annotation>
    <xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:GenericRelationshipListType / @scope
Namespace No namespace
Annotations
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Type stixCommon:RelationshipScopeEnum
Facets
enumeration inclusive
A single relationship is being defined between the subject and the collection of objects indicated by the related items.
enumeration exclusive
Multiple relationships are being defined between the specific subject and each object individually.
Used by
Source
<xs:attribute name="scope" type="stixCommon:RelationshipScopeEnum" default="exclusive">
  <xs:annotation>
    <xs:documentation>Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CourseOfActionBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this COA.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this COA.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CourseOfActionBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier of a COA specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a COA specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CourseOfActionBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CampaignReferenceType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CampaignReferenceType / @timestamp
Namespace No namespace
Annotations
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:RelatedPackageRefType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier of a STIX Package specified elsewhere.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:RelatedPackageRefType / @timestamp
Namespace No namespace
Annotations
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainType / @id
Namespace No namespace
Annotations
A globally unique identifier for this kill chain definition.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>A globally unique identifier for this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainType / @name
Namespace No namespace
Annotations
A descriptive name for this kill chain definition.
Type xs:string
Used by
Source
<xs:attribute name="name" type="xs:string">
  <xs:annotation>
    <xs:documentation>A descriptive name for this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainType / @definer
Namespace No namespace
Annotations
The organization or individual responsible for this kill chain definition.
Used by
Source
<xs:attribute name="definer">
  <xs:annotation>
    <xs:documentation>The organization or individual responsible for this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainType / @reference
Namespace No namespace
Annotations
A resource reference for this kill chain definition.
Type xs:anyURI
Used by
Source
<xs:attribute name="reference" type="xs:anyURI">
  <xs:annotation>
    <xs:documentation>A resource reference for this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:KillChainType / @number_of_phases
Namespace No namespace
Annotations
The number of phases in this kill chain definition.
Used by
Source
<xs:attribute name="number_of_phases">
  <xs:annotation>
    <xs:documentation>The number of phases in this kill chain definition.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CampaignBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this cyber threat Campaign.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this cyber threat Campaign.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CampaignBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:CampaignBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the  Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ExploitTargetBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this ExploitTarget.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this ExploitTarget.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ExploitTargetBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of an ExploitTarget specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ExploitTargetBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the  ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IncidentBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this cyber threat Incident.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this cyber threat Incident.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IncidentBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:IncidentBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ThreatActorBaseType / @id
Namespace No namespace
Annotations
Specifies a globally unique identifier for this ThreatActor.
Type xs:QName
Used by
Source
<xs:attribute name="id" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier for this ThreatActor.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ThreatActorBaseType / @idref
Namespace No namespace
Annotations
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
Type xs:QName
Used by
Source
<xs:attribute name="idref" type="xs:QName">
  <xs:annotation>
    <xs:documentation>Specifies a globally unique identifier of a ThreatActor specified elsewhere.</xs:documentation>
    <xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:ThreatActorBaseType / @timestamp
Namespace No namespace
Annotations
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Type xs:dateTime
Used by
Source
<xs:attribute name="timestamp" type="xs:dateTime">
  <xs:annotation>
    <xs:documentation>Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
  </xs:annotation>
</xs:attribute>
Attribute stixCommon:EncodedCDATAType / @encoded
Namespace No namespace
Annotations
If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.
Type xs:boolean
Used by
Source
<xs:attribute name="encoded" type="xs:boolean" default="false">
  <xs:annotation>
    <xs:documentation>If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.</xs:documentation>
  </xs:annotation>
</xs:attribute>