This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>The confidence field specifies the level of confidence in the assertion of the relationship between the two components.</xs:documentation></xs:annotation></xs:element>
Specifies the level of confidence held in this direct assertion.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the level of confidence held in this direct assertion.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of the confidence value and how it was derived.</xs:documentation></xs:annotation></xs:element>
The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of this information source.</xs:documentation></xs:annotation></xs:element>
The Identity field is optional and specifies the identity of the information source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0"><xs:annotation><xs:documentation>The Identity field is optional and specifies the identity of the information source.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element>
The Name field allows for expression of an identity through a simple name.
Diagram
Type
xs:string
Source
<xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field allows for expression of an identity through a simple name.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Identities" type="stixCommon:RelatedIdentitiesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Identities field identifies other entity Identities related to this entity Identity.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Related_Identity" type="stixCommon:RelatedIdentityType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Identity field identifies a single other entity Identity related to this entity Identity.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Information_Source field specifies the source of the information about the relationship between the two components.</xs:documentation></xs:annotation></xs:element>
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Role" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Role field is optional and enables characterization of the sourcing Role played by this Information Source.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Contributing_Sources" type="stixCommon:ContributingSourcesType" minOccurs="0"><xs:annotation><xs:documentation>The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.</xs:documentation></xs:annotation></xs:element>
The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Time" type="cyboxCommon:TimeType" minOccurs="0"><xs:annotation><xs:documentation>The Time element is optional and enables description of various time-related attributes for this instance.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Tools" type="cyboxCommon:ToolsInformationType" minOccurs="0"><xs:annotation><xs:documentation>The Tools element is optional and enables description of the tools utilized for this instance.</xs:documentation></xs:annotation></xs:element>
<xs:element name="References" type="stixCommon:ReferencesType" minOccurs="0"><xs:annotation><xs:documentation>The References field is optional and enables specification of references to information source material for this instance.</xs:documentation></xs:annotation></xs:element>
The Reference field is optional and enables specification of a reference to an information source material.
Diagram
Type
xs:anyURI
Source
<xs:element name="Reference" type="xs:anyURI" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Reference field is optional and enables specification of a reference to an information source material.</xs:documentation></xs:annotation></xs:element>
The relationship field characterizes the type of the relationship between the two components.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Relationship" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The relationship field characterizes the type of the relationship between the two components.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related Identity.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related Identity.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.</xs:documentation></xs:annotation></xs:element>
The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.
<xs:element name="Confidence_Assertion_Chain" type="stixCommon:ConfidenceAssertionChainType" minOccurs="0"><xs:annotation><xs:documentation>The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.</xs:documentation></xs:annotation></xs:element>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence_Assertion" type="stixCommon:ConfidenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related TTP.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related TTP.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation></xs:annotation></xs:element>
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.</xs:documentation></xs:annotation></xs:element>
Specifies a value characterizing the statement within some vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a value characterizing the statement within some vocabulary.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a prose description of the statement.</xs:documentation></xs:annotation></xs:element>
The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
<xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>The Confidence field characterizes the level of confidence held in the statement.</xs:documentation></xs:annotation></xs:element>
A reference or representation of the related course of action.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference or representation of the related course of action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation></xs:annotation></xs:element>
The idref field specifies a unique id reference to an Observable defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
Source
<xs:element name="Observable" type="cybox:ObservableType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related cyber observable.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related indicator.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related indicator.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.</xs:documentation></xs:annotation></xs:element>
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
Source
<xs:element name="Campaign" type="stixCommon:CampaignReferenceType"><xs:annotation><xs:documentation>A reference to the related campaign.</xs:documentation></xs:annotation></xs:element>
<xs:element name="Names" type="stixCommon:NamesType" minOccurs="0"><xs:annotation><xs:documentation>Specifies one or more campaign names for a cyber threat campaign defined elsewhere.</xs:documentation></xs:annotation></xs:element>
The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element>
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Source
<xs:element name="Package_Reference" type="stixCommon:RelatedPackageRefType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a related Package defined elsewhere</xs:documentation></xs:annotation></xs:element>
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:element name="Date_Time" type="stixCommon:DateTimeWithPrecisionType"><xs:annotation><xs:documentation>The Date_Time field specifies the date and time at which the activity occured.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of the activity.</xs:documentation></xs:annotation></xs:element>
A resource reference for this kill chain definition.
Source
<xs:element name="Kill_Chain" type="stixCommon:KillChainType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation></xs:annotation></xs:element>
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field specifies the name of an individual phase within this kill chain definition.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related campaign.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related campaign.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related exploit target.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related exploit target.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation></xs:annotation></xs:element>
A reference to or representation of the related incident.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Incident" type="stixCommon:IncidentBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related incident.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation></xs:annotation></xs:element>
A reference or representation of the related threat actor.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference or representation of the related threat actor.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation></xs:annotation></xs:element>
The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.</xs:documentation></xs:annotation></xs:element>
The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.
Diagram
Type
xs:anyURI
Source
<xs:element name="Profile" type="xs:anyURI" minOccurs="1" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.</xs:documentation></xs:annotation></xs:element>
The Title field provides a simple title for a single tool leveraged by this TTP item.
Diagram
Type
xs:string
Source
<xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for a single tool leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element>
Complex Type stixCommon:IndicatorBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2.1/indicator.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="IndicatorBaseType"><xs:annotation><xs:documentation>This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2.1/indicator.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName" use="optional"><xs:annotation><xs:documentation>Specifies a unique ID for this Indicator.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of an Indicator specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:ControlledVocabularyStringType
Namespace
http://stix.mitre.org/common-1
Annotations
The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
Source
<xs:complexType name="ControlledVocabularyStringType"><xs:annotation><xs:documentation>The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:anySimpleType"><xs:attribute name="vocab_name" type="xs:string" use="optional"><xs:annotation><xs:documentation>The vocab_name field specifies the name of the controlled vocabulary.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="vocab_reference" type="xs:anyURI" use="optional"><xs:annotation><xs:documentation>The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType>
Complex Type stixCommon:StructuredTextType
Namespace
http://stix.mitre.org/common-1
Annotations
The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
<xs:complexType name="StructuredTextType"><xs:annotation><xs:documentation>The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="structuring_format" type="xs:string" use="optional"><xs:annotation><xs:documentation>Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType>
Complex Type stixCommon:DateTimeWithPrecisionType
Namespace
http://stix.mitre.org/common-1
Annotations
This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime. If the precision is given, consumers must ignore the portions of this field that is more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.
In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Source
<xs:complexType name="DateTimeWithPrecisionType"><xs:annotation><xs:documentation>This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime. If the precision is given, consumers must ignore the portions of this field that is more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:dateTime"><xs:attribute name="precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType>
Simple Type stixCommon:DateTimePrecisionEnum
Namespace
http://stix.mitre.org/common-1
Annotations
Possible values for representing time precision.
Diagram
Type
restriction of xs:string
Facets
enumeration
year
DateTime is precise to the given year.
enumeration
month
DateTime is precise to the given month.
enumeration
day
DateTime is precise to the given day.
enumeration
hour
DateTime is precise to the given hour.
enumeration
minute
DateTime is precise to the given minute.
enumeration
second
DateTime is precise to the given second (including fractional seconds).
<xs:simpleType name="DateTimePrecisionEnum"><xs:annotation><xs:documentation>Possible values for representing time precision.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="year"><xs:annotation><xs:documentation>DateTime is precise to the given year.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="month"><xs:annotation><xs:documentation>DateTime is precise to the given month.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="day"><xs:annotation><xs:documentation>DateTime is precise to the given day.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="hour"><xs:annotation><xs:documentation>DateTime is precise to the given hour.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="minute"><xs:annotation><xs:documentation>DateTime is precise to the given minute.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="second"><xs:annotation><xs:documentation>DateTime is precise to the given second (including fractional seconds).</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixCommon:RelatedTTPType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an TTP.
<xs:complexType name="RelatedTTPType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to an TTP.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related TTP.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:GenericRelationshipType
Namespace
http://stix.mitre.org/common-1
Annotations
Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.
<xs:complexType name="GenericRelationshipType" abstract="true"><xs:annotation><xs:documentation>Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>The confidence field specifies the level of confidence in the assertion of the relationship between the two components.</xs:documentation></xs:annotation></xs:element><xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Information_Source field specifies the source of the information about the relationship between the two components.</xs:documentation></xs:annotation></xs:element><xs:element name="Relationship" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>The relationship field characterizes the type of the relationship between the two components.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:ConfidenceType
Namespace
http://stix.mitre.org/common-1
Annotations
The ConfidenceType specifies a level of Confidence held in some assertion.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="ConfidenceType"><xs:annotation><xs:documentation>The ConfidenceType specifies a level of Confidence held in some assertion.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies the level of confidence held in this direct assertion.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of the confidence value and how it was derived.</xs:documentation></xs:annotation></xs:element><xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Confidence_Assertion_Chain" type="stixCommon:ConfidenceAssertionChainType" minOccurs="0"><xs:annotation><xs:documentation>The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies the time of this Confidence assertion.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:InformationSourceType
Namespace
http://stix.mitre.org/common-1
Annotations
The InformationSourceType details the source of a given data entry.
<xs:complexType name="InformationSourceType"><xs:annotation><xs:documentation>The InformationSourceType details the source of a given data entry.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of this information source.</xs:documentation></xs:annotation></xs:element><xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0"><xs:annotation><xs:documentation>The Identity field is optional and specifies the identity of the information source.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element><xs:element name="Role" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Role field is optional and enables characterization of the sourcing Role played by this Information Source.</xs:documentation></xs:annotation></xs:element><xs:element name="Contributing_Sources" type="stixCommon:ContributingSourcesType" minOccurs="0"><xs:annotation><xs:documentation>The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Time" type="cyboxCommon:TimeType" minOccurs="0"><xs:annotation><xs:documentation>The Time element is optional and enables description of various time-related attributes for this instance.</xs:documentation></xs:annotation></xs:element><xs:element name="Tools" type="cyboxCommon:ToolsInformationType" minOccurs="0"><xs:annotation><xs:documentation>The Tools element is optional and enables description of the tools utilized for this instance.</xs:documentation></xs:annotation></xs:element><xs:element name="References" type="stixCommon:ReferencesType" minOccurs="0"><xs:annotation><xs:documentation>The References field is optional and enables specification of references to information source material for this instance.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:IdentityType
Namespace
http://stix.mitre.org/common-1
Annotations
The IdentityType is used to express identity information for both individuals and organizations.
This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
<xs:complexType name="IdentityType"><xs:annotation><xs:documentation>The IdentityType is used to express identity information for both individuals and organizations.</xs:documentation><xs:documentation>This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.1.1/ciq_3.0_identity.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Name" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Name field allows for expression of an identity through a simple name.</xs:documentation></xs:annotation></xs:element><xs:element name="Related_Identities" type="stixCommon:RelatedIdentitiesType" minOccurs="0"><xs:annotation><xs:documentation>The Related_Identities field identifies other entity Identities related to this entity Identity.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Identity.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to a unique ID defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
<xs:complexType name="RelatedIdentitiesType"><xs:sequence><xs:element name="Related_Identity" type="stixCommon:RelatedIdentityType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Related_Identity field identifies a single other entity Identity related to this entity Identity.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:RelatedIdentityType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an Identity.
<xs:complexType name="RelatedIdentityType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to an Identity.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related Identity.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.1.1/ciq_identity_3.0.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
<xs:complexType name="ContributingSourcesType"><xs:sequence><xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1.1/ciq_identity.xsd.</xs:documentation><xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="ReferencesType"><xs:sequence><xs:element name="Reference" type="xs:anyURI" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Reference field is optional and enables specification of a reference to an information source material.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:ConfidenceAssertionChainType
<xs:complexType name="ConfidenceAssertionChainType"><xs:sequence><xs:element name="Confidence_Assertion" type="stixCommon:ConfidenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:TTPBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="TTPBaseType"><xs:annotation><xs:documentation>This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.1.1/ttp.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this TTP item.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a TTP item specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:KillChainPhasesReferenceType
<xs:complexType name="KillChainPhasesReferenceType"><xs:sequence><xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseReferenceType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:KillChainPhaseReferenceType
Namespace
http://stix.mitre.org/common-1
Annotations
The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.
This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:complexType name="KillChainPhaseReferenceType"><xs:annotation><xs:documentation>The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.</xs:documentation><xs:documentation>This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:KillChainPhaseType"><xs:attribute name="kill_chain_id" type="xs:QName"><xs:annotation><xs:documentation>This field specifies the ID for the relevant defined kill chain.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="kill_chain_name" type="xs:string"><xs:annotation><xs:documentation>This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:KillChainPhaseType
Namespace
http://stix.mitre.org/common-1
Annotations
The KillChainPhaseType characterizes an individual phase within a kill chain definition.
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
Source
<xs:complexType name="KillChainPhaseType"><xs:annotation><xs:documentation>The KillChainPhaseType characterizes an individual phase within a kill chain definition.</xs:documentation></xs:annotation><xs:attribute name="phase_id" type="xs:QName"><xs:annotation><xs:documentation>A globally unique identifier for this kill chain phase.</xs:documentation><xs:documentation>When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>This field specifies the descriptive name of the relevant kill chain phase.</xs:documentation><xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="ordinality" type="xs:int"><xs:annotation><xs:documentation>This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.</xs:documentation><xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:StatementType
Namespace
http://stix.mitre.org/common-1
Annotations
StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
<xs:complexType name="StatementType"><xs:annotation><xs:documentation>StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Value" type="stixCommon:ControlledVocabularyStringType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a value characterizing the statement within some vocabulary.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.</xs:documentation><xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>Specifies a prose description of the statement.</xs:documentation></xs:annotation></xs:element><xs:element name="Source" type="stixCommon:InformationSourceType" minOccurs="0"><xs:annotation><xs:documentation>The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element><xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0"><xs:annotation><xs:documentation>The Confidence field characterizes the level of confidence held in the statement.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies the time this statement was asserted.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:GenericRelationshipListType
Namespace
http://stix.mitre.org/common-1
Annotations
Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly.
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
<xs:complexType name="GenericRelationshipListType" abstract="true"><xs:annotation><xs:documentation>Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly.</xs:documentation></xs:annotation><xs:attribute name="scope" type="stixCommon:RelationshipScopeEnum" default="exclusive"><xs:annotation><xs:documentation>Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Simple Type stixCommon:RelationshipScopeEnum
Namespace
http://stix.mitre.org/common-1
Annotations
ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.
Diagram
Type
restriction of xs:string
Facets
enumeration
inclusive
A single relationship is being defined between the subject and the collection of objects indicated by the related items.
enumeration
exclusive
Multiple relationships are being defined between the specific subject and each object individually.
<xs:simpleType name="RelationshipScopeEnum"><xs:annotation><xs:documentation>ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.</xs:documentation></xs:annotation><xs:restriction base="xs:string"><xs:enumeration value="inclusive"><xs:annotation><xs:documentation>A single relationship is being defined between the subject and the collection of objects indicated by the related items.</xs:documentation></xs:annotation></xs:enumeration><xs:enumeration value="exclusive"><xs:annotation><xs:documentation>Multiple relationships are being defined between the specific subject and each object individually.</xs:documentation></xs:annotation></xs:enumeration></xs:restriction></xs:simpleType>
Complex Type stixCommon:RelatedCourseOfActionType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a course of action.
<xs:complexType name="RelatedCourseOfActionType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a course of action.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference or representation of the related course of action.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:CourseOfActionBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="CourseOfActionBaseType"><xs:annotation><xs:documentation>This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1.1/course_of_action.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this COA.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a COA specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:RelatedObservableType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a cyber observable.
<xs:complexType name="RelatedObservableType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a cyber observable.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Observable" type="cybox:ObservableType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related cyber observable.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:RelatedIndicatorType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an indicator.
<xs:complexType name="RelatedIndicatorType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to an indicator.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Indicator" type="stixCommon:IndicatorBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related indicator.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:RelatedCampaignReferenceType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship by reference to a campaign.
<xs:complexType name="RelatedCampaignReferenceType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship by reference to a campaign.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Campaign" type="stixCommon:CampaignReferenceType"><xs:annotation><xs:documentation>A reference to the related campaign.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
Source
<xs:complexType name="CampaignReferenceType"><xs:annotation><xs:documentation>Characterizes a reference to a campaign.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Names" type="stixCommon:NamesType" minOccurs="0"><xs:annotation><xs:documentation>Specifies one or more campaign names for a cyber threat campaign defined elsewhere.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
<xs:complexType name="NamesType"><xs:sequence><xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.</xs:documentation><xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.1.1. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:RelatedPackageRefsType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes relationships to set of related Packages.
<xs:complexType name="RelatedPackageRefsType"><xs:annotation><xs:documentation>Identifies or characterizes relationships to set of related Packages.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Package_Reference" type="stixCommon:RelatedPackageRefType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a related Package defined elsewhere</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:RelatedPackageRefType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a Package.
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Source
<xs:complexType name="RelatedPackageRefType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a Package.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:complexContent></xs:complexType>
<xs:complexType name="ActivityType" abstract="true"><xs:sequence><xs:element name="Date_Time" type="stixCommon:DateTimeWithPrecisionType"><xs:annotation><xs:documentation>The Date_Time field specifies the date and time at which the activity occured.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:element><xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Description field provides a description of the activity.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
<xs:complexType name="KillChainsType"><xs:sequence><xs:element name="Kill_Chain" type="stixCommon:KillChainType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:KillChainType
Namespace
http://stix.mitre.org/common-1
Annotations
The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.
A resource reference for this kill chain definition.
Source
<xs:complexType name="KillChainType"><xs:annotation><xs:documentation>The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation></xs:annotation><xs:sequence><xs:element name="Kill_Chain_Phase" type="stixCommon:KillChainPhaseType" maxOccurs="unbounded"><xs:annotation><xs:documentation>This field specifies the name of an individual phase within this kill chain definition.</xs:documentation></xs:annotation></xs:element></xs:sequence><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>A globally unique identifier for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>A descriptive name for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="definer"><xs:annotation><xs:documentation>The organization or individual responsible for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="reference" type="xs:anyURI"><xs:annotation><xs:documentation>A resource reference for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="number_of_phases"><xs:annotation><xs:documentation>The number of phases in this kill chain definition.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:RelatedCampaignType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a campaign.
<xs:complexType name="RelatedCampaignType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a campaign.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Campaign" type="stixCommon:CampaignBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related campaign.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:CampaignBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="CampaignBaseType"><xs:annotation><xs:documentation>This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.1.1/campaign.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this cyber threat Campaign.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:RelatedExploitTargetType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an exploit target.
<xs:complexType name="RelatedExploitTargetType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to an exploit target.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related exploit target.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:ExploitTargetBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="ExploitTargetBaseType"><xs:annotation><xs:documentation>This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1.1/exploit_target.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this ExploitTarget.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of an ExploitTarget specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:RelatedIncidentType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to an incident.
<xs:complexType name="RelatedIncidentType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to an incident.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Incident" type="stixCommon:IncidentBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference to or representation of the related incident.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:IncidentBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="IncidentBaseType"><xs:annotation><xs:documentation>This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.1.1/incident.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this cyber threat Incident.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
Complex Type stixCommon:RelatedThreatActorType
Namespace
http://stix.mitre.org/common-1
Annotations
Identifies or characterizes a relationship to a threat actor.
<xs:complexType name="RelatedThreatActorType"><xs:annotation><xs:documentation>Identifies or characterizes a relationship to a threat actor.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="stixCommon:GenericRelationshipType"><xs:sequence><xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" minOccurs="1"><xs:annotation><xs:documentation>A reference or representation of the related threat actor.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
Complex Type stixCommon:ThreatActorBaseType
Namespace
http://stix.mitre.org/common-1
Annotations
This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
Source
<xs:complexType name="ThreatActorBaseType"><xs:annotation><xs:documentation>This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.1.1/threat_actor.xsd.</xs:documentation><xs:documentation>Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.</xs:documentation></xs:annotation><xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this ThreatActor.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a ThreatActor specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.</xs:documentation></xs:annotation></xs:attribute><xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute></xs:complexType>
<xs:complexType name="ExploitTargetsType"><xs:sequence><xs:element name="Exploit_Target" type="stixCommon:ExploitTargetBaseType" minOccurs="0" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.</xs:documentation><xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.1/exploit_target.xsd.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:AddressAbstractType
Namespace
http://stix.mitre.org/common-1
Annotations
The AddressAbstractType is used to express geographic address information.
This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_3.0/1.1.1/ciq_3.0_address.xsd.
Diagram
Source
<xs:complexType name="AddressAbstractType" abstract="true"><xs:annotation><xs:documentation>The AddressAbstractType is used to express geographic address information.</xs:documentation><xs:documentation>This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_3.0/1.1.1/ciq_3.0_address.xsd.</xs:documentation></xs:annotation></xs:complexType>
Complex Type stixCommon:EncodedCDATAType
Namespace
http://stix.mitre.org/common-1
Annotations
This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.
If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.
Source
<xs:complexType name="EncodedCDATAType"><xs:annotation><xs:documentation>This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.</xs:documentation></xs:annotation><xs:simpleContent><xs:extension base="xs:string"><xs:attribute name="encoded" type="xs:boolean" default="false"><xs:annotation><xs:documentation>If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.</xs:documentation></xs:annotation></xs:attribute></xs:extension></xs:simpleContent></xs:complexType>
Complex Type stixCommon:ProfilesType
Namespace
http://stix.mitre.org/common-1
Annotations
The ProfilesType represents a list of STIX Profiles
<xs:complexType name="ProfilesType"><xs:annotation><xs:documentation>The ProfilesType represents a list of STIX Profiles</xs:documentation></xs:annotation><xs:sequence><xs:element name="Profile" type="xs:anyURI" minOccurs="1" maxOccurs="unbounded"><xs:annotation><xs:documentation>The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:complexType>
Complex Type stixCommon:ToolInformationType
Namespace
http://stix.mitre.org/common-1
Annotations
The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use. It is extended from an identically-named type in CybOX and adds standard STIX descriptive fields.
The idref field specifies reference to a unique ID for this Tool.
When idref is specified, the id attribute must not be specified, and any instance of this type should not hold content unless an extension of the type allows it.
Source
<xs:complexType name="ToolInformationType"><xs:annotation><xs:documentation>The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use. It is extended from an identically-named type in CybOX and adds standard STIX descriptive fields.</xs:documentation></xs:annotation><xs:complexContent><xs:extension base="cyboxCommon:ToolInformationType"><xs:sequence><xs:element name="Title" type="xs:string" minOccurs="0"><xs:annotation><xs:documentation>The Title field provides a simple title for a single tool leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element><xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0"><xs:annotation><xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.</xs:documentation></xs:annotation></xs:element></xs:sequence></xs:extension></xs:complexContent></xs:complexType>
<xs:attribute name="id" type="xs:QName" use="optional"><xs:annotation><xs:documentation>Specifies a unique ID for this Indicator.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to the ID of an Indicator specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="vocab_name" type="xs:string" use="optional"><xs:annotation><xs:documentation>The vocab_name field specifies the name of the controlled vocabulary.</xs:documentation></xs:annotation></xs:attribute>
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
<xs:attribute name="vocab_reference" type="xs:anyURI" use="optional"><xs:annotation><xs:documentation>The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.</xs:documentation></xs:annotation></xs:attribute>
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
<xs:attribute name="structuring_format" type="xs:string" use="optional"><xs:annotation><xs:documentation>Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a unique ID for this Identity.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a reference to a unique ID defined elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies the time of this Confidence assertion.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this TTP item.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a TTP item specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
<xs:attribute name="phase_id" type="xs:QName"><xs:annotation><xs:documentation>A globally unique identifier for this kill chain phase.</xs:documentation><xs:documentation>When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).</xs:documentation></xs:annotation></xs:attribute>
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
<xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>This field specifies the descriptive name of the relevant kill chain phase.</xs:documentation><xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.</xs:documentation></xs:annotation></xs:attribute>
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
<xs:attribute name="ordinality" type="xs:int"><xs:annotation><xs:documentation>This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.</xs:documentation><xs:documentation>When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="kill_chain_id" type="xs:QName"><xs:annotation><xs:documentation>This field specifies the ID for the relevant defined kill chain.</xs:documentation></xs:annotation></xs:attribute>
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
<xs:attribute name="kill_chain_name" type="xs:string"><xs:annotation><xs:documentation>This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies the time this statement was asserted.</xs:documentation><xs:documentation>In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.</xs:documentation></xs:annotation></xs:attribute>
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
<xs:attribute name="timestamp_precision" type="stixCommon:DateTimePrecisionEnum" default="second"><xs:annotation><xs:documentation>Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.</xs:documentation></xs:annotation></xs:attribute>
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
<xs:attribute name="scope" type="stixCommon:RelationshipScopeEnum" default="exclusive"><xs:annotation><xs:documentation>Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this COA.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a COA specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="name" type="xs:string"><xs:annotation><xs:documentation>A descriptive name for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="definer"><xs:annotation><xs:documentation>The organization or individual responsible for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="reference" type="xs:anyURI"><xs:annotation><xs:documentation>A resource reference for this kill chain definition.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="number_of_phases"><xs:annotation><xs:documentation>The number of phases in this kill chain definition.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this cyber threat Campaign.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this ExploitTarget.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of an ExploitTarget specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this cyber threat Incident.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="id" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier for this ThreatActor.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="idref" type="xs:QName"><xs:annotation><xs:documentation>Specifies a globally unique identifier of a ThreatActor specified elsewhere.</xs:documentation><xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.</xs:documentation></xs:annotation></xs:attribute>
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
<xs:attribute name="timestamp" type="xs:dateTime"><xs:annotation><xs:documentation>Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation></xs:annotation></xs:attribute>
<xs:attribute name="encoded" type="xs:boolean" default="false"><xs:annotation><xs:documentation>If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.</xs:documentation></xs:annotation></xs:attribute>