Showing:

Annotations
Attributes
Diagrams
Facets
Identity Constraints
Source
Used by
Main schema threat_actor.xsd
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
Element ta:Threat_Actor
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
Identification or characterization of the adversary
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType_timestamp stix_common_xsd.tmp#ThreatActorBaseType threat_actor_xsd.tmp#ThreatActorType_version threat_actor_xsd.tmp#ThreatActorType_Title threat_actor_xsd.tmp#ThreatActorType_Description threat_actor_xsd.tmp#ThreatActorType_Short_Description threat_actor_xsd.tmp#ThreatActorType_Identity threat_actor_xsd.tmp#ThreatActorType_Type threat_actor_xsd.tmp#ThreatActorType_Motivation threat_actor_xsd.tmp#ThreatActorType_Sophistication threat_actor_xsd.tmp#ThreatActorType_Intended_Effect threat_actor_xsd.tmp#ThreatActorType_Planning_And_Operational_Support threat_actor_xsd.tmp#ThreatActorType_Observed_TTPs threat_actor_xsd.tmp#ThreatActorType_Associated_Campaigns threat_actor_xsd.tmp#ThreatActorType_Associated_Actors threat_actor_xsd.tmp#ThreatActorType_Handling threat_actor_xsd.tmp#ThreatActorType_Confidence threat_actor_xsd.tmp#ThreatActorType_Information_Source threat_actor_xsd.tmp#ThreatActorType_Related_Packages threat_actor_xsd.tmp#ThreatActorType
Type ta:ThreatActorType
Type hierarchy
Children ta:Associated_Actors, ta:Associated_Campaigns, ta:Confidence, ta:Description, ta:Handling, ta:Identity, ta:Information_Source, ta:Intended_Effect, ta:Motivation, ta:Observed_TTPs, ta:Planning_And_Operational_Support, ta:Related_Packages, ta:Short_Description, ta:Sophistication, ta:Title, ta:Type
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional 
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
This field must only be used in conjunction with the idref field.
version ta:ThreatActorVersionType optional 
Specifies the relevant STIX-ThreatActor schema version for this content.
Source
 
<xs:element name="Threat_Actor" type="ta:ThreatActorType">
  <xs:annotation>
    <xs:documentation>Identification or characterization of the adversary</xs:documentation>
  </xs:annotation>
  <xs:unique name="unique-ta-id">
    <xs:selector xpath=".//stixCommon:*|.//stix:*|.//cybox:*|.//cyboxCommon:*|.//campaign:*|.//coa:*|.//et:*|.//incident:*|.//indicator:*|.//ta:*|.//ttp:*|.//marking:*"/>
    <xs:field xpath="@id"/>
  </xs:unique>
</xs:element>
Element ta:ThreatActorType / ta:Title
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Title field provides a simple title for this ThreatActor.
Diagram
Diagram
Type xs:string
Source
 
<xs:element name="Title" type="xs:string" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Title field provides a simple title for this ThreatActor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Description
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Description field is optional and provides an unstructured, text description of this ThreatActor.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Description field is optional and provides an unstructured, text description of this ThreatActor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Short_Description
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Short_Description field is optional and provides a short, unstructured, text description of this ThreatActor.
Diagram
Diagram stix_common_xsd.tmp#StructuredTextType_structuring_format stix_common_xsd.tmp#StructuredTextType
Type stixCommon:StructuredTextType
Attributes
QName Type Use Annotation
structuring_format xs:string optional 
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
Source
 
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this ThreatActor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Identity
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Identity field characterizes the identity of this Threat Actor.
 
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.
 
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
Diagram
Diagram stix_common_xsd.tmp#IdentityType_id stix_common_xsd.tmp#IdentityType_idref stix_common_xsd.tmp#IdentityType_Name stix_common_xsd.tmp#IdentityType_Related_Identities stix_common_xsd.tmp#IdentityType
Type stixCommon:IdentityType
Children stixCommon:Name, stixCommon:Related_Identities
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a unique ID for this Identity.
idref xs:QName optional 
Specifies a reference to a unique ID defined elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Source
 
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Identity field characterizes the identity of this Threat Actor.</xs:documentation>
    <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.</xs:documentation>
    <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Type
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Type field characterizes the type(s) of this threat actor. It may be used multiple times to capture multiple types.
 
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Type" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Type field characterizes the type(s) of this threat actor. It may be used multiple times to capture multiple types.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Motivation
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Type field characterizes the motivations of this threat actor. It may be used multiple times to capture multiple motivations.
 
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is MotivationVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Motivation" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Type field characterizes the motivations of this threat actor. It may be used multiple times to capture multiple motivations.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is MotivationVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Sophistication
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Sophistication field specifies the sophistication of this Threat Actor.
 
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorSophisticationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd .
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Sophistication" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Sophistication field specifies the sophistication of this Threat Actor.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorSophisticationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd .</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Intended_Effect
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Intended_Effect field specifies the suspected intended effect for this Threat Actor.
 
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Intended_Effect field specifies the suspected intended effect for this Threat Actor.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Planning_And_Operational_Support
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Planning_And_Operational_Support field specifies the suspected planning and operational support performed by this threat actor.
 
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is PlanningAndOperationalSupportVocab-1.0.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.
 
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Diagram
Diagram stix_common_xsd.tmp#StatementType_timestamp stix_common_xsd.tmp#StatementType_timestamp_precision stix_common_xsd.tmp#StatementType_Value stix_common_xsd.tmp#StatementType_Description stix_common_xsd.tmp#StatementType_Source stix_common_xsd.tmp#StatementType_Confidence stix_common_xsd.tmp#StatementType
Type stixCommon:StatementType
Children stixCommon:Confidence, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time this statement was asserted.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Planning_And_Operational_Support" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Planning_And_Operational_Support field specifies the suspected planning and operational support performed by this threat actor.</xs:documentation>
    <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is PlanningAndOperationalSupportVocab-1.0.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
    <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Observed_TTPs
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Observed_TTPs field specifies the TTPs that this Threat Actor has been observed to leverage.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#ObservedTTPsType_Observed_TTP threat_actor_xsd.tmp#ObservedTTPsType
Type ta:ObservedTTPsType
Type hierarchy
Children ta:Observed_TTP
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:element name="Observed_TTPs" type="ta:ObservedTTPsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Observed_TTPs field specifies the TTPs that this Threat Actor has been observed to leverage.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ObservedTTPsType / ta:Observed_TTP
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Observed_TTP field specifies a TTP that this Threat Actor has been observed to leverage.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedTTPType_TTP stix_common_xsd.tmp#RelatedTTPType
Type stixCommon:RelatedTTPType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:TTP
Source
 
<xs:element name="Observed_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Observed_TTP field specifies a TTP that this Threat Actor has been observed to leverage.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Associated_Campaigns
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Associated_Campaigns field specifies any known Campaigns attributed to this Threat Actor.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#AssociatedCampaignsType_Associated_Campaign threat_actor_xsd.tmp#AssociatedCampaignsType
Type ta:AssociatedCampaignsType
Type hierarchy
Children ta:Associated_Campaign
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:element name="Associated_Campaigns" type="ta:AssociatedCampaignsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Associated_Campaigns field specifies any known Campaigns attributed to this Threat Actor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:AssociatedCampaignsType / ta:Associated_Campaign
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Associated_Campaign field specifies a known Campaign attributed to this Threat Actor.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedCampaignType_Campaign stix_common_xsd.tmp#RelatedCampaignType
Type stixCommon:RelatedCampaignType
Type hierarchy
Children stixCommon:Campaign, stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship
Source
 
<xs:element name="Associated_Campaign" type="stixCommon:RelatedCampaignType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Associated_Campaign field specifies a known Campaign attributed to this Threat Actor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Associated_Actors
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Associated_Actors field specifies other Threat Actors asserted to be associated with this Threat Actor.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#AssociatedActorsType_Associated_Actor threat_actor_xsd.tmp#AssociatedActorsType
Type ta:AssociatedActorsType
Type hierarchy
Children ta:Associated_Actor
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:element name="Associated_Actors" type="ta:AssociatedActorsType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Associated_Actors field specifies other Threat Actors asserted to be associated with this Threat Actor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:AssociatedActorsType / ta:Associated_Actor
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Associated_Actor field specifies another Threat Actor asserted to be associated with this Threat Actor.
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipType_Confidence stix_common_xsd.tmp#GenericRelationshipType_Information_Source stix_common_xsd.tmp#GenericRelationshipType_Relationship stix_common_xsd.tmp#GenericRelationshipType stix_common_xsd.tmp#RelatedThreatActorType_Threat_Actor stix_common_xsd.tmp#RelatedThreatActorType
Type stixCommon:RelatedThreatActorType
Type hierarchy
Children stixCommon:Confidence, stixCommon:Information_Source, stixCommon:Relationship, stixCommon:Threat_Actor
Source
 
<xs:element name="Associated_Actor" type="stixCommon:RelatedThreatActorType" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The Associated_Actor field specifies another Threat Actor asserted to be associated with this Threat Actor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Handling
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Handling field specifies the appropriate data handling markings for the elements of this Threat Actor characterization. The valid marking scope is the nearest ThreatActorBaseType ancestor of this Handling element and all its descendants.
Diagram
Diagram data_marking_xsd.tmp#MarkingType_Marking data_marking_xsd.tmp#MarkingType
Type marking:MarkingType
Children marking:Marking
Source
 
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Handling field specifies the appropriate data handling markings for the elements of this Threat Actor characterization. The valid marking scope is the nearest ThreatActorBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Confidence
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Confidence field characterizes the level of confidence held in the characterization of this Threat Actor.
Diagram
Diagram stix_common_xsd.tmp#ConfidenceType_timestamp stix_common_xsd.tmp#ConfidenceType_timestamp_precision stix_common_xsd.tmp#ConfidenceType_Value stix_common_xsd.tmp#ConfidenceType_Description stix_common_xsd.tmp#ConfidenceType_Source stix_common_xsd.tmp#ConfidenceType_Confidence_Assertion_Chain stix_common_xsd.tmp#ConfidenceType
Type stixCommon:ConfidenceType
Children stixCommon:Confidence_Assertion_Chain, stixCommon:Description, stixCommon:Source, stixCommon:Value
Attributes
QName Type Default Use Annotation
timestamp xs:dateTime optional 
Specifies the time of this Confidence assertion.
 
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
timestamp_precision stixCommon:DateTimePrecisionEnum second optional 
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
Source
 
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Confidence field characterizes the level of confidence held in the characterization of this Threat Actor.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Information_Source
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
The Information_Source field details the source of this entry.
Diagram
Diagram stix_common_xsd.tmp#InformationSourceType_Description stix_common_xsd.tmp#InformationSourceType_Identity stix_common_xsd.tmp#InformationSourceType_Role stix_common_xsd.tmp#InformationSourceType_Contributing_Sources stix_common_xsd.tmp#InformationSourceType_Time stix_common_xsd.tmp#InformationSourceType_Tools stix_common_xsd.tmp#InformationSourceType_References stix_common_xsd.tmp#InformationSourceType
Type stixCommon:InformationSourceType
Children stixCommon:Contributing_Sources, stixCommon:Description, stixCommon:Identity, stixCommon:References, stixCommon:Role, stixCommon:Time, stixCommon:Tools
Source
 
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
  </xs:annotation>
</xs:element>
Element ta:ThreatActorType / ta:Related_Packages
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
Diagram
Type stixCommon:RelatedPackageRefsType
Children stixCommon:Package_Reference
Source
Complex Type ta:ThreatActorType
Namespace http://stix.mitre.org/ThreatActor-1
Diagram
Diagram stix_common_xsd.tmp#ThreatActorBaseType_id stix_common_xsd.tmp#ThreatActorBaseType_idref stix_common_xsd.tmp#ThreatActorBaseType_timestamp stix_common_xsd.tmp#ThreatActorBaseType threat_actor_xsd.tmp#ThreatActorType_version threat_actor_xsd.tmp#ThreatActorType_Title threat_actor_xsd.tmp#ThreatActorType_Description threat_actor_xsd.tmp#ThreatActorType_Short_Description threat_actor_xsd.tmp#ThreatActorType_Identity threat_actor_xsd.tmp#ThreatActorType_Type threat_actor_xsd.tmp#ThreatActorType_Motivation threat_actor_xsd.tmp#ThreatActorType_Sophistication threat_actor_xsd.tmp#ThreatActorType_Intended_Effect threat_actor_xsd.tmp#ThreatActorType_Planning_And_Operational_Support threat_actor_xsd.tmp#ThreatActorType_Observed_TTPs threat_actor_xsd.tmp#ThreatActorType_Associated_Campaigns threat_actor_xsd.tmp#ThreatActorType_Associated_Actors threat_actor_xsd.tmp#ThreatActorType_Handling threat_actor_xsd.tmp#ThreatActorType_Confidence threat_actor_xsd.tmp#ThreatActorType_Information_Source threat_actor_xsd.tmp#ThreatActorType_Related_Packages
Type extension of stixCommon:ThreatActorBaseType
Type hierarchy
Used by
Element ta:Threat_Actor
Children ta:Associated_Actors, ta:Associated_Campaigns, ta:Confidence, ta:Description, ta:Handling, ta:Identity, ta:Information_Source, ta:Intended_Effect, ta:Motivation, ta:Observed_TTPs, ta:Planning_And_Operational_Support, ta:Related_Packages, ta:Short_Description, ta:Sophistication, ta:Title, ta:Type
Attributes
QName Type Use Annotation
id xs:QName optional 
Specifies a globally unique identifier for this ThreatActor.
idref xs:QName optional 
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
 
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
timestamp xs:dateTime optional 
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
 
This field must only be used in conjunction with the idref field.
version ta:ThreatActorVersionType optional 
Specifies the relevant STIX-ThreatActor schema version for this content.
Source
 
<xs:complexType name="ThreatActorType">
  <xs:complexContent>
    <xs:extension base="stixCommon:ThreatActorBaseType">
      <xs:sequence>
        <xs:element name="Title" type="xs:string" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Title field provides a simple title for this ThreatActor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Description field is optional and provides an unstructured, text description of this ThreatActor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Short_Description field is optional and provides a short, unstructured, text description of this ThreatActor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Identity field characterizes the identity of this Threat Actor.</xs:documentation>
            <xs:documentation>This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.</xs:documentation>
            <xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Type" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Type field characterizes the type(s) of this threat actor. It may be used multiple times to capture multiple types.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Motivation" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Type field characterizes the motivations of this threat actor. It may be used multiple times to capture multiple motivations.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is MotivationVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Sophistication" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Sophistication field specifies the sophistication of this Threat Actor.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorSophisticationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd .</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Intended_Effect field specifies the suspected intended effect for this Threat Actor.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Planning_And_Operational_Support" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Planning_And_Operational_Support field specifies the suspected planning and operational support performed by this threat actor.</xs:documentation>
            <xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is PlanningAndOperationalSupportVocab-1.0.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.</xs:documentation>
            <xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Observed_TTPs" type="ta:ObservedTTPsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Observed_TTPs field specifies the TTPs that this Threat Actor has been observed to leverage.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Associated_Campaigns" type="ta:AssociatedCampaignsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Associated_Campaigns field specifies any known Campaigns attributed to this Threat Actor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Associated_Actors" type="ta:AssociatedActorsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Associated_Actors field specifies other Threat Actors asserted to be associated with this Threat Actor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Handling field specifies the appropriate data handling markings for the elements of this Threat Actor characterization. The valid marking scope is the nearest ThreatActorBaseType ancestor of this Handling element and all its descendants.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Confidence field characterizes the level of confidence held in the characterization of this Threat Actor.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Information_Source field details the source of this entry.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The Related_Packages field identifies or characterizes relationships to set of related Packages.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
      <xs:attribute name="version" type="ta:ThreatActorVersionType">
        <xs:annotation>
          <xs:documentation>Specifies the relevant STIX-ThreatActor schema version for this content.</xs:documentation>
        </xs:annotation>
      </xs:attribute>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type ta:ObservedTTPsType
Namespace http://stix.mitre.org/ThreatActor-1
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#ObservedTTPsType_Observed_TTP
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children ta:Observed_TTP
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:complexType name="ObservedTTPsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Observed_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Observed_TTP field specifies a TTP that this Threat Actor has been observed to leverage.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type ta:AssociatedCampaignsType
Namespace http://stix.mitre.org/ThreatActor-1
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#AssociatedCampaignsType_Associated_Campaign
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children ta:Associated_Campaign
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:complexType name="AssociatedCampaignsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Associated_Campaign" type="stixCommon:RelatedCampaignType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Associated_Campaign field specifies a known Campaign attributed to this Threat Actor.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type ta:AssociatedActorsType
Namespace http://stix.mitre.org/ThreatActor-1
Diagram
Diagram stix_common_xsd.tmp#GenericRelationshipListType_scope stix_common_xsd.tmp#GenericRelationshipListType threat_actor_xsd.tmp#AssociatedActorsType_Associated_Actor
Type extension of stixCommon:GenericRelationshipListType
Type hierarchy
Used by
Children ta:Associated_Actor
Attributes
QName Type Default Use Annotation
scope stixCommon:RelationshipScopeEnum exclusive optional 
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
Source
 
<xs:complexType name="AssociatedActorsType">
  <xs:complexContent>
    <xs:extension base="stixCommon:GenericRelationshipListType">
      <xs:sequence>
        <xs:element name="Associated_Actor" type="stixCommon:RelatedThreatActorType" maxOccurs="unbounded">
          <xs:annotation>
            <xs:documentation>The Associated_Actor field specifies another Threat Actor asserted to be associated with this Threat Actor.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Simple Type ta:ThreatActorVersionType
Namespace http://stix.mitre.org/ThreatActor-1
Annotations
 
An enumeration of all versions of the Threat Actor type valid in the current release of STIX.
Diagram
Diagram
Type restriction of xs:string
Facets
enumeration 1.0
enumeration 1.0.1
enumeration 1.1
Used by
Source
 
<xs:simpleType name="ThreatActorVersionType">
  <xs:annotation>
    <xs:documentation>An enumeration of all versions of the Threat Actor type valid in the current release of STIX.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="1.0"/>
    <xs:enumeration value="1.0.1"/>
    <xs:enumeration value="1.1"/>
  </xs:restriction>
</xs:simpleType>
Attribute ta:ThreatActorType / @version
Namespace No namespace
Annotations
 
Specifies the relevant STIX-ThreatActor schema version for this content.
Type ta:ThreatActorVersionType
Facets
enumeration 1.0
enumeration 1.0.1
enumeration 1.1
Used by
Complex Type ta:ThreatActorType
Source
 
<xs:attribute name="version" type="ta:ThreatActorVersionType">
  <xs:annotation>
    <xs:documentation>Specifies the relevant STIX-ThreatActor schema version for this content.</xs:documentation>
  </xs:annotation>
</xs:attribute>
XML Schema documentation generated by ® XML Editor.