schemas.v1.1.1.indicator.xsd Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
STIX Indicator
2.1.1
05/08/2014 9:00:00 AM
Structured Threat Information eXpression (STIX) - Indicator - Schematic implementation for the Indicator construct within the STIX structured cyber threat expression language architecture.
Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included.
The Indicator field characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
The Title field provides a simple title for this Indicator.
Specifies the type or types for this Indicator.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.1/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
The Description field is optional and provides an unstructured, text description for this Indicator.
The Short_Description field is optional and provides an unstructured, text description for this Indicator.
Specifies the time window for which this Indicator is valid.
Content creators should either create a "simple indicator" containing one observable, or a "composite indicator" containing multiple indicators.
Specifies a relevant cyber observable for this Indicator.
Specifies a multipartite composite Indicator.
Specifies the relevant TTP indicated by this Indicator.
Specifies relevant kill chain phases indicated by this Indicator.
The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
Specifies a level of confidence held in the accuracy of this Indicator.
Characterizes a set of sighting reports for this Indicator.
The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.
The Related_Packages field identifies or characterizes relationships to set of related Packages.
The Producer field details the source of this entry.
Specifies the relevant STIX-Indicator schema version for this content.
The negate field specifies the absence of the pattern.
An enumeration of all versions of the Indicator type valid in the current release of STIX.
A basic representation of a temporal window when the thing (e.g., indicator) is valid.
If not present, the valid time position of the indicator does not have a lower bound (i.e., temporal window is only bounded by the end-time).
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
If not present, the valid time position of the indicator does not have an upper bound (i.e., temporal window is only bounded by the start-time).
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Type for allowing content creators to create composite indicator expressions using basic boolean logic.
The indicator field specifies one cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
Specifies the logical composition operator for this composite cyber threat Indicator.
OperatorTypeEnum is an enumeration of valid operators.
The TestMechanismType specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator.
This type is defined as abstract and is intended to be extended to enable the expression of any structured or unstructured test mechanism. STIX provides five default options, Generic, OpenIOC, OVAL, Snort, and YARA. Additionally, those who wish to use another format may do so by using either the existing Generic test mechanism and putting the mechanism specification in the CDATA block or by defining a new extension to this type. The information for the STIX-provided extensions is:
1. Generic: The Generic test mechanism allows for the specification of any generic test mechanism through the use of a raw CDATA section. The type is named GenericTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Generic-1 namespace. The extension is defined in the file extensions/test_mechanism/generic_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/generic/1.1.1/generic_test_mechanism.xsd.
2. OpenIOC: The OpenIOC test mechanism allows for the specification of an OpenIOC test by importing the OpenIOC schema. The type is named IOCTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OpenIOC-1 namespace. The extension is defined in the file extensions/test_mechanism/openioc_2010_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/openioc_2010/1.1.1/openioc_2010_test_mechanism.xsd.
3. OVAL: The OVAL test mechanism allows for the specification of an OVAL definition through importing the OVAL schemas. The type is named OVALTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#OVAL-1 namespace. The extension is defined in the file extensions/test_mechanism/oval-5.10.1_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/oval-5.10.1/1.1.1/oval-5.10.1_test_mechanism.xsd.
4. Snort: The Snort test mechanism allows for the specification of a snort signature through the use of a raw CDATA section. The type is named SnortTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#Snort-1 namespace. The extension is defined in the file extensions/test_mechanism/snort_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/snort/1.1.1/snort_test_mechanism.xsd.
5. YARA: The YARA test mechanism allows for the specification of a YARA test through the use of a raw CDATA section. The type is named YaraTestMechanismType and is in the http://stix.mitre.org/extensions/TestMechanism#YARA-1 namespace. The extension is defined in the file extensions/test_mechanism/yara_test_mechanism.xsd or at the URL http://stix.mitre.org/XMLSchema/extensions/test_mechanism/yara/1.1.1/yara_test_mechanism.xsd.
The Efficacy field provides an assertion of likely effectiveness of this TestMechanism to detect the targeted cyber Observables. The field includes a description of the asserted efficacy of this TestMechanism and a confidence held in the asserted efficacy of this TestMechanism to detect the targeted cyber Observables.
The Producer field details the source of this entry.
Specifies a unique ID for this Test Mechanism.
Specifies a reference to the ID of a Test Mechanism specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Test Mechanism should not hold content.
This field characterizes a single sighting report for this Indicator.
The total number of times this Indicator was reported as sighted.
Describes a single sighting of an indicator.
This field provides a name or description of the sighting source.
This field provides a formal reference to the sighting source.
This field provides a confidence assertion in the accuracy of this sighting.
The Description field is optional and enables an unstructured, text description of this Sighting.
The Related_Observable field identifies or characterizes one or more cyber observables related to this sighting.
This field provides the date and time of the Indicator sighting.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
The Related_Indicator field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
The Suggested_COA field specifies a suggested Course of Action for this cyber threat Indicator.
The TestMechanism field specifies a non-standard Test Mechanism effective at identifying the cyber Observables specified in this cyber threat Indicator. This field is defined as of type TestMechanismType which is an abstract type enabling the extension and inclusion of various formats of Test Mechanism specifications.
The Related_Campaign field captures a single relationship to a related campaign.
The Related_Observable field captures a relationship to a cyber observable related to this sighting.