schemas.v1.2.0.campaign.xsd Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
STIX Campaign
1.2
05/15/2015 9:00:00 AM
Structured Threat Information eXpression (STIX) - Campaign - Schematic implementation for the Campaign construct within the STIX structured cyber threat expression language architecture.
Copyright (c) 2012-2015, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included.
The Campaign field characterizes a single cyber threat Campaign.
Represents a single STIX Campaign.
Campaigns are instances of ThreatActors pursuing an intent, as observed through sets of Incidents and/or TTP, potentially across organizations. In a structured sense, Campaigns may consist of the suspected intended effect of the adversary, the related TTP leveraged within the Campaign, the related Incidents believed to be part of the Campaign, attribution to the ThreatActors believed responsible for the Campaign, other Campaigns believed related to the Campaign, confidence in the assertion of aggregated intent and characterization of the Campaign, activity taken in response to the Campaign, source of the Campaign information, handling guidance, etc.
The Title field provides a simple title for this Campaign.
The Description field is optional and provides an unstructured, text description of this Campaign.
The Short_Description field is optional and provides a short, unstructured, text description of this Campaign.
The Names field specifies Names used to identify this Campaign. These may be either internal or external names.
The Intended_Effect field characterizes the intended effect of this cyber threat Campaign.
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The status of this Campaign. For example, is the Campaign ongoing, historical, future, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CampaignStatusType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Related_TTPs field specifies TTPs asserted to be related to this cyber threat Campaign.
The Related_Incidents field identifies or characterizes one or more Incidents related to this cyber threat Campaign.
The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Campaign.
NOTE: As of STIX Version 1.1, this field is deprecated and is scheduled to be removed in STIX Version 2.0. Relationships between indicators and campaigns should be represented using the Related_Campaigns field on IndicatorType unless legacy code or content requires the use of this field.
true
The Attribution field specifies assertions of attibuted Threat Actors for this cyber threat Campaign.
The Associated_Campaigns field specifies other cyber threat Campaigns asserted to be associated with this cyber threat Campaign.
The Confidence field characterizes the level of confidence held in the characterization of this Campaign.
The Activity field characterizes actions taken in regards to this Campaign. This field is defined as of type ActivityType which is an abstract type enabling the extension and inclusion of various formats of Activity characterization.
The Information_Source field details the source of this entry.
The Handling field specifies the appropriate data handling markings for the elements of this Campaign. The valid marking scope is the nearest CampaignBaseType ancestor of this Handling element and all its descendants.
The Related_Packages field identifies or characterizes relationships to set of related Packages.
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
true
Specifies the relevant STIX-Campaign schema version for this content.
An enumeration of all versions of the Campaign type valid in the current release of STIX.
AttributionType specifies suspected Threat Actors attributed to a given Campaign.
The Attributed_Threat_Actor field specifies a Threat Actor asserted to be attributed for a Campaign. The specification of multiple ThreatActor entries for a single Attribution entry would be interpreted as a logical AND composition of the set of specified ThreatActors with a shared Confidence and Information Source. This would be used to assert attribution to a combined set of ThreatActors.
The Related_TTP field specifies a single TTP asserted to be related to this cyber threat Campaign.
The Name field specifies a Name used to identify this Campaign. This field can be used to capture various aliases used to identify this Campaign.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Identifies or characterizes an Incident related to this Campaign.
The Related_Indicator field identifies or characterizes a cyber threat Indicator related to this Campaign. Such loose associations between Campaigns and Indicators are typically part of the early phases of Campaign identification and characterization. As the Campaign characterization matures these associations are often used to identify relevant TTPs and/or Incidents associated with the Campaign.
The Associated_Campaign field specifies a single other cyber threat Campaign asserted to be associated with this cyber threat Campaign.