schemas.v1.2.0.incident.xsd Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
STIX Incident
1.2
05/15/2015 9:00:00 AM
Structured Threat Information eXpression (STIX) - Incident - Schematic implementation for the Incident construct within the STIX structured cyber threat expression language architecture.
Copyright (c) 2012-2015, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included.
This field characterizes a single cyber threat Incident.
Represents a single STIX Incident.
Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc.
The Title field provides a simple title for this Incident.
The External_ID field provides a reference to an ID of an incident in a remote system.
The Time field specifies relevant time values associated with this Incident.
The Description field is optional and provides an unstructured, text description of this Incident.
The Short_Description field is optional and provides a short, unstructured, text description of this Incident.
The Categories field provides a set of categories for this incident.
The Reporter field details information about the reporting source of this Incident.
The Responder field is optional and details information about the assigned responder for this Incident.
The Coordinator field is optional and details information about the assigned coordinator for this Incident.
The Victim field is optional and details information about a victim of this Incident.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.
The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.
Status describes the current status (sometimes called "state" or "disposition") of the incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Incident.
The Related_Observables field identifies or characterizes one or more cyber observables related to this cyber threat incident.
The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.
The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.
The Intended_Effect field specifies the suspected intended effect of this incident.
It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies knowledge of whether the Incident involved a compromise of security properties.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Discovery_Method field identifies how the incident was discovered.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Related_Incidents field identifies or characterizes one or more other Incidents related to this cyber threat Incident.
The COA_Requested field specifies and characterizes a requested CourseOfAction for this Incident as specified by the Producer for the Consumer of the Incident Report
The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.
The Confidence field characterizes the level of confidence held in the characterization of this Incident.
The Contact field identifies and characterizes organizations or personnel involved in this Incident.
The History field provides a log of events or actions taken during the handling of the Incident.
The Information_Source field details the source of this entry.
The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.
The Related_Packages field identifies or characterizes relationships to set of related Packages.
DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
true
Specifies the relevant STIX-Incident schema version for this content.
Specifies a URL referencing the location for the Incident specification.
An enumeration of all versions of the Incident type valid in the current release of STIX.
The security property that was affected by the incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossPropertyVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Description_Of_Effect field is optional and provides a brief prose description of how the security property was affected.
The Type_Of_Availability_Loss field is optional and characterizes in what manner the availability of this asset was affected (e.g. Destruction, Deletion, Interruption).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AvailabilityLossTypeVocab-1.1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Duration_Of_Availability_Loss field is optional and specifies the approximate length of time availability was affected (e.g. Permanent, Seconds, Minutes, Hours, Days).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LossDurationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
This field specifies whether non-public data was compromised or exposed and whether that data was encrypted or not.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Type field is optional and specifies the type of the asset impacted by the incident (a security attribute was negatively affected).
The Description field is optional and provides an unstructured, text description of the asset.
The Business_Function_Or_Role field is optional and provides a brief description of the asset's role, mission, and importance within the organization.
The Ownership_Class field is optional and gives a high-level characterization of who owns (or controls) this asset (e.g. Internally-owned, Employee-owned, Partner-owned, Customer-owned).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is OwnershipClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Management_Class field is optional and gives a high-level characterization of who is responsible for the day-to-day management and administration of this asset (e.g. Managed Internally, Managed by External Party, Co-managed).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ManagementClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Location_Class field is optional and gives a high-level characterization of where this asset is physically located (e.g. Internal location, External location, Co-located, Mobile).
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is LocationClassVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Location field specifies the physical location of the affected asset.
This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://stix.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/address/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq/1.1/ciq_3.0_address.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Nature_Of_Security_Effect field is optional and characterizes how the security properties of the Asset were affected.
The Structured_Description field is optional and provides a structured description of the asset.
The ImpactAssessmentType specifies a summary assessment of impact for this cyber threat Incident.
The Direct_Impact_Summary field is optional and characterizes (at a high level) losses directly resulting from the ThreatActor's actions against organizational assets within the Incident.
The Indirect_Impact_Summary field is optional and characterizes (at a high level) losses from other stakeholder reactions to the Incident.
The Total_Loss_Estimation field is optional and specifies the total estimated financial loss for the Incident.
The Impact_Qualification field is optional and summarizes the subjective level of impact of the Incident.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactQualificationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Effects field captures a list of effects of this incident from a controlled vocabulary.
The External_Impact_Assessment_Model field is optional and characterizes impact assessment details utilizing impact assessment characterization models defined external to STIX. It is defined utilizing an abstract type enabling the definition through extension of incident impact assessment models external to STIX.
The ExternalImpactAssessmentModelType is an abstract type enabling the definition through extension of incident impact assessment models external to STIX.
Specifies the name of the externally defined impact assessment model.
Specifies a URL reference for the externally defined impact assessment model.
The Time field specifies the relative time criteria for this taken CourseOfAction.
The Contributors field specifies contributing actors for the CourseOfAction taken.
The Course_Of_Action field specifies the actual CourseOfAction taken.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.1/course_of_action.xsd.
The JournalEntryType is optional and provides journal notes for information discovered during the handling of the Incident.
Specifies the author of the JournalEntry note.
Specifies the date and time that the JournalEntry note was written.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Represents the precision of the associated time value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
The ExternalIDType provides a reference to an ID of an incident in a remote system.
Specifies the source of the External ID.
Specifies a suggested level of priority to be applied to this requested COA.
The Start field specifies the time at which the CourseOfAction was begun.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The End field specifies the time at which the CourseOfAction was completed.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Specifies the estimated financial loss for the Incident.
Specifies the ISO 4217 currency code if other than USD
The Initial_Reported_Total_Loss_Estimation field is optional and specifies the initially reported level of total estimated financial loss for the Incident.
The Actual_Total_Loss_Estimation field is optional and specifies the actual level of total estimated financial loss for the Incident.
The Loss_Of_Competitive_Advantage field is optional and characterizes (at a high level) the level of impact based on loss of competitive advantage that occured in the Incident including loss/damage/exposure of IP, corporate wisdom, ability to compete, key personnel, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Brand_And_Market_Damage field is optional and characterizes (at a high level) the level of impact based on brand or market damage that occured in the Incident including lost customers or partners, decrease in market value or share, advertising, rebranding, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Increased_Operating_Costs field is optional and characterizes (at a high level) the level of impact based on increased operating costs that occured in the Incident including cost of additional audits, new hires or training, mandatory action, higher insurance, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Legal_And_Regulatory_Costs field is optional and characterizes (at a high level) the level of impact based on legal and regulatory costs that occured in the Incident including legal fees, lawsuits, customer damages, contract violations, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Asset_Losses field is optional and characterizes (at a high level) the level of asset-related losses that occured in the Incident, including lost or damaged assets, stolen funds, cash outlays, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Business-Mission_Disruption field is optional and characterizes (at a high level) the level of business or mission disruption impact that occured in the Incident including unproductive man-hours, lost revenue from system downtime, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Response_And_Recovery_Costs field is optional and characterizes (at a high level) the level of response and recovery related costs that occured in the Incident including cost of response, investigation, remediation, restoration, etc.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ImpactRatingVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Property_Affected field is optional and characterizes how a particular security property of the Asset was affected.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is AssetTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
This field specifies the number of assets of this type affected.
The Action_Entry field is optional and provides a record of actions taken during the handling of the Incident.
The Journal_Entry field is optional and provides journal notes for information discovered during the handling of the Incident.
The History_Item field provides a log entry of an event or action taken during the handling of the Incident.
The Related_Incident field identifies or characterizes another Incident related to this Incident.
The Leveraged_TTP field specifies a single TTP asserted to be related to this cyber threat Incident.
The Related_Observable field identifies or characterizes a cyber threat observable related to this Incident.
The Related_Indicator field identifies or characterizes a cyber threat Indicator related to this Incident.
The AttributedThreatActorsType specifies a Threat Actor asserted to be attributed for this Incident.
The Threat_Actor field specifies details of a Threat Actor asserted to be attributed for this Incident.
The Affected_Asset field is optional and characterizes a particular asset affected during the Incident.
The First_Malicious_Action field specifies the time that the first malicious action related to this Incident occured.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Initial_Compromise field specifies the time that the initial compromise occured for this Incident.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The First_Data_Exfiltration field specifies the first time at which non-public data was taken from the victim environment
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Incident_Discovery field specifies the first time at which the organization learned the incident had occurred.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Incident_Opened field specifies the time at which the Incident was officially opened.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Containment_Achieved field specifies the first time at which the incident is contained (e.g., the “bleeding is stopped”).
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Restoration_Achieved field specifies the first time at which the incident's assets are restored (e.g., fully functional)”.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Incident_Reported field specifies the time at which the Incident was reported.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Incident_Closed field specifies the time at which the Incident was officially closed.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Represents a list of incident categories that an incident is tagged with.
Represents a single category that this incident is tagged with.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentCategoryVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Represents a list of incident effects that an incident is tagged with.
Represents a single effect that this incident is tagged with.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
This type represents whether non-public data was compromised or exposed and whether that data was encrypted or not.
Indicates whether the data that was compromised was encrypted or not.