schemas.v1.2.0.cybox.cybox_core.xsd


	
		This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
		
			CybOX Core
			2.1
			01/22/2014			
			The following specifies the fields and types that compose this defined CybOX Core.
			Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included.
		
	
	
	
		
			The Observables construct represents a collection of cyber observables.
		
		
			
			
		
	
	
		
			The ObservablesType is a type representing a collection of cyber observables.
		
		
			
				
					The Observable_Package_Source field is optional and enables descriptive specification of how this package of Observables was identified and specified.
				
			
			
			
				
					The Pools construct enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
				
			
		
		
			
				The cybox_major_version field specifies the major version of the CybOX language utilized for this set of Observables.
			
		
		
			
				The cybox_minor_version field specifies the minor version of the CybOX language utilized for this set of Observables.
			
		
		
			
				The cybox_update_version field specifies the update version of the CybOX language utilized for this set of Observables. This field MUST be used when using an update version of CybOX.
			
		
	
	
		
			The Observable construct represents a description of a single cyber observable.
		
		
			
			
		
	
	
		
			The ObservableType is a type representing a description of a single cyber observable.
		
		
			
				
					The Title field provides a mechanism to specify a short title or description for this Observable.
				
			
			
				
					The Description field provides a mechanism to specify a structured text description of this Observable.
				
			
			
				
					Keywords enables capture of relevant keywords for this cyber observable.
				
			
			
				
					The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.
				
			
			
				
					
						The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
					
				
				
					
						The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
					
				
				
					
						The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).
					
				
			
			
				
					Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.
				
			
		
		
			
				The id field specifies a unique id for this Observable.
			
		
		
			
				The idref field specifies a unique id reference to an Observable defined elsewhere.
				When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.
			
		
		
			
				The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.
			
		
		
			
				The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.
			
		
	
	
	
		
			TrendEnum is a (non-exhaustive) enumeration of trend types.
		
		
			
				
					Specifies an increasing trend.
				
			
			
				
					Specifies a decreasing trend.
				
			
		
	
	
	
		
			The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
		
		
			
			
		
	
	
		
			The EventType is a complex type representing a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
		
		
			
				
					
						The Type field uses a standardized controlled vocabulary to capture what type of Event this is.
						This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
						Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
					
				
				
					
						The Description field provides a mechanism to specify a structured text description of this Event.
					
				
				
					
						The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern).
					
				
				
					
						The Actions construct enables description/specification of one or more cyber observable actions.
					
				
				
					
						The Location field specifies a relevant physical location.
						This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
						Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
					
				
				
					
						The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.
					
				
			
			
				
					
						This Event construct is included recursively to enable description/specification of composite Events.
					
				
			
		
		
			
				The id field specifies a unique id for this Event.
			
		
		
			
				The idref field specifies a unique id reference to an Event defined elsewhere.
				When idref is specified, the id attribute must not be specified, and any instance of this Event should not hold content unless an extension of the Event allows it.
			
		
	
	
		
			The FrequencyType is a type representing the specification of a frequency for a given action or event.
		
		
			
				This field specifies the rate for this defined frequency.
			
		
		
			
				This field specifies the units for this defined frequency.
			
		
		
			
				This field specifies the time scale for this defined frequency.
			
		
		
			
				This field is optional and conveys a targeted observation pattern of the nature of any trend in the frequency of the associated event or action. This field would be leveraged within an event or action pattern observable triggering on the matching of a specified trend in the frequency of an event or action.
			
		
	
	
		
			The Action construct enables description/specification of a single cyber observable action.
		
		
			
			
		
	
	
		
			The ActionsType is a complex type representing a set of cyber observable actions.
		
		
			
				
					The Action construct enables description/specification of a single cyber observable action.
				
			
		
	
	
		
			The ActionType is a complex type representing a single cyber observable action.
		
		
			
				
					The Type field is optional and utilizes a standardized controlled vocabulary to specify the basic type of the action that was performed.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
					Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
				
			
			
				
					The Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific name of the action that was performed.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
					Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
				
			
			
				
					The Description field contains a textual description of the action.
				
			
			
				
					The Action_Aliases field is optional and enables identification of other potentially used names for this Action.
				
			
			
				
					The Action_Arguments field is optional and enables the specification of relevant arguments/parameters for this Action.
				
			
			
				
					The Location field specifies a relevant physical location.
					This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
					Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
				
			
			
				
					The Discovery_Method field is optional and enables descriptive specification of how this Action was observed (in the case of a Cyber Observable Action instance) or could potentially be observed (in the case of a Cyber Observable Action pattern).
				
			
			
				
					The Associated_Objects construct is optional and enables the description/specification of cyber Objects relevant to this Action (either initiating it or affected by it).
				
			
			
				
					The Relationships construct is optional and enables description of other cyber observable actions that are related to this Action.
				
			
			
				
					The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.
				
			
		
		
			
				The id field specifies a unique id for this Action.
			
		
		
			
				The idref field specifies a unique id reference to an Action defined elsewhere.
				When idref is specified, the id attribute must not be specified, and any instance of this Action should not hold content unless an extension of the Action allows it.
			
		
		
			
				The ordinal_position field is intended to reference the ordinal position of the action within a series of actions.
			
		
		
			
				The action_status field enables description of the status of the action being described.
			
		
		
			
				The context field is optional and enables simple characterization of the broad operational context in which the Action is relevant.
			
		
		
			
				The timestamp field represents the local or relative time at which the action occurred or was observed. In order to avoid ambiguity, it is strongly suggested that all timestamps in this field include a specification of the timezone if it is known.
			
		
		
			
				Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
			
		
	
	
		
			ActionStatusTypeEnum is a (non-exhaustive) enumeration of cyber observable action status types.
		
		
			
				
					Specifies a cyber observable action that was successful.
				
			
			
				
					Specifies a cyber observable action that failed.
				
			
			
				
					Specifies a cyber observable action that resulted in an error.
				
			
			
				
					Specifies a cyber observable action that completed or finished. This action status does not specify the result of the action (e.g., Success/Error).
				
			
			
				
					Specifies a cyber observable action that is pending.
				
			
			
				
					Specifies a cyber observable action that is ongoing.
				
			
			
				
					Specifies a cyber observable action with an unknown status.
				
			
		
	
	
		
			ActionContextTypeEnum is a (non-exhaustive) enumeration of cyber observable action contexts.
		
		
			
				
					Specifies that the cyber observable action occurred on a host.
				
			
			
				
					Specifies that the cyber observable action occurred on a network.
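The Action attributes documented above (action_status, context, timestamp and timestamp_precision) can be audited mechanically. The script below is an added Python example, not code from the schema or the CybOX project; it assumes the cybox-2 namespace, the literal enumeration values Success, Fail, Error, Complete/Finish, Pending, Ongoing, Unknown and Host, Network, the precision names year through second, and reads "zeroed out" as the lowest legal value of each component finer than the stated precision.

```python
"""Audit the attributes of CybOX 2.1 Action elements: action_status and
context against their enumerations, and timestamp against the
timestamp_precision rule (digits finer than the precision must be zeroed,
and a timezone is strongly recommended)."""
import xml.etree.ElementTree as ET
from datetime import datetime

CYBOX_NS = "http://cybox.mitre.org/cybox-2"   # namespace of cybox_core.xsd 2.x
NS = {"cybox": CYBOX_NS}

# Literal enumeration values are assumed here (the documentation above
# describes each value but this extract does not show the literals).
ACTION_STATUS = {"Success", "Fail", "Error", "Complete/Finish",
                 "Pending", "Ongoing", "Unknown"}
ACTION_CONTEXT = {"Host", "Network"}
# timestamp_precision values from coarsest to finest (assumed names).
PRECISION_ORDER = ["year", "month", "day", "hour", "minute", "second"]


def parse_xs_datetime(text):
    """Parse an xs:dateTime; a trailing 'Z' is accepted as UTC.
    Fractional seconds are not handled by this helper."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def floor_to_precision(dt, precision):
    """Return dt with every component finer than `precision` set to its
    lowest legal value: hour/minute/second to 0, month/day to 1 (xs:dateTime
    has no month or day 00). This is our reading of 'zeroed out'."""
    if precision not in PRECISION_ORDER:
        raise ValueError("unknown timestamp_precision %r" % precision)
    level = PRECISION_ORDER.index(precision)
    floors = [("month", 1), ("day", 1), ("hour", 0), ("minute", 0), ("second", 0)]
    # floors[i] is the component PRECISION_ORDER[i + 1]; it is floored only
    # when it is finer than the requested precision.
    finer = {name: value for i, (name, value) in enumerate(floors) if i + 1 > level}
    return dt.replace(microsecond=0, **finer)


def audit_action(action):
    """Return a normalized record for one Action plus a list of issues."""
    issues = []
    status = action.get("action_status")
    if status is not None and status not in ACTION_STATUS:
        issues.append("action_status %r is not an ActionStatusTypeEnum value" % status)
    context = action.get("context")
    if context is not None and context not in ACTION_CONTEXT:
        issues.append("context %r is not an ActionContextTypeEnum value" % context)

    normalized = None
    ts_text = action.get("timestamp")
    if ts_text is not None:
        # Documented default when timestamp_precision is omitted.
        precision = action.get("timestamp_precision", "second")
        dt = parse_xs_datetime(ts_text)
        if dt.tzinfo is None:
            issues.append("timestamp carries no timezone; local time is ambiguous")
        floored = floor_to_precision(dt, precision)
        if floored != dt:
            issues.append("timestamp digits finer than precision %r are not zeroed" % precision)
        normalized = floored.isoformat()

    # Associated_Object carries id or idref (it extends ObjectType) and an
    # Association_Type from the controlled vocabulary, used here as plain text.
    objects = []
    for obj in action.findall("cybox:Associated_Objects/cybox:Associated_Object", NS):
        assoc = obj.findtext("cybox:Association_Type", default="", namespaces=NS)
        objects.append((obj.get("id") or obj.get("idref"), assoc.strip()))

    return {
        "id": action.get("id"),
        "ordinal_position": action.get("ordinal_position"),
        "type": action.findtext("cybox:Type", default=None, namespaces=NS),
        "name": action.findtext("cybox:Name", default=None, namespaces=NS),
        "status": status,
        "timestamp": normalized,
        "objects": objects,
        "issues": issues,
    }


def audit_event(xml_text):
    """Audit every Action under Event/Actions in a CybOX Event document."""
    root = ET.fromstring(xml_text)
    return [audit_action(a) for a in root.findall("cybox:Actions/cybox:Action", NS)]


# Constructed sample Event (not from any real feed). The second Action is
# deliberately sloppy: unknown status, no timezone, hour precision with
# non-zero minutes and seconds.
SAMPLE_EVENT = """<cybox:Event xmlns:cybox="http://cybox.mitre.org/cybox-2" id="example:event-1">
  <cybox:Actions>
    <cybox:Action id="example:act-1" ordinal_position="1" action_status="Success"
                  context="Host" timestamp="2014-01-22T10:15:30Z" timestamp_precision="second">
      <cybox:Type>Create</cybox:Type>
      <cybox:Name>Create File</cybox:Name>
      <cybox:Associated_Objects>
        <cybox:Associated_Object id="example:obj-1">
          <cybox:Association_Type>Affected</cybox:Association_Type>
        </cybox:Associated_Object>
      </cybox:Associated_Objects>
    </cybox:Action>
    <cybox:Action id="example:act-2" ordinal_position="2" action_status="Running"
                  context="Host" timestamp="2014-01-22T10:15:30" timestamp_precision="hour">
      <cybox:Type>Modify</cybox:Type>
      <cybox:Associated_Objects>
        <cybox:Associated_Object id="example:obj-2">
          <cybox:Association_Type>Affected</cybox:Association_Type>
        </cybox:Associated_Object>
      </cybox:Associated_Objects>
    </cybox:Action>
  </cybox:Actions>
</cybox:Event>"""

if __name__ == "__main__":
    for record in audit_event(SAMPLE_EVENT):
        print(record["id"], record["timestamp"], record["issues"])
```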
				
			
		
	
	
		
			The ActionAliasesType enables identification of other potentially used names for this Action.
		
		
			
				
					The Action_Alias field is optional and enables identification of a single other potentially used name for this Action.
				
			
		
	
	
		
			The ActionArgumentsType enables the specification of relevant arguments/parameters for this Action.
		
		
			
				
					The Action_Argument construct is optional and enables the specification of a single relevant argument/parameter for this Action.
				
			
		
	
	
		
			The ActionArgumentType enables the specification of a single relevant argument/parameter for this Action.
		
		
			
				
					The Argument_Name field is optional and utilizes a standardized controlled vocabulary to identify/characterize the specific action argument utilized.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionArgumentNameVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
					Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
				
			
			
				
					The Argument_Value field specifies the value for this action argument/parameter.
				
			
		
	
	
		
			The AssociatedObjectsType enables the description/specification of cyber Objects relevant to an Action.
		
		
			
				
					The Associated_Object construct enables the description of cyber Objects associated with this Action. This could include Objects that initiated the action, are the target Objects affected by the Action, are utilized by the Action or are the returned result of the Action.
				
			
		
	
	
		
			The AssociatedObjectType is a complex type representing the characterization of a cyber observable Object associated with a given cyber observable Action.
		
		
			
				
					
						
							The Association_Type field utilizes a standardized controlled vocabulary to specify the kind of association this Object holds for this Action.
							This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionObjectAssociationTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
							Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
						
					
					
						
							The Action_Pertinent_Object_Properties construct is optional and identifies which of the Properties of this Object are specifically pertinent to this Action.
						
					
				
			
		
	
	
		
			The ActionPertinentObjectPropertiesType identifies which of the Properties of this Object are specifically pertinent to this Action.
		
		
			
				
					The Property construct identifies a single Object Property that is specifically pertinent to this Action.
				
			
		
	
	
		
			The ActionPertinentObjectPropertyType identifies one of the Properties of an Object that is specifically pertinent to an Action.
		
		
			
				The name field specifies the field name for the pertinent Object Property.
			
		
		
			
				The xpath field specifies the XPath 1.0 expression identifying the pertinent property within the Properties schema for this object type.
			
		
	
	
		
			The ActionRelationshipsType captures 1-n relationships between an Action and another Action.
		
		
			
				
					The Relationship construct is required and enables description of a single other cyber observable Action that is related to this Action.
				
			
		
	
	
		
			The ActionRelationshipType characterizes a relationship between a specified cyber observable action and another cyber observable action.
		
		
			
				
					The Type field utilizes a standardized controlled vocabulary to describe the nature of the relationship between this Action and the related Action.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ActionRelationshipTypeVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
					Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
				
			
			
				
					The Action_Reference construct captures references to other Actions.
				
			
		
	
	
		
			ActionReferenceType is intended to serve as a method for linking to actions.
		
		
			
				The action_id field refers to the id of the action being referenced.
			
		
	
	
		
			The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
		
		
			
			
		
	
	
		
			The ObjectType is a complex type representing the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
		
		
			
				
					The State field enables the description of the current state of the object, through a standardized controlled vocabulary.
					This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
					Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
				
			
			
				
					The Description field provides a mechanism to specify a structured text description of this Object.
				
			
			
				
					The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. The set of Properties schemas are maintained independent of the core CybOX schema.
				
			
			
				
					The Domain_Specific_Object_Properties construct is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
				
			
			
				
					The Location field specifies a relevant physical location.
					This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.
					Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
				
			
			
				
					The Related_Objects construct is optional and enables the identification and/or specification of Objects with relevant relationships with this Object.
				
			
			
				
					The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
				
			
			
				
					The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).
				
			
		
		
			
				The id field specifies a unique id for this Object.
			
		
		
			
				The idref field specifies a unique id reference to an Object defined elsewhere.
				When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.
			
		
		
			
				The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.
			
		
	
	
		
			The DomainSpecificObjectPropertiesType is an abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.
		
	
	
		
			The RelatedObjectsType enables the identification and/or specification of Objects with relevant relationships with this Object.
		
		
			
				
					The Related_Object construct is optional and enables the identification and/or specification of a single Object with a relevant relationship with this Object.
				
			
		
	
	
		
			The RelatedObjectType enables the identification and/or specification of an Object with a relevant relationship with this Object.
		
		
			
				
					
						
							The Relationship field uses a standardized controlled vocabulary to capture the nature of the relationship between this Object and the Related_Object.
							This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectRelationshipVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.
							Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.
							When idref is specified, by design, an instance may declare a Relationship child.
						
					
				
			
		
	
	
		
			The DefinedEffectType is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.
		
		
			
				The effect_type field specifies the nature of the Defined Effect instantiated in the place of the Defined_Effect element.
			
		
	
	
		
			EffectTypeEnum is a (non-exhaustive) enumeration of effect types.
		
		
			
				
					Specifies that the associated Action had an effect on the Object of changing its state.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of reading data from it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of writing data to it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of sending data to it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of receiving data from it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of reading properties from it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of enumerating properties from it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of enumerating values from it.
				
			
			
				
					Specifies that the associated Action had an effect on the Object of having a control code sent to it.
				
			
		
	
	
		
			The StateChangeEffectType is intended as a generic way of characterizing the effects of actions upon objects where some state of the object is changed.
		
		
			
				
					
						
							The Old_Object construct specifies the object and its properties as they were before the state change effect occurred.
						
					
					
						
							The New_Object construct specifies the object and its properties as they are after the state change effect occurred.
						
					
				
			
		
	
	
		
			The DataReadEffectType type is intended to characterize the effects of actions upon objects where some data is read, such as from a file or a pipe.
		
		
			
				
					
						
							The Data field specifies the data that was read from the object by the action.
						
					
				
			
		
	
	
		
			The DataWrittenEffectType type is intended to characterize the effects of actions upon objects where some data is written, such as to a file or a pipe.
		
		
			
				
					
						
							The Data field specifies the data that was written to the object by the action.
						
					
				
			
		
	
	
		
			The DataSentEffectType type is intended to characterize the effects of actions upon objects where some data is sent, such as a byte sequence on a socket.
		
		
			
				
					
						
							The Data field specifies the data that was sent on the object, or from the object, by the action.
						
					
				
			
		
	
	
		
			The DataReceivedEffectType type is intended to characterize the effects of actions upon objects where some data is received, such as a byte sequence on a socket.
		
		
			
				
					
						
							The Data field specifies the data that was received on the object, or from the object, by the action.
						
					
				
			
		
	
	
		
			The PropertyReadEffectType type is intended to characterize the effects of actions upon objects where some specific property is read from an object, such as the current running state of a process.
		
		
			
				
					
						
							The Name field specifies the Name of the property being read.
						
					
					
						
							The Value field specifies the value of the property being read.
						
					
				
			
		
	
	
		
			The PropertiesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some properties of the object are enumerated, such as the startup parameters for a process.
		
		
			
				
					
						
							The Properties field specifies the properties that were enumerated as a result of the action on the object.
						
					
				
			
		
	
	
		
			The PropertiesType specifies the properties that were enumerated as a result of the action on the object.
		
		
			
				
					The Property element specifies a single property that was enumerated as a result of the action on the object.
				
			
		
	
	
		
			The ValuesEnumeratedEffectType type is intended to characterize the effects of actions upon objects where some values of the object are enumerated, such as the values of a registry key.
		
		
			
				
					
						
							The Values field specifies the values that were enumerated as a result of the action on the object.
						
					
				
			
		
	
	
		
			The ValuesType specifies the values that were enumerated as a result of the action on the object.
		
		
			
				
					The Value field specifies a single value that was enumerated as a result of the action on the object.
				
			
		
	
	
		
			The SendControlCodeEffectType is intended to characterize the effects of actions upon objects where some control code, or other control-oriented communication signal, is sent to the object. For example, an action may send a control code to change the running state of a process.
		
		
			
				
					
						
							The Control_Code field specifies the actual control code that was sent to the object.
						
					
				
			
		
	
	
		
			The Property element represents the specification of a single Object Property.
		
		
			
			
		
	
	
		
			The ObservablesCompositionType enables the specification of higher-order composite observables composed of logical combinations of other observables.
		
		
			
				
					The Observable construct represents a description of a single cyber observable.
				
			
		
		
			
				The operator field enables the specification of complex compositional cyber observables by providing logical operators for defining interrelationships between constituent cyber observables defined utilizing the recursive Observable element.
			
		
	
	
		
			OperatorTypeEnum is a (non-exhaustive) enumeration of operators.
		
		
			
				
					Specifies the AND logical composition operation.
				
			
			
				
					Specifies the OR logical composition operation.
				
			
		
	
	
		
			The PoolsType enables the description of Events, Actions, Objects and Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled elements. This reduces redundancy caused when identical observable elements occur multiple times within a set of defined Observables.
		
		
			
				
					The Event_Pool construct enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
				
			
			
				
					The Action_Pool construct enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
				
			
			
				
					The Object_Pool construct enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
				
			
			
				
					The Property_Pool construct enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
				
			
		
	
	
		
			The EventPoolType enables the description of CybOX Events in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Event elements. This reduces redundancy caused when identical Events occur multiple times within a set of defined Observables.
		
		
			
				
					The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).
				
			
		
	
	
		
			The ActionPoolType enables the description of CybOX Actions in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Action elements. This reduces redundancy caused when identical Actions occur multiple times within a set of defined Observables.
		
		
			
				
					The Action construct enables description/specification of a single cyber observable action.
				
			
		
	
	
		
			The ObjectPoolType enables the description of CybOX Objects in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Object elements. This reduces redundancy caused when identical Objects occur multiple times within a set of defined Observables.
		
		
			
				
					The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).
				
			
		
	
	
		
			The PropertyPoolType enables the description of CybOX Properties in a space-efficient pooled manner with the actual Observable structures defined in the CybOX schema containing references to the pooled Properties elements. This reduces redundancy caused when identical Properties occur multiple times within a set of defined Observables.
		
		
			
				
					The Property construct enables the specification of a single Object Property.
				
			
		
	
	
		
			NoisinessEnum is a (non-exhaustive) enumeration of potential levels of noisiness for a given observable pattern.
		
		
			
				
					Specifies that this observable has a high level of noisiness meaning a potentially high level of false positives.
				
			
			
				
					Specifies that this observable has a medium level of noisiness meaning a potentially medium level of false positives.
				
			
			
				
					Specifies that this observable has a low level of noisiness meaning a potentially low level of false positives.
				
			
		
	
	
		
			The ObfuscationTechniquesType enables the description of a set of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
		
		
			
				
					The Obfuscation_Technique field is optional and enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
				
			
		
	
	
		
			The ObfuscationTechniqueType enables the description of a single potential technique an attacker could leverage to obfuscate the observability of this Observable.
		
		
			
				
					The Description field captures a structured text description of the obfuscation technique.
				
			
			
				
					The Observables construct is optional and enables description of potential cyber observables that could indicate the use of this particular obfuscation technique.
				
			
		
	
	
		
			The EaseOfObfuscationEnum is a (non-exhaustive) enumeration of simple characterizations of how easy it would be for an attacker to obfuscate the observability of this Observable.
		
		
			
				
					Specifies that this observable is very easy to obfuscate and hide.
				
			
			
				
					Specifies that this observable is somewhat easy to obfuscate and hide.
				
			
			
				
					Specifies that this observable is not very easy to obfuscate and hide.
				
			
		
	
	
		
			
				
					Each keyword element contains one keyword.
				
			
		
	
	
		
			
				
					The Noisiness field is optional and enables simple characterization of how noisy this Observable typically could be, in other words, how likely it is to generate false positives.
				
			
			
				
					The Ease_of_Obfuscation field is optional and enables simple characterization of how easy it would be for an attacker to obfuscate the observability of this Observable.
				
			
			
				
					The Obfuscation_Techniques field is optional and enables the description of potential techniques an attacker could leverage to obfuscate the observability of this Observable.
				
			
		
	




