schemas.v1.2.0.stix_common.xsd Maven / Gradle / Ivy
Go to download
Show more of this group Show more artifacts with this name
Show all versions of stix Show documentation
Show all versions of stix Show documentation
The Java bindings for STIX v.1.2.0.2
The newest version!
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org.
STIX Common
1.2
05/15/2015 9:00:00 AM
Structured Threat Information eXpression (STIX) - Common - Schematic implementation for the common types of a structured cyber threat expression language architecture.
Copyright (c) 2012-2015, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included.
The InformationSourceType details the source of a given data entry.
The Description field provides a description of this information source.
The Identity field is optional and specifies the identity of the information source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.2/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Role field is optional and enables characterization of the sourcing Role played by this Information Source.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is InformationSourceRoleVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
The Contributing_Sources field is optional and enables description of the individual contributing sources involved in this instance.
The Time element is optional and enables description of various time-related attributes for this instance.
The Tools element is optional and enables description of the tools utilized for this instance.
The References field is optional and enables specification of references to information source material for this instance.
The ConfidenceType specifies a level of Confidence held in some assertion.
Specifies the level of confidence held in this direct assertion.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
The Description field provides a description of the confidence value and how it was derived.
The Source field specifies the source of this confidence assertion. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The Confidence_Assertion_Chain field specifies a set of related confidence levels in this assertion along with who made them, when they were made and how they were made.
Specifies the time of this Confidence assertion.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
The Date_Time field specifies the date and time at which the activity occured.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
The Description field provides a description of the activity.
This field specifies a single kill chain definition for reference within specific TTP entries, Indicators and elsewhere.
The KillChainType characterizes a specific Kill Chain definition for reference within specific TTP entries, Indicators and elsewhere.
This field specifies the name of an individual phase within this kill chain definition.
A globally unique identifier for this kill chain definition.
A descriptive name for this kill chain definition.
The organization or individual responsible for this kill chain definition.
A resource reference for this kill chain definition.
The number of phases in this kill chain definition.
The KillChainPhaseType characterizes an individual phase within a kill chain definition.
A globally unique identifier for this kill chain phase.
When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
This field specifies the descriptive name of the relevant kill chain phase.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.
When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
The Kill_Chain_Phase field specifies a single Kill Chain phase associated with this item.
The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.
This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.
This field specifies the ID for the relevant defined kill chain.
This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.
The IdentityType is used to express identity information for both individuals and organizations.
This type is extended through the xsi:type mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_3.0/1.2/ciq_3.0_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field of this type.
The Name field allows for expression of an identity through a simple name.
The Related_Identities field identifies other entity Identities related to this entity Identity.
Specifies a unique ID for this Identity.
Specifies a reference to a unique ID defined elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Identity should not hold content.
Allows the expression of a list of relationships between STIX components. It's extended throughout STIX and should not be used directly.
Indicates how multiple related items should be interpreted in this relationship. If "inclusive" is specified, then a single conceptual relationship is being defined between the subject and the collection of objects indicated by the related items (i.e. the relationship is not necessarily relevant for any one particular object being referenced, but for the aggregated collection of objects referenced). If "exclusive" is specified, then multiple relationships are being defined between the specific subject and each object individually.
ScopeEnum is an enumeration of potential assertions on how a group of relationships should be treated.
A single relationship is being defined between the subject and the collection of objects indicated by the related items.
Multiple relationships are being defined between the specific subject and each object individually.
Allows the expression of relationships between STIX components. It is extended by each component relationship type to add the component itself.
The confidence field specifies the level of confidence in the assertion of the relationship between the two components.
The Information_Source field specifies the source of the information about the relationship between the two components.
The relationship field characterizes the type of the relationship between the two components.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Identifies or characterizes a relationship to a campaign.
A reference to or representation of the related campaign.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.
Identifies or characterizes a relationship by reference to a campaign.
A reference to the related campaign.
Characterizes a reference to a campaign.
Specifies one or more campaign names for a cyber threat campaign defined elsewhere.
Specifies a globally unique identifier for a cyber threat campaign defined elsewhere.
In conjunction with the idref, this field may be used to reference a specific version of a campaign defined elsewhere.
The Name field specifies a Name used to identify a Campaign. This field can be used to capture various aliases used to identify this Campaign.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
Identifies or characterizes a relationship to a course of action.
A reference or representation of the related course of action.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.
Identifies or characterizes a relationship to an exploit target.
A reference to or representation of the related exploit target.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd.
Identifies or characterizes a relationship to an incident.
A reference to or representation of the related incident.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.
Identifies or characterizes a relationship to an indicator.
A reference to or representation of the related indicator.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.1.1/indicator.xsd.
Identifies or characterizes a relationship to a cyber observable.
A reference to or representation of the related cyber observable.
Identifies or characterizes a relationship to a threat actor.
A reference or representation of the related threat actor.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.
Identifies or characterizes a relationship to an TTP.
A reference to or representation of the related TTP.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.
Identifies or characterizes a relationship to a report.
A reference or representation of the related report.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.
Identifies or characterizes a relationship to an Identity.
A reference to or representation of the related Identity.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity_3.0.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity_3.0/1.2/ciq_identity_3.0.xsd.
This type represents the STIX Indicator component. It is extended using the XML Schema Extension feature by the STIX Indicator type itself. Users of this type who wish to express a full indicator using STIX must do so using the xsi:type extension feature. The STIX-defined Indicator type is IndicatorType in the http://stix.mitre.org/Indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/1.2.1/indicator.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an indicator defined elsewhere can do so without specifying an xsi:type.
Specifies a unique ID for this Indicator.
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Incident component. It is extended using the XML Schema Extension feature by the STIX Incident type itself. Users of this type who wish to express a full incident using STIX must do so using the xsi:type extension feature. The STIX-defined Incident type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an incident defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this cyber threat Incident.
Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX TTP component. It is extended using the XML Schema Extension feature by the STIX TTP type itself. Users of this type who wish to express a full TTP using STIX must do so using the xsi:type extension feature. The STIX-defined TTP type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a TTP defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this TTP item.
Specifies a globally unique identifier of a TTP item specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this TTP item should not hold content.
Specifies a timestamp for the definition of a specific version of a TTP item. When used in conjunction with the id, this field is specifying the definition time for the specific version of the TTP item. When used in conjunction with the idref, this field is specifying a reference to a specific version of a TTP item defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Exploit Target component. It is extended using the XML Schema Extension feature by the STIX Exploit Target type itself. Users of this type who wish to express a full exploit target using STIX must do so using the xsi:type extension feature. The STIX-defined Exploit Target type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd.
Alternatively, uses that require simply specifying an idref as a reference to an exploit target defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this ExploitTarget.
Specifies a globally unique identifier of an ExploitTarget specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ExploitTarget should not hold content.
Specifies a timestamp for the definition of a specific version of an ExploitTarget When used in conjunction with the id, this field is specifying the definition time for the specific version of the ExploitTarget. When used in conjunction with the idref, this field is specifying a reference to a specific version of an ExploitTarget defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Course of Action component. It is extended using the XML Schema Extension feature by the STIX Course of Action type itself. Users of this type who wish to express a full course of action using STIX must do so using the xsi:type extension feature. The STIX-defined Course of Action type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a course of action defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this COA.
Specifies a globally unique identifier of a COA specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.
Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Campaign component. It is extended using the XML Schema Extension feature by the STIX Campaign type itself. Users of this type who wish to express a full campaign using STIX must do so using the xsi:type extension feature. The STIX-defined Campaign type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a campaign defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this cyber threat Campaign.
Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.
Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Threat Actor component. It is extended using the XML Schema Extension feature by the STIX Threat Actor type itself. Users of this type who wish to express a full threat actor using STIX must do so using the xsi:type extension feature. The STIX-defined Threat Actor type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a threat actor defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this ThreatActor.
Specifies a globally unique identifier of a ThreatActor specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.
Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This type represents the STIX Report component. It is extended using the XML Schema Extension feature by the STIX Report type itself. Users of this type who wish to express a full report using STIX must do so using the xsi:type extension feature. The STIX-defined Report type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.
Alternatively, uses that require simply specifying an idref as a reference to a report defined elsewhere can do so without specifying an xsi:type.
Specifies a globally unique identifier for this Report.
Specifies a globally unique identifier of a Report specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Report should not hold content.
Specifies a timestamp for the definition of a specific version of a Report. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Report. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Report defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
The Exploit_Target field characterizes a potential vulnerability, weakness or configuration target for exploitation.
This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ExploitTargetType in the http://stix.mitre.org/ExploitTarget-1 namespace. This type is defined in the exploit_target.xsd file or at the URL http://stix.mitre.org/XMLSchema/exploit_target/1.2/exploit_target.xsd.
The AddressAbstractType is used to express geographic address information.
This type is intended to be extended through the xsi:type mechanism. The default type is CIQAddress3.0InstanceType in the http://stix.mitre.org/extensions/Address#CIQAddress3.0-1 namespace. This type is defined in the extensions/identity/ciq_3.0_address.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/address/ciq_3.0/1.2/ciq_3.0_address.xsd.
The Source field contains information describing the identity, resources and timing of involvement for a single contributing Source.
This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.2/ciq_identity.xsd.
Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
The Reference field is optional and enables specification of a reference to an information source material.
The Related_Identity field identifies a single other entity Identity related to this entity Identity.
The Confidence_Assertion field specifies a related confidence level in this assertion along with who made it, when it was made and how it was made.
StatementType allows the expression of a statement with an associated value, description, source, confidence, and timestamp.
Specifies a value characterizing the statement within some vocabulary.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary may be provided by the field using this construct. If that's the case, the schema annotations on that element will describe which vocabulary to use. If not, the default vocabulary is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies a prose description of the statement.
The Source field captures the source of this statement. An optional vocabulary name and reference allows the expression of the source name in some given vocabulary context.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. No default vocabulary type has been defined for STIX 1.2. Users may either define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a free string field.
The Confidence field characterizes the level of confidence held in the statement.
Specifies the time this statement was asserted.
In order to avoid ambiguity, it is strongly suggest that all timestamps include a specification of the timezone if it is known.
Represents the precision of the associated timestamp value. If omitted, the default is "second", meaning the timestamp is precise to the full field value. Digits in the timestamp that are required by the xs:dateTime datatype but are beyond the specified precision should be zeroed out.
The StructuredTextType is a type representing a generalized structure for capturing structured or unstructured textual information such as descriptions of things.
Specifies a globally unique identifier for this Description.
Specifies the intended order position of this construct instance (e.g. Description) within a set of potentially multiple peer construct instances. If only a single construct instance is present its ordinality can be assumed to be 1. If multiple construct instances are present, the ordinality field should be specified with unique values for each instance.
Used to indicate a particular structuring format (e.g., HTML5) used within an instance of StructuredTextType. Note that if the markup tags used by this format would be interpreted as XML information (such as the bracket-based tags of HTML) the text area should be enclosed in a CDATA section to prevent the markup from interferring with XML validation of the STIX document. If this attribute is absent, the implication is that no markup is being used.
This type is used to represent data in an XML CDATA block. Data in a CDATA block may either be represented as-is or, in cases where it may contain characters that are not valid in CDATA, it may be encoded in Base64 per RFC4648. Data encoded in Base64 must be denoted as such using the encoded attribute.
If true, specifies that the content encoded in the element is encoded using Base64 per RFC4648.
The ControlledVocabularyStringType is used as the basis for defining controlled vocabularies.
The vocab_name field specifies the name of the controlled vocabulary.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.
This type is used as a replacement for the standard xs:dateTime type but allows for the representation of the precision of the dateTime. If the precision is given, consumers must ignore the portions of this field that is more precise than the given precision. Producers should zero-out (fill with zeros) digits in the dateTime that are required by the xs:dateTime datatype but are beyond the specified precision.
In order to avoid ambiguity, it is strongly suggested that all dateTimes include a specification of the timezone if it is known.
The precision of the associated dateTime. If omitted, the default is "second", meaning the full field value (including fractional seconds).
Possible values for representing time precision.
DateTime is precise to the given year.
DateTime is precise to the given month.
DateTime is precise to the given day.
DateTime is precise to the given hour.
DateTime is precise to the given minute.
DateTime is precise to the given second (including fractional seconds).
The ProfilesType represents a list of STIX Profiles
The Profile field represents a reference to one STIX Profile. The profile is referenced as a URI and should include components for: the creator of the profile, the name of the profile, and the version of the profile. When publishing a profile, this URI should be published alongside the profile such that it can be referred to from this field.
Identifies or characterizes a relationship to a Package.
Specifies a globally unique identifier of a STIX Package specified elsewhere.
In conjunction with the idref, this field may be used to reference a specific version of a STIX Package defined elsewhere.
Identifies or characterizes relationships to set of related Packages.
Identifies or characterizes a relationship to a related Package defined elsewhere
The ToolInformationType is intended to characterize the properties of a hardware or software tool, including those related to instances of its use. It is extended from an identically-named type in CybOX and adds standard STIX descriptive fields.
The Title field provides a simple title for a single tool leveraged by this TTP item.
The Short_Description field is optional and provides a short, unstructured, text description of a single tool leveraged by this TTP item.