Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance. Project price only 1 $
You can buy this project and download/modify it how often you want.
This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org. STIX Default Vocabularies1.2.005/15/2015 9:00:00 AMStructured Threat Information eXpression (STIX) - Schematic implementation for controlled vocabularies used in the Structured Threat Information eXchange format.Copyright (c) 2012-2015, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included.
The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
The default set of values to use for a report intent in STIX.1.0Report is intended to describe a broad characterization of a threat across multiple facets.Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.Report is intended to describe mainly indicators.Report is intended to describe mainly phishing indicators.Report is intended to describe mainly network watchlist indicators.Report is intended to describe mainly malware artifact indicators.Report is intended to describe mainly network activity indicators.Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.Report is intended to describe mainly a characterization of one or more campaigns.Report is intended to describe mainly a characterization of one or more threat actors.Report is intended to describe mainly a characterization of one or more exploits.Report is intended to describe mainly a characterization of one or more attack patterns.Report is intended to describe mainly a characterization of one or more malware instances.Report is intended to describe mainly a characterization of attacker infrastructure.Report is intended to describe mainly a characterization of attacker tools.Report is intended to describe mainly a set of courses of action.Report is intended to describe mainly information about one or more incidents.Report is intended to describe mainly information about instantial observations (cyber observables).Report is intended to describe mainly information about instantial email observations (email cyber observables).Report is intended to describe a set of malware samples.
The PackageIntentVocab is the default STIX vocabulary for Package Intent.
NOTE: As of STIX Version 1.2, the PackageIntentVocab is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentVocab-1.0 instead.trueThe default set of values to use for a package intent in STIX.NOTE: As of STIX Version 1.2, the PackageIntentEnum is deprecated and should only be used with the deprecated STIXHeaderType/Package_Intent field. Please use a Report and ReportIntentEnum-1.0 instead.1.0truePackage is intended to convey a broad characterization of a threat across multiple facets.Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report.Package is intended to convey mainly indicators.Package is intended to convey mainly phishing indicators.Package is intended to convey mainly network watchlist indicators.Package is intended to convey mainly malware artifact indicators.Package is intended to convey mainly network activity indicators.Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.Package is intended to convey mainly a characterization of one or more campaigns.Package is intended to convey mainly a characterization of one or more threat actors.Package is intended to convey mainly a characterization of one or more exploits.Package is intended to convey mainly a characterization of one or more attack patterns.Package is intended to convey mainly a characterization of one or more malware instances.Package is intended to convey mainly a characterization of attacker infrastructure.Package is intended to convey mainly a characterization of attacker tools.Package is intended to convey mainly a set of courses of action.Package is intended to convey mainly information about one or more incidents.Package is intended to convey mainly information about instantial observations (cyber observables).Package is intended to convey mainly information about instantial email observations (email cyber observables).Package is intended to convey a set of malware samples.The HighMediumLowVocab is the default STIX vocabulary for expressing basic values that may be high, medium, low, none, or unknown.The default set of values to use for expressing a high/medium/low statement in STIX.1.0
The MalwareTypeVocab is the default STIX vocabulary for expressing types of malware instances.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
The default set of malware types to use for characterizing a malware instance in STIX.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
The default set of Indicator types to use for characterizing Indicators in STIX.1.1Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).Indicator describes a set of suspected malicious IP addresses or IP blocks.Indicator describes a set of hashes for suspected malicious files.Indicator describes a set of suspected malicious domains.Indicator describes a set of suspected malicious URLS.Indicator describes the effects of suspected malware.Indicator describes suspected command and control activity or static indications.Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).Indicator describes suspected exfiltration techniques or behavior.Indicator describes suspected malicious host characteristics.Indicator describes a compromised PKI Certificate.Indicator describes a compromised Login Name.Indicator describes a watchlist for IMEI (handset) identifiers.Indicator describes a watchlist for IMSI (SIM card) identifiers.
The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.trueThe default set of Indicator types to use for characterizing Indicators in STIX.NOTE: As of STIX Version 1.1, this version of the IndicatorTypeEnum is deprecated. Please use IndicatorTypeEnum-1.1 instead.1.0trueIndicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.).Indicator describes a set of suspected malicious IP addresses or IP blocks.Indicator describes a set of hashes for suspected malicious files.Indicator describes a set of suspected malicious domains.Indicator describes a set of suspected malicious URLS.Indicator describes the effects of suspected malware.Indicator describes suspected command and control activity or static indications.Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.).Indicator describes suspected exfiltration techniques or behavior.Indicator describes suspected malicious host characteristics.The COAStageVocab is the default STIX vocabulary for expressing the stages of the threat management lifecycle that a COA is applicable to.The default set of stages of the threat management lifecycle that a COA may be applicable to.1.0This COA is applicable to the "Remedy" stage of the threat management lifecycle, meaning it may be applied proactively to prevent future threats.This COA is applicable to the "Response" stage of the threat management lifecycle, meaning it may be applied as an immediate reaction to an ongoing threat.The CampaignStatusVocab is the default STIX vocabulary for expressing the status of a campaign.The default list of possible statuses that a campaign might have.1.0This campaign is currently taking place.This campaign occurred in the past and is currently not taking place.This campaign is expected to take place in the future.The IncidentStatusVocab is the default STIX vocabulary for expressing the status of an incident.The default list of possible statuses that an incident might have.1.0The SecurityCompromiseVocab is the default STIX vocabulary for expressing whether or not an incident resulted in a security compromise.
The possible values for expressing whether an incident resulted in a security compromise.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.It has been confirmed that this incident resulted in a security compromise.It is suspected that this incident resulted in a security compromise.It has been confirmed that this incident did not result in a security compromise.It is not known whether this incident resulted in a security compromise.The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
The possible values for expressing how an incident was discovered.
2.0This vocabulary is a part of the VERIS framework and is used with their permission.This incident was disclosed by the threat agent (e.g. public brag, private blackmail).This incident was discovered through external fraud detection means (e.g. CPP).This incident was reported by a managed security event monitoring service.This incident was reported by law enforcement.This incident was reported by a customer or partner affected by the incident.This incident was reported by an unrelated third party.This incident was discovered during an external security audit or scan.This incident was discovered by an antivirus system.This incident was discovered in the course of investigating a separate incident.This incident was discovered in the course of a financial audit and/or reconciliation process.This incident was discovered through internal fraud detection means.This incident was discovered a host-based IDS or file integrity monitoring.This incident was discovered by an internal IT audit or scan.This incident was discovered during a log review process or by a SIEM.This incident was discovered by a network-based intrustion detection/prevention system.This incident was discovered by a physical security alarm.This incident was reported by a user.It is not known how this incident was discovered.The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
The possible values for expressing how an incident was discovered.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.This incident was disclosed by the threat agent (e.g. public brag, private blackmail).This incident was discovered through external fraud detection means (e.g. CPP).This incident was reported by a managed security event monitoring service.This incident was reported by law enforcement.This incident was reported by a customer or partner affected by the incident.This incident was reported by an unrelated third party.This incident was discovered during an external security audit or scan.This incident was discovered by an antivirus system.This incident was discovered in the course of investigating a separate incident.This incident was discovered in the course of a financial audit and/or reconciliation process.This incident was discovered through internal fraud detection means.This incident was discovered a host-based IDS or file integrity monitoring.This incident was discovered by an internal IT audit or scan.This incident was discovered during a log review process or by a SIEM.This incident was discovered by a network-based intrustion detection/prevention system.This incident was discovered by a physical security alarm.This incident was reported by a user.It is not known how this incident was discovered.The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.
The possible values for expressing the type of availability that was lost due to an incident.
1.1.1This vocabulary is a part of the VERIS framework and is used with their permission.The information was destroyed or wiped.Availability to the information was lost.Availability to the information was interrupted.Availability to the information was degraded.Availability loss type is acceleration.Availability to the information is obscured.The availability loss type is not known.The AvailabilityLossTypeVocab is the default STIX vocabulary for expressing the type of availability that was lost due to an incident.NOTE: As of STIX Version 1.1.1, this version of the AvailabilityLossTypeVocab is deprecated. Please use AvailabilityLossTypeVocab-1.1.1 instead.true
The possible values for expressing the type of availability that was lost due to an incident.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.The information was destroyed or wiped.Availability to the information was lost.Availability to the information was interrupted.Availability to the information was degraded.Availability loss type is acceleration.Availability to the information is obscured.The availability loss type is not known.The LossDurationVocab is the default STIX vocabulary for expressing the approximate length of time of a loss due to an incident.
The possible values for expressing the type of availability that was lost due to an incident.
1.0The loss is permanent.The loss lasted for weeks.The loss lasted for days.The loss lasted for hours.The loss lasted for minutes.The loss lasted for seconds.The loss duration is not known.The OwnershipClassVocab is the default STIX vocabulary for expressing the type of ownership of an asset.
The possible values for expressing the ownership class of an object.
1.0The asset is owned internally.The asset is owned by an employee.The asset is owned by a partner.The asset is owned by a customer.The asset ownership class is unknown.The ManagementClassVocab is the default STIX vocabulary for expressing the type of management of an asset.
The possible values for expressing the management class of an object.
1.0The asset is managed internally.The asset is managed externally.The asset is co-managed.The asset management class is unknown.The LocationClassVocab is the default STIX vocabulary for expressing the location of an asset.
The possible values for expressing the location class of an object.
1.0The asset is located internally.The asset is located externally.The asset is co-located.The asset is mobile.The asset location is unknown.The ImpactQualificationVocab is the default STIX vocabulary for expressing the subjective level of impact of an incident.
The possible values for expressing the impact level of an incident.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.The impact is absorbed by normal activities.There are limited “hard costs”, but the impact is felt through having to deal with the incident rather than conducting normal duties.Real, somewhat serious effect on the "bottom line".Real and serious effect on the “bottom line” and/or long-term ability to generate revenue.A business-ending event.The impact qualification is unknown.The ImpactRatingVocab is the default STIX vocabulary for expressing the level of impact due to an incident.
The possible values for expressing the level of impact due to a loss.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.There was no impact.There was a minor impact.There was a moderate impact.There was a major impact.The impact is not known.The AssetTypeVocab is the default STIX vocabulary for expressing the type of an asset.
The possible values for types of assets.
1.0This vocabulary is a part of the VERIS framework and is used with their permission.The AttackerInfrastructureTypeVocab is the default STIX vocabulary for expressing the type of infrastructure an attacker uses.
The possible values for types of attacker infrastructure.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The SystemTypeVocab is the default STIX vocabulary for expressing the type of a system.
The possible values for types of systems.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The InformationTypeVocab is the default STIX vocabulary for expressing the type of information.
The possible values for types of information.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The ThreatActorTypeVocab is the default STIX vocabulary for expressing the type of a threat actor.
The possible values for types of threat actors.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.
The possible values for motivations of a threat actor.
1.1The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.NOTE: As of STIX Version 1.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.1 instead.true
The possible values for motivations of a threat actor.
NOTE: As of STIX Version 1.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.1 instead.1.0.1trueThe initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor.NOTE: As of STIX Version 1.0.1, this version of the MotivationVocab is deprecated. Please use MotivationVocab-1.0.1 instead.trueThe possible values for motivations of a threat actor.NOTE: As of STIX Version 1.0.1, this version of the MotivationEnum is deprecated. Please use MotivationEnum-1.0.1 instead.1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.trueThe IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor.The possible values for effects intended by a threat actor.1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.The possible values for types of planning and operational support functions of a threat actor.1.0.1The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions of a threat actor.NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportVocab is deprecated. Please use PlanningAndOperationalSupportVocab-1.0.1 instead.trueThe possible values for types of planning and operational support functions of a threat actor.NOTE: As of STIX Version 1.0.1, this version of the PlanningAndOperationalSupportEnumType is deprecated. Please use PlanningAndOperationalSupportEnum-1.0.1 instead.1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.trueThe IncidentEffectVocab is the default STIX vocabulary for expressing the possible effects of an incident.The possible values for types of possible effects of an incident.1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The AttackerToolTypeVocab-1.0 is the default STIX vocabulary for expressing types of attacker tools.Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
The possible values for types of attacker tools.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.The possible values for types of possible categories of an incident.1.0This vocabulary is taken from the US-CERT Federal Incident Reporting Guidelines Incident Categories.This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.A person violates acceptable computing use policies.This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.The LossPropertyVocab is the default STIX vocabulary for expressing the possible properties of a loss.The possible values for properties of a loss.1.0The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.The default set of values to use for expressing a type of course of action in STIX.1.0Perimeter-based blocking of traffic from a compromised source.Host-based blocking of traffic from an internal compromised source.Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed.Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets.Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services.A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability.Identifying, locating, and eliminating malware from the network.Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource.Training users and administrators on how to identify and mitigate this type of threat.Setting up network or host-based sensors to detected the presence of this threat.Activities associated with restricting physical access to computing resources.Activities associated with restricting logical access to computing resources.Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior.Engaging in communications and relationship building with threat actors to influence positive changes in behavior.Modifications to policy that reduce the attack surface or infection vectors of malware.Other actions not covered in this list.The ThreatActorSophisticationVocab is the default STIX vocabulary for expressing the level of sophistication of a threat actor.
The possible values for threat actor sophistication.
1.0The initial version of this enumeration was contributed by iSight Partners, Inc. and is used with their permission.Demonstrates sophisticated capability. An innovator has the ability to create and script unique programs and codes targeting virtually any form of technology. At this level, this actor has a deep knowledge of networks, operating systems, programming languages, firmware, and infrastructure topologies and will demonstrate operational security when conducting his activities. Innovators are largely responsible for the discovery of 0-day vulnerabilities and the development of new attack techniques.Demonstrates advanced capability. An actor possessing expert capability has the ability to modify existing programs or codes but does not have the capability to script sophisticated programs from scratch. The expert has a working knowledge of networks, operating systems, and possibly even defensive techniques and will typically exhibit some operational security.Has a demonstrated, albeit low, capability. A practitioner possesses low sophistication capability. He does not have the ability to identify or exploit known vulnerabilities without the use of automated tools. He is proficient in the basic uses of publicly available hacking tools, but is unable to write or alter such programs on his own.Demonstrates a nascent capability. A novice has basic computer skills and likely requires the assistance of a Practitioner or higher to engage in hacking activity. He uses existing and frequently well known and easy-to-find techniques and programs or scripts to search for and exploit weaknesses in other computers on the Internet and lacks the ability to conduct his own reconnaissance and targeting research.Demonstrates no capability.The InformationSourceRoleVocab is the default STIX vocabulary for characterizing roles played by given entities as information sources.The default set of values to use for characterizing roles played by given entities as information sources in STIX.1.0A party acting as the initial author/creator of a set of information.A party that enhances or refines a preexisting set of information.A party that aggregates multiple different sets of information into one new set of information.A party that transforms or translates a preexisting set of information into a different representation (e.g., translating an unstructured prose threat analysis report into STIX).The VersioningVocab is the default STIX vocabulary for representing versioning of STIX content.The default set of values to use for representing versioning of STIX content.1.0The new content represents a modified or expanded form of the previous content with existing information refined for improved quality or confidence.The new content represents a modified form of the previous content with corrections to errors in the existing information. The previous content should be considered invalid and the new content should be used in its place.The previous content is asserted to be invalid and should not be considered for operational purposes.
