The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
| Field Name | Type | Description | 
|---|---|---|
| @idoptional | QName | Specifies a unique ID for this Indicator. | 
| @idrefoptional | QName | Specifies a reference to the ID of an Indicator specified elsewhere. | 
| @versionoptional | IndicatorVersionType | Specifies the relevant STIX-Indicator schema version for this content. | 
| @negateoptional | boolean | The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern. | 
| Title0..1 | string | The Title field provides a simple title for this Indicator. | 
| Type0..1 | ControlledVocabularyStringType | Specifies the type for this Indicator. 
 This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.0/stix_default_vocabularies.xsd . Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field. 
 | 
| Alternative_ID0..n | string | Specifies an alternative identifier (or alias) for the cyber threat Indicator. | 
| Description0..1 | StructuredTextType | Specifies a description for this Indicator. | 
| Valid_Time_Position0..n | ValidTimeType | Specifies the time window for which this Indicator is valid. | 
| Observable0..1 | ObservableType | Specifies a relevant cyber observable for this Indicator. | 
| Composite_Indicator_Expression0..1 | CompositeIndicatorExpressionType | Specifies a multipartite composite Indicator. | 
| Indicated_TTP0..n | RelatedTTPType | Specifies the relevant TTP indicated by this Indicator. | 
| Kill_Chain_Phases0..1 | KillChainPhasesReferenceType | Specifies relevant kill chain phases indicated by this Indicator. | 
| Test_Mechanisms0..1 | TestMechanismsType | The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator. | 
| Likely_Impact0..1 | StatementType | Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact. | 
| Suggested_COAs0..1 | SuggestedCOAsType | The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator. | 
| Handling0..1 | MarkingType | Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants. | 
| Confidence0..1 | ConfidenceType | Specifies a level of confidence held in the accuracy of this Indicator. | 
| Sightings0..1 | SightingsType | Characterizes a set of sighting reports for this Indicator. | 
| Related_Indicators0..1 | RelatedIndicatorsType | The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship). | 
| Producer0..1 | InformationSourceType | The Producer field details the source of this entry. |