The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
Specifies a unique ID for this Indicator.
Specifies a reference to the ID of an Indicator specified elsewhere.
Specifies the relevant STIX-Indicator schema version for this content.
The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern.
The Title field provides a simple title for this Indicator.
Specifies the type for this Indicator.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.0/stix_default_vocabularies.xsd .
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
Specifies a description for this Indicator.
Specifies the time window for which this Indicator is valid.
Specifies a relevant cyber observable for this Indicator.
Specifies a multipartite composite Indicator.
Specifies the relevant TTP indicated by this Indicator.
Specifies relevant kill chain phases indicated by this Indicator.
The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
Specifies a level of confidence held in the accuracy of this Indicator.
Characterizes a set of sighting reports for this Indicator.
The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
The Producer field details the source of this entry.