KillChainPhaseReferenceTypeSTIX Common Schema

The KillChainPhaseReferenceType is used to reference kill chains that are defined elsewhere.

This type extends from stixCommon:KillChainPhaseType and contains several attributes that are redundant to the original kill chain definition: @kill_chain_name, @ordinality, and @name. These attributes should not be used to redefine attributes in the referenced kill chain. Instead, it is strongly suggested that they either be omitted or, if they are present, they must contain the same values as the kill chain definition. This ensures data consistency across the kill chain itself and all references to it.

API support

Fields

Field Name	Type	Description
@phase_idoptional	QName	A globally unique identifier for this kill chain phase. When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).
@nameoptional	string	This field specifies the descriptive name of the relevant kill chain phase. When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.
@ordinalityoptional	int	This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition. When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.
@kill_chain_idoptional	QName	This field specifies the ID for the relevant defined kill chain.
@kill_chain_nameoptional	string	This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.

Field Name

Type

Description

@phase_idoptional

QName

A globally unique identifier for this kill chain phase.

When used directly within a kill chain definition, this attribute must be globally unique and serves to identify the kill chain phase being defined. When used within a kill chain reference, this attribute must reference an existing kill chain phase phase_id and serves as a reference (similar to @idref elsewhere in STIX).

@nameoptional

string

This field specifies the descriptive name of the relevant kill chain phase.

When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the name used in the kill chain phase definition that this field references.

@ordinalityoptional

int

This field specifies the ordinality (e.g. 1, 2 or 3) of this phase within this kill chain definition.

When used within a kill chain reference, this attribute should be omitted or, if it is present, must match the ordinality used in the kill chain phase definition that this field references.

@kill_chain_idoptional

QName

This field specifies the ID for the relevant defined kill chain.

@kill_chain_nameoptional

string

This field specifies the descriptive name of the relevant kill chain. If a kill chain is being referenced (via the kill_chain_id field), this field should be omitted or, if present, must match the kill chain name of the kill chain referenced by the @kill_chain_id attribute.