The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.
Specifies a unique ID for this Indicator.
Specifies a reference to the ID of an Indicator specified elsewhere.
When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.
Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
This field must only be used in conjunction with the idref field.
Specifies the relevant STIX-Indicator schema version for this content.
The negate field specifies the absence of the pattern.
The Title field provides a simple title for this Indicator.
Specifies the type or types for this Indicator.
This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.
Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
Specifies an alternative identifier (or alias) for the cyber threat Indicator.
The Description field is optional and provides an unstructured, text description for this Indicator.
The Short_Description field is optional and provides an unstructured, text description for this Indicator.
Specifies the time window for which this Indicator is valid.
Specifies a relevant cyber observable for this Indicator.
Specifies a multipartite composite Indicator.
Specifies the relevant TTP indicated by this Indicator.
Specifies relevant kill chain phases indicated by this Indicator.
The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.
Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.
The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.
Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.
Specifies a level of confidence held in the accuracy of this Indicator.
Characterizes a set of sighting reports for this Indicator.
The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).
The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.
The Related_Packages field identifies or characterizes relationships to set of related Packages.
The Producer field details the source of this entry.