CampaignTypeCampaign Schema

Represents a single STIX Campaign.

Campaigns are instances of ThreatActors pursuing an intent, as observed through sets of Incidents and/or TTP, potentially across organizations. In a structured sense, Campaigns may consist of the suspected intended effect of the adversary, the related TTP leveraged within the Campaign, the related Incidents believed to be part of the Campaign, attribution to the ThreatActors believed responsible for the Campaign, other Campaigns believed related to the Campaign, confidence in the assertion of aggregated intent and characterization of the Campaign, activity taken in response to the Campaign, source of the Campaign information, handling guidance, etc.


Fields

Field Name Type Description
@idoptional QName

Specifies a globally unique identifier for this cyber threat Campaign.

@idrefoptional QName

Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content.

@timestampoptional dateTime

Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

@versionoptional CampaignVersionType

Specifies the relevant STIX-Campaign schema version for this content.

Title0..1 string

The Title field provides a simple title for this Campaign.

Description0..n StructuredTextType

The Description field is optional and provides an unstructured, text description of this Campaign.

Short_Description0..n StructuredTextType

The Short_Description field is optional and provides a short, unstructured, text description of this Campaign.

Names0..1 NamesType

The Names field specifies Names used to identify this Campaign. These may be either internal or external names.

Intended_Effect0..n StatementType

The Intended_Effect field characterizes the intended effect of this cyber threat Campaign.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Status0..1 ControlledVocabularyStringType

The status of this Campaign. For example, is the Campaign ongoing, historical, future, etc.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CampaignStatusType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Related_TTPs0..1 RelatedTTPsType

The Related_TTPs field specifies TTPs asserted to be related to this cyber threat Campaign.

Related_Incidents0..1 RelatedIncidentsType

The Related_Incidents field identifies or characterizes one or more Incidents related to this cyber threat Campaign.

Related_Indicators0..1 RelatedIndicatorsType

The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Campaign.

NOTE: As of STIX Version 1.1, this field is deprecated and is scheduled to be removed in STIX Version 2.0. Relationships between indicators and campaigns should be represented using the Related_Campaigns field on IndicatorType unless legacy code or content requires the use of this field.

Attribution0..n AttributionType

The Attribution field specifies assertions of attibuted Threat Actors for this cyber threat Campaign.

Associated_Campaigns0..1 AssociatedCampaignsType

The Associated_Campaigns field specifies other cyber threat Campaigns asserted to be associated with this cyber threat Campaign.

Confidence0..1 ConfidenceType

The Confidence field characterizes the level of confidence held in the characterization of this Campaign.

Activity0..n ActivityType

The Activity field characterizes actions taken in regards to this Campaign. This field is defined as of type ActivityType which is an abstract type enabling the extension and inclusion of various formats of Activity characterization.

Information_Source0..1 InformationSourceType

The Information_Source field details the source of this entry.

Handling0..1 MarkingType

The Handling field specifies the appropriate data handling markings for the elements of this Campaign. The valid marking scope is the nearest CampaignBaseType ancestor of this Handling element and all its descendants.

Related_Packages0..1 RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to set of related Packages.

DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.