ObjectTypeCybOX Core Schema

The ObjectType is a complex type representing the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).


Fields

Field Name Type Description
@idoptional QName

The id field specifies a unique id for this Object.

@idrefoptional QName

The idref field specifies a unique id reference to an Object defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Object should not hold content unless an extension of the Object allows it.

@has_changedoptional boolean

The has_changed field is optional and conveys a targeted observation pattern of whether the associated object specified has changed in some way without requiring further specific detail. This field would be leveraged within a pattern observable triggering on whether the value of an object specification has changed at all. This field is NOT intended to be used for versioning of CybOX content.

State0..1 ControlledVocabularyStringType

The State field enables the description of the current state of the object, through a standardized controlled vocabulary.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ObjectStateVocab in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.

Description0..1 StructuredTextType

The Description field provides a mechanism to specify a structured text description of this Object.

Properties0..1 ObjectPropertiesType

The Properties construct is an abstract placeholder for various predefined Object type schemas (e.g. File, Process or System) that can be instantiated in its place through extension of the ObjectPropertiesType. This mechanism enables the specification of a broad range of Object types with consistent Object Property naming and structure. The set of Properties schemas are maintained independent of the core CybOX schema.

Domain_Specific_Object_Properties0..1 DomainSpecificObjectPropertiesType

The Domain_Specific_Object_Properties construct is of an Abstract type placeholder within the CybOX schema enabling the inclusion of domain-specific metadata for an object through the use of a custom type defined as an extension of this base Abstract type. This enables domains utilizing CybOX such as malware analysis or forensics to incorporate non-generalized object metadata from their domains into CybOX objects.

Location0..1 LocationType

The Location field specifies a relevant physical location.

This field is implemented through the xsi:type extension mechanism. The default type is CIQAddressInstanceType in the http://cybox.mitre.org/extensions/Identity#CIQAddress-1 namespace. This type is defined in the extensions/location/ciq_address_3.0.xsd file or at the URL http://cybox.mitre.org/XMLSchema/extensions/location/ciq_address/1.0/ciq_address_3.0.xsd.

Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.

Related_Objects0..1 RelatedObjectsType

The Related_Objects construct is optional and enables the identification and/or specification of Objects with relevant relationships with this Object.

Defined_Effect0..1 DefinedEffectType

The Defined_Effect construct is an abstract placeholder for various predefined Object Effect types (e.g. DataReadEffect, ValuesEnumeratedEffect or StateChangeEffect) that can be instantiated in its place through extension of the DefinedEffectType. This mechanism enables the specification of a broad range of types of potential complex action effects on Objects. The set of Defined_Effect types (extending the DefinedEffectType) are maintained as part of the core CybOX schema.

Discovery_Method0..1 MeasureSourceType

The Discovery_Method field is optional and enables descriptive specification of how this Object was observed (in the case of a Cyber Observable Object instance) or could potentially be observed (in the case of a Cyber Observable Object pattern).