IncidentType (Incident Schema)

Represents a single STIX Incident.

Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc.


Fields

Field Name (occurrence) | Type | Description
@id (optional) | QName

Specifies a globally unique identifier for this cyber threat Incident.

@idref (optional) | QName

Specifies a globally unique identifier for a cyber threat Incident specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.

@timestamp (optional) | dateTime

Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Incident. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

@version (optional) | IncidentVersionType

Specifies the relevant STIX-Incident schema version for this content.

@URL (optional)

Specifies a URL referencing the location for the Incident specification.

Title (0..1) | string

The Title field provides a simple title for this Incident.

External_ID (0..n) | ExternalIDType

The External_ID field provides a reference to an ID of an incident in a remote system.

Time (0..1) | TimeType

The Time field specifies relevant time values associated with this Incident.

Description (0..n) | StructuredTextType

The Description field is optional and provides an unstructured, text description of this Incident.

Short_Description (0..n) | StructuredTextType

The Short_Description field is optional and provides a short, unstructured, text description of this Incident.

Categories (0..1) | CategoriesType

The Categories field provides a set of categories for this incident.

Reporter (0..1) | InformationSourceType

The Reporter field details information about the reporting source of this Incident.

Responder (0..n) | InformationSourceType

The Responder field is optional and details information about the assigned responder for this Incident.

Coordinator (0..n) | InformationSourceType

The Coordinator field is optional and details information about the assigned coordinator for this Incident.

Victim (0..n) | IdentityType

The Victim field is optional and details information about a victim of this Incident.

This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.

Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.

Affected_Assets (0..1) | AffectedAssetsType

The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.

Impact_Assessment (0..1) | ImpactAssessmentType

The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.

Status (0..1) | ControlledVocabularyStringType

Status describes the current status (sometimes called "state" or "disposition") of the incident.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Related_Indicators (0..1) | RelatedIndicatorsType

The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Incident.

Related_Observables (0..1) | RelatedObservablesType

The Related_Observables field identifies or characterizes one or more cyber observables related to this cyber threat incident.

Leveraged_TTPs (0..1) | LeveragedTTPsType

The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.

Attributed_Threat_Actors (0..1) | AttributedThreatActorsType

The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.

Intended_Effect (0..n) | StatementType

The Intended_Effect field specifies the suspected intended effect of this incident.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Security_Compromise (0..1) | ControlledVocabularyStringType

Specifies knowledge of whether the Incident involved a compromise of security properties.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Discovery_Method (0..n) | ControlledVocabularyStringType

The Discovery_Method field identifies how the incident was discovered.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Related_Incidents (0..1) | RelatedIncidentsType

The Related_Incidents field identifies or characterizes one or more other Incidents related to this cyber threat Incident.

COA_Requested (0..n) | COARequestedType

The COA_Requested field specifies and characterizes a CourseOfAction requested for this Incident, as specified by the Producer for the Consumer of the Incident report.

COA_Taken (0..n) | COATakenType

The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.

Confidence (0..1) | ConfidenceType

The Confidence field characterizes the level of confidence held in the characterization of this Incident.

Contact (0..n) | InformationSourceType

The Contact field identifies and characterizes organizations or personnel involved in this Incident.

History (0..1) | HistoryType

The History field provides a log of events or actions taken during the handling of the Incident.

Information_Source (0..1) | InformationSourceType

The Information_Source field details the source of this entry.

Handling (0..1) | MarkingType

The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.

Related_Packages (0..1) | RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to a set of related Packages.

DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.
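Two parts of this schema are easy to get wrong when consuming Incident content: the id/idref/timestamp rules (an idref instance must carry neither an id nor content, and a timestamp means nothing without one of them) and the controlled-vocabulary mechanism shared by Status, Security_Compromise and Discovery_Method (xsi:type naming a default vocabulary, xsi:type naming a user extension, vocab_name/vocab_reference attributes, or a plain string). The following Python checker is an added example written for this page; it is not code from the STIX project. It uses only the standard library. Assumptions: the incident namespace URI http://stix.mitre.org/Incident-1 and the standalone incident:Incident root element follow STIX 1.2 convention, the vocab_name and vocab_reference attributes are taken from ControlledVocabularyStringType in the STIX common schema, and the three sample documents are constructed for the example.

```python
"""Sanity checks on a STIX 1.2 Incident element (added example, not STIX project code).

Assumptions: the incident namespace URI and the root <incident:Incident> element are
the conventional STIX 1.2 ones; the sample documents below are constructed.
"""
import io
import xml.etree.ElementTree as ET

XSI = "http://www.w3.org/2001/XMLSchema-instance"
INCIDENT_NS = "http://stix.mitre.org/Incident-1"                    # assumed STIX 1.2 namespace
DEFAULT_VOCABS_NS = "http://stix.mitre.org/default_vocabularies-1"  # listed on the schema page

# Controlled-vocabulary fields and the default vocabulary type the page lists for each.
VOCAB_FIELDS = {
    "Status": "IncidentStatusVocab-1.0",
    "Security_Compromise": "SecurityCompromiseVocab-1.0",
    "Discovery_Method": "DiscoveryMethodVocab-2.0",
}


def _parse_with_prefixes(xml_text):
    """Parse the document and also record prefix -> namespace declarations,
    which are needed to resolve the prefix inside an xsi:type value."""
    prefixes, root = {}, None
    source = io.BytesIO(xml_text.encode("utf-8"))
    for event, payload in ET.iterparse(source, events=("start-ns", "start")):
        if event == "start-ns":
            prefixes[payload[0]] = payload[1]
        elif root is None:
            root = payload  # the first "start" event is the root element
    return root, prefixes


def classify_vocab(elem, prefixes):
    """Return (value, kind, vocabulary) for a ControlledVocabularyStringType element.

    kind is one of: default-vocab (xsi:type in the default vocabularies namespace),
    extension-vocab (xsi:type in another namespace), named-vocab (vocab_name attribute)
    or free-text (plain string, no vocabulary declared)."""
    value = (elem.text or "").strip()
    xsi_type = elem.get("{%s}type" % XSI)
    if xsi_type:
        prefix, _, type_name = xsi_type.rpartition(":")
        ns = prefixes.get(prefix)
        if ns == DEFAULT_VOCABS_NS:
            return value, "default-vocab", type_name
        return value, "extension-vocab", "{%s}%s" % (ns, type_name)
    vocab_name = elem.get("vocab_name")
    if vocab_name:
        return value, "named-vocab", vocab_name  # vocab_reference may point at its definition
    return value, "free-text", None


def check_incident(xml_text):
    """Apply the id/idref/timestamp rules from the schema text and resolve every
    controlled-vocabulary field. Returns a dict whose 'problems' list is empty when
    the document respects the rules."""
    root, prefixes = _parse_with_prefixes(xml_text)
    incident_id, idref, timestamp = root.get("id"), root.get("idref"), root.get("timestamp")
    problems = []
    has_content = len(root) > 0 or bool((root.text or "").strip())
    if idref and incident_id:
        problems.append("id and idref must not both be specified")
    if idref and has_content:
        problems.append("an idref instance should not hold content")
    if timestamp and not (incident_id or idref):
        problems.append("timestamp without id or idref has no defined meaning")
    mode = "reference" if idref else ("definition" if incident_id else "anonymous")

    vocab_fields = {}
    for field in VOCAB_FIELDS:
        for elem in root.findall("{%s}%s" % (INCIDENT_NS, field)):
            vocab_fields.setdefault(field, []).append(classify_vocab(elem, prefixes))
    return {"mode": mode, "id": incident_id, "idref": idref, "timestamp": timestamp,
            "vocab_fields": vocab_fields, "problems": problems}


# Constructed sample documents (not real incident data).
FULL_INCIDENT = """<incident:Incident
    xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="example:incident-0001" timestamp="2024-01-15T10:00:00Z" version="1.2">
  <incident:Title>Constructed example incident</incident:Title>
  <incident:Status xsi:type="stixVocabs:IncidentStatusVocab-1.0">Open</incident:Status>
  <incident:Security_Compromise vocab_name="Internal compromise scale"
      vocab_reference="https://example.invalid/vocab/compromise">Likely</incident:Security_Compromise>
  <incident:Discovery_Method>Help desk ticket</incident:Discovery_Method>
</incident:Incident>"""

REF_INCIDENT = """<incident:Incident xmlns:incident="http://stix.mitre.org/Incident-1"
    idref="example:incident-0001" timestamp="2024-01-15T10:00:00Z"/>"""

BAD_INCIDENT = """<incident:Incident xmlns:incident="http://stix.mitre.org/Incident-1"
    id="example:incident-0002" idref="example:incident-0001">
  <incident:Title>Reference that wrongly carries content</incident:Title>
</incident:Incident>"""

if __name__ == "__main__":
    for name, doc in (("full", FULL_INCIDENT), ("ref", REF_INCIDENT), ("bad", BAD_INCIDENT)):
        print(name, check_incident(doc))
```

The prefix map is collected from start-ns events because ElementTree resolves namespaces for element names but leaves attribute values such as xsi:type as raw prefixed strings; without that map a consumer cannot tell a default-vocabulary value from a user extension that happens to reuse the type name. An idref instance that fails these checks is worth rejecting rather than merging, since its content would otherwise be attached to an Incident defined elsewhere.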