These docs are for STIX 1.0.1, which is not the latest version (1.2).

EventType (CybOX Core Schema)

The EventType is a complex type representing a cyber observable event that is dynamic in nature, with specific action(s) taken against specific cyber-relevant objects (e.g. a file is deleted, a registry key is created, or an HTTP GET request is received).


Fields

Field Name Type Description
@id (optional) QName

The id field specifies a unique id for this Event.

@idref (optional) QName

The idref field specifies a unique id reference to an Event defined elsewhere.

Type (0..1) ControlledVocabularyStringType

The Type field uses a standardized controlled vocabulary to capture what type of Event this is.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is EventTypeVocab-1.0.1 in the http://cybox.mitre.org/default_vocabularies-2 namespace. This type is defined in the cybox_default_vocabularies.xsd file or at the URL http://cybox.mitre.org/XMLSchema/default_vocabularies/2.0.1/cybox_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism (by specifying a vocabulary name and/or reference using the vocab_name and vocab_reference attributes, respectively) or simply use this as a string field.

Description (0..1) StructuredTextType

The Description field provides a mechanism to specify a structured text description of this Event.

Observation_Method (0..1) MeasureSourceType

The Observation_Method field is optional and enables descriptive specification of how this Event was observed (in the case of a Cyber Observable Event instance) or could potentially be observed (in the case of a Cyber Observable Event pattern).

Actions (0..1) ActionsType

The Actions construct enables description/specification of one or more cyber observable actions.

Frequency (0..1) FrequencyType

The Frequency field conveys a targeted observation pattern of the frequency of the associated event or action.

Event (1..1) EventType

This Event construct is included recursively to enable description/specification of composite Events.
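
The sketch below shows how a consumer might tell which of the three Type forms described above (default vocabulary via xsi:type, a user-defined vocabulary via vocab_name/vocab_reference, or a plain string) each Event uses, while walking recursively nested Events. It is an added example, not part of the CybOX documentation or tooling; the core namespace URI, the sample XML, its ids, vocabulary name and Type values are assumptions constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

CYBOX = "http://cybox.mitre.org/cybox-2"  # assumed CybOX 2.x core namespace
VOCABS = "http://cybox.mitre.org/default_vocabularies-2"  # from the page
XSI = "http://www.w3.org/2001/XMLSchema-instance"
EVENT, TYPE = f"{{{CYBOX}}}Event", f"{{{CYBOX}}}Type"
# Constructed sample: composite Event; ids, vocab name and Type values are made up.
SAMPLE = f"""<cybox:Event xmlns:cybox="{CYBOX}" xmlns:cyboxVocabs="{VOCABS}"
    xmlns:xsi="{XSI}" xmlns:example="http://example.com/" id="example:Event-1">
  <cybox:Type xsi:type="cyboxVocabs:EventTypeVocab-1.0.1">File Ops (CRUD)</cybox:Type>
  <cybox:Event id="example:Event-2">
    <cybox:Type vocab_name="Example Corp Events">Nightly Backup</cybox:Type>
  </cybox:Event>
  <cybox:Event id="example:Event-3"><cybox:Type>free text</cybox:Type></cybox:Event>
</cybox:Event>"""

def vocab_kind(type_el, ns):
    """Classify a Type; ns is the in-scope list of (prefix, uri) declarations."""
    xsi_type = type_el.get(f"{{{XSI}}}type")
    if xsi_type:
        prefix, _, local = xsi_type.rpartition(":")
        uri = next((u for p, u in reversed(ns) if p == prefix), None)
        known = (uri, local) == (VOCABS, "EventTypeVocab-1.0.1")
        return "default" if known else f"other xsi:type {{{uri}}}{local}"
    custom = type_el.get("vocab_name") or type_el.get("vocab_reference")
    return f"custom: {custom}" if custom else "plain string"

def classify_event_types(xml_text):
    """Return (depth, event id, vocab kind, value) for each Event's own Type."""
    ns, path, events, out = [], [], [], []
    kinds = ("start-ns", "end-ns", "start", "end")
    for ev, item in ET.iterparse(io.BytesIO(xml_text.encode()), events=kinds):
        if ev == "start-ns":
            ns.append(item)  # (prefix, uri) enters scope
        elif ev == "end-ns":
            ns.pop()
        elif ev == "start":
            path.append(item.tag)
            if item.tag == EVENT:
                events.append(item.get("id") or item.get("idref"))
        else:
            path.pop()
            if item.tag == EVENT:
                events.pop()
            elif item.tag == TYPE and path and path[-1] == EVENT:
                out.append((len(events), events[-1], vocab_kind(item, ns),
                            (item.text or "").strip()))
    return out
```

Resolving the xsi:type prefix against the declared namespaces, rather than matching the prefix text, keeps a document that rebinds the prefix to another namespace from being treated as using the default vocabulary. For feeds from untrusted sources, parse with a hardened XML parser (for example defusedxml) rather than the standard library's ElementTree.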