The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc.
Field Name | Type | Description |
---|---|---|
@id (optional) | QName | Specifies a unique ID for this Indicator. |
@idref (optional) | QName | Specifies a reference to the ID of an Indicator specified elsewhere. |
@version (optional) | IndicatorVersionType | Specifies the relevant STIX-Indicator schema version for this content. |
@negate (optional) | boolean | The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern. |
Title (0..1) | string | The Title field provides a simple title for this Indicator. |
Type (0..1) | ControlledVocabularyStringType | Specifies the type for this Indicator. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field. |
Alternative_ID (0..n) | string | Specifies an alternative identifier (or alias) for the cyber threat Indicator. |
Description (0..1) | StructuredTextType | Specifies a description for this Indicator. |
Valid_Time_Position (0..n) | ValidTimeType | Specifies the time window for which this Indicator is valid. |
Observable (0..1) | ObservableType | Specifies a relevant cyber observable for this Indicator. |
Composite_Indicator_Expression (0..1) | CompositeIndicatorExpressionType | Specifies a multipartite composite Indicator. |
Indicated_TTP (0..n) | RelatedTTPType | Specifies the relevant TTP indicated by this Indicator. |
Kill_Chain_Phases (0..1) | KillChainPhasesReferenceType | Specifies relevant kill chain phases indicated by this Indicator. |
Test_Mechanisms (0..1) | TestMechanismsType | The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator. |
Likely_Impact (0..1) | StatementType | Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact. |
Suggested_COAs (0..1) | SuggestedCOAsType | The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator. |
Handling (0..1) | MarkingType | Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants. |
Confidence (0..1) | ConfidenceType | Specifies a level of confidence held in the accuracy of this Indicator. |
Sightings (0..1) | SightingsType | Characterizes a set of sighting reports for this Indicator. |
Related_Indicators (0..1) | RelatedIndicatorsType | The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship). |
Producer (0..1) | InformationSourceType | The Producer field details the source of this entry. |
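
The following is an added example, not part of the STIX schema documentation: a pre-ingestion check that enforces the multiplicities from the table above and resolves `@negate`, since a consumer that ignores `negate` matches on the opposite of what the producer meant. The namespace URI, the function name `check_indicator` and the sample document are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: STIX 1.0.1 Indicator namespace URI (the table does not state it).
NS = "{http://stix.mitre.org/Indicator-2}"

# Upper bounds copied from the field table: 1 for "0..1", None for "0..n".
MAX_OCCURS = {
    "Title": 1, "Type": 1, "Alternative_ID": None, "Description": 1,
    "Valid_Time_Position": None, "Observable": 1,
    "Composite_Indicator_Expression": 1, "Indicated_TTP": None,
    "Kill_Chain_Phases": 1, "Test_Mechanisms": 1, "Likely_Impact": 1,
    "Suggested_COAs": 1, "Handling": 1, "Confidence": 1, "Sightings": 1,
    "Related_Indicators": 1, "Producer": 1,
}

def check_indicator(xml_text):
    """Return (negate, problems) for a single Indicator element."""
    root = ET.fromstring(xml_text)
    problems, counts = [], {}
    for child in root:
        name = child.tag[len(NS):] if child.tag.startswith(NS) else None
        if name not in MAX_OCCURS:
            problems.append(f"unknown field: {child.tag}")
            continue
        counts[name] = counts.get(name, 0) + 1
    for name, seen in counts.items():
        if MAX_OCCURS[name] == 1 and seen > 1:
            problems.append(f"{name} occurs {seen} times (max 1)")
    # @negate is an XML Schema boolean: true/false/1/0. Absent is treated
    # as "not negated" here (assumption).
    raw = root.get("negate", "false").strip()
    if raw in ("true", "1"):
        negate = True
    elif raw in ("false", "0"):
        negate = False
    else:
        negate = None
        problems.append(f"invalid negate value: {raw!r}")
    return negate, problems

# Constructed sample: duplicate Title, a field not in the table, negate="1".
SAMPLE = """<indicator:Indicator
    xmlns:indicator="http://stix.mitre.org/Indicator-2"
    id="example:indicator-1" negate="1">
  <indicator:Title>Constructed sample</indicator:Title>
  <indicator:Title>Second title</indicator:Title>
  <indicator:Alternative_ID>alias-a</indicator:Alternative_ID>
  <indicator:Alternative_ID>alias-b</indicator:Alternative_ID>
  <indicator:Severity>high</indicator:Severity>
</indicator:Indicator>"""
```

`xml.etree.ElementTree` does not defend against entity-expansion payloads, so feeds from untrusted sources should be parsed with a hardened parser such as `defusedxml`.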