Heads up! These docs are for STIX 1.0.1, which is not the latest version (1.2). View the latest!

TTPTypeTTP Schema

TTPType characterizes an individual adversary TTP.


Field Name Type Description
@idoptional QName

Specifies a globally unique identifier for this TTP item.

@idrefoptional QName

Specifies a globally unique identifier of a TTP item specified elsewhere.

@versionoptional TTPVersionType

Specifies the relevant STIX-TTP schema version for this content.

Title0..1 string

The Title field provides a simple title for this TTP.

Description0..1 StructuredTextType

The Description field provides an unstructured description of the TTP.

Intended_Effect0..n StatementType

The Intended_Effect field specifies the suspected intended effect for this TTP.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.1/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Behavior0..1 BehaviorType

Behavior describes the attack patterns, malware, or exploits that the attacker leverages to execute this TTP.

Resources0..1 ResourceType

Resources describe the infrastructure or tools that the adversary uses to execute this TTP.

Victim_Targeting0..1 VictimTargetingType

The Victim_Targeting field characterizes the people, organizations, information or access being targeted.

Exploit_Targets0..1 ExploitTargetsType

The Exploit_Targets field characterizes potential vulnerability, weakness or configuration targets for exploitation by this TTP.

Related_TTPs0..1 RelatedTTPsType

The Related_TTPs field specifies other TTPs asserted to be related to this cyber threat TTP.

Kill_Chain_Phases0..1 KillChainPhasesReferenceType

The Kill_Chain_Phases field specifies one or more Kill Chain phases associated with this TTP item.

Information_Source0..1 InformationSourceType

The Information_Source field details the source of this entry.

Kill_Chains0..1 KillChainsType

The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.

Handling0..1 MarkingType

Specifies the relevant handling guidance for this TTP. The valid marking scope is the nearest TTPBaseType ancestor of this Handling element and all its descendants.