Heads up! These docs are for STIX 1.0, which is not the latest version (1.2). View the latest!

IndicatorTypeIndicator Schema

The IndicatorType characterizes a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the patterns meaning, how and when it should be acted on, etc.


Field Name Type Description
@idoptional QName

Specifies a unique ID for this Indicator.

@idrefoptional QName

Specifies a reference to the ID of an Indicator specified elsewhere.

@versionoptional IndicatorVersionType

Specifies the relevant STIX-Indicator schema version for this content.

@negateoptional boolean

The negate field applies when using an Indicator as a pattern and specifies the absence of the pattern.

Title0..1 string

The Title field provides a simple title for this Indicator.

Type0..1 ControlledVocabularyStringType

Specifies the type for this Indicator.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocabularyType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.0.0/stix_default_vocabularies.xsd .

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Alternative_ID0..n string

Specifies an alternative identifier (or alias) for the cyber threat Indicator.

Description0..1 StructuredTextType

Specifies a description for this Indicator.

Valid_Time_Position0..n ValidTimeType

Specifies the time window for which this Indicator is valid.

Observable0..1 ObservableType

Specifies a relevant cyber observable for this Indicator.

Composite_Indicator_Expression0..1 CompositeIndicatorExpressionType

Specifies a multipartite composite Indicator.

Indicated_TTP0..n RelatedTTPType

Specifies the relevant TTP indicated by this Indicator.

Kill_Chain_Phases0..1 KillChainPhasesReferenceType

Specifies relevant kill chain phases indicated by this Indicator.

Test_Mechanisms0..1 TestMechanismsType

The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.

Likely_Impact0..1 StatementType

Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.

Suggested_COAs0..1 SuggestedCOAsType

The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.

Handling0..1 MarkingType

Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.

Confidence0..1 ConfidenceType

Specifies a level of confidence held in the accuracy of this Indicator.

Sightings0..1 SightingsType

Characterizes a set of sighting reports for this Indicator.

Related_Indicators0..1 RelatedIndicatorsType

The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).

Producer0..1 InformationSourceType

The Producer field details the source of this entry.