Heads up! These docs are for STIX 1.1.1, which is not the latest version (1.2). View the latest!

ObservableTypeCybOX Core Schema

The ObservableType is a type representing a description of a single cyber observable.


Fields

Field Name Type Description
@idoptional QName

The id field specifies a unique id for this Observable.

@idrefoptional QName

The idref field specifies a unique id reference to an Observable defined elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Observable should not hold content unless an extension of the Observable allows it.

@negateoptional boolean

The negate field, when set to true, indicates the absence (rather than the presence) of the given Observable in a CybOX pattern.

@sighting_countoptional positiveInteger

The sighting_count field specifies how many different identical instances of the Observable may have been seen/sighted.

Title0..1 string

The Title field provides a mechanism to specify a short title or description for this Observable.

Description0..1 StructuredTextType

The Description field provides a mechanism to specify a structured text description of this Observable.

Keywords0..1 KeywordsType

Keywords enables capture of relevant keywords for this cyber observable.

Observable_Source0..n MeasureSourceType

The Observable_Source field is optional and enables descriptive specification of how this Observable was identified and specified.

Object0..1 ObjectType

The Object construct identifies and specifies the characteristics of a specific cyber-relevant object (e.g. a file, a registry key or a process).

Event0..1 EventType

The Event construct enables specification of a cyber observable event that is dynamic in nature with specific action(s) taken against specific cyber relevant objects (e.g. a file is deleted, a registry key is created or an HTTP Get Request is received).

Observable_Composition0..1 ObservableCompositionType

The Observable_Composition construct enables specification of composite observables made up of logical constructions of atomic observables or other composite observables (e.g. Obs5 = (Obs1 OR Obs2) AND (Obs3 OR Obs4)).

Pattern_Fidelity0..1 PatternFidelityType

Pattern_Fidelity contains elements that enable the characterization of the fidelity of this pattern to its purpose.