Heads up! These docs are for STIX 1.1, which is not the latest version (1.2). View the latest!

CourseOfActionTypeCourse of Action Schema

The CourseOfActionType characterizes a Course of Action to be taken in regards to one of more cyber threats. NOTE: This construct is still in its early stages of maturity and will require a good deal of review and refinement.


Fields

Field Name Type Description
@idoptional QName

Specifies a globally unique identifier for this COA.

@idrefoptional QName

Specifies a globally unique identifier of a COA specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this COA should not hold content.

@timestampoptional dateTime

Specifies a timestamp for the definition of a specific version of a COA. When used in conjunction with the id, this field is specifying the definition time for the specific version of the COA. When used in conjunction with the idref, this field is specifying a reference to a specific version of a COA defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

This field must only be used in conjunction with the idref field.

@versionoptional CourseOfActionVersionType

Specifies the relevant STIX-COA schema version for this content.

Title0..1 string

The Title field provides a simple title for this CourseOfAction.

Stage0..1 ControlledVocabularyStringType

The Stage field specifies what stage in the cyber threat management lifecycle this CourseOfAction is relevant to (e.g. Remedy or Response).

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is COAStageVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Type0..1 ControlledVocabularyStringType

The Type field specifies the type of this CourseOfAction.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CourseOfActionTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.

Description0..1 StructuredTextType

The Description field is optional and provides an unstructured, text description of this CourseOfAction.

Short_Description0..1 StructuredTextType

The Short_Description field is optional and provides a short, unstructured, text description of this CourseOfAction.

Objective0..1 ObjectiveType

The Objective field characterizes the objective of this CourseOfAction.

Parameter_Observables0..1 ObservablesType

The Parameter_Observables field enables the specification of technical parameters to this Course of Action expressed using the CybOX Language. It is intended that the combination of the Course of Action Type and the Parameter_Observables could be used to define automated courses of action.

Structured_COA0..1 StructuredCOAType

The Structured_COA field enables the specification of an actionable structured representation for the CourseOfAction potentially for automated consumption and implementation.

This field is implemented through the xsi:type extension mechanism. While STIX has not defined a default type, it has provided support for passing proprietary or externally defined structured courses of action using the Generic Structured COA extension. The Generic Structured COA extension is captured in the GenericStructuredCOAType in the http://stix.mitre.org/extensions/StructuredCOA#Generic-1 namespace. This type is defined in the extensions/structured_coa/generic_structured_coa.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/structured_coa/generic/1.1/generic_structured_coa.xsd.

Impact0..1 StatementType

The Impact field characterizes the estimated impact of applying this CourseOfAction.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Cost0..1 StatementType

The Cost field characterizes the estimated cost for applying this CourseOfAction.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Efficacy0..1 StatementType

The Efficacy field characterizes the effectiveness of this CourseOfAction in achieving its targeted Objective.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is HighMediumLowVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.1.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Information_Source0..1 InformationSourceType

The Information_Source field details the source of this entry.

Handling0..1 MarkingType

The Handling field specifies the appropriate data handling markings for the elements of this COA. The valid marking scope is the nearest CourseOfActionBaseType ancestor of this Handling element and all its descendants.

Related_COAs0..1 RelatedCOAsType

The Related_COAs field identifies or characterizes relationships to one or more related courses of action.

Related_Packages0..1 RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to set of related Packages.