Represents a single STIX Campaign.
Campaigns are instances of ThreatActors pursuing an intent, as observed through sets of Incidents and/or TTP, potentially across organizations. In a structured sense, Campaigns may consist of the suspected intended effect of the adversary, the related TTP leveraged within the Campaign, the related Incidents believed to be part of the Campaign, attribution to the ThreatActors believed responsible for the Campaign, other Campaigns believed related to the Campaign, confidence in the assertion of aggregated intent and characterization of the Campaign, activity taken in response to the Campaign, source of the Campaign information, handling guidance, etc.
Field Name | Type | Description |
---|---|---|
@id (optional) | QName | Specifies a globally unique identifier for this cyber threat Campaign. |
@idref (optional) | QName | Specifies a globally unique identifier for a cyber threat Campaign specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Campaign should not hold content. |
@timestamp (optional) | dateTime | Specifies a timestamp for the definition of a specific version of a Campaign. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Campaign. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Campaign defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields. |
@version (optional) | CampaignVersionType | Specifies the relevant STIX-Campaign schema version for this content. |
Title (0..1) | string | The Title field provides a simple title for this Campaign. |
Description (0..n) | StructuredTextType | The Description field is optional and provides an unstructured, text description of this Campaign. |
Short_Description (0..n) | StructuredTextType | The Short_Description field is optional and provides a short, unstructured, text description of this Campaign. |
Names (0..1) | NamesType | The Names field specifies Names used to identify this Campaign. These may be either internal or external names. |
Intended_Effect (0..n) | StatementType | The Intended_Effect field characterizes the intended effect of this cyber threat Campaign. It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field. |
Status (0..1) | ControlledVocabularyStringType | The status of this Campaign. For example, is the Campaign ongoing, historical, future, etc. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CampaignStatusType in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field. |
Related_TTPs (0..1) | RelatedTTPsType | The Related_TTPs field specifies TTPs asserted to be related to this cyber threat Campaign. |
Related_Incidents (0..1) | RelatedIncidentsType | The Related_Incidents field identifies or characterizes one or more Incidents related to this cyber threat Campaign. |
Related_Indicators (0..1) | RelatedIndicatorsType | The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Campaign. NOTE: As of STIX Version 1.1, this field is deprecated and is scheduled to be removed in STIX Version 2.0. Relationships between indicators and campaigns should be represented using the Related_Campaigns field on IndicatorType unless legacy code or content requires the use of this field. |
Attribution (0..n) | AttributionType | The Attribution field specifies assertions of attributed Threat Actors for this cyber threat Campaign. |
Associated_Campaigns (0..1) | AssociatedCampaignsType | The Associated_Campaigns field specifies other cyber threat Campaigns asserted to be associated with this cyber threat Campaign. |
Confidence (0..1) | ConfidenceType | The Confidence field characterizes the level of confidence held in the characterization of this Campaign. |
Activity (0..n) | ActivityType | The Activity field characterizes actions taken in regards to this Campaign. This field is defined as of type ActivityType which is an abstract type enabling the extension and inclusion of various formats of Activity characterization. |
Information_Source (0..1) | InformationSourceType | The Information_Source field details the source of this entry. |
Handling (0..1) | MarkingType | The Handling field specifies the appropriate data handling markings for the elements of this Campaign. The valid marking scope is the nearest CampaignBaseType ancestor of this Handling element and all its descendants. |
Related_Packages (0..1) | RelatedPackageRefsType | The Related_Packages field identifies or characterizes relationships to a set of related Packages. DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. |
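
A lint pass over the constraints stated in the table above (id/idref exclusivity, the rule that an idref reference should hold no content, the timestamp note, the 0..1 multiplicities and the two deprecated fields), as an added example that is not part of the STIX documentation. It matches on element local names only; the namespace URI, the `ex:` identifiers and the simplified wrapper element in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Fields the table lists with multiplicity 0..1.
SINGLE = {"Title", "Names", "Status", "Related_TTPs", "Related_Incidents",
          "Related_Indicators", "Associated_Campaigns", "Confidence",
          "Information_Source", "Handling", "Related_Packages"}
DEPRECATED = {"Related_Indicators", "Related_Packages"}

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def lint_campaign(elem):
    """Return the findings for one Campaign element, in check order."""
    findings = []
    has_id, has_idref = "id" in elem.attrib, "idref" in elem.attrib
    children = Counter(local(c.tag) for c in elem)
    if has_id and has_idref:  # "must not" in the table, so an error
        findings.append("error: id and idref are both set")
    if has_idref and (children or (elem.text or "").strip()):
        findings.append("warning: idref reference holds content")
    if "timestamp" in elem.attrib and not (has_id or has_idref):
        findings.append("warning: timestamp without id or idref has no defined meaning")
    for name, count in sorted(children.items()):
        if name in SINGLE and count > 1:
            findings.append(f"error: {name} appears {count} times, at most 1 allowed")
        if name in DEPRECATED:
            findings.append(f"warning: {name} is deprecated")
    return findings

def lint_document(xml_text):
    """Lint every element whose local name is Campaign, in document order."""
    root = ET.fromstring(xml_text)
    return [lint_campaign(e) for e in root.iter() if local(e.tag) == "Campaign"]

# Constructed sample: namespace URI, ids and wrapper element are assumptions.
SAMPLE = """<Campaigns xmlns:c="http://stix.mitre.org/Campaign-1">
  <c:Campaign id="ex:campaign-1" timestamp="2015-01-01T00:00:00Z">
    <c:Title>Constructed example</c:Title>
    <c:Related_Indicators/>
  </c:Campaign>
  <c:Campaign idref="ex:campaign-1"><c:Title>Should be empty</c:Title></c:Campaign>
  <c:Campaign id="ex:campaign-2" idref="ex:campaign-1"/>
  <c:Campaign timestamp="2015-01-01T00:00:00Z"><c:Title>A</c:Title><c:Title>B</c:Title></c:Campaign>
</Campaigns>"""

if __name__ == "__main__":
    for number, findings in enumerate(lint_document(SAMPLE), start=1):
        print(number, findings)
```

For feeds from untrusted sources, parse with a hardened XML parser such as defusedxml before running checks like these.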