Represents a single STIX Incident.
Incidents are discrete instances of Indicators affecting an organization along with information discovered or decided during an incident response investigation. They consist of data such as time-related information, parties involved, assets affected, impact assessment, related Indicators, related Observables, leveraged TTP, attributed Threat Actors, intended effects, nature of compromise, response Course of Action requested, response Course of Action taken, confidence in characterization, handling guidance, source of the Incident information, log of actions taken, etc.
Field Name | Type | Description
---|---|---
`@id` (optional) | QName | Specifies a globally unique identifier for this cyber threat Incident.
`@idref` (optional) | QName | Specifies a globally unique identifier for a cyber threat Incident specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Incident should not hold content.
`@timestamp` (optional) | dateTime | Specifies a timestamp for the definition of a specific version of an Incident. When used in conjunction with the id, this field specifies the definition time for the specific version of the Incident. When used in conjunction with the idref, this field specifies a reference to a specific version of an Incident defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.
`@version` (optional) | IncidentVersionType | Specifies the relevant STIX-Incident schema version for this content.
`@URL` (optional) | | Specifies a URL referencing the location for the Incident specification.
`Title` (0..1) | string | The Title field provides a simple title for this Incident.
`External_ID` (0..n) | ExternalIDType | The External_ID field provides a reference to an ID of an incident in a remote system.
`Time` (0..1) | TimeType | The Time field specifies relevant time values associated with this Incident.
`Description` (0..n) | StructuredTextType | The Description field is optional and provides an unstructured, text description of this Incident.
`Short_Description` (0..n) | StructuredTextType | The Short_Description field is optional and provides a short, unstructured, text description of this Incident.
`Categories` (0..1) | CategoriesType | The Categories field provides a set of categories for this incident.
`Reporter` (0..1) | InformationSourceType | The Reporter field details information about the reporting source of this Incident.
`Responder` (0..n) | InformationSourceType | The Responder field is optional and details information about the assigned responder for this Incident.
`Coordinator` (0..n) | InformationSourceType | The Coordinator field is optional and details information about the assigned coordinator for this Incident.
`Victim` (0..n) | IdentityType | The Victim field is optional and details information about a victim of this Incident. This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd. Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.
`Affected_Assets` (0..1) | AffectedAssetsType | The Affected_Assets field is optional and characterizes the particular assets affected during the Incident.
`Impact_Assessment` (0..1) | ImpactAssessmentType | The Impact_Assessment field specifies a summary assessment of impact for this cyber threat Incident.
`Status` (0..1) | ControlledVocabularyStringType | Status describes the current status (sometimes called "state" or "disposition") of the incident. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IncidentStatusVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
`Related_Indicators` (0..1) | RelatedIndicatorsType | The Related_Indicators field identifies or characterizes one or more cyber threat Indicators related to this cyber threat Incident.
`Related_Observables` (0..1) | RelatedObservablesType | The Related_Observables field identifies or characterizes one or more cyber observables related to this cyber threat Incident.
`Leveraged_TTPs` (0..1) | LeveragedTTPsType | The Leveraged_TTPs field specifies TTPs asserted to be related to this cyber threat Incident.
`Attributed_Threat_Actors` (0..1) | AttributedThreatActorsType | The Attributed_Threat_Actors field identifies ThreatActors asserted to be attributed for this Incident.
`Intended_Effect` (0..n) | StatementType | The Intended_Effect field specifies the suspected intended effect of this incident. It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
`Security_Compromise` (0..1) | ControlledVocabularyStringType | Specifies knowledge of whether the Incident involved a compromise of security properties. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is SecurityCompromiseVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
`Discovery_Method` (0..n) | ControlledVocabularyStringType | The Discovery_Method field identifies how the incident was discovered. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is DiscoveryMethodVocab-2.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.
`Related_Incidents` (0..1) | RelatedIncidentsType | The Related_Incidents field identifies or characterizes one or more other Incidents related to this cyber threat Incident.
`COA_Requested` (0..n) | COARequestedType | The COA_Requested field specifies and characterizes a requested CourseOfAction for this Incident, as specified by the Producer for the Consumer of the Incident report.
`COA_Taken` (0..n) | COATakenType | The COA_Taken field specifies and characterizes a CourseOfAction taken for this Incident.
`Confidence` (0..1) | ConfidenceType | The Confidence field characterizes the level of confidence held in the characterization of this Incident.
`Contact` (0..n) | InformationSourceType | The Contact field identifies and characterizes organizations or personnel involved in this Incident.
`History` (0..1) | HistoryType | The History field provides a log of events or actions taken during the handling of the Incident.
`Information_Source` (0..1) | InformationSourceType | The Information_Source field details the source of this entry.
`Handling` (0..1) | MarkingType | The Handling field specifies the appropriate data handling markings for the elements of this Incident. The valid marking scope is the nearest IncidentBaseType ancestor of this Handling element and all its descendants.
`Related_Packages` (0..1) | RelatedPackageRefsType | The Related_Packages field identifies or characterizes relationships to a set of related Packages. DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.