Represents a single STIX Indicator.
Indicators convey specific Observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They consist of one or more Observable patterns potentially mapped to a related TTP context and adorned with other relevant metadata on things like confidence in the indicator’s assertion, handling restrictions, valid time windows, likely impact, sightings of the indicator, structured test mechanisms for detection, related campaigns, suggested courses of action, related indicators, the source of the Indicator, etc.
If possible, an indicator should include the following fields:
When creating observables for use as patterns within indicators, you should always set the condition attribute on all possible fields to an appropriate value, even if that value is equals. Leaving off the condition attribute implies that the observable is an instance rather than a pattern.
| Field Name | Type | Description |
|---|---|---|
| @id (optional) | QName | Specifies a unique ID for this Indicator. |
| @idref (optional) | QName | Specifies a reference to the ID of an Indicator specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content. |
| @timestamp (optional) | dateTime | Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields. |
| @version (optional) | IndicatorVersionType | Specifies the relevant STIX-Indicator schema version for this content. |
| @negate (optional) | boolean | The negate field specifies the absence of the pattern. |
| Title (0..1) | string | The Title field provides a simple title for this Indicator. |
| Type (0..n) | ControlledVocabularyStringType | Specifies the type or types for this Indicator. This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd. Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field. |
| Alternative_ID (0..n) | string | Specifies an alternative identifier (or alias) for the cyber threat Indicator. |
| Description (0..n) | StructuredTextType | The Description field is optional and provides an unstructured text description for this Indicator. |
| Short_Description (0..n) | StructuredTextType | The Short_Description field is optional and provides an unstructured text description for this Indicator. |
| Valid_Time_Position (0..n) | ValidTimeType | Specifies the time window for which this Indicator is valid. |
| Observable (0..1) | ObservableType | Specifies a relevant cyber observable for this Indicator. |
| Composite_Indicator_Expression (0..1) | CompositeIndicatorExpressionType | Specifies a multipartite composite Indicator. |
| Indicated_TTP (0..n) | RelatedTTPType | Specifies the relevant TTP indicated by this Indicator. |
| Kill_Chain_Phases (0..1) | KillChainPhasesReferenceType | Specifies relevant kill chain phases indicated by this Indicator. |
| Test_Mechanisms (0..1) | TestMechanismsType | The Test_Mechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator. |
| Likely_Impact (0..1) | StatementType | Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact. |
| Suggested_COAs (0..1) | SuggestedCOAsType | The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator. |
| Handling (0..1) | MarkingType | Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants. |
| Confidence (0..1) | ConfidenceType | Specifies a level of confidence held in the accuracy of this Indicator. |
| Sightings (0..1) | SightingsType | Characterizes a set of sighting reports for this Indicator. |
| Related_Indicators (0..1) | RelatedIndicatorsType | The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship). |
| Related_Campaigns (0..1) | RelatedCampaignReferencesType | The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID. |
| Related_Packages (0..1) | RelatedPackageRefsType | The Related_Packages field identifies or characterizes relationships to a set of related Packages. DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. |
| Producer (0..1) | InformationSourceType | The Producer field details the source of this entry. |
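As an added example (not part of the STIX documentation or the STIX project's code), the following Python lints Indicator content against two rules stated above: id and idref are mutually exclusive, and every leaf field of an Observable used as a pattern carries a condition attribute. The sample XML is constructed for this example; the `example:` IDs and the 203.0.113.7 / example.net values are placeholders.

```python
# Added example, not from the STIX documentation: lint STIX 1.x Indicators for
# (1) id and idref both set and (2) pattern leaf fields lacking a condition
# attribute. SAMPLE is constructed: indicator-1 is clean, indicator-2 breaks both rules.
import xml.etree.ElementTree as ET
NS = {"stix": "http://stix.mitre.org/stix-1",
      "cybox": "http://cybox.mitre.org/cybox-2"}

SAMPLE = """<stix:Indicators xmlns:stix="http://stix.mitre.org/stix-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2"
  xmlns:cybox="http://cybox.mitre.org/cybox-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:DomainNameObj="http://cybox.mitre.org/objects#DomainNameObject-1"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
    <indicator:Observable id="example:observable-1">
      <cybox:Object id="example:object-1">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value condition="Equals">203.0.113.7</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object>
    </indicator:Observable>
  </stix:Indicator>
  <stix:Indicator id="example:indicator-2" idref="example:indicator-1" xsi:type="indicator:IndicatorType">
    <indicator:Observable id="example:observable-2">
      <cybox:Object id="example:object-2">
        <cybox:Properties xsi:type="DomainNameObj:DomainNameObjectType">
          <DomainNameObj:Value>example.net</DomainNameObj:Value>
        </cybox:Properties>
      </cybox:Object>
    </indicator:Observable>
  </stix:Indicator>
</stix:Indicators>"""

def lint_indicator(ind):
    """Return the list of rule violations for one stix:Indicator element."""
    problems = []
    if ind.get("id") and ind.get("idref"):
        problems.append("id and idref must not both be set")
    for props in ind.iterfind(".//cybox:Properties", NS):
        # Leaf elements under cybox:Properties are the pattern fields that need a condition.
        for leaf in props.iter():
            if leaf is not props and len(leaf) == 0 and leaf.get("condition") is None:
                problems.append(f"{leaf.tag.rsplit('}', 1)[-1]} has no condition attribute")
    return problems

def lint_document(xml_text):
    root = ET.fromstring(xml_text)
    return {ind.get("id") or ind.get("idref"): lint_indicator(ind)
            for ind in root.iterfind(".//stix:Indicator", NS)}
```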