IndicatorTypeIndicator Schema

Represents a single STIX Indicator.

Indicators convey specific Observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They consist of one or more Observable patterns potentially mapped to a related TTP context and adorned with other relevant metadata on things like confidence in the indicator’s assertion, handling restrictions, valid time windows, likely impact, sightings of the indicator, structured test mechanisms for detection, related campaigns, suggested courses of action, related indicators, the source of the Indicator, etc.

Suggested Practices

If possible, an indicator should include the following fields:

Creating pattern observables for indicators

When creating observables for use as patterns within indicators, you should always set the condition attribute on all possible fields to an appropriate value, even if that value is equals. Leaving off the condition attribute implies that the observable is an instance rather than a pattern.


Field Name Type Description
@idoptional QName

Specifies a unique ID for this Indicator.

@idrefoptional QName

Specifies a reference to the ID of an Indicator specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this Indicator should not hold content.

@timestampoptional dateTime

Specifies a timestamp for the definition of a specific version of an Indicator. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Indicator. When used in conjunction with the idref, this field is specifying a reference to a specific version of an Indicator defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

@versionoptional IndicatorVersionType

Specifies the relevant STIX-Indicator schema version for this content.

@negateoptional boolean

The negate field specifies the absence of the pattern.

Title0..1 string

The Title field provides a simple title for this Indicator.

Type0..n ControlledVocabularyStringType

Specifies the type or types for this Indicator.

This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is IndicatorTypeVocab-1.1 in the namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Alternative_ID0..n string

Specifies an alternative identifier (or alias) for the cyber threat Indicator.

Description0..n StructuredTextType

The Description field is optional and provides an unstructured, text description for this Indicator.

Short_Description0..n StructuredTextType

The Short_Description field is optional and provides an unstructured, text description for this Indicator.

Valid_Time_Position0..n ValidTimeType

Specifies the time window for which this Indicator is valid.

Observable0..1 ObservableType

Specifies a relevant cyber observable for this Indicator.

Composite_Indicator_Expression0..1 CompositeIndicatorExpressionType

Specifies a multipartite composite Indicator.

Indicated_TTP0..n RelatedTTPType

Specifies the relevant TTP indicated by this Indicator.

Kill_Chain_Phases0..1 KillChainPhasesReferenceType

Specifies relevant kill chain phases indicated by this Indicator.

Test_Mechanisms0..1 TestMechanismsType

The TestMechanisms field specifies Test Mechanisms effective at identifying the cyber Observables specified in this cyber threat Indicator.

Likely_Impact0..1 StatementType

Specifies the likely potential impact within the relevant context if this Indicator were to occur. This is typically local to an Indicator consumer and not typically shared. This field includes a Description of the likely potential impact within the relevant context if this Indicator were to occur and a Confidence held in the accuracy of this assertion. NOTE: This structure potentially still needs to be fleshed out more for structured characterization of impact.

Suggested_COAs0..1 SuggestedCOAsType

The Suggested_COAs field specifies suggested Courses of Action for this cyber threat Indicator.

Handling0..1 MarkingType

Specifies the relevant handling guidance for this Indicator. The valid marking scope is the nearest IndicatorBaseType ancestor of this Handling element and all its descendants.

Confidence0..1 ConfidenceType

Specifies a level of confidence held in the accuracy of this Indicator.

Sightings0..1 SightingsType

Characterizes a set of sighting reports for this Indicator.

Related_Indicators0..1 RelatedIndicatorsType

The Related_Indicators field is optional and enables content producers to express a relationship between the enclosing indicator (i.e., the subject of the relationship) and a disparate indicator (i.e., the object side of the relationship).

Related_Campaigns0..1 RelatedCampaignReferencesType

The Related_Campaigns field captures references to related campaigns. Note that unlike most other relationship types, Related_Campaigns does not allow campaigns to be embedded, only referenced via name or ID.

Related_Packages0..1 RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to set of related Packages.

DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.

Producer0..1 InformationSourceType

The Producer field details the source of this entry.