ReportType defines a contextual wrapper for a grouping of STIX content.
As of STIX 1.2, the Report construct should be used to give context to a set of STIX content. You’ll often see this in cases where a producer wants to wrap up some threat intelligence with a common story such as a report about a particular campaign, actor, or piece of malware. The available fields are `Title`, `Intent`, `Description`, `Short_Description`, and `Information_Source`. At least `Title`, `Intent`, and `Information_Source` are recommended.
Note that unlike `STIXType`, the `Information_Source` field does not apply to the content included in the report but simply to the report itself.
Reports allow you to both reference content and embed content in order to denote that it’s included in the report. It’s generally suggested that you reference content from reports unless you have a good reason to embed it (document size, for example).
Field Name | Type | Description |
---|---|---|
@id (optional) | QName | Specifies a globally unique identifier for this Report. |
@idref (optional) | QName | Specifies a globally unique identifier of a Report specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Report should not hold content. |
@timestamp (optional) | dateTime | Specifies a timestamp for the definition of a specific version of a Report. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Report. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Report defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields. |
@version (optional) | ReportVersionEnum | Specifies the relevant Report schema version for this content. |
Header (0..1) | HeaderType | The Header field provides the contextual information for this grouping of STIX content. |
Observables (0..1) | ObservablesType | Characterizes one or more cyber observables. |
Indicators (0..1) | IndicatorsType | Characterizes one or more cyber threat Indicators. |
TTPs (0..1) | TTPsType | Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures. |
Exploit_Targets (0..1) | ExploitTargetsType | Characterizes one or more potential targets for exploitation. |
Incidents (0..1) | IncidentsType | Characterizes one or more cyber threat Incidents. |
Courses_Of_Action (0..1) | CoursesOfActionType | Characterizes Courses of Action to be taken in regards to one or more cyber threats. |
Campaigns (0..1) | CampaignsType | Characterizes one or more cyber threat Campaigns. |
Threat_Actors (0..1) | ThreatActorsType | Characterizes one or more cyber Threat Actors. |
Related_Reports (0..1) | RelatedReportsType | Characterizes one or more relationships to other Reports. |
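
The attribute rules in the table (id and idref are mutually exclusive, a Report given by idref should not hold content, timestamp has no meaning without id or idref) and the recommended header fields can be checked mechanically before a report is ingested. The Python linter below is an added example, not part of the STIX documentation or its tooling; the names `lint_report` and `local`, the sample documents and their identifiers are constructed for illustration, and the namespace URI used in the samples is an assumption.

```python
import xml.etree.ElementTree as ET

NS = "http://stix.mitre.org/Report-1"  # assumed Report namespace for the samples
RECOMMENDED = ("Title", "Intent", "Information_Source")

# Constructed sample documents (not real intelligence).
GOOD = f"""<report:Report xmlns:report="{NS}" id="example:Report-1"
    timestamp="2015-06-01T00:00:00Z">
  <report:Header>
    <report:Title>Constructed campaign report</report:Title>
    <report:Intent>Campaign Characterization</report:Intent>
    <report:Information_Source/>
  </report:Header>
</report:Report>"""
BAD_REF = (f'<report:Report xmlns:report="{NS}" id="example:Report-2" '
           'idref="example:Report-1"><report:Header/></report:Report>')
BAD_HDR = (f'<report:Report xmlns:report="{NS}" timestamp="2015-06-01T00:00:00Z">'
           '<report:Header><report:Title>t</report:Title></report:Header>'
           '</report:Report>')

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def lint_report(xml_text):
    """Return a list of findings for a single Report element."""
    # ET is fine for the inline samples; for feeds from untrusted producers
    # use a hardened parser such as defusedxml.
    report = ET.fromstring(xml_text)
    findings = []
    has_id, has_idref = "id" in report.attrib, "idref" in report.attrib
    if has_id and has_idref:
        findings.append("id and idref must not both be specified")
    if has_idref and (len(report) or (report.text or "").strip()):
        findings.append("a Report with idref should not hold content")
    if "timestamp" in report.attrib and not (has_id or has_idref):
        findings.append("timestamp has no defined meaning without id or idref")
    if not has_idref:
        # Header fields are recommended, not required, so these are advisory.
        header = next((c for c in report if local(c.tag) == "Header"), None)
        present = {local(c.tag) for c in header} if header is not None else set()
        for name in RECOMMENDED:
            if name not in present:
                findings.append(f"Header is missing recommended field {name}")
    return findings

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD_REF", BAD_REF), ("BAD_HDR", BAD_HDR)):
        print(label, lint_report(doc))
```

The header findings are advisory because the page only recommends those fields; the id/idref finding reflects a "must not" in the field description.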