ReportType (Report Schema)

ReportType defines a contextual wrapper for a grouping of STIX content.


Suggested Practices

As of STIX 1.2, the Report construct should be used to give context to a set of STIX content. You’ll often see this in cases where a producer wants to wrap up some threat intelligence with a common story, such as a report about a particular campaign, actor, or piece of malware. The available fields are Title, Intent, Description, Short_Description, and Information_Source. At least Title, Intent, and Information_Source are recommended.

Note that unlike STIXType, the Information_Source field does not apply to the content included in the report but simply to the report itself.

Reports allow you to both reference content and embed content in order to denote that it’s included in the report. It’s generally suggested that you reference content from reports unless you have a good reason to embed it (document size, for example).


Fields

| Field Name | Type | Description |
|---|---|---|
| @id (optional) | QName | Specifies a globally unique identifier for this Report. |
| @idref (optional) | QName | Specifies a globally unique identifier of a Report specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this Report should not hold content. |
| @timestamp (optional) | dateTime | Specifies a timestamp for the definition of a specific version of a Report. When used in conjunction with the id, this field is specifying the definition time for the specific version of the Report. When used in conjunction with the idref, this field is specifying a reference to a specific version of a Report defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields. |
| @version (optional) | ReportVersionEnum | Specifies the relevant Report schema version for this content. |
| Header (0..1) | HeaderType | The Header field provides the contextual information for this grouping of STIX content. |
| Observables (0..1) | ObservablesType | Characterizes one or more cyber observables. |
| Indicators (0..1) | IndicatorsType | Characterizes one or more cyber threat Indicators. |
| TTPs (0..1) | TTPsType | Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures. |
| Exploit_Targets (0..1) | ExploitTargetsType | Characterizes one or more potential targets for exploitation. |
| Incidents (0..1) | IncidentsType | Characterizes one or more cyber threat Incidents. |
| Courses_Of_Action (0..1) | CoursesOfActionType | Characterizes Courses of Action to be taken in regards to one or more cyber threats. |
| Campaigns (0..1) | CampaignsType | Characterizes one or more cyber threat Campaigns. |
| Threat_Actors (0..1) | ThreatActorsType | Characterizes one or more cyber Threat Actors. |
| Related_Reports (0..1) | RelatedReportsType | Characterizes one or more relationships to other Reports. |
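
A consumer-side check of the id/idref/timestamp constraints and the recommended Header fields described above, as an added example that is not part of the STIX documentation. The namespace URI, the `example` prefix, the function names, and the sample documents are assumptions constructed for illustration; the checker matches elements by local name only.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI used only by the constructed samples below.
NS = "http://stix.mitre.org/Report-1"
RECOMMENDED = ("Title", "Intent", "Information_Source")

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def check_report(xml_text):
    """Return findings for one Report element (empty list means clean)."""
    report = ET.fromstring(xml_text)
    findings = []
    has_id, has_idref = "id" in report.attrib, "idref" in report.attrib
    if has_idref:
        # A reference must not also define an id, and should carry no content.
        if has_id:
            findings.append("id and idref are both set")
        held = [local(child.tag) for child in report]
        if held:
            findings.append("idref Report holds content: " + ", ".join(held))
    else:
        # A defining Report: check the recommended Header fields.
        header = next((c for c in report if local(c.tag) == "Header"), None)
        present = {local(c.tag) for c in header} if header is not None else set()
        missing = [f for f in RECOMMENDED if f not in present]
        if missing:
            findings.append("Header missing recommended: " + ", ".join(missing))
    if "timestamp" in report.attrib and not (has_id or has_idref):
        findings.append("timestamp set without id or idref")
    return findings

# Constructed sample documents (not taken from any real report).
ATTRS = f'xmlns:report="{NS}" xmlns:example="http://example.com"'
GOOD = f"""<report:Report {ATTRS} id="example:Report-1" timestamp="2015-05-01T00:00:00Z">
  <report:Header><report:Title>Constructed</report:Title>
    <report:Intent>Campaign Characterization</report:Intent>
    <report:Information_Source/></report:Header>
  <report:Indicators/>
</report:Report>"""
BAD_REF = f"""<report:Report {ATTRS} id="example:Report-2" idref="example:Report-1">
  <report:Indicators/>
</report:Report>"""
NO_ID = f'<report:Report {ATTRS} timestamp="2015-05-01T00:00:00Z"/>'

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD_REF", BAD_REF), ("NO_ID", NO_ID)):
        print(name, check_report(doc))
```

A Report that carries only an idref (and optionally a timestamp) yields no findings, since the Header recommendations apply to the Report's definition, not to references to it.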