STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.
As of STIX 1.2, the contextual fields in STIX_Header
have been deprecated. If you want to give context to set of STIX content you should use a Report. The Information_Source
field is still available and should be used to indicate the source of content that’s included in the report (in other words, it’s equivalent to setting the Information_Source
in each individual construct).
Field Name | Type | Description |
---|---|---|
@idoptional | QName |
Specifies a globally unique identifier for this STIX Package. |
@idrefoptional | QName |
Specifies a globally unique identifier of a STIX Package specified elsewhere. When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content. DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. |
@timestampoptional | dateTime |
Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields. DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. |
@versionoptional | STIXPackageVersionEnum |
Specifies the relevant STIX schema version for this content. |
STIX_Header0..1 | STIXHeaderType |
The STIX_Header field provides information characterizing this package of STIX content. |
Observables0..1 | ObservablesType |
Characterizes one or more cyber observables. DEPRECATION NOTICE: The use of the @idref attribute on observables at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Observables in this list should only be embedded, not referenced. |
Indicators0..1 | IndicatorsType |
Characterizes one or more cyber threat Indicators. DEPRECATION NOTICE: The use of the @idref attribute on indicators at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Indicators in this list should only be embedded, not referenced. |
TTPs0..1 | TTPsType |
Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures. DEPRECATION NOTICE: The use of the @idref attribute on TTPs at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. TTPs in this list should only be embedded, not referenced. |
Exploit_Targets0..1 | ExploitTargetsType |
Characterizes one or more potential targets for exploitation. DEPRECATION NOTICE: The use of the @idref attribute on exploit targets at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Exploit targets in this list should only be embedded, not referenced. |
Incidents0..1 | IncidentsType |
Characterizes one or more cyber threat Incidents. DEPRECATION NOTICE: The use of the @idref attribute on incidents at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Incidents in this list should only be embedded, not referenced. |
Courses_Of_Action0..1 | CoursesOfActionType |
Characterizes Courses of Action to be taken in regards to one of more cyber threats. DEPRECATION NOTICE: The use of the @idref attribute on courses of action at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Courses of action in this list should only be embedded, not referenced. |
Campaigns0..1 | CampaignsType |
Characterizes one or more cyber threat Campaigns. DEPRECATION NOTICE: The use of the @idref attribute on campaigns at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Campaigns in this list should only be embedded, not referenced. |
Threat_Actors0..1 | ThreatActorsType |
Characterizes one or more cyber Threat Actors. DEPRECATION NOTICE: The use of the @idref attribute on threat actors at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Threat actors in this list should only be embedded, not referenced. |
Reports0..1 | ReportsType |
Characterizes one or more cyber threat Reports. DEPRECATION NOTICE: The use of the @idref attribute on reports at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Reports in this list should only be embedded, not referenced. |
Related_Packages0..1 | RelatedPackagesType |
Characterizes one or more relationships to other Packages. DEPRECATION NOTICE: The use of the @idref attribute on related packages is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Related packages in this list should only be embedded, not referenced. |