ThreatActorTypeThreat Actor Schema

Represents a single STIX Threat Actor.

ThreatActors are characterizations of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behavior. In a structured sense, ThreatActors consist of a characterization of identity, suspected motivation, suspected intended effect, historically observed TTP used by the ThreatActor, historical Campaigns believed associated with the ThreatActor, other ThreatActors believed associated with the ThreatActor, handling guidance, confidence in the asserted characterization of the ThreatActor, source of the ThreatActor information, etc.


Fields

Field Name Type Description
@idoptional QName

Specifies a globally unique identifier for this ThreatActor.

@idrefoptional QName

Specifies a globally unique identifier of a ThreatActor specified elsewhere.

When idref is specified, the id attribute must not be specified, and any instance of this ThreatActor should not hold content.

@timestampoptional dateTime

Specifies a timestamp for the definition of a specific version of a ThreatActor. When used in conjunction with the id, this field is specifying the definition time for the specific version of the ThreatActor. When used in conjunction with the idref, this field is specifying a reference to a specific version of a ThreatActor defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.

@versionoptional ThreatActorVersionType

Specifies the relevant STIX-ThreatActor schema version for this content.

Title0..1 string

The Title field provides a simple title for this ThreatActor.

Description0..n StructuredTextType

The Description field is optional and provides an unstructured, text description of this ThreatActor.

Short_Description0..n StructuredTextType

The Short_Description field is optional and provides a short, unstructured, text description of this ThreatActor.

Identity0..1 IdentityType

The Identity field characterizes the identity of this Threat Actor.

This field is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://stix.mitre.org/extensions/Identity#CIQIdentity3.0-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://stix.mitre.org/XMLSchema/extensions/identity/ciq_identity/1.1/ciq_identity.xsd.

Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name field.

Type0..n StatementType

The Type field characterizes the type(s) of this threat actor. It may be used multiple times to capture multiple types.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorTypeVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Motivation0..n StatementType

The Type field characterizes the motivations of this threat actor. It may be used multiple times to capture multiple motivations.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is MotivationVocab-1.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Sophistication0..n StatementType

The Sophistication field specifies the sophistication of this Threat Actor.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorSophisticationVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Intended_Effect0..n StatementType

The Intended_Effect field specifies the suspected intended effect for this Threat Actor.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Planning_And_Operational_Support0..n StatementType

The Planning_And_Operational_Support field specifies the suspected planning and operational support performed by this threat actor.

It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is PlanningAndOperationalSupportVocab-1.0.1 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.

Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.

Observed_TTPs0..1 ObservedTTPsType

The Observed_TTPs field specifies the TTPs that this Threat Actor has been observed to leverage.

Associated_Campaigns0..1 AssociatedCampaignsType

The Associated_Campaigns field specifies any known Campaigns attributed to this Threat Actor.

Associated_Actors0..1 AssociatedActorsType

The Associated_Actors field specifies other Threat Actors asserted to be associated with this Threat Actor.

Handling0..1 MarkingType

The Handling field specifies the appropriate data handling markings for the elements of this Threat Actor characterization. The valid marking scope is the nearest ThreatActorBaseType ancestor of this Handling element and all its descendants.

Confidence0..1 ConfidenceType

The Confidence field characterizes the level of confidence held in the characterization of this Threat Actor.

Information_Source0..1 InformationSourceType

The Information_Source field details the source of this entry.

Related_Packages0..1 RelatedPackageRefsType

The Related_Packages field identifies or characterizes relationships to set of related Packages.

DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.