-
Notifications
You must be signed in to change notification settings - Fork 21
/
stix_core.xsd
300 lines (300 loc) · 21.5 KB
/
stix_core.xsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:stix="http://stix.mitre.org/stix-1" xmlns:marking="http://data-marking.mitre.org/Marking-1" xmlns:stixCommon="http://stix.mitre.org/common-1" targetNamespace="http://stix.mitre.org/stix-1" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2" xml:lang="en">
<xs:annotation>
<xs:documentation>This schema was originally developed by The MITRE Corporation. The STIX XML Schema implementation is maintained by The MITRE Corporation and developed by the open STIX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the STIX website at http://stix.mitre.org. </xs:documentation>
<xs:appinfo>
<version>1.2</version>
<date>05/15/2015 9:00:00 AM</date>
<short_description>Structured Threat Information eXpression (STIX) - Schematic implementation for a structured cyber threat expression language architecture.</short_description>
<terms_of_use>Copyright (c) 2012-2015, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the STIX License located at http://stix.mitre.org/about/termsofuse.html. See the STIX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the STIX Schema, this license header must be included. </terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://stix.mitre.org/common-1" schemaLocation="stix_common.xsd"/>
<xs:import namespace="http://cybox.mitre.org/cybox-2" schemaLocation="cybox/cybox_core.xsd"/>
<xs:import namespace="http://data-marking.mitre.org/Marking-1" schemaLocation="data_marking.xsd"/>
<xs:element name="STIX_Package" type="stix:STIXType">
<xs:annotation>
<xs:documentation>The STIX_Package field contains a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:complexType name="STIXType">
<xs:annotation>
<xs:documentation>STIXType defines a bundle of information characterized in the Structured Threat Information eXpression (STIX) language.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="STIX_Header" type="stix:STIXHeaderType" minOccurs="0">
<xs:annotation>
<xs:documentation>The STIX_Header field provides information characterizing this package of STIX content.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber observables.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on observables at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Observables in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Indicators" type="stix:IndicatorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber threat Indicators.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on indicators at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Indicators in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TTPs" type="stix:TTPsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on TTPs at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. TTPs in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more potential targets for exploitation.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on exploit targets at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Exploit targets in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Incidents" type="stix:IncidentsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber threat Incidents.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on incidents at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Incidents in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Courses_Of_Action" type="stix:CoursesOfActionType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on courses of action at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Courses of action in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Campaigns" type="stix:CampaignsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber threat Campaigns.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on campaigns at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Campaigns in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Threat_Actors" type="stix:ThreatActorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber Threat Actors.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on threat actors at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Threat actors in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Reports" type="stix:ReportsType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more cyber threat Reports.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on reports at the top level of this list is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Reports in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Packages" type="stix:RelatedPackagesType" minOccurs="0">
<xs:annotation>
<xs:documentation>Characterizes one or more relationships to other Packages.</xs:documentation>
<xs:documentation>DEPRECATION NOTICE: The use of the @idref attribute on related packages is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications. Related packages in this list should only be embedded, not referenced.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="id" type="xs:QName">
<xs:annotation>
<xs:documentation>Specifies a globally unique identifier for this STIX Package. </xs:documentation>
</xs:annotation>
</xs:attribute>
<xs:attribute name="idref" type="xs:QName">
<xs:annotation>
<xs:documentation>Specifies a globally unique identifier of a STIX Package specified elsewhere.</xs:documentation>
<xs:documentation>When idref is specified, the id attribute must not be specified, and any instance of this STIX Package should not hold content.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:attribute>
<xs:attribute name="timestamp" type="xs:dateTime">
<xs:annotation>
<xs:documentation>Specifies a timestamp for the definition of a specific version of a STIX Package. When used in conjunction with the id, this field is specifying the definition time for the specific version of the STIX Package. When used in conjunction with the idref, this field is specifying a reference to a specific version of a STIX Package defined elsewhere. This field has no defined semantic meaning if used in the absence of either the id or idref fields.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:attribute>
<xs:attribute name="version" type="stix:STIXPackageVersionEnum">
<xs:annotation>
<xs:documentation>Specifies the relevant STIX schema version for this content.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:complexType>
<xs:simpleType name="STIXPackageVersionEnum">
<xs:annotation>
<xs:documentation>An enumeration of all versions of STIX package types valid in the current release of STIX.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="1.0"/>
<xs:enumeration value="1.0.1"/>
<xs:enumeration value="1.1"/>
<xs:enumeration value="1.1.1"/>
<xs:enumeration value="1.2"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="STIXHeaderType">
<xs:annotation>
<xs:documentation>The STIXHeaderType provides a structure for characterizing a package of STIX content.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title field provides a simple title for this STIX Package.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
<xs:element name="Package_Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Package_Intent field characterizes the intended purpose(s) or use(s) for this package of STIX content.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is PackageIntentVocab-1.0 in the http://stix.mitre.org/default_vocabularies-1 namespace. This type is defined in the stix_default_vocabularies.xsd file or at the URL http://stix.mitre.org/XMLSchema/default_vocabularies/1.2.0/stix_default_vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use this as a string field.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description field provides a description of this package of STIX content.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description field provides a short description of this package of STIX content.</xs:documentation>
<xs:documentation>DEPRECATED: This field is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
<xs:element name="Profiles" type="stixCommon:ProfilesType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Profiles field provides a list of profiles that the STIX_Package conforms to.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
<xs:annotation>
<xs:documentation>Specifies the relevant handling guidance for this STIX_Package. The valid marking scope is the nearest STIXPackageType ancestor of this Handling element and all its descendants.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Information_Source field details the source of this entry, including time information as well as information about the producer, contributors, tools, and references.</xs:documentation>
<xs:documentation>This Information_Source field applies both to the package metadata in the STIX_Header as well as individually to the contents of the STIX_Package (unless overriden by their own Information_Source field).</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<!---->
<xs:complexType name="IndicatorsType">
<xs:sequence>
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single cyber threat Indicator.</xs:documentation>
<xs:documentation> This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://stix.mitre.org/Indicator-2 namespace. This type is defined in the indicator.xsd file or at the URL http://stix.mitre.org/XMLSchema/indicator/2.2/indicator.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="TTPsType">
<xs:sequence>
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single cyber threat adversary Tactic, Technique or Procedure.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://stix.mitre.org/TTP-1 namespace. This type is defined in the ttp.xsd file or at the URL http://stix.mitre.org/XMLSchema/ttp/1.2/ttp.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Kill_Chains" type="stixCommon:KillChainsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Kill_Chains field characterizes specific Kill Chain definitions for reference within specific TTP entries, Indicators and elsewhere.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IncidentsType">
<xs:sequence>
<xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Identifies or characterizes a single cyber threat Incident.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CoursesOfActionType">
<xs:sequence>
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Course_Of_Action field characterizes a Course of Action to be taken in regards to one of more cyber threats.</xs:documentation>
<xs:documentation> This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://stix.mitre.org/CourseOfAction-1 namespace. This type is defined in the course_of_action.xsd file or at the URL http://stix.mitre.org/XMLSchema/course_of_action/1.2/course_of_action.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CampaignsType">
<xs:sequence>
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single cyber threat Campaign.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://stix.mitre.org/Campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://stix.mitre.org/XMLSchema/campaign/1.2/campaign.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ThreatActorsType">
<xs:sequence>
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single cyber Threat Actor.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://stix.mitre.org/ThreatActor-1 namespace. This type is defined in the threat_actor.xsd file or at the URL http://stix.mitre.org/XMLSchema/threat_actor/1.2/threat_actor.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ReportsType">
<xs:sequence>
<xs:element name="Report" type="stixCommon:ReportBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single cyber threat Report.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ReportType in the http://stix.mitre.org/Report-1 namespace. This type is defined in the report.xsd file or at the URL http://stix.mitre.org/XMLSchema/report/1.2/report.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RelatedPackageType">
<xs:annotation>
<xs:documentation>Identifies or characterizes a relationship to a Package.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipType">
<xs:sequence>
<xs:element name="Package" type="stix:STIXType">
<xs:annotation>
<xs:documentation>A reference to or representation of the related Package.</xs:documentation>
<xs:documentation>This field is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://stix.mitre.org/Incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://stix.mitre.org/XMLSchema/incident/1.2/incident.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="RelatedPackagesType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_Package" type="stix:RelatedPackageType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Characterizes a single relationship to another Package.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:schema>