-
Notifications
You must be signed in to change notification settings - Fork 21
/
threat-actor.xsd
188 lines (188 loc) · 17.9 KB
/
threat-actor.xsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2" xmlns:stixCommon="http://docs.oasis-open.org/cti/ns/stix/common-1" xmlns:ta="http://docs.oasis-open.org/cti/ns/stix/threat-actor-1" xmlns:marking="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" targetNamespace="http://docs.oasis-open.org/cti/ns/stix/threat-actor-1" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2.1" xml:lang="en">
<xs:annotation>
<xs:documentation> STIX[TM] Version 1.2.1. Committee Specification Draft 01 / Public Review Draft 01</xs:documentation>
<xs:appinfo>
<schema>STIX Threat Actor</schema>
<version>1.2.1</version>
<date>12/15/2015 9:00:00 AM</date>
<short_description>Structured Threat Information eXpression (STIX) - ThreatActor - Schematic implementation for the Threat Actor construct within the STIX structured cyber threat expression language architecture.</short_description>
<terms_of_use>Copyright (c) OASIS Open 2016. All Rights Reserved.
Distributed under the terms of the OASIS IPR Policy, [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.</terms_of_use>
<terms_of_use> Portions copyright (c) United States Government 2012-2016. All Rights Reserved.
Source: http://docs.oasis-open.org/cti/stix/v1.2.1/csprd01/schemas/
Latest version of the specification: REPLACE_WITH_SPECIFICATION_URL
TC IPR Statement: https://www.oasis-open.org/committees/cti/ipr.php
</terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/cybox/core-2" schemaLocation="cybox/core.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/common-1" schemaLocation="common.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" schemaLocation="data-marking.xsd"/>
<xs:element name="Threat_Actor" type="ta:ThreatActorType">
<xs:annotation>
<xs:documentation>Identification or characterization of the adversary</xs:documentation>
</xs:annotation>
</xs:element>
<!---->
<xs:complexType name="ThreatActorType">
<xs:annotation>
<xs:documentation>The ThreatActorType characterizes a cyber threat actor including their identity, sophistication, presumed intent, historically observed behavior (TTPs), and campaigns or other threat actors they are believed to be associated with. ThreatActorType extends ThreatActorBaseType from the Common schema, which provides the essential identifier (id) and identifier reference (idref) properties. </xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:ThreatActorBaseType">
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title property captures a title for the Threat Actor and reflects what the content producer thinks the Threat Actor as a whole should be called. The Title property is typically used by humans to reference a particular Threat Actor; however, it is not suggested for correlation.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the Threat Actor. Any length is permitted. Optional formatting is supported via the structuring_format property of the StructuredTextType type.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the Threat Actor. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Identity" type="stixCommon:IdentityType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Identity property characterizes the identity of this Threat Actor.</xs:documentation>
<xs:documentation>This property is implemented through the xsi:type extension mechanism. The default type is CIQIdentity3.0InstanceType in the http://docs.oasis-open.org/cti/ns/stix/extensions/identity/ciq-3.0-identity-1 namespace. This type is defined in the extensions/identity/ciq_identity.xsd file or at the URL http://docs.oasis-open.org/cti/stix/v1.2.1/csd01/xml-schemas/extensions/identity/ciq-3.0-identity.xsd.</xs:documentation>
<xs:documentation>Those who wish to express a simple name may also do so by not specifying an xsi:type and using the Name property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Type" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Type property characterizes the type of this Threat Actor, which includes a Value property that specifies the particular type of the Threat Actor. Examples of potential types include black hat hacker, insider threat, and disgruntled customer (these specific values are only provided to help explain the Value property: they are neither recommended values nor necessarily part of any existing vocabulary). It may be used multiple times to capture multiple types.</xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorTypeVocab-1.0 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Motivation" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Motivation property characterizes the motivation of this Threat Actor, which includes a Value property that specifies the type of motivation, such as ego, religious and anti-establishment (these specific types are only provided to help explain the Value property: they are neither recommended types nor necessarily part of any existing vocabulary).</xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is MotivationVocab-1.1 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Sophistication" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Sophistication property characterizes the sophistication of this Threat Actor, which includes a Value property that specifies the level of sophistication. Examples of potential levels include innovator, expert, and novice (these specific levels are only provided to help explain the Value property: they are neither recommended levels nor necessarily part of any existing vocabulary).</xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is ThreatActorSophisticationVocab-1.0 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd .</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Intended_Effect property characterizes the suspected intended effect of the Threat Actor, which includes a Value property that specifies the type of the effect. Examples of potential types include theft, disruption, and unauthorized access (these specific types are only provided to help explain the Value property: they are neither recommended types nor necessarily part of any existing vocabulary).</xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Planning_And_Operational_Support" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Planning_And_Operational_Support property characterizes suspected planning and operational support available to this Threat Actor, which includes a Value property that specifies one type of support, such as financial, hiring and selecting targets (these specific types are only provided to help explain the Value property: they are neither recommended types nor necessarily part of any existing vocabulary).</xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is PlanningAndOperationalSupportVocab-1.0.1 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Observed_TTPs" type="ta:ObservedTTPsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Observed_TTPs property specifies a set of one or more TTPs asserted as observed to be leveraged by the Threat Actor (or in some way related to a Threat Actor).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Associated_Campaigns" type="ta:AssociatedCampaignsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Associated_Campaigns property specifies a set of one or more Campaigns asserted to be related to the Threat Actor.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Associated_Actors" type="ta:AssociatedActorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Associated_Actors property specifies a set of one or more other Threat Actors asserted to be related to this Threat Actor.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Handling property specifies the appropriate data handling markings for the properties of this Threat Actor. The marking scope is limited to the Threat Actor and the content is contains. Note that data handling markings can also be specified at a higher level.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Confidence property characterizes the level of confidence in the accuracy of the collection of information captured for the Threat Actor. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Information_Source property characterizes the source of the Threat Actor information. Examples of details captured include identitifying characteristics, time-related attributes, and a list of tools used to collect the information.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Packages property specifies a set of one or more STIX Packages that are related to the Threat Actor.</xs:documentation>
<xs:documentation>DEPRECATED: This property is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="version" type="ta:ThreatActorVersionType">
<xs:annotation>
<xs:documentation>The version property specifies the version number of the STIX Threat Actor data model used to capture the information associated with the Threat Actor.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!---->
<xs:simpleType name="ThreatActorVersionType">
<xs:annotation>
<xs:documentation>An enumeration of all versions of the Threat Actor type valid in the current release of STIX.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="stix-1.2.1" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="AssociatedActorsType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Associated_Actor" type="stixCommon:RelatedThreatActorType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Associated_Actor property specifies another Threat Actor asserted to be associated with this Threat Actor and characterizes the relationship between the Threat Actors by capturing information such as the level of confidence that the Threat Actors are related, the source of the relationship information, and type of the relationship. A relationship between Threat Actors may represent assertions of general associativity or different versions of the same Threat Actor.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="AssociatedCampaignsType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Associated_Campaign" type="stixCommon:RelatedCampaignType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Associated_Campaign property specifies a Campaign asserted to be associated with this Threat Actor and characterizes the relationship between the Campaign and the Threat Actor by capturing information such as the level of confidence that the Campaign and the Threat Actor are related, the source of the relationship information, and the type of relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="ObservedTTPsType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Observed_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Observed_TTP property specifies a TTP asserted as observed to be leveraged by the Threat Actor (or in some way related to a Threat Actor) and characterizes the relationship between the Threat Actor and the TTP by capturing information such as the level of confidence that the Threat Actor and the TTP are related, the source of the relationship information, and the type of relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:schema>