-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathcampaign.xsd
237 lines (237 loc) · 19.4 KB
/
campaign.xsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:stixCommon="http://docs.oasis-open.org/cti/ns/stix/common-1" xmlns:campaign="http://docs.oasis-open.org/cti/ns/stix/campaign-1" xmlns:marking="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" xmlns:cyboxCommon="http://docs.oasis-open.org/cti/ns/cybox/common-2" targetNamespace="http://docs.oasis-open.org/cti/ns/stix/campaign-1" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2.1" xml:lang="en">
<xs:annotation>
<xs:documentation> STIX[TM] Version 1.2.1. Committee Specification Draft 01 / Public Review Draft 01</xs:documentation>
<xs:appinfo>
<schema>STIX Campaign</schema>
<version>1.2.1</version>
<date>12/15/2015 9:00:00 AM</date>
<short_description>Structured Threat Information eXpression (STIX) - Campaign - Schematic implementation for the Campaign construct within the STIX structured cyber threat expression language architecture.</short_description>
<terms_of_use>Copyright (c) OASIS Open 2016. All Rights Reserved.
Distributed under the terms of the OASIS IPR Policy, [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.</terms_of_use>
<terms_of_use> Portions copyright (c) United States Government 2012-2016. All Rights Reserved.
Source: http://docs.oasis-open.org/cti/stix/v1.2.1/csprd01/schemas/
Latest version of the specification: REPLACE_WITH_SPECIFICATION_URL
TC IPR Statement: https://www.oasis-open.org/committees/cti/ipr.php
</terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/cybox/core-2" schemaLocation="cybox/core.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/common-1" schemaLocation="common.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" schemaLocation="data-marking.xsd"/>
<xs:element name="Campaign" type="campaign:CampaignType">
<xs:annotation>
<xs:documentation>The Campaign field characterizes a single cyber threat Campaign.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:complexType name="CampaignType">
<xs:annotation>
<xs:documentation>The CampaignType characterizes a cyber threat campaign by capturing an asserted relationship between the threat actors who are involved, the TTPs used, and the incidents that comprise parts of the campaign in addition to other intrinsic properties. The CampaignType extends CampaignBaseType from the Common schema, which provides the essential identifier (id) and identifier reference (idref) properties. </xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:CampaignBaseType">
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title property captures a title for the Campaign and reflects what the content producer thinks the Campaign as a whole should be called. The Title property is typically used by humans to reference a particular Campaign; however, it is not suggested for correlation.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the Campaign. Any length is permitted. Optional formatting is supported via the structuring_format property</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the Campaign. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Names" type="campaign:NamesType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Names property specifies a set of one or more names (i.e., aliases) used to identify the Campaign. An organization may use names that are created internally or externally (outside the organization). Note that the purpose of the Names property is different than that of the Title property: while the Title property is used to title the Campaign construct instance, the Names property gives the names of the set of activity that the Campaign describes.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Intended_Effect" type="stixCommon:StatementType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Intended_Effect property characterizes the suspected effect that the Campaign is intended to have on its target(s), which includes a Value property that specifies the type of the effect. Examples of potential types include theft, disruption, and unauthorized access (these specific values are only provided to help explain the Value property: they are neither recommended values nor necessarily part of any existing vocabulary). </xs:documentation>
<xs:documentation>It is implemented through the StatementType, which allows for the expression of a statement in a vocabulary (Value), a description of the statement (Description), a confidence in the statement (Confidence), and the source of the statement (Source). The default vocabulary type for the Value is IntendedEffectVocab-1.0 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Status" type="stixCommon:ControlledVocabularyStringType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Status property specifies the status of the Campaign. Examples of potential statuses include ongoing, historical, and future (these specific values are only provided to help explain the property: they are neither recommended values nor necessarily part of any existing vocabulary). </xs:documentation>
<xs:documentation>This property is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is CampaignStatusType in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation> Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_TTPs" type="campaign:RelatedTTPsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_TTPs property specifies a set of one or more TTPs leveraged within the Campaign (or in some way related to a Campaign).</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Incidents" type="campaign:RelatedIncidentsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The RelatedIncidents property specifies a set of one or more Incidents that are part of the Campaign (or in some way related to the Campaign). </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Indicators" type="campaign:RelatedIndicatorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Indicators property specifies a set of one or more Indicators relevant to the Campaign. </xs:documentation>
<xs:documentation>NOTE: As of STIX Version 1.1, this property is deprecated and is scheduled to be removed in STIX Version 2.0. Relationships between indicators and campaigns should be represented using the Related_Campaigns property on IndicatorType unless legacy code or content requires the use of this property.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
<xs:element name="Attribution" type="campaign:AttributionType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Attribution property specifies attribution information in the form of a set of one or more Threat Actors who are asserted to be responsible for the Campaign. Multiple groups can be captured by defining multiple Attribution elements.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Associated_Campaigns" type="campaign:AssociatedCampaignsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Associated_Campaigns property specifies a set of one or more other Campaigns related to this Campaign. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Confidence" type="stixCommon:ConfidenceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Confidence property characterizes the level of confidence in the accuracy of the collection of information captured for the Campaign. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Activity" type="stixCommon:ActivityType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Activity property characterizes a defender activity associated with the Campaign. Its underlying abstract type must be extended to include the chosen format of activity characterization.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Information_Source property characterizes the source of the Campaign information. Examples of details captured include identitifying characteristics, time-related attributes, and a list of the tools used to collect the information. </xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Handling property specifies data handling markings for the properties of this Campaign. The marking scope is limited to the campaign and the content it contains. Note that data handling markings can also be specified at a higher level.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Packages" type="stixCommon:RelatedPackageRefsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Packages property specifies a set of one or more STIX Packages that are related to the Campaign. </xs:documentation>
<xs:documentation>DEPRECATED: This property is deprecated and will be removed in the next major version of STIX. Its use is strongly discouraged except for legacy applications.</xs:documentation>
<xs:appinfo>
<deprecated>true</deprecated>
</xs:appinfo>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="version" type="campaign:CampaignVersionType">
<xs:annotation>
<xs:documentation>The version property specifies the version number of the STIX Campaign data model used to capture the information associated with the Campaign.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!---->
<xs:simpleType name="CampaignVersionType">
<xs:annotation>
<xs:documentation>An enumeration of all versions of the Campaign type valid in the current release of STIX.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="stix-1.2.1" />
</xs:restriction>
</xs:simpleType>
<xs:complexType name="AttributionType">
<xs:annotation>
<xs:documentation>The AttributionType specifies a set of one or more Threat Actors asserted as related to a Campaign from an attribution perspective. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Attributed_Threat_Actor" type="stixCommon:RelatedThreatActorType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Attributed_Threat_Actor property specifies a Threat Actor asserted as related to the Campaign and characterizes the relationship between the Threat Actor and the Campaign by capturing information such as the level of confidence that the Threat Actor and the Campaign are related, the source of the relationship information, and the type of the relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!---->
<xs:complexType name="RelatedTTPsType">
<xs:annotation>
<xs:documentation>The RelatedTTPsType specifies a set of one or more TTPs asserted to be leveraged within the Campaign (or in some way related to a Campaign). It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_TTP" type="stixCommon:RelatedTTPType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Related_TTP property specifies a TTP leveraged within the Campaign (or in some way related to a Campaign) and characterizes the relationship between the Campaign and the TTP by capturing information such as the level of confidence that the Campaign and the TTP are related, the source of the relationship information, and the type of relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="NamesType">
<xs:annotation>
<xs:documentation>The NamesType specifies a set of one or more names used to identify the Campaign. Note that an equivalent NamesType is defined in the STIX Common data model; this duplication is due to backward-compatiblity issues and will be corrected in the next major release of STIX . At that time, the campaign:NamesType will be removed, and Campaign names will be defined via the stixCommon:NamesType type. </xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Name" type="stixCommon:ControlledVocabularyStringType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Name property is used to specify a single name or alias that identifies the Campaign. The content creator may choose any arbitrary value or may constrain the set of possible values by referencing an externally-defined vocabulary or leveraging a formally defined vocabulary extending from the stixCommon:ControlledVocabularyStringType. No default vocabulary has been defined for STIX.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RelatedIncidentsType">
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_Incident" type="stixCommon:RelatedIncidentType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>Identifies or characterizes an Incident related to this Campaign. </xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="RelatedIndicatorsType">
<xs:annotation>
<xs:documentation>The RelatedIndicatorsType specifies a set of one or more Indicators asserted as relevent to a Campaign. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).
</xs:documentation>
<xs:documentation>The Related_Indicators property of the CampaignType was deprecated in STIX Version 1.1, and it is slated for removal in STIX Version 2.0 (it remains in the Campaign data model for backward compatibility). Therefore, because no other property requires it, RelatedIndicatorsType will be removed in STIX Version 2.0 of the Campaign data model. Unless legacy code or content require the use of the Related_Indicators property, Relationships between Indicators and Campaigns in STIX v1.2.1 SHOULD be represented using the Related_Campaigns property of the indicator:IndicatorType.</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_Indicator" type="stixCommon:RelatedIndicatorType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Related_Indicator property specifies an Indicator asserted as relevant to this Campaign and characterizes the relationship between the Indicator and the Campaign by capturing information such as the level of confidence that the Indicator and the Campaign are related, the source of the relationship information, and the type of relationship.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:complexType name="AssociatedCampaignsType">
<xs:annotation>
<xs:documentation>The AssociatedCampaignType specifies a set of one or more other Campaigns asserted as related to this Campaign and therefore is a self-referential relationship. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).
</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Associated_Campaign" type="stixCommon:RelatedCampaignType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Associated_Campaign property specifies another Campaign associated with this Campaign and characterizes the relationship between the Campaigns by capturing information such as the level of confidence that the Campaigns are related, the source of the relationship information, and type of the relationship. A relationship between Campaigns may represent assertions of general associativity or different versions of the same Campaign.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:schema>