-
Notifications
You must be signed in to change notification settings - Fork 21
/
Copy pathreport.xsd
235 lines (235 loc) · 16.8 KB
/
report.xsd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:cybox="http://docs.oasis-open.org/cti/ns/cybox/core-2" xmlns:report="http://docs.oasis-open.org/cti/ns/stix/report-1" xmlns:marking="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" xmlns:stixCommon="http://docs.oasis-open.org/cti/ns/stix/common-1" xmlns:cyboxCommon="http://docs.oasis-open.org/cti/ns/cybox/common-2" xmlns:campaign="http://docs.oasis-open.org/cti/ns/stix/campaign-1" xmlns:coa="http://docs.oasis-open.org/cti/ns/stix/course-of-action-1" xmlns:et="http://docs.oasis-open.org/cti/ns/stix/exploit-target-1" xmlns:incident="http://docs.oasis-open.org/cti/ns/stix/incident-1" xmlns:indicator="http://docs.oasis-open.org/cti/ns/stix/indicator-1" xmlns:ta="http://docs.oasis-open.org/cti/ns/stix/threat-actor-1" xmlns:ttp="http://docs.oasis-open.org/cti/ns/stix/ttp-1" targetNamespace="http://docs.oasis-open.org/cti/ns/stix/report-1" elementFormDefault="qualified" attributeFormDefault="unqualified" version="1.2.1" xml:lang="en">
<xs:annotation>
<xs:documentation> STIX[TM] Version 1.2.1. Committee Specification Draft 01 / Public Review Draft 01</xs:documentation>
<xs:appinfo>
<schema>STIX Report</schema>
<version>1.2.1</version>
<date>12/15/2015 9:00:00 AM</date>
<short_description>Structured Threat Information eXpression (STIX) - Schematic implementation for a structured cyber threat expression language architecture.</short_description>
<terms_of_use>Copyright (c) OASIS Open 2016. All Rights Reserved.
Distributed under the terms of the OASIS IPR Policy, [http://www.oasis-open.org/policies-guidelines/ipr], AS-IS, WITHOUT ANY IMPLIED OR EXPRESS WARRANTY; there is no warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE or NONINFRINGEMENT of the rights of others.</terms_of_use>
<terms_of_use> Portions copyright (c) United States Government 2012-2016. All Rights Reserved.
Source: http://docs.oasis-open.org/cti/stix/v1.2.1/csprd01/schemas/
Latest version of the specification: REPLACE_WITH_SPECIFICATION_URL
TC IPR Statement: https://www.oasis-open.org/committees/cti/ipr.php
</terms_of_use>
</xs:appinfo>
</xs:annotation>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/common-1" schemaLocation="common.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/cybox/core-2" schemaLocation="cybox/core.xsd"/>
<xs:import namespace="http://docs.oasis-open.org/cti/ns/stix/data-marking-1" schemaLocation="data-marking.xsd"/>
<xs:element name="Report" type="report:ReportType">
<xs:annotation>
<xs:documentation>The Report construct gives context to a grouping of STIX content.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:complexType name="ReportType">
<xs:annotation>
<xs:documentation>The ReportType defines a contextual wrapper for a grouping of STIX content. ReportType extends ReportBaseType from the Common schema, which provides the essential identifier (id) and identifier reference (idref) properties. </xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:ReportBaseType">
<xs:sequence>
<xs:element name="Header" type="report:HeaderType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Header property characterizes the contextual information for this grouping of STIX content.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Observables" type="cybox:ObservablesType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Observables property specifies a set of one or more cyber observables.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Indicators" type="report:IndicatorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Indicators property specifies a set of one or more cyber threat Indicators.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="TTPs" type="report:TTPsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The TTPs property specifies a set of one or more cyber threat adversary Tactics, Techniques or Procedures.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Exploit_Targets" type="stixCommon:ExploitTargetsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Exploit_Targets property specifies a set of one or more potential targets for exploitation.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Incidents" type="report:IncidentsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Incidents property specifies a set of one or more cyber threat Incidents.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Courses_Of_Action" type="report:CoursesOfActionType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Courses_Of_Action property specifies a set of one or more Courses of Action to be taken in regards to one of more cyber threats.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Campaigns" type="report:CampaignsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Campaigns property specifies a set of one or more cyber threat Campaigns.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Threat_Actors" type="report:ThreatActorsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Threat_Actors property specifies a set of one or more cyber Threat Actors.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Related_Reports" type="report:RelatedReportsType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Related_Reports property specifies a set of one or more other Reports related to this Report.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
<xs:attribute name="version" type="report:ReportVersionEnum">
<xs:annotation>
<xs:documentation>Specifies the relevant Report schema version for this content.</xs:documentation>
</xs:annotation>
</xs:attribute>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<xs:simpleType name="ReportVersionEnum">
<xs:annotation>
<xs:documentation>An enumeration of all versions of Report types valid in the current release of STIX.</xs:documentation>
</xs:annotation>
<xs:restriction base="xs:string">
<xs:enumeration value="stix-1.2.1"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="HeaderType">
<xs:annotation>
<xs:documentation>The HeaderType provides a structure for characterizing the contextual information in a Report of STIX content.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Title" type="xs:string" minOccurs="0">
<xs:annotation>
<xs:documentation>The Title property captures a title for the Report and reflects what the content producer thinks the Report as a whole should be called. The Title property is typically used by humans to reference a particular Report; however, it is not suggested for correlation.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Intent" type="stixCommon:ControlledVocabularyStringType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Intent property specifies the intended purpose(s) or use(s) for the Report. Examples of potential purposes are collective threat intelligence, campaign characterization and malware samples (these specific values are only provided to help explain the property: they are neither recommended types nor necessarily part of any existing vocabulary). </xs:documentation>
<xs:documentation>This property is implemented through the xsi:type controlled vocabulary extension mechanism. The default vocabulary type is ReportIntentVocab-1.0 in the http://docs.oasis-open.org/cti/ns/stix/vocabularies-1 namespace. This type is defined in the vocabularies.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/vocabularies.xsd.</xs:documentation>
<xs:documentation>Users may also define their own vocabulary using the type extension mechanism, specify a vocabulary name and reference using the attributes, or simply use a string.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Description property captures a textual description of the Report. Any length is permitted. Optional formatting is supported via the structuring_format property.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Short_Description" type="stixCommon:StructuredTextType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Short_Description property captures a short textual description of the Report. This property is secondary and should only be used if the Description property is already populated and another, shorter description is available.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Handling" type="marking:MarkingType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Handling property specifies the appropriate data handling markings for the properties of this Report. The marking scope is limited to the Report and the content it contains. Note that data handling markings can also be specified at a higher level.</xs:documentation>
</xs:annotation>
</xs:element>
<xs:element name="Information_Source" type="stixCommon:InformationSourceType" minOccurs="0">
<xs:annotation>
<xs:documentation>The Information_Source property characterizes the source of the Report and all of its contained information unless that information specifies a different source. Examples of details captured include identitifying characteristics, time-related attributes, and a list of the tools used to collect the information.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<!---->
<xs:complexType name="IndicatorsType">
<xs:annotation>
<xs:documentation></xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Indicator" type="stixCommon:IndicatorBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Indicator property characterizes a cyber threat Indicator.</xs:documentation>
<xs:documentation> This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IndicatorType in the http://docs.oasis-open.org/cti/ns/stix/indicator-1 namespace. This type is defined in the indicator.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/indicator.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="TTPsType">
<xs:annotation>
<xs:documentation>The TTPsType specifies a set of zero or more cyber threat TTPs.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="TTP" type="stixCommon:TTPBaseType" minOccurs="0" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The TTP property characterizes a cyber threat adversary Tactic, Technique or Procedure (TTP). </xs:documentation>
<xs:documentation>This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is TTPType in the http://docs.oasis-open.org/cti/ns/stix/ttp-1 namespace. This type is defined in the ttp.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/ttp.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="IncidentsType">
<xs:annotation>
<xs:documentation>The IncidentsType specifies a set of one or more cyber threat Incidents.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Incident" type="stixCommon:IncidentBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Incident property characterizes a cyber threat Incident. </xs:documentation>
<xs:documentation>This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is IncidentType in the http://docs.oasis-open.org/cti/ns/stix/incident-1 namespace. This type is defined in the incident.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/incident.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CoursesOfActionType">
<xs:annotation>
<xs:documentation>The CoursesOfActionType specifies a set of one or more actions that could be taken in regard to cyber threats.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Course_Of_Action" type="stixCommon:CourseOfActionBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Course_Of_Action property characterizes a Course of Action that could be taken in regard to one of more cyber threats. </xs:documentation>
<xs:documentation> This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CourseOfActionType in the http://docs.oasis-open.org/cti/ns/stix/course-of-action-1 namespace. This type is defined in the course-of-action.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/course-of-action.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="CampaignsType">
<xs:annotation>
<xs:documentation>The CampaignsType specifies a set of one or more cyber threat Campaigns</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Campaign" type="stixCommon:CampaignBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>CThe Campaign property characterizes a cyber threat Campaign. </xs:documentation>
<xs:documentation>This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is CampaignType in the http://docs.oasis-open.org/cti/ns/stix/campaign-1 namespace. This type is defined in the campaign.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/campaign.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="ThreatActorsType">
<xs:annotation>
<xs:documentation>The ThreatActorsType specifies a set of one or more cyber Threat Actors.</xs:documentation>
</xs:annotation>
<xs:sequence>
<xs:element name="Threat_Actor" type="stixCommon:ThreatActorBaseType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The ThreatActor property characterizes a cyber Threat Actor.</xs:documentation>
<xs:documentation>This property is implemented through the xsi:type extension mechanism. The default and strongly recommended type is ThreatActorType in the http://docs.oasis-open.org/cti/ns/stix/threat-actor-1 namespace. This type is defined in the threat-actor.xsd file or at the URL http://docs.oasis-open.org/cti/stix-1.2.1-xml-binding/v1.0/csd01/schemas/threat-actor.xsd.</xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:complexType>
<xs:complexType name="RelatedReportsType">
<xs:annotation>
<xs:documentation>The RelatedReportsType specifies a set of one or more STIX Reports related to this STIX Report and therefore is a self-referential relationship. It extends GenericRelationshipListType defined in the STIX Common data model, which specifies the scope (whether the elements of the set are related individually or as a group).</xs:documentation>
</xs:annotation>
<xs:complexContent>
<xs:extension base="stixCommon:GenericRelationshipListType">
<xs:sequence>
<xs:element name="Related_Report" type="stixCommon:RelatedReportType" maxOccurs="unbounded">
<xs:annotation>
<xs:documentation>The Related_Report property specifies another Report associated with this Report and characterizes the relationship between the Reports by capturing information such as the level of confidence that the Reports are related, the source of the relationship information, and the type of the relationship. A relationship between Reports may represent assertions of general associativity or different versions of the same Report. </xs:documentation>
</xs:annotation>
</xs:element>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
</xs:schema>