sra-stix2-validator
{
"$id": "../sdos/indicator.json",
"$schema": "http://json-schema.org/draft-06/schema#",
"title": "indicator",
"description": "Indicators contain a pattern that can be used to detect suspicious or malicious cyber activity.",
"type": "object",
"allOf": [
{
"$ref": "../common/core.json"
},
{
"properties": {
"type": {
"type": "string",
"description": "The type of this object, which MUST be the literal `indicator`.",
"const": "indicator"
},
"id": {
"title": "id",
"pattern": "^indicator--"
},
"labels": {
"type": "array",
"description": "This field is an Open Vocabulary that specifies the type of indicator. Suggested values are listed in indicator-label-ov (see definitions); this schema itself accepts any string.",
"items": {
"type": "string"
},
"minItems": 1
},
"name": {
"type": "string",
"description": "The name used to identify the Indicator."
},
"description": {
"type": "string",
"description": "A description that provides the recipient with context about this Indicator, potentially including its purpose and its key characteristics."
},
"pattern": {
"type": "string",
"description": "The detection pattern for this indicator. The default language is STIX Patterning. This schema only checks that the value is a string; the pattern's syntax is not validated here."
},
"valid_from": {
"$ref": "../common/timestamp.json",
"description": "The time from which this indicator should be considered valuable intelligence."
},
"valid_until": {
"$ref": "../common/timestamp.json",
"description": "The time at which this indicator should no longer be considered valuable intelligence."
},
"kill_chain_phases": {
"type": "array",
"description": "The phases of the kill chain that this indicator detects.",
"items": {
"$ref": "../common/kill-chain-phase.json"
},
"minItems": 1
}
}
}
],
"required": [
"pattern",
"labels",
"valid_from"
],
"definitions": {
"indicator-label-ov": {
"type": "string",
"enum": [
"anomalous-activity",
"anonymization",
"benign",
"compromised",
"malicious-activity",
"attribution"
]
}
}
}