The PackageIntentVocabType is the default STIX vocabulary for Package Intent.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
| Item | Description |
|---|---|
| Collective Threat Intelligence | Package is intended to convey a broad characterization of a threat across multiple facets. |
| Threat Report | Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report. |
| Indicators | Package is intended to convey mainly indicators. |
| Indicators - Phishing | Package is intended to convey mainly phishing indicators. |
| Indicators - Watchlist | Package is intended to convey mainly network watchlist indicators. |
| Indicators - Malware Artifacts | Package is intended to convey mainly malware artifact indicators. |
| Indicators - Network Activity | Package is intended to convey mainly network activity indicators. |
| Indicators - Endpoint Characteristics | Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators. |
| Campaign Characterization | Package is intended to convey mainly a characterization of one or more campaigns. |
| Threat Actor Characterization | Package is intended to convey mainly a characterization of one or more threat actors. |
| Exploit Characterization | Package is intended to convey mainly a characterization of one or more exploits. |
| Attack Pattern Characterization | Package is intended to convey mainly a characterization of one or more attack patterns. |
| Malware Characterization | Package is intended to convey mainly a characterization of one or more malware instances. |
| TTP - Infrastructure | Package is intended to convey mainly a characterization of attacker infrastructure. |
| TTP - Tools | Package is intended to convey mainly a characterization of attacker tools. |
| Courses of Action | Package is intended to convey mainly a set of courses of action. |
| Incident | Package is intended to convey mainly information about one or more incidents. |
| Observations | Package is intended to convey mainly information about instantial observations (cyber observables). |
| Observations - Email | Package is intended to convey mainly information about instantial email observations (email cyber observables). |
| Malware Samples | Package is intended to convey a set of malware samples. |
| Field Name | Type | Description |
|---|---|---|
| @vocab_nameoptional | string |
The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_referenceoptional | anyURI |
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |