The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
| Item | Description |
|---|---|
| Agent Disclosure | This incident was disclosed by the threat agent (e.g. public brag, private blackmail). |
| Fraud Detection | This incident was discovered through external fraud detection means (e.g. CPP). |
| Monitoring Service | This incident was reported by a managed security event monitoring service. |
| Law Enforcement | This incident was reported by law enforcement. |
| Customer | This incident was reported by a customer or partner affected by the incident. |
| Unrelated Party | This incident was reported by an unrelated third party. |
| Audit | This incident was discovered during an external security audit or scan. |
| Antivirus | This incident was discovered by an antivirus system. |
| Incident Response | This incident was discovered in the course of investigating a separate incident. |
| Financial Audit | This incident was discovered in the course of a financial audit and/or reconciliation process. |
| Fraud Detection | This incident was discovered through internal fraud detection means. |
| HIPS | This incident was discovered by a host-based IDS or file integrity monitoring. |
| IT Audit | This incident was discovered by an internal IT audit or scan. |
| Log Review | This incident was discovered during a log review process or by a SIEM. |
| NIDS | This incident was discovered by a network-based intrusion detection/prevention system. |
| Security Alarm | This incident was discovered by a physical security alarm. |
| User | This incident was reported by a user. |
| Unknown | It is not known how this incident was discovered. |
| Field Name | Type | Description |
|---|---|---|
| @vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |
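As an added example (not part of the STIX documentation or the STIX tooling), the following standard-library Python checks the `Discovery_Method` values in a STIX 1.x Incident against the vocabulary terms listed above, and distinguishes a term from the default vocabulary, an unknown term that wrongly claims the default vocabulary, a custom vocabulary declared through `vocab_name`/`vocab_reference`, and free text with no vocabulary at all. The `xsi:type` value `stixVocabs:DiscoveryMethodVocab-2.0` and the sample incident are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "incident": "http://stix.mitre.org/Incident-1",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
# Default vocabulary terms, as listed in the table on this page.
DISCOVERY_METHOD_TERMS = frozenset({
    "Agent Disclosure", "Fraud Detection", "Monitoring Service",
    "Law Enforcement", "Customer", "Unrelated Party", "Audit",
    "Antivirus", "Incident Response", "Financial Audit", "HIPS",
    "IT Audit", "Log Review", "NIDS", "Security Alarm", "User",
    "Unknown",
})
# xsi:type that marks the default vocabulary (version suffix is an assumption).
DEFAULT_VOCAB_TYPE = "stixVocabs:DiscoveryMethodVocab-2.0"

def check_discovery_methods(incident_xml):
    """Return (value, status) per Discovery_Method element; status is one of
    'ok', 'invalid' (default vocab claimed, unknown term), 'custom', 'free-text'."""
    root = ET.fromstring(incident_xml)
    results = []
    for el in root.findall(".//incident:Discovery_Method", NS):
        value = (el.text or "").strip()
        xsi_type = el.get("{%s}type" % NS["xsi"])
        if xsi_type == DEFAULT_VOCAB_TYPE:
            # Terms are case-sensitive: "log review" is not a vocabulary term.
            status = "ok" if value in DISCOVERY_METHOD_TERMS else "invalid"
        elif xsi_type or el.get("vocab_name") or el.get("vocab_reference"):
            status = "custom"
        else:
            status = "free-text"
        results.append((value, status))
    return results

# Constructed sample incident fragment (not taken from any real report).
SAMPLE = """<incident:Incident xmlns:incident="http://stix.mitre.org/Incident-1"
    xmlns:stixVocabs="http://stix.mitre.org/default_vocabularies-1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="example:incident-1">
  <incident:Discovery_Method xsi:type="stixVocabs:DiscoveryMethodVocab-2.0">Log Review</incident:Discovery_Method>
  <incident:Discovery_Method xsi:type="stixVocabs:DiscoveryMethodVocab-2.0">log review</incident:Discovery_Method>
  <incident:Discovery_Method vocab_name="ACME-Discovery" vocab_reference="https://example.invalid/vocab">Honeypot</incident:Discovery_Method>
  <incident:Discovery_Method>Told by a friend</incident:Discovery_Method>
</incident:Incident>"""

if __name__ == "__main__":
    for value, status in check_discovery_methods(SAMPLE):
        print(f"{status:9s} {value}")
```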