The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.

| Category | Description |
|---|---|
| Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. |
| Unauthorized Access | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. |
| Denial of Service | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. |
| Malicious Code | Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. |
| Improper Usage | A person violates acceptable computing use policies. |
| Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. |
| Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. |

The vocab_name field specifies the name of the controlled vocabulary.
The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file.