The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.

| Value | Description |
|---|---|
| Perimeter Blocking | Perimeter-based blocking of traffic from a compromised source. |
| Internal Blocking | Host-based blocking of traffic from an internal compromised source. |
| Redirection | Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed. |
| Redirection (Honey Pot) | Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets. |
| Hardening | Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services. |
| Patching | A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability. |
| Eradication | Identifying, locating, and eliminating malware from the network. |
| Rebuilding | Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource. |
| Training | Training users and administrators on how to identify and mitigate this type of threat. |
| Monitoring | Setting up network or host-based sensors to detect the presence of this threat. |
| Physical Access Restrictions | Activities associated with restricting physical access to computing resources. |
| Logical Access Restrictions | Activities associated with restricting logical access to computing resources. |
| Public Disclosure | Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior. |
| Diplomatic Actions | Engaging in communications and relationship building with threat actors to influence positive changes in behavior. |
| Policy Actions | Modifications to policy that reduce the attack surface or infection vectors of malware. |
| Other | Other actions not covered in this list. |

The vocab_name field specifies the name of the controlled vocabulary.
The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., an externally located XML schema file.