The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
| Item | Description |
|---|---|
| Agent Disclosure | This incident was disclosed by the threat agent (e.g. public brag, private blackmail). |
| Fraud Detection | This incident was discovered through external fraud detection means (e.g. CPP). |
| Monitoring Service | This incident was reported by a managed security event monitoring service. |
| Law Enforcement | This incident was reported by law enforcement. |
| Customer | This incident was reported by a customer or partner affected by the incident. |
| Unrelated Party | This incident was reported by an unrelated third party. |
| Audit | This incident was discovered during an external security audit or scan. |
| Antivirus | This incident was discovered by an antivirus system. |
| Incident Response | This incident was discovered in the course of investigating a separate incident. |
| Financial Audit | This incident was discovered in the course of a financial audit and/or reconciliation process. |
| Fraud Detection | This incident was discovered through internal fraud detection means. |
| HIPS | This incident was discovered a host-based IDS or file integrity monitoring. |
| IT Audit | This incident was discovered by an internal IT audit or scan. |
| Log Review | This incident was discovered during a log review process or by a SIEM. |
| NIDS | This incident was discovered by a network-based intrustion detection/prevention system. |
| Security Alarm | This incident was discovered by a physical security alarm. |
| User | This incident was reported by a user. |
| Unknown | It is not known how this incident was discovered. |
| Field Name | Type | Description |
|---|---|---|
| @vocab_nameoptional | string |
The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_referenceoptional | anyURI |
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |
