DiscoveryMethodVocab-2.0STIX Vocabularies Schema

The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.


Vocabulary Items

Item Description
Agent Disclosure This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
External - Fraud Detection This incident was discovered through external fraud detection means (e.g. CPP).
Monitoring Service This incident was reported by a managed security event monitoring service.
Law Enforcement This incident was reported by law enforcement.
Customer This incident was reported by a customer or partner affected by the incident.
Unrelated Party This incident was reported by an unrelated third party.
Audit This incident was discovered during an external security audit or scan.
Antivirus This incident was discovered by an antivirus system.
Incident Response This incident was discovered in the course of investigating a separate incident.
Financial Audit This incident was discovered in the course of a financial audit and/or reconciliation process.
Internal - Fraud Detection This incident was discovered through internal fraud detection means.
HIPS This incident was discovered a host-based IDS or file integrity monitoring.
IT Audit This incident was discovered by an internal IT audit or scan.
Log Review This incident was discovered during a log review process or by a SIEM.
NIDS This incident was discovered by a network-based intrustion detection/prevention system.
Security Alarm This incident was discovered by a physical security alarm.
User This incident was reported by a user.
Unknown It is not known how this incident was discovered.

Fields

Field Name Type Description
@vocab_nameoptional string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.