The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
NOTE: As of STIX Version 1.1, this version of the IndicatorTypeVocab is deprecated. Please use IndicatorTypeVocab-1.1 instead.
Item | Description |
---|---|
Malicious E-mail | Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.). |
IP Watchlist | Indicator describes a set of suspected malicious IP addresses or IP blocks. |
File Hash Watchlist | Indicator describes a set of hashes for suspected malicious files. |
Domain Watchlist | Indicator describes a set of suspected malicious domains. |
URL Watchlist | Indicator describes a set of suspected malicious URLS. |
Malware Artifacts | Indicator describes the effects of suspected malware. |
C2 | Indicator describes suspected command and control activity or static indications. |
Anonymization | Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.). |
Exfiltration | Indicator describes suspected exfiltration techniques or behavior. |
Host Characteristics | Indicator describes suspected malicious host characteristics. |
Field Name | Type | Description |
---|---|---|
@vocab_nameoptional | string |
The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_referenceoptional | anyURI |
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |