IndicatorTypeVocab-1.1
STIX Vocabularies Schema

The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.

Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.


Vocabulary Items

| Item | Description |
| --- | --- |
| Malicious E-mail | Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.). |
| IP Watchlist | Indicator describes a set of suspected malicious IP addresses or IP blocks. |
| File Hash Watchlist | Indicator describes a set of hashes for suspected malicious files. |
| Domain Watchlist | Indicator describes a set of suspected malicious domains. |
| URL Watchlist | Indicator describes a set of suspected malicious URLs. |
| Malware Artifacts | Indicator describes the effects of suspected malware. |
| C2 | Indicator describes suspected command and control activity or static indications. |
| Anonymization | Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.). |
| Exfiltration | Indicator describes suspected exfiltration techniques or behavior. |
| Host Characteristics | Indicator describes suspected malicious host characteristics. |
| Compromised PKI Certificate | Indicator describes a compromised PKI Certificate. |
| Login Name | Indicator describes a compromised Login Name. |
| IMEI Watchlist | Indicator describes a watchlist for IMEI (handset) identifiers. |
| IMSI Watchlist | Indicator describes a watchlist for IMSI (SIM card) identifiers. |

Fields

| Field Name | Type | Description |
| --- | --- | --- |
| @vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |