The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
Item | Description |
---|---|
Malicious E-mail | Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.). |
IP Watchlist | Indicator describes a set of suspected malicious IP addresses or IP blocks. |
File Hash Watchlist | Indicator describes a set of hashes for suspected malicious files. |
Domain Watchlist | Indicator describes a set of suspected malicious domains. |
URL Watchlist | Indicator describes a set of suspected malicious URLs. |
Malware Artifacts | Indicator describes the effects of suspected malware. |
C2 | Indicator describes suspected command and control activity or static indications. |
Anonymization | Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.). |
Exfiltration | Indicator describes suspected exfiltration techniques or behavior. |
Host Characteristics | Indicator describes suspected malicious host characteristics. |
Compromised PKI Certificate | Indicator describes a compromised PKI Certificate. |
Login Name | Indicator describes a compromised Login Name. |
IMEI Watchlist | Indicator describes a watchlist for IMEI (handset) identifiers. |
IMSI Watchlist | Indicator describes a watchlist for IMSI (SIM card) identifiers. |

Field Name | Type | Description |
---|---|---|
@vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |