ReportIntentVocab-1.0STIX Vocabularies Schema

The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field.

Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.

API support

Vocabulary Items

Item	Description
Collective Threat Intelligence	Report is intended to describe a broad characterization of a threat across multiple facets.
Threat Report	Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.
Indicators	Report is intended to describe mainly indicators.
Indicators - Phishing	Report is intended to describe mainly phishing indicators.
Indicators - Watchlist	Report is intended to describe mainly network watchlist indicators.
Indicators - Malware Artifacts	Report is intended to describe mainly malware artifact indicators.
Indicators - Network Activity	Report is intended to describe mainly network activity indicators.
Indicators - Endpoint Characteristics	Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.
Campaign Characterization	Report is intended to describe mainly a characterization of one or more campaigns.
Threat Actor Characterization	Report is intended to describe mainly a characterization of one or more threat actors.
Exploit Characterization	Report is intended to describe mainly a characterization of one or more exploits.
Attack Pattern Characterization	Report is intended to describe mainly a characterization of one or more attack patterns.
Malware Characterization	Report is intended to describe mainly a characterization of one or more malware instances.
TTP - Infrastructure	Report is intended to describe mainly a characterization of attacker infrastructure.
TTP - Tools	Report is intended to describe mainly a characterization of attacker tools.
Courses of Action	Report is intended to describe mainly a set of courses of action.
Incident	Report is intended to describe mainly information about one or more incidents.
Observations	Report is intended to describe mainly information about instantial observations (cyber observables).
Observations - Email	Report is intended to describe mainly information about instantial email observations (email cyber observables).
Malware Samples	Report is intended to describe a set of malware samples.

Item

Description

Collective Threat Intelligence

Report is intended to describe a broad characterization of a threat across multiple facets.

Threat Report

Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report.

Indicators

Report is intended to describe mainly indicators.

Indicators - Phishing

Report is intended to describe mainly phishing indicators.

Indicators - Watchlist

Report is intended to describe mainly network watchlist indicators.

Indicators - Malware Artifacts

Report is intended to describe mainly malware artifact indicators.

Indicators - Network Activity

Report is intended to describe mainly network activity indicators.

Indicators - Endpoint Characteristics

Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators.

Campaign Characterization

Report is intended to describe mainly a characterization of one or more campaigns.

Threat Actor Characterization

Report is intended to describe mainly a characterization of one or more threat actors.

Exploit Characterization

Report is intended to describe mainly a characterization of one or more exploits.

Attack Pattern Characterization

Report is intended to describe mainly a characterization of one or more attack patterns.

Malware Characterization

Report is intended to describe mainly a characterization of one or more malware instances.

TTP - Infrastructure

Report is intended to describe mainly a characterization of attacker infrastructure.

TTP - Tools

Report is intended to describe mainly a characterization of attacker tools.

Courses of Action

Report is intended to describe mainly a set of courses of action.

Incident

Report is intended to describe mainly information about one or more incidents.

Observations

Report is intended to describe mainly information about instantial observations (cyber observables).

Observations - Email

Report is intended to describe mainly information about instantial email observations (email cyber observables).

Malware Samples

Report is intended to describe a set of malware samples.

Fields

Field Name	Type	Description
@vocab_nameoptional	string	The vocab_name field specifies the name of the controlled vocabulary.
@vocab_referenceoptional	anyURI	The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Field Name

Type

Description

@vocab_nameoptional

string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional

anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.