The PackageIntentVocab is the default STIX vocabulary for Package Intent.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.

Item | Description |
---|---|
Collective Threat Intelligence | Package is intended to convey a broad characterization of a threat across multiple facets. |
Threat Report | Package is intended to convey a broad characterization of a threat across multiple facets expressed as a cohesive report. |
Indicators | Package is intended to convey mainly indicators. |
Indicators - Phishing | Package is intended to convey mainly phishing indicators. |
Indicators - Watchlist | Package is intended to convey mainly network watchlist indicators. |
Indicators - Malware Artifacts | Package is intended to convey mainly malware artifact indicators. |
Indicators - Network Activity | Package is intended to convey mainly network activity indicators. |
Indicators - Endpoint Characteristics | Package is intended to convey mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators. |
Campaign Characterization | Package is intended to convey mainly a characterization of one or more campaigns. |
Threat Actor Characterization | Package is intended to convey mainly a characterization of one or more threat actors. |
Exploit Characterization | Package is intended to convey mainly a characterization of one or more exploits. |
Attack Pattern Characterization | Package is intended to convey mainly a characterization of one or more attack patterns. |
Malware Characterization | Package is intended to convey mainly a characterization of one or more malware instances. |
TTP - Infrastructure | Package is intended to convey mainly a characterization of attacker infrastructure. |
TTP - Tools | Package is intended to convey mainly a characterization of attacker tools. |
Courses of Action | Package is intended to convey mainly a set of courses of action. |
Incident | Package is intended to convey mainly information about one or more incidents. |
Observations | Package is intended to convey mainly information about instantial observations (cyber observables). |
Observations - Email | Package is intended to convey mainly information about instantial email observations (email cyber observables). |
Malware Samples | Package is intended to convey a set of malware samples. |

Field Name | Type | Description |
---|---|---|
@vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |