CourseOfActionTypeVocab-1.0STIX Vocabularies Schema

The CourseOfActionTypeVocab is the default STIX vocabulary for expressing types of courses of action.

Vocabulary Items

Item Description
Perimeter Blocking Perimeter-based blocking of traffic from a compromised source.
Internal Blocking Host-based blocking of traffic from an internal compromised source.
Redirection Re-routing of suspicious or known malicious traffic away from the intended target to an area where the threat can be more safely observed and analyzed.
Redirection (Honey Pot) Setting up a decoy parallel network that is intended to attract adversaries to the honey pot and away from the real network assets.
Hardening Securing a system by reducing its surface of unnecessary software, usernames or logins, and running services.
Patching A specific form of hardening, patching involves applying a code fix directly to the software with the vulnerability.
Eradication Identifying, locating, and eliminating malware from the network.
Rebuilding Re-installing a computing resource from a known safe source in order to ensure that the malware is no longer present on the previously compromised resource.
Training Training users and administrators on how to identify and mitigate this type of threat.
Monitoring Setting up network or host-based sensors to detected the presence of this threat.
Physical Access Restrictions Activities associated with restricting physical access to computing resources.
Logical Access Restrictions Activities associated with restricting logical access to computing resources.
Public Disclosure Informing the public of the existence and characteristics of the threat or threat actor to influence positive change in adversary behavior.
Diplomatic Actions Engaging in communications and relationship building with threat actors to influence positive changes in behavior.
Policy Actions Modifications to policy that reduce the attack surface or infection vectors of malware.
Other Other actions not covered in this list.


Field Name Type Description
@vocab_nameoptional string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.