DiscoveryMethodVocab-2.0STIX Vocabularies Schema

The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.

API support

Vocabulary Items

Item	Description
Agent Disclosure	This incident was disclosed by the threat agent (e.g. public brag, private blackmail).
External - Fraud Detection	This incident was discovered through external fraud detection means (e.g. CPP).
Monitoring Service	This incident was reported by a managed security event monitoring service.
Law Enforcement	This incident was reported by law enforcement.
Customer	This incident was reported by a customer or partner affected by the incident.
Unrelated Party	This incident was reported by an unrelated third party.
Audit	This incident was discovered during an external security audit or scan.
Antivirus	This incident was discovered by an antivirus system.
Incident Response	This incident was discovered in the course of investigating a separate incident.
Financial Audit	This incident was discovered in the course of a financial audit and/or reconciliation process.
Internal - Fraud Detection	This incident was discovered through internal fraud detection means.
HIPS	This incident was discovered a host-based IDS or file integrity monitoring.
IT Audit	This incident was discovered by an internal IT audit or scan.
Log Review	This incident was discovered during a log review process or by a SIEM.
NIDS	This incident was discovered by a network-based intrustion detection/prevention system.
Security Alarm	This incident was discovered by a physical security alarm.
User	This incident was reported by a user.
Unknown	It is not known how this incident was discovered.

Item

Description

Agent Disclosure

This incident was disclosed by the threat agent (e.g. public brag, private blackmail).

External - Fraud Detection

This incident was discovered through external fraud detection means (e.g. CPP).

Monitoring Service

This incident was reported by a managed security event monitoring service.

Law Enforcement

This incident was reported by law enforcement.

Customer

This incident was reported by a customer or partner affected by the incident.

Unrelated Party

This incident was reported by an unrelated third party.

Audit

This incident was discovered during an external security audit or scan.

Antivirus

This incident was discovered by an antivirus system.

Incident Response

This incident was discovered in the course of investigating a separate incident.

Financial Audit

This incident was discovered in the course of a financial audit and/or reconciliation process.

Internal - Fraud Detection

This incident was discovered through internal fraud detection means.

HIPS

This incident was discovered a host-based IDS or file integrity monitoring.

IT Audit

This incident was discovered by an internal IT audit or scan.

Log Review

This incident was discovered during a log review process or by a SIEM.

NIDS

This incident was discovered by a network-based intrustion detection/prevention system.

Security Alarm

This incident was discovered by a physical security alarm.

User

This incident was reported by a user.

Unknown

It is not known how this incident was discovered.

Fields

Field Name	Type	Description
@vocab_nameoptional	string	The vocab_name field specifies the name of the controlled vocabulary.
@vocab_referenceoptional	anyURI	The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.

Field Name

Type

Description

@vocab_nameoptional

string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional

anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.