The DiscoveryMethodVocab is the default STIX vocabulary for expressing how an incident was discovered.
|Agent Disclosure||This incident was disclosed by the threat agent (e.g. public brag, private blackmail).|
|External - Fraud Detection||This incident was discovered through external fraud detection means (e.g. CPP).|
|Monitoring Service||This incident was reported by a managed security event monitoring service.|
|Law Enforcement||This incident was reported by law enforcement.|
|Customer||This incident was reported by a customer or partner affected by the incident.|
|Unrelated Party||This incident was reported by an unrelated third party.|
|Audit||This incident was discovered during an external security audit or scan.|
|Antivirus||This incident was discovered by an antivirus system.|
|Incident Response||This incident was discovered in the course of investigating a separate incident.|
|Financial Audit||This incident was discovered in the course of a financial audit and/or reconciliation process.|
|Internal - Fraud Detection||This incident was discovered through internal fraud detection means.|
|HIPS||This incident was discovered a host-based IDS or file integrity monitoring.|
|IT Audit||This incident was discovered by an internal IT audit or scan.|
|Log Review||This incident was discovered during a log review process or by a SIEM.|
|NIDS||This incident was discovered by a network-based intrustion detection/prevention system.|
|Security Alarm||This incident was discovered by a physical security alarm.|
|User||This incident was reported by a user.|
|Unknown||It is not known how this incident was discovered.|
The vocab_name field specifies the name of the controlled vocabulary.
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.