The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.
| Item | Description |
|---|---|
| Exercise/Network Defense Testing | This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses. |
| Unauthorized Access | In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource. |
| Denial of Service | An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS. |
| Malicious Code | Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software. |
| Improper Usage | A person violates acceptable computing use policies. |
| Scans/Probes/Attempted Access | This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service. |
| Investigation | Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review. |
| Field Name | Type | Description |
|---|---|---|
| @vocab_nameoptional | string |
The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_referenceoptional | anyURI |
The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |
