IncidentCategoryVocab-1.0STIX Vocabularies Schema

The IncidentCategoryVocab is the default STIX vocabulary for expressing the possible categories of an incident.

Vocabulary Items

Item Description
Exercise/Network Defense Testing This category is used during state, federal, national, international exercises and approved activity testing of internal/external network defenses or responses.
Unauthorized Access In this category an individual gains logical or physical access without permission to a federal agency network, system, application, data, or other resource.
Denial of Service An attack that successfully prevents or impairs the normal authorized functionality of networks, systems or applications by exhausting resources. This activity includes being the victim or participating in the DoS.
Malicious Code Installation of malicious software (e.g., virus, worm, Trojan horse, or other code-based malicious entity) that infects an operating system or application. Agencies are NOT required to report malicious logic that has been successfully quarantined by antivirus (AV) software.
Improper Usage A person violates acceptable computing use policies.
Scans/Probes/Attempted Access This category includes any activity that seeks to access or identify a federal agency computer, open ports, protocols, service, or any combination for later exploit. This activity does not directly result in a compromise or denial of service.
Investigation Unconfirmed incidents that are potentially malicious or anomalous activity deemed by the reporting entity to warrant further review.


Field Name Type Description
@vocab_nameoptional string

The vocab_name field specifies the name of the controlled vocabulary.

@vocab_referenceoptional anyURI

The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file.