The IndicatorTypeVocab is the default STIX vocabulary for expressing indicator types.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.
| Item | Description |
|---|---|
| Malicious E-mail | Indicator describes suspected malicious e-mail (phishing, spear phishing, infected, etc.). |
| IP Watchlist | Indicator describes a set of suspected malicious IP addresses or IP blocks. |
| File Hash Watchlist | Indicator describes a set of hashes for suspected malicious files. |
| Domain Watchlist | Indicator describes a set of suspected malicious domains. |
| URL Watchlist | Indicator describes a set of suspected malicious URLs. |
| Malware Artifacts | Indicator describes the effects of suspected malware. |
| C2 | Indicator describes suspected command and control activity or static indications. |
| Anonymization | Indicator describes suspected anonymization techniques (Proxy, TOR, VPN, etc.). |
| Exfiltration | Indicator describes suspected exfiltration techniques or behavior. |
| Host Characteristics | Indicator describes suspected malicious host characteristics. |
| Compromised PKI Certificate | Indicator describes a compromised PKI Certificate. |
| Login Name | Indicator describes a compromised Login Name. |
| IMEI Watchlist | Indicator describes a watchlist for IMEI (handset) identifiers. |
| IMSI Watchlist | Indicator describes a watchlist for IMSI (SIM card) identifiers. |

| Field Name | Type | Description |
|---|---|---|
| @vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |