ReportIntentVocab-1.0
STIX Vocabularies Schema

The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field.

Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.


Vocabulary Items

| Item | Description |
|---|---|
| Collective Threat Intelligence | Report is intended to describe a broad characterization of a threat across multiple facets. |
| Threat Report | Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report. |
| Indicators | Report is intended to describe mainly indicators. |
| Indicators - Phishing | Report is intended to describe mainly phishing indicators. |
| Indicators - Watchlist | Report is intended to describe mainly network watchlist indicators. |
| Indicators - Malware Artifacts | Report is intended to describe mainly malware artifact indicators. |
| Indicators - Network Activity | Report is intended to describe mainly network activity indicators. |
| Indicators - Endpoint Characteristics | Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators. |
| Campaign Characterization | Report is intended to describe mainly a characterization of one or more campaigns. |
| Threat Actor Characterization | Report is intended to describe mainly a characterization of one or more threat actors. |
| Exploit Characterization | Report is intended to describe mainly a characterization of one or more exploits. |
| Attack Pattern Characterization | Report is intended to describe mainly a characterization of one or more attack patterns. |
| Malware Characterization | Report is intended to describe mainly a characterization of one or more malware instances. |
| TTP - Infrastructure | Report is intended to describe mainly a characterization of attacker infrastructure. |
| TTP - Tools | Report is intended to describe mainly a characterization of attacker tools. |
| Courses of Action | Report is intended to describe mainly a set of courses of action. |
| Incident | Report is intended to describe mainly information about one or more incidents. |
| Observations | Report is intended to describe mainly information about instantial observations (cyber observables). |
| Observations - Email | Report is intended to describe mainly information about instantial email observations (email cyber observables). |
| Malware Samples | Report is intended to describe a set of malware samples. |

Fields

| Field Name | Type | Description |
|---|---|---|
| @vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
| @vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI to the location of where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |