The ReportIntentVocab is the default STIX vocabulary for the ReportType Intent field.
Note that this vocabulary is under development. Feedback is appreciated and should be sent to the STIX discussion list.

Item | Description |
---|---|
Collective Threat Intelligence | Report is intended to describe a broad characterization of a threat across multiple facets. |
Threat Report | Report is intended to describe a broad characterization of a threat across multiple facets expressed as a cohesive report. |
Indicators | Report is intended to describe mainly indicators. |
Indicators - Phishing | Report is intended to describe mainly phishing indicators. |
Indicators - Watchlist | Report is intended to describe mainly network watchlist indicators. |
Indicators - Malware Artifacts | Report is intended to describe mainly malware artifact indicators. |
Indicators - Network Activity | Report is intended to describe mainly network activity indicators. |
Indicators - Endpoint Characteristics | Report is intended to describe mainly endpoint characteristics (hashes, registry values, installed software, known vulnerabilities, etc.) indicators. |
Campaign Characterization | Report is intended to describe mainly a characterization of one or more campaigns. |
Threat Actor Characterization | Report is intended to describe mainly a characterization of one or more threat actors. |
Exploit Characterization | Report is intended to describe mainly a characterization of one or more exploits. |
Attack Pattern Characterization | Report is intended to describe mainly a characterization of one or more attack patterns. |
Malware Characterization | Report is intended to describe mainly a characterization of one or more malware instances. |
TTP - Infrastructure | Report is intended to describe mainly a characterization of attacker infrastructure. |
TTP - Tools | Report is intended to describe mainly a characterization of attacker tools. |
Courses of Action | Report is intended to describe mainly a set of courses of action. |
Incident | Report is intended to describe mainly information about one or more incidents. |
Observations | Report is intended to describe mainly information about instantial observations (cyber observables). |
Observations - Email | Report is intended to describe mainly information about instantial email observations (email cyber observables). |
Malware Samples | Report is intended to describe a set of malware samples. |

Field Name | Type | Description |
---|---|---|
@vocab_name (optional) | string | The vocab_name field specifies the name of the controlled vocabulary. |
@vocab_reference (optional) | anyURI | The vocab_reference field specifies the URI of the location where the controlled vocabulary is defined, e.g., in an externally located XML schema file. |