6.5 Indicator Label
Vocabulary Name: indicator-label-ov
The indicator label vocabulary is currently used in the following SDO(s):
- Indicator
Indicator labels are an open vocabulary used to categorize Indicators. The vocabulary is intended to be high-level so as to promote consistent practices. Indicator labels should not be used to capture information that is better captured by related Malware or Attack Pattern objects: it is better to link an Indicator to a Malware object describing Poison Ivy than simply to label the Indicator "poison-ivy".
Vocabulary Summary |
---|
anomalous-activity, anonymization, benign, compromised, malicious-activity, attribution |

Vocabulary Value | Description
---|---
anomalous-activity | Unexpected or unusual activity that may not necessarily be malicious or indicate compromise. This type of activity may include reconnaissance-like behavior such as port scans or version identification, network behavior anomalies, and asset and/or user behavioral anomalies. |
anonymization | Suspected anonymization tools or infrastructure (proxy, TOR, VPN, etc.). |
benign | Activity that is not suspicious or malicious in and of itself, but when combined with other activity may indicate suspicious or malicious behavior. |
compromised | Assets that are suspected to be compromised. |
malicious-activity | Patterns of suspected malicious objects and/or activity. |
attribution | Patterns of behavior that indicate attribution to a particular Threat Actor or Campaign. |
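As an added example (not part of the specification and not a reference implementation), the following Python linter applies the guidance above to a STIX 2.0 bundle dict: it reports Indicator labels outside indicator-label-ov and labels that merely repeat what an existing `indicates` relationship to a Malware or Attack Pattern object already records (the "poison-ivy" case). The sample bundle, its ids and addresses are constructed.

```python
# The six values of indicator-label-ov, as listed in the table above.
INDICATOR_LABEL_OV = {
    "anomalous-activity", "anonymization", "benign",
    "compromised", "malicious-activity", "attribution",
}

def lint_indicator_labels(bundle):
    """Return (indicator_id, message) findings for label misuse in a STIX 2.0 bundle dict."""
    objects = {o["id"]: o for o in bundle["objects"]}
    # Slugified names of the Malware/Attack Pattern objects each indicator already 'indicates'.
    linked = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            target = objects.get(o["target_ref"], {})
            if target.get("type") in ("malware", "attack-pattern"):
                slug = target["name"].lower().replace(" ", "-")
                linked.setdefault(o["source_ref"], set()).add(slug)
    findings = []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        for label in o.get("labels", []):
            if label in linked.get(o["id"], set()):
                # The label restates what the relationship already records.
                findings.append((o["id"], f"'{label}' duplicates an 'indicates' link; drop the label"))
            elif label not in INDICATOR_LABEL_OV:
                # An open vocabulary permits this, but it defeats consistent high-level categorisation.
                findings.append((o["id"], f"'{label}' is not in indicator-label-ov; use a vocabulary "
                                          "value and relate a Malware/Attack Pattern object"))
    return findings

# Constructed sample bundle (placeholder ids; created/modified omitted for brevity).
SAMPLE_BUNDLE = {"type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000002",
     "name": "Poison Ivy", "labels": ["remote-access-trojan"]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "labels": ["malicious-activity", "poison-ivy"],  # second label is redundant
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "valid_from": "2017-01-01T00:00:00Z"},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
     "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000003",
     "target_ref": "malware--00000000-0000-4000-8000-000000000002"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
     "labels": ["example-rat"],  # a tool name where a category belongs, and no link
     "pattern": "[ipv4-addr:value = '203.0.113.9']", "valid_from": "2017-01-01T00:00:00Z"},
]}
```

Running `lint_indicator_labels(SAMPLE_BUNDLE)` yields two findings: the redundant "poison-ivy" label on the first indicator and the out-of-vocabulary "example-rat" label on the second; the "malicious-activity" label passes.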