Story Anonymization User - COS301-SE-2025/CRISP GitHub Wiki

CRISP Anonymization Component - User Stories

Secure Threat Intelligence Sharing Through Data Anonymization

As a cybersecurity professional working in threat intelligence sharing
I want to control how much sensitive information is revealed when sharing threat data
So that I can collaborate with other organizations while protecting sensitive operational details.

User Story 1: Admin Configures Global Anonymization Policies

As a Administrator (Admin)
I want to configure global anonymization policies for the platform
So that I can ensure consistent data protection standards across all organizations.

  • I can access the anonymization configuration panel in the admin interface
  • I can set default anonymization levels for different data types (IP addresses, domains, emails, URLs)
  • I can configure trust level mappings (high trust = low anonymization, low trust = high anonymization)
  • I can define industry-specific anonymization rules
  • I can set maximum data retention periods for anonymized data
  • Changes to global policies are logged for audit purposes
  • I can preview how anonymization will affect sample data before applying changes

User Story 2: Publisher Controls Data Sharing Levels

As a Publisher
I want to control the anonymization level when sharing my organization's threat data
So that I can balance information sharing with operational security needs.

  • I can set anonymization levels when creating a new threat feed
  • I can specify different anonymization levels for different subscriber organizations
  • I can preview how my data will appear to different trust levels before publishing
  • I can modify anonymization settings for existing feeds I own
  • I receive warnings when sharing data that might be too revealing
  • I can see statistics on how much data is being anonymized vs. shared raw

User Story 3: Viewer Understands Data Anonymization Status

As a e Viewer
I want to understand when and how threat data has been anonymized
So that I can properly interpret the intelligence and assess its reliability.

  • I can see anonymization indicators on threat intelligence data
  • I understand what anonymization level was applied (e.g., "192.168.x.x" indicates medium IP anonymization)
  • I can view metadata about the original data source and anonymization applied
  • I can filter threat feeds based on anonymization levels
  • I receive explanations of what different anonymization patterns mean
  • I can request higher trust levels to access less anonymized data

User Story 4: Publisher Manages Trust-Based Data Sharing

As a Publisher
I want to share different levels of detail with different organizations based on trust relationships
So that I can provide more detailed information to trusted partners while still contributing to community defense.

  • I can define trust levels for different subscriber organizations
  • High-trust partners receive less anonymized data (e.g., full IP addresses)
  • Medium-trust partners receive moderately anonymized data (e.g., "192.168.x.x")
  • Low-trust or public feeds receive highly anonymized data (e.g., "*.commercial")
  • I can bulk update trust levels for multiple organizations
  • Changes to trust levels apply to future data shares immediately
  • I can see which organizations are receiving which anonymization levels

User Story 5: Admin Monitors Anonymization System Health

As a Administrator
I want to monitor the anonymization system's performance and accuracy
So that I can ensure data is being properly protected and the system is functioning correctly.

  • I can view anonymization processing statistics (items processed, success rate)
  • I can monitor system performance metrics (processing time, memory usage)
  • I receive alerts when anonymization failures occur
  • I can run validation checks to ensure anonymization consistency
  • I can view anonymization audit logs showing what was anonymized when
  • I can generate compliance reports showing data protection measures

User Story 6: Viewer Searches Anonymized Threat Data

As a Viewer
I want to search for threat indicators even when they've been anonymized
So that I can find relevant threats that might affect my organization.

  • I can search for anonymized patterns (e.g., "192.168.x.x" finds all indicators in that range)
  • Search results show anonymization level applied to each result
  • I can filter search results by anonymization level
  • I can search for threat indicators by industry category when domains are highly anonymized
  • Search suggestions help me understand what anonymized patterns to look for
  • I can save searches for anonymized patterns I'm interested in

User Story 7: Publisher Reviews Anonymization Before Publishing

As a Publisher
I want to review exactly how my threat data will appear after anonymization
So that I can ensure the right balance of sharing and security before publishing.

  • I can preview anonymized data before publishing a threat feed
  • Preview shows data as it will appear to different trust levels
  • I can compare original data side-by-side with anonymized versions
  • I can modify anonymization settings and see updated previews immediately
  • I can identify when anonymization might make data less useful
  • I can export anonymized previews for review by my security team

User Story 8: Admin Manages Anonymization Strategies

As a Administrator
I want to configure and update anonymization strategies for different data types
So that I can maintain effective data protection as threats and sharing needs evolve.

  • I can configure anonymization rules for IP addresses, domains, emails, and URLs
  • I can add new anonymization strategies for emerging data types
  • I can test anonymization strategies with sample data before deployment
  • I can schedule gradual rollouts of new anonymization strategies
  • I can revert to previous anonymization strategies if needed
  • Changes to strategies are logged and can be audited