Notification System User Stories - COS301-SE-2025/CRISP GitHub Wiki

CRISP Observer Pattern User Stories

Real-time Threat Intelligence Notification System

As a cybersecurity professional working in an educational institution
I want to receive real-time notifications when relevant threat intelligence is shared
So that I can quickly respond to emerging threats and protect my organization's infrastructure.


User Story 1: Threat Feed Subscription Management

As a Viewer at a university
I want to subscribe to relevant threat intelligence feeds
So that I can stay informed about threats targeting educational institutions.

  • I can browse available threat feeds in the CRISP platform
  • I can subscribe to feeds that are relevant to my institution's industry
  • I can view my current feed subscriptions in a dashboard
  • I can unsubscribe from feeds that are no longer relevant
  • I receive a confirmation email when I subscribe to a new feed

User Story 2: High-Priority Threat Alerts

As a Viewer
I want to receive immediate email alerts for high-severity threat indicators
So that I can mobilize my security team to address critical threats quickly.

  • I receive email alerts within 2 minutes of a critical threat being published
  • High-severity alerts are sent to security team email addresses
  • Email includes threat details: type, severity, confidence level, and source
  • Email has professional formatting and clear call-to-action
  • Failed email deliveries are automatically retried
  • I can configure which threat types trigger immediate alerts

User Story 3: Batch Notification Management

As a User of the platform (any role)
I want multiple related threat updates to be grouped into summary emails
So that I don't get overwhelmed by individual notifications for each indicator.

  • Multiple indicators added within 5 minutes are grouped into one email
  • Batch emails include summary statistics (number of indicators, affected feeds)
  • Individual threat details are still accessible within the batch email
  • I can configure batching preferences (time window, maximum batch size)
  • Emergency/critical threats bypass batching and send immediately
  • Batch emails have clear subject lines indicating multiple threats
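The batching behaviour above (a time window, a maximum batch size, summary statistics, and a bypass for critical indicators) is illustrated here as an added Observer-pattern example. This is not CRISP's own code: the feed, subscriber and indicator types, their field names, and the sample indicators are all constructed for the illustration.

```python
"""Added example (not CRISP project code): an Observer-style subscriber that
groups indicators published within one time window into a single summary
email, while critical indicators bypass the batch and are sent at once.
Class and field names are assumptions, not the project's API."""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Indicator:
    value: str           # the observable, e.g. an IP address or domain
    ind_type: str        # "ipv4-addr", "domain-name", ...
    severity: str        # "low" | "medium" | "high" | "critical"
    feed: str            # name of the feed that published it
    published_at: float  # seconds since epoch (constructed values below)


@dataclass
class Email:
    subject: str
    body: str


class BatchingSubscriber:
    """Observer: receives indicator events from a feed and emits emails."""

    def __init__(self, send: Callable[[Email], None],
                 window_s: float = 300.0, max_batch: int = 50) -> None:
        self.send = send            # delivery hook (real code: SMTP client)
        self.window_s = window_s    # batching window, 5 minutes by default
        self.max_batch = max_batch  # flush early once this many are pending
        self._pending: List[Indicator] = []
        self._window_start: Optional[float] = None

    def update(self, ind: Indicator) -> None:
        # Critical indicators bypass batching and go out immediately.
        if ind.severity == "critical":
            self.send(Email(
                subject=f"[CRITICAL] {ind.ind_type} indicator from {ind.feed}",
                body=f"{ind.value} ({ind.ind_type}) severity={ind.severity} "
                     f"feed={ind.feed}",
            ))
            return
        # If this event falls outside the open window, close the window first.
        if (self._window_start is not None
                and ind.published_at - self._window_start > self.window_s):
            self.flush()
        if self._window_start is None:
            self._window_start = ind.published_at
        self._pending.append(ind)
        if len(self._pending) >= self.max_batch:
            self.flush()

    def flush(self) -> None:
        """Emit one summary email for everything pending and reset the window."""
        if not self._pending:
            return
        feeds = sorted({i.feed for i in self._pending})
        n = len(self._pending)
        lines = [f"- {i.value} ({i.ind_type}, {i.severity}) via {i.feed}"
                 for i in self._pending]
        self.send(Email(
            subject=f"[CRISP] {n} new threat indicators across {len(feeds)} feed(s)",
            body=(f"Indicators: {n}\nAffected feeds: {', '.join(feeds)}\n\n"
                  + "\n".join(lines)),
        ))
        self._pending.clear()
        self._window_start = None


class ThreatFeed:
    """Subject: notifies every attached observer of each new indicator."""

    def __init__(self) -> None:
        self._observers: List[BatchingSubscriber] = []

    def attach(self, observer: BatchingSubscriber) -> None:
        self._observers.append(observer)

    def publish(self, ind: Indicator) -> None:
        for observer in self._observers:
            observer.update(ind)


def demo() -> List[Email]:
    """Constructed scenario: three non-critical indicators inside a 5-minute
    window, one critical indicator, then another indicator 10 minutes later.
    Returns the emails that were sent, in order."""
    sent: List[Email] = []
    feed = ThreatFeed()
    feed.attach(BatchingSubscriber(sent.append, window_s=300.0, max_batch=50))
    t0 = 1_700_000_000.0  # constructed timestamp
    feed.publish(Indicator("203.0.113.7", "ipv4-addr", "medium", "edu-phishing", t0))
    feed.publish(Indicator("login.example.invalid", "domain-name", "medium", "edu-phishing", t0 + 60))
    feed.publish(Indicator("198.51.100.9", "ipv4-addr", "high", "ransomware-c2", t0 + 120))
    feed.publish(Indicator("192.0.2.44", "ipv4-addr", "critical", "ransomware-c2", t0 + 130))
    feed.publish(Indicator("worm.example.invalid", "domain-name", "medium", "edu-phishing", t0 + 600))
    # The last indicator opens a new window and is still pending; in a real
    # deployment a scheduler would call flush() when the window expires.
    return sent


if __name__ == "__main__":
    for mail in demo():
        print(mail.subject)
```

In the scenario the critical indicator produces the first email on its own, and the arrival of an indicator outside the window forces the three earlier ones into one summary with the indicator count and the affected feeds; a production version would flush on a timer as well, so that a quiet window still drains.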

User Story 4: Cross-Institutional Threat Sharing

As a Publisher
I want to share threat intelligence with trusted partner institutions
So that we can collectively defend against common threat actors.

  • I can publish threat feeds for sharing with specific institutions
  • Partner institutions are automatically notified when I publish new threats
  • Sensitive data is appropriately anonymized based on trust relationships
  • I can see which institutions are subscribed to my feeds
  • Publishing actions are logged for audit purposes
  • Recipients receive professional notification emails about new intelligence

User Story 5: Smart Infrastructure-Based Alerting

As a Viewer
I want to receive alerts only for threats that are relevant to my infrastructure
So that I can focus on threats that actually affect my organization.

  • I can upload my organization's IP ranges and domain lists
  • I only receive alerts for threats matching my infrastructure
  • Alerts include specific details about which assets are affected
  • I can update my infrastructure information as it changes
  • Generic threats are filtered out unless they meet severity thresholds
  • Alert emails clearly indicate which assets are at risk
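The infrastructure matching described above, as an added example rather than project code: an uploaded set of CIDR ranges and domain names is checked against each indicator, generic indicators pass only above a severity threshold, and every alert carries the asset it hit so the email can say which asset is at risk. The profile class, its methods and the sample indicators are constructed for this illustration.

```python
"""Added example (not CRISP project code): filter indicators against the
IP ranges and domains a Viewer has uploaded, so only relevant indicators
(or sufficiently severe generic ones) raise alerts. Names are assumptions;
all sample data is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Indicator:
    value: str
    ind_type: str  # "ipv4-addr" | "ipv6-addr" | "domain-name" | other
    severity: str  # key of SEVERITY_RANK


class InfrastructureProfile:
    """The assets an organisation uploaded: CIDR ranges and owned domains."""

    def __init__(self, cidrs: Iterable[str], domains: Iterable[str],
                 generic_threshold: str = "high") -> None:
        # strict=False tolerates host bits in uploaded ranges ("10.1.2.3/24").
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        self.domains = {d.lower().rstrip(".") for d in domains}
        # Generic (non-matching) indicators alert only at or above this severity.
        self.generic_threshold = SEVERITY_RANK[generic_threshold]

    def matching_asset(self, ind: Indicator) -> Optional[str]:
        """Return the uploaded asset this indicator hits, or None."""
        if ind.ind_type in ("ipv4-addr", "ipv6-addr"):
            try:
                addr = ipaddress.ip_address(ind.value)
            except ValueError:
                return None  # malformed address never matches
            for net in self.networks:
                if addr.version == net.version and addr in net:
                    return str(net)
            return None
        if ind.ind_type == "domain-name":
            name = ind.value.lower().rstrip(".")
            # Exact match or a true subdomain; a suffix check on ".<domain>"
            # keeps look-alikes such as "uni.example.attacker.test" out.
            for owned in self.domains:
                if name == owned or name.endswith("." + owned):
                    return owned
        return None

    def should_alert(self, ind: Indicator) -> Tuple[bool, str]:
        """Decide whether to alert and why; the reason goes into the email."""
        asset = self.matching_asset(ind)
        if asset is not None:
            return True, f"matches asset {asset}"
        if SEVERITY_RANK.get(ind.severity, -1) >= self.generic_threshold:
            return True, f"generic {ind.severity}-severity threat"
        return False, "not relevant to uploaded infrastructure"


def filter_alerts(profile: InfrastructureProfile,
                  indicators: Iterable[Indicator]) -> List[Tuple[str, str]]:
    """Return (indicator value, reason) for every indicator that should alert."""
    out: List[Tuple[str, str]] = []
    for ind in indicators:
        alert, reason = profile.should_alert(ind)
        if alert:
            out.append((ind.value, reason))
    return out


def demo() -> List[Tuple[str, str]]:
    """Constructed profile and indicators covering the edge cases."""
    profile = InfrastructureProfile(
        cidrs=["203.0.113.0/24", "2001:db8::/32"],
        domains=["uni.example"],
        generic_threshold="high",
    )
    indicators = [
        Indicator("203.0.113.77", "ipv4-addr", "medium"),               # in range
        Indicator("198.51.100.5", "ipv4-addr", "medium"),               # generic, below threshold
        Indicator("198.51.100.6", "ipv4-addr", "critical"),             # generic, above threshold
        Indicator("mail.uni.example", "domain-name", "low"),            # subdomain of owned domain
        Indicator("uni.example.attacker.test", "domain-name", "medium"),  # look-alike, filtered
        Indicator("2001:db8:1::42", "ipv6-addr", "low"),                # in IPv6 range
        Indicator("not-an-ip", "ipv4-addr", "medium"),                  # malformed, filtered
    ]
    return filter_alerts(profile, indicators)


if __name__ == "__main__":
    for value, reason in demo():
        print(f"ALERT {value}: {reason}")
```

Domain matching is deliberately a suffix check on the dot-separated label boundary rather than a substring test, and address matching uses the standard library's `ipaddress` module so that IPv4 and IPv6 ranges are handled uniformly and malformed values are rejected instead of matching by accident.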

User Story 6: Real-time Feed Update Notifications

As a Viewer
I want to be notified when threat feeds I follow are updated
So that I can access the latest threat intelligence for my research.

  • I receive email notifications when subscribed feeds publish new content
  • Notifications include a summary of what was added (indicators, TTPs)
  • I can choose notification frequency (immediate, daily digest, weekly)
  • Email includes direct links to view the new intelligence
  • Notification preferences are saved and applied consistently
  • I can temporarily pause notifications without unsubscribing

User Story 7: System Health Monitoring

As an Admin
I want to receive alerts when the notification system has issues
So that I can ensure users continue to receive critical threat intelligence.

  • I receive alerts when email delivery fails repeatedly
  • System health status is available in an admin dashboard
  • Failed notification attempts are logged with detailed error information
  • I can manually retry failed notifications
  • System performance metrics are tracked (delivery times, success rates)
  • Integration status with SMTP2Go is monitored and reported

User Story 8: Notification Customization

As a Viewer
I want to customize notification templates and recipients
So that alerts match my organization's communication standards and reach the right people.

  • I can define custom email templates with my organization's branding
  • I can set up recipient groups (security team, executives, analysts)
  • Different threat types can route to different recipient groups
  • Email templates support both HTML and plain text formats
  • I can test email templates before deploying them
  • Template changes apply to future notifications immediately