Story Threat Feed Consumption (User Story) - COS301-SE-2025/CRISP GitHub Wiki

CRISP Threat Feed Consumption Component - User Stories

Automated External Threat Intelligence Integration

As a cybersecurity professional in an educational institution
I want to automatically consume standardized threat intelligence from external sources
So that my organization stays informed about emerging threats without manual data collection efforts.


User Story 1: Admin Configures External TAXII Feed Sources

As a CRISP System Administrator (Admin)
I want to configure and manage external TAXII 2.1 threat intelligence sources
So that the platform can automatically consume threat data from trusted external providers.

  • I can add new external TAXII servers through the admin interface
  • I can configure authentication credentials (API keys, username/password) for each source
  • I can set consumption schedules (hourly, daily, weekly) for each feed
  • I can configure batch processing parameters (batch size, processing intervals)
  • I can test connections to external TAXII servers before saving configurations
  • I can view the status and health of all configured external sources
  • I can enable/disable specific external feeds without deleting their configuration
  • I can set data retention policies for consumed external intelligence

User Story 2: Admin Monitors Feed Consumption Performance

As a CRISP System Administrator
I want to monitor the performance and status of external threat feed consumption
So that I can ensure the system is successfully ingesting threat intelligence and troubleshoot any issues.

  • I can view real-time consumption statistics (items processed, success rates, processing times)
  • I can see the last successful sync time for each external feed
  • I can view error logs when consumption fails or encounters issues
  • I can manually trigger immediate consumption from specific sources
  • I can receive alerts when feeds fail to sync for extended periods
  • I can view detailed statistics about data types consumed (indicators vs TTPs)
  • I can monitor system resource usage during consumption operations
  • I can generate consumption reports for management and compliance

User Story 3: Publisher Reviews and Approves External Intelligence

As a Threat Intelligence Publisher
I want to review external threat intelligence before it's made available to viewers
So that I can ensure data quality and relevance for my organization's security needs.

  • I can view newly consumed external threat intelligence in a review queue
  • I can see the source and confidence level of external intelligence
  • I can approve, reject, or modify external indicators before publication
  • I can add organizational context or tags to external intelligence
  • I can batch approve multiple items that meet certain criteria
  • I can set up automatic approval rules for trusted sources
  • I can merge duplicate indicators from multiple external sources
  • I can assign external intelligence to specific internal threat feeds

User Story 4: Viewer Accesses External Threat Intelligence

As a Threat Intelligence Viewer
I want to access and search external threat intelligence that has been consumed by the platform
So that I can incorporate external insights into my organization's threat analysis and defense strategies.

  • I can browse external threat intelligence in the main threat intelligence interface
  • I can filter threat data by external source (AlienVault OTX, MISP feeds, etc.)
  • I can see clear attribution showing which external source provided each indicator
  • I can search across both internal and external threat intelligence simultaneously
  • I can view the freshness/age of external intelligence data
  • I can export external intelligence in standard formats (CSV, STIX, JSON)
  • I can subscribe to notifications when new external intelligence matches my interests
  • I can see confidence scores and reliability ratings for external sources

User Story 5: Admin Manages Data Quality and Deduplication

As a CRISP System Administrator
I want to manage data quality and prevent duplicates when consuming external threat feeds
So that the platform maintains high-quality, clean threat intelligence data.

  • I can configure deduplication rules based on STIX IDs, indicator values, and hashes
  • I can view statistics on duplicates detected and handled
  • I can set up data validation rules for incoming external intelligence
  • I can configure automatic cleanup of outdated external intelligence
  • I can manually review and resolve duplicate conflicts when automatic resolution fails
  • I can blacklist specific indicators or sources that provide low-quality data
  • I can configure data enrichment rules to enhance external intelligence
  • I can track data lineage showing how external intelligence flows through the system
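An added example (not CRISP project code) of the deduplication rules this story calls for: each consumed STIX 2.1 indicator is keyed on its STIX id, its whitespace- and case-normalised pattern, and any file hashes inside the pattern, and the first indicator seen under any key wins. The sample objects and the hypothetical `x_source` property are constructed for the example.

```python
"""Deduplicate STIX 2.1 indicators consumed from several TAXII sources.

Added example, not code from the CRISP project. Keys each indicator on its
STIX id, its normalised pattern and any file hashes in the pattern, so that
the same observable arriving from two feeds is stored once.
"""
import re
from typing import Iterable

# Matches file:hashes.'SHA-256' = 'abc...' (quotes around the algorithm optional)
HASH_RE = re.compile(r"file:hashes\.'?([\w-]+)'?\s*=\s*'([0-9a-fA-F]+)'")


def dedup_keys(indicator: dict) -> set:
    """Return every key under which this indicator may collide with another."""
    keys = {"id:" + indicator["id"]}
    raw = indicator.get("pattern", "")
    pattern = " ".join(raw.split()).lower()  # collapse whitespace, ignore case
    if pattern:
        keys.add("pattern:" + pattern)
    for algo, digest in HASH_RE.findall(raw):
        keys.add(f"hash:{algo.lower()}:{digest.lower()}")
    return keys


def deduplicate(indicators: Iterable[dict]) -> tuple:
    """Keep the first indicator seen per key; return (kept, [(dropped_id, kept_id)])."""
    seen: dict = {}  # key -> id of the indicator that claimed it
    kept, dropped = [], []
    for ind in indicators:
        keys = dedup_keys(ind)
        match = next((seen[k] for k in keys if k in seen), None)
        if match is not None:
            dropped.append((ind["id"], match))
            continue
        for k in keys:
            seen[k] = ind["id"]
        kept.append(ind)
    return kept, dropped


SAMPLE = [  # constructed sample objects, not real feed data
    {"id": "indicator--aaaa", "pattern": "[ipv4-addr:value = '203.0.113.5']", "x_source": "feed-a"},
    {"id": "indicator--aaaa", "pattern": "[ipv4-addr:value = '203.0.113.5']", "x_source": "feed-b"},
    {"id": "indicator--bbbb", "pattern": "[ipv4-addr:value  =  '203.0.113.5']", "x_source": "feed-c"},
    {"id": "indicator--cccc", "pattern": "[file:hashes.'SHA-256' = 'ABC123']", "x_source": "feed-a"},
    {"id": "indicator--dddd", "pattern": "[file:hashes.'SHA-256' = 'abc123' AND file:name = 'x.exe']", "x_source": "feed-b"},
    {"id": "indicator--eeee", "pattern": "[domain-name:value = 'example.invalid']", "x_source": "feed-b"},
]

if __name__ == "__main__":
    kept, dropped = deduplicate(SAMPLE)
    print(len(kept), "kept;", dropped)
```

The `dropped` list is the kind of record the statistics and manual conflict review in this story would be built on, since it names both the discarded object and the one it collided with.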

User Story 6: Publisher Manages External Feed Integration with Internal Feeds

As a Threat Intelligence Publisher
I want to integrate external threat intelligence with our internal threat feeds
So that viewers receive a comprehensive view of threats combining internal analysis with external intelligence.

  • I can create mixed feeds containing both internal and external intelligence
  • I can configure which external sources contribute to specific internal feeds
  • I can set priority levels for external vs internal intelligence in mixed feeds
  • I can add organizational analysis and context to external intelligence
  • I can create threat campaigns that combine indicators from multiple external sources
  • I can apply organizational anonymization policies to external intelligence before sharing
  • I can track the provenance of intelligence in mixed feeds
  • I can configure automatic feed updates when new external intelligence arrives

User Story 7: Admin Ensures Compliance and Security for External Sources

As a CRISP System Administrator
I want to ensure that external threat feed consumption complies with security policies and regulations
So that the organization maintains security standards while benefiting from external intelligence.

  • I can configure network security settings for external TAXII connections
  • I can audit all external intelligence consumption activities
  • I can apply data classification labels to external intelligence
  • I can configure retention policies specific to external intelligence sources
  • I can ensure external intelligence meets organizational data quality standards
  • I can track and report on external source reliability and accuracy over time
  • I can implement emergency disconnection procedures for compromised external sources
  • I can configure compliance reporting for external intelligence consumption

User Story 8: Viewer Understands External Intelligence Context and Reliability

As a Threat Intelligence Viewer
I want to understand the context, reliability, and freshness of external threat intelligence
So that I can make informed decisions about how to act on external intelligence data.

  • I can see clear indicators showing which intelligence came from external sources
  • I can view source reliability scores based on historical accuracy
  • I can see how recently external intelligence was collected and processed
  • I can access original source attribution and links where available
  • I can view confidence levels assigned by both external sources and internal analysis
  • I can see correlation analysis showing how external intelligence relates to internal data
  • I can access documentation about each external source's methodology and focus areas
  • I can provide feedback on external intelligence accuracy to improve source scoring