Story Threat Feed Publishing User - COS301-SE-2025/CRISP GitHub Wiki
User Story: Threat Feed Publishing
Overview
As a CRISP platform user (Security Analyst, Administrator, or automated system),
I want to curate, configure, and publish high-quality threat intelligence feeds to share with trusted institutions and the broader security community
So that I can contribute to collective cybersecurity defense by sharing my organization's validated threat intelligence while maintaining appropriate access controls and data protection standards.
User Roles
- Security Analyst: Front-line security professionals who curate threat intelligence and prepare content for publication
- Administrator: System administrators who configure feed access policies, manage organizational publishing settings, and oversee publication workflows
- CRISP System: The automated platform components that handle feed serving, validation, and access control
- External Consumer: External systems, organizations, and security platforms that consume published feeds
Narrative
The CRISP platform enables organizations to transform their internal threat intelligence discoveries into valuable shared resources for the cybersecurity community. Security analysts curate high-quality threat intelligence from incident response activities, security research, and validated external sources, while administrators ensure proper access controls and publication policies. The system automatically validates, formats, and serves threat feeds using standard protocols like STIX/TAXII, enabling seamless consumption by partner organizations and external systems while maintaining data quality and appropriate confidentiality controls.
Acceptance Criteria
1. Curate Intelligence for Publication
AC1.1 - Intelligence Collection and Curation (Functional)
- As a Security Analyst, I can curate threat intelligence from multiple sources:
  - Manual entry of indicators discovered during incident response
  - Selection and validation of relevant external feed data
  - Correlation of related indicators and attack campaigns
  - Addition of organizational context and attribution
  - Quality review and confidence level assignment
AC1.2 - Content Enhancement and Analysis (Functional)
- I can enhance curated intelligence with:
  - Detailed descriptions and contextual information
  - Relationships between indicators, TTPs, and campaigns
  - Kill chain mapping and attack timeline construction
  - Impact assessment and business risk evaluation
  - Mitigation recommendations and detection rules
AC1.3 - Collaborative Curation Workflow (Functional)
- Support for team-based intelligence curation:
  - Assignment of curation tasks to team members
  - Peer review and validation workflows
  - Version control and change tracking
  - Approval processes for high-sensitivity intelligence
  - Collaborative editing and annotation capabilities
AC1.4 - Source Attribution and Provenance (Functional)
- Proper attribution and provenance tracking:
  - Original source identification and citation
  - Chain of custody documentation
  - Analyst contributions and modifications tracking
  - Legal and sharing restrictions compliance
  - Source reliability and trust level documentation
2. Configure Published Feeds and Access
AC2.1 - Feed Publication Configuration (Functional)
- As an Administrator, I can configure organizational feed publishing:
  - Feed metadata definition (name, description, categories)
  - Target audience specification (public, partners, specific organizations)
  - Access control policies and trust level requirements
  - Data sharing restrictions and anonymization policies
  - Publication schedules and update frequencies
AC2.2 - Access Control Management (Functional)
- Granular access control for published feeds:
  - Organization-level access permissions
  - Role-based access within organizations
  - Time-based access restrictions and expiration
  - Geographic access limitations where applicable
  - API rate limiting and quota management
AC2.3 - Feed Customization and Filtering (Functional)
- Customizable feed content for different audiences:
  - Subscriber-specific data filtering
  - Trust-level based anonymization application
  - Industry-specific content curation
  - Threat type and severity filtering
  - Historical data access controls
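The per-subscriber shaping described in AC2.3 (and the anonymization integration in AC6.2) boils down to two steps: filter the curated content by the subscriber's policy, then strip organisation-specific context according to the subscriber's trust level. The following is an added example written for this page, not CRISP's own code; the three trust levels, the policy fields, the `x_example_*` custom properties and the sample objects are assumptions made here to illustrate the idea.

```python
"""Per-subscriber feed shaping: policy filtering followed by trust-level anonymisation.
Added example; trust levels, policy keys and x_example_* properties are assumptions."""
import copy

TRUST_RANK = {"public": 0, "partner": 1, "trusted": 2}  # assumed trust levels, lowest first
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def passes_filters(obj: dict, policy: dict) -> bool:
    """Subscriber-specific filtering by object type, minimum severity and minimum confidence."""
    if policy.get("types") and obj["type"] not in policy["types"]:
        return False
    severity = SEVERITY_RANK.get(obj.get("x_example_severity", "low"), 1)
    if severity < SEVERITY_RANK[policy.get("min_severity", "low")]:
        return False
    return obj.get("confidence", 0) >= policy.get("min_confidence", 0)


def anonymize(obj: dict, trust: str) -> dict:
    """Copy of `obj` with context removed for the given trust level:
    'trusted' sees the object as curated; 'partner' loses the publisher's
    identity, internal references and custom organisational context;
    'public' additionally loses the free-text description and exact confidence."""
    out = copy.deepcopy(obj)  # never mutate the curated master copy
    rank = TRUST_RANK[trust]
    if rank < TRUST_RANK["trusted"]:
        out.pop("created_by_ref", None)  # identity of the publishing organisation
        refs = [r for r in out.get("external_references", []) if r.get("source_name") != "internal"]
        if refs:
            out["external_references"] = refs  # keep public references such as ATT&CK ids
        else:
            out.pop("external_references", None)
        for key in [k for k in out if k.startswith("x_")]:  # custom properties carry org context
            del out[key]
    if rank < TRUST_RANK["partner"]:
        out.pop("description", None)
        if "confidence" in out:  # expose only a coarse band, not the analyst's exact score
            out["confidence"] = (out["confidence"] // 25) * 25
    return out


def build_feed(objects: list, subscriber: dict) -> list:
    """The view one subscriber receives: filter first, then anonymise what remains."""
    return [anonymize(o, subscriber["trust"]) for o in objects if passes_filters(o, subscriber["policy"])]


# Constructed sample content; ids, identity reference and ticket URL are placeholders.
PUBLISHER = "identity--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"
SAMPLE_OBJECTS = [
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--11111111-1111-4111-8111-111111111111",
     "created": "2025-03-01T09:00:00.000Z", "modified": "2025-03-01T09:00:00.000Z",
     "created_by_ref": PUBLISHER, "confidence": 90, "x_example_severity": "high",
     "x_example_analyst": "analyst@org.example",
     "description": "C2 address seen during incident IR-1234",
     "pattern": "[ipv4-addr:value = '192.0.2.10']", "pattern_type": "stix",
     "valid_from": "2025-03-01T09:00:00.000Z",
     "external_references": [{"source_name": "internal", "url": "https://tickets.org.example/IR-1234"},
                             {"source_name": "mitre-attack", "external_id": "T1071"}]},
    {"type": "indicator", "spec_version": "2.1", "id": "indicator--22222222-2222-4222-8222-222222222222",
     "created": "2025-03-01T09:30:00.000Z", "modified": "2025-03-01T09:30:00.000Z",
     "created_by_ref": PUBLISHER, "confidence": 40, "x_example_severity": "low",
     "pattern": "[domain-name:value = 'c2.example']", "pattern_type": "stix",
     "valid_from": "2025-03-01T09:30:00.000Z"},
    {"type": "malware", "spec_version": "2.1", "id": "malware--33333333-3333-4333-8333-333333333333",
     "created": "2025-03-01T10:00:00.000Z", "modified": "2025-03-01T10:00:00.000Z",
     "created_by_ref": PUBLISHER, "name": "Example Loader", "is_family": False,
     "x_example_severity": "medium"},
]
SUBSCRIBERS = {
    "trusted": {"trust": "trusted", "policy": {}},
    "partner": {"trust": "partner", "policy": {"min_severity": "medium"}},
    "public": {"trust": "public", "policy": {"types": {"indicator"}, "min_confidence": 50}},
}

if __name__ == "__main__":
    for name, sub in SUBSCRIBERS.items():
        print(name, [o["id"] for o in build_feed(SAMPLE_OBJECTS, sub)])
```

Filtering runs before anonymisation on purpose: the severity property used for filtering is itself organisational context that the partner and public views must not carry, so it has to be consulted while it still exists.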
AC2.4 - Subscription Management (Functional)
- Management of feed subscriptions and subscribers:
  - Subscription request approval workflows
  - Subscriber onboarding and verification
  - Usage monitoring and compliance tracking
  - Subscription modification and termination
  - Access audit logs and reporting
3. Serve Published Organizational Feed
AC3.1 - TAXII Server Implementation (Functional)
- The CRISP System provides TAXII 2.1 compliant server endpoints:
  - Discovery service for available collections
  - Collection management and metadata serving
  - Object retrieval with filtering and pagination
  - Manifest generation for collection contents
  - Status monitoring and health checks
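To make the AC3.1 endpoints concrete, here is an added example of the read side of a TAXII 2.1 server over an in-memory store: discovery, API root, collection listing, the objects endpoint with `added_after` and `match[type]` filtering plus `limit`/`next` pagination, and the manifest. It is written for this page and is not CRISP's implementation; the `/api/v1/` root path, the page cap, the offset-based `next` token and the sample objects are assumptions made here. The envelope fields (`more`, `next`, `objects`) and the `X-TAXII-Date-Added-First/Last` headers follow the TAXII 2.1 specification.

```python
"""Read side of a TAXII 2.1 server over an in-memory store. Added example, not
CRISP's code; the API root path, page cap and sample objects are assumptions."""
from datetime import datetime, timezone

TAXII_MEDIA = "application/taxii+json;version=2.1"
STIX_MEDIA = "application/stix+json;version=2.1"
MAX_PAGE = 100  # assumed server-side cap applied to the client's `limit`


def _ts(value: str) -> datetime:
    """Parse a TAXII/STIX timestamp ('...Z') into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


class TaxiiServer:
    """`collections` maps a collection id to {"title", "description", "objects"},
    where "objects" is a list of (date_added, stix_object) pairs."""

    def __init__(self, title: str, collections: dict):
        self.title = title
        self.collections = collections

    def discovery(self) -> dict:
        # GET /taxii2/ : tells a consumer which API roots exist
        return {"title": self.title, "default": "/api/v1/", "api_roots": ["/api/v1/"]}

    def api_root(self) -> dict:
        # GET /api/v1/ : advertises the TAXII version and upload size limit
        return {"title": self.title, "versions": [TAXII_MEDIA], "max_content_length": 10 * 1024 * 1024}

    def list_collections(self) -> dict:
        # GET /api/v1/collections/ : published feeds are read-only to consumers
        return {"collections": [
            {"id": cid, "title": c["title"], "description": c["description"],
             "can_read": True, "can_write": False, "media_types": [STIX_MEDIA]}
            for cid, c in self.collections.items()]}

    def _page(self, cid, added_after, match_type, limit, next_token):
        """Filter, order and slice one page; shared by objects and manifest."""
        entries = sorted(self.collections[cid]["objects"], key=lambda e: (_ts(e[0]), e[1]["id"]))
        if added_after:  # TAXII semantics: strictly later than the given date_added
            cutoff = _ts(added_after)
            entries = [e for e in entries if _ts(e[0]) > cutoff]
        if match_type:  # the match[type] filter parameter
            entries = [e for e in entries if e[1]["type"] == match_type]
        start = int(next_token) if next_token else 0  # `next` is opaque to clients; an offset here
        size = min(limit or MAX_PAGE, MAX_PAGE)
        page = entries[start:start + size]
        more = start + size < len(entries)
        headers = {}
        if page:  # TAXII 2.1 response headers giving the date_added range served
            headers["X-TAXII-Date-Added-First"] = page[0][0]
            headers["X-TAXII-Date-Added-Last"] = page[-1][0]
        return page, more, (str(start + size) if more else None), headers

    def get_objects(self, cid, added_after=None, match_type=None, limit=None, next_token=None):
        """GET /api/v1/collections/{cid}/objects/ -> (envelope, response headers)."""
        page, more, nxt, headers = self._page(cid, added_after, match_type, limit, next_token)
        body = {"more": more, "objects": [obj for _, obj in page]}
        if nxt:
            body["next"] = nxt
        return body, headers

    def get_manifest(self, cid, added_after=None, match_type=None, limit=None, next_token=None):
        """GET /api/v1/collections/{cid}/manifest/ : ids and versions only, no content."""
        page, more, nxt, headers = self._page(cid, added_after, match_type, limit, next_token)
        body = {"more": more, "objects": [
            {"id": obj["id"], "date_added": added, "media_type": STIX_MEDIA,
             "version": obj.get("modified", obj.get("created"))}
            for added, obj in page]}
        if nxt:
            body["next"] = nxt
        return body, headers


def _indicator(n: int, pattern: str, when: str) -> dict:
    """Constructed STIX 2.1 indicator; the ids are placeholders, not real intelligence."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0000000{n}-0000-4000-8000-000000000000",
            "created": when, "modified": when, "pattern": pattern,
            "pattern_type": "stix", "valid_from": when}


def sample_server() -> TaxiiServer:
    """Constructed published collection: three indicators and one malware object."""
    malware = {"type": "malware", "spec_version": "2.1",
               "id": "malware--00000001-0000-4000-8000-000000000000",
               "created": "2025-03-02T09:00:00.000Z", "modified": "2025-03-02T09:00:00.000Z",
               "name": "Example Loader", "is_family": False}
    objects = [
        ("2025-03-01T10:00:00.000Z", _indicator(1, "[domain-name:value = 'c2.example']", "2025-03-01T09:00:00.000Z")),
        ("2025-03-02T10:00:00.000Z", _indicator(2, "[ipv4-addr:value = '192.0.2.10']", "2025-03-02T09:00:00.000Z")),
        ("2025-03-02T10:00:00.000Z", malware),
        ("2025-03-03T10:00:00.000Z", _indicator(3, "[url:value = 'http://c2.example/x']", "2025-03-03T09:00:00.000Z")),
    ]
    return TaxiiServer("CRISP published feed (sample)", {
        "crisp-published": {"title": "Published indicators",
                            "description": "Constructed sample collection", "objects": objects}})
```

Two details matter for consumers that poll incrementally: `added_after` is exclusive, so a client that resubmits the `X-TAXII-Date-Added-Last` it received does not get the same objects twice, and the ordering ties on `date_added` are broken by id so that pagination is stable across requests.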
AC3.2 - REST API Feed Serving (Functional)
- RESTful API endpoints for feed consumption:
  - JSON-formatted threat intelligence data
  - Flexible query parameters and filtering
  - Pagination support for large datasets
  - Basic webhook notifications for updates
  - OpenAPI specification and documentation
AC3.3 - Feed Format Support (Functional)
- Multiple output formats for different consumer needs:
  - STIX 2.1 bundles and objects
  - Custom JSON schemas for specific use cases
  - CSV exports for spreadsheet analysis
  - IOC formats for security tool integration
  - Basic MISP event format support
AC3.4 - Performance and Scalability (Non-Functional)
- High-performance feed serving capabilities:
  - Response times under 2 seconds for standard queries
  - Support for 100+ concurrent feed consumers
  - Efficient caching and content delivery
  - Optimized database queries and indexing
  - Resource monitoring and capacity planning
4. Content Validation and Quality Control
AC4.1 - Pre-Publication Validation (Functional)
- Comprehensive validation before publication:
  - STIX 2.1 schema compliance verification
  - Business logic validation for data consistency
  - Duplicate detection and conflict resolution
  - Source verification and attribution checking
  - Automated testing with validation rules
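The first three items of AC4.1 can be shown in a small pre-publication gate: structural rules a STIX 2.1 schema validator would enforce (required common and per-type properties, `type--UUID` ids, RFC 3339 timestamps), consistency rules (`modified` not before `created`, bracketed `stix` patterns, `confidence` in range), and duplicate detection across the batch by normalised pattern. This is an added example written for this page, not CRISP's validator; the subset of per-type required properties and the sample objects are constructed here.

```python
"""Pre-publication checks over STIX 2.1 objects: structural, consistency and
duplicate detection. Added example, not CRISP's code; sample objects are constructed."""
import re
from datetime import datetime

STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}"
                     r"-[89ab][0-9a-f]{3}-[0-9a-f]{12}$")
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
TYPE_REQUIRED = {  # a subset of the per-type required properties in STIX 2.1
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "attack-pattern": ("name",),
}
TIME_PROPS = ("created", "modified", "valid_from", "valid_until")


def _parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def validate_object(obj: dict) -> list:
    """Problems found in one object; an empty list means it passes."""
    errors = [f"missing required property '{p}'" for p in COMMON_REQUIRED if p not in obj]
    if errors:
        return errors  # the remaining checks assume the common properties exist
    if obj["spec_version"] != "2.1":
        errors.append(f"spec_version must be '2.1', got {obj['spec_version']!r}")
    m = STIX_ID.match(str(obj["id"]))
    if not m:
        errors.append("id is not '<type>--<RFC 4122 UUID>'")
    elif m.group(1) != obj["type"]:
        errors.append(f"id prefix {m.group(1)!r} does not match type {obj['type']!r}")
    bad_ts = [p for p in TIME_PROPS if p in obj and not TIMESTAMP.match(str(obj[p]))]
    errors += [f"{p} is not an RFC 3339 UTC timestamp" for p in bad_ts]
    if not bad_ts:  # ordering checks only make sense on parseable timestamps
        if _parse(obj["modified"]) < _parse(obj["created"]):
            errors.append("modified is earlier than created")
        if "valid_until" in obj and "valid_from" in obj and \
                _parse(obj["valid_until"]) <= _parse(obj["valid_from"]):
            errors.append("valid_until must be later than valid_from")
    errors += [f"{obj['type']} requires property '{p}'"
               for p in TYPE_REQUIRED.get(obj["type"], ()) if p not in obj]
    if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
        pattern = str(obj.get("pattern", ""))
        if not (pattern.startswith("[") and pattern.endswith("]")):
            errors.append("stix pattern must be a bracketed comparison expression")
    conf = obj.get("confidence")
    if conf is not None and not (isinstance(conf, int) and 0 <= conf <= 100):
        errors.append("confidence must be an integer in 0..100")
    return errors


def find_duplicates(objects: list) -> dict:
    """Indicators whose patterns are equal after removing whitespace and case
    differences; each returned group is a conflict to resolve before publishing."""
    groups = {}
    for obj in objects:
        if obj.get("type") == "indicator" and isinstance(obj.get("pattern"), str):
            key = re.sub(r"\s+", "", obj["pattern"]).lower()
            groups.setdefault(key, []).append(obj.get("id", "<no id>"))
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


def prepublication_report(objects: list) -> dict:
    """Batch verdict: per-object errors, duplicate groups and a publishable flag."""
    per_object = {}
    for i, obj in enumerate(objects):
        errs = validate_object(obj)
        if errs:
            per_object[obj.get("id", f"<object {i}>")] = errs
    dups = find_duplicates(objects)
    return {"errors": per_object, "duplicates": dups, "publishable": not per_object and not dups}


# Constructed sample batch: one valid indicator, a whitespace-variant duplicate of it,
# and one object with several defects. Ids are placeholders.
GOOD = {"type": "indicator", "spec_version": "2.1",
        "id": "indicator--11111111-1111-4111-8111-111111111111",
        "created": "2025-03-01T09:00:00.000Z", "modified": "2025-03-01T09:00:00.000Z",
        "pattern": "[ipv4-addr:value = '192.0.2.10']", "pattern_type": "stix",
        "valid_from": "2025-03-01T09:00:00.000Z", "confidence": 80}
DUPLICATE = {**GOOD, "id": "indicator--22222222-2222-4222-8222-222222222222",
             "pattern": "[ipv4-addr:value='192.0.2.10']"}
BROKEN = {"type": "indicator", "spec_version": "2.0",
          "id": "malware--33333333-3333-4333-8333-333333333333",
          "created": "2025-03-01T09:00:00.000Z", "modified": "2025-02-28T09:00:00.000Z",
          "pattern": "ipv4-addr:value = '192.0.2.11'", "pattern_type": "stix"}
SAMPLE_OBJECTS = [GOOD, DUPLICATE, BROKEN]

if __name__ == "__main__":
    print(prepublication_report(SAMPLE_OBJECTS))
```

A real deployment would run the full STIX 2.1 schema rather than this subset, but the shape of the gate stays the same: structural failures block the single object, while duplicates block the batch until an analyst decides which version to publish.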
AC4.2 - Publication Quality Control (Functional)
- Quality control measures for published content:
  - Mandatory review workflows for sensitive intelligence
  - Automated quality scoring and flagging
  - Consistency checks across related indicators
  - Format standardization and normalization
  - Error detection and correction recommendations
AC4.3 - Publication Approval Workflow (Functional)
- Structured approval process for content publication:
  - Multi-level approval for different content types
  - Escalation procedures for high-risk intelligence
  - Legal and compliance review integration
  - Publication scheduling and timing controls
  - Rollback capabilities for published content
AC4.4 - Post-Publication Monitoring (Functional)
- Monitoring and feedback for published content:
  - Consumer usage analytics and statistics
  - Quality feedback collection from subscribers
  - False positive reporting and handling
  - Performance impact monitoring
  - Content effectiveness assessment
5. Feed Management and Administration
AC5.1 - Feed Lifecycle Management (Functional)
- Complete lifecycle management for published feeds:
  - Feed creation, configuration, and activation
  - Content updates and versioning
  - Feed suspension and reactivation
  - Archival and deletion procedures
  - Migration and backup capabilities
AC5.2 - Content Updating and Versioning (Functional)
- Systematic content updates and version control:
  - Incremental updates with change tracking
  - Version history and rollback capabilities
  - Update notification mechanisms
  - Conflict resolution for simultaneous edits
  - Audit trails for all content modifications
AC5.3 - Subscriber Communication (Functional)
- Communication and notification systems:
  - Automated notifications for feed updates
  - Maintenance and downtime announcements
  - Policy changes and access modifications
  - Quality alerts and issue notifications
  - Subscriber support and documentation
6. Security and Access Control
AC6.1 - Authentication and Authorization (Security)
- Robust security for feed access:
  - Multi-factor authentication for administrative access
  - API key management for programmatic access
  - Certificate-based authentication for TAXII
  - Role-based permissions for feed management
  - Session management and timeout controls
AC6.2 - Data Protection and Privacy (Security)
- Protection of sensitive published content:
  - Encryption in transit and at rest
  - Anonymization integration for trust-based sharing
  - Data classification and handling procedures
  - Privacy protection for sensitive indicators
  - Compliance with data protection regulations
AC6.3 - Audit and Compliance (Security)
- Comprehensive audit and compliance capabilities:
  - Detailed access logs and audit trails
  - Compliance reporting for regulatory requirements
  - Data sharing agreements and terms enforcement
  - Security incident detection and response
  - Regular security assessments and reviews
7. Performance and Monitoring
AC7.1 - Real-Time Monitoring (Non-Functional)
- Comprehensive monitoring of publication activities:
  - Feed serving performance and response times
  - Consumer access patterns and usage statistics
  - Error rates and failure analysis
  - Resource utilization and capacity planning
  - Security event detection and alerting
AC7.2 - Analytics and Reporting (Functional)
- Detailed analytics for publication insights:
  - Feed consumption statistics and trends
  - Subscriber engagement and feedback analysis
  - Content performance and effectiveness metrics
  - Quality improvement recommendations
  - ROI analysis for threat intelligence sharing
Assumptions & Pre-conditions
- Organizations have established threat intelligence analysis and validation capabilities
- Clear organizational policies exist for threat intelligence sharing and publication
- Legal frameworks permit the publication of threat intelligence data
- Technical staff have adequate training on STIX/TAXII standards and threat intelligence concepts
- Organizations have defined data classification and sensitivity policies
- Network infrastructure supports secure, reliable feed serving capabilities