Use Case: Indicator Sighting Reporting with Count - STIXProject/use-cases GitHub Wiki
Indicator Sighting Reporting with Count
Pre-1.2.1 Use Case (True/False): True
Relevant to which SCs (STIX/TAXII/CybOX): STIX/TAXII/CybOX
Abstraction Level (High, Medium or Low): Medium
Related Use Cases: Related use case (replace with your content)
Description: A recipient of an Indicator provides a report to the producer of the Indicator that an observation was made matching the pattern defined by the Indicator along with a "count" of how many times it was observed. NOTE: there are many different ways to calculate a "count". This is an ambiguity that bears exploration. NOTE: the producer and recipient of the Indicator may exist within the same organization or in different organizations.
Stakeholders/Goals:
- Stakeholder: Indicator Producer
- Goal: Share patterns indicating malicious activity to assist others in detecting it
- Goal: Receive back reports of where particular malicious activity may be occurring to better understand that activity and its potential impact on the producer
- Stakeholder: Indicator Recipient/Sighter
- Goal: Share back sighting with producer to engender trust, encourage future sharing from producer, and to assist in collective defense
Preconditions:
- An Indicator exists
- An observation was made matching the pattern defined by the Indicator
- The "sighter" has the ability to "count" matching occurrences
- The "sighter" of the Indicator knows how and to who to report the sighting
Dependencies:
- Dependency description (replace with your content)
Main Success Scenario:
- Entity A produces an Indicator
- Entity A shares the Indicator with Entity B (could be in the same org or different orgs)
- Entity B deploys capabilities to collect observations and attempt to match them against the pattern defined by the Indicator
- Entity B finds one or more observations matching the pattern defined by the Indicator
- Entity B transmits a report to Entity A that references the Indicator, indicates that the Indicator was observed, provides a "count" of times the Indicator was observed and identifies Entity B as the sighter
Minimum Information Profile
- ID
- Indicator reference
- "Count" of sighting occurrences
- Sighting Source ("sighter" identity)
Optional Information Profile
- Alternative ID (typically for external system generated sightings)
- Time of observation
- Data Markings (typically for org-to-org sharing/sighting)
- Confidence