Use Case: Indicator Sighting Reporting with Count - STIXProject/use-cases GitHub Wiki

Indicator Sighting Reporting with Count

Pre-1.2.1 Use Case (True/False): True

Relevant to which SCs (STIX/TAXII/CybOX): STIX/TAXII/CybOX

Abstraction Level (High, Medium or Low): Medium

Related Use Cases: Related use case (replace with your content)

Description: A recipient of an Indicator provides a report to the producer of the Indicator that an observation was made matching the pattern defined by the Indicator along with a "count" of how many times it was observed. NOTE: there are many different ways to calculate a "count". This is an ambiguity that bears exploration. NOTE: the producer and recipient of the Indicator may exist within the same organization or in different organizations.

Stakeholders/Goals:

  • Stakeholder: Indicator Producer
  • Goal: Share patterns indicating malicious activity to assist others in detecting it
  • Goal: Receive back reports of where particular malicious activity may be occurring to better understand that activity and its potential impact on the producer
  • Stakeholder: Indicator Recipient/Sighter
  • Goal: Share back sighting with producer to engender trust, encourage future sharing from producer, and to assist in collective defense

Preconditions:

  1. An Indicator exists
  2. An observation was made matching the pattern defined by the Indicator
  3. The "sighter" has the ability to "count" matching occurrences
  4. The "sighter" of the Indicator knows how and to who to report the sighting

Dependencies:

  1. Dependency description (replace with your content)

Main Success Scenario:

  1. Entity A produces an Indicator
  2. Entity A shares the Indicator with Entity B (could be in the same org or different orgs)
  3. Entity B deploys capabilities to collect observations and attempt to match them against the pattern defined by the Indicator
  4. Entity B finds one or more observations matching the pattern defined by the Indicator
  5. Entity B transmits a report to Entity A that references the Indicator, indicates that the Indicator was observed, provides a "count" of times the Indicator was observed and identifies Entity B as the sighter

Minimum Information Profile

  • ID
  • Indicator reference
  • "Count" of sighting occurrences
  • Sighting Source ("sighter" identity)

Optional Information Profile

  • Alternative ID (typically for external system generated sightings)
  • Time of observation
  • Data Markings (typically for org-to-org sharing/sighting)
  • Confidence