Use Case: Indicator Sighting Reporting with Specific Observation - STIXProject/use-cases GitHub Wiki
Indicator Sighting Reporting with Specific Observation
Pre-1.2.1 Use Case (True/False): True
Relevant to which SCs (STIX/TAXII/CybOX): STIX/TAXII/CybOX
Abstraction Level (High, Medium or Low): Medium
Related Use Cases: Related use case (replace with your content)
Description: A recipient of an Indicator provides a detailed report (including observation details) to the producer of the Indicator that an observation was made matching the pattern defined by the Indicator. NOTE: the producer and recipient of the Indicator may exist within the same organization or in different organizations.
Stakeholders/Goals:
- Stakeholder: Indicator Producer
- Goal: Share patterns indicating malicious activity to assist others in detecting it
- Goal: Receive back reports of where particular malicious activity may be occurring to better understand that activity and its potential impact on the producer
- Stakeholder: Indicator Recipient/Sighter
- Goal: Share the sighting back with the producer to engender trust, encourage future sharing from the producer, enable the producer to further evolve and improve their threat intelligence, and assist in collective defense
Preconditions:
- An Indicator exists
- An observation was made matching the pattern defined by the Indicator
- The "sighter" of the Indicator knows how and to whom to report the sighting
Dependencies:
- Dependency description (replace with your content)
Main Success Scenario:
- Entity A produces an Indicator
- Entity A shares the Indicator with Entity B (could be in the same org or different orgs)
- Entity B deploys capabilities to collect observations and attempt to match them against the pattern defined by the Indicator
- Entity B finds an observation matching the pattern defined by the Indicator
- Entity B transmits a detailed report to Entity A that references the Indicator, indicates that the Indicator was observed, provides details of what was observed and identifies Entity B as the sighter
Minimum Information Profile
- ID
- Indicator reference
- Observation details (e.g. outgoing network connection to 34.122.3.89)
- Sighting Source ("sighter" identity)
Optional Information Profile
- Alternative ID (typically for external system generated sightings)
- Time of observation
- "Count" of sighting occurrences
- Details of method of detection (e.g. tool used)
- Data Markings (typically for org-to-org sharing/sighting)
- Confidence
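As an added example (not code from the STIXProject wiki or any STIX library), the following builds the detailed report Entity B sends back to Entity A in the Main Success Scenario and checks it against the Minimum and Optional Information Profiles above. The field names, the JSON layout, the "entityB:sighting-<uuid>" id form and the Low/Medium/High confidence values are assumptions for illustration, not the STIX 1.x schema.

```python
import json
import uuid
from datetime import datetime

# Field names follow this page's profiles; their spelling is assumed.
REQUIRED = ("id", "indicator_ref", "observation", "sighter")
OPTIONAL = ("alt_id", "observed_at", "count", "detection_method", "markings", "confidence")


def build_sighting(indicator_ref, observation, sighter, ns="entityB", **optional):
    """Entity B (the sighter) reports that the pattern of `indicator_ref` was observed."""
    unknown = set(optional) - set(OPTIONAL)
    if unknown:
        raise ValueError(f"unsupported optional fields: {sorted(unknown)}")
    report = {
        "id": f"{ns}:sighting-{uuid.uuid4()}",  # assumed id form
        "indicator_ref": indicator_ref,
        "observation": observation,
        "sighter": sighter,
    }
    report.update({k: v for k, v in optional.items() if v is not None})
    return report


def validate_sighting(report):
    """Return a list of problems; an empty list means the minimum profile is met."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not report.get(f)]
    count = report.get("count")
    if count is not None and (not isinstance(count, int) or count < 1):
        problems.append("count must be a positive integer")
    if "confidence" in report and report["confidence"] not in ("Low", "Medium", "High"):
        problems.append("confidence must be Low, Medium or High")
    if "observed_at" in report:
        try:  # accept a trailing "Z" as UTC
            datetime.fromisoformat(str(report["observed_at"]).replace("Z", "+00:00"))
        except ValueError:
            problems.append("observed_at must be an ISO 8601 timestamp")
    return problems


def to_json(report):
    """Serialise the report for transmission to the Indicator producer."""
    return json.dumps(report, sort_keys=True)


# Constructed sample reusing the page's example observation (outgoing connection to 34.122.3.89).
SAMPLE = build_sighting(
    indicator_ref="entityA:indicator-1",  # constructed reference to Entity A's Indicator
    observation={"type": "network-connection", "direction": "outgoing", "dst_ip": "34.122.3.89"},
    sighter="Entity B",
    observed_at="2015-06-01T12:00:00Z", count=3, detection_method="network IDS", confidence="High",
)
```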