Use Case: Indicator Sighting Reporting with Specific Observation - STIXProject/use-cases GitHub Wiki

Indicator Sighting Reporting with Specific Observation

Pre-1.2.1 Use Case (True/False): True

Relevant to which SCs (STIX/TAXII/CybOX): STIX/TAXII/CybOX

Abstraction Level (High, Medium or Low): Medium

Related Use Cases: Related use case (replace with your content)

Description: A recipient of an Indicator provides a detailed report (including observation details) to the producer of the Indicator that an observation was made matching the pattern defined by the Indicator. NOTE: the producer and recipient of the Indicator may exist within the same organization or in different organizations.

Stakeholders/Goals:

  • Stakeholder: Indicator Producer
  • Goal: Share patterns indicating malicious activity to assist others in detecting it
  • Goal: Receive back reports of where particular malicious activity may be occurring to better understand that activity and its potential impact on the producer
  • Stakeholder: Indicator Recipient/Sighter
  • Goal: Share back sighting with producer to engender trust, encourage future sharing from producer, enable producer to further evolve and improve their threat intelligence and to assist in collective defense

Preconditions:

  1. An Indicator exists
  2. An observation was made matching the pattern defined by the Indicator
  3. The "sighter" of the Indicator knows how and to whom to report the sighting

Dependencies:

  1. Dependency description (replace with your content)

Main Success Scenario:

  1. Entity A produces an Indicator
  2. Entity A shares the Indicator with Entity B (could be in the same org or different orgs)
  3. Entity B deploys capabilities to collect observations and attempt to match them against the pattern defined by the Indicator
  4. Entity B finds an observation matching the pattern defined by the Indicator
  5. Entity B transmits a detailed report to Entity A that references the Indicator, indicates that the Indicator was observed, provides details of what was observed and identifies Entity B as the sighter

Minimum Information Profile

  • ID
  • Indicator reference
  • Observation details (e.g. outgoing network connection to 34.122.3.89)
  • Sighting Source ("sighter" identity)

Optional Information Profile

  • Alternative ID (typically for external system generated sightings)
  • Time of observation
  • "Count" of sighting occurrences
  • Details of method of detection (e.g. tool used)
  • Data Markings (typically for org-to-org sharing/sighting)
  • Confidence
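The following is an added example, not code from the STIXProject wiki, that walks the Main Success Scenario from step 3 onward and then checks the result against the Minimum Information Profile above: Entity B matches a constructed connection log against the Indicator's pattern (the 34.122.3.89 address from the observation example), builds a sighting report that references the Indicator by idref and names Entity B as the sighter, and Entity A rejects any report lacking an ID, an Indicator reference, observation details or a sighter identity. The STIX 1.x and CybOX element and attribute names (STIX_Package, Indicator/@idref, Sightings/@sightings_count, Sighting/@timestamp, Source, Reference, Confidence, Description, Related_Observables, AddressObjectType) and their namespaces are an assumption about the 1.2 schemas made by the example's author and should be validated against the official XSDs; every ID, entity name, tool name and log line is constructed sample data.

```python
import xml.etree.ElementTree as ET

# Namespaces of the STIX 1.x / CybOX 2.x schemas this example targets (assumed; see lead-in).
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def q(prefix, name):
    """Clark-notation tag for ElementTree, e.g. q("stix", "Indicator")."""
    return "{%s}%s" % (NS[prefix], name)


# Indicator received from Entity A (step 2). The address is the one the wiki page
# uses in its observation example; the id is a constructed placeholder.
INDICATOR = {"id": "entityA:indicator-1", "dst_ip": "34.122.3.89"}

# Constructed connection log collected by Entity B (step 3); one line per flow.
CONNECTION_LOG = [
    "2016-03-01T10:14:02Z src=10.0.0.5 dst=93.184.216.34 dport=443",
    "2016-03-01T10:15:47Z src=10.0.0.17 dst=34.122.3.89 dport=8080",
    "2016-03-01T10:16:03Z src=10.0.0.17 dst=34.122.3.89 dport=8080",
]


def parse_line(line):
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["timestamp"] = ts
    return fields


def find_matches(indicator, log_lines):
    """Step 4: keep only the observations whose destination matches the Indicator pattern."""
    return [f for f in map(parse_line, log_lines) if f["dst"] == indicator["dst_ip"]]


def build_sighting_report(indicator, observations, sighter, report_id, tool, confidence="High"):
    """Step 5: a package referencing the Indicator by idref with one Sighting per observation.
    Minimum profile: package id, idref, observed address, sighter Identity.
    Optional profile: timestamp, sightings_count, detection tool (Source/Description),
    Reference as an alternative id, Confidence."""
    pkg = ET.Element(q("stix", "STIX_Package"), {"id": report_id, "version": "1.2"})
    ind = ET.SubElement(ET.SubElement(pkg, q("stix", "Indicators")), q("stix", "Indicator"),
                        {"idref": indicator["id"], q("xsi", "type"): "indicator:IndicatorType"})
    sightings = ET.SubElement(ind, q("indicator", "Sightings"),
                              {"sightings_count": str(len(observations))})
    id_prefix = report_id.split(":")[0]  # constructed id namespace for the sighter's observables
    for n, obs in enumerate(observations, 1):
        s = ET.SubElement(sightings, q("indicator", "Sighting"),
                          {"timestamp": obs["timestamp"], "timestamp_precision": "second"})
        src = ET.SubElement(s, q("indicator", "Source"))
        ET.SubElement(ET.SubElement(src, q("stixCommon", "Identity")),
                      q("stixCommon", "Name")).text = sighter
        ET.SubElement(src, q("stixCommon", "Description")).text = "Detected with " + tool
        ET.SubElement(s, q("indicator", "Reference")).text = "%s/sighting/%d" % (report_id, n)
        ET.SubElement(ET.SubElement(s, q("indicator", "Confidence")),
                      q("stixCommon", "Value")).text = confidence
        ET.SubElement(s, q("indicator", "Description")).text = (
            "Outgoing connection from %s to %s port %s" % (obs["src"], obs["dst"], obs["dport"]))
        rel = ET.SubElement(ET.SubElement(s, q("indicator", "Related_Observables")),
                            q("indicator", "Related_Observable"))
        observable = ET.SubElement(rel, q("stixCommon", "Observable"),
                                   {"id": "%s:observable-%d" % (id_prefix, n)})
        props = ET.SubElement(ET.SubElement(observable, q("cybox", "Object")), q("cybox", "Properties"),
                              {q("xsi", "type"): "AddressObj:AddressObjectType", "category": "ipv4-addr"})
        ET.SubElement(props, q("AddressObj", "Address_Value")).text = obs["dst"]
    return ET.tostring(pkg, encoding="unicode")


def check_minimum_profile(xml_text):
    """Entity A side: refuse a report missing any minimum-profile field and return
    a summary the producer can tie back to the Indicator it issued."""
    root = ET.fromstring(xml_text)
    if root.get("id") is None:
        raise ValueError("report has no ID")
    ind = root.find("stix:Indicators/stix:Indicator", NS)
    if ind is None or not ind.get("idref"):
        raise ValueError("report does not reference an Indicator")
    sightings = ind.findall("indicator:Sightings/indicator:Sighting", NS)
    if not sightings:
        raise ValueError("report contains no Sighting")
    summary = {"report_id": root.get("id"), "indicator_ref": ind.get("idref"),
               "sightings_count": len(sightings), "sighter": None, "observed": []}
    for s in sightings:
        name = s.findtext("indicator:Source/stixCommon:Identity/stixCommon:Name", namespaces=NS)
        addr = s.findtext(".//AddressObj:Address_Value", namespaces=NS)
        if not name or not addr:
            raise ValueError("Sighting lacks sighter identity or observation details")
        summary["sighter"] = name
        summary["observed"].append(addr)
    return summary


if __name__ == "__main__":
    matches = find_matches(INDICATOR, CONNECTION_LOG)
    report = build_sighting_report(INDICATOR, matches, "Entity B", "entityB:package-1", "netflow collector")
    print(report)
    print(check_minimum_profile(report))
```

The producer-side check is where the Minimum Information Profile earns its keep: a sighting with no sighter identity cannot build the trust the Indicator Recipient is trying to engender, and a sighting with no observation details cannot help the producer evolve the Indicator, so both are rejected before anything is recorded.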