Indicator Management

The Structured Threat Information eXpression (STIX) describes standard terminology for documenting IoCs and ways of indicating relationships between them.

The STIX architecture is built from high-level STIX domain objects (SDO). The attributes of SDOs and the terminology and format for attribute values are defined in the STIX patterning language. Some of the SDOs are as follows:

Observed Data — Examples of observables include an IP address, a change in an executable file property or signature, an HTTP request, or a firewall blocking a connection attempt.

Indicator — A pattern of observables that are "of interest," or worthy of cybersecurity analysis.

Attack Pattern — Known adversary behaviors, starting with the overall goal and asset target (tactic), and elaborated over specific techniques and procedures. This information is used to identify potential indicators and intrusion sets.

Campaign and Threat Actors — The adversaries launching cyberattacks are referred to in this framework as Threat Actors.

Course of Action (CoA) — Mitigating actions or use of security controls to reduce risk from attacks or to resolve an incident.
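As an added example (not from the original page), the Python sketch below builds a small STIX 2.1 bundle containing an Attack Pattern, an Indicator whose pattern is written in the STIX patterning language, an "indicates" Relationship and a Course of Action, then evaluates the indicator against Observed Data. The IP address, object names and identifiers are constructed placeholders, and the evaluator only handles a single equality comparison, the simplest form of the patterning language.

```python
import json
import re
import uuid

# Constructed timestamp and documentation-range IP; not values from the page.
NOW = "2024-01-01T00:00:00.000Z"
C2_ADDR = "203.0.113.5"


def sdo(obj_type, **props):
    """Build a minimal STIX 2.1 domain/relationship object with required common fields."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}


def sco(obj_type, **props):
    """Build a STIX Cyber-observable Object (what Observed Data points at)."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", **props}


def build_bundle():
    """Assemble the SDOs described above, linked by an 'indicates' relationship."""
    attack = sdo("attack-pattern", name="Command and Control over HTTP")
    indicator = sdo("indicator", name="Known C2 address", pattern_type="stix",
                    valid_from=NOW, pattern=f"[ipv4-addr:value = '{C2_ADDR}']")
    rel = sdo("relationship", relationship_type="indicates",
              source_ref=indicator["id"], target_ref=attack["id"])
    coa = sdo("course-of-action", name=f"Block {C2_ADDR} at the egress firewall")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [attack, indicator, rel, coa]}


def observed_data(scos):
    """Wrap raw observables in an Observed Data SDO via object_refs."""
    return sdo("observed-data", first_observed=NOW, last_observed=NOW,
               number_observed=1, object_refs=[o["id"] for o in scos])


# Matches "[<object-type>:<property> = '<value>']" and nothing more complex.
SIMPLE_PATTERN = re.compile(r"^\[([\w-]+):([\w.]+)\s*=\s*'([^']*)'\]$")


def parse_simple_pattern(pattern):
    """Return (object type, property, value) for a single-comparison STIX pattern."""
    m = SIMPLE_PATTERN.match(pattern)
    if not m:
        raise ValueError("only single equality comparisons are supported here")
    return m.groups()


def matches(indicator, scos):
    """True if any observable satisfies the indicator's (simple) STIX pattern."""
    if indicator.get("pattern_type") != "stix":
        raise ValueError("unsupported pattern_type")
    obj_type, prop, value = parse_simple_pattern(indicator["pattern"])
    return any(o.get("type") == obj_type and o.get(prop) == value for o in scos)
```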
