OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

cti-users message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [cti-users] ThreatActor associated with a Sighting?

I happen to live in a world of sightings.

In STIX 1.2 you cannot link a Threat Actor to a Sighting. Sightings are only contained within indicators. Your goal is to create a relationship that will either get you to your threat actor, or get you back to your indicator. 

Commonly used relationships:
Indicator -> TTP <- Threat Actor
Indicator -> Campaign -> Threat Actor

Hope this helps.

Aharon

On Mon, Dec 12, 2016 at 7:25 PM, Memory, Alexander C. <ALEXANDER.C.MEMORY@leidos.com> wrote:
I am new to STIX and have a question about how to use it.  Suppose that a sighting of some indicator can give us knowledge of which threat actor is involved.  In that case, I would want to associate a STIX ThreatActor with a Sighting, but I don’t see how to do that using STIX 1.2.  I see how the Indicator can be related to a ThreatActor through a Campaign, but I need to associate a specific ThreatActor to a specific Sighting.  Is this the wrong way to use Indicators and Sightings?

Alex Memory

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]