Observables are data objects with a type and value, such as IPs, URLs, and hashes, used to create relationships between two data records. Observables do not have context or scores.
Events are generated by internal systems capturing anomalous behaviors and actions within a software environment. Often events need to be processed and categorized as legitimate or fraudulent. Events contain observables.
Indicators are Observables with a context such as a score, attributes, and a detection validity time range. Observables are contained within Indicators. Indicators can be used to determine fraudulent Events.
Attributes provide malicious categorization and context for an indicator, such as a TTP, a campaign, a malware family, or a threat actor associated with an indicator object. Attributes provide context as to why an indicator was scored a certain way.
Intelligence reports are data objects that contain a collection of Indicators grouped around an attribute such as a campaign, a malware family, a threat actor, or a TTP.
- Observables/events can be scored and correlated with Indicators from intelligence reports.
- Observables that correlate with Indicators can infer the attributes of that indicator and assume indicator status.
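
The data model and the correlation step described above can be sketched as follows. This is an added example, not code from any particular threat intelligence platform; the class names, the 0-100 score scale, the `score_event` helper, and all sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Observable:            # type + value only: no context, no score
    type: str
    value: str

@dataclass
class Indicator:             # Observable + score, attributes, validity range
    observable: Observable
    score: int               # assumed 0-100 scale
    attributes: dict         # e.g. {"campaign": "..."}
    valid_from: datetime
    valid_until: datetime

@dataclass
class Event:                 # internal-system record containing Observables
    event_id: str
    timestamp: datetime
    observables: list

def correlate(event, indicators):
    """Pair each event Observable with Indicators valid at the event time."""
    index = {}
    for ind in indicators:
        index.setdefault(ind.observable, []).append(ind)
    return [(obs, ind) for obs in event.observables
            for ind in index.get(obs, [])
            if ind.valid_from <= event.timestamp <= ind.valid_until]

def score_event(event, indicators):
    """Score an Event by its best match and inherit matched attributes."""
    hits = correlate(event, indicators)
    attrs = {}
    for _, ind in hits:
        for key, val in ind.attributes.items():
            attrs.setdefault(key, set()).add(val)
    return {"event_id": event.event_id, "attributes": attrs,
            "score": max((ind.score for _, ind in hits), default=0)}

# Constructed sample data: a report grouped around one campaign attribute.
def first_of(month):
    return datetime(2024, month, 1, tzinfo=timezone.utc)
IP = Observable("ip", "203.0.113.7")
URL = Observable("url", "http://malicious.example/login")
REPORT = [
    Indicator(IP, 80, {"campaign": "EXAMPLE-CAMPAIGN"}, first_of(1), first_of(3)),
    Indicator(URL, 60, {"campaign": "EXAMPLE-CAMPAIGN", "ttp": "phishing"}, first_of(1), first_of(6)),
]
```

An Event whose timestamp falls outside an Indicator's validity range does not correlate with it, so a stale Indicator contributes neither score nor attributes.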