TruSTAR uses the concept of entities to categorize and manage data types.
Observables are data objects that have a type and a value. For example, types can be IP addresses, URLs, or hashes. Observables do not have context (attributues) or scores.
Events are anomalous behaviors and actions captured by your internal systems. Often events need to be processed and categorized as legitimate or fraudulent. Events contain observables.
Indicators are Observables with a context such as a score, attributes, and a detection validity time range. Indicators can be used to determine fraudulent Events.
- Within an Indicator, Attributes provide malicious categorization and context, such as a ttp, a campaign, a malware family, or a threat actor associated to an indicator object. Attributes provide context as to why an indicator was scored a certain way.
Intelligence reports are data objects that contain a collection of Indicators grouped around an attribute such as a campaign, a malware family, a threat actor, or a ttp.
- Observables/events can be scored and correlated with with Indicators from intelligence reports
- Observables that correlate with Indicators can infer the attributes of that indicator and assume indicator status