Indicator Entities

An Indicator is a test, or a collection of criteria, for identifying the activity or presence of a cyber threat. That threat could be malware, a pattern of activity that precedes an attack or indicates one in progress, or the presence of the tools and other infrastructure used to carry it out.

Indicator Field Summary

Required Indicator Fields

  • type - This must be the string "indicator".
  • valid_time - Must include a start_time datetime string, and may include an optional end_time, which must not be later than "2525-01-01T00:00:00.000Z". Both are ISO 8601 UTC timestamps; see the example below.
  • producer - The name of the party or organization that produced the indicator entity, distinct from the source of the threat intelligence.

Optional Indicator Fields

These are the most important of the many optional fields. A full list of optional fields can be found in the Indicator Schema.

  • confidence - Must be one of ["Info", "Low", "Medium", "High", "None", "Unknown"].
  • severity - Must be one of ["Info", "Low", "Medium", "High", "None", "Unknown"].

Types of Indicators

Broadly speaking, indicators come in two types:

  1. Pattern- or rule-based indicators, such as those executed by an expert system (such as Secure Malware Analytics), a rule engine (such as Snort), or a next-generation firewall.
  2. Observable-based feed and watchlist indicators, such as a feed of known malicious IP addresses, a feed of URLs used for botnet command and control, or a feed of known malicious SSL certificate hashes. These contain lists of observables and are updated periodically. How much stock you place in such a feed depends on the age of its contents, the reputation of its source, and its false positive rate. Unlike pattern- or rule-based indicators, observable-based feeds and watchlists often obscure the precise combination of rules or patterns that led to the inclusion of a given observable in the feed.

Example Indicator

{
    "type":"indicator",
    "source":"Modeling Threat Intelligence in CTIM Tutorial",
    "source_uri":"https://github.com/threatgrid/ctim/blob/master/src/doc/tutorials/modeling-threat-intel-ctim.md",
    "title":"Example Indicator Title",
    "short_description":"Example indicator entity, provided for purposes of illustrating the correct construction of indicators in a CTIM tutorial.",
    "valid_time":{
        "start_time":"2019-02-28T00:00:00.000Z",
        "end_time":"2525-01-01T00:00:00.000Z"
    },
    "confidence":"None",
    "severity":"None",
    "tags":[
        "example"
    ],
    "tlp":"white",
    "producer":"Cisco Systems",
    "external_ids":[
        "ctim-tutorial-indicator-5206f31d14f7b1965dc97c1ec8febfbe45439e8872ff19782f6ac7c49a0ffc68"
    ],
    "id":"transient:ctim-tutorial-indicator-5206f31d14f7b1965dc97c1ec8febfbe45439e8872ff19782f6ac7c49a0ffc68"
}
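The field rules above (required type, valid_time and producer; the end_time ceiling; the fixed confidence and severity vocabularies) are the sort of thing worth checking at the point where indicators enter your pipeline, before a malformed record is stored or shared. The validator below is an added example written for this tutorial, not code from the CTIM project, and it checks only the fields documented on this page rather than the full Indicator Schema. EXAMPLE_INDICATOR is the example entity above; BAD_INDICATOR is a constructed record that omits producer, uses a colon where the "T" belongs in end_time, and uses a confidence value outside the allowed set. All function and constant names are this example's own.

```python
"""Check a CTIM Indicator against the field rules documented above.

Added example for this tutorial, not CTIM project code. Only the fields
described on this page are checked: type, producer, valid_time,
confidence and severity. The real Indicator Schema has more fields.
"""
import re
from datetime import datetime, timezone

# Allowed values for confidence and severity, as listed above.
CONFIDENCE_VALUES = {"Info", "Low", "Medium", "High", "None", "Unknown"}
SEVERITY_VALUES = {"Info", "Low", "Medium", "High", "None", "Unknown"}

# Upper bound on valid_time.end_time, as stated above.
MAX_END_TIME = datetime(2525, 1, 1, tzinfo=timezone.utc)

# Exact shape of the timestamps used on this page: ISO 8601, UTC, 'T'
# separator, optional fractional seconds, trailing 'Z'. A regex is used
# rather than datetime.fromisoformat because fromisoformat accepts any
# single character as the date/time separator, which would let a typo
# such as "2525-01-01:00:00:00.000Z" through.
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")


def parse_timestamp(value):
    """Return an aware UTC datetime, or None if value is not a valid timestamp."""
    if not isinstance(value, str) or not TIMESTAMP_RE.match(value):
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    try:
        return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:  # well-formed but impossible, e.g. month 13
        return None


def validate_indicator(ind):
    """Return a list of problems found; an empty list means the indicator passes."""
    errors = []

    if ind.get("type") != "indicator":
        errors.append('type must be the string "indicator"')

    if not isinstance(ind.get("producer"), str) or not ind["producer"]:
        errors.append("producer is required and must be a non-empty string")

    valid_time = ind.get("valid_time")
    if not isinstance(valid_time, dict):
        errors.append("valid_time is required and must be an object")
    else:
        start = parse_timestamp(valid_time.get("start_time"))
        if start is None:
            errors.append("valid_time.start_time is required and must be an ISO 8601 UTC timestamp")
        if "end_time" in valid_time:
            end = parse_timestamp(valid_time["end_time"])
            if end is None:
                errors.append("valid_time.end_time must be an ISO 8601 UTC timestamp")
            elif end > MAX_END_TIME:
                errors.append("valid_time.end_time must not be later than 2525-01-01T00:00:00.000Z")
            elif start is not None and end < start:
                # Added sanity check not stated on this page: a window that
                # ends before it starts can never match anything.
                errors.append("valid_time.end_time is earlier than start_time")

    for field, allowed in (("confidence", CONFIDENCE_VALUES), ("severity", SEVERITY_VALUES)):
        if field in ind and ind[field] not in allowed:
            errors.append(f"{field} must be one of {sorted(allowed)}")

    return errors


# The example indicator shown above, reduced to the fields this validator reads.
EXAMPLE_INDICATOR = {
    "type": "indicator",
    "source": "Modeling Threat Intelligence in CTIM Tutorial",
    "title": "Example Indicator Title",
    "valid_time": {
        "start_time": "2019-02-28T00:00:00.000Z",
        "end_time": "2525-01-01T00:00:00.000Z",
    },
    "confidence": "None",
    "severity": "None",
    "tlp": "white",
    "producer": "Cisco Systems",
}

# Constructed for this example: three distinct rule violations.
BAD_INDICATOR = {
    "type": "indicator",
    "valid_time": {
        "start_time": "2019-02-28T00:00:00.000Z",
        "end_time": "2525-01-01:00:00:00.000Z",  # ':' where 'T' belongs
    },
    "confidence": "Critical",  # not in the allowed vocabulary
    "severity": "High",
}

if __name__ == "__main__":
    for name, ind in (("example", EXAMPLE_INDICATOR), ("bad", BAD_INDICATOR)):
        print(name, validate_indicator(ind) or "OK")
```

Run as a script it reports "OK" for the page's example and three problems for the constructed one. The regex-first parse is deliberate: a lenient parser would silently accept the mis-punctuated end_time, and a feed consumer downstream might then interpret it differently from the producer.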