Cisco Threat Intel Model (CTIM)

Description

CTIM, the data model of CTIA, is closely based on STIX with a few simplifications:

  • The base Types cannot be documented inside of each other. It's like always having to use an idref. This is because we intend to build a hypermedia threat intel web combining global and local threat intel.

  • It's built on top of a "verdict service", so we simplify Observables into their most commonly observed properties. You no longer have to say, "a file, with the sha256 checksum equal to X"; you would simply say, "a sha256 checksum". We cross index everything on these observables, and distill the indicators down into verdicts that allow a quick lookup to see if an observable is of interest.

  • We flatten some structured data to make it simpler and easier to deal with as JSON, since we are dealing with specific cases in CTIA. We will use default vocabularies whenever they are available.

  • We assume specific string representations for descriptions and such, instead of the more complex structured data which allows the specification of multiple formats. This is to enforce a more secure representation format suitable for embedding in web applications.
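
The sketch below is an added example, not code from CTIA or CTIM. It illustrates the observable simplification and cross-indexing described in the second bullet: a nested "file with a sha256" object is reduced to a flat observable, judgements are indexed on that observable, and a lookup distills them into one verdict. All field names, the sample records and the "highest priority wins" rule are assumptions made for illustration.

```python
from collections import defaultdict

SHA = "ab" * 32  # constructed placeholder, not a real sample hash

# Constructed nested object: "a file, with the sha256 checksum equal to X".
NESTED_FILE = {"object": "file", "name": "invoice.exe",
               "hashes": {"SHA256": SHA.upper()}}

# Constructed judgements keyed on flat observables (field names are assumptions).
JUDGEMENTS = [
    {"observable": {"type": "sha256", "value": SHA},
     "disposition": "Malicious", "priority": 90, "source": "local-sandbox"},
    {"observable": {"type": "sha256", "value": SHA},
     "disposition": "Clean", "priority": 50, "source": "global-feed"},
    {"observable": {"type": "domain", "value": "example.test"},
     "disposition": "Suspicious", "priority": 70, "source": "global-feed"},
]

def flatten(nested):
    """Reduce a nested object to flat (type, value) observables."""
    return [(algo.lower(), digest.lower())
            for algo, digest in nested.get("hashes", {}).items()]

def build_index(judgements):
    """Cross-index every judgement on its observable."""
    index = defaultdict(list)
    for j in judgements:
        obs = j["observable"]
        index[(obs["type"], obs["value"].lower())].append(j)
    return index

def verdict(index, observable):
    """Distill all judgements for one observable into a single answer.
    Assumed rule: the highest-priority judgement wins; None means unknown."""
    hits = index.get(observable)
    if not hits:
        return None
    best = max(hits, key=lambda j: j["priority"])
    return {"observable": observable,
            "disposition": best["disposition"], "source": best["source"]}

if __name__ == "__main__":
    idx = build_index(JUDGEMENTS)
    for obs in flatten(NESTED_FILE) + [("sha256", "00" * 32)]:
        print(obs[0], obs[1][:12], "->", verdict(idx, obs))
```

Normalising the value to lower case before indexing keeps a hash reported in upper case by one source from missing judgements recorded in lower case by another.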

Models

Relationships

Graphs

Examples

Domain Logic