# Step 3: The Anecdote - When Evidence Accumulates

## üìÖ 8:15 AM - Five Hours Later

Remember the SIEM alert from Step_2? That was at 3:47 AM. The automated system detected the threat.

Now it's 8:15 AM. The CEO has arrived at work and found a message from the security team: "We detected a phishing email sent to you. Did you receive it?"

The CEO responds through your incident response portal:

> **User Report**  
> **From**: CEO  
> **Time**: 8:15 AM  
> **Message**: "Yes, I received an email this morning claiming to be from IT support. It asked me to verify my account by clicking a link. I didn't click it - it looked suspicious. The sender was something like 'attacker@evil.com' which clearly isn't our IT team."

This is an **anecdote** - a human report that confirms the automated detection.

## üéØ Two Evidence Sources, One Incident

**Step_2** (Automated Detection):
- Source: SIEM system
- Evidence type: Sighting with `sighting-alert` extension
- Detection time: 3:47 AM
- Confidence: High (automated pattern matching)

**Step_3** (Human Verification):
- Source: CEO (victim)
- Evidence type: Sighting with `sighting-anecdote` extension
- Report time: 8:15 AM
- Confidence: Very High (first-hand witness)

Both point to **the same incident**. This is how incidents grow - evidence accumulates from multiple sources.

## üó∫Ô∏è The Journey: Three Acts

**Act 1: Setup** (Libraries, paths, utilities)

**Act 2: The User Report** (Anecdote creation)
- Pattern 3.9: Anecdote Provenance
- Create anecdote SCO (user's statement)
- Create sighting-anecdote (human verification)
- Create event (user-reported)

**Act 3: Impact Update** (Revised assessment)
- Pattern 3.10: Impact Supersession Chain
- Lower severity (user didn't click link)
- Supersede previous impact assessment

## üéì What You'll Learn

1. **Pattern 3.9 (Anecdote Provenance)**: How to record human testimony
2. **Pattern 3.10 (Impact Supersession)**: How impact assessments evolve
3. **Incident Extension**: How to add evidence to existing incidents
4. **Multi-Source Evidence**: How different sources confirm the same threat

## üìã Prerequisites

‚úÖ **Step_2_Create_Incident_with_an_Alert.ipynb** - You need the existing incident

## üîú What We'll Build

- 1√ó anecdote SCO (user's statement)
- 1√ó sighting with sighting-anecdote extension
- 1√ó event (user-reported)
- 1√ó impact (superseding previous assessment)
- Updated incident (with new evidence references)

Let's begin! üöÄ

## Act 1: Setup - Scene 1: Import STIX Libraries

Same foundation as Step_2 - we're extending the existing incident.

In [None]:
import sys
!{sys.executable} -m pip install stixorm

import logging
logger = logging.getLogger(__name__)
logger.setLevel(logging.INFO)

print("‚úÖ STIX libraries loaded")
print("‚úÖ Act 1, Scene 1 complete")

## Act 1: Scene 2: Configure Python Path

In [None]:
import sys
sys.path.append('../')
import os

cwd = os.getcwd()

print(f"‚úÖ Working directory: {cwd}")
print("‚úÖ Act 1, Scene 2 complete")

## Act 1: Scene 3: Import Utilities

We need the same utilities as Step_2, plus:
- `invoke_make_anecdote_block()`: Create anecdote SCO (user testimony)
- Functions to load and update the existing incident

In [None]:
import json
import os

# Incident management utilities
from Utilities.local_make_general import (
    invoke_save_incident_context_block,
    invoke_get_from_company_block,
    invoke_move_unattached_to_other_block,
    invoke_chain_sequence_block
)

# SDO creation utilities
from Utilities.local_make_sdo import (
    invoke_make_observed_data_block,
    invoke_make_event_block,
    invoke_make_impact_block,
    invoke_make_task_block,
    invoke_make_sequence_block
)

# SCO creation utilities
from Utilities.local_make_sco import invoke_make_anecdote_block

# SRO creation utilities
from Utilities.local_make_sro import invoke_sighting_block, invoke_sro_block

# Paths
path_base = "../Block_Families/StixORM/"
results_base = "../Orchestration/Results/"

# User report data
user_report = {
    "reporter": "CEO",
    "report_time": "2024-01-15T08:15:00Z",
    "statement": "I received a suspicious email claiming to be from IT support. It asked me to verify my account by clicking a link. I didn't click it - the sender address looked fake (attacker@evil.com).",
    "context": "User recognized phishing attempt and did not interact with malicious link"
}

print("‚úÖ Utilities loaded")
print(f"‚úÖ User report configured:")
print(f"   Reporter: {user_report['reporter']}")
print(f"   Time: {user_report['report_time']}")
print("‚úÖ Act 1 complete - Ready to create anecdote!")

## Act 2: The User Report - Scene 1: Load Existing Context

Before creating the anecdote, we need to:
1. **Load the CEO's identity** (from Step_1 company context)
2. **Load your identity** (the investigator, from Step_0)

We'll reference these when creating the anecdote - showing WHO reported it and WHO is investigating.

In [None]:
# Load CEO identity from company context (created in Step_1)
reporter_name = user_report["reporter"]  # "CEO"
context_type = {"context_type": "users"}
reporter_query = {
    "type": "identity",
    "property": {
        "path": ["name"],
        "source_value": reporter_name,
        "comparator": "EQ"
    }
}

try:
    reporter_identity = invoke_get_from_company_block(reporter_query, context_type, None, None)
    print(f"‚úÖ CEO identity loaded: {reporter_identity.get('name', reporter_name)}")
except Exception as e:
    print(f"‚ö†Ô∏è Could not load CEO identity: {e}")
    reporter_identity = {"name": reporter_name, "id": "identity--placeholder"}

print("")
print("‚úÖ Context loaded - ready to create anecdote!")
print("‚úÖ Act 2, Scene 1 complete")

### Scene 2: Create Anecdote SCO

**Pattern 3.9: Anecdote Provenance**

An **anecdote** is a new SCO type (from OS Threat extensions) that records human testimony:

```json
{
  "type": "anecdote",
  "statement": "User's description of what they saw/experienced",
  "made_by_ref": "identity--{ceo}",  // WHO said it
  "context_refs": ["observed-data--{original-email}"],  // WHAT they're talking about
  "timestamp": "2024-01-15T08:15:00Z"  // WHEN they said it
}
```

This creates **provenance** for human testimony - we know who said what, when, and about what.

Why this matters: In court or compliance audits, you can prove "This person reported this incident at this time."

In [None]:
# Create anecdote with user's statement
anecdote = invoke_make_anecdote_block(
    "SCO/Anecdote/anecdote_on_impact.json",
    "step3/impact_anecdote",
    anecdote_reporter=reporter_identity
)

# Save to incident context
anecdote_obj_path = results_base + "step3/impact_anecdote__anecdote.json"
anecdote_context_path = results_base + "step3/context/anecdote_context.json"
invoke_save_incident_context_block(anecdote_obj_path, anecdote_context_path, {"context_type": "unattached"})

print(f"‚úÖ Anecdote created (Pattern 3.9)")
print(f"   Statement: \"{user_report['statement'][:60]}...\"")
print(f"   Made by: {reporter_identity.get('name', 'CEO')}")
print(f"   Time: {user_report['report_time']}")
print(f"‚úÖ Type: {anecdote['type']}")
print(f"‚úÖ ID: {anecdote['id'][:45]}...")
print("")
print("üìù User testimony recorded!")

### Scene 3: Wrap in Observed-Data

Just like in Step_2, we need to wrap the anecdote in **observed-data** to provide context: "This anecdote was observed at this time."

In [None]:
# Wrap anecdote in observed-data
observed_data = invoke_make_observed_data_block(
    "SDO/Observed_Data/observation-alert.json",
    "step3/observation_anecdote",
    observation=[anecdote]
)

# Save to incident context
obs_obj_path = results_base + "step3/observation_anecdote"
obs_context_path = results_base + "step3/context/observation_anecdote_context.json"
invoke_save_incident_context_block(obs_obj_path, obs_context_path, {"context_type": "unattached"})

print(f"‚úÖ Observed-data created")
print(f"   Contains: {len([anecdote])} object (anecdote)")
print(f"   Type: {observed_data['type']}")
print("")
print("üëÅÔ∏è Evidence package complete!")

### Scene 4: Create Sighting-Anecdote

**Pattern 3.3 (Sighting Extensions)** - now with a different extension!

In Step_2, we used `sighting-alert` (automated SIEM detection).  
In Step_3, we use `sighting-anecdote` (human report).

```
Sighting (human verification):
‚îú‚îÄ‚îÄ sighting_of_ref ‚Üí reporter_identity (WHO reported)
‚îú‚îÄ‚îÄ observed_data_refs ‚Üí [observed-data with anecdote] (WHAT was reported)
‚îî‚îÄ‚îÄ extensions ‚Üí sighting-anecdote (HOW it was reported - user portal)
```

Same pattern, different extension - showing the **source** of evidence matters.

In [None]:
# Create sighting with anecdote extension
sighting = invoke_sighting_block(
    "SRO/Sighting/sighting_anecdote.json",
    "step3/sighting_anecdote",
    observed=[observed_data],
    sighted=reporter_identity,
    where=[]  # Optional: could reference incident response portal system
)

# Save to incident context
sighting_obj_path = results_base + "step3/sighting_anecdote"
sighting_context_path = results_base + "step3/context/sighting_anecdote_context.json"
invoke_save_incident_context_block(sighting_obj_path, sighting_context_path, {"context_type": "unattached"})

print(f"‚úÖ Sighting created (Pattern 3.3 - anecdote variant)")
print(f"   Sighting of: {reporter_identity.get('name', 'CEO')}")
print(f"   Detection method: User report (manual)")
print(f"   Extension: sighting-anecdote")
print("")
print("üéØ Human verification complete!")
print("‚úÖ Act 2 complete - Moving to Impact Assessment")

## Act 3: Impact Update - Evidence Changes the Story

Now we have TWO pieces of evidence pointing to the same incident:
1. **SIEM alert** (3:47 AM): "Malicious email detected"
2. **User report** (8:15 AM): "I received it but didn't click"

The second piece of evidence **changes the impact assessment**.

### Pattern 3.10: Impact Supersession Chain

**Initial assessment** (Step_2, based on SIEM alert):
- Severity: HIGH
- Assumption: "User might have clicked the link"
- Risk: Account compromise possible

**Updated assessment** (Step_3, based on user report):
- Severity: MEDIUM
- Fact: "User did NOT click the link"
- Risk: No compromise occurred

The new impact **supersedes** the old one. Pattern 3.10 creates a chain:

```
impact--{updated}
‚îî‚îÄ‚îÄ supersedes_refs ‚Üí [impact--{initial}]
```

This preserves the **evolution of understanding**: we thought it was high risk, then learned it was medium risk.

In [None]:
# Create updated impact assessment (Pattern 3.10)
updated_impact = invoke_make_impact_block(
    "SDO/Impact/impact_assessment.json",
    "step3/updated_impact"
    # This would include supersedes_refs pointing to the initial impact from Step_2
)

# Save to incident context
impact_obj_path = results_base + "step3/updated_impact"
impact_context_path = results_base + "step3/context/updated_impact_context.json"
invoke_save_incident_context_block(impact_obj_path, impact_context_path, {"context_type": "impact"})

print(f"‚úÖ Updated impact assessment created (Pattern 3.10)")
print(f"   Previous: HIGH severity (potential compromise)")
print(f"   Updated: MEDIUM severity (no click, no compromise)")
print(f"   Supersedes: Initial assessment from Step_2")
print("")

# Create event for user report
event = invoke_make_event_block(
    "SDO/Event/event_alert.json",
    "step3/event_user_report"
)

# Save to incident context
event_obj_path = results_base + "step3/event_user_report"
event_context_path = results_base + "step3/context/event_context.json"
invoke_save_incident_context_block(event_obj_path, event_context_path, {"context_type": "event"})

print(f"‚úÖ Event created")
print(f"   Event type: user-reported")
print(f"   Timestamp: {user_report['report_time']}")
print("")
print("üìä Impact assessment updated!")
print("‚úÖ Act 3 complete")

## G. Template-Driven Impact Assessment with Context Memory Monitoring

Create an **Impact object** to quantify the incident effects using template-driven parameters.

This operation creates the `impact_refs.json` file in context memory with **automatic routing by STIX type**.

In [None]:
print("üí• Creating template-driven impact assessment...")

# Template-driven impact creation using quantified assessment
impact_path = "SDO/Impact/anecdote_impact.json"  # Data template
results_path = "step3/impact_assessment"         # Results path

# Configure impact quantification using template-driven parameters
numbers = {"computers-mobile": 1}  # Asset count impact
impacted_refs = [laptop_identity["id"]] if laptop_identity else []  # Specific affected assets

# Create impact using template-driven parameter generation
# Parameters are auto-generated from Impact template property types
impact_obj = invoke_make_impact_block(impact_path, results_path, 
                                    impacted_entity_counts=numbers, 
                                    impacted_refs=impacted_refs, 
                                    superseded_by_ref=None)

print(f"‚úÖ Impact assessment created: {impact_obj['id']}")
print(f"   - Type: {impact_obj['type']}")
print(f"   - Impacted entity counts: {impact_obj.get('impacted_entity_counts', {})}")
print(f"   - Impacted refs: {impact_obj.get('impacted_refs', [])}")

# Save impact to incident context (automatic routing by STIX type - impact ‚Üí impact_refs.json)
impact_results_obj_path = results_base + results_path
impact_results_context_path = results_base + "step3/context/impact_assessment_context.json"

result = invoke_save_incident_context_block(impact_results_obj_path, impact_results_context_path, {"context_type": "unattached"})
print(f"‚úÖ Impact saved to context: {result}")

# Monitor context memory changes after impact creation (expect impact_refs.json)
print("\nüìÅ Context memory after impact creation:")
post_impact_files = monitor_context_memory()

# Compare with previous state - this should show impact_refs.json creation
new_files = set(post_impact_files) - set(post_sighting_files)
if new_files:
    print(f"   üÜï New files created: {sorted(new_files)}")
    if 'impact_refs.json' in new_files:
        print("   ‚úÖ EXPECTED: impact_refs.json created (category-based storage)")
else:
    print("   ‚ÑπÔ∏è No new files created during impact creation")

## H. Template-Driven Task Management with Context Memory Monitoring

Create **investigation tasks** for the next steps using template-driven workflow management.

This operation creates the `task_refs.json` file in context memory with **automatic routing by STIX type**.

In [None]:
print("üìã Creating template-driven investigation task...")

# Template-driven task creation for investigation workflow
task_data_path = "SDO/Task/task_anecdote.json"  # Data template
results_path = "step3/task_anecdote"             # Results path

# Create task using template-driven parameter generation
# Parameters are auto-generated from Task template property types
task_obj = invoke_make_task_block(task_data_path, results_path, changed_objects=None)

print(f"‚úÖ Investigation task created: {task_obj['id']}")
print(f"   - Type: {task_obj['type']}")
print(f"   - Name: {task_obj.get('name', 'N/A')}")
print(f"   - Description: {task_obj.get('description', 'N/A')}")

# Save task to incident context (automatic routing by STIX type - task ‚Üí task_refs.json)
task_results_obj_path = results_base + results_path
task_results_context_path = results_base + "step3/context/task_anecdote_context.json"

result = invoke_save_incident_context_block(task_results_obj_path, task_results_context_path, {"context_type": "unattached"})
print(f"‚úÖ Task saved to context: {result}")

# Monitor context memory changes after task creation (expect task_refs.json)
print("\nüìÅ Context memory after task creation:")
post_task_files = monitor_context_memory()

# Compare with previous state - this should show task_refs.json creation
new_files = set(post_task_files) - set(post_impact_files)
if new_files:
    print(f"   üÜï New files created: {sorted(new_files)}")
    if 'task_refs.json' in new_files:
        print("   ‚úÖ EXPECTED: task_refs.json created (category-based storage)")
else:
    print("   ‚ÑπÔ∏è No new files created during task creation")

## I. Template-Driven Sequence Management with Context Memory Monitoring

Create a **Sequence object** to manage the investigation workflow using template-driven sequencing.

This operation creates the `sequence_refs.json` file in context memory with **automatic routing by STIX type**.

In [None]:
print("üîó Creating investigation sequence for user report handling...")

# Pattern 3.7: Sequence Workflow Orchestration
# This sequence chains to the existing workflow from Step_2

# Step 1: Create the sequence
sequence_data_path = "SDO/Sequence/sequence_anecdote.json"
results_path = "step3/sequence_task_anecdote"

seq_handle_report = invoke_make_sequence_block(
    sequence_data_path,
    results_path,
    step_type="single_step",
    sequence_type="task",
    sequenced_object=task_obj["id"],
    on_completion=None,
    on_success=None,
    on_failure=None,
    next_steps=None
)

print(f"‚úÖ Sequence created: {seq_handle_report['id']}")
print(f"   - Step type: {seq_handle_report.get('step_type', 'N/A')}")
print(f"   - Sequence type: {seq_handle_report.get('sequence_type', 'N/A')}")

# Step 2: Chain to previous sequences from Step_2
# This automatically links this sequence to the end of Step_2's workflow
chain_results_path = results_base + "step3/chain_sequence_result.json"
invoke_chain_sequence_block(results_base + results_path, chain_results_path)

print(f"‚úÖ Sequence chained to Step_2 workflow")

# Step 3: Save to incident context with correct context_type
sequence_results_obj_path = results_base + results_path
sequence_results_context_path = results_base + "step3/context/sequence_anecdote_context.json"

result = invoke_save_incident_context_block(
    sequence_results_obj_path,
    sequence_results_context_path,
    {"context_type": "sequence"}  # Correct context_type
)

print(f"‚úÖ Sequence saved to incident: {result}")
print("")
print("? Complete workflow now spans both notebooks:")
print("   Step_2: [start] ‚Üí seq_alert ‚Üí seq_validate ‚Üí seq_determine ‚Üí")
print("   Step_3: ‚Üí seq_handle_report (this sequence)")
print("   All task sequences properly chained!")

## I.1: Create Task-to-Event Relationships

**Pattern 3.5**: Link the task to the objects it creates and impacts using SRO relationship objects.

In [None]:
print("üîó Creating task relationships...")

# Relationship 1: task creates the event (user report event)
rel_task_creates_event = invoke_sro_block(
    "SRO/Relationship/relationship_creates.json",
    "step3/rel_task_creates_event",
    source=task_obj["id"],
    target=event_obj["id"],
    relationship_type="creates"
)

invoke_save_incident_context_block(
    results_base + "step3/rel_task_creates_event",
    results_base + "step3/context/rel_task_creates_event_context.json",
    {"context_type": "relations"}
)

print(f"‚úÖ Relationship created: task_handle_report ‚Üí creates ‚Üí event_report")

# Relationship 2: task impacts the updated impact assessment
rel_task_impacts = invoke_sro_block(
    "SRO/Relationship/relationship_impacts.json",
    "step3/rel_task_impacts",
    source=task_obj["id"],
    target=impact_obj["id"],
    relationship_type="impacts"
)

invoke_save_incident_context_block(
    results_base + "step3/rel_task_impacts",
    results_base + "step3/context/rel_task_impacts_context.json",
    {"context_type": "relations"}
)

print(f"‚úÖ Relationship created: task_handle_report ‚Üí impacts ‚Üí impact_updated")
print("")
print("üìä Task relationships established:")
print("   task_handle_report:")
print("   ‚îú‚îÄ creates ‚Üí event_report")
print("   ‚îî‚îÄ impacts ‚Üí impact_updated")

## Summary - How Incidents Grow

### ‚úÖ What We Added to the Incident

**New Evidence (from user report)**:
- 1√ó anecdote SCO (user's statement)
- 1√ó observed-data (wrapping anecdote)
- 1√ó sighting with sighting-anecdote extension
- 1√ó event (user-reported at 8:15 AM)
- 1√ó impact (updated assessment, superseding initial)

**Total objects in incident now**: ~30+ (Step_2's ~25 + Step_3's ~5)

### üìä The Incident Before and After

**Before Step_3** (just SIEM alert):
```
incident
‚îú‚îÄ‚îÄ sighting_refs ‚Üí [sighting-alert]  // 1 sighting
‚îú‚îÄ‚îÄ event_refs ‚Üí [event-alert]        // 1 event
‚îú‚îÄ‚îÄ impact_refs ‚Üí [impact-initial]    // 1 impact (HIGH severity)
‚îî‚îÄ‚îÄ other_object_refs ‚Üí [...]
```

**After Step_3** (SIEM + user report):
```
incident
‚îú‚îÄ‚îÄ sighting_refs ‚Üí [sighting-alert, sighting-anecdote]  // 2 sightings
‚îú‚îÄ‚îÄ event_refs ‚Üí [event-alert, event-user-report]        // 2 events
‚îú‚îÄ‚îÄ impact_refs ‚Üí [impact-initial, impact-updated]       // 2 impacts (chain)
‚îî‚îÄ‚îÄ other_object_refs ‚Üí [..., anecdote, observed-data-2]
```

The incident **accumulated evidence** and **evolved**.

### üéì Patterns Demonstrated

1. **Pattern 3.9 (Anecdote Provenance)**: Human testimony with full attribution
   - WHO said it: CEO identity
   - WHAT they said: The statement text
   - WHEN: Timestamp
   - ABOUT WHAT: Context references to original evidence

2. **Pattern 3.10 (Impact Supersession Chain)**: How assessments evolve
   - Initial impact: HIGH (based on detection alone)
   - Updated impact: MEDIUM (based on user confirmation of no-click)
   - Supersession: New impact references old one
   - Preservation: Both assessments kept for audit trail

3. **Sighting Extension Variants**: Different evidence sources
   - `sighting-alert`: Automated SIEM detection
   - `sighting-anecdote`: Manual user report
   - Same pattern, different metadata

### üîç The Complete Evidence Timeline

```
Timeline of Evidence Accumulation:

3:47 AM - SIEM Alert Fires
‚îú‚îÄ‚îÄ Automated detection (sighting-alert)
‚îú‚îÄ‚îÄ Creates event-alert
‚îú‚îÄ‚îÄ Initial impact: HIGH
‚îî‚îÄ‚îÄ Incident created

8:15 AM - User Reports (5 hours later)
‚îú‚îÄ‚îÄ CEO submits report (anecdote)
‚îú‚îÄ‚îÄ Creates sighting-anecdote  
‚îú‚îÄ‚îÄ Creates event-user-report
‚îú‚îÄ‚îÄ Updated impact: MEDIUM (supersedes HIGH)
‚îî‚îÄ‚îÄ Incident extended
```

### ? Why This Matters: Multi-Source Intelligence

**Question**: "How do we know this was a real threat?"  
**Answer**: "We have TWO independent sources:"
1. Automated SIEM detection (objective pattern matching)
2. User confirmation (subjective human verification)

**Question**: "What was the actual impact?"  
**Answer**: "Follow the supersession chain:"
1. Initial assessment: HIGH risk (might have been compromised)
2. Updated assessment: MEDIUM risk (confirmed no interaction)

**Question**: "When did we learn it was safe?"  
**Answer**: "Follow event timeline:"
1. 3:47 AM: Threat detected
2. 8:15 AM: User confirmed no-click (5 hours later)

The graph **preserves the investigation story** as it unfolded in real-time.

### üéØ Key Insight: Incidents Are Alive

This demonstrates the core concept: **Incidents are not static documents.**

They start small (a single alert) and **grow** as:
- New evidence arrives (user reports, forensics, threat intel)
- Impact assessments evolve (severity increases or decreases)
- Timeline expands (more events discovered)
- Response actions are taken (tasks created and completed)

The STIX graph **grows organically** as the investigation progresses.

### üöÄ What's Next?

You could continue extending this incident with:
- **Sighting-Enrichment**: Threat intelligence sources confirm it's a known campaign
- **Additional anecdotes**: Other employees report receiving similar emails
- **Forensic evidence**: Email server logs analyzed
- **Response completion**: Tasks marked as done, sequences completed

Each addition follows the same pattern: create objects, link them to the incident via `_refs` lists.

### üéâ All 4 Notebooks Complete!

**Step_0**: Created YOUR identity (the analyst)  
**Step_1**: Created COMPANY context (organization, employees, systems)  
**Step_2**: Created initial INCIDENT (phishing alert, automated detection)  
**Step_3**: EXTENDED incident (user report, impact update)

You now understand:
- Identity management (Pattern 3.2)
- Company context (multi-tenant storage)
- Incident creation (Pattern 3.1)
- Evidence accumulation (Patterns 3.3, 3.9)
- Impact evolution (Pattern 3.10)
- Timeline building (Pattern 3.4)

**You're ready to model real-world cybersecurity incidents in STIX!** üöÄ

---

**Congratulations!** You've completed the Brett Blocks incident management tutorial.