Good point! Currently, Intelligence Requirements identification is outside a Kestrel huntbook: only when the IR is identified and connected can one run a huntbook. It is an interesting idea to put IRs into levels and let the huntbook execution adapt to the case when not all IRs are available. In my opinion, we do not need any PIR/CIR tag in STIX data; the tags should be associated with data sources, not with data retrieved from the data sources. Once the data is retrieved, it makes less sense to know whether it came from a PIR or a CIR. Some thoughts:
Cyber threat hunting is an evolving practice, growing more mature as more people with different skill sets contribute to the state of the art. One of the practices that has been adopted by critical infrastructure cyber threat hunters is the process of establishing Priority Intelligence Requirements (PIRs) [along with the operational Critical Intelligence Requirements (CIRs) and the tactical Specific Intelligence Requirements (SIRs)] as part of a hunting process. My question is this: Is it possible to tie a PIR / CIR / SIR process to Hunt Books as they are currently conceived? If so, what kinds of data objects would we need to develop to capture the PIR / CIR / SIR in a STIX 2.1 data format?
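The following is an added illustration, not Kestrel project code and not something either participant posted. It sketches one way to act on the two ideas in the thread: the question's ask for STIX 2.1 data objects that capture a PIR / CIR / SIR hierarchy, and the reply's suggestion that IR levels be tagged on data sources (not on retrieved data) so that a huntbook can adapt when not every IR can be served. The custom object type `x-intelligence-requirement`, the properties `x_level` and `x_parent_ref`, the data source names and the sample requirements are all assumptions made for this example; STIX 2.1 only supplies the convention that custom object types carry an `x-` prefix and custom properties an `x_` prefix.

```python
"""Added illustration (not Kestrel code): PIR/CIR/SIR as STIX 2.1 style
custom objects, IR tags placed on data sources, and huntbook steps
filtered by which requirements the available data sources can serve."""
import uuid
from datetime import datetime, timezone

# Hypothetical custom STIX 2.1 object type. The "x-" prefix follows the
# STIX 2.1 convention for custom objects; the rest of the name is assumed.
IR_TYPE = "x-intelligence-requirement"
LEVELS = ("PIR", "CIR", "SIR")  # strategic, operational, tactical


def make_ir(level, description, parent_ref=None):
    """Build one intelligence requirement as a STIX 2.1 style custom object.

    parent_ref links a CIR to its PIR or a SIR to its CIR, using an embedded
    *_ref property in the way STIX objects reference each other.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown IR level: {level}")
    now = datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"
    obj = {
        "type": IR_TYPE,
        "spec_version": "2.1",
        "id": f"{IR_TYPE}--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "x_level": level,            # assumed custom property: PIR / CIR / SIR
        "description": description,
    }
    if parent_ref is not None:
        obj["x_parent_ref"] = parent_ref  # assumed custom property
    return obj


def build_sample_requirements():
    """Constructed sample hierarchy: one PIR, two CIRs, three SIRs."""
    pir = make_ir("PIR", "Is an adversary establishing persistence in the OT network?")
    cir_a = make_ir("CIR", "Are scheduled tasks being created by unusual parents?", pir["id"])
    cir_b = make_ir("CIR", "Are engineering workstations beaconing outbound?", pir["id"])
    sir_a1 = make_ir("SIR", "Processes creating scheduled tasks in the last 7 days", cir_a["id"])
    sir_b1 = make_ir("SIR", "Periodic outbound TCP from engineering hosts", cir_b["id"])
    sir_b2 = make_ir("SIR", "DNS queries for newly registered domains", cir_b["id"])
    return [pir, cir_a, cir_b, sir_a1, sir_b1, sir_b2]


def tag_data_sources(irs):
    """Tags live on data sources, not on retrieved data.

    Each (constructed) data source name maps to the set of SIR ids it can
    answer. Retrieved records carry no PIR/CIR/SIR marking at all.
    """
    sir = {ir["description"]: ir["id"] for ir in irs if ir["x_level"] == "SIR"}
    return {
        "edr": {sir["Processes creating scheduled tasks in the last 7 days"]},
        "netflow": {sir["Periodic outbound TCP from engineering hosts"]},
        "dns": {sir["DNS queries for newly registered domains"]},
    }


def satisfied_requirements(irs, source_tags, available_sources):
    """Return the set of IR ids that can be pursued with the available data.

    A SIR is answerable if at least one available data source is tagged with
    it; a CIR if any of its SIRs is answerable; a PIR if any of its CIRs is.
    """
    answerable = set()
    for name in available_sources:
        answerable |= source_tags.get(name, set())
    by_id = {ir["id"]: ir for ir in irs}
    # Propagate upward: SIR -> CIR first, then CIR -> PIR.
    for level in ("SIR", "CIR"):
        for ir in irs:
            if ir["x_level"] == level and ir["id"] in answerable:
                parent = ir.get("x_parent_ref")
                if parent in by_id:
                    answerable.add(parent)
    return answerable


def runnable_steps(huntbook, answerable):
    """huntbook: list of (step_name, sir_id). Keep steps whose SIR is answerable,
    so a hunt degrades gracefully instead of failing on a missing data source."""
    return [step for step, sir_id in huntbook if sir_id in answerable]


if __name__ == "__main__":
    irs = build_sample_requirements()
    tags = tag_data_sources(irs)
    sirs = [ir for ir in irs if ir["x_level"] == "SIR"]
    huntbook = [("hunt_schtasks", sirs[0]["id"]),
                ("hunt_beacons", sirs[1]["id"]),
                ("hunt_nrd_dns", sirs[2]["id"])]
    answerable = satisfied_requirements(irs, tags, {"netflow", "dns"})
    print("steps to run without EDR data:", runnable_steps(huntbook, answerable))
```

With only `netflow` and `dns` available, the SIR on scheduled tasks and its parent CIR drop out, while the PIR stays in scope because the beaconing CIR can still be pursued; the huntbook runs only the steps backed by an available source.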