This chapter lists standards such as STIX, TAXII and IODEF and describes their role in supporting effective DFIR/Response operations. It gives a short overview of each and points to more extensive resources.
Atomic Network Indicators
The CTI-SIG is proposing the use of the following field names for the atomic network indicators:
- feed_name: name of the provider
- ip_as_name: the autonomous system name from which the indicator originated
- ip_asn: the autonomous system number from which the indicator originated
- type: the original atomic indicator data type (url, fqdn, ip):
  - url: url (if reported by the source)
  - domain: fqdn (if reported by the source)
  - ip: ip
- geolocation_cc: country code denoted for the ip
- network: BGP prefix
- first_seen: first time the feed distributed the atomic indicator
- last_seen: last time the feed distributed the atomic indicator
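As an added example (not code from the CTI-SIG proposal or any of its tooling), a validator for one record that uses the field names above; the value rules it enforces (ISO 8601 timestamps, a 32-bit ASN, a two-letter country code, a CIDR prefix, the ip falling inside the network) and the sample record are assumptions of this example, not part of the proposal.

```python
import ipaddress
import re
from datetime import datetime
# Field names are the CTI-SIG proposal above; the value rules (ISO 8601 times,
# 32-bit ASN, ISO 3166 alpha-2 code, CIDR prefix) are assumptions of this example.
REQUIRED = ("feed_name", "type", "first_seen", "last_seen")
VALUE_FIELD = {"url": "url", "domain": "domain", "ip": "ip"}
FQDN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def validate_indicator(rec: dict) -> list[str]:
    # Returns the problems found; an empty list means the record is well-formed.
    errors = [f"missing {f}" for f in REQUIRED if f not in rec]
    if errors or rec["type"] not in VALUE_FIELD:
        return errors or [f"unknown type {rec['type']!r}"]
    kind, addr, net = rec["type"], None, None
    value = rec.get(VALUE_FIELD[kind])
    if value is None:
        errors.append(f"type {kind} requires field {VALUE_FIELD[kind]}")
    elif kind == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            errors.append(f"bad ip {value!r}")
    elif kind == "domain" and not FQDN_RE.match(value):
        errors.append(f"bad fqdn {value!r}")
    elif kind == "url" and not re.match(r"^https?://\S+$", value):
        errors.append(f"bad url {value!r}")
    if "network" in rec:
        try:  # strict=True rejects prefixes with host bits set, e.g. 192.0.2.1/24
            net = ipaddress.ip_network(rec["network"], strict=True)
        except ValueError:
            errors.append(f"bad network prefix {rec['network']!r}")
    if addr is not None and net is not None and addr not in net:
        errors.append(f"ip {value} not inside network {net}")
    if "ip_asn" in rec and not (isinstance(rec["ip_asn"], int) and 0 <= rec["ip_asn"] < 2**32):
        errors.append("ip_asn must be a 32-bit integer")
    if "geolocation_cc" in rec and not re.fullmatch(r"[A-Z]{2}", str(rec["geolocation_cc"])):
        errors.append("geolocation_cc must be a two-letter country code")
    try:
        if datetime.fromisoformat(rec["last_seen"]) < datetime.fromisoformat(rec["first_seen"]):
            errors.append("last_seen precedes first_seen")
    except (TypeError, ValueError):
        errors.append("first_seen/last_seen must be ISO 8601 timestamps")
    return errors

# Constructed sample record using documentation ranges (RFC 5737 / RFC 5398), not real data.
SAMPLE = {"feed_name": "example-feed", "ip_as_name": "EXAMPLE-AS", "ip_asn": 64496,
          "type": "ip", "ip": "192.0.2.10", "geolocation_cc": "US", "network": "192.0.2.0/24",
          "first_seen": "2024-01-05T10:00:00+00:00", "last_seen": "2024-01-07T12:30:00+00:00"}
```

Run the validator on every record before it enters a shared feed; the cross-field checks (type against value field, ip against network, first_seen against last_seen) catch the inconsistencies that simple per-field typing misses.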