Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.
| Table | Description |
| --- | --- |
| Associated Indicator Type [sn_ti_m2m_indicator_indicator_type] | Used for many-to-many association between indicators and indicator types, because an indicator can be associated with multiple types. |
| Attack mechanism [sn_ti_attack_mechanism] | Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. |
| Attack mode/method [sn_ti_attack_mode] | Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail. |
| Discovery method [sn_ti_discovery_method] | An expression of how an incident was discovered. |
| Feed [sn_ti_feed] | Used for configuring the Threat Feed (RSS) in the Threat Overview. |
| Indicator Attack mode/method [sn_ti_m2m_indicator_attack_mode] | Used to map attack modes/methods to indicators. |
| Indicator of Compromise [sn_ti_indicator] | Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. |
| Indicator Source [sn_ti_m2m_indicator_source] | Used to collect all of the sources reporting the specific indicator. |
| Indicator Type [sn_ti_indicator_type] | Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc. |
| Intended effect [sn_ti_intended_effect] | Used for expressing the intended effect of a threat actor. |
| IP Scan Result [sn_ti_ip_result] | Used to show the results of an IP scan. |
| Malware Type [sn_ti_malware_type] | Used for expressing the types of malware instances. |
| Observable [sn_ti_observable] | Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks. |
| Observable Indicator [sn_ti_m2m_observable_indicator] | Used to relate observables to indicators. |
| Observable Source [sn_ti_observable_source] | Used to relate observables to threat sources. |
| Observable Type [sn_ti_observable_type] | Lists the various types of observables, such as IP addresses. |
| Related attack mode/method [sn_ti_m2m_attack_mode_attack_mode] | Used to relate attack modes to each other. |
| Related Observables [sn_ti_m2m_observables] | Used to relate observables to each other. |
| Rate limit [sn_ti_rate_limit] | Defines a rate limit to be used on a scanner. |
| Scan [sn_ti_scan] | A threat scan. Contains what to scan, with what scanner, and a summary of the scan results. |
| Scan Result [sn_ti_scan_result] | Displays the result of a scan. |
| Scan type [sn_ti_scan_type] | The definition of a scan type, with initial records for File, URL, and IP. |
| Scanner rate limit [sn_ti_scanner_rate_limit] | Associates a scanner with a rate limit. |
| Supported Observable Types [sn_ti_m2m_ind_type_obs_type] | Relates indicator types to valid observable types. |
| Supported scan type [sn_ti_supported_scan_type] | Maps the scan type to a scanner/vendor-specific implementation. Indicates that a specific scanner supports the type. |
| Task Attack mode/method [sn_ti_m2m_task_attack_mode] | Relates attack modes to tasks. |
| Task Indicator [sn_ti_m2m_task_indicator] | Relates indicators to tasks. |
| Task Observable [sn_ti_m2m_task_observable] | Relates observables to tasks. |
| TAXII Collection [sn_ti_taxii_collection] | Defines a cyber-risk intelligence feed that can be imported by a TAXII server. |
| TAXII Profile [sn_ti_taxii_profile] | Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections. |
| Threat Actor type [sn_ti_threat_actor_type] | Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. |
| Threat Intelligence Source [sn_ti_source] | Defines a source for importing threat data. |
| Threat Scan Queue Entry [sn_ti_scan_q_entry] | A scan record queued for scanning or processing. Facilitates the requests within stated rate limits. |
| Threat Scanner [sn_ti_scanner] | Defines third-party scanners to use in scans. |