Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.
| Table | Description |
| --- | --- |
| Associated Indicator Type | Used for many-to-many association between indicators and indicator types, as an indicator can be associated with multiple types. |
| Attack mechanism | Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. |
| Attack mode/method | Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail. |
| Discovery method | An expression of how an incident was discovered. |
| | Used for configuring the Threat Feed (RSS) in the Threat Overview. |
| Indicator Attack mode/method | Used to map attack modes/methods to indicators. |
| Indicator of Compromise | Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. |
| Indicator Source | Used to collect all of the sources reporting the specific indicator. |
| Indicator Type | Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it should be acted on, etc. |
| Intended effect | Used for expressing the intended effect of a threat actor. |
| IP Scan Result | Used to show the results of an IP scan. |
| Malware Type | Used for expressing the types of malware instances. |
| | Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks. |
| Observable Indicator | Used to relate observables to indicators. |
| Observable Source | Used to relate observables to threat sources. |
| Observable Type | Lists the various types of observables, such as IP addresses. |
| Related attack mode/method | Used to relate attack modes to each other. |
| Related Observables | Used to relate observables to each other. |
| Rate limit | Defines a rate limit to be used on a scanner. |
| | A threat scan. Contains what to scan, with what scanner, and a summary of the scan results. |
| Scan Result | Displays the result of a scan. |
| Scan type | The definition of a scan type, with initial records for File, URL, and IP. |
| Scanner rate limit | Associates a scanner with a rate limit. |
| Supported Observable Types | Relates indicator types to valid observable types. |
| Supported scan type | Maps the scan type to a scanner/vendor-specific implementation. Indicates that a specific scanner supports the type. |
| Task Attack mode/method | Relates attack modes to tasks. |
| Task Indicator | Relates indicators to tasks. |
| Task Observable | Relates observables to tasks. |
| TAXII Collection | Defines a cyber-risk intelligence feed that can be imported by a TAXII server. |
| TAXII Profile | Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections. |
| Threat Actor type | Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. |
| Threat Intelligence Source | Defines a source for importing threat data. |
| Threat Scan Queue Entry | A scan record queued for scanning or processing. Facilitates the requests within stated rate limits. |
| Threat Scanner | Defines third-party scanners to use in scans. |