Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.

| Table | Description |
| --- | --- |
| Attack mechanism | Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system. |
| Attack mode/method | Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail. |
| Discovery method | An expression of how an incident was discovered. |
| | Used for configuring the Threat Feed (RSS) in the Threat Overview. |
| Indicator Attack mode/method | Used to map attack modes/methods to indicators. |
| Indicator of Compromise | Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. |
| Indicator of Compromise Metadata | |
| Indicator Source | Used to collect all the sources reporting the specific indicator. |
| Indicator Type | Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on. |
| Associated Indicator Type | Links indicators with their applicable types. |
| Intended effect | Used for expressing the intended effect of a threat actor. |
| IP Scan Result | Used to show the results of an IP lookup. |
| Malware Rate limit | Defines a rate limit to be used on a lookup source. |
| Malware Scan | A lookup. Contains what to look up, with what lookup source, and a summary of the lookup results. |
| Malware Scanner | Defines third-party lookup sources to use in performing lookups. |
| Malware Scanner Rate Limit | Associates a lookup source with a rate limit. |
| Malware Scan Queue Entry | A lookup record queued for lookup or processing. Facilitates the requests within stated rate limits. |
| Malware Scan Result | Displays the result of a lookup. |
| Malware Type | Used for expressing the types of malware instances. |
| | Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks. |
| Observable Indicator | Used to relate observables to indicators. |
| Observable Source | Used to relate observables to threat sources. |
| Observable Type | Lists the various types of observables, such as IP addresses. |
| Related attack mode/method | Used to relate attack modes to each other. |
| Related Observables | Used to relate observables to each other. |
| Scan type | The definition of a lookup type, with initial records for File, URL, and IP. |
| Supported Observable Types | Relates indicator types to valid observable types. |
| Supported Scan Type | Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type. |
| Task Attack mode/method | Relates attack modes to tasks. |
| Task Indicator | Relates indicators to tasks. |
| Task Observable | Relates observables to tasks. |
| TAXII Collection | Defines a cyber-risk intelligence feed that can be imported by a TAXII server. |
| TAXII Profile | Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections. |
| Threat Actor type | Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior. |
| Threat Intelligence Source | Defines a source for importing threat data. |

The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following tables.

| Table | Description |
| --- | --- |
| Rate limit | Defines a rate limit to be used on a lookup source or scanner. |
| | A threat lookup or vulnerability scan. Contains what to look up or scan, with what lookup source or scanner, and a summary of the results. |
| | Defines third-party lookup sources or scanners to use in lookups or scans. |
| Scan Queue Entry | A threat lookup or vulnerability scan record queued for lookup, scan, or processing. Facilitates the requests within stated rate limits. |
| Scanner Rate Limit | Associates a lookup source or scanner with a rate limit. |