Tables installed with Threat Intelligence

Threat Intelligence adds the following tables.
Table Description
Attack mechanism

[sn_ti_attack_mechanism]

Organizes attack patterns hierarchically based on mechanisms that are frequently employed when exploiting a vulnerability. The categories that are members of this view represent the different techniques used to attack a system.
Attack mode/method

[sn_ti_attack_mode]

Attack modes and methods are representations of the behavior of cyber adversaries. They characterize what an adversary does and how they do it in increasing levels of detail.
Discovery method

[sn_ti_discovery_method]

An expression of how an incident was discovered.
Feed

[sn_ti_feed]

Used for configuring the Threat Feed (RSS) in the Threat Overview.
Indicator Attack mode/method

[sn_ti_m2m_indicator_attack_mode]

Used to map attack modes/methods to indicators.
Indicator of Compromise

[sn_ti_indicator]

Used to convey specific observable patterns combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context.
Indicator of Compromise Metadata

[sn_ti_indicator_metadata]

Indicator Source

[sn_ti_m2m_indicator_source]

Used to collect all the sources reporting the specific indicator.
Indicator Type

[sn_ti_indicator_type]

Used to characterize a cyber threat indicator made up of a pattern identifying certain observable conditions as well as contextual information about the pattern's meaning, how and when it is acted on, and so on.
Associated Indicator Type

[sn_ti_m2m_indicator_indicator_type]

Links indicators with their applicable types.
Intended effect

[sn_ti_intended_effect]

Used for expressing the intended effect of a threat actor.
IP Scan Result

[sn_ti_ip_result]

Used to show the results of an IP lookup.
Malware Rate limit

[sn_ti_rate_limit]

Defines a rate limit to be used on a lookup source.
Malware Scan

[sn_ti_scan]

A lookup. Contains what to look up, with what lookup source, and a summary of the lookup results.
Malware Scanner

[sn_ti_scanner]

Defines third-party lookup sources to use in performing lookups.
Malware Scanner Rate Limit

[sn_ti_scanner_rate_limit]

Associates a lookup source with a rate limit.
Malware Scan Queue Entry

[sn_ti_scan_q_entry]

A lookup record queued for lookup or processing. Facilitates the requests within stated rate limits.
Malware Scan Result

[sn_ti_scan_result]

Displays the result of a lookup.
Malware Type

[sn_ti_malware_type]

Used for expressing the types of malware instances.
Observable

[sn_ti_observable]

Observables in STIX represent stateful properties or measurable events pertinent to the operation of computers and networks.
Observable Indicator

[sn_ti_m2m_observable_indicator]

Used to relate observables to indicators.
Observable Source

[sn_ti_observable_source]

Used to relate observables to threat sources.
Observable Type

[sn_ti_observable_type]

Lists the various types of observables, such as IP addresses.
Related attack mode/method

[sn_ti_m2m_attack_mode_attack_mode]

Used to relate attack modes to each other.
Related Observables

[sn_ti_m2m_observables]

Used to relate observables to each other.
Scan type

[sn_ti_scan_type]

The definition of a lookup type, with initial records for File, URL, and IP.
Supported Observable Types

[sn_ti_m2m_ind_type_obs_type]

Relates indicator types to valid observable types.
Supported Scan Type

[sn_ti_supported_scan_type]

Maps the lookup type to a lookup source/vendor-specific implementation. Indicates that a specific lookup source supports the type.
Task Attack mode/method

[sn_ti_m2m_task_attack_mode]

Relates attack modes to tasks.
Task Indicator

[sn_ti_m2m_task_indicator]

Relates indicators to tasks.
Task Observable

[sn_ti_m2m_task_observable]

Relates observables to tasks.
TAXII Collection

[sn_ti_taxii_collection]

Defines a cyber-risk intelligence feed that can be imported by a TAXII server.
TAXII Profile

[sn_ti_taxii_profile]

Defines a repository for sharing cyber-risk intelligence. Contains TAXII collections.
Threat Actor type

[sn_ti_threat_actor_type]

Provides characterizations of malicious actors (or adversaries) representing a cyber attack threat, including presumed intent and historically observed behavior.
Threat Intelligence Source

[sn_ti_source]

Defines a source for importing threat data.
The Security Support Common [com.snc.security_support.common] plugin, which is activated when you activate Threat Intelligence, adds the following tables.
Table Description
Rate limit

[sn_cmn_rate_limit]

Defines a rate limit to be used on a lookup source or scanner.
Scan

[sn_sec_cmn_scan]

A threat lookup or vulnerability scan. Contains what to look up or scan, with what lookup source or scanner, and a summary of the results.
Scanner

[sn_sec_cmn_scanner]

Defines third-party lookup sources or scanners to use in lookups or scans.
Scan Queue Entry

[sn_cmn_scan_q_entry]

A threat lookup or vulnerability scan record queued for lookup, scan, or processing. Facilitates the requests within stated rate limits.
Scanner Rate Limit

[sn_cmn_scanner_rate_limit]

Associates a lookup source or scanner with a rate limit.