Perfect Threat Intel Report Ideas

What would make up the perfect cybersecurity threat intelligence (CTI) report to receive, ingest, and automate around? Honestly, even any three of these things makes for a great report. More context and detail are better, if the report author or information-sharing organisation can support it.

Detailed data, using integrated frameworks and CTI data models

  • Intrusion (or attempts) detailed (a la the Diamond Model) with time and impact
    • Actor, Victim (and/or Target), Infrastructure, Capability, plus time and impact:
      • “who tried to do what to whom, when/how often, and did it work?”
  • Activity and any impact detailed, coded and categorised (a la VERIS or DoD 6510 categories)
  • Notable techniques and tactics observed (e.g. MITRE ATT&CK ids, with versions)
  • Possible countermeasures and detections in open formats (Suricata, Sigma, Yara, ClamAV) or by public reference (Critical Controls, NIST CSF)
  • Recommended actions / practices, by public reference (Critical Controls, NIST, etc.)
  • References & Citations
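As an added example (not from the post), here is a small Python checker that applies the checklist above to a report record: it requires all four Diamond Model vertices plus time and impact, checks that ATT&CK ids are well-formed, looks for detections in the open formats named above, and applies the "any three of these" rule of thumb. The JSON field names and sample values are my own assumptions, not a standard.

```python
import json
import re

# MITRE ATT&CK technique ids look like T1566 or, for sub-techniques, T1566.002.
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
# Diamond Model vertices, plus the time and impact the post asks for.
DIAMOND_FIELDS = ("actor", "victim", "infrastructure", "capability", "time", "impact")
OPEN_DETECTION_FORMATS = {"suricata", "sigma", "yara", "clamav"}

def assess_report(report: dict) -> dict:
    """Return which checklist items a report satisfies and why others were rejected."""
    satisfied, problems = [], []
    intrusion = report.get("intrusion") or {}
    missing = [f for f in DIAMOND_FIELDS if not intrusion.get(f)]
    if intrusion and not missing:
        satisfied.append("diamond")
    elif intrusion:
        problems.append(f"intrusion missing {missing}")
    if report.get("veris_category"):
        satisfied.append("categorised")
    techniques = report.get("attack_techniques") or []
    bad = [t for t in techniques if not ATTACK_ID.match(t)]
    if techniques and not bad:
        satisfied.append("attack")
    elif bad:
        problems.append(f"malformed ATT&CK ids {bad}")
    detections = report.get("detections") or []
    if any(str(d.get("format", "")).lower() in OPEN_DETECTION_FORMATS for d in detections):
        satisfied.append("detections")
    if report.get("recommended_actions"):
        satisfied.append("actions")
    if report.get("references"):
        satisfied.append("references")
    # The post's rule of thumb: any three of the items make a great report.
    return {"satisfied": satisfied, "problems": problems, "great": len(satisfied) >= 3}

def assess_json(text: str) -> dict:
    return assess_report(json.loads(text))

# Constructed sample report (fictional values; the field names are my own assumption).
SAMPLE_REPORT = json.dumps({
    "intrusion": {"actor": "UNKNOWN-1", "victim": "example.org mail users",
                  "infrastructure": "203.0.113.10", "capability": "credential phishing",
                  "time": "2023-04-01T09:15:00Z", "impact": "no accounts compromised"},
    "attack_techniques": ["T1566.002", "T1078"],
    "detections": [{"format": "Sigma", "rule": "<rule body omitted>"}],
})
```

Reports that fail a check get a reason in `problems`, which is the feedback worth sending back to the sharing organisation.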

References

  • The Diamond Model of Intrusion Analysis
  • VERIS Getting Started
    • VERIS - MITRE ATT&CK bridge
    • DoD 6510 for hard mode: CJCSM 6510.01B (PDF, check B-A-3 around p54)
  • MITRE ATT&CK Framework(s)
  • LM Intelligence-Driven CND paper (2010), arguably still everything you need to know about indicators
  • Suricata, Sigma, Yara (Security Onion docs)

Written on April 17, 2023