1 Semantic data model MRS-001
The data model of the system to be built in SATRAP-DL, called SATRAP, SHALL build upon knowledge representation formalisms that natively capture the semantics of information.
Rationale
Flexible storage and management of contextualized CTI and support for automated reasoning
Acceptance criteria
See validation test case specification
Child links: SRS-001 Data modelling language
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
2 CTI knowledge base MRS-002
The SATRAP-DL system, called SATRAP, SHALL host a native semantic CTI repository (a.k.a. CTI semantic knowledge base or CTI SKB) to enable by design the storage, management, and retrieval of information by means of semantic technologies.
Rationale
The main goal of the project is to enrich the automation capabilities of current approaches by working with semantically enriched data and automated reasoning on such data.
Acceptance criteria
See validation test case specification
Child links: SRS-002 Database paradigm, SRS-003 Semantic search
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
3 CTI SKB extensibility MRS-003
The CTI SKB SHALL support the integration of new concepts (e.g., facts, entities, or relationships) while maintaining the existing core data model.
Rationale
Extensibility of the data model allows for gradual enrichment of the CTI SKB by combining multiple threat frameworks, as CTI might not be expressible in a single one.
Acceptance criteria
See validation test case specification
Child links: SRS-004 Extensibility of the data model
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
4 SKB data model flexibility MRS-004
The CTI SKB SHALL rely on a database solution supporting structural modifications to the data model without requiring a data schema migration, as would be the case, e.g., in a relational DBMS, where such changes call for a schema migration tool.
Rationale
CTI relationships are complex and often uncertain and are thus subject to frequent changes. A flexible data model accommodates those evolving requirements.
Acceptance criteria
See validation test case specification
Child links: SRS-005 NoSQL data model
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R,T |
| release | Alpha |
5 CTI SKB content: public CTI knowledge MRS-005
The CTI SKB SHALL contain by default public and curated cyber threat intelligence (CTI) content, such as attack campaigns, intrusion sets, and TTPs, e.g., the MITRE ATT&CK data sets.
Rationale
Ground knowledge (terminological axioms in DL) of the knowledge base. Provides a global picture of the threat landscape.
Acceptance criteria
See validation test case specification
Child links: SRS-006 Integration of common CTI
| Attribute | Value |
|---|---|
| type | Q |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
6 Domain-specific CTI MRS-006
The CTI SKB SHOULD contain publicly available domain-specific CTI content about less commonly documented threats, such as those dealing with PQC schemes.
Rationale
To enrich the CTI SKB ground knowledge and enlarge the scope of coverage.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | Q |
| importance | 3 |
| urgency | 3 |
| vm | R,I |
| release | FID |
7 Semantic CTI and MITRE D3FEND MRS-007
The CTI SKB SHOULD contain data from existing open-source semantic CTI repositories, including at least MITRE D3FEND.
Rationale
To incorporate other efforts dealing with semantic CTI.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | Q |
| importance | 3 |
| urgency | 3 |
| vm | R,I |
| release | FID |
8 CTI SKB data integrity MRS-008
The CTI SKB technology choice SHALL enforce data integrity by design.
Rationale
To ensure consistency, stability, accuracy and reliability of data, preventing, among other issues, contradictory or duplicate data from being stored.
Acceptance criteria
See validation test case specification
Child links: SRS-007 Semantic data integrity
| Attribute | Value |
|---|---|
| type | Q |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
9 Policy-driven automated SKB update MRS-009
SATRAP-DL SHALL provide an automated process to maintain the CTI SKB up to date according to a defined update policy.
Rationale
To automatically address one of the major challenges related to keeping up with the fast-evolving nature of CTI.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | R |
| release | FID |
10 Removal of expired intelligence MRS-010
SATRAP MAY enforce an automated process to deal with the identification and removal of expired intelligence in the CTI SKB.
Rationale
To maintain an up-to-date CTI SKB.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 1 |
| vm | T |
| release | FID |
11 Ingestion of CTI in a standard format MRS-011
SATRAP SHALL allow for the import of threat data expressed in a standard CTI representation format, such as STIX.
Rationale
To enable the ingestion of data observed in a specific system, thereby allowing the CTI knowledge obtained from the world to be tailored to the protection of that system.
Acceptance criteria
See validation test case specification
Child links: SRS-008 ETL subsystem, SRS-009 ETL Transformer, SRS-010 Database manager
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
12 CyFORT CTI repository MRS-012
The SATRAP-DL system, called SATRAP, SHALL implement a mechanism for storing and accessing CTI information in and from a repository consisting of one or more open-source TIPs with sharing capabilities (e.g., MISP or OpenCTI). This upstream CTI repository will be referred to as the CyFORT CTI repository.
Rationale
To leverage the mature and robust data collection, storage and sharing capabilities of existing TIPs and to facilitate integration, as many CSIRT/CERT and SOC teams already maintain their repositories in such platforms.
Acceptance criteria
See validation test case specification
Child links: SRS-044 Open-source TIP integration
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | R |
| release | Alpha |
13 OSINT ingestion MRS-013
The CyFORT CTI repository SHOULD ingest open-source threat intelligence (OSINT), e.g., government feeds, according to predefined parameters, such as sources and frequency.
Rationale
To integrate relevant and up-to-date publicly available data about threats around the world.
Acceptance criteria
See validation test case specification
Child links: SRS-047 OSINT feeds configuration and catalog
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | I |
| release | FID |
14 Automated CTI enrichment MRS-014
The SATRAP-DL system SHALL provide a mechanism for automated enrichment of the information ingested into the CTI SKB according to well-defined logical rules.
Rationale
To address one of the major challenges for incident responders, namely, manual data correlation and contextualization of collected IoCs.
Acceptance criteria
See validation test case specification
Child links: SRS-012 Inference rules
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
| release | Alpha |
15 Semantic relations preservation MRS-015
The SATRAP-DL system SHALL store imported threat data in the CTI SKB maintaining the semantic relations defined in the input data.
Rationale
To ensure storage in data structures suitable for knowledge representation and preservation of the context of the imported threat data.
Acceptance criteria
See validation test case specification
Child links: SRS-001 Data modelling language, SRS-002 Database paradigm, SRS-013 STIX 2.1 data model
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
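The ingestion requirements above (MRS-011 import of standard-format CTI, MRS-015 preservation of the semantic relations in the input, together with the integrity concern of MRS-008 and the expiry check of MRS-010) are illustrated by the following added example. It is not SATRAP-DL code: it parses a STIX 2.1 bundle with the standard library only, refuses malformed or duplicated objects, keeps relationship objects (SROs) as explicit source/type/target triples, reports SROs whose endpoints are missing, and lists indicators whose `valid_until` has passed. The bundle, every id and every value in it are constructed for the example.

```python
"""Minimal STIX 2.1 bundle ingestion: parse, check referential integrity,
preserve relationships as an edge list, and flag expired indicators.

Added example, not SATRAP-DL code. The sample bundle and all ids in it are
constructed; the domain and address use reserved documentation values."""
import json
from datetime import datetime

TS = "2024-01-01T00:00:00.000Z"


def _id(kind, n):
    # Constructed, deterministic STIX ids; the UUID part is made up.
    return f"{kind}--00000000-0000-4000-8000-0000000000{n:02d}"


def _sdo(kind, n, **props):
    return {"type": kind, "spec_version": "2.1", "id": _id(kind, n),
            "created": TS, "modified": TS, **props}


def _sro(n, rel, src, dst):
    return _sdo("relationship", n, relationship_type=rel, source_ref=src, target_ref=dst)


# Constructed sample bundle, serialized as it would arrive from a file or feed.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": _id("bundle", 1),
    "objects": [
        _sdo("intrusion-set", 10, name="Example Intrusion Set"),
        _sdo("attack-pattern", 20, name="Phishing"),
        _sdo("indicator", 30, name="Expired constructed indicator",
             pattern="[domain-name:value = 'old.example.invalid']", pattern_type="stix",
             valid_from=TS, valid_until="2024-06-01T00:00:00.000Z"),
        _sdo("indicator", 31, name="Open-ended constructed indicator",
             pattern="[ipv4-addr:value = '192.0.2.10']", pattern_type="stix",
             valid_from=TS),
        _sro(40, "uses", _id("intrusion-set", 10), _id("attack-pattern", 20)),
        _sro(41, "indicates", _id("indicator", 30), _id("intrusion-set", 10)),
        # Deliberately dangling target: attack-pattern 99 is not in the bundle.
        _sro(42, "indicates", _id("indicator", 31), _id("attack-pattern", 99)),
    ],
})


def parse_bundle(text):
    """Parse a STIX 2.1 bundle into {id: object}, rejecting malformed or
    duplicated objects before anything reaches the knowledge base."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX bundle")
    objects = {}
    for obj in bundle["objects"]:
        if not isinstance(obj, dict):
            raise ValueError("bundle object is not a JSON object")
        kind, oid = obj.get("type"), obj.get("id")
        if not kind or not isinstance(oid, str) or not oid.startswith(kind + "--"):
            raise ValueError(f"malformed object id: {oid!r}")
        if oid in objects:
            raise ValueError(f"duplicate object id: {oid}")
        objects[oid] = obj
    return objects


def dangling_relationships(objects):
    """Ids of SROs whose source or target is absent from the ingested set."""
    return [oid for oid, o in objects.items() if o["type"] == "relationship"
            and (o["source_ref"] not in objects or o["target_ref"] not in objects)]


def relations(objects):
    """(source, relationship_type, target) triples for fully resolvable SROs,
    i.e. the semantic relations to preserve when writing to the SKB."""
    bad = set(dangling_relationships(objects))
    return [(o["source_ref"], o["relationship_type"], o["target_ref"])
            for oid, o in objects.items()
            if o["type"] == "relationship" and oid not in bad]


def _stix_time(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expired_indicators(objects, now):
    """Indicator ids whose valid_until lies before `now` (an aware datetime)."""
    return [oid for oid, o in objects.items() if o["type"] == "indicator"
            and "valid_until" in o and _stix_time(o["valid_until"]) < now]


def ingest_report(text, now_iso):
    """One-shot summary of an ingestion run for the given reference time."""
    objs = parse_bundle(text)
    return {"objects": len(objs), "relations": relations(objs),
            "dangling": dangling_relationships(objs),
            "expired": expired_indicators(objs, _stix_time(now_iso))}


if __name__ == "__main__":
    for key, value in ingest_report(SAMPLE_BUNDLE, "2025-01-01T00:00:00.000Z").items():
        print(f"{key}: {value}")
```

Dangling SROs are reported rather than silently dropped so that an operator (or the update policy of MRS-009) can decide whether the missing endpoint is expected to arrive in a later bundle or the relation should be discarded.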
16 Configuration management MRS-016
The data integration module SHALL provide a configuration management mechanism with a set of predefined values for the user to adjust settings related to the data ingestion process.
Rationale
To allow tuning of the system performance.
Acceptance criteria
See validation test case specification
Child links: SRS-041 Configuration management mechanism
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 3 |
| vm | T |
| release | Alpha |
17 Conformance with user settings MRS-017
The data integration module SHALL execute its data import function according to settings defined by the user.
Rationale
To ensure enforcement of user-defined settings.
Acceptance criteria
See validation test case specification
Child links: SRS-041 Configuration management mechanism
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
18 Automated reasoning MRS-018
SATRAP-DL SHALL provide native automated reasoning capabilities over the information in the CTI SKB to infer new relations and provide insights to the CTI analyst.
Rationale
Automated reasoning capabilities are expected not only to simplify analysis tasks over large amounts of data, but also to efficiently infer relations that would otherwise require dedicated time and effort from a CTI analyst.
Acceptance criteria
See validation test case specification
Child links: SRS-014 Native reasoning engine
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
19 Exporting inferred CTI MRS-019
SATRAP SHALL facilitate the extraction of CTI inferred over the CTI SKB, in a standardized CTI machine-readable format.
Rationale
To enable the export and integration of CTI produced in SATRAP into other tools in the ecosystem, such as the CyFORT CTI repository.
Acceptance criteria
See validation test case specification
Child links: SRS-019 CTI export to STIX 2.1, SRS-039 TypeQL to STIX 2.1 transformer
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
| release | Beta |
20 Interactive frontend MRS-020
SATRAP-DL SHALL provide and/or incorporate at least one frontend to enable interactive analysis of CTI, e.g., a command line interface (CLI), a web interface, a Jupyter Notebook or a desktop GUI application.
Rationale
To enhance and extend the toolset for CTI analysts.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend, SRS-042 Command line interface (CLI), SRS-043 TypeDB Studio
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
21 Self-defined CTI queries MRS-021
The SATRAP-DL frontend MAY allow the user to run self-defined CTI queries using a high-level language/representation, e.g., Python code encapsulating TypeQL.
Rationale
To provide enhanced capabilities accessible to end users for performing CTI analysis according to their investigative needs and objectives.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | FID |
22 Storage of CTI investigations MRS-022
The frontend SHALL allow the user to create and save CTI investigation notes, e.g., a step-by-step investigation notebook with results obtained from the SATRAP-DL service layer.
Rationale
To allow for the creation of reusable playbooks for common cases of CTI analysis and to save reproducible work in progress.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
23 Query parameterization MRS-023
The frontend SHALL allow the user to customize parametrized pre-defined CTI queries in a high-level language/representation.
Rationale
For usability and adoption by removing the need for end users to know the native CTI SKB query language.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend, SRS-046 CTI analysis toolbox
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
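MRS-021 and MRS-023 describe pre-defined, parameterized CTI queries exposed through a high-level language so that end users never write the native SKB query language. The following added example (not SATRAP-DL code) shows one way to do that in Python: a catalogue of named TypeQL templates, each with a fixed set of parameters and a strict allowlist pattern per parameter kind. Values that do not match are refused rather than escaped, so user input cannot alter the structure of the generated query; this is also the input validation concern listed under MRS-053 (SRS-028/029). The TypeQL schema (type names such as `external-id`, role names `used`/`user` and `indicator`/`indicated`) is assumed for the example and is not taken from the project.

```python
"""Parameterized, pre-defined TypeQL queries behind a Python interface.

Added example, not SATRAP-DL code. The TypeQL type and role names below are
assumed for illustration; the project's real schema is not on this page."""
import re
from dataclasses import dataclass

# Allowlisted parameter kinds. A value that does not fully match is refused,
# so a user-supplied value can never change the shape of the generated TypeQL
# (no quotes, semicolons, variables or braces can get through).
PARAM_KINDS = {
    "name": re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._/()&:-]{0,127}"),
    "attack_id": re.compile(r"T\d{4}(\.\d{3})?"),  # ATT&CK technique id shape
    "limit": re.compile(r"[1-9]\d{0,2}"),          # 1..999
}


@dataclass(frozen=True)
class QueryTemplate:
    description: str
    params: dict   # parameter name -> kind in PARAM_KINDS
    typeql: str    # placeholders in braces; TypeQL variables keep their $


# The pre-defined query catalogue exposed to end users (assumed schema).
TEMPLATES = {
    "groups_using_technique": QueryTemplate(
        "Intrusion sets that use a given ATT&CK technique",
        {"technique": "attack_id", "limit": "limit"},
        'match $t isa attack-pattern, has external-id "{technique}"; '
        '$g isa intrusion-set; (used: $t, user: $g) isa uses; '
        'get $g; limit {limit};'),
    "indicators_for_group": QueryTemplate(
        "Indicators that point to a given intrusion set",
        {"group_name": "name"},
        'match $g isa intrusion-set, has name "{group_name}"; '
        '$i isa indicator; (indicator: $i, indicated: $g) isa indicates; get $i;'),
}


def build_query(template_name, **params):
    """Render a catalogue query; raises on unknown template, parameter
    mismatch, or a value outside the allowlist for its kind."""
    tpl = TEMPLATES.get(template_name)
    if tpl is None:
        raise KeyError(f"unknown query template: {template_name}")
    missing = set(tpl.params) - set(params)
    extra = set(params) - set(tpl.params)
    if missing or extra:
        raise ValueError(f"parameter mismatch: missing={sorted(missing)} extra={sorted(extra)}")
    for key, value in params.items():
        pattern = PARAM_KINDS[tpl.params[key]]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"parameter {key!r} rejected: {value!r}")
    # Only validated strings reach the template, and format_map does not
    # re-interpret them, so the query structure is fixed by the template.
    return tpl.typeql.format_map(params)


def try_build(template_name, **params):
    """(ok, query_or_reason) variant for callers such as a notebook cell that
    prefer a value over an exception."""
    try:
        return True, build_query(template_name, **params)
    except (KeyError, ValueError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    print(try_build("groups_using_technique", technique="T1566.001", limit="10"))
    print(try_build("indicators_for_group", group_name='Foo"; match $y'))
```

The generated string is what a thin wrapper would hand to the database driver; the frontend only ever sees template names and typed parameters, which is what lets a query result viewer (MRS-026) or the CTI analysis toolbox expose these as functions rather than as raw query text.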
24 CTI analysis MRS-024
The SATRAP-DL system SHALL include a component providing a set of fundamental CTI analytic/query functions over the concepts in the CTI SKB.
Rationale
To provide baseline functionality for the automation of CTI analysis tasks.
Acceptance criteria
See validation test case specification
Child links: SRS-045 CTI analysis engine
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
25 SATRAP-DL service MRS-025
SATRAP-DL SHALL provide a service to process CTI queries provided via the frontend, relay them to the CTI analysis component and return the response to the user in a pre-defined format.
Rationale
Instead of navigating the data space, CTI analysts can ask direct questions (functions) with specific data and automatically obtain answers based on explicit and derived CTI.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend, SRS-046 CTI analysis toolbox
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
26 Query result viewer MRS-026
The SATRAP-DL frontend SHALL display the data set resulting from a user query to the user.
Rationale
For providing a natural user experience (UX), as users expect to get an answer in the interface where they asked a question.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
27 Frontend query status MRS-027
The frontend SHALL inform the user about the status of their queries, e.g., when the result is ready, when a set wait time is exceeded, or when errors have occurred.
Rationale
For supporting a good user experience (UX).
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
28 Native query execution MRS-028
The SATRAP-DL frontend SHALL provide the means to execute queries in the native query language of the CTI SKB.
Rationale
For convenience of advanced users.
Acceptance criteria
See validation test case specification
Child links: SRS-043 TypeDB Studio
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
29 Frontend design MRS-029
The frontend design SHALL adhere to well-established guidelines for UI design.
Rationale
To facilitate ease of use, intuitiveness, and efficiency in completing tasks.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend, SRS-043 TypeDB Studio
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | I |
| release | Alpha |
30 Frontend terminology MRS-030
Wherever applicable, the frontend SHALL use terms specified in relevant standards to refer to CTI concepts.
Rationale
Among other features, usage of a common vocabulary is essential for the adoption of tools in a given application domain.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | I |
| importance | 5 |
| urgency | 5 |
| vm | I |
| release | FID |
31 Frontend STIX compliance MRS-031
When terms coming from different CTI sources are used to refer to the same CTI concept, the frontend SHOULD provide a mapping to the equivalent concept in STIX.
Rationale
Among other features, usage of a common vocabulary is essential for the adoption of tools in a given application domain.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | I |
| release | FID |
32 User-controlled CTI curation MRS-032
The frontend SHOULD allow the user to update the information stored in the CTI SKB.
Rationale
To enable CTI curation by the users themselves.
Acceptance criteria
See validation test case specification
Child links: SRS-043 TypeDB Studio
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 2 |
| vm | T |
| release | Alpha |
33 File-based SKB update MRS-033
The frontend MAY allow the user to update the SKB by loading CTI content from files encoded using a predefined format (e.g., JSON) and according to a well-defined specification (e.g., STIX).
Rationale
To keep the CTI updated by the users themselves.
Acceptance criteria
See validation test case specification
Child links: SRS-042 Command line interface (CLI)
| Attribute | Value |
|---|---|
| type | F |
| importance | 3 |
| urgency | 2 |
| vm | T |
| release | Alpha |
34 Frontend cross-platform support MRS-034
The frontend SHALL be cross-platform compatible, either by providing dedicated platform-dependent deployment artifacts (e.g., build binaries for GNU/Linux and macOS) or by relying on technology enabling cross-platform support by design, e.g., web-based stacks or containerization solutions.
Rationale
For portability and compatibility with prevailing operating systems.
Acceptance criteria
See validation test case specification
Child links: SRS-015 Jupyter Notebook frontend, SRS-042 Command line interface (CLI)
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
35 SATRAP as software library MRS-037
The SATRAP-DL system, called SATRAP, SHALL implement a native library grouping together a set of low-level algorithms to provide high-level CTI analysis services (functionality) and to facilitate the use of SATRAP as a software library from external applications.
Rationale
For interoperability with the ecosystem, to enable the automation of the CTI lifecycle through the integration of multiple complementary solutions.
Acceptance criteria
See validation test case specification
Child links: SRS-046 CTI analysis toolbox
| Attribute | Value |
|---|---|
| type | A |
| importance | 4 |
| urgency | 3 |
| vm | I |
| release | Alpha |
36 Platform-independent API MRS-038
SATRAP-DL SHALL provide a platform-independent API (e.g., a web-based one such as a REST API) enabling programmatic access to the data and services provided by SATRAP.
Rationale
To provide a programming language-agnostic access point to the analytic services of SATRAP, with human- and machine-readable specifications.
Acceptance criteria
See validation test case specification
Child links: SRS-016 API based on OAS
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 2 |
| vm | T |
| release | FID |
37 CTI SKB content: from IDPS-ESCAPE MRS-039
SATRAP SHALL have a mechanism that enables importing information obtained from the monitoring subsystem of IDPS-ESCAPE (e.g., observed IoCs) into the CTI SKB.
Rationale
To enrich the knowledge base with information concerning observed behavior in the system under monitoring.
Acceptance criteria
See validation test case specification
Child links: SRS-017 Integration of behavioral data, SRS-044 Open-source TIP integration
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 3 |
| vm | T |
| release | Beta |
38 CTI SKB content: organizational CTI MRS-040
SATRAP SHALL provide a mechanism to retrieve information from the CyFORT CTI repository and integrate it into the CTI SKB.
Rationale
To integrate CTI knowledge relevant for the organization. Organizational CTI refers here to CTI internally produced or shared by other organizations in a CTI sharing network.
Acceptance criteria
See validation test case specification
Child links: SRS-011 Ingestion of organizational CTI
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 4 |
| vm | T |
| release | Beta |
39 CTI SKB content: system blueprint MRS-041
SATRAP SHALL have a mechanism that enables importing information describing the system under monitoring; for instance, network topology, location of endpoints and firewalls, etc.
Rationale
To enable CTI analysis targeted to the actual system under monitoring.
Acceptance criteria
Successful validation according to the corresponding test case specification
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 4 |
| vm | T |
| release | Beta |
40 CyFORT CTI continuous analysis MRS-042
SATRAP SHALL provide an automation mechanism for ingesting data from the CyFORT CTI repository and running predefined knowledge derivation functions on the newly ingested data, configurable by user-set parameters.
Rationale
For integration of the different components in the CyFORT stack supporting continuous knowledge derivation, to maintain up-to-date and relevant CTI.
Acceptance criteria
See validation test case specification
Child links: SRS-018 Automated CTI analysis
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 2 |
| vm | T |
| release | Beta |
41 CyFORT CTI repository enrichment connector MRS-043
SATRAP SHALL provide an enrichment mechanism to repopulate the CyFORT CTI repository with newly derived CTI, either on-demand or automatically according to a maintenance/update policy.
Rationale
For sharing CTI findings with the central repositories of an organization, from where they can be further shared with external communities.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 2 |
| vm | T |
| release | Beta |
42 Modular architecture MRS-044
The design of the SATRAP-DL system SHALL follow a modular architecture according to software design criteria specified, e.g., in the SWEBOK.
Rationale
As an open-source project, extensions by the community are expected, e.g., for supporting standards and tool interoperability. This requirement aims to facilitate smooth code integration.
Acceptance criteria
See validation test case specification
Child links: SRS-020 System configuration file, SRS-021 Centralized logging, SRS-022 Centralized exception handling, SRS-024 Design and implementation principles
| Attribute | Value |
|---|---|
| type | A |
| importance | 5 |
| urgency | 5 |
| vm | R |
| release | Alpha |
43 STIX compliance MRS-045
The SATRAP-DL system SHALL adopt the STIX (Structured Threat Information eXpression) language and serialization format for structured CTI representation.
Rationale
For data-sharing interoperability.
Acceptance criteria
See validation test case specification
Child links: SRS-023 CTI representation in STIX 2.1
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Alpha |
44 C5-DEC compliance MRS-046
The development of the SATRAP-DL system SHALL conform to the C5-DEC SSDLC method.
Rationale
To enforce security by design and a rigorous development process.
Acceptance criteria
See validation test case specification
Child links: SRS-024 Design and implementation principles, SRS-025 Code readability
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | I |
| release | Alpha |
45 Open-source releases MRS-051
The source code, API specifications and technical documentation of SATRAP-DL SHALL be made available under open and permissive licenses to entities with legitimate interest in the cybersecurity dataspace.
Rationale
An open-source release allows contributions and usage by the community, which in turn fosters adoption and the exchange of feedback.
Acceptance criteria
See validation test case specification
Child links: SRS-026 Public release, SRS-027 Open-source licensing
| Attribute | Value |
|---|---|
| type | Q |
| importance | 5 |
| urgency | 5 |
| vm | I |
| release | Alpha |
46 Secure programming compliance MRS-053
Software components of SATRAP-DL SHALL be implemented in agreement with secure coding best practices, such as those specified in the C5-DEC SSDLC.
Rationale
To enforce security by design as per the CyFORT SSDLC.
Acceptance criteria
See validation test case specification
Child links: SRS-028 Input validation, SRS-029 Input sanitization, SRS-030 Resource management, SRS-031 Code static analysis, SRS-032 Dependencies management, SRS-033 Functional ETL events logging, SRS-034 Detailed event logging, SRS-035 Consistent logging format, SRS-036 Log validation, SRS-037 Sensitive information, SRS-038 Software identification
| Attribute | Value |
|---|---|
| type | C |
| importance | 5 |
| urgency | 5 |
| vm | I,R |
| release | Alpha |
47 Access control MRS-056
The SATRAP-DL connectors (for ingestion and enrichment) SHALL rely on the built-in functionality of the integrated open-source TIP(s) (i.e., CyFORT CTI repository) to enforce access control and role-based access management.
Rationale
Separation of roles should be implemented to address security concerns, and to provide information and relevant functionalities according to the type of user.
Acceptance criteria
See validation test case specification
Child links: SRS-040 Authentication and authorization
| Attribute | Value |
|---|---|
| type | S |
| importance | 4 |
| urgency | 2 |
| vm | T |
| release | Beta |
48 Secure channels to the CyFORT ecosystem MRS-057
The communication between separate components of the SATRAP-DL system crossing through different trust boundaries SHALL occur over confidential and authenticated channels.
Rationale
Integration of tools within the CyFORT ecosystem enables the exchange of information managed by internal tools. Such data might be available only to authorized users in the organization, hence it should be protected from external parties by default.
Acceptance criteria
See validation test case specification
| Attribute | Value |
|---|---|
| type | S |
| importance | 5 |
| urgency | 2 |
| vm | T |
| release | FID |
49 Integration with open-source tools for incident handling MRS-035
SATRAP-DL SHALL integrate at least two open-source cybersecurity tools to support CTI-informed incident handling; for instance, a SIEM as the threat data source, and a case management tool to create incident cases if considered relevant after an analysis using SATRAP.
Rationale
- To support investigations facilitating immediate access to CTI for reacting in an adequate way.
- To use and enrich the open-source ecosystem in a coherent and interoperable manner, fostering adoption of SATRAP-DL.
Acceptance criteria
Successful validation according to the corresponding test case specification
Child links: SRS-048 Integration of security tools for automation
| Attribute | Value |
|---|---|
| type | F |
| importance | 4 |
| urgency | 5 |
| vm | T |
| release | Beta |
50 Automated support for incident handling MRS-058
The SATRAP-DL ecosystem SHALL support an automated pipeline for incident handling informed by CTI analysis, covering at least two incident scenarios.
Rationale
To simplify the decision-making for escalation of incidents to cases, based on a preliminary CTI investigation of detected threats according to well-defined criteria for each specific threat scenario.
Acceptance criteria
See validation test case specification
Child links: SRS-049 Automated support for incident handling: phishing
| Attribute | Value |
|---|---|
| type | F |
| importance | 5 |
| urgency | 5 |
| vm | T |
| release | Beta |