An Intrusion Set Object is an Intelligence Object used to represent a group of adversary behaviors attributable to a single organization or individual. It may encompass multiple campaigns or activities that can be tied to a known or unknown threat actor. An Intrusion Set is differentiated from a Campaign in that it may take place against multiple victims across significant timespans—whereas Campaigns are associated with a distinct target and/or a limited timeframe.
The following properties can be added to an Intrusion Set Object:
Name The name to be used for this Object (mandatory)
Description An optional narrative description of the Intrusion Set
Aliases Alternate names of this Intrusion Set
First Seen Date the Intrusion Set was first observed
Last Seen Date the Intrusion Set was most recently observed
Goals The high-level intension of the actors using this Intrusion Set
Resource Level Capabilities and resources associated with the Intrusion Set. Begin typing in the box to see a list of existing values.
Primary Motivation Main motivation associated with this Intrusion Set. Begin typing in the box to see a list of existing values.
Secondary Motivations Secondary motivation associated with this intrusion set. Begin typing in the box to see a list of existing values.
Revoked Flag that will permanently make this Object inactive. Note that this cannot be undone.
Labels Field allowing for the addition of labels to the Intrusion Set Object
Confidence Analytic assessment of the confidence in the data contained within this Intrusion Set Object.