# STORM

An angry cloud.

A registry of how to protect a system.

## Tags

Tags are limited to `a-z`, `0-9`, or `-` characters and can be hierarchically separated via `.`.

For example when referring to a MITRE ATT&CK technique we could use `attack.t0001`.

## Domains

| Domain     | Model         | Description                                                                   |
| ---------- | ------------- | ----------------------------------------------------------------------------- |
| [Source]   |               | Sourcing of intelligence for improving observation, reaction and mitigation   |
|            | Intelligence  | Feed or result of a query used to satisfy intelligence requirements           |
|            | Requirement   | Collection of intelligence used by actions, detections and mitigations        |
|            | Provider      | An internal or external supplier of intelligence                              |
| [Threat]   |               | Modelling and simulations of threat actor tactics, techniques and software    |
|            | Tactic        | High-level categorization of threat actor behaviour                           |
|            | Technique     | Specific description of threat actor behaviour                                |
|            | Software      | Code/utilities/tools used in conducting threat actor behaviour                |
|            | Simulation    | Generating threat behaviour for testing observation, reaction and mitigations |
| [Observe]  |               | Events, definitions and configuration for observing threat actor behaviour    |
|            | Event         | Observable items use to detect and respond to threat actor behaviour          |
|            | Detection     | Rule used to detect threat actor behaviour mapped to threat actor behaviour   |
|            | Provider      | Software or systems that are capable of producing events                      |
|            | Configuration | Configuration applied to a provider enabling it to produce events             |
| [React]    |               | Structured responses to observed threat behaviour                             |
|            | Stage         | Phase of a response to observed threat behaviour                              |
|            | Action        | An atomic human action assigned to an response stage                          |
|            | Playbook      | Composition of response actions for a given context                           |
| [Mitigate] |               | Proactive and reactive strategies to address address threats                  |
|            | Strategy      | Composition of platforms and configurations to address a threat               |
|            | Platform      | Platform that is capable of mitigating threats with or without configuration  |
|            | Configuration | Configuration applied to a platform enabling it to mitigate threats           |

### Source

How do you what is happening outside of your system or if something you saw
is elsewhere considered a threat?

A source is an entity that provides an external perspective and knowledge of
threats, techniques, tools, mitigations that can be pulled or queried.

#### Provider

#### Requirement

#### Intelligence

### Threat

### Observe

### React

### Mitigate

source/
    provider      `SPR#####`
    requirement   `SRT#####`
    intelligence  `SIE#####`
threat/
    tactic        `TTC#####`
    software      `TSE#####`
    technique     `TTE#####`
    deficiency    
    simulation    `TSN#####`
observe/
    event         `OET#####`
    detection     `ODN#####`
    provider      `OPR#####`
    configuration `OCG#####`
react/
    stage         `RSE#####`
    action        `RAN#####`
    playbook      `RPK#####`
mitigate/
    strategy      `MSY#####`
    platform      `MPM#####`
    configuration `MCG#####`