# STORM

An angry cloud. A registry of how to protect a system.

## Tags

Tags are limited to `a-z`, `0-9`, or `-` characters and can be hierarchically separated via `.`. For example, when referring to a MITRE ATT&CK technique we could use `attack.t0001`.

## Domains

| Domain     | Model         | Description                                                                   |
| ---------- | ------------- | ----------------------------------------------------------------------------- |
| [Source]   |               | Sourcing of intelligence for improving observation, reaction and mitigation   |
|            | Intelligence  | Feed or result of a query used to satisfy intelligence requirements           |
|            | Requirement   | Collection of intelligence used by actions, detections and mitigations        |
|            | Provider      | An internal or external supplier of intelligence                              |
| [Threat]   |               | Modelling and simulation of threat actor tactics, techniques and software     |
|            | Tactic        | High-level categorisation of threat actor behaviour                           |
|            | Technique     | Specific description of threat actor behaviour                                |
|            | Software      | Code/utilities/tools used in conducting threat actor behaviour                |
|            | Simulation    | Generating threat behaviour for testing observation, reaction and mitigations |
| [Observe]  |               | Events, definitions and configuration for observing threat actor behaviour    |
|            | Event         | Observable items used to detect and respond to threat actor behaviour         |
|            | Detection     | Rule used to detect threat actor behaviour, mapped to that behaviour          |
|            | Provider      | Software or systems that are capable of producing events                      |
|            | Configuration | Configuration applied to a provider enabling it to produce events             |
| [React]    |               | Structured responses to observed threat behaviour                             |
|            | Stage         | Phase of a response to observed threat behaviour                              |
|            | Action        | An atomic human action assigned to a response stage                           |
|            | Playbook      | Composition of response actions for a given context                           |
| [Mitigate] |               | Proactive and reactive strategies to address threats                          |
|            | Strategy      | Composition of platforms and configurations to address a threat               |
|            | Platform      | Platform that is capable of mitigating threats with or without configuration  |
|            | Configuration | Configuration applied to a platform enabling it to mitigate threats           |

### Source

How do you know what is happening outside of your system, or whether something you saw is considered a threat elsewhere? A source is an entity that provides an external perspective and knowledge of threats, techniques, tools and mitigations that can be pulled or queried.

#### Provider

#### Requirement

#### Intelligence

### Threat

### Observe

### React

### Mitigate

## Identifiers

Each registry entry lives under its domain and model and carries a three-letter prefix followed by five digits:

- `source/`
  - provider `SPR#####`
  - requirement `SRT#####`
  - intelligence `SIE#####`
- `threat/`
  - tactic `TTC#####`
  - software `TSE#####`
  - technique `TTE#####`
  - deficiency
  - simulation `TSN#####`
- `observe/`
  - event `OET#####`
  - detection `ODN#####`
  - provider `OPR#####`
  - configuration `OCG#####`
- `react/`
  - stage `RSE#####`
  - action `RAN#####`
  - playbook `RPK#####`
- `mitigate/`
  - strategy `MSY#####`
  - platform `MPM#####`
  - configuration `MCG#####`
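As an added example (not part of the STORM project itself), a small Python validator for the two formats this README defines: the tag grammar (`a-z`, `0-9`, `-`, separated by `.`) and the prefixed five-digit identifiers in the layout above. The `next_identifier` helper assumes identifiers within a prefix are allocated sequentially, which the README does not state.

```python
import re

# Tag grammar from the README: segments of a-z, 0-9 or '-' joined by '.'.
TAG_RE = re.compile(r"^[a-z0-9-]+(?:\.[a-z0-9-]+)*$")
# Identifier shape from the README: three-letter prefix plus five digits (`SPR#####`).
ID_RE = re.compile(r"^([A-Z]{3})(\d{5})$")

# Prefixes from the README's directory layout, mapped to (domain, model).
ID_PREFIXES = {
    "SPR": ("source", "provider"),
    "SRT": ("source", "requirement"),
    "SIE": ("source", "intelligence"),
    "TTC": ("threat", "tactic"),
    "TSE": ("threat", "software"),
    "TTE": ("threat", "technique"),
    "TSN": ("threat", "simulation"),
    "OET": ("observe", "event"),
    "ODN": ("observe", "detection"),
    "OPR": ("observe", "provider"),
    "OCG": ("observe", "configuration"),
    "RSE": ("react", "stage"),
    "RAN": ("react", "action"),
    "RPK": ("react", "playbook"),
    "MSY": ("mitigate", "strategy"),
    "MPM": ("mitigate", "platform"),
    "MCG": ("mitigate", "configuration"),
}

def is_valid_tag(tag):
    """True if `tag` follows the tag grammar, e.g. 'attack.t0001'."""
    return TAG_RE.fullmatch(tag) is not None

def parse_identifier(ident):
    """Return {'domain', 'model', 'number'} for a registry id, or None if invalid."""
    m = ID_RE.fullmatch(ident)
    if m is None or m.group(1) not in ID_PREFIXES:
        return None
    domain, model = ID_PREFIXES[m.group(1)]
    return {"domain": domain, "model": model, "number": int(m.group(2))}

def next_identifier(prefix, existing):
    """Allocate the next free id for `prefix` (assumption: sequential numbering)."""
    if prefix not in ID_PREFIXES:
        raise ValueError(f"unknown prefix: {prefix}")
    used = [int(i[3:]) for i in existing
            if parse_identifier(i) and i.startswith(prefix)]
    return f"{prefix}{max(used, default=0) + 1:05d}"
```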