🧭Conceptual Guide

This guide introduces the core concepts, standards, terminology, and methodologies used within the PIARA platform. Understanding these concepts will help you effectively utilize the platform and interpret the intelligence it provides.

Core Standards and Objects

  • STIX: PIARA uses the STIX™ (Structured Threat Information eXpression) standard as its core data schema for representing threat intelligence objects and their relationships.

  • TAXII Collections: Within PIARA (and generally in TAXII), Collections represent thematic groupings of STIX data shared via a TAXII server (e.g., "Malware IoCs," "Threat Actor Profiles"). Objects can belong to multiple collections.

  • Reports: The STIX Report object is used heavily in PIARA. A Report is a narrative document that groups related STIX objects (Indicators, Malware, Threat Actors and so on) to describe a specific event, threat, or analysis finding (e.g., "Analysis of Campaign XYZ"). A Report references its objects by ID (its object_refs) rather than embedding them: a report on "Operation Stealthy Badger" might reference specific indicators, malware and TTPs, while those same objects continue to exist independently and in other collections or reports.

  • Reusability: STIX objects are atomic and can be reused across different analytical contexts (e.g., the same Indicator appearing in multiple Reports).

  • Relationships: STIX Relationship objects explicitly define and track the links between objects (e.g., a threat-actor that "uses" a specific malware, or an indicator that "indicates" a campaign), so the graph of who uses what can be queried rather than inferred from prose.
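The following is an added example, not code from PIARA or the STIX project. It builds a small STIX 2.1 graph with only the Python standard library (the stix2 library would emit equivalent JSON), links the objects with Relationship SROs, references the same indicator from two reports, and then answers the kinds of questions a platform asks of such data: which reports contain this indicator, which malware does this actor use, and do all references resolve. The object names, the domain in the indicator pattern and the relationship choices are constructed sample data.

```python
"""Build a small STIX 2.1 graph by hand and query it the way a TI platform does.

Added example, not PIARA code. Standard library only; every object is a constructed sample.
"""
import json
import uuid
from datetime import datetime, timezone


def _now() -> str:
    # STIX 2.1 timestamps: RFC 3339, UTC, millisecond precision, 'Z' suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def sdo(obj_type: str, **props) -> dict:
    """Create a STIX Domain Object with the common properties every SDO carries."""
    ts = _now()
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts, **props}


def relationship(source: dict, rel_type: str, target: dict) -> dict:
    """Create a STIX Relationship Object (SRO) linking two SDOs by id."""
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"])


def report(name: str, objects: list[dict]) -> dict:
    """A Report groups other objects by reference (object_refs); it does not embed them."""
    return sdo("report", name=name, published=_now(),
               object_refs=[o["id"] for o in objects])


# --- constructed sample data (not real threat intelligence) ---
actor = sdo("threat-actor", name="Sample Actor")
mal = sdo("malware", name="Sample Loader", is_family=False)
camp = sdo("campaign", name="Operation Stealthy Badger")
ioc = sdo("indicator", name="C2 domain", pattern_type="stix",
          pattern="[domain-name:value = 'c2.example.invalid']", valid_from=_now())

uses = relationship(actor, "uses", mal)
indicates = relationship(ioc, "indicates", camp)
attributed = relationship(camp, "attributed-to", actor)

# The same indicator is referenced from two reports: objects are atomic and reusable.
report_a = report("Analysis of Operation Stealthy Badger",
                  [actor, mal, camp, ioc, uses, indicates, attributed])
report_b = report("Weekly C2 infrastructure digest", [ioc])

BUNDLE = {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
          "objects": [actor, mal, camp, ioc, uses, indicates, attributed, report_a, report_b]}


def index(bundle: dict) -> dict[str, dict]:
    return {o["id"]: o for o in bundle["objects"]}


def reports_containing(bundle: dict, obj_id: str) -> list[str]:
    """Which reports reference a given object id? (reusability in practice)"""
    return sorted(o["name"] for o in bundle["objects"]
                  if o["type"] == "report" and obj_id in o["object_refs"])


def related(bundle: dict, obj_id: str, rel_type: str, direction: str = "out") -> list[dict]:
    """Follow SROs from an object: 'out' follows source_ref -> target_ref, 'in' the reverse."""
    objs = index(bundle)
    hits = []
    for o in bundle["objects"]:
        if o["type"] != "relationship" or o["relationship_type"] != rel_type:
            continue
        if direction == "out" and o["source_ref"] == obj_id:
            hits.append(objs[o["target_ref"]])
        elif direction == "in" and o["target_ref"] == obj_id:
            hits.append(objs[o["source_ref"]])
    return hits


def dangling_refs(bundle: dict) -> list[str]:
    """Consumer-side check: every *_ref / *_refs property must resolve inside the bundle."""
    ids = set(index(bundle))
    missing = []
    for o in bundle["objects"]:
        for k, v in o.items():
            refs = v if k.endswith("_refs") else [v] if k.endswith("_ref") else []
            missing += [r for r in refs if r not in ids]
    return missing


if __name__ == "__main__":
    print(json.dumps(BUNDLE, indent=2)[:400], "...")
    print("reports with the C2 indicator:", reports_containing(BUNDLE, ioc["id"]))
    print("malware used by actor:", [m["name"] for m in related(BUNDLE, actor["id"], "uses")])
    print("dangling refs:", dangling_refs(BUNDLE))
```

The dangling-reference check is the one a consumer should run on anything pulled from a TAXII collection: a report whose object_refs point outside the data you actually received is incomplete, not wrong, and should be fetched in full before anyone acts on it.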

PIARA Data Concepts

While PIARA uses STIX as its core data model, it includes several enhancements and custom objects to better meet specific intelligence needs and workflows.

  • Custom STIX Objects: To capture specific intelligence types, PIARA extends STIX with custom objects:

    • News: A custom STIX Domain Object (SDO) used to record relevant findings from open sources like forums, social media, news articles, or vendor blogs.

    • Task: A custom STIX Domain Object (SDO) allowing users to create and manage internal tasks or tickets related to intelligence analysis or response directly within the platform.

  • File & Image Attachments: A key enhancement in PIARA is the ability to attach relevant files (e.g., malware samples, source code snippets, reports) and/or images (e.g., screenshots, diagrams) directly to any STIX object instance. This allows for richer context and evidence to be stored alongside the structured threat data.

  • Object Publishing & Versioning: PIARA employs a specific lifecycle for STIX objects:

    • Only objects marked as "Published" are versioned.

    • Published objects are immutable; any modification creates a new, editable version while retaining the history.

    • Objects can be continuously enriched even after publishing; each enrichment produces a new version, and its modified timestamp indicates the latest update, so the intelligence remains current while earlier versions stay available.
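The lifecycle above, modelled as an added example that is not PIARA's implementation, using STIX 2.1's own versioning convention: a new version keeps the same id and created timestamp and carries a strictly later modified timestamp, and every earlier version is retained. Drafts are edited in place and never versioned; publishing freezes the object. The custom type name x-piara-news, the draft/publish method names and the sample content are assumptions made for the illustration.

```python
"""Draft -> Published -> new-version lifecycle for STIX objects (added illustration, not PIARA code)."""
import copy
import uuid
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def _ts(t: datetime) -> str:
    # STIX 2.1 timestamp: RFC 3339 in UTC with millisecond precision.
    return t.strftime(FMT)[:-4] + "Z"


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)


class ImmutableVersionError(Exception):
    """A fixed property of a published object was about to be changed."""


class ObjectStore:
    """Drafts are editable and unversioned; publishing starts an immutable version history."""

    def __init__(self):
        self.drafts: dict[str, dict] = {}
        self.versions: dict[str, list[dict]] = {}  # id -> versions, oldest first

    def create_draft(self, obj_type: str, **props) -> dict:
        ts = _ts(datetime.now(timezone.utc))
        obj = {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
               "created": ts, "modified": ts, **props}
        self.drafts[obj["id"]] = obj
        return obj

    def is_versioned(self, obj_id: str) -> bool:
        return obj_id in self.versions

    def publish(self, obj_id: str) -> dict:
        """Move a draft to the published store; the draft's final state becomes version 1."""
        obj = self.drafts.pop(obj_id)
        self.versions[obj_id] = [copy.deepcopy(obj)]
        return self.latest(obj_id)

    def latest(self, obj_id: str) -> dict:
        # Hand out copies only: callers must never be able to mutate a stored version.
        return copy.deepcopy(self.versions[obj_id][-1])

    def history(self, obj_id: str) -> list[dict]:
        return copy.deepcopy(self.versions.get(obj_id, []))

    def enrich(self, obj_id: str, **changes) -> dict:
        """Drafts change in place. Published objects get a new version: same id and created,
        a strictly later modified, and all previous versions retained."""
        for k in ("id", "type", "created", "spec_version"):
            if k in changes:
                raise ImmutableVersionError(f"'{k}' is fixed for the life of the object")
        if obj_id in self.drafts:
            self.drafts[obj_id].update(changes, modified=_ts(datetime.now(timezone.utc)))
            return self.drafts[obj_id]
        if obj_id not in self.versions:
            raise KeyError(obj_id)
        new = self.latest(obj_id)
        new.update(changes)
        now = datetime.now(timezone.utc)
        if _ts(now) <= new["modified"]:
            # Two edits inside one millisecond (or clock skew) must still order correctly.
            now = _parse(new["modified"]) + timedelta(milliseconds=1)
        new["modified"] = _ts(now)
        self.versions[obj_id].append(new)
        return copy.deepcopy(new)


if __name__ == "__main__":
    store = ObjectStore()
    # Assumed custom SDO type name for PIARA's News object; constructed sample content.
    news = store.create_draft("x-piara-news", name="Vendor blog: new loader variant",
                              description="first read-through")
    store.enrich(news["id"], description="added summary")   # draft edit: no version created
    store.publish(news["id"])                                # version 1
    store.enrich(news["id"], labels=["loader"])              # version 2
    store.enrich(news["id"], description="added IoCs")       # version 3
    for v in store.history(news["id"]):
        print(v["modified"], v.get("labels"), v["description"])
```

Two details matter for consumers: because every version shares one id, a downstream TAXII client that keys its store on id alone will silently overwrite history, so it should key on (id, modified); and because the store only ever hands out copies, code that forgets to call enrich() cannot corrupt a published version by accident.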

PIARA Components & Features

  • Workers (also called Feeders): PIARA modules that perform data processing and external interaction, such as translation, data enrichment, and ingesting or disseminating data. Ingestion and dissemination typically work by connecting to TAXII servers (including other PIARA instances) to synchronize STIX objects from specified TAXII Collections.

  • PiaraQL: PIARA's dedicated query language, designed to enable powerful and flexible searching and analysis across the structured STIX data, its relationships, and custom objects within the platform.

  • Open FAIR Risk Calculation: PIARA incorporates capabilities based on the Open FAIR (Factor Analysis of Information Risk) model, allowing users to perform quantitative risk analysis directly within the platform, often leveraging the collected threat intelligence.
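A worked example of the Open FAIR calculation, added here for illustration; it is not PIARA's risk engine. FAIR decomposes Risk into Loss Event Frequency (LEF) and Loss Magnitude (LM), with LEF = Threat Event Frequency (TEF) x Vulnerability; each factor is a three-point (minimum, most likely, maximum) estimate and the annualized loss is simulated with Monte Carlo, which is where collected threat intelligence feeds in (how often a given actor or TTP is actually observed drives TEF). The scenarios, the numbers and the choice of a triangular distribution are assumptions; FAIR tooling usually samples a PERT distribution and may model the number of events per year explicitly instead of multiplying expected values.

```python
"""Open FAIR risk calculation, simplified (added example, not PIARA's implementation)."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Estimate:
    """Three-point estimate (minimum, most likely, maximum); low == mode == high is a point value."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        # Triangular keeps the example dependency-free; FAIR tools typically use PERT here.
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Estimate    # Threat Event Frequency: threat events per year (TI: how often is this TTP seen?)
    vuln: Estimate   # Vulnerability: probability a threat event becomes a loss event, 0..1
    loss: Estimate   # Loss Magnitude per loss event (primary + secondary), in currency units


def annualized_loss(s: Scenario, rng: random.Random) -> float:
    """One Monte Carlo draw of FAIR's top-level product: LEF x LM, with LEF = TEF x Vuln."""
    tef = max(0.0, s.tef.sample(rng))
    vuln = min(1.0, max(0.0, s.vuln.sample(rng)))   # a probability, so clamp bad estimates
    lef = tef * vuln
    return lef * max(0.0, s.loss.sample(rng))


def simulate(s: Scenario, runs: int = 10_000, seed: int = 1) -> dict:
    """Summarise the simulated annualized loss exposure for one scenario."""
    rng = random.Random(seed)   # fixed seed: the same inputs give the same report
    losses = sorted(annualized_loss(s, rng) for _ in range(runs))
    pct = lambda p: losses[min(len(losses) - 1, int(p * len(losses)))]
    return {"scenario": s.name, "mean": statistics.fmean(losses),
            "p10": pct(0.10), "p50": pct(0.50), "p90": pct(0.90), "max": losses[-1]}


def rank(scenarios: list[Scenario], **kw) -> list[dict]:
    """Rank scenarios by the 90th percentile, the tail figure decision makers usually ask for."""
    return sorted((simulate(s, **kw) for s in scenarios), key=lambda r: r["p90"], reverse=True)


if __name__ == "__main__":
    # Constructed scenarios; the numbers illustrate the calculation and are not real estimates.
    phishing = Scenario("Credential phishing -> mailbox takeover",
                        tef=Estimate(12, 24, 60), vuln=Estimate(0.05, 0.10, 0.25),
                        loss=Estimate(5_000, 20_000, 150_000))
    ransomware = Scenario("Ransomware via exposed remote access",
                          tef=Estimate(0.5, 2, 6), vuln=Estimate(0.02, 0.05, 0.15),
                          loss=Estimate(100_000, 600_000, 3_000_000))
    for r in rank([phishing, ransomware]):
        print(f"{r['scenario']}: mean {r['mean']:,.0f}  p50 {r['p50']:,.0f}  p90 {r['p90']:,.0f}")
```

Reporting percentiles rather than a single expected value is the point of the exercise: two scenarios with similar means can have very different tails, and it is the p90 figure that tells you which one deserves the next control.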

PIARA Mesh & Data Federation

  • Supports data segregation through separate PIARA instances based on data ingestion methods (manual vs automated)

  • Ability to access and integrate data from multiple PIARA instances
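An added example, not PIARA's Worker code, of what the ingest side of a Worker has to get right when it synchronizes STIX from TAXII 2.1 collections on several servers, as when one PIARA instance pulls from others in a mesh: the TAXII media type, a per-(server, collection) added_after cursor advanced from the X-TAXII-Date-Added-Last response header, following the more/next pagination of the envelope, and collapsing objects that arrive from more than one instance under the same STIX id. The servers, collection IDs and objects are constructed; fake_fetch stands in for an HTTP GET so the code runs offline, and the sync logic is generic TAXII 2.1 client behaviour rather than PIARA's.

```python
"""Incremental TAXII 2.1 collection sync across several servers (added example, not PIARA code)."""
from typing import Callable

TAXII_MEDIA = "application/taxii+json;version=2.1"
PAGE_SIZE = 2   # small so the constructed data exercises pagination


def _obj(obj_type: str, n: int) -> dict:
    # Minimal constructed STIX objects; only 'type' and 'id' matter for the sync logic.
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{n:08x}-0000-4000-8000-000000000000"}


# Constructed in-memory servers: api_root -> collection id -> [(date_added, object), ...]
A = "https://piara-a.example/taxii2/api1"
B = "https://piara-b.example/taxii2/api1"
FAKE_SERVERS = {
    A: {"col-malware": [("2024-01-01T00:00:00.000Z", _obj("indicator", 1)),
                        ("2024-01-02T00:00:00.000Z", _obj("malware", 2)),
                        ("2024-01-03T00:00:00.000Z", _obj("indicator", 3))]},
    B: {"col-actors": [("2024-01-04T00:00:00.000Z", _obj("threat-actor", 4)),
                       ("2024-01-05T00:00:00.000Z", _obj("indicator", 3))]},  # same id as on A
}


def fake_fetch(url: str, params: dict, headers: dict) -> tuple[int, dict, dict]:
    """Stand-in for an HTTP GET of {api_root}/collections/{id}/objects/; returns
    (status, response headers, JSON body) with TAXII 2.1 envelope semantics."""
    if headers.get("Accept") != TAXII_MEDIA:
        return 406, {}, {"title": "Not Acceptable"}
    api_root, _, rest = url.partition("/collections/")
    coll = FAKE_SERVERS[api_root][rest.split("/")[0]]
    items = [it for it in coll if it[0] > params.get("added_after", "")]  # added_after is exclusive
    start = int(params.get("next", 0))   # 'next' is an opaque server token; here an offset
    page = items[start:start + PAGE_SIZE]
    more = start + PAGE_SIZE < len(items)
    body = {"more": more, "objects": [o for _, o in page]}
    if more:
        body["next"] = str(start + PAGE_SIZE)
    hdrs = {"Content-Type": TAXII_MEDIA}
    if page:
        hdrs["X-TAXII-Date-Added-First"] = page[0][0]
        hdrs["X-TAXII-Date-Added-Last"] = page[-1][0]
    return 200, hdrs, body


def sync_collection(fetch: Callable, api_root: str, coll_id: str, cursors: dict) -> list[dict]:
    """Pull every object added since the stored cursor; advance the cursor only after a full pass."""
    url = f"{api_root}/collections/{coll_id}/objects/"
    key = (api_root, coll_id)
    params = {"limit": PAGE_SIZE}
    if key in cursors:
        params["added_after"] = cursors[key]
    got, last_added = [], None
    while True:
        status, hdrs, body = fetch(url, params, {"Accept": TAXII_MEDIA})
        if status != 200:
            raise RuntimeError(f"{url}: HTTP {status} {body.get('title', '')}")
        got.extend(body.get("objects", []))
        last_added = hdrs.get("X-TAXII-Date-Added-Last", last_added)
        if not body.get("more"):
            break
        params["next"] = body["next"]
    if last_added:
        cursors[key] = last_added   # the next run asks only for objects added after this point
    return got


def sync_mesh(fetch: Callable, sources: dict, cursors: dict) -> dict:
    """Sync every (server, collection) pair; the same STIX id from two instances is one object."""
    merged = {}
    for api_root, coll_ids in sources.items():
        for coll_id in coll_ids:
            for o in sync_collection(fetch, api_root, coll_id, cursors):
                merged[o["id"]] = o
    return merged


if __name__ == "__main__":
    cursors = {}
    first = sync_mesh(fake_fetch, {A: ["col-malware"], B: ["col-actors"]}, cursors)
    print(len(first), "objects after the first sync;", cursors)
    again = sync_mesh(fake_fetch, {A: ["col-malware"], B: ["col-actors"]}, cursors)
    print(len(again), "new objects on the second sync")
```

The cursor is advanced only after the last page arrived, so a failure mid-way leaves it where it was and the next run re-pulls the partial batch rather than losing it; because TAXII objects are idempotent by (id, modified), re-pulling is safe. When the same id arrives from two instances with different modified timestamps, the merge step above keeps whichever was seen last; a real feeder should keep the later version, which is the rule the versioning section describes.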
