# Conceptual Guide

This guide introduces the core concepts, standards, terminology, and methodologies used within the PIARA platform. Understanding these concepts will help you effectively utilize the platform and interpret the intelligence it provides.

## Core Standards and Objects

* **STIX:** PIARA uses the [STIX™ (Structured Threat Information eXpression)](https://oasis-open.github.io/cti-documentation/stix/intro.html) standard as its core data schema for representing threat intelligence objects and their relationships.
* **TAXII Collections:** Within PIARA (and generally in TAXII), Collections represent thematic groupings of STIX data shared via a TAXII server (e.g., "Malware IoCs," "Threat Actor Profiles"). Objects can belong to multiple collections.
* **Reports:** A common STIX object used in PIARA. Reports are narrative documents that group related STIX objects (like Indicators, Malware, Threat Actors) to describe a specific event, threat, or analysis finding (e.g., "Analysis of Campaign XYZ"). A report typically contains a curated set of STIX objects relevant to its narrative (e.g., a report on "Operation Stealthy Badger" might include specific indicators, malware and TTPs). STIX objects within a report can also exist independently or in other collections/reports.
* **Reusability:** STIX objects are atomic and can be reused across different analytical contexts (e.g., the same Indicator appearing in multiple Reports).
* **Relationships:** Relationships between objects are explicitly defined and tracked (e.g., linking specific `malware` to the `threat-actor` that uses it, or an `indicator` to a `campaign`).
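
As an added example (not PIARA's own code), the Python sketch below builds a small STIX 2.1 bundle from plain dictionaries to show a Report grouping objects by reference, the same Indicator reused in two Reports, and Relationship objects linking them. All ids, names and the pattern are constructed sample data, and the helper names (`sdo`, `reports_containing`, `related`, `dangling_refs`) are hypothetical.

```python
# Constructed sample data: every id, name and pattern below is made up.
TS = "2024-01-01T00:00:00.000Z"

def sdo(type_, n, **props):
    """Build a minimal STIX 2.1 object with a fixed, constructed UUID."""
    return {"type": type_, "spec_version": "2.1",
            "id": f"{type_}--00000000-0000-4000-8000-{n:012d}",
            "created": TS, "modified": TS, **props}

actor = sdo("threat-actor", 1, name="Example Actor")
malware = sdo("malware", 2, name="ExampleRAT", is_family=False)
indicator = sdo("indicator", 3, pattern_type="stix", valid_from=TS,
                pattern="[domain-name:value = 'c2.example.com']")
uses = sdo("relationship", 4, relationship_type="uses",
           source_ref=actor["id"], target_ref=malware["id"])
indicates = sdo("relationship", 5, relationship_type="indicates",
                source_ref=indicator["id"], target_ref=malware["id"])
# A report groups objects purely by id reference, so objects stay reusable.
report_a = sdo("report", 6, name="Analysis of Campaign XYZ", published=TS,
               object_refs=[actor["id"], malware["id"], indicator["id"],
                            uses["id"], indicates["id"]])
# Second report reuses the same indicator and cites one object held elsewhere.
report_b = sdo("report", 7, name="Weekly IoC digest", published=TS,
               object_refs=[indicator["id"],
                            "malware--00000000-0000-4000-8000-000000000099"])

bundle = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
          "objects": [actor, malware, indicator, uses, indicates, report_a, report_b]}

def reports_containing(bundle, object_id):
    """Names of every report whose object_refs include object_id."""
    return sorted(o["name"] for o in bundle["objects"]
                  if o["type"] == "report" and object_id in o["object_refs"])

def related(bundle, object_id):
    """(relationship_type, source id) for each relationship targeting object_id."""
    return [(o["relationship_type"], o["source_ref"]) for o in bundle["objects"]
            if o["type"] == "relationship" and o["target_ref"] == object_id]

def dangling_refs(bundle):
    """(referrer id, missing id) pairs for references not present in the bundle.
    STIX permits these; the consumer has to fetch the object from elsewhere."""
    known = {o["id"] for o in bundle["objects"]}
    missing = []
    for o in bundle["objects"]:
        refs = list(o.get("object_refs", []))
        refs += [o[k] for k in ("source_ref", "target_ref") if k in o]
        missing += [(o["id"], r) for r in refs if r not in known]
    return missing
```

Running `dangling_refs` on a bundle pulled from one collection shows which referenced objects still need to be retrieved from another collection or report before the narrative is complete.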

## PIARA Data Concepts

While PIARA uses STIX as its core data model, it includes several enhancements and custom objects to better meet specific intelligence needs and workflows.

* **Custom STIX Objects:** To capture specific intelligence types, PIARA extends STIX with custom objects:
  * **News:** A custom STIX Domain Object (SDO) used to record relevant findings from open sources like forums, social media, news articles, or vendor blogs.
  * **Task:** A custom STIX Domain Object (SDO) allowing users to create and manage internal tasks or tickets related to intelligence analysis or response directly within the platform.
* **File & Image Attachments:** A key enhancement in PIARA is the ability to attach relevant **files** (e.g., malware samples, source code snippets, reports) and/or **images** (e.g., screenshots, diagrams) directly to *any* STIX object instance. This allows for richer context and evidence to be stored alongside the structured threat data.
* **Object Publishing & Versioning:** PIARA employs a specific lifecycle for STIX objects:
  * Only objects marked as "Published" are versioned.
  * Published objects are immutable; any modification creates a new, editable version while retaining the history.
  * Objects can be continuously enriched even after publishing; the timestamp indicates the latest update, ensuring intelligence remains current.

## PIARA Components & Features

* **Workers (AKA Feeders):** PIARA modules that provide data processing and external interaction capabilities (e.g., translation, data enrichment, and ingesting or disseminating data, typically by connecting to TAXII servers, including other PIARA instances, to synchronize STIX objects from specified TAXII Collections).
* **PiaraQL:** PIARA's dedicated query language, designed to enable powerful and flexible searching and analysis across the structured STIX data, its relationships, and custom objects within the platform.
* **Open FAIR Risk Calculation:** PIARA incorporates capabilities based on the Open FAIR (Factor Analysis of Information Risk) model, allowing users to perform quantitative risk analysis directly within the platform, often leveraging the collected threat intelligence.

## PIARA Mesh & Data Federation

* Supports data segregation through separate PIARA instances based on data ingestion methods (manual vs. automated).
* Provides the ability to access and integrate data from multiple PIARA instances.

