Threat Intelligence Analysis Enhancement System

Build a system that enriches threat intelligence events with analytical context and implements indicator decay tracking.

Context

Security analysts need to collaborate on threat intelligence events by adding their analysis notes, confidence ratings, and observations. Additionally, indicators of compromise (IOCs) lose relevance over time, so implementing decay scoring helps prioritize fresher intelligence.

Requirements

Your system must implement the following capabilities:

1. Add Analyst Notes

   • Accept an event identifier and note text
   • Attach the note to the specified event
   • Each note should be stored as analyst data

2. Record Analyst Opinions

   • Accept an event identifier and a confidence rating (0-100 scale)
   • Attach the opinion to the specified event
   • Higher ratings indicate higher confidence in the threat intelligence

3. Attach Narrative Reports

   • Accept an event identifier and report content
   • Create a structured report associated with the event
   • Reports should contain the narrative text describing the threat analysis

4. Query with Decay Scoring

   • Search for attributes with decay scores included
   • Filter results to show only non-decayed indicators
   • Return the decay score alongside each attribute

Implementation Notes

• All operations require a connection to a threat intelligence platform instance
• Event identifiers are integer IDs
• Notes and report content are plain text strings
• Opinion ratings must be integers between 0 and 100
• Decay scoring requires model configuration on the platform side

Dependencies { .dependencies }

pymisp { .dependency }

Python library for interacting with MISP threat intelligence platform.

Test Cases

Test 1: Add analyst note to event @test

Input:

• event_id: 42
• note_text: "Confirmed C2 server still active as of analysis date"

Expected behavior:

• Note is successfully attached to event 42
• Function returns success status or created note object

Test 2: Record analyst opinion with high confidence @test

Input:

• event_id: 42
• opinion_rating: 85

Expected behavior:

• Opinion with value 85 is attached to event 42
• Function returns success status or created opinion object

Test 3: Create narrative report for event @test

Input:

• event_id: 42
• report_content: "This campaign targets financial institutions using phishing emails with malicious attachments. The threat actor demonstrates intermediate capabilities."

Expected behavior:

• Report is created and associated with event 42
• Function returns success status or created report object

Test 4: Search attributes with decay scoring @test

Input:

• Search parameters indicating decay scores should be included
• Filter for attributes that have not decayed

Expected behavior:

• Results include decay score information for each attribute
• Only non-decayed attributes are returned
• Each result shows the decay score value