Overview
A threat intelligence analyst receives sighting reports of the same IP address from four different partner organisations over a 72-hour window. Individually, each report might not cross the threshold for action. Aggregated, the pattern is clear: the indicator is active, widely observed, and confidence is rising. The challenge is pulling those fragmented reports into a single view before the window for a defensive response closes.
SACTI Sighting Aggregation provides a specialised workflow for collecting, consolidating, and reviewing cyber threat intelligence sightings and associated indicators. It helps teams track total sightings, count unique indicators, and monitor average confidence so they can turn fragmented partner reporting into a coherent view of indicator relevance and prevalence.
Open Standards
- OASIS STIX 2.1: Sighting records are modelled as STIX Sighting Domain Objects (SDOs), indicator identifiers follow the STIX 2.1 ID format, and inbound bundles are parsed and exported as conformant STIX 2.1 bundle JSON.
- OASIS TAXII 2.1: The platform polls remote TAXII 2.1 collection endpoints (including paginated object retrieval via the `X-TAXII-Date-Added-Last` header) to ingest STIX bundles that feed the sighting aggregation pipeline.
- MISP (Malware Information Sharing Platform) Event Format: Indicators sourced from MISP feeds are ingested and normalised into the sighting store; aggregated results can be pushed back to MISP instances as MISP events for distribution.
- TLP (Traffic Light Protocol): STIX `object_marking_refs` TLP marking-definition IDs (WHITE, GREEN, AMBER, AMBER+STRICT, RED, CLEAR) are mapped to access-control secrecy levels, governing how sighting data is filtered and shared across partner organisations.
- GraphQL: All sighting submission and aggregation queries are exposed through a typed GraphQL API (queries `sactiSightings`, `sactiAggregation`, `sactiStats`; mutation `submitSactiSighting`), with field-level authentication enforced per operation.
- OAuth 2.0 Bearer Token (RFC 6750): Remote SACTI API calls authenticate using a Bearer token in the `Authorization` header, following the OAuth 2.0 token usage specification.
- JSON (RFC 8259): All sighting payloads, STIX bundles, and SACTI REST API request/response bodies are serialised as JSON, the canonical interchange format throughout the pipeline.
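The TAXII 2.1 polling and Bearer-token authentication described in the list above, as an added example in Python; this is not SACTI's own code. The collection URL, the token and the in-memory fake server are constructed so the example runs offline. The pagination loop follows the `added_after` query parameter and the `X-TAXII-Date-Added-Last` response header, bounds the number of pages, and refuses to keep polling a server that reports more objects without advancing the cursor.

```python
import json
from typing import Callable, Dict, List, Tuple

TAXII_MEDIA_TYPE = "application/taxii+json;version=2.1"

# Injectable transport: (url, request headers) -> (status, response headers, body).
# A real deployment wraps an HTTP client here; the example injects a fake server.
Transport = Callable[[str, Dict[str, str]], Tuple[int, Dict[str, str], bytes]]


def poll_collection(objects_url: str, token: str, transport: Transport,
                    added_after: str = "", max_pages: int = 100) -> List[dict]:
    """Fetch every object added after `added_after`, following TAXII 2.1 pagination.

    Each envelope carries a `more` flag; while it is true, the server's
    X-TAXII-Date-Added-Last response header becomes the next `added_after`
    value. `max_pages` bounds the loop so a misbehaving server cannot spin
    the poller forever.
    """
    headers = {
        "Accept": TAXII_MEDIA_TYPE,
        "Authorization": f"Bearer {token}",  # RFC 6750 bearer token usage
    }
    collected: List[dict] = []
    for _ in range(max_pages):
        url = objects_url + (f"?added_after={added_after}" if added_after else "")
        status, resp_headers, body = transport(url, headers)
        if status != 200:
            # Do not echo the token or the body into the error: logs get shared.
            raise RuntimeError(f"TAXII poll of {objects_url} failed with HTTP {status}")
        envelope = json.loads(body)
        collected.extend(envelope.get("objects", []))
        if not envelope.get("more"):
            return collected
        last_added = resp_headers.get("X-TAXII-Date-Added-Last")
        if not last_added or last_added == added_after:
            raise RuntimeError("server reported more=true without advancing the cursor")
        added_after = last_added
    raise RuntimeError(f"pagination did not terminate within {max_pages} pages")


# --- Constructed fake TAXII server so the example runs offline ---------------
FAKE_URL = "https://taxii.example.invalid/api1/collections/demo/objects/"  # hypothetical
FAKE_TOKEN = "example-token-not-a-real-credential"                         # constructed


def _obj(n: int) -> dict:
    # Constructed STIX indicator stub; only the id matters for the example.
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--0a1b2c3d-0000-4000-8000-{n:012x}"}


# added_after cursor -> (envelope to return, X-TAXII-Date-Added-Last header to return)
_FAKE_PAGES = {
    "": ({"more": True, "objects": [_obj(1), _obj(2)]}, "2026-04-01T10:00:00.000Z"),
    "2026-04-01T10:00:00.000Z": ({"more": False, "objects": [_obj(3)]},
                                  "2026-04-01T11:00:00.000Z"),
}


def fake_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Minimal stand-in for a TAXII 2.1 server: checks the bearer token, serves two pages."""
    if headers.get("Authorization") != f"Bearer {FAKE_TOKEN}":
        return 401, {}, b'{"title": "Unauthorized"}'
    _, _, cursor = url.partition("?added_after=")
    if cursor not in _FAKE_PAGES:
        return 404, {}, b'{"title": "Not Found"}'
    envelope, last_added = _FAKE_PAGES[cursor]
    return 200, {"Content-Type": TAXII_MEDIA_TYPE,
                 "X-TAXII-Date-Added-Last": last_added}, json.dumps(envelope).encode()


def stuck_transport(url: str, headers: Dict[str, str]) -> Tuple[int, Dict[str, str], bytes]:
    """Misbehaving server: always says more=true but never moves the cursor."""
    envelope = {"more": True, "objects": [_obj(9)]}
    return 200, {"X-TAXII-Date-Added-Last": "2026-04-01T10:00:00.000Z"}, json.dumps(envelope).encode()


if __name__ == "__main__":
    for obj in poll_collection(FAKE_URL, FAKE_TOKEN, fake_transport):
        print(obj["id"])
```

The transport is injected rather than hard-wired to an HTTP library so the pagination and error handling can be exercised against the fake server; swapping in a real client only changes `fake_transport`.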
Last Reviewed: 2026-03-25 Last Updated: 2026-04-14
Key Features
- Sighting Aggregation: Combines multiple indicator sightings from internal and partner sources into a single operational view, removing the need to cross-reference separate reporting channels manually.
- Unique Indicator Tracking: Shows how many distinct indicators are represented across the collected sightings, distinguishing breadth of reporting from raw volume.
- Confidence Monitoring: Surfaces average confidence to help analysts judge the strength of the aggregated sighting picture before deciding on escalation or distribution.
- Indicator-Centric Workflow: Keeps the focus on operational indicator handling rather than generic reporting or static lists.
- Threat Intelligence Support: Fits naturally into threat-intelligence and cyber-response operations alongside MISP feeds and indicator enrichment pipelines.
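How the three metrics from the Key Features list (total sightings, unique indicators, average confidence) can be computed from STIX 2.1 sighting objects while honouring the TLP marking mapping described under Open Standards, as an added example in Python; this is not SACTI's own code. The bundle, its identifiers and the secrecy-level ordering are constructed assumptions. The four TLP marking-definition IDs are the ones fixed by the STIX 2.1 specification; the TLP 2.0 CLEAR and AMBER+STRICT definitions the page lists would be added to the same table. Unmarked or unrecognised markings fail closed, and a sighting whose `sighting_of_ref` is not a well-formed indicator ID is rejected before it can become a key in the aggregate.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# STIX 2.1 identifier shape: <object-type>--<UUID>
STIX_ID_RE = re.compile(
    r"^[a-z0-9][a-z0-9-]{0,250}--"
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)

# TLP 1.0 marking-definition IDs fixed by the STIX 2.1 specification (section 7.2.1).
# The TLP 2.0 CLEAR and AMBER+STRICT definitions the page lists go in the same table.
TLP_MARKINGS = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": "WHITE",
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": "GREEN",
    "marking-definition--f88d31f6-dbdf-4a9b-a51b-a09b8dc8eb0e": "AMBER",
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": "RED",
}
# Assumed secrecy ordering for this example: a higher level is more restricted.
SECRECY = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def secrecy_of(sighting: dict) -> int:
    """Most restrictive TLP level on the object. Unmarked objects and unknown
    marking IDs fail closed to RED rather than leaking at the lowest level."""
    refs = sighting.get("object_marking_refs") or []
    if not refs:
        return SECRECY["RED"]
    return max(SECRECY[TLP_MARKINGS.get(ref, "RED")] for ref in refs)


def aggregate(bundle: dict, max_level: str) -> dict:
    """Roll up sighting objects visible at `max_level` into SACTI-style metrics."""
    ceiling = SECRECY[max_level]
    per_indicator: Dict[str, dict] = defaultdict(lambda: {"sightings": 0, "observers": set()})
    confidences: List[int] = []
    rejected: List[str] = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "sighting":
            continue
        ref = obj.get("sighting_of_ref", "")
        # Validate the referenced ID before it is used as a key or shown to analysts.
        if not ref.startswith("indicator--") or not STIX_ID_RE.match(ref):
            rejected.append(obj.get("id", "<no id>"))
            continue
        if secrecy_of(obj) > ceiling:
            continue  # withheld by TLP: invisible at this access level, not an error
        entry = per_indicator[ref]
        entry["sightings"] += int(obj.get("count", 1))
        entry["observers"].update(obj.get("where_sighted_refs", []))
        if "confidence" in obj:
            confidences.append(int(obj["confidence"]))
    avg: Optional[float] = round(sum(confidences) / len(confidences), 1) if confidences else None
    return {
        "total_sightings": sum(e["sightings"] for e in per_indicator.values()),
        "unique_indicators": len(per_indicator),
        "average_confidence": avg,
        "per_indicator": {k: {"sightings": v["sightings"], "observers": len(v["observers"])}
                          for k, v in per_indicator.items()},
        "rejected": rejected,
    }


# --- Constructed sample bundle: four partners sight one indicator, one RED sighting
# of a second indicator, and one record with a malformed reference ---------------
TLP_WHITE = "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
TLP_AMBER = "marking-definition--f88d31f6-dbdf-4a9b-a51b-a09b8dc8eb0e"
TLP_RED = "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed"
IND_A = "indicator--0a1b2c3d-0000-4000-8000-00000000000a"
IND_B = "indicator--0a1b2c3d-0000-4000-8000-00000000000b"


def _sighting(n: int, ref: str, confidence: int, marking: str, count: int = 1) -> dict:
    # Constructed sighting from partner identity n (hypothetical IDs).
    return {"type": "sighting", "spec_version": "2.1",
            "id": f"sighting--0a1b2c3d-0000-4000-8000-{n:012x}",
            "created": "2026-04-01T00:00:00.000Z", "modified": "2026-04-01T00:00:00.000Z",
            "sighting_of_ref": ref, "confidence": confidence, "count": count,
            "where_sighted_refs": [f"identity--0a1b2c3d-0000-4000-8000-{n:012x}"],
            "object_marking_refs": [marking]}


SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--0a1b2c3d-0000-4000-8000-0000000000ff",
    "objects": [
        _sighting(1, IND_A, 60, TLP_WHITE),
        _sighting(2, IND_A, 70, TLP_AMBER, count=2),
        _sighting(3, IND_A, 80, TLP_AMBER),
        _sighting(4, IND_A, 90, TLP_WHITE),
        _sighting(5, IND_B, 50, TLP_RED),
        {"type": "sighting", "id": "sighting--0a1b2c3d-0000-4000-8000-000000000006",
         "sighting_of_ref": "indicator--not-a-valid-id", "confidence": 99},
    ],
}

if __name__ == "__main__":
    print(aggregate(SAMPLE_BUNDLE, "AMBER"))
```

Running the same bundle at different access levels shows why the TLP mapping sits inside the aggregation rather than in front of the display layer: an AMBER-cleared consumer sees one indicator with four observers and an average confidence of 75, while only a RED-cleared one sees the second indicator and the lower combined average.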
Use Cases
- Indicator Validation: Threat-intelligence teams compare repeated sightings to determine whether an indicator deserves elevation or wider distribution.
- Crowdsourced Reporting Consolidation: Organisations aggregate incoming sighting reports from multiple internal or partner sources into a single view for faster analysis.
- Confidence-Based Prioritisation: Analysts use aggregate confidence to prioritise which indicators merit deeper investigation or defensive action.
- Threat Trend Monitoring: Teams monitor whether the same indicator family is appearing repeatedly across the reporting base, identifying coordinated campaigns.
Integration
- Threat-intelligence indicator workflows
- Sighting submission and review processes
- Cyber and CERT workbenches
- Indicator enrichment and dissemination pipelines