Define an intrusion set

  • Release version: Australia
  • Updated March 12, 2026
  • Define an intrusion set, which is a grouped set of adversarial behaviors and resources with common properties.

    Before you begin

    Role required: sn_ti.admin

    Procedure

    1. Navigate to All > Threat Intelligence > IoC Repository > Intrusion Set.
    2. Click New.
    3. Complete the fields in the form as appropriate.
      Field: Description
      Name: Enter a descriptive name to identify the intrusion set.
      First Seen: The time that this intrusion set was first seen performing malicious activities.
      Last Seen: The time that this intrusion set was last seen performing malicious activities.
      Primary Motivation: The primary reason, motivation, or purpose behind this intrusion set. The motivation is why the intrusion set wants to achieve the goal (what they are trying to achieve).

        For example, an intrusion set with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.

      Resource Level: Specifies the organizational level at which this intrusion set typically works, which in turn determines the resources available for use in an attack.
      Source: Specifies the threat source from which this record is created.
      Description: A description that provides more details and context about the intrusion set, potentially including its purpose and its key characteristics.
      Aliases: Alternative names to identify this intrusion set.
      Goals: The high-level goals of this intrusion set, namely, what they are trying to do.

        For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific campaigns that have detailed objectives like compromising point of sale systems at a large retailer.

      Source ID: Unique identifier for this object in the threat source.
      Created Time in Source: Specifies the time the object is created in the source.
      Modified Time in Source: Specifies the time the object is modified in the source.
    4. Click Submit.
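
    The form fields above line up with the properties of a STIX 2.1 intrusion-set object. The following added example (not ServiceNow code) checks such an object and lays its values out under the form labels before data entry. The mapping in FIELD_MAP and the sample object are assumptions constructed for illustration.

```python
from datetime import datetime

# STIX 2.1 open vocabularies: attack-motivation-ov and attack-resource-level-ov.
MOTIVATIONS = {"accidental", "coercion", "dominance", "ideology", "notoriety",
               "organizational-gain", "personal-gain", "personal-satisfaction",
               "revenge", "unpredictable"}
RESOURCE_LEVELS = {"individual", "club", "contest", "team", "organization",
                   "government"}

# Assumption: how STIX properties line up with the form labels on this page.
FIELD_MAP = {"name": "Name", "first_seen": "First Seen", "last_seen": "Last Seen",
             "primary_motivation": "Primary Motivation",
             "resource_level": "Resource Level", "description": "Description",
             "aliases": "Aliases", "goals": "Goals", "id": "Source ID",
             "created": "Created Time in Source",
             "modified": "Modified Time in Source"}

def _ts(value):
    # STIX timestamps are RFC 3339 UTC strings ending in "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def to_form_fields(obj):
    """Check a STIX 2.1 intrusion-set dict; return (form_values, problems)."""
    problems = []
    if obj.get("type") != "intrusion-set":
        problems.append("type is not intrusion-set")
    if not obj.get("name"):
        problems.append("name is missing")
    if "first_seen" in obj and "last_seen" in obj:
        if _ts(obj["last_seen"]) < _ts(obj["first_seen"]):
            problems.append("last_seen is earlier than first_seen")
    for prop, vocab in (("primary_motivation", MOTIVATIONS),
                        ("resource_level", RESOURCE_LEVELS)):
        if prop in obj and obj[prop] not in vocab:
            problems.append(f"{prop} '{obj[prop]}' is outside the suggested vocabulary")
    values = {label: obj[prop] for prop, label in FIELD_MAP.items() if prop in obj}
    return values, problems

# Constructed sample, modelled on the credit-card example in the Goals field.
SAMPLE = {
    "type": "intrusion-set", "spec_version": "2.1",
    "id": "intrusion-set--00000000-0000-4000-8000-000000000001",
    "created": "2024-01-10T09:00:00Z", "modified": "2024-02-01T09:00:00Z",
    "name": "Constructed Example Set", "aliases": ["Example Alias"],
    "first_seen": "2023-05-01T00:00:00Z", "last_seen": "2024-01-31T00:00:00Z",
    "goals": ["steal credit card numbers"],
    "primary_motivation": "personal-gain", "resource_level": "organization",
}
if __name__ == "__main__":
    print(to_form_fields(SAMPLE))
```

    The two vocabularies are open in STIX 2.1, so a value outside them is reported for review rather than treated as invalid.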

    What to do next

    Click any of the following related lists to view additional information about objects associated with the intrusion set.
    Related Links and Related Lists: Description
    Show Relationships: Opens the STIX Visualizer where you can view the relationship of the STIX object.

      Show Relationships appears only when the object has an associated object.

    External References: Lists external references which refer to non-STIX information. This property is used to provide one or more external object identifiers.
    Associated Attack Motivations: Lists any secondary motivations behind what this intrusion set wants to achieve.
    Attack Patterns: Lists the attack patterns that help categorize attacks that are associated with this object.
    Campaigns: Lists campaigns associated with this object.
    Identities: Lists identities associated with this object.
    Indicators: Lists related Indicators of Compromise (IoC) that have been identified by the threat source associated with this object.
    Locations: Lists locations that provide geographic context to this object.
    Malware: Lists malicious code associated with this object.
    Threat Actors: Lists individuals, groups, or organizations who act with malicious intent associated with this object.
    Tools: Lists legitimate software that is used by threat actors to perform attacks associated with this object.
    Vulnerabilities: Lists weaknesses or defects in software or hardware that attackers exploit and that are associated with this object.