Abstract: Examples disclosed herein relate to source entities of security indicators. Some examples disclosed herein enable identifying, in a security information sharing platform, a security indicator that is originated from a source entity where the security indicator comprises an observable. Some examples further enable determining a reliability level of the source entity based on at least one of: security events, sightings of the observable, a first set of user feedback information that is submitted for the security indicator by users of the security information sharing platform, or a second set of user feedback information that is collected from external resources that are external to the security information sharing platform.

Abstract: Examples disclosed herein relate to strength of associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform, an association between a security indicator comprising an observable, and a data record. Some examples may further enable determining strength of the association between the security indicator and the data record based on at least one of: a likelihood of change in the association; a creator of the association; an aging rate of the association; or a quality of evidence that supports the association.

Abstract: Examples disclosed herein relate to visualization of associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform, an association between a first data record comprising a security indicator, and a second data record. Some examples may further enable providing a visual representation of the first data record, the second data record, and the association, wherein the first data record represents a first node in the visual representation, the second data record represents a second node in the visual representation, and the association represents an edge that connects the first node and the second node.

Abstract: In one example in accordance with the present disclosure, a method for threat score determination includes detecting a change in malicious activity for a security object. The method also includes identifying an indicator that provides contextual information for the security object and determining a linked resource that is associated with a database record of the security object. The method also includes determining a first threat score associated with the security object and determining a relationship between the linked resource and the security object. The method also includes determining a second threat score associated with the linked resource based on the indicator, the threat score of the linked object and the relationship between the linked resource and the security object.

Abstract: Examples disclosed herein relate to source entities of security indicators. Some examples disclosed herein enable identifying, in a security information sharing platform, a security indicator that is originated from a source entity where the security indicator comprises an observable. Some examples further enable determining a reliability level of the source entity based on at least one of: security events, sightings of the observable, a first set of user feedback information that is submitted for the security indicator by users of the security information sharing platform, or a second set of user feedback information that is collected from external resources that are external to the security information sharing platform.

Abstract: Examples disclosed herein relate to associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform that enables sharing of security information among a plurality of users, an association between a first security indicator comprising a first observable and a first data record based on sightings of the first observable by at least one source entity associated with the first data record. Some examples may further enable obtaining a search query that specifies the first security indicator, and identifying a set of data records that satisfy the search query. The set of data records may include the first data record.

Abstract: Examples relate to collaborative security lists. The examples disclosed herein enable obtaining a first candidate entry suggested by a first user of a community to be included in a collaborative security list. The collaborative security list may comprise a list of entries known to be secure or a list of entries known to be insecure. The examples disclosed herein further enable providing a candidate security list comprising at least the first candidate entry to the community and obtaining, from a second user of the community, a first score indicating how confident the second user is that the first candidate entry is secure. The examples disclosed herein further enable determining whether to include the first candidate entry in the collaborative security list based on the first score.

Abstract: Examples disclosed herein relate to sharing of community-based security information. Some examples may enable generating a first community on a security information sharing platform that enables sharing of security information among a plurality of communities; obtaining a first security indicator from a first user of the first community; providing the first security indicator to the first community; obtaining contextual information related to the first security indicator from a second user of the first community; including the first security indicator and the contextual information related to the first security indicator in the security information of the first community; and encrypting a portion of the security information of the first community with an encryption key, wherein the encryption key is unavailable to users outside of the first community.

Abstract: Examples disclosed herein relate to alerts for communities of a security information sharing platform. Some examples may enable obtaining a security indicator from a user of a first community of a security information sharing platform that enables sharing of security information among a plurality of communities; including the security indicator in community-based security information associated with the first community, the first security indicator comprising a first observable; sharing the first security indicator with the security information sharing platform; obtaining, from the security information sharing platform, information related to sightings of the first observable; and providing a first alert to the first community based on the information related to the sightings of the first observable.

Abstract: According to an example, security indicator linkage determination may include parsing input data that is used to determine a plurality of sequences of steps that are involved in attacks. A linkage selected from temporal, spatial, and/or behavioral linkages may be applied to the parsed input data to determine the plurality of sequences of steps. A security indicator that is related to a potential attack may be received. The plurality of sequences of steps may be used to determine whether the security indicator matches a step in one of the plurality of sequences of steps. In response to a determination that the security indicator matches a step in one of the plurality of sequences of steps, linkage between the security indicator and another security indicator from the one of the plurality of sequences of steps that are involved in the attacks may be identified.

Abstract: Examples disclosed herein relate to visualization of associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform, an association between a first data record comprising a security indicator, and a second data record. Some examples may further enable providing a visual representation of the first data record, the second data record, and the association, wherein the first data record represents a first node in the visual representation, the second data record represents a second node in the visual representation, and the association represents an edge that connects the first node and the second node.

Abstract: Examples disclosed herein relate to strength of associations among data records in a security information sharing platform, Some examples may enable creating, in the security information sharing platform, an association between a security indicator comprising an observable, and a data record. Some examples may further enable determining strength of the association between the security indicator and the data record based on at least one of: a likelihood of change in the association; a creator of the association; an aging rate of the association; or a quality of evidence that supports the association.

Abstract: Examples disclosed herein relate to sharing of community-based security information. Some examples may enable generating a first community on a security information sharing platform that enables sharing of security information among a plurality of communities; obtaining a first security indicator from a first user of the first community; providing the first security indicator to the first community; obtaining contextual information related to the first security indicator from a second user of the first community; including the first security indicator and the contextual information related to the first security indicator in the security information of the first community; and encrypting a portion of the security information of the first community with an encryption key, wherein the encryption key is unavailable to users outside of the first community.

Abstract: In one example in accordance with the present disclosure, a method for threat score determination includes detecting a change in malicious activity for a security object. The method also includes identifying an indicator that provides contextual information for the security object and determining a linked resource that is associated with a database record of the security object. The method also includes determining a first threat score associated with the security object and determining a relationship between the linked resource and the security object. The method also includes determining a second threat score associated with the linked resource based on the indicator, the threat score of the linked object and the relationship between the linked resource and the security object.

Abstract: Examples disclosed herein relate to associations among data records in a security information sharing platform. Some examples may enable creating, in the security information sharing platform that enables sharing of security information among a plurality of users, an association between a first security indicator comprising a first observable and a first data record based on sightings of the first observable by at least one source entity associated with the first data record. Some examples may further enable obtaining a search query that specifies the first security indicator, and identifying a set of data records that satisfy the search query. The set of data records may include the first data record.

Abstract: Examples disclosed herein relate to alerts for communities of a security information sharing platform. Some examples may enable obtaining a security indicator from a user of a first community of a security information sharing platform that enables sharing of security information among a plurality of communities; including the security indicator in community-based security information associated with the first community, the first security indicator comprising a first observable; sharing the first security indicator with the security information sharing platform; obtaining, from the security information sharing platform, information related to sightings of the first observable; and providing a first alert to the first community based on the information related to the sightings of the first observable.

Abstract: Examples relate to collaborative security lists. The examples disclosed herein enable obtaining a first candidate entry suggested by a first user of a community to be included in a collaborative security list. The collaborative security list may comprise a list of entries known to be secure or a list of entries known to be insecure. The examples disclosed herein further enable providing a candidate security list comprising at least the first candidate entry to the community and obtaining, from a second user of the community, a first score indicating how confident the second user is that the first candidate entry is secure. The examples disclosed herein further enable determining whether to include the first candidate entry in the collaborative security list based on the first score.

Abstract: According to an example, security indicator linkage determination may include parsing input data that is used to determine a plurality of sequences of steps that are involved in attacks. A linkage selected from temporal, spatial, and/or behavioral linkages may be applied to the parsed input data to determine the plurality of sequences of steps. A security indicator that is related to a potential attack may be received. The plurality of sequences of steps may be used to determine whether the security indicator matches a step in one of the plurality of sequences of steps. In response to a determination that the security indicator matches a step in one of the plurality of sequences of steps, linkage between the security indicator and another security indicator from the one of the plurality of sequences of steps that are involved in the attacks may be identified.