Investigation: Cluster Multiple APT Reports
Draft
Level: Complex Platform Workflows
Goal: Assess whether several reports belong to one campaign cluster.
Real-Life Scenario
Three reports from different sources describe similar targeting and malware, and the CTI team needs to determine whether they form a campaign cluster.
When To Use This
Use this workflow when several reports must be assessed together across multiple AdversaryGraph modules and the resulting cluster verdict has to stay traceable to the evidence in each report.
Steps
- Create a campaign workspace.
- Analyze each report separately and store results.
- Normalize report metadata, dates, sectors, and source labels.
- Compare reports for shared and unique TTPs.
- Compare IOCs across reports and enrich shared observables.
- Compare combined TTPs against known actors and campaigns.
- Separate generic TTP overlap (techniques common to many actors, such as spearphishing attachments or PowerShell execution) from distinctive procedures; shared generic techniques alone do not support a cluster verdict, so weight distinctive procedures and shared observables far more heavily.
- Open actor profiles for likely matches and review timeline/sector fit.
- Create one combined Navigator layer and one layer per report.
- Write a cluster assessment: related, possibly related, or unrelated.
- Export campaign evidence and matrix layers.
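The comparison, weighting and layer-building steps above, carried through on constructed data as an added example. This is not AdversaryGraph code or output: the report labels, TTP sets, observables (drawn from RFC 5737 / RFC 2606 reserved ranges), the list of generic techniques, and the weights and verdict thresholds are all assumptions chosen to illustrate the method. The Navigator layer is emitted in the ATT&CK Navigator layer JSON shape; the version fields are placeholders to adjust for your Navigator instance.

```python
"""Score pairwise report overlap so that generic TTPs do not drive a cluster
verdict, and keep every signal tagged with the report that supplied it."""
from collections import Counter
from itertools import combinations
import json

# Constructed sample reports (labels, sectors, TTPs and IOCs are invented).
REPORTS = {
    "vendorA-2024-03": {
        "sectors": {"energy"},
        "ttps": {"T1566.001", "T1059.001", "T1071.001", "T1105",
                 "T1574.002", "T1218.011", "T1003.001"},
        "iocs": {"203.0.113.10", "sync-cdn.example"},
    },
    "vendorB-2024-05": {
        "sectors": {"energy", "utilities"},
        "ttps": {"T1566.001", "T1059.001", "T1071.001", "T1574.002",
                 "T1218.011", "T1041"},
        "iocs": {"203.0.113.10", "sync-cdn.example"},
    },
    "isac-2024-06": {
        "sectors": {"manufacturing"},
        "ttps": {"T1566.002", "T1059.001", "T1105", "T1574.002",
                 "T1486", "T1021.001"},
        "iocs": {"198.51.100.7", "files.example"},
    },
}

# Techniques used by so many actors that sharing them says little (assumed
# list; derive yours from technique frequency across the Group Library).
GENERIC_TTPS = {"T1566.001", "T1566.002", "T1059.001", "T1071.001", "T1105",
                "T1027", "T1003.001", "T1041"}

# Assumed weights: a shared observable outweighs a distinctive procedure,
# which outweighs a generic technique by an order of magnitude.
W_DISTINCTIVE, W_GENERIC, W_IOC = 1.0, 0.1, 2.0
RELATED_MIN, POSSIBLE_MIN = 3.0, 1.0  # assumed verdict thresholds


def compare_pair(a, b, reports=REPORTS):
    """Return overlap evidence and a verdict for two report labels."""
    ra, rb = reports[a], reports[b]
    shared = ra["ttps"] & rb["ttps"]
    distinctive = sorted(shared - GENERIC_TTPS)
    generic = sorted(shared & GENERIC_TTPS)
    iocs = sorted(ra["iocs"] & rb["iocs"])
    score = (W_DISTINCTIVE * len(distinctive) + W_GENERIC * len(generic)
             + W_IOC * len(iocs))
    if not distinctive and not iocs:
        verdict = "unrelated"  # generic overlap alone is never evidence
    elif score >= RELATED_MIN:
        verdict = "related"
    elif score >= POSSIBLE_MIN:
        verdict = "possibly related"
    else:
        verdict = "unrelated"
    # Every accepted signal stays attached to the reports that supplied it.
    evidence = ([f"{t} distinctive procedure shared by {a}, {b}" for t in distinctive]
                + [f"{t} generic technique shared by {a}, {b}" for t in generic]
                + [f"{i} observable shared by {a}, {b}" for i in iocs])
    return {
        "pair": (a, b),
        "distinctive_shared": distinctive,
        "generic_shared": generic,
        "shared_iocs": iocs,
        "unique_ttps": {a: sorted(ra["ttps"] - rb["ttps"]),
                        b: sorted(rb["ttps"] - ra["ttps"])},
        "sector_fit": bool(ra["sectors"] & rb["sectors"]),
        "score": round(score, 2),
        "verdict": verdict,
        "evidence": evidence,
    }


def cluster(reports=REPORTS):
    """Compare every pair of reports; the analyst reviews one verdict per pair."""
    return [compare_pair(a, b, reports) for a, b in combinations(sorted(reports), 2)]


def navigator_layer(name, labels, reports=REPORTS):
    """Build a Navigator layer: score = number of reports citing the technique,
    comment = which reports, so the matrix stays traceable to its sources."""
    counts = Counter(t for lab in labels for t in reports[lab]["ttps"])
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "4.9.1", "layer": "4.5"},  # placeholder versions
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": t, "score": n,
             "comment": "seen in: " + ", ".join(
                 sorted(lab for lab in labels if t in reports[lab]["ttps"]))}
            for t, n in sorted(counts.items())
        ],
    }


if __name__ == "__main__":
    for r in cluster():
        print(f"{r['pair']}: {r['verdict']} (score {r['score']}, sector fit {r['sector_fit']})")
        for line in r["evidence"]:
            print("   ", line)
    # One combined layer plus one layer per report, as the workflow asks.
    layers = [navigator_layer("campaign-combined", sorted(REPORTS))]
    layers += [navigator_layer(lab, [lab]) for lab in sorted(REPORTS)]
    print(json.dumps(layers[0], indent=2))
```

On the constructed data the two vendor reports come out related (two distinctive procedures plus two shared observables), while the ISAC report is only possibly related to each of them: it shares one distinctive procedure but no infrastructure, and its sector does not match. The `evidence` list and the per-technique `comment` field are what make the result reviewable; drop them and the verdict is an opaque score.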
Expected Result
Campaign clustering assessment with report-to-report and actor comparison evidence.
Review Notes
- Keep source labels and evidence attached to every accepted result.
- Treat actor matches, enrichment hits, and matrix overlap as analytical signals until corroborated.
- Export only reviewed findings for customer, SOC, detection engineering, or executive use.
Platform Areas Used
- Operations / Pipeline
- AI Analysis
- ATT&CK Group Library
- IOC Library
- VirusTotal / OTX / ThreatFox / Malpedia enrichment where configured
- Reference Sync
- Navigator matrix
- PDF, JSON, CSV, STIX, and Navigator exports as needed