{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T15:56:04Z","timestamp":1774367764110,"version":"3.50.1"},"reference-count":129,"publisher":"Institute of Electrical and Electronics Engineers (IEEE)","issue":"4","license":[{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/ieeexplore.ieee.org\/Xplorehelp\/downloads\/license-information\/IEEE.html"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-029"},{"start":{"date-parts":[[2021,1,1]],"date-time":"2021-01-01T00:00:00Z","timestamp":1609459200000},"content-version":"stm-asf","delay-in-days":0,"URL":"https:\/\/doi.org\/10.15223\/policy-037"}],"funder":[{"DOI":"10.13039\/501100002347","name":"Federal Ministry of Education and Research, Germany, as a part of the BMBF DEVISE Project","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100002347","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100010667","name":"Union\u2019s Horizon 2020 Research and Innovation Program","doi-asserted-by":"publisher","award":["830927"],"award-info":[{"award-number":["830927"]}],"id":[{"id":"10.13039\/100010667","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IEEE Commun. Surv. Tutorials"],"published-print":{"date-parts":[[2021]]},"DOI":"10.1109\/comst.2021.3117338","type":"journal-article","created":{"date-parts":[[2021,10,5]],"date-time":"2021-10-05T00:07:21Z","timestamp":1633392441000},"page":"2525-2556","source":"Crossref","is-referenced-by-count":103,"title":["A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective"],"prefix":"10.1109","volume":"23","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4847-522X","authenticated-orcid":false,"given":"Daniel","family":"Schlette","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-4883-797X","authenticated-orcid":false,"given":"Marco","family":"Caselli","sequence":"additional","affiliation":[]},{"given":"Gunther","family":"Pernul","sequence":"additional","affiliation":[]}],"member":"263","reference":[{"key":"ref39","year":"2017","journal-title":"Integrated Adaptive Cyber Defense (IACD) Playbooks—A Specification for Defining Building and Employing Playbooks to Enable Cybersecurity Integration and Automation"},{"key":"ref38","year":"2018","journal-title":"COPS—Collaborative Open Playbook Standard"},{"key":"ref33","year":"2021","journal-title":"Executive Order 14028 of May 12 2021—Improving the Nation’s Cybersecurity"},{"key":"ref32","author":"zimmerman","year":"2014","journal-title":"Cybersecurity Operations Center"},{"key":"ref31","doi-asserted-by":"publisher","DOI":"10.21236\/ADA413778"},{"key":"ref30","doi-asserted-by":"publisher","DOI":"10.1109\/ACCESS.2020.3045514"},{"key":"ref37","year":"2021","journal-title":"CACAO Security Playbooks Version 1 0—Committee Specification 01"},{"key":"ref36","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2017.2781126"},{"key":"ref35","article-title":"2020 market guide for security orchestration, automation and response solutions","author":"neiva","year":"2020"},{"key":"ref34","author":"bromiley","year":"2019","journal-title":"Empowering incident response via automation"},{"key":"ref28","doi-asserted-by":"publisher","DOI":"10.1108\/13673270110384419"},{"key":"ref27","doi-asserted-by":"publisher","DOI":"10.1145\/1866835.1866850"},{"key":"ref29","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2014.102"},{"key":"ref20","article-title":"A common language for computer security incidents","author":"howard","year":"1998"},{"key":"ref22","doi-asserted-by":"publisher","DOI":"10.1145\/3305268"},{"key":"ref21","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2014.11.006"},{"key":"ref24","doi-asserted-by":"publisher","DOI":"10.21236\/ADA453378"},{"key":"ref23","first-page":"1","volume":"800","author":"cichonski","year":"2012","journal-title":"Computer Security Incident Handling Guide"},{"key":"ref101","doi-asserted-by":"publisher","DOI":"10.1093\/oso\/9780198841524.001.0001"},{"key":"ref26","first-page":"19","article-title":"A common process model for incident response and computer forensics","author":"freiling","year":"2007","journal-title":"Proc IT Incident Manage IT Forensics (IMF)"},{"key":"ref100","doi-asserted-by":"publisher","DOI":"10.23919\/ITUK48006.2019.8996148"},{"key":"ref25","volume":"3","author":"van bon","year":"2008","journal-title":"Foundations of IT Service Management Based on ITIL"},{"key":"ref50","year":"2020","journal-title":"STIX™ Version 2 1 Committee Specification 01"},{"key":"ref51","year":"2019","journal-title":"Common vulnerability scoring system version 3 1 Specification document"},{"key":"ref59","doi-asserted-by":"publisher","DOI":"10.3390\/electronics9050824"},{"key":"ref58","first-page":"1","article-title":"Human-as-a-security-sensor for harvesting threat intelligence","volume":"2","author":"vielberth","year":"2019","journal-title":"Cybersecurity"},{"key":"ref57","author":"dandurand","year":"2014","journal-title":"Standards and tools for exchange and processing of actionable information"},{"key":"ref56","first-page":"1","article-title":"Information sharing models for cooperative cyber defence","author":"hernandez-ardieta","year":"2013","journal-title":"Proc 5th Int Conf Cyber Conflict (CyCon)"},{"key":"ref55","first-page":"1","article-title":"Semantic potential of existing security advisory standards","author":"fenz","year":"2008","journal-title":"Proc 1st Conf Forum Incident Response Security Teams"},{"key":"ref54","year":"2020","journal-title":"Common Weakness Enumeration - a community-developed list of software weakness types"},{"key":"ref53","first-page":"9","article-title":"The development of a common enumeration of vulnerabilities and exposures","volume":"7","author":"baker","year":"1999","journal-title":"Proc 2nd Int Workshop Recent Adv Intrusion Detection"},{"key":"ref52","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.IR.7695"},{"key":"ref40","year":"2020","journal-title":"Open Command and Control (OpenC2) Language Specification Version 1 0—Committee Specification 02"},{"key":"ref4","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.09.001"},{"key":"ref3","doi-asserted-by":"publisher","DOI":"10.1109\/MILCOM.2008.4753203"},{"key":"ref6","doi-asserted-by":"publisher","DOI":"10.1109\/INM.2015.7140300"},{"key":"ref5","article-title":"Standards and tools for exchange and processing of actionable information","author":"dandurand","year":"2014"},{"key":"ref8","doi-asserted-by":"publisher","DOI":"10.1145\/2994539.2994542"},{"key":"ref49","article-title":"The trusted automated eXchange of indicator information (TAXII)","author":"connolly","year":"2014"},{"key":"ref7","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2017.10.009"},{"key":"ref9","first-page":"837","article-title":"Threat intelligence sharing platforms: An exploratory study of software vendors and research perspectives","author":"sauerwein","year":"2017","journal-title":"Proc 13th Int Conf Wirtschaftsinformatik (WI)"},{"key":"ref46","article-title":"MISP core format","author":"dulaunoy","year":"2020"},{"key":"ref45","article-title":"MITRE ATT&CK: Design and philosophy","author":"strom","year":"2018"},{"key":"ref48","year":"2020","journal-title":"STIX™ Version 2 1 Committee Specification 01"},{"key":"ref47","article-title":"Standardizing cyber threat intelligence information with the structured threat information eXpression (STIX): Version 1.1, revision 1","author":"barnum","year":"2014"},{"key":"ref42","doi-asserted-by":"publisher","DOI":"10.1109\/NCS.2018.00007"},{"key":"ref41","year":"2020","journal-title":"Framework Document"},{"key":"ref44","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"hutchins","year":"2011","journal-title":"Lead Issues Inf Warf Secur Res"},{"key":"ref43","doi-asserted-by":"publisher","DOI":"10.1109\/MCE.2019.2892220"},{"key":"ref127","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2011.11.002"},{"key":"ref126","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2009.06.010"},{"key":"ref125","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2019.2962586"},{"key":"ref124","year":"2020","journal-title":"RE&CT Framework Repository"},{"key":"ref73","year":"2016","journal-title":"The Dragos Platform"},{"key":"ref72","year":"2020","journal-title":"D3 SOAR—Security Orchestration and Automated Incident Response With MITRE ATT&CK"},{"key":"ref129","article-title":"2019 market guide for security orchestration, automation and response solutions","author":"neiva","year":"2019"},{"key":"ref71","year":"2020","journal-title":"Cortex XSOAR—Security Orchestration Automation and Response (SOAR)"},{"key":"ref128","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2015.01.014"},{"key":"ref70","year":"2020","journal-title":"Ayehu—Next-Gen IT Automation Platform Powered by AI"},{"key":"ref76","year":"2020","journal-title":"Helix Security Platform"},{"key":"ref77","year":"2020","journal-title":"IncMan SOAR—Automate"},{"key":"ref74","year":"2020","journal-title":"EclecticIQ—Threat Intelligence Powered Cybersecurity"},{"key":"ref75","year":"2020","journal-title":"FortiSOAR—Security Orchestration Automation and Response (SOAR)"},{"key":"ref78","year":"2020","journal-title":"Security Orchestration and Automation With InsightConnect"},{"key":"ref79","year":"2020","journal-title":"ONAP–Open Network Automation Platform"},{"key":"ref60","doi-asserted-by":"publisher","DOI":"10.3390\/fi12060108"},{"key":"ref62","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2019.101589"},{"key":"ref61","doi-asserted-by":"publisher","DOI":"10.24251\/HICSS.2020.239"},{"key":"ref63","year":"2020","journal-title":"Ansible is simple IT automation"},{"key":"ref64","year":"2011","journal-title":"Business Process Model and Notation (BPMN) Version 2 0 Specification"},{"key":"ref65","year":"2016","journal-title":"OpenDXL—Open Data Exchange Layer"},{"key":"ref66","doi-asserted-by":"publisher","DOI":"10.17487\/RFC8322"},{"key":"ref67","author":"cohen","year":"2017","journal-title":"AFF4 Standard V1 0"},{"key":"ref68","year":"2017","journal-title":"DFXML Schema Version 1 2 0"},{"key":"ref2","article-title":"Threat intelligence: Collecting, analysing, evaluating","author":"chismon","year":"2015"},{"key":"ref69","year":"2020","journal-title":"ArcSight SOAR"},{"key":"ref1","author":"mcmillan","year":"2013","journal-title":"Definition threat intelligence"},{"key":"ref109","doi-asserted-by":"publisher","DOI":"10.1109\/MC.2015.11"},{"key":"ref95","year":"2020","journal-title":"Virtual Cyber Fusion Solutions"},{"key":"ref108","first-page":"46","article-title":"Active cyber defense: A Vision for Real-Time Cyber Defense","volume":"13","author":"herring","year":"2014","journal-title":"J Inf Warfare"},{"key":"ref94","year":"2020","journal-title":"Tines—Security Orchestration Automation and Response (SOAR) Platform"},{"key":"ref107","year":"2016","journal-title":"Integrated Adaptive Cyber Defense (IACD) Baseline Reference Architecture"},{"key":"ref93","year":"2020","journal-title":"ThreatConnect - threat intelligence platform"},{"key":"ref106","author":"iyer","year":"2019","journal-title":"Security Orchestration for Dummies Demisto Special Edition"},{"key":"ref92","year":"2020","journal-title":"ThreatConnect - threat intelligence platform"},{"key":"ref105","year":"2020","journal-title":"Cortex XSOAR Platform—Content Repository"},{"key":"ref91","year":"2020","journal-title":"Swimlane—Security Orchestration Automation and Response Platform"},{"key":"ref104","year":"2020","journal-title":"Cortex XSOAR Platform Developer Documentation—Playbooks"},{"key":"ref90","year":"2020","journal-title":"TheHive & Cortex—A 4-in-1 Security Incident Response Platform"},{"key":"ref103","author":"puzis","year":"2020","journal-title":"ATHAFI Agile threat hunting and forensic investigation"},{"key":"ref102","year":"2020","journal-title":"CACAO Playbook Requirements Version 1 0—Committee Note Draft 01"},{"key":"ref111","doi-asserted-by":"publisher","DOI":"10.1002\/inst.12091"},{"key":"ref112","doi-asserted-by":"publisher","DOI":"10.1145\/2809826.2809827"},{"key":"ref110","first-page":"1","article-title":"Integrated adaptive cyberspace defense: Secure orchestration","author":"willett","year":"2015","journal-title":"Proc Int Command Control Res Technol Symp (ICCRTS)"},{"key":"ref98","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-184"},{"key":"ref99","doi-asserted-by":"publisher","DOI":"10.1109\/TEM.2020.2979832"},{"key":"ref96","year":"2020","journal-title":"WALKOFF"},{"key":"ref97","doi-asserted-by":"publisher","DOI":"10.1016\/S1353-4858(15)30026-X"},{"key":"ref10","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-020-00528-1"},{"key":"ref11","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.04.003"},{"key":"ref12","doi-asserted-by":"publisher","DOI":"10.1109\/EISIC.2017.20"},{"key":"ref13","doi-asserted-by":"publisher","DOI":"10.1145\/2994539.2994546"},{"key":"ref14","doi-asserted-by":"publisher","DOI":"10.1007\/s10207-020-00490-y"},{"key":"ref15","first-page":"851","article-title":"Reading the tea leaves: A comparative analysis of threat intelligence","author":"li","year":"2019","journal-title":"Proc 28th USENIX Security Symp (USENIX Security)"},{"key":"ref118","year":"2020","journal-title":"Specification for Transfer of OpenC2 Messages via HTTPS Version 1 0—Committee Specification 01"},{"key":"ref16","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2015.2494502"},{"key":"ref82","year":"2020","journal-title":"Resolve—Accelerate Security Incident Response With Automation and Orchestration"},{"key":"ref117","year":"2020","journal-title":"Open Command and Control (OpenC2) Profile for Stateless Packet Filtering Version 1 0—Committee Specification 01"},{"key":"ref17","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101867"},{"key":"ref81","year":"2020","journal-title":"IBM Resilient Security Orchestration Automation and Response (SOAR)"},{"key":"ref18","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-59291-2_7"},{"key":"ref84","author":"\u00e3deg\u00e3rdstuen","year":"2020","journal-title":"Shuffle SOAR"},{"key":"ref119","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101999"},{"key":"ref19","doi-asserted-by":"publisher","DOI":"10.1155\/2020\/8833765"},{"key":"ref83","year":"2020","journal-title":"SecOps—Enterprise Security Operations"},{"key":"ref114","year":"2017","journal-title":"Integrated Adaptive Cyber Defense (IACD) Orchestration Thin Specification"},{"key":"ref113","year":"2020","journal-title":"Shareable Automation and Orchestration Workflows for Scoring Sharing and Responding to Cyber Indicators of Compromise"},{"key":"ref116","year":"2017","journal-title":"Types of Content within an IACD Playbooks"},{"key":"ref80","year":"2020","journal-title":"Unit 42 Playbook Viewer"},{"key":"ref115","year":"2017","journal-title":"Introduction to Integrated Adaptive Cyber Defense (IACD) Playbooks"},{"key":"ref120","doi-asserted-by":"publisher","DOI":"10.1145\/3372823"},{"key":"ref89","year":"2020","journal-title":"Swimlane—Security Orchestration Automation and Response Platform"},{"key":"ref121","first-page":"251","article-title":"VISECO: An annotated security management framework for 5G","author":"thanh","year":"2018","journal-title":"Proc Int Conf Mobile Secure Program Netw"},{"key":"ref122","doi-asserted-by":"publisher","DOI":"10.1109\/CyberSA.2017.8073389"},{"key":"ref123","doi-asserted-by":"publisher","DOI":"10.1145\/3199478.3199490"},{"key":"ref85","year":"2020","journal-title":"Siemplify—Security Orchestration Automation & Response (SOAR) Platform"},{"key":"ref86","year":"2020","journal-title":"Soar platform"},{"key":"ref87","year":"2020","journal-title":"Honeycomb SOCAutomation"},{"key":"ref88","year":"2020","journal-title":"Splunk Phantom Security Orchestration & Automation"}],"container-title":["IEEE Communications Surveys & Tutorials"],"original-title":[],"link":[{"URL":"http:\/\/xplorestaging.ieee.org\/ielx7\/9739\/9621320\/09557787.pdf?arnumber=9557787","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,5,10]],"date-time":"2022-05-10T14:52:25Z","timestamp":1652194345000},"score":1,"resource":{"primary":{"URL":"https:\/\/ieeexplore.ieee.org\/document\/9557787\/"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021]]},"references-count":129,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.1109\/comst.2021.3117338","relation":{},"ISSN":["1553-877X","2373-745X"],"issn-type":[{"value":"1553-877X","type":"electronic"},{"value":"2373-745X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2021]]}}}