Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

1309 osint extension #1310

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

1309 osint extension #1310

wants to merge 6 commits into from

Conversation

PavelJurka
Copy link
Contributor

@PavelJurka PavelJurka commented Jan 9, 2025
edited
Loading

Related Issue:

#1309

Description of changes:

We want to use the OSINT profile for threat intelligence, however there are some fields missing from what we currently have. We should align naming to STIX.

@PavelJurka PavelJurka marked this pull request as draft January 9, 2025 13:27
@PavelJurka PavelJurka marked this pull request as ready for review January 9, 2025 14:29
@pagbabian-splunk pagbabian-splunk added enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.4.0 Changes marked for the upcoming version 1.4.0 labels Jan 14, 2025
@jonrau-at-queryai
Copy link
Contributor

As per the discussion today, we should push this off until 1.5.0. There is a mixture of STIX and vendor-specific (S1) concepts in here that clash with the more genericized incarnation of OSINT.

I feel the schema does either require a specific campaign object, a STIX Extension, or we create a separate CTI/Threat Intel Profile/Object that is either standalone or extends OSINT.

@jonrau-at-queryai jonrau-at-queryai added v1.5.0 Items to be considered for OCSF v1.5.0 and removed v1.4.0 Changes marked for the upcoming version 1.4.0 labels Jan 14, 2025
davemcatcisco
davemcatcisco requested changes Jan 22, 2025
View reviewed changes
@PavelJurka
extending osint profile
b1bcc88 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
@PavelJurka
extending osint profile
ea7ad80 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
@PavelJurka
extending osint profile
aef006b 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
@PavelJurka
extending osint profile
023431d 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
@PavelJurka
Copy link
Contributor Author

As per the discussion today, we should push this off until 1.5.0. There is a mixture of STIX and vendor-specific (S1) concepts in here that clash with the more genericized incarnation of OSINT.

I feel the schema does either require a specific campaign object, a STIX Extension, or we create a separate CTI/Threat Intel Profile/Object that is either standalone or extends OSINT.

Hello @jonrau-at-queryai and @mikeradka - Is this PR acceptable or what is the way you would accept? Thank you very much!

@zelienka
Copy link

I see two potential issues here:

  1. detection_pattern_type_id should STIX patterns; i.e., stix, pcre, sigma, snort, suricata, yara.
  2. create a campaign object and use that

I don't see any other vendor specific concepts.

Would these changes help?

@zelienka
Copy link

we create a separate CTI/Threat Intel Profile/Object that is either standalone or extends OSINT.

Semantically, what would be the difference between CTI and OSINT?

@PavelJurka
extending osint profile
77d0641 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
@PavelJurka
extending osint profile
14d7571 
Issue-1304: Remove 'domains' attribute from 'email' object (ocsf#1305)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@floydtree floydtree Awaiting requested review from floydtree floydtree is a code owner

@pagbabian-splunk pagbabian-splunk Awaiting requested review from pagbabian-splunk pagbabian-splunk is a code owner

@Aniak5 Aniak5 Awaiting requested review from Aniak5 Aniak5 is a code owner

@mikeradka mikeradka Awaiting requested review from mikeradka mikeradka is a code owner

@zschmerber zschmerber Awaiting requested review from zschmerber zschmerber is a code owner

@jonrau-at-queryai jonrau-at-queryai Awaiting requested review from jonrau-at-queryai jonrau-at-queryai is a code owner

@davemcatcisco davemcatcisco Awaiting requested review from davemcatcisco davemcatcisco is a code owner

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
enhancement New feature or request non_breaking Non Breaking, backwards compatible changes v1.5.0 Items to be considered for OCSF v1.5.0
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@PavelJurka @jonrau-at-queryai @zelienka @davemcatcisco @pagbabian-splunk