diff --git a/CHANGELOG.md b/CHANGELOG.md
index 312467efa..48c187d53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -53,10 +53,16 @@ Thankyou! -->
1. Added `fix_coverage` as `string_t` and `fix_coverage_id` as `int_t`. #1350
1. Added `eid`, `iccid`, and `meid` as `string_t`. #1346
1. Added `is_backed_up`, `is_mobile_account_active`, and `is_shared` as `boolean_t`. #1346
+ 1. Added `detection_pattern_type` an `detection_pattern_type_id` as a `string_t` and `int_t` respectively. #1310
+ 1. Added `external_id` as an `string_t`. #1310
+ 1. Added `intrusion_sets` as an array `string_t`. #1310
+ 1. Added `uploaded_time` as an `timestamp_t`. #1310
1. Added `isp_org` as `string_t`. #1351
* #### Objects
1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343
1. Added `node`, `edge`, `graph` objects. #1343
+ 1. Added `camapign` object #1310
+ 1. Added `threat_actor` object #1310
### Improved
* #### Event Classes
@@ -76,6 +82,7 @@ Thankyou! -->
1. Added `is_backed_up` to `resource_details`. #1346
1. Added `isp`, `isp_org` to `network_endpoint` & `whois` objects. #1351
1. Reduced requirement of `standards` to recommended in the `compliance` object. #1352
+ 1. Added `campaign`, `category`, `created_time`, `creator`, `desc`, `expiration_time`, `external_id`, `labels`, `malware`, `modified_time`, `name`, `detection_pattern`, `detection_pattern_type`, `detection_pattern_type_id`, `intrusion_sets`, `risk_score`, `references`, `uploaded_time`, `severity`, `uid` and `threat_actor` to `osint` object. #1310
### Deprecated
1. Deprecated usage of `isp` attribute in the `location` object. #1351
diff --git a/dictionary.json b/dictionary.json
index 66ec7c3e9..cee787057 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -525,6 +525,11 @@
"type": "string_t",
"is_array": true
},
+ "campaign": {
+ "caption": "Campaign",
+ "description": "The campaign object describes details about the campaign that was the source of the activity.",
+ "type": "campaign"
+ },
"caption": {
"caption": "Caption",
"description": "A short description or caption of the device. For example: Scanner 1
or Database Manager
.",
@@ -1560,6 +1565,45 @@
"description": "Specific pattern, algorithm, fingerprint, or model used for detection.",
"type": "string_t"
},
+ "detection_pattern_type": {
+ "caption": "Detection Pattern",
+ "description": "The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.",
+ "type": "string_t"
+ },
+ "detection_pattern_type_id": {
+ "caption": "Detection Pattern Type ID",
+ "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.",
+ "sibling": "detection_pattern_type",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped."
+ },
+ "1": {
+ "caption": "STIX"
+ },
+ "2": {
+ "caption": "PCRE"
+ },
+ "3": {
+ "caption": "SIGMA"
+ },
+ "4": {
+ "caption": "Snort"
+ },
+ "5": {
+ "caption": "Suricata"
+ },
+ "6": {
+ "caption": "YARA"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The detection pattern type is not mapped. See the detection_pattern_type
attribute, which contains a data source specific value."
+ }
+ }
+ },
"detection_system": {
"caption": "Detection System",
"description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
@@ -2193,6 +2237,11 @@
"type": "extension",
"is_array": true
},
+ "external_id": {
+ "caption": "External ID",
+ "description": "A unique identifier assigned by an external system for cross-referencing.",
+ "type": "string_t"
+ },
"factor_type": {
"caption": "Factor Type",
"description": "The type of authentication factor used in an authentication attempt.",
@@ -2668,6 +2717,12 @@
"description": "The impact as an integer value of the finding, valid range 0-100.",
"type": "integer_t"
},
+ "intrusion_sets": {
+ "caption": "Intrusion Sets",
+ "description": "A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.",
+ "type": "string_t",
+ "is_array": true
+ },
"injection_type": {
"caption": "Injection Type",
"description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -5437,6 +5492,11 @@
"description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
"type": "string_t"
},
+ "threat_actor": {
+ "caption": "Threat Actor",
+ "description": "The Threat Actor object describes the characteristics and metadata of a threat actor.",
+ "type": "threat_actor"
+ },
"ttl": {
"caption": "TTL",
"description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
@@ -5536,6 +5596,11 @@
"description": "The size in bytes of an attribute before truncation. See specific usage.",
"type": "integer_t"
},
+ "uploaded_time": {
+ "caption": "Uploaded Time",
+ "description": "The timestamp at which an entity was uploaded. See specific usage.",
+ "type": "timestamp_t"
+ },
"url": {
"caption": "URL",
"description": "The URL object that pertains to the event or object. See specific usage.",
diff --git a/objects/campaign.json b/objects/campaign.json
new file mode 100644
index 000000000..46703cd62
--- /dev/null
+++ b/objects/campaign.json
@@ -0,0 +1,12 @@
+{
+ "caption": "Campaign",
+ "description": "Campaign represent organized efforts by threat actors to achieve malicious objectives over a period, often characterized by shared tactics, techniques, and procedures (TTPs).",
+ "extends": "object",
+ "name": "campaign",
+ "attributes": {
+ "name": {
+ "description": "The name of a specific campaign associated with a cyber threat.",
+ "requirement": "required"
+ }
+ }
+}
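Review bot: The `description` on line 150 has a grammar error ("Campaign represent ... over a period"); suggest `"description": "A campaign represents an organized effort by threat actors to achieve malicious objectives over a period of time, often characterized by shared tactics, techniques, and procedures (TTPs).",`. The object exposes only a required `name`, so two feeds that label the same campaign differently cannot be correlated and a bare string name is a weak key; consider also exposing the `uid` and `external_id` dictionary attributes as optional here, as this same change does for `osint`, so consumers have a stable identifier to join on.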
diff --git a/objects/osint.json b/objects/osint.json
index f74f3ac69..0f4d5e1a9 100644
--- a/objects/osint.json
+++ b/objects/osint.json
@@ -30,6 +30,25 @@
"description": "The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
"requirement": "recommended"
},
+ "campaign": {
+ "requirement": "optional"
+ },
+ "category": {
+ "description": "Categorizes the threat indicator based on its functional or operational role.",
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "The timestamp when the indicator was initially created or identified.",
+ "requirement": "optional"
+ },
+ "creator": {
+ "description": "The identifier of the user, system, or organization that contributed the indicator.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "A detailed explanation of the indicator, including its context, purpose, and relevance.",
+ "requirement": "optional"
+ },
"email": {
"caption": "Related Email",
"description": "Any email information pertinent to an indicator or OSINT analysis.",
@@ -40,19 +59,54 @@
"description": "Any email authentication information pertinent to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "expiration_time": {
+ "description": "The expiration date of the indicator, after which it is no longer considered reliable.",
+ "requirement": "optional"
+ },
+ "external_id": {
+ "requirement": "optional"
+ },
"file": {
"caption": "Related File",
"description": "Any pertinent file information related to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "detection_pattern": {
+ "description": "The specific detection pattern or signature associated with the indicator.",
+ "requirement": "optional"
+ },
+ "detection_pattern_type": {
+ "requirement": "optional"
+ },
+ "detection_pattern_type_id": {
+ "requirement": "optional"
+ },
+ "intrusion_sets": {
+ "requirement": "optional"
+ },
"kill_chain": {
"description": "Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "labels": {
+ "description": "Tags or keywords associated with the indicator to enhance searchability.",
+ "requirement": "optional"
+ },
"location": {
"description": "Any pertinent geolocation information related to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "malware": {
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The timestamp of the last modification or update to the indicator.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The name of the OSINT object.",
+ "requirement": "optional"
+ },
"related_analytics": {
"caption": "Related Analytics",
"description": "Any analytics related to an indicator or OSINT analysis.",
@@ -62,11 +116,23 @@
"description": "Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.",
"requirement": "optional"
},
+ "risk_score": {
+ "description": "A numerical representation of the threat indicator’s risk or confidence level.",
+ "requirement": "optional"
+ },
+ "references": {
+ "description": "Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.",
+ "requirement": "optional"
+ },
"script": {
"caption": "Related Script Data",
"description": "Any pertinent script information related to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "severity": {
+ "description": "Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.",
+ "requirement": "optional"
+ },
"signatures": {
"caption": "Related Digital Signatures",
"description": "Any digital signatures or hashes related to an indicator or OSINT analysis.",
@@ -86,6 +152,9 @@
"description": "A CIDR or network block related to an indicator or OSINT analysis.",
"requirement": "optional"
},
+ "threat_actor": {
+ "requirement": "optional"
+ },
"tlp": {
"caption": "Traffic Light Protocol",
"description": "The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
@@ -193,6 +262,14 @@
},
"requirement": "required"
},
+ "uid": {
+ "description": "The unique identifier for the OSINT object.",
+ "requirement": "optional"
+ },
+ "uploaded_time": {
+ "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.",
+ "requirement": "optional"
+ },
"value": {
"caption": "Indicator",
"description": "The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
diff --git a/objects/threat_actor.json b/objects/threat_actor.json
new file mode 100644
index 000000000..3e722b4ae
--- /dev/null
+++ b/objects/threat_actor.json
@@ -0,0 +1,44 @@
+{
+ "caption": "Threat Actor",
+ "description": "Threat actor is responsible for the observed malicious activity.",
+ "extends": "object",
+ "name": "threat_actor",
+ "attributes": {
+ "name": {
+ "description": "The name of the threat actor.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Threat Actor Type",
+ "description": "The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Threat Actor Type ID",
+ "description": "The normalized datastore resource type identifier.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The threat actor type is unknown."
+ },
+ "1": {
+ "caption": "Nation-state"
+ },
+ "2": {
+ "caption": "Cybercriminal"
+ },
+ "3": {
+ "caption": "Hacktivists"
+ },
+ "4": {
+ "caption": "Insider"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The threat actor type is not mapped."
+ }
+ }
+ }
+ }
+ }
\ No newline at end of file
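Review bot: The `type_id` description on line 317, "The normalized datastore resource type identifier.", is a copy-paste from another object and is wrong for a threat actor; suggest `"description": "The normalized threat actor type identifier.",`. The `Other` description on line 338 omits the pointer to the sibling string that `detection_pattern_type_id` in this same change includes; suggest `"description": "The threat actor type is not mapped. See the type attribute, which contains a data source specific value."`. Caption `Hacktivists` on line 331 is plural while the other enum captions are singular (`"caption": "Hacktivist"`), and the file lacks a trailing newline.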