From b1bcc883f42aa80adac822cec5b09eeb3de4e965 Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Wed, 26 Feb 2025 14:45:31 +0100 Subject: [PATCH 1/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- CHANGELOG.md | 7 ++++ dictionary.json | 56 +++++++++++++++++++++++++++++ objects/campaign.json | 12 +++++++ objects/osint.json | 76 +++++++++++++++++++++++++++++++++++++++ objects/threat_actor.json | 44 +++++++++++++++++++++++ 5 files changed, 195 insertions(+) create mode 100644 objects/campaign.json create mode 100644 objects/threat_actor.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 312467efa..48c187d53 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -53,10 +53,16 @@ Thankyou! --> 1. Added `fix_coverage` as `string_t` and `fix_coverage_id` as `int_t`. #1350 1. Added `eid`, `iccid`, and `meid` as `string_t`. #1346 1. Added `is_backed_up`, `is_mobile_account_active`, and `is_shared` as `boolean_t`. #1346 + 1. Added `detection_pattern_type` an `detection_pattern_type_id` as a `string_t` and `int_t` respectively. #1310 + 1. Added `external_id` as an `string_t`. #1310 + 1. Added `intrusion_sets` as an array `string_t`. #1310 + 1. Added `uploaded_time` as an `timestamp_t`. #1310 1. Added `isp_org` as `string_t`. #1351 * #### Objects 1. Added `assessment` object to capture evaluations/assessments of configurations/signals. #1343 1. Added `node`, `edge`, `graph` objects. #1343 + 1. Added `camapign` object #1310 + 1. Added `threat_actor` object #1310 ### Improved * #### Event Classes 
@@ -76,6 +82,7 @@ Thankyou! --> 1. Added `is_backed_up` to `resource_details`. #1346 1. Added `isp`, `isp_org` to `network_endpoint` & `whois` objects. #1351 1. Reduced requirement of `standards` to recommended in the `compliance` object. #1352 + 1. Added `campaign`, `category`, `created_time`, `creator`, `desc`, `expiration_time`, `external_id`, `labels`, `malware`, `modified_time`, `name`, `detection_pattern`, `detection_pattern_type`, `detection_pattern_type_id`, `intrusion_sets`, `risk_score`, `references`, `uploaded_time`, `severity`, `uid` and `threat_actor` to `osint` object. #1310 ### Deprecated 1. Deprecated usage of `isp` attribute in the `location` object. #1351 diff --git a/dictionary.json b/dictionary.json index 66ec7c3e9..1950da2c7 100644 --- a/dictionary.json +++ b/dictionary.json @@ -525,6 +525,11 @@ "type": "string_t", "is_array": true }, + "campaign": { + "caption": "Campaign", + "description": "The campaign object describes details about the campaign that was the source of the activity.", + "type": "campaign" + }, "caption": { "caption": "Caption", "description": "A short description or caption of the device. For example: Scanner 1 or Database Manager.", 
@@ -1560,6 +1565,36 @@
 "description": "Specific pattern, algorithm, fingerprint, or model used for detection.",
 "type": "string_t"
 },
+ "detection_pattern_type": {
+ "caption": "Detection Pattern",
+ "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.",
+ "type": "string_t"
+ },
+ "detection_pattern_type_id": {
+ "caption": "Detection Pattern Type ID",
+ "description": "The normalised identifier of the detection pattern type.",
+ "sibling": "detection_pattern_type",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped."
+ },
+ "1": {
+ "caption": "Behavioral analysis"
+ },
+ "2": {
+ "caption": "Static indicators"
+ },
+ "3": {
+ "caption": "Heuristic methods"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of detection pattern type."
+ }
+ }
+ },
 "detection_system": {
 "caption": "Detection System",
 "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
@@ -2193,6 +2228,11 @@
 "type": "extension",
 "is_array": true
 },
+ "external_id": {
+ "caption": "External ID",
+ "description": "A unique identifier assigned by an external system for cross-referencing.",
+ "type": "string_t"
+ },
 "factor_type": {
 "caption": "Factor Type",
 "description": "The type of authentication factor used in an authentication attempt.",
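Review bot: The new `detection_pattern_type` entry carries `"caption": "Detection Pattern"`, which is the caption of the existing `detection_pattern` attribute whose definition opens just above this hunk, so the two will be indistinguishable in generated documentation and UIs; none of the later patches in this series corrects it. It should read `"caption": "Detection Pattern Type",` to pair with `"Detection Pattern Type ID"` the way the sibling is named. In the second hunk, `external_id` is by definition assigned by someone else's system, so it is only unique within that system; the description should say so, e.g. `"A unique identifier assigned by an external system for cross-referencing. It is unique only within the assigning system and should be scoped by its source before being used as a key."`, so consumers do not join on it as if it were global.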
@@ -2668,6 +2708,12 @@
 "description": "The impact as an integer value of the finding, valid range 0-100.",
 "type": "integer_t"
 },
+ "intrusion_sets": {
+ "caption": "Intrusion Sets",
+ "description": "A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.",
+ "type": "string_t",
+ "is_array": true
+ },
 "injection_type": {
 "caption": "Injection Type",
 "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -5437,6 +5483,11 @@
 "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
 "type": "string_t"
 },
+ "threat_actor": {
+ "caption": "Threat Actor",
+ "description": "The Threat Actor object describes the characteristics and metadata of a threat actor.",
+ "type": "threat_actor"
+ },
 "ttl": {
 "caption": "TTL",
 "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
@@ -5536,6 +5587,11 @@
 "description": "The size in bytes of an attribute before truncation. See specific usage.",
 "type": "integer_t"
 },
+ "uploaded_time": {
+ "caption": "Uploaded Time",
+ "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.",
+ "type": "timestamp_t"
+ },
 "url": {
 "caption": "URL",
 "description": "The URL object that pertains to the event or object. See specific usage.",
diff --git a/objects/campaign.json b/objects/campaign.json
new file mode 100644
index 000000000..760e31ea7
--- /dev/null
+++ b/objects/campaign.json
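Review bot: `intrusion_sets` is inserted ahead of `injection_type`, but the surrounding dictionary entries are kept in alphabetical order (the `impact` entry closes just above, `injection_type` follows), so `int…` belongs after the `inj…` entries, not before them; the `threat_actor` and `uploaded_time` insertions in the other two hunks do land in sorted position. Since the description says an intrusion set is "a grouping … under a common label", it would help to state what the array elements are, e.g. append `Each element is the name of one intrusion set.` to the description, so producers do not emit identifiers in one feed and names in another.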
@@ -0,0 +1,12 @@
+{
+ "caption": "Campaign",
+ "description": "Campaign represent organized efforts by threat actors to achieve malicious objectives over a period, often characterized by shared tactics, techniques, and procedures (TTPs).",
+ "extends": "object",
+ "name": "campaign",
+ "attributes": {
+ "name": {
+ "description": "The name of a specific campaign associated with a cyber threat.",
+ "requirement": "optional"
+ }
+ }
+}
diff --git a/objects/osint.json b/objects/osint.json
index f74f3ac69..9636d1701 100644
--- a/objects/osint.json
+++ b/objects/osint.json
@@ -30,6 +30,25 @@
 "description": "The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
 "requirement": "recommended"
 },
+ "campaign": {
+ "requirement": "optional"
+ },
+ "category": {
+ "description": "Categorizes the threat indicator based on its functional or operational role.",
+ "requirement": "optional"
+ },
+ "created_time": {
+ "description": "The timestamp when the indicator was initially created or identified.",
+ "requirement": "optional"
+ },
+ "creator": {
+ "description": "The identifier of the user, system, or organization that contributed the indicator.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "A detailed explanation of the indicator, including its context, purpose, and relevance.",
+ "requirement": "optional"
+ },
 "email": {
 "caption": "Related Email",
 "description": "Any email information pertinent to an indicator or OSINT analysis.",
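Review bot: The new `campaign` object exposes only a free-text `name`, which is a weak correlation key: the same campaign is routinely named differently by different vendors, and two unrelated campaigns can share a name, so consumers joining OSINT records on `campaign.name` alone will mis-correlate. Consider adding a `uid` attribute (optional) so a feed can carry its stable campaign identifier alongside the display name, as the `osint` object itself does later in this series. The object description also has a grammar slip; `"A campaign represents an organized effort by threat actors to achieve malicious objectives over a period of time, often characterized by shared tactics, techniques, and procedures (TTPs)."` reads correctly.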
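Review bot: The `creator` override describes the value as "The identifier of the user, system, or organization that contributed the indicator", but the override does not set a type, so the attribute inherits whatever `creator` is declared as in dictionary.json (not shown in this diff); if that declaration is an object such as a user rather than a string, the word "identifier" is misleading and "system, or organization" may not be representable. Either confirm the dictionary type matches and reword to `"The user, system, or organization that contributed the indicator."`, or give the override an explicit string type. The other four additions only restate requirement/description and look fine.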
@@ -40,19 +59,54 @@
 "description": "Any email authentication information pertinent to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "expiration_time": {
+ "description": "The expiration date of the indicator, after which it is no longer considered reliable.",
+ "requirement": "optional"
+ },
+ "external_id": {
+ "requirement": "optional"
+ },
 "file": {
 "caption": "Related File",
 "description": "Any pertinent file information related to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "detection_pattern": {
+ "description": "The specific detection pattern or signature associated with the indicator.",
+ "requirement": "optional"
+ },
+ "detection_pattern_type": {
+ "requirement": "optional"
+ },
+ "detection_pattern_type_id": {
+ "requirement": "optional"
+ },
+ "intrusion_sets": {
+ "requirement": "optional"
+ },
 "kill_chain": {
 "description": "Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "labels": {
+ "description": "Tags or keywords associated with the indicator to enhance searchability.",
+ "requirement": "optional"
+ },
 "location": {
 "description": "Any pertinent geolocation information related to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "malware": {
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The timestamp of the last modification or update to the indicator.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "Specifies the field(s) in logs or datasets where this indicator is expected to match.",
+ "requirement": "optional"
+ },
 "related_analytics": {
 "caption": "Related Analytics",
 "description": "Any analytics related to an indicator or OSINT analysis.",
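Review bot: The `detection_pattern`, `detection_pattern_type` and `detection_pattern_type_id` block is placed between `file` and `kill_chain`, while every other attribute in this object (and the other insertions in this hunk: `expiration_time`/`external_id` after `email_auth`, `labels` after `kill_chain`, `malware`/`modified_time`/`name` after `location`) keeps the attribute map alphabetical; moving the three `detection_pattern*` entries up to sit before `email` would keep the file sorted. The `expiration_time` description should also make the operational consequence explicit for consumers: `"The expiration time of the indicator, after which it is no longer considered reliable and should not be used for blocking or alerting."` — a stale IOC that keeps firing is a common source of false positives. The `name` description ("Specifies the field(s) in logs … expected to match") is replaced later in this series, so it is not raised here.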
@@ -62,11 +116,23 @@
 "description": "Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "risk_score": {
+ "description": "A numerical representation of the threat indicator’s risk or confidence level.",
+ "requirement": "optional"
+ },
+ "references": {
+ "description": "Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.",
+ "requirement": "optional"
+ },
 "script": {
 "caption": "Related Script Data",
 "description": "Any pertinent script information related to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "severity": {
+ "description": "Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.",
+ "requirement": "optional"
+ },
 "signatures": {
 "caption": "Related Digital Signatures",
 "description": "Any digital signatures or hashes related to an indicator or OSINT analysis.",
@@ -86,6 +152,9 @@
 "description": "A CIDR or network block related to an indicator or OSINT analysis.",
 "requirement": "optional"
 },
+ "threat_actor": {
+ "requirement": "optional"
+ },
 "tlp": {
 "caption": "Traffic Light Protocol",
 "description": "The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
@@ -193,6 +262,13 @@
 },
 "requirement": "required"
 },
+ "uid": {
+ "description": "The unique identifier for the OSINT object.",
+ "requirement": "optional"
+ },
+ "uploaded_time": {
+ "requirement": "optional"
+ },
 "value": {
 "caption": "Indicator",
 "description": "The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
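Review bot: `risk_score` is described as "risk or confidence level", but this object already has a normalized `confidence` attribute (its description is the context line at the top of the earlier osint hunk), so two attributes now claim to carry confidence and producers will split between them; drop the confidence wording and fix the scale, e.g. `"A numerical representation of the threat indicator's risk, valid range 0-100."`, matching how `impact` states its range in dictionary.json. `severity` is added on its own; if the dictionary declares it as the sibling of `severity_id`, as this patch does for `detection_pattern_type`/`detection_pattern_type_id`, then `severity_id` should be added alongside it so a normalized value exists rather than only the source's free text. Minor: `references` sorts before `risk_score`, so the two entries are in the wrong order for an otherwise alphabetical object.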
diff --git a/objects/threat_actor.json b/objects/threat_actor.json new file mode 100644 index 000000000..3e722b4ae --- /dev/null +++ b/objects/threat_actor.json @@ -0,0 +1,44 @@ +{ + "caption": "Threat Actor", + "description": "Threat actor is responsible for the observed malicious activity.", + "extends": "object", + "name": "threat_actor", + "attributes": { + "name": { + "description": "The name of the threat actor.", + "requirement": "optional" + }, + "type": { + "caption": "Threat Actor Type", + "description": "The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.", + "requirement": "optional" + }, + "type_id": { + "caption": "Threat Actor Type ID", + "description": "The normalized datastore resource type identifier.", + "requirement": "recommended", + "enum": { + "0": { + "caption": "Unknown", + "description": "The threat actor type is unknown." + }, + "1": { + "caption": "Nation-state" + }, + "2": { + "caption": "Cybercriminal" + }, + "3": { + "caption": "Hacktivists" + }, + "4": { + "caption": "Insider" + }, + "99": { + "caption": "Other", + "description": "The threat actor type is not mapped." + } + } + } + } + } \ No newline at end of file From ea7ad8034dfc27aabbd25a27e2707dc3aa048ece Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Wed, 26 Feb 2025 15:14:03 +0100 Subject: [PATCH 2/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- dictionary.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dictionary.json b/dictionary.json index 1950da2c7..53b36a719 100644 --- a/dictionary.json +++ b/dictionary.json 
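Review bot: The `type_id` description in the new `threat_actor` object reads "The normalized datastore resource type identifier.", which is copied from another object and is wrong for a threat actor; it should be `"The normalized threat actor type identifier."`, and the `type` description should follow the sibling convention used elsewhere in this diff (compare `injection_type` in dictionary.json), e.g. `"The threat actor type, normalized to the caption of type_id. In the case of 'Other', it is defined by the event source."`, with the current motivations/affiliations sentence moved to `type_id`. Enum caption `"Hacktivists"` is plural while `Nation-state`, `Cybercriminal` and `Insider` are singular; use `"Hacktivist"`. The file also ends without a trailing newline, as the diff marker notes.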
@@ -1567,12 +1567,12 @@ }, "detection_pattern_type": { "caption": "Detection Pattern", - "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.", + "description": "The detection pattern type, normalized to the caption of the detection_pattern_type_id value. In the case of 'Other', it is defined by the event source.", "type": "string_t" }, "detection_pattern_type_id": { "caption": "Detection Pattern Type ID", - "description": "The normalised identifier of the detection pattern type.", + "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.", "sibling": "detection_pattern_type", "type": "integer_t", "enum": { From aef006b8d06fc8802cc04cd20d3bdc8db6b39a46 Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Wed, 26 Feb 2025 15:18:11 +0100 Subject: [PATCH 3/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- dictionary.json | 4 ++-- objects/osint.json | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/dictionary.json b/dictionary.json index 53b36a719..f7b895c1b 100644 --- a/dictionary.json +++ b/dictionary.json @@ -1591,7 +1591,7 @@ }, "99": { "caption": "Other", - "description": "Any other type of detection pattern type." + "description": "The detection pattern type is not mapped. See the detection_pattern_type attribute, which contains a data source specific value." } } }, 
@@ -5589,7 +5589,7 @@ }, "uploaded_time": { "caption": "Uploaded Time", - "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.", + "description": "The timestamp at which an entity was uploaded. See specific usage.", "type": "timestamp_t" }, "url": { diff --git a/objects/osint.json b/objects/osint.json index 9636d1701..6d15c3a87 100644 --- a/objects/osint.json +++ b/objects/osint.json @@ -267,6 +267,7 @@ "requirement": "optional" }, "uploaded_time": { + "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.", "requirement": "optional" }, "value": { From 023431db7f25d4ca2669e77cd818a5e4fb6bb9d9 Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Wed, 26 Feb 2025 15:26:11 +0100 Subject: [PATCH 4/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- objects/campaign.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/campaign.json b/objects/campaign.json index 760e31ea7..46703cd62 100644 --- a/objects/campaign.json +++ b/objects/campaign.json @@ -6,7 +6,7 @@ "attributes": { "name": { "description": "The name of a specific campaign associated with a cyber threat.", - "requirement": "optional" + "requirement": "required" } } } From 77d0641c5e04784479256a0176a4c0c7662cd6c9 Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Thu, 27 Feb 2025 11:46:17 +0100 Subject: [PATCH 5/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- objects/osint.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/osint.json b/objects/osint.json index 6d15c3a87..0f4d5e1a9 100644 --- a/objects/osint.json +++ b/objects/osint.json 
@@ -104,7 +104,7 @@ "requirement": "optional" }, "name": { - "description": "Specifies the field(s) in logs or datasets where this indicator is expected to match.", + "description": "The name of the OSINT object.", "requirement": "optional" }, "related_analytics": { From 14d7571687bdadd531f8c1459ab868d41d9d0228 Mon Sep 17 00:00:00 2001 From: pavel jurka Date: Thu, 27 Feb 2025 11:51:53 +0100 Subject: [PATCH 6/6] extending osint profile Issue-1304: Remove 'domains' attribute from 'email' object (#1305) --- dictionary.json | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/dictionary.json b/dictionary.json index f7b895c1b..cee787057 100644 --- a/dictionary.json +++ b/dictionary.json @@ -1581,13 +1581,22 @@ "description": "The type is not mapped." }, "1": { - "caption": "Behavioral analysis" + "caption": "STIX" }, "2": { - "caption": "Static indicators" + "caption": "PCRE" }, "3": { - "caption": "Heuristic methods" + "caption": "SIGMA" + }, + "4": { + "caption": "Snort" + }, + "5": { + "caption": "Suricata" + }, + "6": { + "caption": "YARA" }, "99": { "caption": "Other",
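Review bot: After this hunk replaces the `detection_pattern_type_id` enum values with STIX, PCRE, SIGMA, Snort, Suricata and YARA, the entry's description — set in patch 2/6 to "This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods." — no longer matches the enum it documents; the description line sits above this hunk, in the part of the entry the hunk does not show. Update it to something like `"The normalized identifier of the detection pattern language or format, e.g. a STIX pattern, a Sigma or YARA rule, or a Snort/Suricata signature."`. The `"0": "Unknown"` description `"The type is not mapped."` is also the wording normally reserved for `Other` (the `99` entry in patch 3/6 already uses "is not mapped"); `"The detection pattern type is unknown."` distinguishes the two. Casing of `"SIGMA"` is inconsistent with how the project writes its own name (Sigma); the rest of the captions already use the tools' own casing.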