mirror of https://github.com/MISP/PyTaxonomies
Improve readme
parent
1f6370a2d7
commit
0a14e83f49
167
README.md
167
README.md
|
@ -6,3 +6,170 @@
|
||||||
|
|
||||||
Pythonic way to work with the taxonomies defined there: https://github.com/MISP/misp-taxonomies
|
Pythonic way to work with the taxonomies defined there: https://github.com/MISP/misp-taxonomies
|
||||||
|
|
||||||
|
# Usage
|
||||||
|
|
||||||
|
Taxonomies and predicates are represented as immurable Python dictionaries.
|
||||||
|
|
||||||
|
## Basics
|
||||||
|
|
||||||
|
```
|
||||||
|
In [1]: from pytaxonomies import Taxonomies
|
||||||
|
|
||||||
|
In [2]: taxonomies = Taxonomies()
|
||||||
|
|
||||||
|
In [3]: taxonomies.version
|
||||||
|
Out[3]: '20160725'
|
||||||
|
|
||||||
|
In [4]: taxonomies.license
|
||||||
|
Out[4]: 'CC-BY'
|
||||||
|
|
||||||
|
In [5]: taxonomies.description
|
||||||
|
Out[5]: 'Manifest file of MISP taxonomies available.'
|
||||||
|
|
||||||
|
# How many taxonomies have been imported
|
||||||
|
In [6]: len(taxonomies)
|
||||||
|
Out[6]: 27
|
||||||
|
|
||||||
|
# Names of the taxonomies
|
||||||
|
In [7]: list(taxonomies.keys())
|
||||||
|
Out[7]:
|
||||||
|
['tlp',
|
||||||
|
'eu-critical-sectors',
|
||||||
|
'dni-ism',
|
||||||
|
'de-vs',
|
||||||
|
'osint',
|
||||||
|
'ms-caro-malware',
|
||||||
|
'open-threat',
|
||||||
|
'circl',
|
||||||
|
'iep',
|
||||||
|
'euci',
|
||||||
|
'kill-chain',
|
||||||
|
'europol-events',
|
||||||
|
'veris',
|
||||||
|
'information-security-indicators',
|
||||||
|
'estimative-language',
|
||||||
|
'adversary',
|
||||||
|
'europol-incident',
|
||||||
|
'malware_classification',
|
||||||
|
'ecsirt',
|
||||||
|
'dhs-ciip-sectors',
|
||||||
|
'csirt_case_classification',
|
||||||
|
'nato',
|
||||||
|
'fr-classif',
|
||||||
|
'enisa',
|
||||||
|
'misp',
|
||||||
|
'admiralty-scale',
|
||||||
|
'ms-caro-malware-full']
|
||||||
|
|
||||||
|
In [8]: taxonomies.get('enisa').description
|
||||||
|
Out[8]: 'The present threat taxonomy is an initial version that has been developed on the basis of available ENISA material. This material has been used as an ENISA-internal structuring aid for information collection and threat consolidation purposes. It emerged in the time period 2012-2015.'
|
||||||
|
|
||||||
|
In [9]: taxonomies.get('enisa').version
|
||||||
|
Out[9]: 201601
|
||||||
|
|
||||||
|
In [10]: taxonomies.get('enisa').name
|
||||||
|
Out[10]: 'enisa'
|
||||||
|
|
||||||
|
In [11]: list(taxonomies.get('enisa').keys())
|
||||||
|
Out[11]:
|
||||||
|
['legal',
|
||||||
|
'outages',
|
||||||
|
'eavesdropping-interception-hijacking',
|
||||||
|
'nefarious-activity-abuse',
|
||||||
|
'physical-attack',
|
||||||
|
'failures-malfunction',
|
||||||
|
'disaster',
|
||||||
|
'unintentional-damage']
|
||||||
|
|
||||||
|
In [12]: list(taxonomies.get('enisa').get('physical-attack'))
|
||||||
|
Out[12]:
|
||||||
|
['fraud-by-employees',
|
||||||
|
'theft',
|
||||||
|
'unauthorised-physical-access-or-unauthorised-entry-to-premises',
|
||||||
|
'theft-of-documents',
|
||||||
|
'information-leak-or-unauthorised-sharing',
|
||||||
|
'vandalism',
|
||||||
|
'damage-from-the-wafare',
|
||||||
|
'sabotage',
|
||||||
|
'coercion-or-extortion-or-corruption',
|
||||||
|
'theft-of-mobile-devices',
|
||||||
|
'theft-of-fixed-hardware',
|
||||||
|
'terrorist-attack',
|
||||||
|
'theft-of-backups',
|
||||||
|
'fraud']
|
||||||
|
|
||||||
|
In [13]: taxonomies.get('enisa').get('physical-attack').get('vandalism').value
|
||||||
|
Out[13]: 'vandalism'
|
||||||
|
|
||||||
|
In [14]: taxonomies.get('enisa').get('physical-attack').get('vandalism').expanded
|
||||||
|
Out[14]: 'Vandalism'
|
||||||
|
|
||||||
|
In [15]: taxonomies.get('enisa').get('physical-attack').get('vandalism').description
|
||||||
|
Out[15]: 'Act of physically damaging IT assets.'
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Get machine tags
|
||||||
|
|
||||||
|
```
|
||||||
|
In [1]: print(taxonomies) # or taxonomies.all_machinetags()
|
||||||
|
|
||||||
|
<display the machine tags for all the taxonomies>
|
||||||
|
|
||||||
|
In [2]: print(taxonomies.get('circl')) # or taxonomies.get('circl').machinetags()
|
||||||
|
circl:incident-classification="vulnerability"
|
||||||
|
circl:incident-classification="malware"
|
||||||
|
circl:incident-classification="fastflux"
|
||||||
|
circl:incident-classification="system-compromise"
|
||||||
|
circl:incident-classification="sql-injection"
|
||||||
|
circl:incident-classification="scan"
|
||||||
|
circl:incident-classification="XSS"
|
||||||
|
circl:incident-classification="information-leak"
|
||||||
|
circl:incident-classification="scam"
|
||||||
|
circl:incident-classification="copyright-issue"
|
||||||
|
circl:incident-classification="denial-of-service"
|
||||||
|
circl:incident-classification="phishing"
|
||||||
|
circl:incident-classification="spam"
|
||||||
|
circl:topic="undefined"
|
||||||
|
circl:topic="industry"
|
||||||
|
circl:topic="ict"
|
||||||
|
circl:topic="finance"
|
||||||
|
circl:topic="services"
|
||||||
|
circl:topic="individual"
|
||||||
|
circl:topic="medical"
|
||||||
|
|
||||||
|
# All entries
|
||||||
|
In [3]: taxonomies.get('circl').amount_entries()
|
||||||
|
Out[3]: 28
|
||||||
|
|
||||||
|
# Amount predicates
|
||||||
|
In [3]: len(taxonomies.get('circl'))
|
||||||
|
Out[3]: 2
|
||||||
|
|
||||||
|
```
|
||||||
|
|
||||||
|
## Expanded machine tag
|
||||||
|
|
||||||
|
```
|
||||||
|
In [10]: print(taxonomies.get('circl').machinetags_expanded())
|
||||||
|
circl:topic="Individual"
|
||||||
|
circl:topic="Services"
|
||||||
|
circl:topic="Finance"
|
||||||
|
circl:topic="Medical"
|
||||||
|
circl:topic="Industry"
|
||||||
|
circl:topic="Undefined"
|
||||||
|
circl:topic="ICT"
|
||||||
|
circl:incident-classification="Phishing"
|
||||||
|
circl:incident-classification="Malware"
|
||||||
|
circl:incident-classification="XSS"
|
||||||
|
circl:incident-classification="Copyright issue"
|
||||||
|
circl:incident-classification="Spam"
|
||||||
|
circl:incident-classification="SQL Injection"
|
||||||
|
circl:incident-classification="Scan"
|
||||||
|
circl:incident-classification="Scam"
|
||||||
|
circl:incident-classification="Vulnerability"
|
||||||
|
circl:incident-classification="Denial of Service"
|
||||||
|
circl:incident-classification="Information leak"
|
||||||
|
circl:incident-classification="Fastflux"
|
||||||
|
circl:incident-classification="System compromise"
|
||||||
|
```
|
||||||
|
|
|
@ -14,6 +14,9 @@ class Entry():
|
||||||
self.expanded = expanded
|
self.expanded = expanded
|
||||||
self.description = description
|
self.description = description
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
return self.value
|
||||||
|
|
||||||
|
|
||||||
class Predicate(collections.Mapping):
|
class Predicate(collections.Mapping):
|
||||||
|
|
||||||
|
@ -29,6 +32,9 @@ class Predicate(collections.Mapping):
|
||||||
self.entries[e['value']] = Entry(e['value'], e['expanded'],
|
self.entries[e['value']] = Entry(e['value'], e['expanded'],
|
||||||
e.get('description'))
|
e.get('description'))
|
||||||
|
|
||||||
|
def __str__(self):
|
||||||
|
return self.predicate
|
||||||
|
|
||||||
def __getitem__(self, entry):
|
def __getitem__(self, entry):
|
||||||
return self.entries[entry]
|
return self.entries[entry]
|
||||||
|
|
||||||
|
@ -61,6 +67,9 @@ class Taxonomy(collections.Mapping):
|
||||||
entries.get(p['value']))
|
entries.get(p['value']))
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
|
return self.machinetags()
|
||||||
|
|
||||||
|
def machinetags(self):
|
||||||
to_return = ''
|
to_return = ''
|
||||||
for p, content in self.predicates.items():
|
for p, content in self.predicates.items():
|
||||||
if content:
|
if content:
|
||||||
|
@ -82,7 +91,7 @@ class Taxonomy(collections.Mapping):
|
||||||
def amount_entries(self):
|
def amount_entries(self):
|
||||||
return sum([len(p) for p in self.predicates])
|
return sum([len(p) for p in self.predicates])
|
||||||
|
|
||||||
def print_expanded_entries(self):
|
def machinetags_expanded(self):
|
||||||
to_return = ''
|
to_return = ''
|
||||||
for p, content in self.predicates.items():
|
for p, content in self.predicates.items():
|
||||||
if content:
|
if content:
|
||||||
|
@ -111,7 +120,6 @@ class Taxonomies(collections.Mapping):
|
||||||
self.version = self.manifest['version']
|
self.version = self.manifest['version']
|
||||||
self.license = self.manifest['license']
|
self.license = self.manifest['license']
|
||||||
self.description = self.manifest['description']
|
self.description = self.manifest['description']
|
||||||
self.taxonomies_names = [t['name'] for t in self.manifest['taxonomies']]
|
|
||||||
self.__init_taxonomies()
|
self.__init_taxonomies()
|
||||||
|
|
||||||
def __load_path(self, path):
|
def __load_path(self, path):
|
||||||
|
@ -141,7 +149,10 @@ class Taxonomies(collections.Mapping):
|
||||||
return len(self.taxonomies)
|
return len(self.taxonomies)
|
||||||
|
|
||||||
def __str__(self):
|
def __str__(self):
|
||||||
|
return self.all_machinetags()
|
||||||
|
|
||||||
|
def all_machinetags(self):
|
||||||
to_return = ''
|
to_return = ''
|
||||||
for k, taxonomy in self.taxonomies.items():
|
for k, taxonomy in self.taxonomies.items():
|
||||||
to_return += '{}\n'.format(taxonomy.__str__())
|
to_return += '{}\n'.format(taxonomy.machinetags())
|
||||||
return to_return
|
return to_return
|
||||||
|
|
Loading…
Reference in New Issue