diff --git a/relationships/definition.json b/relationships/definition.json
index c444212..e27168b 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -6,7 +6,8 @@
 "description": "The information in the target object is based on information from the source object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -22,7 +23,8 @@
 "description": "The referenced source is related to the target object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -46,7 +48,8 @@
 "description": "The referenced source is containing the target object.",
 "format": [
 "misp",
- "stix-1.1"
+ "stix-1.1",
+ "alfred"
 ]
 },
 {
@@ -182,7 +185,8 @@
 "description": "This relationship describes the use by the source object of the target object.",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -206,7 +210,8 @@
 "description": "This relationship describes a source object which is a variant of the target object",
 "format": [
 "misp",
- "stix-2.0"
+ "stix-2.0",
+ "alfred"
 ]
 },
 {
@@ -284,14 +289,16 @@
 "name": "affects",
 "description": "This relationship describes an object affected by another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "beacons-to",
 "description": "This relationship describes an object beaconing to another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
@@ -305,21 +312,24 @@
 "name": "exfiltrates-to",
 "description": "This relationship describes an object exfiltrating to another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "identifies",
 "description": "This relationship describes an object which identifies another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
 "name": "intercepts",
 "description": "This relationship describes an object which intercepts another object.",
 "format": [
- "misp"
+ "misp",
+ "alfred"
 ]
 },
 {
@@ -578,7 +588,8 @@
 "name": "owner-of",
 "description": "This relationship describes an object which owns another object.",
 "format": [
- "cert-eu"
+ "cert-eu",
+ "alfred"
 ]
 },
 {
@@ -650,9 +661,275 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "child-of",
+ "description": "A child semantic link to a parent.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "compromised",
+ "description": "Represents the semantic link of having compromised something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "connects",
+ "description": "The initiator of a connection.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "connects-to",
+ "description": "The destination or target of a connection.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "cover-term-for",
+ "description": "Represents the semantic link of one thing being the cover term for another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "disclosed-to",
+ "description": "Semantic link indicating where information is disclosed to.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "downloads",
+ "description": "Represents the semantic link of one thing downloading another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "downloads-from",
+ "description": "Represents the semantic link of malware being downloaded from a location.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "generated",
+ "description": "Represents the semantic link of an alert generated from a signature.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "implements",
+ "description": "One data object implements another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "initiates",
+ "description": "Represents the semantic link of a communication initiating an event.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "instance-of",
+ "description": "Represents the semantic link between a FILE and FILE_BINARY.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "issuer-of",
+ "description": "Represents the semantic link of being the issuer of something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "linked-to",
+ "description": "Represents the semantic link of being associated with something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "not-relevant-to",
+ "description": "Represents the semantic link of a comm that is not relevant to an EVENT.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "part-of",
+ "description": "Represents the semantic link that defines one thing to be part of another in a hierachial structure from the child to the parent.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "processed-by",
+ "description": "Represents the semantic link of something has been processed by another program.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "produced",
+ "description": "Represents the semantic link of something having produced something else.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "queried-for",
+ "description": "The IP Address or domain being queried for.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "query-returned",
+ "description": "The IP Address or domain returned as the result of a query.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "registered",
+ "description": "Represents the semantic link of someone registered some thing.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "registered-to",
+ "description": "Represents the semantic link of something being registered to.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "relates",
+ "description": "Represents the semantic link between HBS Comms and communication addresses.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "relevant-to",
+ "description": "Represents the semantic link of a comm that is relevant to an EVENT.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "resolves-to",
+ "description": "Represents the semantic link of resolving to something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "responsible-for",
+ "description": "Represents the semantic link of some entity being responsible for something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "seeded",
+ "description": "Represents the semantic link of a seeded domain redirecting to another site.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "sends",
+ "description": "A sends semantic link meaning 'who sends what'.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "sends-as-bcc-to",
+ "description": "A sends to as BCC semantic link meaning 'what sends to who as BCC'.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "sends-as-cc-to",
+ "description": "A sends to as CC semantic link meaning 'what sends to who as CC'.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "sends-to",
+ "description": "A sends to semantic link meaning 'what sends to who'.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "spoofer-of",
+ "description": "The represents the semantic link of having spoofed something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "subdomain-of",
+ "description": "Represents a domain being a subdomain of another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "supersedes",
+ "description": "One data object supersedes another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "triggered-on",
+ "description": "Represents the semantic link of an alert triggered on an event.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "uploads",
+ "description": "Represents the semantic link of one thing uploading another.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "user-of",
+ "description": "The represents the semantic link of being the user of something.",
+ "format": [
+ "alfred"
+ ]
+ },
+ {
+ "name": "works-for",
+ "description": "Represents the semantic link of working for something.",
+ "format": [
+ "alfred"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
 "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c",
 "name": "relationships"
-}
+}
\ No newline at end of file
diff --git a/tools/alfred_links_to_relarelationships.py b/tools/alfred_links_to_relarelationships.py
new file mode 100644
index 0000000..bab18a2
--- /dev/null
+++ b/tools/alfred_links_to_relarelationships.py
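Review bot: Three of the `description` strings added to `relationships/definition.json` carry typos that every consumer of this list will display: `part-of` has `hierachial` where `hierarchical` is meant, and `spoofer-of` and `user-of` both open with `The represents the semantic link`, which should read `Represents the semantic link`. The final `}` is also rewritten only to drop the end-of-file newline; restoring it keeps later diffs of this file free of that noise.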
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from pathlib import Path
+import json
+
+name_ontology = 'alfred'
+
+relationships_path = Path('..', 'relationships', 'definition.json')
+
+with open(relationships_path) as f:
+ relationships = json.load(f)
+
+rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
+
+ontology_path = Path('alfred-ontology.json')
+
+with open(ontology_path) as f:
+ ontology = json.load(f)
+
+links = ontology['data']['linkTypes']
+
+
+for linktype in links:
+ link_name = linktype['name'].lower().replace('_', '-')
+ link_description = linktype['description']
+ if link_name in rel_fast_lookup:
+ if rel_fast_lookup[link_name]['description'] != link_description:
+ print(link_name)
+ print('\t MISP:', rel_fast_lookup[link_name]['description'])
+ print('\t Alfred:', link_description)
+ for entry in relationships['values']:
+ if entry['name'] == link_name:
+ if name_ontology not in entry['format']:
+ entry['format'].append(name_ontology)
+ break
+ # Update the fast lookup to avoid duplicates.
+ rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
+ else:
+ if link_name not in rel_fast_lookup:
+ linktype['name'] = link_name
+ linktype['format'] = [name_ontology]
+ relationships['values'].append(linktype)
+ else:
+ print("Duplicate", link_name)
+
+with open(relationships_path, 'w') as f:
+ json.dump(relationships, f, indent=2)
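Review bot: The new-entry branch at the bottom of the loop appends the `linktype` dict loaded from `alfred-ontology.json` straight into `relationships['values']`, so any key the ontology carries besides `name` and `description` would be written into the shared `definition.json`; building the entry from the three expected fields keeps the external file from shaping the output. That branch also never refreshes `rel_fast_lookup` (the rebuild appears to sit under the already-known case, as far as the flattened indentation shows), so two link types that normalise to the same name would both be appended and the `Duplicate` message looks unreachable. Separately, `Path('..', 'relationships', 'definition.json')` resolves against the working directory rather than the script's location, and `json.dump` without a following `f.write('\n')` is what drops the trailing newline recorded in the `definition.json` hunk.

```python
# … unchanged: name normalisation and the branch for names already in rel_fast_lookup …
    else:
        # Copy only the fields the definition file is meant to hold.
        new_entry = {
            'name': link_name,
            'description': link_description,
            'format': [name_ontology],
        }
        relationships['values'].append(new_entry)
        # Keep the lookup current so a repeated name is caught on a later iteration.
        rel_fast_lookup[link_name] = new_entry
```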