new: Add Alfred relationships (CCCS)

pull/120/head
Raphaël Vinot 2018-10-22 12:19:47 -04:00
parent de3acf865d
commit 0db808ab6a
2 changed files with 337 additions and 12 deletions

View File

@ -6,7 +6,8 @@
"description": "The information in the target object is based on information from the source object.", "description": "The information in the target object is based on information from the source object.",
"format": [ "format": [
"misp", "misp",
"stix-2.0" "stix-2.0",
"alfred"
] ]
}, },
{ {
@ -22,7 +23,8 @@
"description": "The referenced source is related to the target object.", "description": "The referenced source is related to the target object.",
"format": [ "format": [
"misp", "misp",
"stix-2.0" "stix-2.0",
"alfred"
] ]
}, },
{ {
@ -46,7 +48,8 @@
"description": "The referenced source is containing the target object.", "description": "The referenced source is containing the target object.",
"format": [ "format": [
"misp", "misp",
"stix-1.1" "stix-1.1",
"alfred"
] ]
}, },
{ {
@ -182,7 +185,8 @@
"description": "This relationship describes the use by the source object of the target object.", "description": "This relationship describes the use by the source object of the target object.",
"format": [ "format": [
"misp", "misp",
"stix-2.0" "stix-2.0",
"alfred"
] ]
}, },
{ {
@ -206,7 +210,8 @@
"description": "This relationship describes a source object which is a variant of the target object", "description": "This relationship describes a source object which is a variant of the target object",
"format": [ "format": [
"misp", "misp",
"stix-2.0" "stix-2.0",
"alfred"
] ]
}, },
{ {
@ -284,14 +289,16 @@
"name": "affects", "name": "affects",
"description": "This relationship describes an object affected by another object.", "description": "This relationship describes an object affected by another object.",
"format": [ "format": [
"misp" "misp",
"alfred"
] ]
}, },
{ {
"name": "beacons-to", "name": "beacons-to",
"description": "This relationship describes an object beaconing to another object.", "description": "This relationship describes an object beaconing to another object.",
"format": [ "format": [
"misp" "misp",
"alfred"
] ]
}, },
{ {
@ -305,21 +312,24 @@
"name": "exfiltrates-to", "name": "exfiltrates-to",
"description": "This relationship describes an object exfiltrating to another object.", "description": "This relationship describes an object exfiltrating to another object.",
"format": [ "format": [
"misp" "misp",
"alfred"
] ]
}, },
{ {
"name": "identifies", "name": "identifies",
"description": "This relationship describes an object which identifies another object.", "description": "This relationship describes an object which identifies another object.",
"format": [ "format": [
"misp" "misp",
"alfred"
] ]
}, },
{ {
"name": "intercepts", "name": "intercepts",
"description": "This relationship describes an object which intercepts another object.", "description": "This relationship describes an object which intercepts another object.",
"format": [ "format": [
"misp" "misp",
"alfred"
] ]
}, },
{ {
@ -578,7 +588,8 @@
"name": "owner-of", "name": "owner-of",
"description": "This relationship describes an object which owns another object.", "description": "This relationship describes an object which owns another object.",
"format": [ "format": [
"cert-eu" "cert-eu",
"alfred"
] ]
}, },
{ {
@ -650,9 +661,275 @@
"format": [ "format": [
"misp" "misp"
] ]
},
{
"name": "child-of",
"description": "A child semantic link to a parent.",
"format": [
"alfred"
]
},
{
"name": "compromised",
"description": "Represents the semantic link of having compromised something.",
"format": [
"alfred"
]
},
{
"name": "connects",
"description": "The initiator of a connection.",
"format": [
"alfred"
]
},
{
"name": "connects-to",
"description": "The destination or target of a connection.",
"format": [
"alfred"
]
},
{
"name": "cover-term-for",
"description": "Represents the semantic link of one thing being the cover term for another.",
"format": [
"alfred"
]
},
{
"name": "disclosed-to",
"description": "Semantic link indicating where information is disclosed to.",
"format": [
"alfred"
]
},
{
"name": "downloads",
"description": "Represents the semantic link of one thing downloading another.",
"format": [
"alfred"
]
},
{
"name": "downloads-from",
"description": "Represents the semantic link of malware being downloaded from a location.",
"format": [
"alfred"
]
},
{
"name": "generated",
"description": "Represents the semantic link of an alert generated from a signature.",
"format": [
"alfred"
]
},
{
"name": "implements",
"description": "One data object implements another.",
"format": [
"alfred"
]
},
{
"name": "initiates",
"description": "Represents the semantic link of a communication initiating an event.",
"format": [
"alfred"
]
},
{
"name": "instance-of",
"description": "Represents the semantic link between a FILE and FILE_BINARY.",
"format": [
"alfred"
]
},
{
"name": "issuer-of",
"description": "Represents the semantic link of being the issuer of something.",
"format": [
"alfred"
]
},
{
"name": "linked-to",
"description": "Represents the semantic link of being associated with something.",
"format": [
"alfred"
]
},
{
"name": "not-relevant-to",
"description": "Represents the semantic link of a comm that is not relevant to an EVENT.",
"format": [
"alfred"
]
},
{
"name": "part-of",
"description": "Represents the semantic link that defines one thing to be part of another in a hierachial structure from the child to the parent.",
"format": [
"alfred"
]
},
{
"name": "processed-by",
"description": "Represents the semantic link of something has been processed by another program.",
"format": [
"alfred"
]
},
{
"name": "produced",
"description": "Represents the semantic link of something having produced something else.",
"format": [
"alfred"
]
},
{
"name": "queried-for",
"description": "The IP Address or domain being queried for.",
"format": [
"alfred"
]
},
{
"name": "query-returned",
"description": "The IP Address or domain returned as the result of a query.",
"format": [
"alfred"
]
},
{
"name": "registered",
"description": "Represents the semantic link of someone registered some thing.",
"format": [
"alfred"
]
},
{
"name": "registered-to",
"description": "Represents the semantic link of something being registered to.",
"format": [
"alfred"
]
},
{
"name": "relates",
"description": "Represents the semantic link between HBS Comms and communication addresses.",
"format": [
"alfred"
]
},
{
"name": "relevant-to",
"description": "Represents the semantic link of a comm that is relevant to an EVENT.",
"format": [
"alfred"
]
},
{
"name": "resolves-to",
"description": "Represents the semantic link of resolving to something.",
"format": [
"alfred"
]
},
{
"name": "responsible-for",
"description": "Represents the semantic link of some entity being responsible for something.",
"format": [
"alfred"
]
},
{
"name": "seeded",
"description": "Represents the semantic link of a seeded domain redirecting to another site.",
"format": [
"alfred"
]
},
{
"name": "sends",
"description": "A sends semantic link meaning 'who sends what'.",
"format": [
"alfred"
]
},
{
"name": "sends-as-bcc-to",
"description": "A sends to as BCC semantic link meaning 'what sends to who as BCC'.",
"format": [
"alfred"
]
},
{
"name": "sends-as-cc-to",
"description": "A sends to as CC semantic link meaning 'what sends to who as CC'.",
"format": [
"alfred"
]
},
{
"name": "sends-to",
"description": "A sends to semantic link meaning 'what sends to who'.",
"format": [
"alfred"
]
},
{
"name": "spoofer-of",
"description": "The represents the semantic link of having spoofed something.",
"format": [
"alfred"
]
},
{
"name": "subdomain-of",
"description": "Represents a domain being a subdomain of another.",
"format": [
"alfred"
]
},
{
"name": "supersedes",
"description": "One data object supersedes another.",
"format": [
"alfred"
]
},
{
"name": "triggered-on",
"description": "Represents the semantic link of an alert triggered on an event.",
"format": [
"alfred"
]
},
{
"name": "uploads",
"description": "Represents the semantic link of one thing uploading another.",
"format": [
"alfred"
]
},
{
"name": "user-of",
"description": "The represents the semantic link of being the user of something.",
"format": [
"alfred"
]
},
{
"name": "works-for",
"description": "Represents the semantic link of working for something.",
"format": [
"alfred"
]
} }
], ],
"description": "Default type of relationships in MISP objects.", "description": "Default type of relationships in MISP objects.",
"uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c",
"name": "relationships" "name": "relationships"
} }

View File

@ -0,0 +1,48 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from pathlib import Path
import json
name_ontology = 'alfred'
relationships_path = Path('..', 'relationships', 'definition.json')
with open(relationships_path) as f:
relationships = json.load(f)
rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
ontology_path = Path('alfred-ontology.json')
with open(ontology_path) as f:
ontology = json.load(f)
links = ontology['data']['linkTypes']
for linktype in links:
link_name = linktype['name'].lower().replace('_', '-')
link_description = linktype['description']
if link_name in rel_fast_lookup:
if rel_fast_lookup[link_name]['description'] != link_description:
print(link_name)
print('\t MISP:', rel_fast_lookup[link_name]['description'])
print('\t Alfred:', link_description)
for entry in relationships['values']:
if entry['name'] == link_name:
if name_ontology not in entry['format']:
entry['format'].append(name_ontology)
break
# Update the fast lookup to avoid duplicates.
rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
else:
if link_name not in rel_fast_lookup:
linktype['name'] = link_name
linktype['format'] = [name_ontology]
relationships['values'].append(linktype)
else:
print("Duplicate", link_name)
with open(relationships_path, 'w') as f:
json.dump(relationships, f, indent=2)