mirror of https://github.com/MISP/misp-objects
new: Add Alfred relationships (CCCS)
parent
de3acf865d
commit
0db808ab6a
|
@ -6,7 +6,8 @@
|
||||||
"description": "The information in the target object is based on information from the source object.",
|
"description": "The information in the target object is based on information from the source object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp",
|
"misp",
|
||||||
"stix-2.0"
|
"stix-2.0",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -22,7 +23,8 @@
|
||||||
"description": "The referenced source is related to the target object.",
|
"description": "The referenced source is related to the target object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp",
|
"misp",
|
||||||
"stix-2.0"
|
"stix-2.0",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -46,7 +48,8 @@
|
||||||
"description": "The referenced source is containing the target object.",
|
"description": "The referenced source is containing the target object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp",
|
"misp",
|
||||||
"stix-1.1"
|
"stix-1.1",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -182,7 +185,8 @@
|
||||||
"description": "This relationship describes the use by the source object of the target object.",
|
"description": "This relationship describes the use by the source object of the target object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp",
|
"misp",
|
||||||
"stix-2.0"
|
"stix-2.0",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -206,7 +210,8 @@
|
||||||
"description": "This relationship describes a source object which is a variant of the target object",
|
"description": "This relationship describes a source object which is a variant of the target object",
|
||||||
"format": [
|
"format": [
|
||||||
"misp",
|
"misp",
|
||||||
"stix-2.0"
|
"stix-2.0",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -284,14 +289,16 @@
|
||||||
"name": "affects",
|
"name": "affects",
|
||||||
"description": "This relationship describes an object affected by another object.",
|
"description": "This relationship describes an object affected by another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "beacons-to",
|
"name": "beacons-to",
|
||||||
"description": "This relationship describes an object beaconing to another object.",
|
"description": "This relationship describes an object beaconing to another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -305,21 +312,24 @@
|
||||||
"name": "exfiltrates-to",
|
"name": "exfiltrates-to",
|
||||||
"description": "This relationship describes an object exfiltrating to another object.",
|
"description": "This relationship describes an object exfiltrating to another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "identifies",
|
"name": "identifies",
|
||||||
"description": "This relationship describes an object which identifies another object.",
|
"description": "This relationship describes an object which identifies another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"name": "intercepts",
|
"name": "intercepts",
|
||||||
"description": "This relationship describes an object which intercepts another object.",
|
"description": "This relationship describes an object which intercepts another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -578,7 +588,8 @@
|
||||||
"name": "owner-of",
|
"name": "owner-of",
|
||||||
"description": "This relationship describes an object which owns another object.",
|
"description": "This relationship describes an object which owns another object.",
|
||||||
"format": [
|
"format": [
|
||||||
"cert-eu"
|
"cert-eu",
|
||||||
|
"alfred"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -650,9 +661,275 @@
|
||||||
"format": [
|
"format": [
|
||||||
"misp"
|
"misp"
|
||||||
]
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "child-of",
|
||||||
|
"description": "A child semantic link to a parent.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "compromised",
|
||||||
|
"description": "Represents the semantic link of having compromised something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "connects",
|
||||||
|
"description": "The initiator of a connection.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "connects-to",
|
||||||
|
"description": "The destination or target of a connection.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "cover-term-for",
|
||||||
|
"description": "Represents the semantic link of one thing being the cover term for another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "disclosed-to",
|
||||||
|
"description": "Semantic link indicating where information is disclosed to.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "downloads",
|
||||||
|
"description": "Represents the semantic link of one thing downloading another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "downloads-from",
|
||||||
|
"description": "Represents the semantic link of malware being downloaded from a location.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "generated",
|
||||||
|
"description": "Represents the semantic link of an alert generated from a signature.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "implements",
|
||||||
|
"description": "One data object implements another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "initiates",
|
||||||
|
"description": "Represents the semantic link of a communication initiating an event.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "instance-of",
|
||||||
|
"description": "Represents the semantic link between a FILE and FILE_BINARY.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "issuer-of",
|
||||||
|
"description": "Represents the semantic link of being the issuer of something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "linked-to",
|
||||||
|
"description": "Represents the semantic link of being associated with something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "not-relevant-to",
|
||||||
|
"description": "Represents the semantic link of a comm that is not relevant to an EVENT.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "part-of",
|
||||||
|
"description": "Represents the semantic link that defines one thing to be part of another in a hierachial structure from the child to the parent.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "processed-by",
|
||||||
|
"description": "Represents the semantic link of something has been processed by another program.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "produced",
|
||||||
|
"description": "Represents the semantic link of something having produced something else.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "queried-for",
|
||||||
|
"description": "The IP Address or domain being queried for.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "query-returned",
|
||||||
|
"description": "The IP Address or domain returned as the result of a query.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "registered",
|
||||||
|
"description": "Represents the semantic link of someone registered some thing.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "registered-to",
|
||||||
|
"description": "Represents the semantic link of something being registered to.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "relates",
|
||||||
|
"description": "Represents the semantic link between HBS Comms and communication addresses.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "relevant-to",
|
||||||
|
"description": "Represents the semantic link of a comm that is relevant to an EVENT.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "resolves-to",
|
||||||
|
"description": "Represents the semantic link of resolving to something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "responsible-for",
|
||||||
|
"description": "Represents the semantic link of some entity being responsible for something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "seeded",
|
||||||
|
"description": "Represents the semantic link of a seeded domain redirecting to another site.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "sends",
|
||||||
|
"description": "A sends semantic link meaning 'who sends what'.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "sends-as-bcc-to",
|
||||||
|
"description": "A sends to as BCC semantic link meaning 'what sends to who as BCC'.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "sends-as-cc-to",
|
||||||
|
"description": "A sends to as CC semantic link meaning 'what sends to who as CC'.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "sends-to",
|
||||||
|
"description": "A sends to semantic link meaning 'what sends to who'.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "spoofer-of",
|
||||||
|
"description": "The represents the semantic link of having spoofed something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "subdomain-of",
|
||||||
|
"description": "Represents a domain being a subdomain of another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "supersedes",
|
||||||
|
"description": "One data object supersedes another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "triggered-on",
|
||||||
|
"description": "Represents the semantic link of an alert triggered on an event.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "uploads",
|
||||||
|
"description": "Represents the semantic link of one thing uploading another.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "user-of",
|
||||||
|
"description": "The represents the semantic link of being the user of something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "works-for",
|
||||||
|
"description": "Represents the semantic link of working for something.",
|
||||||
|
"format": [
|
||||||
|
"alfred"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"description": "Default type of relationships in MISP objects.",
|
"description": "Default type of relationships in MISP objects.",
|
||||||
"uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c",
|
"uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c",
|
||||||
"name": "relationships"
|
"name": "relationships"
|
||||||
}
|
}
|
|
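Review bot: Several of the descriptions added in the `@ -650,9 +661,275 @@` hunk carry Alfred-internal wording and typos into the shared MISP definition: `"hierachial"` in part-of, `"The represents the semantic link ..."` in spoofer-of and user-of, and type names such as `FILE_BINARY`, `HBS Comms`, `comm` and `EVENT` in instance-of, relates, relevant-to and not-relevant-to that have no meaning outside that ontology. Since these strings are what a MISP user sees when picking a relationship, I would rewrite them in MISP terms before merging, e.g. `"description": "Represents the semantic link that defines one thing to be part of another in a hierarchical structure from the child to the parent."` and `"description": "Represents the semantic link of having spoofed something."`. The entries `connects` and `queried-for` describe an endpoint (`"The initiator of a connection."`) rather than the relationship, which reads oddly next to the existing `"This relationship describes ..."` style; a sentence in that form would be consistent. The generating script in this commit copies descriptions verbatim, so the fix belongs either here in the JSON or in a mapping on the script side, otherwise the next run of the script reintroduces the wording.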
@ -0,0 +1,48 @@
|
||||||
|
#!/usr/bin/env python3
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
from pathlib import Path
|
||||||
|
import json
|
||||||
|
|
||||||
|
name_ontology = 'alfred'
|
||||||
|
|
||||||
|
relationships_path = Path('..', 'relationships', 'definition.json')
|
||||||
|
|
||||||
|
with open(relationships_path) as f:
|
||||||
|
relationships = json.load(f)
|
||||||
|
|
||||||
|
rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
|
||||||
|
|
||||||
|
ontology_path = Path('alfred-ontology.json')
|
||||||
|
|
||||||
|
with open(ontology_path) as f:
|
||||||
|
ontology = json.load(f)
|
||||||
|
|
||||||
|
links = ontology['data']['linkTypes']
|
||||||
|
|
||||||
|
|
||||||
|
for linktype in links:
|
||||||
|
link_name = linktype['name'].lower().replace('_', '-')
|
||||||
|
link_description = linktype['description']
|
||||||
|
if link_name in rel_fast_lookup:
|
||||||
|
if rel_fast_lookup[link_name]['description'] != link_description:
|
||||||
|
print(link_name)
|
||||||
|
print('\t MISP:', rel_fast_lookup[link_name]['description'])
|
||||||
|
print('\t Alfred:', link_description)
|
||||||
|
for entry in relationships['values']:
|
||||||
|
if entry['name'] == link_name:
|
||||||
|
if name_ontology not in entry['format']:
|
||||||
|
entry['format'].append(name_ontology)
|
||||||
|
break
|
||||||
|
# Update the fast lookup to avoid duplicates.
|
||||||
|
rel_fast_lookup = {entry['name']: entry for entry in relationships['values']}
|
||||||
|
else:
|
||||||
|
if link_name not in rel_fast_lookup:
|
||||||
|
linktype['name'] = link_name
|
||||||
|
linktype['format'] = [name_ontology]
|
||||||
|
relationships['values'].append(linktype)
|
||||||
|
else:
|
||||||
|
print("Duplicate", link_name)
|
||||||
|
|
||||||
|
with open(relationships_path, 'w') as f:
|
||||||
|
json.dump(relationships, f, indent=2)
|
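Review bot: The `print("Duplicate", link_name)` branch at the bottom of the loop is unreachable — it sits in the `else:` of `if link_name in rel_fast_lookup`, so the inner `if link_name not in rel_fast_lookup` is always true — and `rel_fast_lookup` is only rebuilt in the branch that adds nothing, so two ontology link types normalising to the same name (constructed example: `PART_OF` and `Part-Of`) would both be appended to `relationships['values']` instead of being reported. The loop below tracks the names seen in this run, registers each new entry in the lookup, and drops the inner `for entry in relationships['values']` scan, which only re-finds the object `rel_fast_lookup[link_name]` already holds. It also builds the new entry from `name`, `description` and `format` only; as written, `relationships['values'].append(linktype)` copies whatever other keys the ontology record carries, which I cannot confirm from this page. Separately, the three `open()` calls pass no `encoding`, so any non-ASCII description is decoded and written under the locale default; `encoding='utf-8'` on each would make the output independent of the host.
```python
# … unchanged: loading of relationships, rel_fast_lookup and ontology …
seen_names = set()
for linktype in links:
    link_name = linktype['name'].lower().replace('_', '-')
    link_description = linktype['description']
    if link_name in seen_names:
        print("Duplicate", link_name)
        continue
    seen_names.add(link_name)
    entry = rel_fast_lookup.get(link_name)
    if entry is None:
        entry = {'name': link_name, 'description': link_description,
                 'format': [name_ontology]}
        relationships['values'].append(entry)
        rel_fast_lookup[link_name] = entry
        continue
    if entry['description'] != link_description:
        print(link_name)
        print('\t MISP:', entry['description'])
        print('\t Alfred:', link_description)
    if name_ontology not in entry['format']:
        entry['format'].append(name_ontology)
# … unchanged: write-back with json.dump …
```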