From ef04ff80200a13d9bb6b22be8f981a9b4187f4f3 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Wed, 21 Jun 2023 16:32:30 +0200
Subject: [PATCH 1/9] add: [incident] Incident object based on the STIX 2.1 Incident object as well as its core extension
---
objects/incident/definition.json | 179 +++++++++++++++++++++++++++++++
1 file changed, 179 insertions(+)
create mode 100644 objects/incident/definition.json
diff --git a/objects/incident/definition.json b/objects/incident/definition.json
new file mode 100644
index 0000000..d61644c
--- /dev/null
+++ b/objects/incident/definition.json
@@ -0,0 +1,179 @@
+{
+ "attributes": {
+ "criticality": {
+ "description": "Criticality of the incident",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Description of the incident.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "detection_method": {
+ "description": "Methods used to detect the activity.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "automated-tool",
+ "human-review",
+ "message-from-attacker",
+ "system-outage",
+ "user-reporting"
+ ],
+ "ui-priority": 0
+ },
+ "determination": {
+ "description": "Determination on the outcome of the incident.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "blocked",
+ "successful-attempt",
+ "failed-attempt",
+ "false-positive",
+ "low-value",
+ "suspected"
+ ],
+ "ui-priority": 0
+ },
+ "incident_type": {
+ "description": "Type of incident",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "aggregation-information-phishing-schemes",
+ "benign",
+ "blocked",
+ "brute-force-attempt",
+ "c&c-server-hosting",
+ "compromised-system",
+ "confirmed",
+ "connection-malware-port",
+ "connection-malware-system",
+ "content-forbidden-by-law",
+ "control-system-bypass",
+ "copyrighted-content",
+ "data-exfiltration",
+ "deferred",
+ "deletion-information",
+ "denial-of-service",
+ "destruction",
+ "dictionary-attack-attempt",
+ "discarded",
+ "disruption-data-transmission",
+ "dissemination-malware-email",
+ "dissemination-phishing-emails",
+ "dns-cache-poisoning",
+ "dns-local-resolver-hijacking",
+ "dns-spoofing-registered",
+ "dns-rebinding",
+ "dns-server-compromise",
+ "dns-spoofing-unregistered",
+ "dns-stub-resolver-hijacking",
+ "dns-zone-transfer",
+ "domain-name-compromise",
+ "duplicate",
+ "email-flooding",
+ "equipment-loss",
+ "equipment-theft",
+ "exploit",
+ "exploit-attempt",
+ "exploit-framework-exhausting-resources",
+ "exploit-tool-exhausting-resources",
+ "failed",
+ "file-inclusion",
+ "file-inclusion-attempt",
+ "hosting-malware-webpage",
+ "hosting-phishing-sites",
+ "illegitimate-use-name",
+ "illegitimate-use-resources",
+ "infected-by-known-malware",
+ "insufficient-data",
+ "known-malware",
+ "lame-delegations",
+ "major",
+ "modification-information",
+ "misconfiguration",
+ "natural",
+ "network-scanning",
+ "no-apt",
+ "packet-flood",
+ "password-cracking-attempt",
+ "ransomware",
+ "refuted",
+ "scan-probe",
+ "silently-discarded",
+ "supply-chain-customer",
+ "supply-chain-vendor",
+ "spam",
+ "sql-injection",
+ "sql-injection-attempt",
+ "successful",
+ "system-probe",
+ "theft-access-credentials",
+ "unattributed",
+ "unauthorized-access-information",
+ "unauthorized-access-system",
+ "unauthorized-equipment",
+ "unauthorized-release",
+ "unauthorized-use",
+ "undetermined",
+ "unintentional",
+ "unknown-apt",
+ "unspecified",
+ "vandalism",
+ "wiretapping",
+ "worm-spreading",
+ "xss",
+ "xss-attempt"
+ ],
+ "ui-priority": 0
+ },
+ "investigation_status": {
+ "description": "Current status of the incident investigation.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "closed",
+ "new",
+ "open"
+ ],
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "Name of the incident.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "recoverability": {
+ "description": "Recoverability of the incident, with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
+ "meta-category": "misc",
+ "name": "incident",
+ "uuid": "38597424-f9bb-4865-9b4b-819172df0334",
+ "version": 1
+}
\ No newline at end of file
From 1a05a9f253f4a99b3e1606db0abc980838c3e92f Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 22 Jun 2023 12:28:04 +0200
Subject: [PATCH 2/9] add: [incident] Added the required object relation
---
objects/incident/definition.json | 3 +++
1 file changed, 3 insertions(+)
diff --git a/objects/incident/definition.json b/objects/incident/definition.json
index d61644c..0824509 100644
--- a/objects/incident/definition.json
+++ b/objects/incident/definition.json
@@ -174,6 +174,9 @@
 "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
 "meta-category": "misc",
 "name": "incident",
+ "required": [
+ "name"
+ ],
 "uuid": "38597424-f9bb-4865-9b4b-819172df0334",
 "version": 1
 }
\ No newline at end of file
From c5c8f35fb40444bc21c1db634729806c090eb43f Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 22 Jun 2023 12:28:47 +0200
Subject: [PATCH 3/9] wip: [event] New object template to describe events that can happen during an incident
---
objects/event/definition.json | 172 ++++++++++++++++++++++++++++++++++
1 file changed, 172 insertions(+)
create mode 100644 objects/event/definition.json
diff --git a/objects/event/definition.json b/objects/event/definition.json
new file mode 100644
index 0000000..58c6e1b
--- /dev/null
+++ b/objects/event/definition.json
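Review bot: `incident_type`'s sane_default mixes outcome and status words into a type vocabulary — `confirmed`, `deferred`, `discarded`, `duplicate`, `failed`, `refuted`, `successful`, `silently-discarded`, `insufficient-data`, `unattributed` sit next to `ransomware` and `sql-injection` — which reads as if several vocabularies were merged, and some of those states already have a home in `determination` or `investigation_status`. If the list is meant to mirror one STIX vocabulary, trim it to that vocabulary and let the status attributes carry the rest (I cannot verify the STIX list from this page). Casing is also inconsistent inside the template: `criticality` uses `"Not Specified"`, `"False Positive"` while every other vocabulary is kebab-case, and the same Title Case block recurs as `criticality` in the impact templates and `priority` in the task template. The file also ends with `\ No newline at end of file`, as do all new files in this series; a trailing newline avoids churn the next time the repository's jq formatting pass (see PATCH 6/9) runs.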
@@ -0,0 +1,172 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the event was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "event_type": {
+ "description": "Type of event.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "aggregation-information-phishing-schemes",
+ "benign",
+ "blocked",
+ "brute-force-attempt",
+ "c&c-server-hosting",
+ "compromised-system",
+ "confirmed",
+ "connection-malware-port",
+ "connection-malware-system",
+ "content-forbidden-by-law",
+ "control-system-bypass",
+ "copyrighted-content",
+ "data-exfiltration",
+ "deferred",
+ "deletion-information",
+ "denial-of-service",
+ "destruction",
+ "dictionary-attack-attempt",
+ "discarded",
+ "disruption-data-transmission",
+ "dissemination-malware-email",
+ "dissemination-phishing-emails",
+ "dns-cache-poisoning",
+ "dns-local-resolver-hijacking",
+ "dns-spoofing-registered",
+ "dns-rebinding",
+ "dns-server-compromise",
+ "dns-spoofing-unregistered",
+ "dns-stub-resolver-hijacking",
+ "dns-zone-transfer",
+ "domain-name-compromise",
+ "duplicate",
+ "email-flooding",
+ "equipment-loss",
+ "equipment-theft",
+ "exploit",
+ "exploit-attempt",
+ "exploit-framework-exhausting-resources",
+ "exploit-tool-exhausting-resources",
+ "failed",
+ "file-inclusion",
+ "file-inclusion-attempt",
+ "hosting-malware-webpage",
+ "hosting-phishing-sites",
+ "illegitimate-use-name",
+ "illegitimate-use-resources",
+ "infected-by-known-malware",
+ "insufficient-data",
+ "known-malware",
+ "lame-delegations",
+ "major",
+ "modification-information",
+ "misconfiguration",
+ "natural",
+ "network-scanning",
+ "no-apt",
+ "packet-flood",
+ "password-cracking-attempt",
+ "ransomware",
+ "refuted",
+ "scan-probe",
+ "silently-discarded",
+ "supply-chain-customer",
+ "supply-chain-vendor",
+ "spam",
+ "sql-injection",
+ "sql-injection-attempt",
+ "successful",
+ "system-probe",
+ "theft-access-credentials",
+ "unattributed",
+ "unauthorized-access-information",
+ "unauthorized-access-system",
+ "unauthorized-equipment",
+ "unauthorized-release",
+ "unauthorized-use",
+ "undetermined",
+ "unintentional",
+ "unknown-apt",
+ "unspecified",
+ "vandalism",
+ "wiretapping",
+ "worm-spreading",
+ "xss",
+ "xss-attempt"
+ ],
+ "ui-priority": 0
+ },
+ "goal": {
+ "description": "The assumed objective of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "Name of the event.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the event was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "status": {
+ "description": "Current status of the event.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "not-occurred",
+ "ongoing",
+ "occurred",
+ "pending",
+ "undetermined"
+ ],
+ "ui-priority": 1
+ }
+ },
+ "description": "Event object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "event",
+ "required": [
+ "status"
+ ],
+ "uuid": "3853b726-6a9c-43b3-8ffb-23839b07d5a9",
+ "version": 1
+}
\ No newline at end of file
From 3c17729f0ec5d8d03f53d7588ad487428c91fa5e Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 22 Jun 2023 15:16:48 +0200
Subject: [PATCH 4/9] wip: [impacts] New template for different types of impacts as described in STIX 2.1 Incident object extensions
---
objects/availability-impact/definition.json | 96 +++++++++++++
.../confidentiality-impact/definition.json | 125 ++++++++++++++++
objects/external-impact/definition.json | 97 +++++++++++++
objects/integrity-impact/definition.json | 127 ++++++++++++++++
objects/monetary-impact/definition.json | 135 ++++++++++++++++++
objects/physical-impact/definition.json | 124 ++++++++++++++++
objects/traceability-impact/definition.json | 93 ++++++++++++
7 files changed, 797 insertions(+)
create mode 100644 objects/availability-impact/definition.json
create mode 100644 objects/confidentiality-impact/definition.json
create mode 100644 objects/external-impact/definition.json
create mode 100644 objects/integrity-impact/definition.json
create mode 100644 objects/monetary-impact/definition.json
create mode 100644 objects/physical-impact/definition.json
create mode 100644 objects/traceability-impact/definition.json
diff --git a/objects/availability-impact/definition.json b/objects/availability-impact/definition.json
new file mode 100644
index 0000000..ff6daa1
--- /dev/null
+++ b/objects/availability-impact/definition.json
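Review bot: `event_type`'s 85-value sane_default is a verbatim copy of `incident_type` from objects/incident/definition.json (PATCH 1/9), so the two lists will drift independently the first time either is edited. If the STIX event-type vocabulary really equals the incident-type one (I cannot check from this page), say so in the attribute description, e.g. `"description": "Type of event. Uses the same vocabulary as incident_type in the incident object."`, so a future change is applied to both; if it does not, this list should hold the event vocabulary only. Separately, `name` and `description` get `"ui-priority": 0` here while the incident template gives them 1, a small inconsistency in how the two related objects render.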
@@ -0,0 +1,96 @@
+{
+ "attributes": {
+ "availability_impact": {
+ "description": "The availability impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "None",
+ "Minimal",
+ "Significant",
+ "Denial",
+ "Loss of Control"
+ ],
+ "ui-priority": 0
+ },
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Availability Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "availability-impact",
+ "required": [
+ "availability_impact"
+ ],
+ "uuid": "19b4394a-46a9-4196-a30c-080eaed06273",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json
new file mode 100644
index 0000000..022dad0
--- /dev/null
+++ b/objects/confidentiality-impact/definition.json
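Review bot: `criticality`, `description`, `end_time`, `end_time_fidelity`, `recoverability`, `start_time` and `start_time_fidelity` are repeated verbatim in all seven impact templates of this patch, and the copies already disagree (the `misp_attribute` key in confidentiality-impact and integrity-impact, typos in description strings elsewhere), which is the maintenance risk of copy-paste with no include mechanism. JSON cannot carry a comment, so the shared block should be documented once outside the files — in the PR description or the README next to the templates — naming the seven files and stating that these attributes are to be changed together. Within this file, `"description": "Criticality of the impact"` is the only description without a terminating period; `"Criticality of the impact."` matches the rest.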
@@ -0,0 +1,125 @@
+{
+ "attributes": {
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "information_type": {
+ "description": "Type of information that had its confidentiality compromised.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "classified-material",
+ "communication",
+ "credentials-admin",
+ "credentials-user",
+ "financial",
+ "leval",
+ "payment",
+ "phi",
+ "pii",
+ "proprietary"
+ ],
+ "ui-priority": 0
+ },
+ "loss_type": {
+ "description": "The type of loss that occurred to the relevant information.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "confirmed-loss",
+ "contained",
+ "exploited-loss",
+ "none",
+ "suspected-loss"
+ ],
+ "ui-priority": 0
+ },
+ "record_count":{
+ "description": "The number of records of this type that were compromised.",
+ "disable_correlation": true,
+ "misp_attribute": "counter",
+ "ui-priority": 0
+ },
+ "record_size":{
+ "description": "The amount of data that was compromised in bytes.",
+ "disable_correlation": true,
+ "misp_attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Confidentiality Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "confidentiality-impact",
+ "required": [
+ "loss_type"
+ ],
+ "uuid": "b0027f13-56e4-4c85-9632-3cf81208429b",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/external-impact/definition.json b/objects/external-impact/definition.json
new file mode 100644
index 0000000..045cb20
--- /dev/null
+++ b/objects/external-impact/definition.json
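Review bot: `record_count` and `record_size` use the key `misp_attribute` (underscore) where every other attribute on this page uses `misp-attribute` (hyphen), so these two attributes declare no type under the key the rest of the template relies on; the same two keys recur in objects/integrity-impact/definition.json later in this patch. The fix is `"misp-attribute": "counter",` and `"misp-attribute": "size-in-bytes",` in both files; PATCH 7/9 ("Typo") changes exactly two lines in each of these two files and may already be it, but that hunk is outside this page. `information_type` also lists `"leval"`, presumably a misspelling of `"legal"`; sane_default values are stored verbatim when an analyst picks them, so a misspelled vocabulary value is recorded on every object and cannot be mapped back to the intended term.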
@@ -0,0 +1,97 @@
+{
+ "attributes": {
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "impact_type": {
+ "description": "Type of impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "economic",
+ "emergency-services",
+ "foreign-relations",
+ "national-secuirty",
+ "public-confidence",
+ "public-health",
+ "public-safety"
+ ],
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "External Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "external-impact",
+ "required": [
+ "impact_type"
+ ],
+ "uuid": "4ac36991-9333-4ada-8e17-bcbeb988160a",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/integrity-impact/definition.json b/objects/integrity-impact/definition.json
new file mode 100644
index 0000000..b53dca1
--- /dev/null
+++ b/objects/integrity-impact/definition.json
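Review bot: `impact_type` lists `"national-secuirty"`, a misspelling of national-security. sane_default values are what analysts pick from and are stored verbatim, so the misspelled value would be recorded on every object that uses it and would not match the intended vocabulary term when the object is exported or compared with STIX data; change the line to `"national-security",`. The description `"Type of impact."` is also less specific than the sibling template's `"Type of physical impact."`; `"Type of external impact."` would match.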
@@ -0,0 +1,127 @@
+{
+ "attributes": {
+ "alteration": {
+ "description": "",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "potential-destruction",
+ "potential-modification",
+ "partial-destruction",
+ "partial-modification",
+ "full-destruction",
+ "full-modification",
+ "none"
+ ],
+ "ui-priority": 0
+ },
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "information_type": {
+ "description": "Type of information that had its confidentiality compromised.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "classified-material",
+ "communication",
+ "credentials-admin",
+ "credentials-user",
+ "financial",
+ "leval",
+ "payment",
+ "phi",
+ "pii",
+ "proprietary"
+ ],
+ "ui-priority": 0
+ },
+ "record_count": {
+ "description": "The number of records of this type that were compromised.",
+ "disable_correlation": true,
+ "misp_attribute": "counter",
+ "ui-priority": 0
+ },
+ "record_size": {
+ "description": "The amount of data that was compromised in bytes.",
+ "disable_correlation": true,
+ "misp_attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Integrity Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "integrity-impact",
+ "required": [
+ "alteration"
+ ],
+ "uuid": "604830f2-8035-4454-aa32-7f6eee1f04c6",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/monetary-impact/definition.json b/objects/monetary-impact/definition.json
new file mode 100644
index 0000000..0fe7c37
--- /dev/null
+++ b/objects/monetary-impact/definition.json
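Review bot: `alteration` — the one attribute this template requires — has an empty `"description": ""`, so the field that distinguishes integrity-impact from the other impact objects is the only one with no help text; something like `"description": "Type of alteration the affected information underwent."` is all it needs (wording to be checked against the STIX extension). `information_type`'s description `"Type of information that had its confidentiality compromised."` was copied from confidentiality-impact and should read `"Type of information that had its integrity compromised."` for this object. The `misp_attribute` key on `record_count`/`record_size` and the `"leval"` value are shared with confidentiality-impact and are raised on that hunk.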
@@ -0,0 +1,135 @@
+{
+ "attributes": {
+ "conversion_rate": {
+ "description": "Conversion rate between currency and currency_actual (if needed).",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 0
+ },
+ "conversion_time": {
+ "description": "Timestamp when the conversion rate was queried.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "currency": {
+ "description": "Currency used to describe the max and min amount of the impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "currency_actual": {
+ "description": "Currency that the impact actually used.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "max_amount": {
+ "description": "Maximum damage estimate.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 0
+ },
+ "min_amount": {
+ "description": "Minimum damage estimate.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "variety": {
+ "description": "Variety of the moneraty impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "asset-and-fraud",
+ "brand-damage",
+ "business-disruption",
+ "competitive-advantage",
+ "legal-and-regulatory",
+ "operating-costs",
+ "ransom-demand",
+ "ransom-payment",
+ "response-and-recovery",
+ "uncategorized"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Monetary Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "monetary-impact",
+ "required": [
+ "variety"
+ ],
+ "uuid": "3376296c-c1ef-4847-979f-2bfc49aa983e",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/physical-impact/definition.json b/objects/physical-impact/definition.json
new file mode 100644
index 0000000..54cd04a
--- /dev/null
+++ b/objects/physical-impact/definition.json
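Review bot: `variety`'s description `"Variety of the moneraty impact."` misspells monetary; `"Variety of the monetary impact."`. `currency` and `currency_actual` are free-text attributes with no hint of the expected form, so different analysts will record the same currency as `EUR`, `euro` or a symbol and `conversion_rate` loses its meaning; if the STIX field this mirrors expects an ISO 4217 code (verify against the extension), state it, e.g. `"description": "Currency (ISO 4217 code) used to describe the max and min amount of the impact."`. `max_amount`, `min_amount` and `conversion_rate` are typed `float`, i.e. binary floating point, so amounts entered with cents may not round-trip exactly; worth a sentence in the description if exact figures matter to consumers.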
@@ -0,0 +1,124 @@
+{
+ "attributes": {
+ "asset_type": {
+ "description": "The type or property or system that was affected by this impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "building-doors",
+ "building-windows",
+ "buildings",
+ "computers-mobile",
+ "computers-personal",
+ "computers-server",
+ "environment",
+ "ics-actuator",
+ "ics-engineering-workstation",
+ "ics-historian",
+ "ics-hmi",
+ "ics-other",
+ "ics-plc",
+ "ics-safety-system",
+ "ics-sensor",
+ "inventory",
+ "network-device",
+ "private-infrastructure",
+ "public-infrastructure",
+ "security-containers",
+ "vehicles"
+ ],
+ "ui-priority": 0
+ },
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "impact_type": {
+ "description": "Type of physical impact.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "damaged-functional",
+ "damaged-nonfunctional",
+ "destruction",
+ "none",
+ "unknown"
+ ],
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Physical Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "physical-impact",
+ "required": [
+ "impact_type"
+ ],
+ "uuid": "ae979b91-5896-46f7-ad70-4f3036d79251",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/traceability-impact/definition.json b/objects/traceability-impact/definition.json
new file mode 100644
index 0000000..5aa5f55
--- /dev/null
+++ b/objects/traceability-impact/definition.json
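Review bot: `asset_type`'s description `"The type or property or system that was affected by this impact."` has a typo; `"The type of property or system that was affected by this impact."`. If one physical impact can touch several kinds of asset, `asset_type` may also want `"multiple": true` as `incident_type` and `task_type` have elsewhere in this series; the cardinality of the STIX field it mirrors decides, and I cannot check it from this page.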
@@ -0,0 +1,93 @@
+{
+ "attributes": {
+ "criticality": {
+ "description": "Criticality of the impact",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Additional details about the impact.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "end_time": {
+ "description": "The date and time the impact was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "recoverability": {
+ "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "extended",
+ "not-applicable",
+ "not-recoverable",
+ "regular",
+ "supplemented"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the impact was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "traceability_impact": {
+ "description": "Impact on a system or organization's ability to perform audits or provvide non-repudiation.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "accountability-lost",
+ "partial-accountability",
+ "provable-accountability"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Traceability Impact object as described in STIX 2.1 Incident object extension.",
+ "meta-category": "misc",
+ "name": "traceability-impact",
+ "required": [
+ "traceability_impact"
+ ],
+ "uuid": "1dd26500-6246-4750-ad47-94ae4e200d8f",
+ "version": 1
+}
\ No newline at end of file
From e3556784b5c06d072f5bf06af6b233acd05f131e Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 22 Jun 2023 15:39:02 +0200
Subject: [PATCH 5/9] wip: [task] New object template for tasks as described in STIX 2.1 Incident object extensions
---
objects/task/definition.json | 122 +++++++++++++++++++++++++++++++++++
1 file changed, 122 insertions(+)
create mode 100644 objects/task/definition.json
diff --git a/objects/task/definition.json b/objects/task/definition.json
new file mode 100644
index 0000000..2b0774a
--- /dev/null
+++ b/objects/task/definition.json
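Review bot: `traceability_impact`'s description `"Impact on a system or organization's ability to perform audits or provvide non-repudiation."` misspells provide; `"... to perform audits or provide non-repudiation."`. `"Criticality of the impact"` is again the only description in the file without a terminating period, the same copy shared with the other six impact templates.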
@@ -0,0 +1,122 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the task.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "end_time": {
+ "description": "The date and time the event was last recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "end_time_fidelity": {
+ "description": "Level of fidelity that the `end_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "error": {
+ "description": "Details about any failure or deviation that occurred in the task.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "name": {
+ "description": "Name of the task.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "outcome": {
+ "description": "Outcome of the task",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "cancelled",
+ "failed",
+ "ongoing",
+ "pending",
+ "successful",
+ "unknown"
+ ],
+ "ui-priority": 0
+ },
+ "priority": {
+ "description": "Priority or importance of the task.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Not Specified",
+ "False Positive",
+ "Low",
+ "Moderate",
+ "High",
+ "Extreme"
+ ],
+ "ui-priority": 0
+ },
+ "start_time": {
+ "description": "The date and time the event was first recorded.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "start_time_fidelity": {
+ "description": "Level of fidelity that the `start_time` is recorded in.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "day",
+ "hour",
+ "minute",
+ "month",
+ "second",
+ "year"
+ ],
+ "ui-priority": 0
+ },
+ "task_type": {
+ "description": "Type of task.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "administrative",
+ "attribution",
+ "containment",
+ "declared",
+ 
"detected", + "eradication", + "escalated", + "exercised-control", + "external-intelligence", + "external-outreach", + "external-support", + "implemented-control", + "negotiation", + "playbook-execution", + "playbook-step-execution", + "recovery", + "reported", + "routine-updates", + "victim-notification" + ], + "ui-priority": 0 + } + }, + "description": "Task object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "task", + "required": [ + "outcome" + ], + "uuid": "384734e7-8710-4ab0-901a-6f0e73a551e6", + "version": 1 +} \ No newline at end of file From 49a715e1cfec6d8160219b3ba7ec853e7672ca72 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 15:41:06 +0200 Subject: [PATCH 6/9] fix: [confidentiality-impact] JQed --- objects/confidentiality-impact/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json index 022dad0..0a550ed 100644 --- a/objects/confidentiality-impact/definition.json +++ b/objects/confidentiality-impact/definition.json @@ -69,13 +69,13 @@ ], "ui-priority": 0 }, - "record_count":{ + "record_count": { "description": "The number of records of this type that were compromised.", "disable_correlation": true, "misp_attribute": "counter", "ui-priority": 0 }, - "record_size":{ + "record_size": { "description": "The amount of data that was compromised in bytes.", "disable_correlation": true, "misp_attribute": "size-in-bytes", From ae62d5f9b3de6d21dabbf58f5aac3a42c3c4e8f2 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 15:50:54 +0200 Subject: [PATCH 7/9] fix: [impacts] Typo --- objects/confidentiality-impact/definition.json | 4 ++-- objects/integrity-impact/definition.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json
index 0a550ed..71d9449 100644
--- a/objects/confidentiality-impact/definition.json
+++ b/objects/confidentiality-impact/definition.json
@@ -72,13 +72,13 @@
 "record_count": {
 "description": "The number of records of this type that were compromised.",
 "disable_correlation": true,
- "misp_attribute": "counter",
+ "misp-attribute": "counter",
 "ui-priority": 0
 },
 "record_size": {
 "description": "The amount of data that was compromised in bytes.",
 "disable_correlation": true,
- "misp_attribute": "size-in-bytes",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "recoverability": {
diff --git a/objects/integrity-impact/definition.json b/objects/integrity-impact/definition.json
index b53dca1..87d1d10 100644
--- a/objects/integrity-impact/definition.json
+++ b/objects/integrity-impact/definition.json
@@ -74,13 +74,13 @@
 "record_count": {
 "description": "The number of records of this type that were compromised.",
 "disable_correlation": true,
- "misp_attribute": "counter",
+ "misp-attribute": "counter",
 "ui-priority": 0
 },
 "record_size": {
 "description": "The amount of data that was compromised in bytes.",
 "disable_correlation": true,
- "misp_attribute": "size-in-bytes",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "recoverability": {
From e215a0ff1a15d4cc36a88642acf4893c60125cc0 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Fri, 7 Jul 2023 11:36:42 +0200
Subject: [PATCH 8/9] add: [incident] Added the score attribute
- We will probably parse scores and build the attribute value the following way: "{name} - {description}: {score}"
---
 objects/incident/definition.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/objects/incident/definition.json b/objects/incident/definition.json
index 0824509..ddfe798 100644
--- a/objects/incident/definition.json
+++ b/objects/incident/definition.json
@@ -169,6 +169,12 @@
 "supplemented"
 ],
 "ui-priority": 0
+ },
+ "score": {
+ "description": "Incident score, with a name, an optional description and the numeric score value.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
 }
 },
 "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
From 2b7d5634394d7d68e4d0a01608c4b2959e19c7ec Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Sat, 8 Jul 2023 11:52:40 +0200
Subject: [PATCH 9/9] chg: [relationships] Added some relationships defined in STIX 2.1 & updated some opposite relationships in consequence
---
 relationships/definition.json | 173 +++++++++++++++++++++++++++++++++-
 1 file changed, 168 insertions(+), 5 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index a2f8b1e..bc228c1 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -200,7 +200,8 @@
 "misp",
 "stix-2.0"
 ],
- "name": "targets"
+ "name": "targets",
+ "opposite": "targeted-by"
 },
 {
 "description": "This relationship describes the use by the source object of the target object.",
@@ -400,14 +401,14 @@
 "misp"
 ],
 "name": "followed-by",
- "opposite": "preceding-by"
+ "opposite": "preceded-by"
 },
 {
 "description": "This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.",
 "format": [
 "misp"
 ],
- "name": "preceding-by",
+ "name": "preceded-by",
 "opposite": "followed-by"
 },
 {
@@ -1058,7 +1059,8 @@
 "misp",
 "haxpak"
 ],
- "name": "creates"
+ "name": "creates",
+ "opposite": "created-by"
 },
 {
 "description": "Represents an object being the screenshot of something.",
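Review bot: The new `score` attribute packs a name, an optional description and a numeric value into one free-text value (the "{name} - {description}: {score}" format from the commit message), so the number can neither be validated nor compared, and nothing in the template tells consumers what format to parse. At minimum the format belongs in the description, e.g. `"description": "Incident score formatted as '{name} - {description}: {score}', where score is the numeric value.",`; separate name and score attributes would be the cleaner model. Because each composed value is specific to one incident, `"disable_correlation": true` would also avoid spurious correlations, matching the enumerated text attributes of the other templates in this series. The enclosing `attributes` object starts outside the hunk.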
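Review bot: Renaming the existing relationship `preceding-by` to `preceded-by` in the second relationships hunk changes a published identifier, so any stored relationship that already uses `preceding-by` would no longer match a template entry. I cannot tell from the diff whether the old spelling has shipped; if it has, keeping `preceding-by` as a deprecated entry alongside `preceded-by` (or spelling out the migration in the commit message) would avoid breaking existing data, since the version bump alone does not cover it.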
@@ -1534,7 +1536,168 @@
 "misp"
 ],
 "name": "known-as"
+ },
+ {
+ "description": "The source object is led to the target object.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "led-to"
+ },
+ {
+ "description": "The source object has an impact on the target.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "impacts",
+ "opposite": "impacted-by"
+ },
+ {
+ "description": "The source object is impacted by the target.",
+ "format": [
+ "misp"
+ ],
+ "name": "impacted-by",
+ "opposite": "impacts"
+ },
+ {
+ "description": "An object occured at a specific location.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "located-at"
+ },
+ {
+ "description": "The source object should be considered a point of contact for the target.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "contact-for"
+ },
+ {
+ "description": "The source object was responsible for detecting the target object.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "detects",
+ "opposite": "detected-by"
+ },
+ {
+ "description": "The source object is detected by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "detected-by",
+ "opposite": "detects"
+ },
+ {
+ "description": "The target object was observed as part of a source event.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "observed",
+ "opposite": "observed-by"
+ },
+ {
+ "description": "The source object was observed by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "observed-by",
+ "opposite": "observed"
+ },
+ {
+ "description": "The source object is based on the target.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "based-on"
+ },
+ {
+ "description": "The source object performed the target event.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": "performed",
+ "opposite": "performed-by"
+ },
+ {
+ "description": "The source object was performed by the target.",
+ "format": [
+ "misp"
+ ],
+ "name": "performed-by",
+ "opposite": "performed"
+ },
+ {
+ "description": "The source object blocks the target object.",
+ "format": [
+ "stix-2.1"
+ ],
+ "name": 
"blocks", + "opposite": "blocked-by" + }, + { + "description": "The source object is blocked by the target object.", + "format": [ + "misp" + ], + "name": "blocked-by", + "opposite": "blocks" + }, + { + "description": "The source object causes the target event.", + "format": [ + "stix-2.1" + ], + "name": "causes", + "opposite": "caused-by" + }, + { + "description": "The source object is caused by the target object.", + "format": [ + "misp" + ], + "name": "caused-by", + "opposite": "causes" + }, + { + "description": "The source object is followed by the target because of an error.", + "format": [ + "stix-2.1" + ], + "name": "errored-to" + }, + { + "description": "The source object has been assigned the target.", + "format": [ + "stix-2.1" + ], + "name": "assigned" + }, + { + "description": "The source object participated in the target task.", + "format": [ + "stix-2.1" + ], + "name": "participated-in" + }, + { + "description": "The source object is targeted by the target object.", + "format": [ + "misp" + ], + "name": "targeted-by", + "opposite": "targets" + }, + { + "description": "The source object was created by the target object.", + "format": [ + "misp" + ], + "name": "created-by", + "opposite": "creates" } ], - "version": 39 + "version": 40 } \ No newline at end of file