From 7573465e74548dacea257d41bbd25aad4438ab0c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 11 Aug 2017 10:52:02 +0200 Subject: [PATCH] First version of the types of relationships for MISP objects Relationship type can be from existing STIX 2.0 ones, MISP relationships or other proposed by the community. Please be careful that a relationship type can influence the ability of export of MISP events if the type is not supported by the target format. --- relationships/definition.json | 68 +++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 relationships/definition.json diff --git a/relationships/definition.json b/relationships/definition.json new file mode 100644 index 0000000..a330af1 --- /dev/null +++ b/relationships/definition.json @@ -0,0 +1,68 @@ +{ + "version": 1, + "values": [ + { + "name": "derived-from", + "description": "STIX 2.0: The information in the target object is based on information from the source object." + }, + { + "name": "duplicate-of", + "description": "STIX 2.0: The referenced source and target objects are semantically duplicates of each other." + }, + { + "name": "related-to", + "description": "STIX 2.0: Asserts a non - specific relationship between two SDOs. This relationship ca n be used when none of the other predefined relationships are appropriate." + }, + { + "name": "attributed-to", + "description": "STIX 2.0: This Relationship describes that the Intrusion Set or Threat Actor that is involved in carrying out the Campaign." + }, + { + "name": "targets", + "description": "STIX 2.0: This Relationship describes that the Campaign uses exploits of the related Vulnerability or targets the type of victims described by the related Identity." + }, + { + "name": "uses", + "description": "STIX 2.0: This Relationship describes that attacks carried out as part of the Campaign typically use the related Attack Pattern, Malware, or Tool." + }, + { + "name": "indicates", + "description": "STIX 2.0: This Relationship describes that the Indicator can detect evidence of the related Campaign, Intrusion, or Threat Actor. This evidence may not be direct: for example, the Indicator may detect secondary evidence of the Campaign, such as malware or behavior commonly used by that Campaign." + }, + { + "name": "mitigates", + "description": "STIX 2.0: This Relationship describes that the Course of Action can mitigate the related Attack Pattern, Malware, Vulnerability, or Tool." + }, + { + "name": "variant-of", + "description": "STIX 2.0: This Relationship is used to document that one piece of Malware is a variant of another piece of Malware." + }, + { + "name": "impersonates", + "description": "STIX 2.0: This Relationship describes that the actor is the real identity represented in the related Identity." + }, + { + "name": "authored-by", + "description": "This relationship describes the author of a specific object." + }, + { + "name": "located", + "description": "This relationship describes the location (of any type) of a specific object." + }, + { + "name": "included-in", + "description": "This relationship describes an object included in another object." + }, + { + "name": "analysed-with", + "description": "This relationship describes an object analysed by another object." + }, + { + "name": "claimed-by", + "description": "This relationship describes an object claimed by another object." + } + ], + "description": "Default type of relationships in MISP objects.", + "uuid": "b002c0d6-320f-450d-82c4-b3aa15bbbd6c", + "name": "relationships" +}