{
"namespace": "cccs",
"description": "Internal taxonomy for CCCS.",
"version": 2,
"expanded": "CCCS",
"predicates": [
{
"value": "event",
"expanded": "Event type",
"description": "Type of event associated to the internal reference"
},
{
"value": "disclosure-type",
"expanded": "Disclosure type",
"description": "Type of information being disclosed."
},
{
"value": "domain-category",
"expanded": "Domain category",
"description": "The Domain Category."
},
{
"value": "email-type",
"expanded": "Email type",
"description": "Type of email event."
},
{
"value": "exploitation-technique",
"expanded": "Exploitation technique",
"description": "The technique used to remotely exploit a GoC system."
},
{
"value": "ip-category",
"expanded": "Ip category",
"description": "The IP Category."
},
{
"value": "maliciousness",
"expanded": "Maliciousness",
"description": "Level of maliciousness."
},
{
"value": "malware-category",
"expanded": "Malware category",
"description": "The Malware Category."
},
{
"value": "misusage-type",
"expanded": "Misusage type",
"description": "The type of misusage."
},
{
"value": "mitigation-type",
"expanded": "Mitigation type",
"description": "The type of mitigation."
},
{
"value": "origin",
"expanded": "Origin",
"description": "Where the request originated from."
},
{
"value": "originating-organization",
"expanded": "Originating organization",
"description": "Origin of a signature."
},
{
"value": "scan-type",
"expanded": "Scan type",
"description": "The type of scan event."
},
{
"value": "severity",
"expanded": "Severity",
"description": "Severity of the event."
},
{
"value": "threat-vector",
"expanded": "Threat vector",
"description": "Specifies how the threat actor gained or attempted to gain initial access to the target GoC host."
}
],
"values": [
{
"predicate": "event",
"entry": [
{
"value": "beacon",
"expanded": "Beacon",
"description": "A host infected with malware is connecting to threat actor owned infrastructure."
},
{
"value": "browser-based-exploitation",
"expanded": "Browser based exploitation",
"description": "A browser component is being exploited in order to infect a host."
},
{
"value": "dos",
"expanded": "Dos",
"description": "An attack in which the goal is to disrupt access to a host or resource."
},
{
"value": "email",
"expanded": "Email",
"description": "Malicious emails sent to a department (baiting, content delivery, phishing)."
},
{
"value": "exfiltration",
"expanded": "Exfiltration",
"description": "Unauthorized transfer of data from a target's network to a location a threat actor controls."
},
{
"value": "generic-event",
"expanded": "Generic event",
"description": "Represents a collection of virtually identical events within a range of time."
},
{
"value": "improper-usage",
"expanded": "Improper usage",
"description": "Technology used in a way that compromises security or violates policy."
},
{
"value": "malware-artifacts",
"expanded": "Malware artifacts",
"description": "Signs of the presence of malware observed on a host."
},
{
"value": "malware-download",
"expanded": "Malware download",
"description": "Malware was transferred (downloaded/uploaded) to a host."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Information or credentials disclosed to a threat actor."
},
{
"value": "remote-access",
"expanded": "Remote access",
"description": "A threat actor is attempting to or succeeding in remotely logging in to a host."
},
{
"value": "remote-exploitation",
"expanded": "Remote exploitation",
"description": "A threat actor is attempting to exploit vulnerabilities remotely."
},
{
"value": "scan",
"expanded": "Scan",
"description": "A threat actor is scanning the network."
},
{
"value": "scraping",
"expanded": "Scraping",
"description": "Represents a collection of virtually identical scraping events within a range of time."
},
{
"value": "traffic-interception",
"expanded": "Traffic interception",
"description": "Represents a collection of virtually identical traffic interception events within a range of time."
}
]
},
{
"predicate": "disclosure-type",
"entry": [
{
"value": "goc-credential-disclosure",
"expanded": "Goc credential disclosure",
"description": "Credentials for a GoC system or user were disclosed."
},
{
"value": "personal-credential-disclosure",
"expanded": "Personal credential disclosure",
"description": "Credentials not related to a GoC system or user were disclosed."
},
{
"value": "personal-information-disclosure",
"expanded": "Personal information disclosure",
"description": "Information about a person or persons was disclosed."
},
{
"value": "none",
"expanded": "None",
"description": "No information was disclosed."
},
{
"value": "other",
"expanded": "Other",
"description": "Information other than credentials and personal information was disclosed."
}
]
},
{
"predicate": "domain-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "Domain is being used as command-and-control infrastructure."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Domain is being used as a proxy."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "Domain has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "Domain is being used a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "Domain is hosted on cloud infrastructure."
},
{
"value": "name-server",
"expanded": "Name server",
"description": "Domain is a name server."
},
{
"value": "sinkholed",
"expanded": "Sinkholed",
"description": "Domain is being re-directed to a sinkhole."
}
]
},
{
"predicate": "email-type",
"entry": [
{
"value": "spam",
"expanded": "Spam",
"description": "Unsolicited or junk email named after a Monty Python sketch."
},
{
"value": "content\\-delivery\\-attack",
"expanded": "Content\\-delivery\\-attack",
"description": "Email contained malicious content or attachments."
},
{
"value": "phishing",
"expanded": "Phishing",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "baiting",
"expanded": "Baiting",
"description": "Email designed to trick the recipient into providing sensitive information."
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Type of email was unknown."
}
]
},
{
"predicate": "exploitation-technique",
"entry": [
{
"value": "sql-injection",
"expanded": "Sql injection",
"description": "Exploitation occurred due to malicious SQL queries being executed against a database."
},
{
"value": "directory-traversal",
"expanded": "Directory traversal",
"description": "Exploitation occurred through a directory traversal attack allowing access to a restricted directory."
},
{
"value": "remote-file-inclusion",
"expanded": "Remote file inclusion",
"description": "Exploitation occurred due to vulnerabilities allowing malicious files to be sent."
},
{
"value": "code-injection",
"expanded": "Code injection",
"description": "Exploitation occurred due to malicious code being injected."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "ip-category",
"entry": [
{
"value": "c2",
"expanded": "C2",
"description": "IP address is a command-and-control server."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "IP address is a proxy server."
},
{
"value": "seeded",
"expanded": "Seeded",
"description": "IP address has been seeded with malware or other malicious code."
},
{
"value": "wateringhole",
"expanded": "Wateringhole",
"description": "IP address is a wateringhole."
},
{
"value": "cloud-infrastructure",
"expanded": "Cloud infrastructure",
"description": "IP address is part of cloud infrastructure."
},
{
"value": "network-gateway",
"expanded": "Network gateway",
"description": "IP address is a network gateway."
},
{
"value": "server",
"expanded": "Server",
"description": "IP address is a server of some type."
},
{
"value": "dns-server",
"expanded": "Dns server",
"description": "IP address is a DNS server."
},
{
"value": "smtp-server",
"expanded": "Smtp server",
"description": "IP address is a mail server."
},
{
"value": "web-server",
"expanded": "Web server",
"description": "IP address is a web server."
},
{
"value": "file-server",
"expanded": "File server",
"description": "IP address is a file server."
},
{
"value": "database-server",
"expanded": "Database server",
"description": "IP address is a database server."
},
{
"value": "security-appliance",
"expanded": "Security appliance",
"description": "IP address is a security appliance of some type."
},
{
"value": "tor-node",
"expanded": "Tor node",
"description": "IP address is a node of the TOR anonymization system."
},
{
"value": "sinkhole",
"expanded": "Sinkhole",
"description": "IP address is a sinkhole."
},
{
"value": "router",
"expanded": "Router",
"description": "IP address is a router device."
}
]
},
{
"predicate": "maliciousness",
"entry": [
{
"value": "non-malicious",
"expanded": "Non-malicious",
"description": "Non-malicious is not malicious or suspicious."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "Suspicious is not non-malicious and not malicious."
},
{
"value": "malicious",
"expanded": "Malicious",
"description": "Malicious is not non-malicious or suspicious."
}
]
},
{
"predicate": "malware-category",
"entry": [
{
"value": "exploit-kit",
"expanded": "Exploit kit",
"description": "Toolkit used to attack vulnerabilities in systems."
},
{
"value": "first-stage",
"expanded": "First stage",
"description": "Malware used in the initial phase of an attack and commonly used to retrieve a second stage."
},
{
"value": "second-stage",
"expanded": "Second stage",
"description": "Typical more complex malware retrieved by first stage malware."
},
{
"value": "scanner",
"expanded": "Scanner",
"description": "Malware used to look for common vulnerabilities or running software."
},
{
"value": "downloader",
"expanded": "Downloader",
"description": "Malware used to retrieve additional malware or tools."
},
{
"value": "proxy",
"expanded": "Proxy",
"description": "Malware used to proxy traffic on an infected host."
},
{
"value": "reverse-proxy",
"expanded": "Reverse proxy",
"description": "If you choose this option please provide a description of what it is to the ALFRED PO."
},
{
"value": "webshell",
"expanded": "Webshell",
"description": "Malware uploaded to a web server allowing remote access to an attacker."
},
{
"value": "ransomware",
"expanded": "Ransomware",
"description": "Malware used to hold infected host's data hostage, typically through encryption until a payment is made to the attackers."
},
{
"value": "adware",
"expanded": "Adware",
"description": "Malware used to display ads to the infected host."
},
{
"value": "spyware",
"expanded": "Spyware",
"description": "Malware used to collect information from the infected host, such as credentials."
},
{
"value": "virus",
"expanded": "Virus",
"description": "Malware that propogates by inserting a copy of itself into another program."
},
{
"value": "worm",
"expanded": "Worm",
"description": "Standalone malware that propogates by copying itself.."
},
{
"value": "trojan",
"expanded": "Trojan",
"description": "Malware that looks like legitimate software but hides malicious code."
},
{
"value": "rootkit",
"expanded": "Rootkit",
"description": "Malware that can hide the existance of other malware by modifying operating system functions."
},
{
"value": "keylogger",
"expanded": "Keylogger",
"description": "Malware that runs in the background, capturing keystrokes from a user unknowingly for exfiltration."
},
{
"value": "browser-hijacker",
"expanded": "Browser hijacker",
"description": "Malware that re-directs or otherwise intercepts Internet browsing by the user."
}
]
},
{
"predicate": "misusage-type",
"entry": [
{
"value": "unauthorized-usage",
"expanded": "Unauthorized usage",
"description": "Usage of the system or resource was without appropriate permission or authorization."
},
{
"value": "misconfiguration",
"expanded": "Misconfiguration",
"description": "System or resource is misconfigured."
},
{
"value": "lack-of-encryption",
"expanded": "Lack of encryption",
"description": "System or resources has insufficient encryption or no encryption."
},
{
"value": "vulnerable-software",
"expanded": "Vulnerable software",
"description": "System or resource has software with known vulnerabilities."
},
{
"value": "privilege-escalation",
"expanded": "Privilege escalation",
"description": "System or resource was exploited to gain higher privilege level."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "mitigation-type",
"entry": [
{
"value": "anti-virus",
"expanded": "Anti-virus",
"description": "Anti-Virus"
},
{
"value": "content-filtering-system",
"expanded": "Content filtering system",
"description": "Content Filtering System"
},
{
"value": "dynamic-defense",
"expanded": "Dynamic defense",
"description": "Dynamic Defense"
},
{
"value": "insufficient-privileges",
"expanded": "Insufficient privileges",
"description": "Insufficient Privileges"
},
{
"value": "ids",
"expanded": "Ids",
"description": "Intrusion Detection System"
},
{
"value": "sink-hole-/-take-down-by-third-party",
"expanded": "Sink hole / take down by third party",
"description": "Sink Hole / Take Down by Third Party"
},
{
"value": "isp",
"expanded": "Isp",
"description": "Internet Service Provider"
},
{
"value": "invalid-credentials",
"expanded": "Invalid credentials",
"description": "Invalid Credentials"
},
{
"value": "not-vulnerable",
"expanded": "Not vulnerable",
"description": "No mitigation was required because the system was not vulnerable to the attack."
},
{
"value": "other",
"expanded": "Other",
"description": "Other"
},
{
"value": "unknown",
"expanded": "Unknown",
"description": "Unknown"
},
{
"value": "user",
"expanded": "User",
"description": "User"
}
]
},
{
"predicate": "origin",
"entry": [
{
"value": "subscriber",
"expanded": "Subscriber",
"description": "Subscriber."
},
{
"value": "internet",
"expanded": "Internet",
"description": "Internet."
}
]
},
{
"predicate": "originating-organization",
"entry": [
{
"value": "cse",
"expanded": "Cse",
"description": "Communications Security Establishment."
},
{
"value": "nsa",
"expanded": "Nsa",
"description": "National Security Agency."
},
{
"value": "gchq",
"expanded": "Gchq",
"description": "Government Communications Headquarters."
},
{
"value": "asd",
"expanded": "Asd",
"description": "Australian Signals Directorate."
},
{
"value": "gcsb",
"expanded": "Gcsb",
"description": "Government Communications Security Bureau."
},
{
"value": "open-source",
"expanded": "Open source",
"description": "Originated from publically available information."
},
{
"value": "3rd-party",
"expanded": "3rd party",
"description": "Originated from a 3rd party organization."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "scan-type",
"entry": [
{
"value": "open-port",
"expanded": "Open port",
"description": "Scan was looking for open ports corresponding to common applications or protocols."
},
{
"value": "icmp",
"expanded": "Icmp",
"description": "Scan was attempting to enumerate devices through the ICMP protocol."
},
{
"value": "os-fingerprinting",
"expanded": "Os fingerprinting",
"description": "Scan was looking for operating system information through unique characteristics in responses."
},
{
"value": "web",
"expanded": "Web",
"description": "Scan was enumerating or otherwise traversing web hosts."
},
{
"value": "other",
"expanded": "Other",
"description": "Other."
}
]
},
{
"predicate": "severity",
"entry": [
{
"value": "reconnaissance",
"expanded": "Reconnaissance",
"description": "An actor attempted or succeeded in gaining information that may be used to identify and/or compromise systems or data."
},
{
"value": "attempted-compromise",
"expanded": "Attempted compromise",
"description": "An actor attempted affecting the confidentiality, integrity or availability of a system."
},
{
"value": "exploited",
"expanded": "Exploited",
"description": "A vulnerability was successfully exploited."
}
]
},
{
"predicate": "threat-vector",
"entry": [
{
"value": "application:cms",
"expanded": "Application:cms",
"description": "Content Management System."
},
{
"value": "application:bash",
"expanded": "Application:bash",
"description": "BASH script."
},
{
"value": "application:acrobat-reader",
"expanded": "Application:acrobat reader",
"description": "Adobe Acrobat Reader."
},
{
"value": "application:ms-excel",
"expanded": "Application:ms excel",
"description": "Microsoft Excel."
},
{
"value": "application:other",
"expanded": "Application:other",
"description": "Other Application."
},
{
"value": "language:sql",
"expanded": "Language:sql",
"description": "Structured Query Language."
},
{
"value": "language:php",
"expanded": "Language:php",
"description": "PHP: Hypertext Preprocessor."
},
{
"value": "language:javascript",
"expanded": "Language:javascript",
"description": "JavaScript."
},
{
"value": "language:other",
"expanded": "Language:other",
"description": "Other Language."
},
{
"value": "protocol:dns",
"expanded": "Protocol:dns",
"description": "Domain Name System."
},
{
"value": "protocol:ftp",
"expanded": "Protocol:ftp",
"description": "File Transfer Protocol."
},
{
"value": "protocol:http",
"expanded": "Protocol:http",
"description": "Hyper Text Transfer Protocol."
},
{
"value": "protocol:icmp",
"expanded": "Protocol:icmp",
"description": "Internet Control Message Protocol."
},
{
"value": "protocol:ntp",
"expanded": "Protocol:ntp",
"description": "Network Time Protocol."
},
{
"value": "protocol:rdp",
"expanded": "Protocol:rdp",
"description": "Remote Desktop Protocol."
},
{
"value": "protocol:smb",
"expanded": "Protocol:smb",
"description": "Server Message Block."
},
{
"value": "protocol:snmp",
"expanded": "Protocol:snmp",
"description": "Simple Network Management Protocol."
},
{
"value": "protocol:ssl",
"expanded": "Protocol:ssl",
"description": "Secure Sockets Layer."
},
{
"value": "protocol:telnet",
"expanded": "Protocol:telnet",
"description": "Network Virtual Terminal Protocol."
},
{
"value": "protocol:sip",
"expanded": "Protocol:sip",
"description": "Session Initiation Protocol."
}
]
}
]
}