From 25db95cbb618e43762adcbc08cd2f83c29a14740 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Fri, 4 Nov 2022 22:33:07 +0100
Subject: [PATCH 1/4] Sentinel indicator threat types. Taxonomy in support of integrating MISP with Sentinel. Allows to set the "threatType values".
---
 MANIFEST.json | 2 +-
 sentinel-threattype/machinetag.json | 57 +++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 sentinel-threattype/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 4ebe446..78fec79 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -725,5 +725,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20221101"
+ "version": "20220918"
 }
diff --git a/sentinel-threattype/machinetag.json b/sentinel-threattype/machinetag.json
new file mode 100644
index 0000000..ce2b46a
--- /dev/null
+++ b/sentinel-threattype/machinetag.json
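Review bot: The new side of the `version` line in the MANIFEST.json hunk moves the manifest version backwards, from `"20221101"` to `"20220918"`, so any consumer that compares the date-stamped version to decide whether its taxonomy set is stale would treat this commit's manifest as older than the one it replaces. Patches 2 and 4 of the series revert it and then bump it to `"20221104"`, so the end state is consistent, but this commit on its own is not, and the entry for `sentinel-threattype` that makes the manifest describe the file created here only arrives in patch 4. Folding the three MANIFEST.json changes into a single bump alongside the new entry would avoid leaving a commit that is wrong when checked out or bisected by itself.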
@@ -0,0 +1,57 @@
+{
+ "namespace": "sentinel-threattype",
+ "expanded": "sentinel-threattype",
+ "description": "Sentinel indicator threat types.",
+ "version": 1,
+ "exclusive": true,
+ "refs": [
+ "https://learn.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta#threattype-values"
+ ],
+ "predicates": [
+ {
+ "value": "Botnet",
+ "expanded": "Indicator is detailing a botnet node/member."
+ },
+ {
+ "value": "C2",
+ "expanded": "Indicator is detailing a Command & Control node of a botnet."
+ },
+ {
+ "value": "CryptoMining",
+ "expanded": "Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse."
+ },
+ {
+ "value": "Darknet",
+ "expanded": "Indicator is that of a Darknet node/network."
+ },
+ {
+ "value": "DDoS",
+ "expanded": "Indicators relating to an active or upcoming DDoS campaign."
+ },
+ {
+ "value": "MaliciousUrl",
+ "expanded": "URL that is serving malware."
+ },
+ {
+ "value": "Malware",
+ "expanded": "Indicator describing a malicious file or files."
+ },
+ {
+ "value": "Phishing",
+ "expanded": "Indicators relating to a phishing campaign."
+ },
+ {
+ "value": "Proxy",
+ "expanded": "Indicator is that of a proxy service."
+ },
+ {
+ "value": "PUA",
+ "expanded": "Potentially Unwanted Application."
+ },
+ {
+ "value": "WatchList",
+ "expanded": "This is the generic bucket into which indicators are placed when it cannot be determined exactly what the threat is or will require manual interpretation. This should typically not be used by partners submitting data into the system."
+ }
+ ]
+ }
+ 
\ No newline at end of file
From 04a5878739c590a63c1d464c9f65e7bdb3f7993c Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Fri, 4 Nov 2022 22:34:51 +0100
Subject: [PATCH 2/4] Update MANIFEST.json
---
 MANIFEST.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 78fec79..4ebe446 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
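Review bot: The `expanded` text of the `CryptoMining` predicate misspells the term as `CyrptoMining`, and patch 3 of this series carries the typo into the reindented file unchanged; the line should read `"expanded": "Traffic involving this network address / URL is an indication of CryptoMining / Resource abuse."`. The `WatchList` description ends with "This should typically not be used by partners submitting data into the system.", which reads as guidance written for the upstream indicator service rather than for an analyst tagging a MISP event; if it was taken from the referenced page, a sentence aimed at MISP users, such as `"Generic bucket for indicators whose threat type cannot be determined or still needs manual interpretation."`, would be clearer. The top-level `"description": "Sentinel indicator threat types."` could also say what the values map to, e.g. `"description": "Microsoft Sentinel / Graph tiIndicator threatType values, used when pushing MISP indicators to Sentinel."`, so the taxonomy is self-describing without following the `refs` link. The file as added ends in a whitespace-only line with no trailing newline, which patch 3 corrects.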
@@ -725,5 +725,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20220918"
+ "version": "20221101"
 }
From f18fbb387858cb17e860d7037d1ed5a733545c40 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Fri, 4 Nov 2022 22:40:04 +0100
Subject: [PATCH 3/4] Update machinetag.json
---
 sentinel-threattype/machinetag.json | 111 ++++++++++++++--------------
 1 file changed, 55 insertions(+), 56 deletions(-)
diff --git a/sentinel-threattype/machinetag.json b/sentinel-threattype/machinetag.json
index ce2b46a..8d5fdfa 100644
--- a/sentinel-threattype/machinetag.json
+++ b/sentinel-threattype/machinetag.json
@@ -1,57 +1,56 @@
 {
- "namespace": "sentinel-threattype",
- "expanded": "sentinel-threattype",
- "description": "Sentinel indicator threat types.",
- "version": 1,
- "exclusive": true,
- "refs": [
- "https://learn.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta#threattype-values"
- ],
- "predicates": [
- {
- "value": "Botnet",
- "expanded": "Indicator is detailing a botnet node/member."
- },
- {
- "value": "C2",
- "expanded": "Indicator is detailing a Command & Control node of a botnet."
- },
- {
- "value": "CryptoMining",
- "expanded": "Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse."
- },
- {
- "value": "Darknet",
- "expanded": "Indicator is that of a Darknet node/network."
- },
- {
- "value": "DDoS",
- "expanded": "Indicators relating to an active or upcoming DDoS campaign."
- },
- {
- "value": "MaliciousUrl",
- "expanded": "URL that is serving malware."
- },
- {
- "value": "Malware",
- "expanded": "Indicator describing a malicious file or files."
- },
- {
- "value": "Phishing",
- "expanded": "Indicators relating to a phishing campaign."
- },
- {
- "value": "Proxy",
- "expanded": "Indicator is that of a proxy service."
- },
- {
- "value": "PUA",
- "expanded": "Potentially Unwanted Application."
- },
- {
- "value": "WatchList",
- "expanded": "This is the generic bucket into which indicators are placed when it cannot be determined exactly what the threat is or will require manual interpretation. This should typically not be used by partners submitting data into the system."
- }
- ]
- }
- 
\ No newline at end of file
+ "namespace": "sentinel-threattype",
+ "expanded": "sentinel-threattype",
+ "description": "Sentinel indicator threat types.",
+ "version": 1,
+ "exclusive": true,
+ "refs": [
+ "https://learn.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta#threattype-values"
+ ],
+ "predicates": [
+ {
+ "value": "Botnet",
+ "expanded": "Indicator is detailing a botnet node/member."
+ },
+ {
+ "value": "C2",
+ "expanded": "Indicator is detailing a Command & Control node of a botnet."
+ },
+ {
+ "value": "CryptoMining",
+ "expanded": "Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse."
+ },
+ {
+ "value": "Darknet",
+ "expanded": "Indicator is that of a Darknet node/network."
+ },
+ {
+ "value": "DDoS",
+ "expanded": "Indicators relating to an active or upcoming DDoS campaign."
+ },
+ {
+ "value": "MaliciousUrl",
+ "expanded": "URL that is serving malware."
+ },
+ {
+ "value": "Malware",
+ "expanded": "Indicator describing a malicious file or files."
+ },
+ {
+ "value": "Phishing",
+ "expanded": "Indicators relating to a phishing campaign."
+ },
+ {
+ "value": "Proxy",
+ "expanded": "Indicator is that of a proxy service."
+ },
+ {
+ "value": "PUA",
+ "expanded": "Potentially Unwanted Application."
+ },
+ {
+ "value": "WatchList",
+ "expanded": "This is the generic bucket into which indicators are placed when it cannot be determined exactly what the threat is or will require manual interpretation. This should typically not be used by partners submitting data into the system."
+ }
+ ]
+}
From 80c44735cc0962baf9d565283ad50f315bdc9114 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Fri, 4 Nov 2022 22:45:56 +0100
Subject: [PATCH 4/4] Update MANIFEST.json
---
 MANIFEST.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 4ebe446..4dc831c 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -628,6 +628,11 @@
 "name": "scrippsco2-sampling-stations",
 "version": 1
 },
+ {
+ "description": "Sentinel indicator threat types.",
+ "name": "sentinel-threattype",
+ "version": 1
+ },
 {
 "description": "Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports",
 "name": "smart-airports-threats",
@@ -725,5 +730,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20221101"
+ "version": "20221104"
 }
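Review bot: The new manifest entry in the first hunk duplicates the `description` and `version` of `sentinel-threattype/machinetag.json` by hand, so the two copies will drift apart the first time the taxonomy file is revised without MANIFEST.json being touched (both currently carry `"version": 1`). If the repository has a script that regenerates MANIFEST.json from the taxonomy directories, it would be worth running that instead and noting it in the commit message; if it does not, a one-line note in the PR description that the entry and the taxonomy `version` must be bumped together would help the next contributor. The entry's position between `scrippsco2-sampling-stations` and `smart-airports-threats` keeps the surrounding alphabetical order, and the bump to `"20221104"` in the second hunk is consistent with the patch date.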