From 8f26a434fdefb5eaab15c6fe4ecf5d26b0f818b0 Mon Sep 17 00:00:00 2001
From: paulingega-sa
Date: Mon, 24 Aug 2020 14:50:30 +0100
Subject: [PATCH 1/3] update threatmatch taxonomies into a single taxonomy
---
 MANIFEST.json | 19 +-
 threatmatch-alert-types/README.md | 3 -
 threatmatch-alert-types/machinetag.json | 99 ----
 threatmatch-incident-types/README.md | 3 -
 threatmatch-incident-types/machinetag.json | 175 -------
 threatmatch-malware-types/README.md | 3 -
 threatmatch-malware-types/machinetag.json | 115 -----
 threatmatch-sectors/README.md | 3 -
 threatmatch-sectors/machinetag.json | 167 -------
 threatmatch/README.md | 2 +
 threatmatch/machinetag.json | 515 +++++++++++++++++++++
 11 files changed, 519 insertions(+), 585 deletions(-)
 delete mode 100644 threatmatch-alert-types/README.md
 delete mode 100644 threatmatch-alert-types/machinetag.json
 delete mode 100644 threatmatch-incident-types/README.md
 delete mode 100644 threatmatch-incident-types/machinetag.json
 delete mode 100644 threatmatch-malware-types/README.md
 delete mode 100644 threatmatch-malware-types/machinetag.json
 delete mode 100644 threatmatch-sectors/README.md
 delete mode 100644 threatmatch-sectors/machinetag.json
 create mode 100644 threatmatch/README.md
 create mode 100644 threatmatch/machinetag.json
diff --git a/MANIFEST.json b/MANIFEST.json
index 320289c..8dd23de 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -544,23 +544,8 @@
 "version": 3
 },
 {
- "description": "The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
- "name": "threatmatch-alert-types",
- "version": 1
- },
- {
- "description": "The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
- "name": "threatmatch-incident-types",
- "version": 1
- },
- {
- "description": "The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
- "name": "threatmatch-malware-types",
- "version": 1
- },
- {
- "description": "The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
- "name": "threatmatch-sectors",
+ "description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
+ "name": "threatmatch",
 "version": 1
 },
 {
diff --git a/threatmatch-alert-types/README.md b/threatmatch-alert-types/README.md
deleted file mode 100644
index 9ccc39e..0000000
--- a/threatmatch-alert-types/README.md
+++ /dev/null
@@ -1,3 +0,0 @@
-## Alert types
-Alert tags are used by the ThreatMatch platform to categorise a relevant threat.
-Tags should be used for all CIISI and TIBER projects.
diff --git a/threatmatch-alert-types/machinetag.json b/threatmatch-alert-types/machinetag.json
deleted file mode 100644
index e999f8f..0000000
--- a/threatmatch-alert-types/machinetag.json
+++ /dev/null
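Review bot: The four `threatmatch-*` manifest entries are removed in the MANIFEST.json hunk with no deprecation notice or mapping to the new predicates. Events already tagged under the old namespaces (for example `threatmatch-sectors:sector="Insurance"`) would then reference a taxonomy that no longer ships, and filters, sharing rules or detections keyed on those tag strings may silently stop matching. I would add a line to threatmatch/README.md such as `Replaces the threatmatch-alert-types, threatmatch-incident-types, threatmatch-malware-types and threatmatch-sectors taxonomies; re-tag existing events under the new namespace.` so that consumers have a documented migration path.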
@@ -1,99 +0,0 @@ -{ - "namespace": "threatmatch-alert-types", - "expanded": "Alert Types for Sharing into ThreatMatch and MISP.", - "version": 1, - "description": "The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", - "refs": [ - "https://www.secalliance.com/platform/", - "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" - ], - "predicates": [ - { - "value": "alert_type", - "expanded": "Alert type" - } - ], - "values": [ - { - "predicate": "alert_type", - "entry": [ - { - "value": "Actor Campaigns", - "expanded": "Actor Campaigns" - }, - { - "value": "Credential Breaches", - "expanded": "Credential Breaches" - }, - { - "value": "DDoS", - "expanded": "DDoS" - }, - { - "value": "Exploit Alert", - "expanded": "Exploit Alert" - }, - { - "value": "General Notification", - "expanded": "General Notification" - }, - { - "value": "High Impact Vulnerabilities", - "expanded": "High Impact Vulnerabilities" - }, - { - "value": "Information Leakages", - "expanded": "Information Leakages" - }, - { - "value": "Malware Analysis", - "expanded": "Malware Analysis" - }, - { - "value": "Nefarious Domains", - "expanded": "Nefarious Domains" - }, - { - "value": "Nefarious Forum Mention", - "expanded": "Nefarious Forum Mention" - }, - { - "value": "Pastebin Dumps", - "expanded": "Pastebin Dumps" - }, - { - "value": "Phishing Attempts", - "expanded": "Phishing Attempts" - }, - { - "value": "PII Exposure", - "expanded": "PII Exposure" - }, - { - "value": "Sensitive Information Disclosures", - "expanded": "Sensitive Information Disclosures" - }, - { - "value": "Social Media Alerts", - "expanded": "Social Media Alerts" - }, - { - "value": "Supply Chain Event", - "expanded": "Supply Chain Event" - }, - { - "value": "Technical Exposure", - "expanded": "Technical Exposure" - }, - { - "value": "Threat Actor Updates", - "expanded": "Threat Actor Updates" - }, - { - "value": "Trigger 
Events", - "expanded": "Trigger Events" - } - ] - } - ] -} diff --git a/threatmatch-incident-types/README.md b/threatmatch-incident-types/README.md deleted file mode 100644 index 1e95764..0000000 --- a/threatmatch-incident-types/README.md +++ /dev/null @@ -1,3 +0,0 @@ -## Incident types -Incident tags are used by the ThreatMatch platform to categorise a relevant incident event. -Tags should be used for all CIISI and TIBER projects. diff --git a/threatmatch-incident-types/machinetag.json b/threatmatch-incident-types/machinetag.json deleted file mode 100644 index cc2d031..0000000 --- a/threatmatch-incident-types/machinetag.json +++ /dev/null 
@@ -1,175 +0,0 @@ -{ - "namespace": "threatmatch-incident-types", - "expanded": "Incident Types for Sharing into ThreatMatch and MISP", - "version": 1, - "description": "The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", - "refs": [ - "https://www.secalliance.com/platform/", - "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" - ], - "predicates": [ - { - "value": "incident_type", - "expanded": "Threat Match incident types" - } - ], - "values": [ - { - "predicate": "incident_type", - "entry": [ - { - "value": "ATM Attacks", - "expanded": "ATM Attacks" - }, - { - "value": "ATM Breach", - "expanded": "ATM Breach" - }, - { - "value": "Attempted Exploitation", - "expanded": "Attempted Exploitation" - }, - { - "value": "Botnet Activity", - "expanded": "Botnet Activity" - }, - { - "value": "Business Email Compromise", - "expanded": "Business Email Compromise" - }, - { - "value": "Crypto Mining", - "expanded": "Crypto Mining" - }, - { - "value": "Data Breach/Compromise", - "expanded": "Data Breach/Compromise" - }, - { - "value": "Data Dump", - "expanded": "Data Dump" - }, - { - "value": "Data Leakage", - "expanded": "Data Leakage" - }, - { - "value": "DDoS", - "expanded": "DDoS" - }, - { - "value": "Defacement Activity", - "expanded": "Defacement Activity" - }, - { - "value": "Denial of Service (DoS)", - "expanded": "Denial of Service (DoS)" - }, - { - "value": "Disruption Activity", - "expanded": "Disruption Activity" - }, - { - "value": "Espionage", - "expanded": "Espionage" - }, - { - "value": "Espionage Activity", - "expanded": "Espionage Activity" - }, - { - "value": "Exec Targeting ", - "expanded": "Exec Targeting " - }, - { - "value": "Exposure of Data", - "expanded": "Exposure of Data" - }, - { - "value": "Extortion Activity", - "expanded": "Extortion Activity" - }, - { - "value": "Fraud Activity", - "expanded": "Fraud Activity" - }, - { - "value": 
"General Notification", - "expanded": "General Notification" - }, - { - "value": "Hacktivism Activity", - "expanded": "Hacktivism Activity" - }, - { - "value": "Malicious Insider", - "expanded": "Malicious Insider" - }, - { - "value": "Malware Infection", - "expanded": "Malware Infection" - }, - { - "value": "Man in the Middle Attacks", - "expanded": "Man in the Middle Attacks" - }, - { - "value": "MFA Attack", - "expanded": "MFA Attack" - }, - { - "value": "Mobile Malware", - "expanded": "Mobile Malware" - }, - { - "value": "Phishing Activity", - "expanded": "Phishing Activity" - }, - { - "value": "Ransomware Activity", - "expanded": "Ransomware Activity" - }, - { - "value": "Social Engineering Activity", - "expanded": "Social Engineering Activity" - }, - { - "value": "Social Media Compromise", - "expanded": "Social Media Compromise" - }, - { - "value": "Spear-phishing Activity", - "expanded": "Spear-phishing Activity" - }, - { - "value": "Spyware", - "expanded": "Spyware" - }, - { - "value": "SQL Injection Activity", - "expanded": "SQL Injection Activity" - }, - { - "value": "Supply Chain Compromise", - "expanded": "Supply Chain Compromise" - }, - { - "value": "Trojanised Software", - "expanded": "Trojanised Software" - }, - { - "value": "Vishing", - "expanded": "Vishing" - }, - { - "value": "Website Attack (Other)", - "expanded": "Website Attack (Other)" - }, - { - "value": "Unknown", - "expanded": "Unknown" - } - ] - } - ] -} diff --git a/threatmatch-malware-types/README.md b/threatmatch-malware-types/README.md deleted file mode 100644 index 2a6c9df..0000000 --- a/threatmatch-malware-types/README.md +++ /dev/null @@ -1,3 +0,0 @@ -## Malware types -Malware tags are used by the ThreatMatch platform to categorise malware types. -Tags should be used for all CIISI and TIBER projects. diff --git a/threatmatch-malware-types/machinetag.json b/threatmatch-malware-types/machinetag.json deleted file mode 100644 index 001c78e..0000000 
--- a/threatmatch-malware-types/machinetag.json +++ /dev/null 
@@ -1,115 +0,0 @@ -{ - "namespace": "threatmatch-malware-types", - "expanded": "Malware Types for Sharing into ThreatMatch and MISP", - "version": 1, - "description": "The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", - "refs": [ - "https://www.secalliance.com/platform/", - "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" - ], - "predicates": [ - { - "value": "malware_type", - "expanded": "Malware type" - } - ], - "values": [ - { - "predicate": "malware_type", - "entry": [ - { - "value": "Adware", - "expanded": "Adware" - }, - { - "value": "Backdoor", - "expanded": "Backdoor" - }, - { - "value": "Banking Trojan", - "expanded": "Banking Trojan" - }, - { - "value": "Botnet", - "expanded": "Botnet" - }, - { - "value": "Destructive", - "expanded": "Destructive" - }, - { - "value": "Downloader", - "expanded": "Downloader" - }, - { - "value": "Exploit Kit", - "expanded": "Exploit Kit" - }, - { - "value": "Fileless Malware", - "expanded": "Fileless Malware" - }, - { - "value": "Keylogger", - "expanded": "Keylogger" - }, - { - "value": "Legitimate Tool", - "expanded": "Legitimate Tool" - }, - { - "value": "Mobile Application", - "expanded": "Mobile Application" - }, - { - "value": "Mobile Malware", - "expanded": "Mobile Malware" - }, - { - "value": "Point-of-Sale (PoS)", - "expanded": "Point-of-Sale (PoS)" - }, - { - "value": "Remote Access Trojan", - "expanded": "Remote Access Trojan" - }, - { - "value": "Rootkit", - "expanded": "Rootkit" - }, - { - "value": "Skimmer", - "expanded": "Skimmer" - }, - { - "value": "Spyware", - "expanded": "Spyware" - }, - { - "value": "Surveillance Tool", - "expanded": "Surveillance Tool" - }, - { - "value": "Trojan", - "expanded": "Trojan" - }, - { - "value": "Virus", - "expanded": "Virus " - }, - { - "value": "Worm", - "expanded": "Worm" - }, - { - "value": "Zero-day", - "expanded": "Zero-day" - }, - { - "value": "Unknown", 
- "expanded": "Unknown" - } - ] - } - ] -} diff --git a/threatmatch-sectors/README.md b/threatmatch-sectors/README.md deleted file mode 100644 index ad6b550..0000000 --- a/threatmatch-sectors/README.md +++ /dev/null @@ -1,3 +0,0 @@ -## Sector types -Extensive list of sector definition tags. -Tags should be used for all CIISI and TIBER projects. \ No newline at end of file diff --git a/threatmatch-sectors/machinetag.json b/threatmatch-sectors/machinetag.json deleted file mode 100644 index 9081c91..0000000 --- a/threatmatch-sectors/machinetag.json +++ /dev/null 
@@ -1,167 +0,0 @@ -{ - "namespace": "threatmatch-sectors", - "expanded": "Sector Types for Sharing into ThreatMatch and MISP", - "version": 1, - "description": "The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", - "refs": [ - "https://www.secalliance.com/platform/", - "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" - ], - "predicates": [ - { - "value": "sector", - "expanded": "Threat Match sector definitions" - } - ], - "values": [ - { - "predicate": "sector", - "entry": [ - { - "value": "Banking & Capital Markets", - "expanded": "Banking & capital markets" - }, - { - "value": "Financial Services", - "expanded": "Financial Services" - }, - { - "value": "Insurance", - "expanded": "Insurance" - }, - { - "value": "Pension", - "expanded": "Pension" - }, - { - "value": "Government & Public Service", - "expanded": "Government & Public Service" - }, - { - "value": "Diplomatic Services", - "expanded": "Diplomatic Services" - }, - { - "value": "Energy, Utilities & Mining", - "expanded": "Energy, Utilities & Mining" - }, - { - "value": "Telecommunications", - "expanded": "Telecommunications" - }, - { - "value": "Technology", - "expanded": "Technology" - }, - { - "value": "Academic/Research Institutes", - "expanded": "Academic/Research Institutes" - }, - { - "value": "Aerospace, Defence & Security", - "expanded": "Aerospace, Defence & Security" - }, - { - "value": "Agriculture", - "expanded": "Agriculture" - }, - { - "value": "Asset & Wealth Management", - "expanded": "Asset & Wealth Management" - }, - { - "value": "Automotive", - "expanded": "Automotive" - }, - { - "value": "Business and Professional Services", - "expanded": "Business and Professional Services" - }, - { - "value": "Capital Projects & Infrastructure", - "expanded": "Capital Projects & Infrastructure" - }, - { - "value": "Charity/Not-for-Profit", - "expanded": "Charity/Not-for-Profit" - }, - { - 
"value": "Chemicals", - "expanded": "Chemicals" - }, - { - "value": "Commercial Aviation", - "expanded": "Commercial Aviation" - }, - { - "value": "Commodities", - "expanded": "Commodities" - }, - { - "value": "Education", - "expanded": "Education" - }, - { - "value": "Engineering & Construction", - "expanded": "Engineering & Construction" - }, - { - "value": "Entertainment & Media", - "expanded": "Entertainment & Media" - }, - { - "value": "Forest, Paper & Packaging", - "expanded": "Forest, Paper & Packaging" - }, - { - "value": "Healthcare", - "expanded": "Healthcare" - }, - { - "value": "Hospitality & Leisure", - "expanded": "Hospitality & Leisure" - }, - { - "value": "Industrial Manufacturing", - "expanded": "Industrial Manufacturing" - }, - { - "value": "IT Industry", - "expanded": "IT Industry" - }, - { - "value": "Legal", - "expanded": "Legal" - }, - { - "value": "Metals", - "expanded": "Metals" - }, - { - "value": "Pharmaceuticals & Life Sciences", - "expanded": "Pharmaceuticals & Life Sciences" - }, - { - "value": "Private Equity", - "expanded": "Private Equity" - }, - { - "value": "Retail & Consumer", - "expanded": "Retail & Consumer" - }, - { - "value": "Semiconductors", - "expanded": "Semiconductors" - }, - { - "value": "Sovereign Investment Funds", - "expanded": "Sovereign Investment Funds" - }, - { - "value": "Transport & Logistics", - "expanded": "Transport & Logistics" - } - ] - } - ] -} diff --git a/threatmatch/README.md b/threatmatch/README.md new file mode 100644 index 0000000..8b0fb1e --- /dev/null +++ b/threatmatch/README.md @@ -0,0 +1,2 @@ +## ThreatMatch +Incident types, Alert types, Malware types and Sectors should be used for all CIISI and TIBER projects. \ No newline at end of file diff --git a/threatmatch/machinetag.json b/threatmatch/machinetag.json new file mode 100644 index 0000000..761830c --- /dev/null +++ b/threatmatch/machinetag.json 
@@ -0,0 +1,515 @@ +{ + "namespace": "ThreatMatch", + "expanded": "ThreatMatch categories for sharing into ThreatMatch and MISP", + "version": 1, + "description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.", + "refs": [ + "https://www.secalliance.com/platform/", + "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" + ], + "predicates":[ + { + "value": "sector", + "expanded": "Extensive list of sector definition tags" + }, + { + "value": "incident_type", + "expanded": "Incident tags are used by the ThreatMatch platform to categorise a relevant incident event." + }, + { + "value": "malware_type", + "expanded": "Malware tags are used by the ThreatMatch platform to categorise malware types." + }, + { + "value": "alert_type", + "expanded": "Alert tags are used by the ThreatMatch platform to categorise a relevant threat." + } + ], + "values": [ + { + "predicate": "sector", + "entry": [ + { + "value": "Banking & Capital Markets", + "expanded": "Banking & capital markets" + }, + { + "value": "Financial Services", + "expanded": "Financial Services" + }, + { + "value": "Insurance", + "expanded": "Insurance" + }, + { + "value": "Pension", + "expanded": "Pension" + }, + { + "value": "Government & Public Service", + "expanded": "Government & Public Service" + }, + { + "value": "Diplomatic Services", + "expanded": "Diplomatic Services" + }, + { + "value": "Energy, Utilities & Mining", + "expanded": "Energy, Utilities & Mining" + }, + { + "value": "Telecommunications", + "expanded": "Telecommunications" + }, + { + "value": "Technology", + "expanded": "Technology" + }, + { + "value": "Academic/Research Institutes", + "expanded": "Academic/Research Institutes" + }, + { + "value": "Aerospace, Defence & Security", + "expanded": "Aerospace, Defence & Security" + }, + { + "value": "Agriculture", + "expanded": "Agriculture" + }, 
+ { + "value": "Asset & Wealth Management", + "expanded": "Asset & Wealth Management" + }, + { + "value": "Automotive", + "expanded": "Automotive" + }, + { + "value": "Business and Professional Services", + "expanded": "Business and Professional Services" + }, + { + "value": "Capital Projects & Infrastructure", + "expanded": "Capital Projects & Infrastructure" + }, + { + "value": "Charity/Not-for-Profit", + "expanded": "Charity/Not-for-Profit" + }, + { + "value": "Chemicals", + "expanded": "Chemicals" + }, + { + "value": "Commercial Aviation", + "expanded": "Commercial Aviation" + }, + { + "value": "Commodities", + "expanded": "Commodities" + }, + { + "value": "Education", + "expanded": "Education" + }, + { + "value": "Engineering & Construction", + "expanded": "Engineering & Construction" + }, + { + "value": "Entertainment & Media", + "expanded": "Entertainment & Media" + }, + { + "value": "Forest, Paper & Packaging", + "expanded": "Forest, Paper & Packaging" + }, + { + "value": "Healthcare", + "expanded": "Healthcare" + }, + { + "value": "Hospitality & Leisure", + "expanded": "Hospitality & Leisure" + }, + { + "value": "Industrial Manufacturing", + "expanded": "Industrial Manufacturing" + }, + { + "value": "IT Industry", + "expanded": "IT Industry" + }, + { + "value": "Legal", + "expanded": "Legal" + }, + { + "value": "Metals", + "expanded": "Metals" + }, + { + "value": "Pharmaceuticals & Life Sciences", + "expanded": "Pharmaceuticals & Life Sciences" + }, + { + "value": "Private Equity", + "expanded": "Private Equity" + }, + { + "value": "Retail & Consumer", + "expanded": "Retail & Consumer" + }, + { + "value": "Semiconductors", + "expanded": "Semiconductors" + }, + { + "value": "Sovereign Investment Funds", + "expanded": "Sovereign Investment Funds" + }, + { + "value": "Transport & Logistics", + "expanded": "Transport & Logistics" + } + ] + }, + { + "predicate": "incident_type", + "entry": [ + { + "value": "ATM Attacks", + "expanded": "ATM Attacks" + }, + { + 
"value": "ATM Breach", + "expanded": "ATM Breach" + }, + { + "value": "Attempted Exploitation", + "expanded": "Attempted Exploitation" + }, + { + "value": "Botnet Activity", + "expanded": "Botnet Activity" + }, + { + "value": "Business Email Compromise", + "expanded": "Business Email Compromise" + }, + { + "value": "Crypto Mining", + "expanded": "Crypto Mining" + }, + { + "value": "Data Breach/Compromise", + "expanded": "Data Breach/Compromise" + }, + { + "value": "Data Dump", + "expanded": "Data Dump" + }, + { + "value": "Data Leakage", + "expanded": "Data Leakage" + }, + { + "value": "DDoS", + "expanded": "DDoS" + }, + { + "value": "Defacement Activity", + "expanded": "Defacement Activity" + }, + { + "value": "Denial of Service (DoS)", + "expanded": "Denial of Service (DoS)" + }, + { + "value": "Disruption Activity", + "expanded": "Disruption Activity" + }, + { + "value": "Espionage", + "expanded": "Espionage" + }, + { + "value": "Espionage Activity", + "expanded": "Espionage Activity" + }, + { + "value": "Exec Targeting ", + "expanded": "Exec Targeting " + }, + { + "value": "Exposure of Data", + "expanded": "Exposure of Data" + }, + { + "value": "Extortion Activity", + "expanded": "Extortion Activity" + }, + { + "value": "Fraud Activity", + "expanded": "Fraud Activity" + }, + { + "value": "General Notification", + "expanded": "General Notification" + }, + { + "value": "Hacktivism Activity", + "expanded": "Hacktivism Activity" + }, + { + "value": "Malicious Insider", + "expanded": "Malicious Insider" + }, + { + "value": "Malware Infection", + "expanded": "Malware Infection" + }, + { + "value": "Man in the Middle Attacks", + "expanded": "Man in the Middle Attacks" + }, + { + "value": "MFA Attack", + "expanded": "MFA Attack" + }, + { + "value": "Mobile Malware", + "expanded": "Mobile Malware" + }, + { + "value": "Phishing Activity", + "expanded": "Phishing Activity" + }, + { + "value": "Ransomware Activity", + "expanded": "Ransomware Activity" + }, + { + "value": 
"Social Engineering Activity", + "expanded": "Social Engineering Activity" + }, + { + "value": "Social Media Compromise", + "expanded": "Social Media Compromise" + }, + { + "value": "Spear-phishing Activity", + "expanded": "Spear-phishing Activity" + }, + { + "value": "Spyware", + "expanded": "Spyware" + }, + { + "value": "SQL Injection Activity", + "expanded": "SQL Injection Activity" + }, + { + "value": "Supply Chain Compromise", + "expanded": "Supply Chain Compromise" + }, + { + "value": "Trojanised Software", + "expanded": "Trojanised Software" + }, + { + "value": "Vishing", + "expanded": "Vishing" + }, + { + "value": "Website Attack (Other)", + "expanded": "Website Attack (Other)" + }, + { + "value": "Unknown", + "expanded": "Unknown" + } + ] + }, + { + "predicate": "malware_type", + "entry": [ + { + "value": "Adware", + "expanded": "Adware" + }, + { + "value": "Backdoor", + "expanded": "Backdoor" + }, + { + "value": "Banking Trojan", + "expanded": "Banking Trojan" + }, + { + "value": "Botnet", + "expanded": "Botnet" + }, + { + "value": "Destructive", + "expanded": "Destructive" + }, + { + "value": "Downloader", + "expanded": "Downloader" + }, + { + "value": "Exploit Kit", + "expanded": "Exploit Kit" + }, + { + "value": "Fileless Malware", + "expanded": "Fileless Malware" + }, + { + "value": "Keylogger", + "expanded": "Keylogger" + }, + { + "value": "Legitimate Tool", + "expanded": "Legitimate Tool" + }, + { + "value": "Mobile Application", + "expanded": "Mobile Application" + }, + { + "value": "Mobile Malware", + "expanded": "Mobile Malware" + }, + { + "value": "Point-of-Sale (PoS)", + "expanded": "Point-of-Sale (PoS)" + }, + { + "value": "Remote Access Trojan", + "expanded": "Remote Access Trojan" + }, + { + "value": "Rootkit", + "expanded": "Rootkit" + }, + { + "value": "Skimmer", + "expanded": "Skimmer" + }, + { + "value": "Spyware", + "expanded": "Spyware" + }, + { + "value": "Surveillance Tool", + "expanded": "Surveillance Tool" + }, + { + "value": 
"Trojan", + "expanded": "Trojan" + }, + { + "value": "Virus", + "expanded": "Virus " + }, + { + "value": "Worm", + "expanded": "Worm" + }, + { + "value": "Zero-day", + "expanded": "Zero-day" + }, + { + "value": "Unknown", + "expanded": "Unknown" + } + ] + }, + { + "predicate": "alert_type", + "entry": [ + { + "value": "Actor Campaigns", + "expanded": "Actor Campaigns" + }, + { + "value": "Credential Breaches", + "expanded": "Credential Breaches" + }, + { + "value": "DDoS", + "expanded": "DDoS" + }, + { + "value": "Exploit Alert", + "expanded": "Exploit Alert" + }, + { + "value": "General Notification", + "expanded": "General Notification" + }, + { + "value": "High Impact Vulnerabilities", + "expanded": "High Impact Vulnerabilities" + }, + { + "value": "Information Leakages", + "expanded": "Information Leakages" + }, + { + "value": "Malware Analysis", + "expanded": "Malware Analysis" + }, + { + "value": "Nefarious Domains", + "expanded": "Nefarious Domains" + }, + { + "value": "Nefarious Forum Mention", + "expanded": "Nefarious Forum Mention" + }, + { + "value": "Pastebin Dumps", + "expanded": "Pastebin Dumps" + }, + { + "value": "Phishing Attempts", + "expanded": "Phishing Attempts" + }, + { + "value": "PII Exposure", + "expanded": "PII Exposure" + }, + { + "value": "Sensitive Information Disclosures", + "expanded": "Sensitive Information Disclosures" + }, + { + "value": "Social Media Alerts", + "expanded": "Social Media Alerts" + }, + { + "value": "Supply Chain Event", + "expanded": "Supply Chain Event" + }, + { + "value": "Technical Exposure", + "expanded": "Technical Exposure" + }, + { + "value": "Threat Actor Updates", + "expanded": "Threat Actor Updates" + }, + { + "value": "Trigger Events", + "expanded": "Trigger Events" + } + ] + } + + ] +} From a9eb804553f8cb456c6c15b046ed1f0711f0ccb7 Mon Sep 17 00:00:00 2001 
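Review bot: Two strings in the new threatmatch/machinetag.json carry trailing whitespace: `"value": "Exec Targeting "` (and its `expanded`) under `incident_type`, and `"expanded": "Virus "` under `malware_type`. Tag values are compared as plain strings, so a rule or export filter written against `Exec Targeting` would likely miss the tag as shipped; use `"value": "Exec Targeting",` and `"expanded": "Virus"`. The `incident_type` list also contains both `Espionage` and `Espionage Activity`, which look like one category and will split reporting unless one is dropped or the difference is explained in `expanded`. These strings were carried over unchanged from the deleted per-type files, so the consolidation is the natural point to clean them up.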
From: paulingega-sa <56026340+paulingega-sa@users.noreply.github.com>
Date: Tue, 13 Apr 2021 09:24:12 +0100
Subject: [PATCH 2/3] Update machinetag.json
---
 threatmatch/machinetag.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/threatmatch/machinetag.json b/threatmatch/machinetag.json
index 761830c..71bd30c 100644
--- a/threatmatch/machinetag.json
+++ b/threatmatch/machinetag.json
@@ -13,15 +13,15 @@
 "expanded": "Extensive list of sector definition tags"
 },
 {
- "value": "incident_type",
+ "value": "incident-type",
 "expanded": "Incident tags are used by the ThreatMatch platform to categorise a relevant incident event."
 },
 {
- "value": "malware_type",
+ "value": "malware-type",
 "expanded": "Malware tags are used by the ThreatMatch platform to categorise malware types."
 },
 {
- "value": "alert_type",
+ "value": "alert-type",
 "expanded": "Alert tags are used by the ThreatMatch platform to categorise a relevant threat."
 }
 ],
From d4fddb65e519a3cdb6b91bacc90fbf51fcd1551d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 13 Apr 2021 11:04:37 +0200
Subject: [PATCH 3/3] fix: [threatmatch] various fixes
---
 MANIFEST.json | 4 +-
 README.md | 26 +-
 summary.md | 48 +--
 threatmatch/machinetag.json | 561 ++++++++++++++++++------------------
 4 files changed, 316 insertions(+), 323 deletions(-)
diff --git a/MANIFEST.json b/MANIFEST.json
index 7bcb0d1..9d06e2f 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -560,7 +560,7 @@
 },
 {
 "description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
- "name": "threatmatch",
+ "name": "ThreatMatch",
 "version": 1
 },
 {
@@ -615,5 +615,5 @@
 }
 ],
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
- "version": "20210325"
+ "version": "20210413"
 }
diff --git a/README.md b/README.md
index 76bb256..98b5438 100644
--- a/README.md
+++ b/README.md
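Review bot: Only the three entries in the `predicates` array are renamed in the patch 2/3 hunk; the diffstat shows 3 insertions and 3 deletions, so the `values` blocks added in patch 1 still read `"predicate": "incident_type"`, `"predicate": "malware_type"` and `"predicate": "alert_type"`. After this change those value lists no longer correspond to any declared predicate, and a loader that joins values to predicates by name would presumably expose the three predicates with no entries. Rename the `values` keys in the same commit, e.g. `"predicate": "incident-type",`, and bump the taxonomy `"version"` because the resulting tag strings change. Whether the threatmatch/machinetag.json hunk of patch 3/3 covers this cannot be confirmed from the lines shown.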
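Review bot: The manifest name becomes `ThreatMatch` in the first MANIFEST.json hunk of patch 3/3, but every diff header in this series still places the taxonomy in `threatmatch/` (lower case), and the README hunk links to `tree/main/ThreatMatch`. On a case-sensitive host that link will not resolve, and any consumer that builds the file path from the manifest `url` plus `name` would probably fail to fetch machinetag.json. Either rename the directory to match the new name, or keep `"name": "threatmatch",` and lower-case the `namespace` in machinetag.json. The taxonomy entry also stays at `"version": 1` although the predicate names were changed in patch 2/3.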
@@ -10,7 +10,6 @@ Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) (2.4) and ot The following taxonomies can be used in MISP (as local or distributed tags) or in other tools and software willing to share common taxonomies among security information sharing tools. - ### CERT-XLM [CERT-XLM](https://github.com/MISP/misp-taxonomies/tree/main/CERT-XLM) : @@ -31,6 +30,11 @@ The Detection Maturity Level (DML) model is a capability maturity model for refe [PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) : The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_PAP) +### ThreatMatch + +[ThreatMatch](https://github.com/MISP/misp-taxonomies/tree/main/ThreatMatch) : +The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_ThreatMatch) + ### access-method [access-method](https://github.com/MISP/misp-taxonomies/tree/main/access-method) : 
@@ -566,26 +570,6 @@ TTPs are representations of the behavior or modus operandi of cyber adversaries. [targeted-threat-index](https://github.com/MISP/misp-taxonomies/tree/main/targeted-threat-index) : The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman. [Overview](https://www.misp-project.org/taxonomies.html#_targeted_threat_index) -### threatmatch-alert-types - -[threatmatch-alert-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-alert-types) : -The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_alert_types) - -### threatmatch-incident-types - -[threatmatch-incident-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-incident-types) : -The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_incident_types) - -### threatmatch-malware-types - -[threatmatch-malware-types](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-malware-types) : -The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. [Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_malware_types) - -### threatmatch-sectors - -[threatmatch-sectors](https://github.com/MISP/misp-taxonomies/tree/main/threatmatch-sectors) : -The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. 
[Overview](https://www.misp-project.org/taxonomies.html#_threatmatch_sectors) - ### threats-to-dns [threats-to-dns](https://github.com/MISP/misp-taxonomies/tree/main/threats-to-dns) : diff --git a/summary.md b/summary.md index c16c1a1..2c7ce10 100644 --- a/summary.md +++ b/summary.md @@ -1,5 +1,5 @@ # Taxonomies -- Generation date: 2021-03-24 +- Generation date: 2021-04-13 - license: CC-0 - description: Manifest file of MISP taxonomies available. @@ -180,7 +180,7 @@ - threat-vector ### circl - description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection -- version: 4 +- version: 5 - Predicates - incident-classification - topic @@ -280,6 +280,16 @@ - report - origin - analyse +### cti +- description: Cyber Threat Intelligence cycle to control workflow state of your process. +- version: 1 +- Predicates + - planning + - collection + - processing-and-analysis + - dissemination-done + - feedback-received + - feedback-pending ### current-event - description: Current events - Schemes of Classification in Incident Response and Detection - version: 1 @@ -837,6 +847,11 @@ - dns - host-file - other +### ioc +- description: An IOC classification to facilitate automation of malicious and non malicious artifacts +- version: 2 +- Predicates + - artifact-state ### iot - description: Internet of Things taxonomy, based on IOT UK report https://iotuk.org.uk/wp-content/uploads/2017/01/IOT-Taxonomy-Report.pdf - version: 2 
@@ -1144,26 +1159,14 @@ - Predicates - targeting-sophistication-base-value - technical-sophistication-multiplier -### threatmatch-alert-types -- description: The ThreatMatch Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. -- version: 1 -- Predicates - - alert_type -### threatmatch-incident-types -- description: The ThreatMatch Incident types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. -- version: 1 -- Predicates - - incident_type -### threatmatch-malware-types -- description: The ThreatMatch Malware types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. -- version: 1 -- Predicates - - malware_type -### threatmatch-sectors -- description: The ThreatMatch Sector types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. +### ThreatMatch +- description: The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects. - version: 1 - Predicates - sector + - incident-type + - malware-type + - alert-type ### threats-to-dns - description: An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614 - version: 1 
@@ -1282,6 +1285,13 @@ - victim:revenue:iso_currency_code - attribute:availability:duration:unit - attribute:confidentiality:data:variety +### vmray +- description: VMRay taxonomies to map VMRay Thread Identifier scores and artifacts. +- version: 1 +- Predicates + - artifact + - verdict + - vti_analysis_score ### vocabulaire-des-probabilites-estimatives - description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité - version: 3 diff --git a/threatmatch/machinetag.json b/threatmatch/machinetag.json index 71bd30c..6f1c54d 100644 --- a/threatmatch/machinetag.json +++ b/threatmatch/machinetag.json @@ -7,7 +7,7 @@ "https://www.secalliance.com/platform/", "https://www.ecb.europa.eu/press/pr/date/2020/html/ecb.pr200227_1~062992656b.en.html" ], - "predicates":[ + "predicates": [ { "value": "sector", "expanded": "Extensive list of sector definition tags" 
@@ -29,150 +29,150 @@ { "predicate": "sector", "entry": [ - { - "value": "Banking & Capital Markets", - "expanded": "Banking & capital markets" - }, - { - "value": "Financial Services", - "expanded": "Financial Services" - }, - { - "value": "Insurance", - "expanded": "Insurance" - }, - { - "value": "Pension", - "expanded": "Pension" - }, - { - "value": "Government & Public Service", - "expanded": "Government & Public Service" - }, - { - "value": "Diplomatic Services", - "expanded": "Diplomatic Services" - }, - { - "value": "Energy, Utilities & Mining", - "expanded": "Energy, Utilities & Mining" - }, - { - "value": "Telecommunications", - "expanded": "Telecommunications" - }, - { - "value": "Technology", - "expanded": "Technology" - }, - { - "value": "Academic/Research Institutes", - "expanded": "Academic/Research Institutes" - }, - { - "value": "Aerospace, Defence & Security", - "expanded": "Aerospace, Defence & Security" - }, - { - "value": "Agriculture", - "expanded": "Agriculture" - }, - { - "value": "Asset & Wealth Management", - "expanded": "Asset & Wealth Management" - }, - { - "value": "Automotive", - "expanded": "Automotive" - }, - { - "value": "Business and Professional Services", - "expanded": "Business and Professional Services" - }, - { - "value": "Capital Projects & Infrastructure", - "expanded": "Capital Projects & Infrastructure" - }, - { - "value": "Charity/Not-for-Profit", - "expanded": "Charity/Not-for-Profit" - }, - { - "value": "Chemicals", - "expanded": "Chemicals" - }, - { - "value": "Commercial Aviation", - "expanded": "Commercial Aviation" - }, - { - "value": "Commodities", - "expanded": "Commodities" - }, - { - "value": "Education", - "expanded": "Education" - }, - { - "value": "Engineering & Construction", - "expanded": "Engineering & Construction" - }, - { - "value": "Entertainment & Media", - "expanded": "Entertainment & Media" - }, - { - "value": "Forest, Paper & Packaging", - "expanded": "Forest, Paper & Packaging" - }, - { - "value": 
"Healthcare", - "expanded": "Healthcare" - }, - { - "value": "Hospitality & Leisure", - "expanded": "Hospitality & Leisure" - }, - { - "value": "Industrial Manufacturing", - "expanded": "Industrial Manufacturing" - }, - { - "value": "IT Industry", - "expanded": "IT Industry" - }, - { - "value": "Legal", - "expanded": "Legal" - }, - { - "value": "Metals", - "expanded": "Metals" - }, - { - "value": "Pharmaceuticals & Life Sciences", - "expanded": "Pharmaceuticals & Life Sciences" - }, - { - "value": "Private Equity", - "expanded": "Private Equity" - }, - { - "value": "Retail & Consumer", - "expanded": "Retail & Consumer" - }, - { - "value": "Semiconductors", - "expanded": "Semiconductors" - }, - { - "value": "Sovereign Investment Funds", - "expanded": "Sovereign Investment Funds" - }, - { - "value": "Transport & Logistics", - "expanded": "Transport & Logistics" - } + { + "value": "Banking & Capital Markets", + "expanded": "Banking & capital markets" + }, + { + "value": "Financial Services", + "expanded": "Financial Services" + }, + { + "value": "Insurance", + "expanded": "Insurance" + }, + { + "value": "Pension", + "expanded": "Pension" + }, + { + "value": "Government & Public Service", + "expanded": "Government & Public Service" + }, + { + "value": "Diplomatic Services", + "expanded": "Diplomatic Services" + }, + { + "value": "Energy, Utilities & Mining", + "expanded": "Energy, Utilities & Mining" + }, + { + "value": "Telecommunications", + "expanded": "Telecommunications" + }, + { + "value": "Technology", + "expanded": "Technology" + }, + { + "value": "Academic/Research Institutes", + "expanded": "Academic/Research Institutes" + }, + { + "value": "Aerospace, Defence & Security", + "expanded": "Aerospace, Defence & Security" + }, + { + "value": "Agriculture", + "expanded": "Agriculture" + }, + { + "value": "Asset & Wealth Management", + "expanded": "Asset & Wealth Management" + }, + { + "value": "Automotive", + "expanded": "Automotive" + }, + { + "value": "Business 
and Professional Services", + "expanded": "Business and Professional Services" + }, + { + "value": "Capital Projects & Infrastructure", + "expanded": "Capital Projects & Infrastructure" + }, + { + "value": "Charity/Not-for-Profit", + "expanded": "Charity/Not-for-Profit" + }, + { + "value": "Chemicals", + "expanded": "Chemicals" + }, + { + "value": "Commercial Aviation", + "expanded": "Commercial Aviation" + }, + { + "value": "Commodities", + "expanded": "Commodities" + }, + { + "value": "Education", + "expanded": "Education" + }, + { + "value": "Engineering & Construction", + "expanded": "Engineering & Construction" + }, + { + "value": "Entertainment & Media", + "expanded": "Entertainment & Media" + }, + { + "value": "Forest, Paper & Packaging", + "expanded": "Forest, Paper & Packaging" + }, + { + "value": "Healthcare", + "expanded": "Healthcare" + }, + { + "value": "Hospitality & Leisure", + "expanded": "Hospitality & Leisure" + }, + { + "value": "Industrial Manufacturing", + "expanded": "Industrial Manufacturing" + }, + { + "value": "IT Industry", + "expanded": "IT Industry" + }, + { + "value": "Legal", + "expanded": "Legal" + }, + { + "value": "Metals", + "expanded": "Metals" + }, + { + "value": "Pharmaceuticals & Life Sciences", + "expanded": "Pharmaceuticals & Life Sciences" + }, + { + "value": "Private Equity", + "expanded": "Private Equity" + }, + { + "value": "Retail & Consumer", + "expanded": "Retail & Consumer" + }, + { + "value": "Semiconductors", + "expanded": "Semiconductors" + }, + { + "value": "Sovereign Investment Funds", + "expanded": "Sovereign Investment Funds" + }, + { + "value": "Transport & Logistics", + "expanded": "Transport & Logistics" + } ] }, { 
@@ -332,184 +332,183 @@ } ] }, - { - "predicate": "malware_type", - "entry": [ - { - "value": "Adware", - "expanded": "Adware" - }, - { - "value": "Backdoor", - "expanded": "Backdoor" - }, - { - "value": "Banking Trojan", - "expanded": "Banking Trojan" - }, - { - "value": "Botnet", - "expanded": "Botnet" - }, - { - "value": "Destructive", - "expanded": "Destructive" - }, - { - "value": "Downloader", - "expanded": "Downloader" - }, - { - "value": "Exploit Kit", - "expanded": "Exploit Kit" - }, - { - "value": "Fileless Malware", - "expanded": "Fileless Malware" - }, - { - "value": "Keylogger", - "expanded": "Keylogger" - }, - { - "value": "Legitimate Tool", - "expanded": "Legitimate Tool" - }, - { - "value": "Mobile Application", - "expanded": "Mobile Application" - }, - { - "value": "Mobile Malware", - "expanded": "Mobile Malware" - }, - { - "value": "Point-of-Sale (PoS)", - "expanded": "Point-of-Sale (PoS)" - }, - { - "value": "Remote Access Trojan", - "expanded": "Remote Access Trojan" - }, - { - "value": "Rootkit", - "expanded": "Rootkit" - }, - { - "value": "Skimmer", - "expanded": "Skimmer" - }, - { - "value": "Spyware", - "expanded": "Spyware" - }, - { - "value": "Surveillance Tool", - "expanded": "Surveillance Tool" - }, - { - "value": "Trojan", - "expanded": "Trojan" - }, - { - "value": "Virus", - "expanded": "Virus " - }, - { - "value": "Worm", - "expanded": "Worm" - }, - { - "value": "Zero-day", - "expanded": "Zero-day" - }, - { - "value": "Unknown", - "expanded": "Unknown" - } - ] - }, + { + "predicate": "malware_type", + "entry": [ + { + "value": "Adware", + "expanded": "Adware" + }, + { + "value": "Backdoor", + "expanded": "Backdoor" + }, + { + "value": "Banking Trojan", + "expanded": "Banking Trojan" + }, + { + "value": "Botnet", + "expanded": "Botnet" + }, + { + "value": "Destructive", + "expanded": "Destructive" + }, + { + "value": "Downloader", + "expanded": "Downloader" + }, + { + "value": "Exploit Kit", + "expanded": "Exploit Kit" + }, + { + 
"value": "Fileless Malware", + "expanded": "Fileless Malware" + }, + { + "value": "Keylogger", + "expanded": "Keylogger" + }, + { + "value": "Legitimate Tool", + "expanded": "Legitimate Tool" + }, + { + "value": "Mobile Application", + "expanded": "Mobile Application" + }, + { + "value": "Mobile Malware", + "expanded": "Mobile Malware" + }, + { + "value": "Point-of-Sale (PoS)", + "expanded": "Point-of-Sale (PoS)" + }, + { + "value": "Remote Access Trojan", + "expanded": "Remote Access Trojan" + }, + { + "value": "Rootkit", + "expanded": "Rootkit" + }, + { + "value": "Skimmer", + "expanded": "Skimmer" + }, + { + "value": "Spyware", + "expanded": "Spyware" + }, + { + "value": "Surveillance Tool", + "expanded": "Surveillance Tool" + }, + { + "value": "Trojan", + "expanded": "Trojan" + }, + { + "value": "Virus", + "expanded": "Virus " + }, + { + "value": "Worm", + "expanded": "Worm" + }, + { + "value": "Zero-day", + "expanded": "Zero-day" + }, + { + "value": "Unknown", + "expanded": "Unknown" + } + ] + }, { "predicate": "alert_type", "entry": [ { - "value": "Actor Campaigns", - "expanded": "Actor Campaigns" + "value": "Actor Campaigns", + "expanded": "Actor Campaigns" }, { - "value": "Credential Breaches", - "expanded": "Credential Breaches" + "value": "Credential Breaches", + "expanded": "Credential Breaches" }, { - "value": "DDoS", - "expanded": "DDoS" + "value": "DDoS", + "expanded": "DDoS" }, { - "value": "Exploit Alert", - "expanded": "Exploit Alert" + "value": "Exploit Alert", + "expanded": "Exploit Alert" }, { - "value": "General Notification", - "expanded": "General Notification" + "value": "General Notification", + "expanded": "General Notification" }, { - "value": "High Impact Vulnerabilities", - "expanded": "High Impact Vulnerabilities" + "value": "High Impact Vulnerabilities", + "expanded": "High Impact Vulnerabilities" }, { - "value": "Information Leakages", - "expanded": "Information Leakages" + "value": "Information Leakages", + "expanded": "Information 
Leakages" }, { - "value": "Malware Analysis", - "expanded": "Malware Analysis" + "value": "Malware Analysis", + "expanded": "Malware Analysis" }, { - "value": "Nefarious Domains", - "expanded": "Nefarious Domains" + "value": "Nefarious Domains", + "expanded": "Nefarious Domains" }, { - "value": "Nefarious Forum Mention", - "expanded": "Nefarious Forum Mention" + "value": "Nefarious Forum Mention", + "expanded": "Nefarious Forum Mention" }, { - "value": "Pastebin Dumps", - "expanded": "Pastebin Dumps" + "value": "Pastebin Dumps", + "expanded": "Pastebin Dumps" }, { - "value": "Phishing Attempts", - "expanded": "Phishing Attempts" + "value": "Phishing Attempts", + "expanded": "Phishing Attempts" }, { - "value": "PII Exposure", - "expanded": "PII Exposure" + "value": "PII Exposure", + "expanded": "PII Exposure" }, { - "value": "Sensitive Information Disclosures", - "expanded": "Sensitive Information Disclosures" + "value": "Sensitive Information Disclosures", + "expanded": "Sensitive Information Disclosures" }, { - "value": "Social Media Alerts", - "expanded": "Social Media Alerts" + "value": "Social Media Alerts", + "expanded": "Social Media Alerts" }, { - "value": "Supply Chain Event", - "expanded": "Supply Chain Event" + "value": "Supply Chain Event", + "expanded": "Supply Chain Event" }, { - "value": "Technical Exposure", - "expanded": "Technical Exposure" + "value": "Technical Exposure", + "expanded": "Technical Exposure" }, { - "value": "Threat Actor Updates", - "expanded": "Threat Actor Updates" + "value": "Threat Actor Updates", + "expanded": "Threat Actor Updates" }, { - "value": "Trigger Events", - "expanded": "Trigger Events" + "value": "Trigger Events", + "expanded": "Trigger Events" } ] } - ] }
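Review bot: The values block re-added in this hunk is still keyed `"predicate": "malware_type"`, and the unchanged block after it `"predicate": "alert_type"`, while the summary.md regenerated in this same patch lists the ThreatMatch predicates as `malware-type` and `alert-type`. The `predicates` array beyond `sector` lies outside the visible hunks, so this is inferred, but if it declares the hyphenated names then these entries hang off undeclared predicates. A consumer that validates tags against the taxonomy may then fail to offer or match the malware and alert classifications on shared events. Since the lines are being rewritten anyway, rename them here to `"predicate": "malware-type",` and `"predicate": "alert-type",`, and check the incident block between the hunks for the same mismatch. The re-indent also carries over `"expanded": "Virus "` with a trailing space; `"expanded": "Virus"` keeps the label safe for exact-match comparison.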