From 614853569825cc23e38f49b04fd10262a7869b9e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 7 Aug 2016 06:23:49 +0200 Subject: [PATCH 01/21] IEP added --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 21ed189..44efca6 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ The following taxonomies are described: - [Europol Incident](./europol-incident) - Europol class of incident taxonomy - [Europol Events](./europol-events) - Europol type of events taxonomy - [FIRST CSIRT Case](./csirt_case_classification) classification +- [FIRST Information Exchange Policy (IEP)](./iep) framework - [Information Security Indicators](./information-security-indicators) - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators - [Information Security Marking Metadata](./dni-ism) from DNI (Director of National Intelligence - US) - [Malware](./malware) classification based on a SANS document @@ -91,6 +92,8 @@ EUROPOL type of events taxonomy FIRST CSIRT Case Classification. +### [FIRST Information Exchange Policy (IEP)](./iep) framework + ### [Information Security Indicators](./information-security-indicators) - ETSI GS ISI 001-1 (V1.1.2): ISI Indicators Information security indicators have been standardized by the [ETSI Industrial Specification Group (ISG) ISI](http://www.etsi.org/technologies-clusters/technologies/information-security-indicators). These indicators provide the basis to switch from a qualitative to a quantitative culture in IT Security Scope of measurements: External and internal threats (attempt and success), user's deviant behaviours, nonconformities and/or vulnerabilities (software, configuration, behavioural, general security framework). From b41b4d27cb11cb7d02045279be2a6c7a3f22b90b Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 07:42:49 +0200 Subject: [PATCH 02/21] First idea of mapping the MISP galaxy with taxonomies --- galaxy/threat-actor.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 galaxy/threat-actor.json diff --git a/galaxy/threat-actor.json b/galaxy/threat-actor.json new file mode 100644 index 0000000..9b4fadf --- /dev/null +++ b/galaxy/threat-actor.json @@ -0,0 +1,15 @@ +{ +"predicate_in": "elementOneOf", +"cluster_url": "https://www.github.com/MISP/misp-galaxy/cluster/threat-actor.json", +"default_predicate_value": "value", +"default_predicate_value_in": "values", +"elements_url" : "https://www.github.com/MISP/misp-galaxy/elements/", +"exceptions": [ +{ + "predicate": "adversary-groups", + "value": "group", + "value_in": "details" + +} +] +} From 4f1b78cd8b0cc490433a880c9fcaa7ecbb896d50 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 07:47:40 +0200 Subject: [PATCH 03/21] Reserved taxonomy added --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 44efca6..07ddd0c 100644 --- a/README.md +++ b/README.md 
@@ -128,6 +128,13 @@ The Traffic Light Protocol - or short: TLP - was designed with the objective to Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/). +# Reserved Taxonomy + +The following taxonomy namespaces are reserved and used internally to MISP. + +- [galaxy](./galaxy/) mapping taxonomy with cluster:element:"value". +- [misp](./misp/) internal misp namespace to influence tagged event or attribute from a MISP perspective. + # How to contribute your taxonomy? It is quite easy. Create a JSON file describing your taxonomy as triple tags (e.g. check an existing one like [Admiralty Scale](./admiralty-scale)), create a directory matching your name space, put your machinetag file in the directory and pull your request. That's it. Everyone can benefit from your taxonomy and can be automatically enabled in information sharing tools like [MISP](https://www.github.com/MISP/MISP). From 5e6e04927516ba50a26c9ecfd213f324ed3f1262 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 08:46:40 +0200 Subject: [PATCH 04/21] Simplify the mapping KISS KISS KISS principle --- galaxy/threat-actor.json | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) diff --git a/galaxy/threat-actor.json b/galaxy/threat-actor.json index 9b4fadf..17510f8 100644 --- a/galaxy/threat-actor.json +++ b/galaxy/threat-actor.json 
@@ -1,15 +1,7 @@ { -"predicate_in": "elementOneOf", -"cluster_url": "https://www.github.com/MISP/misp-galaxy/cluster/threat-actor.json", -"default_predicate_value": "value", -"default_predicate_value_in": "values", -"elements_url" : "https://www.github.com/MISP/misp-galaxy/elements/", -"exceptions": [ -{ - "predicate": "adversary-groups", - "value": "group", - "value_in": "details" - -} -] + "elements_url": "https://www.github.com/MISP/misp-galaxy/elements/", + "default_predicate_value_in": "values", + "default_predicate_value": "value", + "cluster_url": "https://www.github.com/MISP/misp-galaxy/cluster/threat-actor.json", + "predicate_in": "elementOneOf" } From fee61b2f6001cdd1e3b9a2653fbb7f6cab4749db Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 09:03:20 +0200 Subject: [PATCH 05/21] URLs to galaxy, clusters and elements fixed --- galaxy/threat-actor.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/galaxy/threat-actor.json b/galaxy/threat-actor.json index 17510f8..568eaa2 100644 --- a/galaxy/threat-actor.json +++ b/galaxy/threat-actor.json @@ -1,7 +1,7 @@ { - "elements_url": "https://www.github.com/MISP/misp-galaxy/elements/", + "elements_url": "https://raw.githubusercontent.com/MISP/misp-galaxy/master/elements/", "default_predicate_value_in": "values", "default_predicate_value": "value", - "cluster_url": "https://www.github.com/MISP/misp-galaxy/cluster/threat-actor.json", + "cluster_url": "https://raw.githubusercontent.com/MISP/misp-galaxy/master/cluster/threat-actor.json", "predicate_in": "elementOneOf" } From 91ff875dc9d3e62f47864bbcee93d35814098e52 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 09:44:20 +0200 Subject: [PATCH 06/21] Galaxy moved to galaxy repo --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 07ddd0c..3e78cd6 100644 --- a/README.md +++ b/README.md 
@@ -133,7 +133,6 @@ Vocabulary for Event Recording and Incident Sharing is a format created by the [ The following taxonomy namespaces are reserved and used internally to MISP. - [galaxy](./galaxy/) mapping taxonomy with cluster:element:"value". -- [misp](./misp/) internal misp namespace to influence tagged event or attribute from a MISP perspective. # How to contribute your taxonomy? From fcd3160d618b2400f4a39d995368850c36547c3f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Aug 2016 09:45:22 +0200 Subject: [PATCH 07/21] Galaxy mapping removed - moved to the galaxy repo --- galaxy/threat-actor.json | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 galaxy/threat-actor.json diff --git a/galaxy/threat-actor.json b/galaxy/threat-actor.json deleted file mode 100644 index 568eaa2..0000000 --- a/galaxy/threat-actor.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "elements_url": "https://raw.githubusercontent.com/MISP/misp-galaxy/master/elements/", - "default_predicate_value_in": "values", - "default_predicate_value": "value", - "cluster_url": "https://raw.githubusercontent.com/MISP/misp-galaxy/master/cluster/threat-actor.json", - "predicate_in": "elementOneOf" -} From 8d95adf35353b479668ac8265388174c55e21ee9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Fri, 12 Aug 2016 10:29:28 +0200 Subject: [PATCH 08/21] add Botnet to malware_classification:malware-category --- malware_classification/README.md | 7 +++++-- malware_classification/machinetag.json | 4 ++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/malware_classification/README.md b/malware_classification/README.md index 2beea3e..6218d62 100644 --- a/malware_classification/README.md +++ b/malware_classification/README.md @@ -2,7 +2,7 @@ ## Malware Categories -All malware samples should be classified into one of the categories listed in the table below. +All malware samples should be classified into one of the categories listed in the table below.
Virus
@@ -29,11 +29,14 @@ All malware samples should be classified into one of the categories listed in th
Spyware
+
Botnet
+
+
## Obfuscation Classification -All malware samples should be classified into one of the categories listed in the table below. +All malware samples should be classified into one of the categories listed in the table below.
no-obfuscation
diff --git a/malware_classification/machinetag.json b/malware_classification/machinetag.json index e4bf3a6..e7b5151 100644 --- a/malware_classification/machinetag.json +++ b/malware_classification/machinetag.json @@ -55,6 +55,10 @@ { "value": "Spyware", "expanded": "Spyware" + }, + { + "value": "Botnet", + "expanded": "Botnet" } ] }, From 9a88d14b23cd32d7c805c137853ff49a93917ba3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 29 Aug 2016 11:34:21 +0200 Subject: [PATCH 09/21] TLP updated according to FIRST SIG about TLP. For more info: https://www.first.org/tlp --- tlp/machinetag.json | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/tlp/machinetag.json b/tlp/machinetag.json index 9430582..6a7b898 100644 --- a/tlp/machinetag.json +++ b/tlp/machinetag.json 
@@ -1,34 +1,41 @@ { - "namespace": "tlp", - "expanded": "Traffic Light Protocol", - "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.", - "version": 3, + "values": null, "predicates": [ { - "value": "red", + "colour": "#CC0033", + "description": "Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.", "expanded": "(TLP:RED) Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate.", - "colour": "#ff0000" + "value": "red" }, { - "value": "amber", + "colour:": "#FFC000", + "description": "Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. 
Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.", "expanded": "(TLP:AMBER) Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon.", - "colour:": "#ffa800" + "value": "amber" }, { - "value": "green", + "colour": "#339900", + "description": "Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.", "expanded": "(TLP:GREEN) Information given to a community or a group of organizations at large. The information cannot be publicly released.", - "colour": "#00ad1c" + "value": "green" }, { - "value": "white", + "colour": "#ffffff", + "description": "Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.", "expanded": "(TLP:WHITE) Information can be shared publicly in accordance with the law.", - "colour": "#ffffff" + "value": "white" }, { - "value": "ex:chr", + "colour": "#d208f4", "expanded": "(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. 
This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.", - "colour": "#d208f4" + "value": "ex:chr" } ], - "values": null + "refs": [ + "https://www.first.org/tlp" + ], + "version": 4, + "description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.", + "expanded": "Traffic Light Protocol", + "namespace": "tlp" } From 5429632d880b4f165af7756eaaa57f6d610eff5c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 2 Sep 2016 17:20:23 +0200 Subject: [PATCH 10/21] License clarification - CC0 --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 3e78cd6..840fc07 100644 --- a/README.md +++ b/README.md @@ -175,3 +175,7 @@ Once you are happy with your file go to MISP Web GUI taxonomies/index and update ... ~~~~ +# License + +The MISP taxonomies are licensed under [CC0 1.0 Universal (CC0 1.0)](https://creativecommons.org/publicdomain/zero/1.0/) - Public Domain Dedication. If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested. + From e5e553a7bad394a36b6fc7e5c710ff28f63fe993 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Thu, 8 Sep 2016 14:15:52 +0200 Subject: [PATCH 11/21] Fixed a typo in the MUST NOT tag As discovered by @packet-rat in https://github.com/MISP/misp-taxonomies/issues/33 --- iep/machinetag.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/iep/machinetag.json b/iep/machinetag.json index 15b2c57..8e90dac 100644 --- a/iep/machinetag.json +++ b/iep/machinetag.json @@ -1,7 +1,7 @@ { "namespace": "iep", "description": "Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework", - "version": 1, + "version": 2, "predicates": [ { "value": "id", 
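Review bot: The amber predicate is written with the key `"colour:"` (a colon inside the key name), carried over from the old line, so a reader looking up `colour` finds nothing for TLP:AMBER while the other four predicates resolve. The line should read `"colour": "#FFC000",`. Since the colour is presumably what a UI uses to render the marking, an AMBER tag could end up shown with a default or missing colour; the consumer is not on the page, so that part is an inference. The `ex:chr` predicate is also the only one left without a `description`.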
@@ -234,7 +234,7 @@ "expanded": "Recipients MAY resell the information received." }, { - "value": "MUST NO", + "value": "MUST NOT", "expanded": "Recipients MUST NOT resell the information received unmodified or in a semantically equivalent format." } ] From 6c0b71a7607e26ef5b2d0201aa875dc03c8a0a06 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 9 Sep 2016 22:21:12 +0200 Subject: [PATCH 12/21] First experimental confidence level for MISP taxonomy. --- misp/machinetag.json | 43 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 41 insertions(+), 2 deletions(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index d7d87b3..b6e1701 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -26,6 +26,41 @@ "value": "pgpfingerprint" } ] + }, + { + "predicate": "confidence-level", + "entry": [ + { + "expanded": "Completely confident", + "value": "completely-confident", + "numerical_value": 100 + }, + { + "expanded": "Usually confident", + "value": "usually-confident", + "numerical_value": 80 + }, + { + "expanded": "Fairly confident", + "value": "fairly-confident", + "numerical_value": 60 + }, + { + "expanded": "Not usually confident", + "value": "not-usually-confident", + "numerical_value": 40 + }, + { + "expanded": "Unconfident", + "value": "unconfident", + "numerical_value": 20 + }, + { + "expanded": "Confidence cannot be evaluated", + "value": "confident-cannot-be-evalued", + "numerical_value": 0 + } + ] } ], "predicates": [ @@ -40,10 +75,14 @@ { "expanded": "Information related to the contributor.", "value": "contributor" + }, + { + "expanded": "Confidence level", + "value": "confidence-level" } ], - "version": 1, - "description": "MISP internal taxonomy to infer with MISP behavior or operation.", + "version": 2, + "description": "MISP taxonomy to infer with MISP behavior or operation.", "expanded": "MISP", "namespace": "misp" } From ec10ec4594005e3e2c2a6d10547361af88773177 Mon Sep 17 00:00:00 2001 
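Review bot: The tag value `confident-cannot-be-evalued` in the new `confidence-level` entries is misspelled, and because `value` is the string that ends up in the machine tag, correcting it later renames a tag that may already be applied to events. PATCH 14/21 keeps the same spelling and PATCH 15/21 changes only the first word, to `confidence-cannot-be-evalued`. Suggest `"value": "confidence-cannot-be-evaluated"` before the predicate is released. The reworded description, `MISP taxonomy to infer with MISP behavior or operation.`, probably means "influence", going by the README wording in PATCH 03/21.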
From: Alexandre Dulaunoy Date: Sat, 10 Sep 2016 12:13:41 +0200 Subject: [PATCH 13/21] MISP confidence level updated The confidence levels have been changed to 100, 75, 50, 25 and 0. Undefined confidences are not set to avoid ambiguities. --- misp/machinetag.json | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index b6e1701..e5c0d2e 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -38,27 +38,26 @@ { "expanded": "Usually confident", "value": "usually-confident", - "numerical_value": 80 + "numerical_value": 75 }, { "expanded": "Fairly confident", "value": "fairly-confident", - "numerical_value": 60 + "numerical_value": 50 }, { "expanded": "Not usually confident", "value": "not-usually-confident", - "numerical_value": 40 + "numerical_value": 25 }, { "expanded": "Unconfident", "value": "unconfident", - "numerical_value": 20 + "numerical_value": 0 }, { "expanded": "Confidence cannot be evaluated", "value": "confident-cannot-be-evalued", - "numerical_value": 0 } ] } From 6d2e4de0b0b12fa517de486a723e003fbeabbca5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 10 Sep 2016 12:22:01 +0200 Subject: [PATCH 14/21] Typo fixed --- misp/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index e5c0d2e..4f59f71 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -57,7 +57,7 @@ }, { "expanded": "Confidence cannot be evaluated", - "value": "confident-cannot-be-evalued", + "value": "confident-cannot-be-evalued" } ] } From df876d75ba102d0266bf9382f5680f87746a68f9 Mon Sep 17 00:00:00 2001 From: Sascha Rommelfangen Date: Mon, 12 Sep 2016 10:57:12 +0200 Subject: [PATCH 15/21] Update, language related --- misp/machinetag.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index 4f59f71..5e50214 100644 --- a/misp/machinetag.json 
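Review bot: The last `confidence-level` entry is left with a trailing comma after `"value": "confident-cannot-be-evalued",` once its `numerical_value` line is removed, so misp/machinetag.json does not parse as strict JSON at this commit. PATCH 14/21 removes the comma, but anyone checking out or bisecting to this revision gets a file that a strict parser rejects; folding that fix into this commit avoids it. Running the file through a JSON parser before committing would catch this class of error.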
+++ b/misp/machinetag.json @@ -46,8 +46,8 @@ "numerical_value": 50 }, { - "expanded": "Not usually confident", - "value": "not-usually-confident", + "expanded": "Rarely confident", + "value": "rarely-confident", "numerical_value": 25 }, { @@ -57,7 +57,7 @@ }, { "expanded": "Confidence cannot be evaluated", - "value": "confident-cannot-be-evalued" + "value": "confidence-cannot-be-evalued" } ] } From b3bb4cfb4ceabe318d5d997148ce0e10b980b849 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Sep 2016 21:57:51 +0200 Subject: [PATCH 16/21] New threat level created (including CEUS mapping) --- misp/machinetag.json | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/misp/machinetag.json b/misp/machinetag.json index 5e50214..2237a3d 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -60,6 +60,29 @@ "value": "confidence-cannot-be-evalued" } ] + }, + { + "predicate": "threat-level", + "entry": [ + { + "expanded": "No risk", + "value": "no-risk", + "numerical_value": 0, + "description": "Harmless information. (CEUS threat level)" + }, + { + "expanded": "Medium risk", + "value": "medium-risk", + "numerical_value": 50, + "description": "Medium risk which can include targeted attacks (e.g. APT). (CEUS threat level)" + }, + { + "expanded": "High risk", + "value": "high-risk", + "numerical_value": 100, + "description": "High risk which can include highly sophisticated attacks or 0-day attack. (CEUS threat level)" + } + ] } ], "predicates": [ From 859b2e1648aa039a9305c2893620adec70ef684d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Sep 2016 22:03:18 +0200 Subject: [PATCH 17/21] low risk added --- misp/machinetag.json | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/misp/machinetag.json b/misp/machinetag.json index 2237a3d..5092013 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json 
@@ -70,6 +70,12 @@ "numerical_value": 0, "description": "Harmless information. (CEUS threat level)" }, + { + "expanded": "Low risk", + "value": "low-risk", + "numerical_value": 25, + "description": "Low risk which can include mass-malware. (CEUS threat level)" + }, { "expanded": "Medium risk", "value": "medium-risk", From d7cec103952847d68cbdda419061c519303da124 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Thu, 15 Sep 2016 22:05:43 +0200 Subject: [PATCH 18/21] Added predicate description --- misp/machinetag.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/misp/machinetag.json b/misp/machinetag.json index 5092013..a0e4dd4 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -107,6 +107,10 @@ { "expanded": "Confidence level", "value": "confidence-level" + }, + { + "expanded": "Cyberthreat Effect Universal Scale - MISP's internal threat level taxonomy", + "value": "threat-level-ceus" } ], "version": 2, From 180b8e56428c62fedeb83c4e6a00155d191a3806 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Sep 2016 22:54:28 +0200 Subject: [PATCH 19/21] threat-level predicate fixed --- misp/machinetag.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/misp/machinetag.json b/misp/machinetag.json index a0e4dd4..d407035 100644 --- a/misp/machinetag.json +++ b/misp/machinetag.json @@ -110,7 +110,7 @@ }, { "expanded": "Cyberthreat Effect Universal Scale - MISP's internal threat level taxonomy", - "value": "threat-level-ceus" + "value": "threat-level" } ], "version": 2, From 48976bf65654506f0ae0faf2b4f7326e11ea6510 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 16 Sep 2016 07:29:43 +0200 Subject: [PATCH 20/21] OSINT: numerical value added to confidence level --- osint/machinetag.json | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/osint/machinetag.json b/osint/machinetag.json index 907ea48..ee2f869 100644 --- a/osint/machinetag.json +++ b/osint/machinetag.json 
@@ -48,36 +48,43 @@ "predicate": "certainty", "entry": [ { - "value": "1", + "numerical_value": 100, + "value": "100", "expanded": "100% Certainty", "description": "100% Certainty" }, { - "value": "0.93", + "numerical_value": 93, + "value": "93", "expanded": "93% Almost certain", "description": "93% Almost certain" }, { - "value": "0.75", + "numerical_value": 75, + "value": "75", "expanded": "75% Probable", "description": "75% Probable" }, { - "value": "0.5", + "numerical_value": 50, + "value": "50", "expanded": "50% Chances about even", "description": "50% Chances about even" }, { - "value": "0.3", + "numerical_value": 30, + "value": "30", "expanded": "30% Probably not", "description": "30% Probably not" }, { - "value": "0.07", + "numerical_value": 7, + "value": "7", "expanded": "7% Almost certainly not", "description": "7% Almost certainly not" }, { + "numerical_value": 0, "value": "0", "expanded": "0% Impossibility", "description": "0% Impossibility" @@ -99,7 +106,7 @@ }, { "value": "certainty", - "expanded": "Certainty of the elements mentioned in this Open Source Intelligence - ref https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/sherman-kent-and-the-board-of-national-estimates-collected-essays/6words.html" + "expanded": "Certainty of the elements mentioned in this Open Source Intelligence" } ] } From ab94a8fb42cdb46d95fca7e0993e3c876fa6d559 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 21 Sep 2016 10:37:13 +0200 Subject: [PATCH 21/21] name of taxonomies updated --- tools/machinetag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/machinetag.py b/tools/machinetag.py index 4bec940..4101471 100755 --- a/tools/machinetag.py +++ b/tools/machinetag.py 
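Review bot: Changing the `certainty` values from `0.93` to `93` (and likewise for the other five) changes the machine tag itself, so tags already written as `osint:certainty="0.93"` would no longer match any entry in the taxonomy. If the goal is only to add `numerical_value`, the existing `value` strings could stay as they are. The second hunk also drops the source URL from the `certainty` predicate's `expanded` text without moving it anywhere; tlp/machinetag.json in PATCH 09/21 uses a top-level `refs` array for this. Both objects continue outside the hunks.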
@@ -30,7 +30,7 @@ import json import os.path import argparse -taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'iep', 'kill-chain', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'first_csirt_case_classification', 'malware', 'de-vs', 'fr-classification','eu-critical-sectors','dhs-ciip-sectors','estimative-language', 'ms-caro-malware', 'information-security-indicators', 'open-threat'] +taxonomies = ['admiralty-scale', 'adversary', 'tlp', 'circl', 'iep', 'kill-chain', 'veris', 'ecsirt', 'enisa', 'dni-ism', 'europol-events', 'europol-incident', 'nato', 'euci', 'osint', 'csirt_case_classification', 'malware_classification', 'de-vs', 'fr-classif','eu-critical-sectors','dhs-ciip-sectors','estimative-language', 'ms-caro-malware', 'information-security-indicators', 'open-threat', 'misp'] argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies)) argParser.add_argument('-e', action='store_true', help='Include expanded tags') argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
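Review bot: The `taxonomies` list is a hand-maintained copy of the repository's directory names, and this change exists because three entries had drifted (`first_csirt_case_classification`, `malware`, `fr-classification`). A comment above it such as `# Each name must match a taxonomy directory in the repository root.` would document the coupling; building the list from the directories that contain a `machinetag.json` would remove it. The new entries also mix `', '` and `','` separators, and one spacing throughout reads better. How the names are turned into paths is outside the hunk.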