Merge branch 'master' of github.com:MISP/misp-taxonomies

pull/195/head
Raphaël Vinot 2020-06-03 12:00:59 +02:00
commit 6dfff0812f
7 changed files with 171 additions and 75 deletions


@ -246,7 +246,12 @@
{
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"name": "exercise",
"version": 7
"version": 8
},
{
"description": "Reasons why an event has been extended. ",
"name": "extended-event",
"version": 1
},
{
"description": "The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.",
@ -451,7 +456,7 @@
{
"description": "Pandemic",
"name": "pandemic",
"version": 2
"version": 4
},
{
"description": "Tags from RiskIQ's PassiveTotal service",
@ -548,6 +553,11 @@
"name": "tor",
"version": 1
},
{
"description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"name": "trust",
"version": 1
},
{
"description": "Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence.",
"name": "type",
@ -580,5 +590,5 @@
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
"version": "20200401"
"version": "20200526"
}
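Review bot: The new `extended-event` index entry carries a trailing space in its description string (`"Reasons why an event has been extended. "`), which will be rendered verbatim by any UI that shows the taxonomy list. Drop the space here, `"description": "Reasons why an event has been extended."`, and keep the same string in the taxonomy file that defines the namespace, since the index description is presumably copied from there and the two should stay identical. The other hunks in this section are version bumps that match the per-taxonomy files touched by this commit.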


@ -183,7 +183,7 @@ The Traffic Light Protocol - or short: TLP - was designed with the objective to
### [Trust - Indicators of Trust](./trust)
Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.
The Trust Taxonomy provides a way to use Indicators of Trust within MISP to get insight on data about what can be trusted. Similar to a whitelist but on steroids, leveraging MISP features one would use with Inidicators of Compromise, but to filter out what is known to be good.
### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)


@ -34,6 +34,11 @@
"description": "Cyber SOPEx (formerly known as EuroSOPEx) is the first step in a series of ENISA exercises focusing on training the participants on situational awareness, information sharing, understanding roles and responsibilities and utilising related tools, as agreed by the CSIRTs Network",
"expanded": "Cyber SOPEx",
"value": "cyber-sopex"
},
{
"value": "generic",
"expanded": "Generic",
"description": "Generic exercise which are not named."
}
],
"values": [
@ -166,9 +171,19 @@
"expanded": "2021"
}
]
},
{
"predicate": "generic",
"entry": [
{
"value": "comcheck",
"expanded": "Communication check",
"description": "A communication check exercise which can include digital or non-digital communication."
}
]
}
],
"version": 7,
"version": 8,
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"expanded": "Exercise",
"namespace": "exercise"
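Review bot: The new `generic` predicate writes its keys as value/expanded/description, while the neighbouring `cyber-sopex` predicate in the same hunk uses description/expanded/value; key order is meaningless to a parser, but the inconsistency makes future diffs of this file noisier, so reorder the three keys to match the existing entries. Its description also has a number-agreement slip — `"description": "Generic exercises which are not named."` reads correctly. The `comcheck` entry under the new `generic` value is fine as written. The enclosing `predicates` and `values` arrays begin outside the hunk.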


@ -0,0 +1,92 @@
{
"namespace": "extended-event",
"description": "Reasons why an event has been extended. ",
"version": 1,
"predicates": [
{
"value": "competitive-analysis",
"expanded": "Competitive analysis"
},
{
"value": "extended-analysis",
"expanded": "Extended analysis"
},
{
"value": "human-readable",
"expanded": "Human readable",
"description": "This extended event makes a human readable output of a machine or technical report."
},
{
"value": "chunked-event",
"expanded": "Chunked Event",
"description": "This extended event is a part of a large event."
},
{
"value": "update",
"expanded": "Update",
"description": "Original event is deprecated"
}
],
"values": [
{
"predicate": "competitive-analysis",
"entry": [
{
"value": "devil-advocate",
"expanded": "Devil's advocate",
"description": "Is a competitive analysis of devil's advocate type."
},
{
"value": "absurd-reasoning",
"expanded": "Absurd reasoning",
"description": "Is a competitive analysis of absurd reasoning type"
},
{
"value": "role-playing",
"expanded": "Role playing",
"description": "Is a competitive analysis of role playing type"
},
{
"value": "crystal-ball",
"expanded": "Crystal ball",
"description": "Is a competitive analysis of crystal ball type"
}
]
},
{
"predicate": "extended-analysis",
"entry": [
{
"value": "automatic-expansion",
"expanded": "Automatic expansion",
"description": "This extended event is composed of elements derived from automatic expanxions services"
},
{
"value": "aggressive-pivoting",
"expanded": "Aggressive pivoting",
"description": "This extended event is composed of elements resulting of a careless pivoting"
},
{
"value": "complementary-analysis",
"expanded": "Complementary analysis",
"description": "This extended event is composed of elements gathered by a different analyst than the original one"
}
]
},
{
"predicate": "chunked-event",
"entry": [
{
"value": "time-based",
"expanded": "Time based",
"description": "is an element of a serie of extended events, split by matter of time"
},
{
"value": "counter-based",
"expanded": "Counter based",
"description": "is an element of a serie of extended events, split by number of elements"
}
]
}
]
}
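Review bot: This new taxonomy file has no top-level `"expanded"` key, whereas the other taxonomies in this commit (exercise, trust) pair `namespace`/`description`/`version` with one, e.g. `"expanded": "Extended event"`; consumers that display the expanded label will fall back to the raw namespace here. Several strings also need a pass: the top-level description ends in a trailing space, `"automatic expanxions services"` should be `"automatic expansion services"`, both `chunked-event` entries say `"serie"` for `"series"`, and `"resulting of a careless pivoting"` should be `"resulting from"`. The entry descriptions mix sentence fragments beginning with "Is a ..." and full sentences, with and without a terminal period; pick one form for the whole file. Note that the `human-readable` and `update` predicates define no entries under `values`, which is legal but worth a one-line `"description"` on `update` stating that the original event should be considered superseded, since `"Original event is deprecated"` does not say what the extension carries.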


@ -1,7 +1,7 @@
{
"namespace": "pandemic",
"description": "Pandemic",
"version": 2,
"version": 4,
"predicates": [
{
"value": "covid-19",
@ -21,6 +21,16 @@
"value": "cyber",
"expanded": "Cyber",
"description": "Information tagged about COVID-19 and related to cybersecurity"
},
{
"value": "disinformation",
"expanded": "Disinformation",
"description": "Information tagged about COVID-19 and related to disinformation"
},
{
"value": "geostrategy",
"expanded": "Geostrategy",
"description": "Information tagged about COVID-19 and related to geostrategy or geopolitics"
}
]
}
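Review bot: The top-level `version` jumps from 2 to 4 while only one set of additions (the `disinformation` and `geostrategy` predicates) is visible in this section; if no version 3 of this file was ever published, `"version": 3` is the expected bump, and if it was (this is a merge commit, so an intermediate bump may sit on the other branch), the index entry changed in this same commit already says 4, so the two are at least consistent. Worth confirming which case applies, since consumers that track taxonomy versions will otherwise show a gap. The two new predicates follow the existing key order and wording, so nothing else to change in this hunk.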


@ -94,6 +94,11 @@
"value": "bulk-phishing",
"expanded": "Bulk phishing",
"description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims."
},
{
"value": "whaling",
"expanded": "Whaling phishing",
"description": "Adversary attempts to target executives and high-level employees (like public spokespersons)."
}
]
},
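Review bot: The new `whaling` entry is the only change visible for this file, and no `version` bump for it appears in this hunk or in the index file updated by the same commit; as far as I recall MISP only reloads a taxonomy whose `version` exceeds the one it already imported, so unless the bump sits outside the hunk the new tag will not be offered on instances that already loaded this file. The value is `whaling` but its expanded label is `Whaling phishing`, while the sibling entry in the hunk pairs `bulk-phishing` with `Bulk phishing`; either `"value": "whaling-phishing"` or `"expanded": "Whaling"` keeps value and label aligned, though the rest of the entry list is outside the hunk so the prevailing convention is inferred. The description itself is clear and matches the style of the neighbouring entry.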


@ -1,74 +1,51 @@
{
"version": 1,
"description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"expanded": "Indicators of Trust",
"namespace": "trust",
"exclusive": true,
"predicates": [
{
"colour": "#2657ff",
"description": "This domain is known to be good",
"expanded": "A domain, the human name given to a host can be trusted",
"value": "domain"
"value": "trust",
"expanded": "How much trust the analyst has with this indicator."
},
{
"colour": "#e8c90e",
"description": "This IP is known to be good",
"expanded": "This IP address can be trusted",
"value": "ip"
"value": "frequency",
"expanded": "Recency/count of occurence at which the indicator occurs in data."
},
{
"colour": "#0E40E8",
"description": "This SHA256 Hash can be trusted",
"expanded": "This SHA256 Hash can be trusted",
"value": "sha256"
},
{
"colour": "#0E40E8",
"description": "This SHA384 Hash can be trusted",
"expanded": "This SHA384 Hash can be trusted",
"value": "sha384"
},
{
"colour": "#0E40E8",
"description": "This SHA512 Hash can be trusted",
"expanded": "This SHA512 Hash can be trusted",
"value": "sha512"
},
{
"colour": "#00BD25",
"description": "This URI can be trusted",
"expanded": "This URI can be trusted",
"value": "uri"
},
{
"colour": "#00BD25",
"description": "This URL can be trusted",
"expanded": "This URL can be trusted",
"value": "url"
},
{
"colour": "#9D9D9D",
"description": "This email is trusted",
"expanded": "This email can be trusted",
"value": "email"
"value": "valid",
"expanded": "Whether this indicator was pushed as trusted but cannot be trusted (ie. MD5 cannot be valid because it is cryptographically broken)."
}
],
"values": [
{
"predicate": "confidence",
"predicate": "trust",
"entry": [
{
"value": "High",
"expanded": "High confidence"
"value": "unknown",
"expanded": "Unknown Confidence State"
},
{
"value": "Low",
"value": "none",
"expanded": "Cannot Trust, no confidence"
},
{
"value": "partial",
"expanded": "Low confidence"
},
{
"value": "Medium",
"expanded": "Medium confidence"
"value": "relationship",
"expanded": "Inherited Full Trust by a third party that we trust"
},
{
"value": "full",
"expanded": "We fully trust it"
}
]
},
{
"predicate": "periodicity",
"predicate": "frequency",
"entry": [
{
"value": "hourly",
@ -88,38 +65,25 @@
},
{
"value": "yearly",
"expanded": "This attribute is likely to happen at a yearly interval"
"expanded": "Thie attribute is likely to happen at a yearly interval"
}
]
},
{
"predicate": "change-likelihood",
"predicate": "valid",
"entry": [
{
"value": "low",
"expanded": "Low change probability"
"value": "true",
"expanded": "This Trust is valid"
},
{
"value": "medium",
"expanded": "Medium change probability"
},
{
"value": "high",
"expanded": "High change probability"
},
{
"value": "unknown",
"expanded": "Unknown change probability"
"value": "false",
"expanded": "This trust is invalid. Such as a MD5 Hash etc."
}
]
}
],
"refs": [
"https://trust.fyi/"
],
"version": 1,
"description": "The Indicator of Trust provides insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"expanded": "Indicators of Trust",
"namespace": "trust",
"exclusive": true
]
}
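Review bot: The `yearly` entry in the second hunk appears to replace a correct label with a misspelt one — `"This attribute is likely to happen at a yearly interval"` becomes `"Thie attribute is likely to happen at a yearly interval"` (sides are inferred from print order, since the markers are lost); keep the original wording. In the first hunk, `"occurence"` in the `frequency` predicate should be `"occurrence"` and `"ie."` in the `valid` predicate should be `"i.e."`. The renamed `partial` value still carries the old `Low` entry's label `"Low confidence"`, and the `valid` predicate's expanded text only describes the negative case although its entries are `true`/`false`; suggested: `"expanded": "Partial trust, low confidence"` and `"expanded": "Whether this indicator can actually be trusted (e.g. an MD5 hash cannot, because the algorithm is cryptographically broken)."`. The `refs`, `version` and `namespace` block at the end of the first hunk reads as the old trailing fields moved to the top of the file, but with markers lost that cannot be confirmed here; the `values` array and the `frequency` entries continue across the hunk boundary.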