MISP
/
misp-taxonomies
mirror of https://github.com/MISP/misp-taxonomies
2
0
Fork 0
Code Issues Releases Wiki Activity

Adding the Trust Taxonomy. It is using the reverse approach in order to describe what is known to be good, instead of the bad stuff.

pull/184/head
Sebastien Tricaud 2020-04-01 23:12:32 -07:00
parent d577ad8758
commit 75ccdaebf4
2 changed files with 134 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@ -58,6 +58,7 @@ bfuscation techniques. This taxonomy lists all the known or official packer used
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP) - [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
- [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index) - [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index)
- [TLP - Traffic Light Protocol](./tlp) - [TLP - Traffic Light Protocol](./tlp)
- [Trust - Indicators of Trust](./trust)
- [Type](./type) - [Type](./type)
- [Vocabulaire des probabilités estimatives](./vocabulaire-des-probabilites-estimatives) - [Vocabulaire des probabilités estimatives](./vocabulaire-des-probabilites-estimatives)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris) - Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
@ -180,6 +181,10 @@ The Permissible Actions Protocol - or short: PAP - was designed to indicate how
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
### [Trust - Indicators of Trust](./trust)
Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.
### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris) ### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/). Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).

129
trust/machinetag.json Normal file
View File

@ -0,0 +1,129 @@
{
"predicates": [
{
"colour": "#2657ff",
"description": "This domain is known to be good",
"expanded": "A domain, the human name given to a host can be trusted",
"value": "domain"
},
{
"colour": "#e8c90e",
"description": "This IP is known to be good",
"expanded": "This IP address can be trusted",
"value": "ip"
},
{
"colour": "#0E40E8",
"description": "This SHA256 Hash is trust worthy",
"expanded": "This SHA256 Hash can be trusted",
"value": "sha256"
},
{
"colour": "#0E40E8",
"description": "This SHA384 Hash is trust worthy",
"expanded": "This SHA384 Hash can be trusted",
"value": "sha384"
},
{
"colour": "#0E40E8",
"description": "This SHA512 Hash is trust worthy",
"expanded": "This SHA512 Hash can be trusted",
"value": "sha512"
},
{
"colour": "#00BD25",
"description": "This URI is trust worthy",
"expanded": "This URI can be trusted",
"value": "uri"
},
{
"colour": "#00BD25",
"description": "This URL is trust worthy",
"expanded": "This URL can be trusted",
"value": "url"
},
{
"colour": "#9D9D9D",
"description": "This email is trust worthy",
"expanded": "This email can be trusted",
"value": "email"
}
],
"values": [
{
"predicate": "confidence",
"entry": [
{
"value": "High",
"expanded": "High confidence"
},
{
"value": "Low",
"expanded": "Low confidence"
},
{
"value": "Medium",
"expanded": "Medium confidence"
}
]
}
],
"values": [
{
"predicate": "periodicity",
"entry": [
{
"value": "hourly",
"expanded": ""
},
{
"value": "daily",
"expanded": ""
},
{
"value": "weekly",
"expanded": ""
},
{
"value": "monthly",
"expanded": ""
},
{
"value": "yearly",
"expanded": ""
}
]
}
],
"values": [
{
"predicate": "change-likelihood",
"entry": [
{
"value": "low",
"expanded": ""
},
{
"value": "medium",
"expanded": ""
},
{
"value": "high",
"expanded": ""
},
{
"value": "unknown",
"expanded": ""
}
]
}
],
"refs": [
"https://trust.fyi"
],
"version": 1,
"description": "Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"expanded": "Indicators of Trust",
"namespace": "trust",
"exclusive": true
}