Merge pull request #184 from stricaud/trust

Adding the Trust Taxonomy
pull/185/head
Alexandre Dulaunoy 2020-04-02 09:21:42 +02:00 committed by GitHub
commit 87c7d5f519
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 94 additions and 1 deletions


@ -553,6 +553,11 @@
"name": "type",
"version": 1
},
{
"description": "Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"name": "trust",
"version": 1
},
{
"description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.",
"name": "use-case-applicability",
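Review bot: The new "trust" entry is inserted after "type" and before "use-case-applicability", which breaks the alphabetical order the neighbouring entries appear to follow ("trust" sorts before "type"); move it above the "type" entry so the list stays sorted. The description string is also copied verbatim into the other two files in this change, so any later rewording has to touch all three places.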
@ -575,5 +580,5 @@
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
"version": "20200324"
"version": "20200401"
}


@ -58,6 +58,7 @@ bfuscation techniques. This taxonomy lists all the known or official packer used
- [The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.](./PAP)
- [Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victims computer.](./targeted-threat-index)
- [TLP - Traffic Light Protocol](./tlp)
- [Trust - Indicators of Trust](./trust)
- [Type](./type)
- [Vocabulaire des probabilités estimatives](./vocabulaire-des-probabilites-estimatives)
- Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
@ -180,6 +181,10 @@ The Permissible Actions Protocol - or short: PAP - was designed to indicate how
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
### [Trust - Indicators of Trust](./trust)
Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.
### Vocabulary for Event Recording and Incident Sharing [VERIS](./veris)
Vocabulary for Event Recording and Incident Sharing is a format created by the [VERIS community](http://veriscommunity.net/).
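Review bot: The description added under the Trust heading is hard to parse ("provide insight about data on what can be trusted and known as a good actor"), and "a whitelist but on steroids" is informal for reference documentation. It also does not tell the reader which kinds of data the taxonomy covers. Suggest a plainer sentence stating that the tags mark data known to be good so it can be filtered out, followed by the list of predicates (domain, ip, sha256, sha384, sha512, uri, url, email).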

trust/machinetag.json Normal file

@ -0,0 +1,83 @@
{
"predicates": [
{
"colour": "#2657ff",
"description": "This domain is known to be good",
"expanded": "A domain, the human name given to a host can be trusted",
"value": "domain"
},
{
"colour": "#e8c90e",
"description": "This IP is known to be good",
"expanded": "This IP address can be trusted",
"value": "ip"
},
{
"colour": "#0E40E8",
"description": "This SHA256 Hash is trust worthy",
"expanded": "This SHA256 Hash can be trusted",
"value": "sha256"
},
{
"colour": "#0E40E8",
"description": "This SHA384 Hash is trust worthy",
"expanded": "This SHA384 Hash can be trusted",
"value": "sha384"
},
{
"colour": "#0E40E8",
"description": "This SHA512 Hash is trust worthy",
"expanded": "This SHA512 Hash can be trusted",
"value": "sha512"
},
{
"colour": "#00BD25",
"description": "This URI is trust worthy",
"expanded": "This URI can be trusted",
"value": "uri"
},
{
"colour": "#00BD25",
"description": "This URL is trust worthy",
"expanded": "This URL can be trusted",
"value": "url"
},
{
"colour": "#9D9D9D",
"description": "This email is trust worthy",
"expanded": "This email can be trusted",
"value": "email"
}
],
"values": [
{
"predicate": "change-likelihood",
"entry": [
{
"value": "low",
"expanded": "Low Change"
},
{
"value": "medium",
"expanded": "Medium Change"
},
{
"value": "high",
"expanded": "High Change"
},
{
"value": "unknown",
"expanded": "Unknown Change Likelihood"
}
]
}
],
"refs": [
"https://trust.fyi"
],
"version": 1,
"description": "Indicators of Trust provide insight about data on what can be trusted and known as a good actor. Similar to a whitelist but on steroids, reusing features one would use with Indicators of Compromise, but to filter out what is known to be good.",
"expanded": "Indicators of Trust",
"namespace": "trust",
"exclusive": true
}
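Review bot: The "values" block is keyed to the predicate "change-likelihood", but no entry with "value": "change-likelihood" exists in "predicates", so low/medium/high/unknown cannot be reached from any declared predicate. Either add a change-likelihood predicate with its own colour, description and expanded text, or attach the values to the predicates they are meant to qualify. Please also check "exclusive": true against the intended use: if it limits an object to one tag from this namespace, a change-likelihood tag could not be combined with trust:domain or trust:ip on the same object. Smaller points: "trust worthy" should be "trustworthy" in the description strings, and since these tags are meant to filter data out, the descriptions should say who is asserting the trust, because a wrong "known to be good" tag suppresses a real detection.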