diff --git a/MANIFEST.json b/MANIFEST.json
index c161894..0d124dc 100644
--- a/MANIFEST.json
+++ b/MANIFEST.json
@@ -61,7 +61,12 @@
 "description": "CIRCL Taxonomy is a simple scheme for incident classification and area topic where the incident took place."
 },
 {
- "version": 2,
+ "version": 1,
+ "name": "coa",
+ "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack."
+ },
+ {
+ "version": 3,
 "name": "collaborative-intelligence",
 "description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP."
 },
@@ -138,7 +143,7 @@
 {
 "version": 1,
 "name": "euci",
- "description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32013D0488&from=EN"
+ "description": "EU classified information (EUCI) means any information or material designated by a EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States as described in COUNCIL DECISION of 23 September 2013 on the security rules for protecting EU classified information"
 },
 {
 "version": 2,
@@ -191,7 +196,7 @@
 "description": "Malware classification based on a SANS whitepaper about malware."
 },
 {
- "version": 5,
+ "version": 9,
 "name": "misp",
 "description": "Internal MISP taxonomy."
 },
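Review bot: The new `coa` manifest entry declares `"version": 1` while `coa/machinetag.json`, added in this same commit, carries `"version": 2`; if the MISP taxonomy updater compares against the manifest version (as its index does for other taxonomies), it will consider the shipped copy current and skip a re-import on the next bump. Align the two before merging: `"version": 2,` here, or `"version": 1` in the machinetag file. Separately, `coa` and the `course-of-action` taxonomy added further down this manifest model the same seven courses of action (discover through destroy); one sentence in each description pointing at the other would stop analysts tagging the same decision under two namespaces.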
@@ -251,7 +256,7 @@
 "description": "Representation of the behavior or modus operandi of cyber adversaries (a.k.a TTP) as normalized in STIX"
 },
 {
- "version": 1,
+ "version": 2,
 "name": "targeted-threat-index",
 "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman."
 },
@@ -271,7 +276,7 @@
 "description": "Vocabulary for Event Recording and Incident Sharing (VERIS)."
 },
 {
- "version": 1,
+ "version": 2,
 "name": "vocabulaire-des-probabilites-estimatives",
 "description": "Vocabulaire des probabilités estimatives"
 },
@@ -311,7 +316,7 @@
 "description": "Sectors and sub sectors as identified by the NIS Directive."
 },
 {
- "version": 2,
+ "version": 3,
 "name": "economical-impact",
 "description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information."
 },
@@ -361,7 +366,7 @@
 "version": 1
 },
 {
- "version": 1,
+ "version": 3,
 "name": "false-positive",
 "description": "This taxonomy aims to ballpark the expected amount of false positives."
 },
@@ -435,6 +440,21 @@
 "name": "information-security-data-source",
 "description": "Taxonomy to classify the information security data sources"
 },
+ {
+ "version": 1,
+ "name": "gea-nz-entities",
+ "description": "Information relating to instances of entities or things."
+ },
+ {
+ "version": 1,
+ "name": "gea-nz-activities",
+ "description": "Information needed to track or monitor moments, periods or events that occur over time. This type of information is focused on occurrences that must be tracked for business reasons or represent a specific point in the evolution of ‘The Business’."
+ },
+ {
+ "version": 3,
+ "name": "gea-nz-motivators",
+ "description": "Information relating to authority or governance."
+ },
 {
 "version": 1,
 "name": "cryptocurrency-threat",
@@ -444,11 +464,71 @@
 "version": 1,
 "name": "flesch-reading-ease",
 "description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid)."
+ },
+ {
+ "version": 3,
+ "name": "common-taxonomy",
+ "description": "The Common Taxonomy for Law Enforcement and The National Network of CSIRTs bridges the gap between the CSIRTs and international Law Enforcement communities by adding a legislative framework to facilitate the harmonisation of incident reporting to competent authorities, the development of useful statistics and sharing information within the entire cybercrime ecosystem."
+ },
+ {
+ "version": 1,
+ "name": "ransomware",
+ "description": "Ransomware is used to define ransomware types and the elements that compose them."
+ },
+ {
+ "version": 3,
+ "name": "dark-web",
+ "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project."
+ },
+ {
+ "version": 2,
+ "name": "retention",
+ "description": "Retention taxonomy to describe the retention period of the tagged information."
+ },
+ {
+ "version": 1,
+ "name": "threats-to-dns",
+ "description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614"
+ },
+ {
+ "version": 1,
+ "name": "csirt-americas",
+ "description": "Taxonomy from CSIRTAmericas.org."
+ },
+ {
+ "version": 1,
+ "name": "scrippsco2-fgc",
+ "description": "Flags describing the sample"
+ },
+ {
+ "version": 1,
+ "name": "scrippsco2-fgi",
+ "description": "Flags describing the sample for isotopic data (C14, O18)"
+ },
+ {
+ "version": 1,
+ "name": "scrippsco2-sampling-stations",
+ "description": "Sampling stations of the Scripps CO2 Program"
+ },
+ {
+ "version": 4,
+ "name": "phishing",
+ "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status."
+ },
+ {
+ "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project",
+ "version": 1,
+ "name": "ics"
+ },
+ {
+ "name": "course-of-action",
+ "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
+ "version": 2
 }
 ],
 "path": "machinetag.json",
 "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/master/",
 "description": "Manifest file of MISP taxonomies available.",
 "license": "CC-0",
- "version": "20190315"
+ "version": "20191023"
 }
diff --git a/analyst-assessment/machinetag.json b/analyst-assessment/machinetag.json
index 0371a9f..7a4573b 100644
--- a/analyst-assessment/machinetag.json
+++ b/analyst-assessment/machinetag.json
@@ -5,27 +5,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "experience"
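Review bot: The `course-of-action` manifest entry records `"version": 2` but `course-of-action/machinetag.json` in this same commit is `"version": 1`, so the manifest advertises a revision that does not exist; set `"version": 1` here (or bump the file) so the two agree. The `ics` and `course-of-action` objects also order their keys differently from every other entry (`version`, `name`, `description`) — harmless to a parser, since key order carries no meaning, but it makes the next diff noisier, so `"version"` first would match the rest of the file.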
@@ -56,27 +56,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "binary-reversing-experience"
@@ -132,27 +132,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "web-experience"
@@ -162,27 +162,27 @@
 {
 "expanded": "Less than 1 year",
 "value": "less-than-1-year",
- "numerical_value": 1
+ "numerical_value": 20
 },
 {
 "expanded": "Between 1 and 5 years",
 "value": "between-1-and-5-years",
- "numerical_value": 2
+ "numerical_value": 40
 },
 {
 "expanded": "Between 5 and 10 years",
 "value": "between-5-and-10-years",
- "numerical_value": 3
+ "numerical_value": 60
 },
 {
 "expanded": "Between 10 and 20 years",
 "value": "between-10-and-20-years",
- "numerical_value": 4
+ "numerical_value": 80
 },
 {
 "expanded": "More than 20 years",
 "value": "more-than-20-years",
- "numerical_value": 5
+ "numerical_value": 100
 }
 ],
 "predicate": "crypto-experience"
@@ -229,7 +229,7 @@
 "org",
 "user"
 ],
- "version": 2,
+ "version": 3,
 "description": "A series of assessment predicates describing the analyst capabilities to perform analysis. These assessment can be assigned by the analyst him/herself or by another party evaluating the analyst.",
 "expanded": "Analyst (Self) Assessment",
 "namespace": "analyst-assessment"
diff --git a/circl/machinetag.json b/circl/machinetag.json
index 291ae4d..caeb3ef 100644
--- a/circl/machinetag.json
+++ b/circl/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "circl",
 "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
- "version": 2,
+ "version": 3,
 "predicates": [
 {
 "value": "incident-classification",
@@ -83,6 +83,10 @@
 {
 "value": "wiper",
 "expanded": "Wiper"
+ },
+ {
+ "value": "sextortion",
+ "expanded": "sextortion"
 }
 ]
 },
diff --git a/coa/machinetag.json b/coa/machinetag.json
new file mode 100644
index 0000000..8ac2e39
--- /dev/null
+++ b/coa/machinetag.json
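Review bot: `"expanded": "sextortion"` is the human-readable label, and the sibling on the context line above capitalises its label (`"Wiper"`), so this entry should read `"expanded": "Sextortion"` to render consistently in the tag picker. Since the label is the only thing an analyst sees, consider making it self-explanatory as well, e.g. `"expanded": "Sextortion (extortion by threatened release of sexual material)"`, so it is not confused with the generic phishing and scam entries elsewhere in the `incident-classification` list, which lies outside this hunk.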
@@ -0,0 +1,377 @@
+{
+ "namespace": "coa",
+ "description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.",
+ "version": 2,
+ "predicates": [
+ {
+ "value": "discover",
+ "expanded": "Search historical data for an indicator."
+ },
+ {
+ "value": "detect",
+ "expanded": "Set up a detection rule for an indicator for future alerting."
+ },
+ {
+ "value": "deny",
+ "expanded": "Prevent an event from taking place."
+ },
+ {
+ "value": "disrupt",
+ "expanded": "Make an event fail when it is taking place."
+ },
+ {
+ "value": "degrade",
+ "expanded": "Slow down attacker activity; reduce attacker efficiency."
+ },
+ {
+ "value": "deceive",
+ "expanded": "Pretend only that an action was successful or provide misinformation to the attacker."
+ },
+ {
+ "value": "destroy",
+ "expanded": "Offensive action against the attacker."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "discover",
+ "entry": [
+ {
+ "value": "proxy",
+ "expanded": "Searched historical proxy logs.",
+ "colour": "#005065"
+ },
+ {
+ "value": "ids",
+ "expanded": "Searched historical IDS logs.",
+ "colour": "#00586f"
+ },
+ {
+ "value": "firewall",
+ "expanded": "Searched historical firewall logs.",
+ "colour": "#005f78"
+ },
+ {
+ "value": "pcap",
+ "expanded": "Discovered in packet-capture logs",
+ "colour": "#006681"
+ },
+ {
+ "value": "remote-access",
+ "expanded": "Searched historical remote access logs.",
+ "colour": "#006e8b"
+ },
+ {
+ "value": "authentication",
+ "expanded": "Searched historical authentication logs.",
+ "colour": "#007594"
+ },
+ {
+ "value": "honeypot",
+ "expanded": "Searched historical honeypot data.",
+ "colour": "#007c9d"
+ },
+ {
+ "value": "syslog",
+ "expanded": "Searched historical system logs.",
+ "colour": "#0084a6"
+ },
+ {
+ "value": "web",
+ "expanded": "Searched historical WAF and web application logs.",
+ "colour": "#008bb0"
+ },
+ {
+ "value": "database",
+ "expanded": "Searched historcial 
database logs.",
+ "colour": "#0092b9"
+ },
+ {
+ "value": "mail",
+ "expanded": "Searched historical mail logs.",
+ "colour": "#009ac2"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Searched historical antivirus alerts.",
+ "colour": "#00a1cb"
+ },
+ {
+ "value": "malware-collection",
+ "expanded": "Retro hunted in a malware collection.",
+ "colour": "#00a8d5"
+ },
+ {
+ "value": "other",
+ "expanded": "Searched other historical data.",
+ "colour": "#00b0de"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#00b7e7"
+ }
+ ]
+ },
+ {
+ "predicate": "detect",
+ "entry": [
+ {
+ "value": "proxy",
+ "expanded": "Detect by Proxy infrastructure",
+ "colour": "#0abdeb"
+ },
+ {
+ "value": "nids",
+ "expanded": "Detect by Network Intrusion detection system.",
+ "colour": "#13c5f4"
+ },
+ {
+ "value": "hids",
+ "expanded": "Detect by Host Intrusion detection system.",
+ "colour": "#24c9f5"
+ },
+ {
+ "value": "other",
+ "expanded": "Detect by other tools.",
+ "colour": "#35cef5"
+ },
+ {
+ "value": "syslog",
+ "expanded": "Detect in system logs.",
+ "colour": "#45d2f6"
+ },
+ {
+ "value": "firewall",
+ "expanded": "Detect by firewall.",
+ "colour": "#56d6f7"
+ },
+ {
+ "value": "email",
+ "expanded": "Detect by MTA.",
+ "colour": "#67daf8"
+ },
+ {
+ "value": "web",
+ "expanded": "Detect by web infrastructure including WAF.",
+ "colour": "#78def8"
+ },
+ {
+ "value": "database",
+ "expanded": "Detect in database.",
+ "colour": "#89e2f9"
+ },
+ {
+ "value": "remote-access",
+ "expanded": "Detect in remote-access logs.",
+ "colour": "#9ae6fa"
+ },
+ {
+ "value": "malware-collection",
+ "expanded": "Detect in malware-collection.",
+ "colour": "#aaeafb"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Detect with antivirus.",
+ "colour": "#bbeefb"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#ccf2fc"
+ }
+ ]
+ },
+ {
+ "predicate": "deny",
+ "entry": [
+ {
+ "value": "proxy",
+ "expanded": 
"Implemented a proxy filter.",
+ "colour": "#f09105"
+ },
+ {
+ "value": "firewall",
+ "expanded": "Implemented a block rule on a firewall.",
+ "colour": "#f99a0e"
+ },
+ {
+ "value": "waf",
+ "expanded": "Implemented a block rule on a web application firewall.",
+ "colour": "#f9a11f"
+ },
+ {
+ "value": "email",
+ "expanded": "Implemented a filter on a mail transfer agent.",
+ "colour": "#faa830"
+ },
+ {
+ "value": "chroot",
+ "expanded": "Implemented a chroot jail.",
+ "colour": "#faaf41"
+ },
+ {
+ "value": "remote-access",
+ "expanded": "Blocked an account for remote access.",
+ "colour": "#fbb653"
+ },
+ {
+ "value": "other",
+ "expanded": "Denied an action by other means.",
+ "colour": "#fbbe64"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#fbc575"
+ }
+ ]
+ },
+ {
+ "predicate": "disrupt",
+ "entry": [
+ {
+ "value": "nips",
+ "expanded": "Implemented a rule on a network IPS.",
+ "colour": "#660389"
+ },
+ {
+ "value": "hips",
+ "expanded": "Implemented a rule on a host-based IPS.",
+ "colour": "#73039a"
+ },
+ {
+ "value": "other",
+ "expanded": "Disrupted an action by other means.",
+ "colour": "#8003ab"
+ },
+ {
+ "value": "email",
+ "expanded": "Quarantined an email.",
+ "colour": "#8d04bd"
+ },
+ {
+ "value": "memory-protection",
+ "expanded": "Implemented memory protection like DEP and/or ASLR.",
+ "colour": "#9a04ce"
+ },
+ {
+ "value": "sandboxing",
+ "expanded": "Exploded in a sandbox.",
+ "colour": "#a605df"
+ },
+ {
+ "value": "antivirus",
+ "expanded": "Activated an antivirus signature.",
+ "colour": "#b305f0"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#bc0ef9"
+ }
+ ]
+ },
+ {
+ "predicate": "degrade",
+ "entry": [
+ {
+ "value": "bandwidth",
+ "expanded": "Throttled the bandwidth.",
+ "colour": "#0421ce"
+ },
+ {
+ "value": "tarpit",
+ "expanded": "Implement a network tarpit.",
+ "colour": "#0523df"
+ },
+ {
+ "value": "other",
+ "expanded": "Degraded 
an action by other means.",
+ "colour": "#0526f0"
+ },
+ {
+ "value": "email",
+ "expanded": "Queued an email.",
+ "colour": "#0e2ff9"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#1f3ef9"
+ }
+ ]
+ },
+ {
+ "predicate": "deceive",
+ "entry": [
+ {
+ "value": "honeypot",
+ "expanded": "Implemented an interactive honeypot.",
+ "colour": "#0eb274"
+ },
+ {
+ "value": "DNS",
+ "expanded": "Implemented DNS redirects, e.g. a response policy zone.",
+ "colour": "#10c37f"
+ },
+ {
+ "value": "other",
+ "expanded": "Deceived the attacker with other technology.",
+ "colour": "#11d389"
+ },
+ {
+ "value": "email",
+ "expanded": "Implemented email redirection.",
+ "colour": "#12e394"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#1bec9d"
+ }
+ ]
+ },
+ {
+ "predicate": "destroy",
+ "entry": [
+ {
+ "value": "arrest",
+ "expanded": "Arrested the threat actor.",
+ "colour": "#c33210"
+ },
+ {
+ "value": "seize",
+ "expanded": "Seized attacker infrastructure.",
+ "colour": "#d33611"
+ },
+ {
+ "value": "physical",
+ "expanded": "Physically destroyed attacker hardware.",
+ "colour": "#e33b12"
+ },
+ {
+ "value": "dos",
+ "expanded": "Performed a denial-of-service attack against attacker infrastructure.",
+ "colour": "#ec441b"
+ },
+ {
+ "value": "hack-back",
+ "expanded": "Hack back against the threat actor.",
+ "colour": "#ed512b"
+ },
+ {
+ "value": "other",
+ "expanded": "Carried out other offensive actions against the attacker.",
+ "colour": "#ee5e3b"
+ },
+ {
+ "value": "unspecified",
+ "expanded": "Unspecified information.",
+ "colour": "#f06c4c"
+ }
+ ]
+ }
+ ]
+}
diff --git a/collaborative-intelligence/machinetag.json b/collaborative-intelligence/machinetag.json
index d33aa22..b67abd8 100644
--- a/collaborative-intelligence/machinetag.json
+++ b/collaborative-intelligence/machinetag.json
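Review bot: `"value": "DNS"` under the `deceive` predicate is the only capitalised machine-tag value in the file; tag values are case-sensitive identifiers, so `coa:deceive="DNS"` will not match a filter written in the lowercase form every other value uses — rename it to `"value": "dns"` before the taxonomy is published, because renaming afterwards orphans tags already applied. The `discover`/`database` label has a typo, `"Searched historcial database logs."` → `"Searched historical database logs."`. The `destroy` entries (`arrest`, `seize`, `physical`, `dos`, `hack-back`) carry no caveat that these are offensive actions normally reserved to law enforcement or requiring explicit legal authority, which the sibling `course-of-action` taxonomy added in this same commit does spell out; extending the predicate text to `"Offensive action against the attacker; normally reserved to law enforcement or requires explicit legal authority."` keeps a sharing platform from reading as an endorsement of hack-back. The file's `"version": 2` also disagrees with the `1` recorded for `coa` in MANIFEST.json.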
@@ -2,7 +2,7 @@
 "namespace": "collaborative-intelligence",
 "expanded": "collaborative intelligence support language",
 "description": "Collaborative intelligence support language is a common language to support analysts to perform their analysis to get crowdsourced support when using threat intelligence sharing platform like MISP. The objective of this language is to advance collaborative analysis and to share earlier than later.",
- "version": 2,
+ "version": 3,
 "predicates": [
 {
 "value": "request",
@@ -18,6 +18,11 @@
 "value": "sample",
 "expanded": "Request a binary sample"
 },
+ {
+ "value": "extracted-malware-config",
+ "expanded": "Extracted malware config",
+ "description": "Request of the malware configuration extracted from the malware sample tagged."
+ },
 {
 "value": "deobfuscated-sample",
 "expanded": "Request a deobfuscated sample of the shared sample"
diff --git a/common-taxonomy/machinetag.json b/common-taxonomy/machinetag.json
new file mode 100644
index 0000000..ed9f324
--- /dev/null
+++ b/common-taxonomy/machinetag.json
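Review bot: The new entry's `"expanded": "Extracted malware config"` breaks the phrasing of its siblings, which all read as requests (`"Request a binary sample"`, `"Request a deobfuscated sample of the shared sample"`), so in the tag picker this one will not read as a request at all. `"expanded": "Request the malware configuration extracted from the shared sample"` follows the pattern and carries the same information as the added `description` line, which can then stay as is. The enclosing `request` predicate's entry list continues outside the hunk.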
@@ -0,0 +1,213 @@
+{
+ "values": [
+ {
+ "entry": [
+ {
+ "description": "Malware detected in a system.",
+ "expanded": "Infection",
+ "value": "infection"
+ },
+ {
+ "description": "Malware attached to a message or email message containing link to malicious URL or IP.",
+ "expanded": "Distribution",
+ "value": "distribution"
+ },
+ {
+ "description": "System used as a command-and-control point by a botnet. Also included in this field are systems serving as a point for gathering information stolen by botnets.",
+ "expanded": "Command & Control (C&C)",
+ "value": "command-and-control"
+ },
+ {
+ "description": "System attempting to gain access to a port normally linked to a specific type of malware / System attempting to gain access to an IP address or URL normally linked to a specific type of malware, e.g. C&C or a distribution page for components linked to a specific botnet.",
+ "expanded": "Malicious connection",
+ "value": "malicious-connection"
+ }
+ ],
+ "predicate": "malware"
+ },
+ {
+ "entry": [
+ {
+ "description": "Single source using specially designed software to affect the normal functioning of a specific service, by exploiting vulnerability / Mass mailing of requests (network packets, emails, etc.) 
from one single source to a specific service, aimed at affecting its normal functioning.",
+ "expanded": "Denial of Service (DoS) / Distributed Denial of Service (DDoS)",
+ "value": "dos-ddos"
+ },
+ {
+ "description": "Logical and physical activities which – although they are not aimed at causing damage to information or at preventing its transmission among systems – have this effect.",
+ "expanded": "Sabotage",
+ "value": "sabotage"
+ }
+ ],
+ "predicate": "availability"
+ },
+ {
+ "entry": [
+ {
+ "description": "Single system scan searching for open ports or services using these ports for responding / Scanning a network aimed at identifying systems which are active in the same network / Transfer of a specific DNS zone.",
+ "expanded": "Scanning",
+ "value": "scanning"
+ },
+ {
+ "description": "Logical or physical interception of communications.",
+ "expanded": "Sniffing",
+ "value": "sniffing"
+ },
+ {
+ "description": "Mass emailing aimed at collecting data for phishing purposes with regard to the victims / Hosting web sites for phishing purposes.",
+ "expanded": "Phishing",
+ "value": "phishing"
+ }
+ ],
+ "predicate": "information-gathering"
+ },
+ {
+ "entry": [
+ {
+ "description": "Unsuccessful use of a tool exploiting a specific vulnerability of the system / Unsuccessful attempt to manipulate or read the information of a database by using the SQL injection technique / Unsuccessful attempts to perform attacks by using cross-site scripting techniques / Unsuccessful attempt to include files in the system under attack by using file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
+ "expanded": "Exploitation of vulnerability attempt",
+ "value": "vulnerability-exploitation-attempt"
+ },
+ {
+ "description": "Unsuccessful login by using sequential credentials for gaining access to the system / Unsuccessful acquisition of access credentials by breaking the protective cryptographic keys / 
Unsuccessful login by using system access credentials previously loaded into a dictionary.",
+ "expanded": "Login attempt",
+ "value": "login-attempt"
+ }
+ ],
+ "predicate": "intrusion-attempt"
+ },
+ {
+ "entry": [
+ {
+ "description": "Unauthorised use of a tool exploiting a specific vulnerability of the system / Unauthorised manipulation or reading of information contained in a database by using the SQL injection technique / Attack performed with the use of cross-site scripting techniques / Unauthorised inclusion of files into a system under attack with the use of file inclusion techniques / Unauthorised access to a system or component by bypassing an access control system in place.",
+ "expanded": "(Successful) Exploitation of vulnerability",
+ "value": "vulnerability-exploitation"
+ },
+ {
+ "description": "Unauthorised access to a system or component by using stolen access credentials.",
+ "expanded": "Compromising an account",
+ "value": "account-compromise"
+ }
+ ],
+ "predicate": "intrusion"
+ },
+ {
+ "entry": [
+ {
+ "description": "Unauthorised access to a system or component / Unauthorised access to a set of information / Unauthorised access to and sharing of a specific set of information.",
+ "expanded": "Unauthorised access",
+ "value": "unauthorised-access"
+ },
+ {
+ "description": "Unauthorised changes to a specific set of information / Unauthorised deleting of a specific set of information.",
+ "expanded": "Unauthorised modification / deletion",
+ "value": "unauthorised-modification-or-deletion"
+ }
+ ],
+ "predicate": "information-security"
+ },
+ {
+ "entry": [
+ {
+ "description": "Use of institutional resources for purposes other than those intended.",
+ "expanded": "Misuse or unauthorised use of resources",
+ "value": "resources-misuse"
+ },
+ {
+ "description": "Unauthorised use of the name of an institution.",
+ "expanded": "False representation",
+ "value": "false-representation"
+ }
+ ],
+ "predicate": "fraud"
+ },
+ {
+ "entry": [
+ {
+ "description": "Sending an unusually large quantity of email messages / Unsolicited or unwanted email message sent to the recipient.",
+ "expanded": "SPAM",
+ "value": "spam"
+ },
+ {
+ "description": "Unauthorised distribution or sharing of content protected by Copyright and related rights.",
+ "expanded": "Copyright",
+ "value": "copyright"
+ },
+ {
+ "description": "Distribution or sharing of illegal content such as child sexual exploitation material, racism, xenophobia, etc.",
+ "expanded": "Child Sexual Exploitation, racism or incitement to violence",
+ "value": "cse-racism-violence-incitement"
+ }
+ ],
+ "predicate": "abusive-content"
+ },
+ {
+ "entry": [
+ {
+ "description": "Incidents which do not fit the existing classification, acting as an indicator for the classification’s update.",
+ "expanded": "Unclassified incident",
+ "value": "unclassified-incident"
+ },
+ {
+ "description": "Unprocessed incidents which have remained undetermined from the beginning.",
+ "expanded": "Undetermined incident",
+ "value": "undetermined-incident"
+ }
+ ],
+ "predicate": "other"
+ }
+ ],
+ "predicates": [
+ {
+ "description": "Infection of one or various systems with a specific type of malware / Connection performed by/from/to (a) suspicious system(s)",
+ "expanded": "Malicious software/code",
+ "value": "malware"
+ },
+ {
+ "description": "Disruption of the processing and response capacity of systems and networks in order to render them inoperative / Premeditated action to damage a system, interrupt a process, change or delete information, etc.",
+ "expanded": "Availability",
+ "value": "availability"
+ },
+ {
+ "description": "Active and passive gathering of information on systems or networks / Unauthorised monitoring and reading of network traffic / Attempt to gather information on a user or a system through phishing methods.",
+ "expanded": "Information Gathering",
+ "value": "information-gathering"
+ },
+ {
+ "description": "Attempt to intrude by exploiting 
vulnerability in a system, component or network / Attempt to log in to services or authentication/access control mechanisms.",
+ "expanded": "Intrusion Attempt",
+ "value": "intrusion-attempt"
+ },
+ {
+ "description": "Actual intrusion by exploiting vulnerability in the system, component or network / Actual intrusion in a system, component or network by compromising a user or administrator account.",
+ "expanded": "Intrusion",
+ "value": "intrusion"
+ },
+ {
+ "description": "Unauthorised access to a particular set of information / Unauthorised change or elimination of a particular set of information.",
+ "expanded": "Information Security",
+ "value": "information-security"
+ },
+ {
+ "description": "Loss of property caused with fraudulent or dishonest intent of procuring, without right, an economic benefit for oneself or for another person.",
+ "expanded": "Fraud",
+ "value": "fraud"
+ },
+ {
+ "description": "Sending SPAM messages / Distribution and sharing of copyright protected content / Dissemination of content forbidden by law.",
+ "expanded": "Abusive Content",
+ "value": "abusive-content"
+ },
+ {
+ "description": "Incidents not classified in the existing classification.",
+ "expanded": "Other",
+ "value": "other"
+ }
+ ],
+ "version": 3,
+ "description": "Common Taxonomy for Law enforcement and CSIRTs",
+ "refs": [
+ "https://www.europol.europa.eu/publications-documents/common-taxonomy-for-law-enforcement-and-csirts",
+ "https://www.enisa.europa.eu/publications/tools-and-methodologies-to-support-cooperation-between-csirts-and-law-enforcement"
+ ],
+ "namespace": "common-taxonomy"
+}
diff --git a/copine-scale/machinetag.json b/copine-scale/machinetag.json
index b339587..840df7c 100644
--- a/copine-scale/machinetag.json
+++ b/copine-scale/machinetag.json
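Review bot: The `vulnerability-exploitation-attempt` description under the `intrusion-attempt` predicate ends with `Unauthorised access to a system or component by bypassing an access control system in place.`, which describes a successful intrusion and is the exact clause that closes the `vulnerability-exploitation` entry under `intrusion`, so an access-control bypass incident matches both entries as written. If the wording is deliberately verbatim from the Europol/ENISA source listed in `refs`, keep it; otherwise `Unsuccessful attempt to bypass an access control system in place.` preserves the attempt/success split the two predicates are built on. The top-level `"description": "Common Taxonomy for Law enforcement and CSIRTs"` is also much shorter than the description MANIFEST.json carries for this namespace — both are shown to users in different places, so consider reusing the manifest wording here.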
@@ -2,50 +2,60 @@
 "predicates": [
 {
 "expanded": "Sadistic/bestiality: (a) Pictures showing a child being tied, bound, beaten, whipped, or otherwise subjected to something that implies pain; (b) Pictures where an animal is involved in some form of sexual behavior with a child",
- "value": "level-10"
+ "value": "level-10",
+ "numerical_value": 100
 },
 {
 "expanded": "Gross assault: Grossly obscene pictures of sexual assault, involving penetrative sex, masturbation, or oral sex involving an adult",
- "value": "level-9"
+ "value": "level-9",
+ "numerical_value": 90
 },
 {
 "expanded": "Assault: Pictures of children being subjected to a sexual assault, involving digital touching, involving an adult",
- "value": "level-8"
+ "value": "level-8",
+ "numerical_value": 80
 },
 {
 "expanded": "Explicit sexual activity: Involves touching, mutual and self-masturbation, oral sex, and intercourse by child, not involving an adult",
- "value": "level-7"
+ "value": "level-7",
+ "numerical_value": 70
 },
 {
 "expanded": "Explicit erotic posing: Emphasizing genital areas where the child is posing either naked, partially clothed, or fully clothed",
- "value": "level-6"
+ "value": "level-6",
+ "numerical_value": 60
 },
 {
 "expanded": "Erotic posing: Deliberately posed pictures of fully or partially clothed or naked children in sexualized or provocative poses",
- "value": "level-5"
+ "value": "level-5",
+ "numerical_value": 50
 },
 {
 "expanded": "Posing: Deliberately posed pictures of children fully or partially clothed or naked (where the amount, context, and organization suggests sexual interest)",
- "value": "level-4"
+ "value": "level-4",
+ "numerical_value": 40
 },
 {
 "expanded": "Erotica: Surreptitiously taken photographs of children in play areas or other safe environments showing either underwear or varying degrees of nakedness",
- "value": "level-3"
+ "value": "level-3",
+ "numerical_value": 30
 },
 {
 "expanded": "Nudist: Pictures of naked or seminaked children in appropriate nudist settings, and 
from legitimate sources",
- "value": "level-2"
+ "value": "level-2",
+ "numerical_value": 20
 },
 {
 "expanded": "Indicative: Nonerotic and nonsexualized pictures showing children in their underwear, swimming costumes, and so on, from either commercial sources or family albums; pictures of children playing in normal settings, in which the context or organization of pictures by the collector indicates inappropriateness",
- "value": "level-1"
+ "value": "level-1",
+ "numerical_value": 10
 }
 ],
 "refs": [
 "https://en.wikipedia.org/wiki/COPINE_scale",
 "http://journals.sagepub.com/doi/pdf/10.1177/1079063217724768"
 ],
- "version": 1,
+ "version": 2,
 "description": "The COPINE Scale is a rating system created in Ireland and used in the United Kingdom to categorise the severity of images of child sex abuse. The scale was developed by staff at the COPINE (Combating Paedophile Information Networks in Europe) project. The COPINE Project was founded in 1997, and is based in the Department of Applied Psychology, University College Cork, Ireland.",
 "expanded": "COPINE Scale",
 "namespace": "copine-scale",
diff --git a/course-of-action/machinetag.json b/course-of-action/machinetag.json
new file mode 100644
index 0000000..0f62b8d
--- /dev/null
+++ b/course-of-action/machinetag.json
@@ -0,0 +1,56 @@ +{ + "namespace": "course-of-action", + "expanded": "Courses of Action", + "description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.", + "version": 1, + "predicates": [ + { + "value": "passive", + "expanded": "Passive actions have no influence of the adversarys doing." + }, + { + "value": "active", + "expanded": "Active actions can impact the adversary doing." + } + ], + "values": [ + { + "predicate": "passive", + "entry": [ + { + "value": "discover", + "expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past." + }, + { + "value": "detect", + "expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered." + } + ] + }, + { + "predicate": "active", + "entry": [ + { + "value": "deny", + "expanded": "The deny action prevents the event from taking place. Common examples include a firewall block or a proxy filter." + }, + { + "value": "disrupt", + "expanded": "Disruption makes the event fail as it is occurring. Examples include quarantining or memory protection measures." + }, + { + "value": "degrade", + "expanded": "Degrading will not immediately fail an event, but it will slow down the further actions of the attacker. 
This tactic allows you to catch up during an incident response process, but you have to consider that the attackers may eventually succeed in achieving their objectives. Throttling bandwidth is one way to degrade an intrusion." + }, + { + "value": "decieve", + "expanded": "Deception allows you to learn more about the intentions of the attacker by making them think the action was successful. One way to do this is to put a honeypot in place and redirect the traffic, based on an indicator, towards the honeypot." + }, + { + "value": "destroy", + "expanded": "The destroy action is rarely for 'usual' defenders, as this is an offensive action against the attacker. These actions, including physical destructive actions and arresting the attackers, are usually left to law enforcement agencies." + } + ] + } + ] +} diff --git a/csirt-americas/machinetag.json b/csirt-americas/machinetag.json new file mode 100644 index 0000000..995a234 --- /dev/null +++ b/csirt-americas/machinetag.json @@ -0,0 +1,63 @@ +{ + "namespace": "csirt-americas", + "description": "Taxonomía CSIRT Américas.", + "version": 1, + "predicates": [ + { + "value": "defacement", + "expanded": "Defacement" + }, + { + "value": "malware", + "expanded": "Malware" + }, + { + "value": "ddos", + "expanded": "DDoS" + }, + { + "value": "phishing", + "expanded": "Phishing" + }, + { + "value": "spam", + "expanded": "Spam" + }, + { + "value": "botnet", + "expanded": "Botnet" + }, + { + "value": "fastflux", + "expanded": "Fastflux" + }, + { + "value": "cryptojacking", + "expanded": "Cryptojacking" + }, + { + "value": "xss", + "expanded": "XSS" + }, + { + "value": "sqli", + "expanded": "SQL Injection" + }, + { + "value": "vulnerability", + "expanded": "Vulnerability" + }, + { + "value": "infoleak", + "expanded": "Information leak" + }, + { + "value": "compromise", + "expanded": "System compromise" + }, + { + "value": "other", + "expanded": "Other" + } + ] +} 
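Review bot: `"value": "decieve"` in the active entries is misspelled, and because `value` is the machine-tag identifier itself (tags would be created as `course-of-action:active="decieve"`), the typo becomes a permanent identifier once the taxonomy ships and any later correction is a breaking rename; change it now to `"value": "deceive",`. The top-level description says the analysis considers six courses of action, but the file defines seven entries (discover, detect, deny, disrupt, degrade, deceive, destroy), so either the count should be seven or the description should say that discover was added to the original six. Two label strings also read wrong: the passive predicate's `"Passive actions have no influence of the adversarys doing."` should be `"Passive actions have no influence on the adversary's doing."`, and the detect entry opens with 'The passive action' where 'The detect action' is meant. If the manifest registers this taxonomy under a name other than `course-of-action`, the manifest entry and the directory/namespace will disagree; worth confirming before merge.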
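Review bot: The csirt-americas taxonomy has no top-level `expanded` key, unlike the other taxonomies added in this commit (course-of-action, dark-web), so the UI has only the namespace to display; add `"expanded": "CSIRT Américas",` next to `namespace`. None of the fourteen predicates carries a `description`, which leaves categories such as `compromise` ("System compromise"), `infoleak` and `vulnerability` open to interpretation between teams tagging the same event; a one-line description per predicate stating what qualifies would keep the tags consistent. The description string is in Spanish while the labels are in English; that is fine, but a consistent language across `description` and `expanded` would be easier for consumers.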
diff --git a/cssa/machinetag.json b/cssa/machinetag.json
index eb1a425..1c8b2b9 100644
--- a/cssa/machinetag.json
+++ b/cssa/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "cssa",
 "description": "The CSSA agreed sharing taxonomy.",
- "version": 4,
+ "version": 6,
 "predicates": [
 {
 "value": "sharing-class",
@@ -11,6 +11,10 @@
 "value": "origin",
 "expanded": "Origin"
 },
+ {
+ "value": "report",
+ "expanded": "Report"
+ },
 {
 "value": "analyse",
 "expanded": "Please analyse sample",
@@ -24,17 +28,40 @@
 {
 "value": "high_profile",
 "expanded": "Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized.",
- "colour": "#007695"
+ "colour": "#007695",
+ "numerical_value": 95
 },
 {
 "value": "vetted",
 "expanded": "Generated within the company, validated by a human prior to sharing, data points have been contextualized (to a degree) e.g. IPs are related to C2 or drop site.",
- "colour": "#008aaf"
+ "colour": "#008aaf",
+ "numerical_value": 50
 },
 {
 "value": "unvetted",
 "expanded": "Generated within the company by automated means without human interaction e.g., by malware sandbox, honeypots, IDS, etc.",
- "colour": "#00b3e2"
+ "colour": "#00b3e2",
+ "numerical_value": 10
+ }
+ ]
+ },
+ {
+ "predicate": "report",
+ "entry": [
+ {
+ "value": "details",
+ "expanded": "Description of the incidence.",
+ "colour": "#fbc166"
+ },
+ {
+ "value": "link",
+ "expanded": "Link to the original report location.",
+ "colour": "#fbcb7f"
+ },
+ {
+ "value": "attached",
+ "expanded": "Attached report.",
+ "colour": "#fcd597"
 }
 ]
 },
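Review bot: `"expanded": "Description of the incidence."` on the new `report:details` entry should read `"expanded": "Description of the incident."`; `expanded` is the label users see. The `numerical_value` ladder given to sharing-class (95/50/10) is not explained anywhere in the hunk, so a consumer sorting by it has to guess whether higher means more trusted; a sentence in the sharing-class predicate description such as `numerical_value ranks the entries by level of human validation, higher is more trusted` would remove the guess. The version jumps from 4 to 6; if no intermediate version was ever published, saying so in the commit message would save the next reader a search.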
@@ -59,13 +86,18 @@
 {
 "value": "email",
 "expanded": "Information coming out of email infrastructure.",
- "colour": "#3cb08a"
+ "colour": "#3db08a"
 },
 {
 "value": "3rd-party",
 "expanded": "Information from outside the company.",
 "colour": "#46c098"
 },
+ {
+ "value": "report",
+ "expanded": "Information coming from a report.",
+ "colour": "#22644e"
+ },
 {
 "value": "other",
 "expanded": "If none of the other origins applies.",
diff --git a/dark-web/machinetag.json b/dark-web/machinetag.json
new file mode 100644
index 0000000..a13404e
--- /dev/null
+++ b/dark-web/machinetag.json
@@ -0,0 +1,355 @@ +{ + "namespace": "dark-web", + "expanded": "Dark Web", + "description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project", + "version": 3, + "predicates": [ + { + "value": "topic", + "description": "Topic associated with the materials tagged", + "expanded": "Topic" + }, + { + "value": "motivation", + "description": "Motivation with the materials tagged", + "expanded": "Motivation" + }, + { + "value": "structure", + "description": "Structure of the materials tagged", + "expanded": "Structure" + } + ], + "values": [ + { + "predicate": "topic", + "entry": [ + { + "value": "drugs-narcotics", + "expanded": "Drugs/Narcotics", + "description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)." + }, + { + "value": "electronics", + "expanded": "Electronics", + "description": "Electronics and high tech materials, described or to sell for example." + }, + { + "value": "finance", + "expanded": "Finance", + "description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc." + }, + { + "value": "finance-crypto", + "expanded": "CryptoFinance", + "description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc." + }, + { + "value": "credit-card", + "expanded": "Credit-Card", + "description": "Credit cards and payments materials" + }, + { + "value": "cash-in", + "expanded": "Cash-in", + "description": "Buying parts of assets, conversion from liquid assets, currency, etc." + }, + { + "value": "cash-out", + "expanded": "Cash-out", + "description": "Selling parts of assets, conversion to liquid assets, currency, etc." 
+ }, + { + "value": "escrow", + "expanded": "Escrow", + "description": "Third party keeping assets in behalf of two other parties making a transactions." + }, + { + "value": "hacking", + "expanded": "Hacking", + "description": "Materials relating to the illegal access to or alteration of data and/or electronic services." + }, + { + "value": "identification-credentials", + "expanded": "Identification/Credentials", + "description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials." + }, + { + "value": "intellectual-property-copyright-materials", + "expanded": "Intellectual Property/Copyright Materials", + "description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders." + }, + { + "value": "pornography-adult", + "expanded": "Pornography - Adult", + "description": "Lawful, ethical pornography (i.e. involving only consenting adults)." + }, + { + "value": "pornography-child-exploitation", + "expanded": "Pornography - Child (Child Exploitation)", + "description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities" + }, + { + "value": "pornography-illicit-or-illegal", + "expanded": "Pornography - Illicit or Illegal", + "description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc." + }, + { + "value": "search-engine-index", + "expanded": "Search Engine/Index", + "description": "Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid, 2016)" + }, + { + "value": "unclear", + "expanded": "Unclear", + "description": "Unable to completely establish topic of material." 
+ }, + { + "value": "extremism", + "expanded": "Extremism", + "description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes." + }, + { + "value": "violence", + "expanded": "Violence", + "description": "Materials relating to violence against persons or property." + }, + { + "value": "weapons", + "expanded": "Weapons", + "description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients." + }, + { + "value": "softwares", + "expanded": "Softwares", + "description": "Illegal or armful software distribution" + }, + { + "value": "counteir-feit-materials", + "expanded": "Counter-feit materials", + "description": "Fake identification papers." + }, + { + "value": "gambling", + "expanded": "Gambling", + "description": "Games involving money" + }, + { + "value": "library", + "expanded": "Library", + "description": "Library or list of books" + }, + { + "value": "other-not-illegal", + "expanded": "Other not illegal", + "description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors." 
+ }, + { + "value": "legitimate", + "expanded": "Legitimate", + "description": "Legitimate websites" + }, + { + "value": "chat", + "expanded": "Chats platforms", + "description": "Chats space or equivalent, which are not forums" + }, + { + "value": "mixer", + "expanded": "Mixer", + "description": "Anonymization tools for crypto-currencies transactions" + }, + { + "value": "mystery-box", + "expanded": "Mystery-Box", + "description": "Mystery Box seller" + }, + { + "value": "anonymizer", + "expanded": "Anonymizer", + "description": "Anonymization tools" + }, + { + "value": "vpn-provider", + "expanded": "VPN-Provider", + "description": "Provides VPN services and related" + }, + { + "value": "email-provider", + "expanded": "EMail-Provider", + "description": "Provides e-mail services and related" + }, + { + "value": "ponies", + "expanded": "Ponies", + "description": "self-explanatory. It's ponies" + }, + { + "value": "games", + "expanded": "Games", + "description": "Flash or online games" + }, + { + "value": "parody", + "expanded": "Parody or Joke", + "description": "Meme, Parody, Jokes, Trolling, ..." + }, + { + "value": "whistleblower", + "expanded": "Whistleblower", + "description": "Exposition and sharing of confidential information with protection of the witness in mind" + } + ] + }, + { + "predicate": "motivation", + "entry": [ + { + "value": "education-training", + "expanded": "Education & Training", + "description": "Materials providing instruction - e.g. 
‘how to’ guides" + }, + { + "value": "wiki", + "expanded": "Wiki", + "description": "Wiki pages, documentation and information display" + }, + { + "value": "forum", + "expanded": "Forum", + "description": "Sites specifically designed for multiple users to communicate as peers" + }, + { + "value": "file-sharing", + "expanded": "File Sharing", + "description": "General file sharing, typically (but not limited to) movie/image sharing" + }, + { + "value": "hosting", + "expanded": "Hosting", + "description": "Hosting providers, e-mails, websites, file-storage etc." + }, + { + "value": "ddos-services", + "expanded": "DDoS-Services", + "description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc." + }, + { + "value": "general", + "expanded": "General", + "description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites." + }, + { + "value": "information-sharing-reportage", + "expanded": "Information Sharing/Reportage", + "description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy." + }, + { + "value": "scam", + "expanded": "Scam", + "description": "Intentional confidence trick to fraud people or group of people" + }, + { + "value": "political-speech", + "expanded": "Political-Speech", + "description": "Political, activism, without extremism." + }, + { + "value": "conspirationist", + "expanded": "Conspirationist", + "description": "Conspirationist content, fake news, etc." + }, + { + "value": "hate-speech", + "expanded": "Hate-Speech", + "description": "Racism, violent, hate... speech." + }, + { + "value": "religious", + "expanded": "Religious", + "description": "Religious, faith, doctrinal related content." 
+ }, + { + "value": "marketplace-for-sale", + "expanded": "Marketplace/For Sale", + "description": "Services/goods for sale, regardless of means of payment." + }, + { + "value": "smuggling", + "expanded": "Smuggling", + "description": "Information or trading of wild animals, prohibited goods, ... " + }, + { + "value": "recruitment-advocacy", + "expanded": "Recruitment/Advocacy", + "description": "Propaganda" + }, + { + "value": "system-placeholder", + "expanded": "System/Placeholder", + "description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2" + }, + { + "value": "unclear", + "expanded": "Unclear", + "description": "Unable to completely establish motivation of material." + } + ] + }, + { + "predicate": "structure", + "entry": [ + { + "value": "incomplete", + "expanded": "Incomplete websites or information", + "description": "Websites and pages that are unable to load completely properly" + }, + { + "value": "captcha", + "expanded": "Captcha and Solvers", + "description": "Captchas and solvers elements" + }, + { + "value": "login-forms", + "expanded": "Logins forms and gates", + "description": "Authentication pages, login page, login forms that block access to an internal part of a website." + }, + { + "value": "contact-forms", + "expanded": "Contact forms and gates", + "description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..." + }, + { + "value": "encryption-keys", + "expanded": "Encryption and decryption keys", + "description": "e.g. PGP Keys, passwords, ..." + }, + { + "value": "police-notice", + "expanded": "Police Notice", + "description": "Closed websites, with police-equivalent banners" + }, + { + "value": "legal-statement", + "expanded": "Legal-Statement", + "description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..." 
+ },
+ {
+ "value": "test",
+ "expanded": "Test",
+ "description": "Test websites without any real consequences or effects"
+ },
+ {
+ "value": "videos",
+ "expanded": "Videos",
+ "description": "Videos and streaming"
+ },
+ {
+ "value": "unclear",
+ "expanded": "Unclear",
+ "description": "Unable to completely establish structure of material."
+ }
+ ]
+ }
+ ]
+}
diff --git a/economical-impact/machinetag.json b/economical-impact/machinetag.json
index 2150dc8..3acbc1f 100644
--- a/economical-impact/machinetag.json
+++ b/economical-impact/machinetag.json
@@ -2,7 +2,7 @@
 "namespace": "economical-impact",
 "expanded": " Economical Impact",
 "description": "Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).",
- "version": 2,
+ "version": 3,
 "refs": [
 "https://www.misp-project.org/"
 ],
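Review bot: `"value": "counteir-feit-materials"` under the topic predicate is a typo inside a machine-tag identifier, and since values are the stable tag names (`dark-web:topic="counteir-feit-materials"`) fixing it after publication is a breaking rename; change it now to `"value": "counterfeit-materials",` with `"expanded": "Counterfeit materials",`. Two label strings also carry typos: the `softwares` description `"Illegal or armful software distribution"` should be `"Illegal or harmful software distribution"`, and the escrow description `"in behalf of two other parties"` should be `"on behalf of two other parties"`. The `legitimate` and `other-not-illegal` topic entries overlap ("Legitimate websites" versus "Material not of interest to law enforcement"), so a sentence in each description saying when to prefer one over the other would keep tagging consistent across analysts.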
@@ -12,39 +12,48 @@
 "entry": [
 {
 "value": "none",
- "expanded": "No loss"
+ "expanded": "No loss",
+ "numerical_value": 0
 },
 {
 "value": "less-than-25k-eur",
- "expanded": "Less than 25K EUR"
+ "expanded": "Less than 25K EUR",
+ "numerical_value": 10
 },
 {
 "value": "less-than-50k-euro",
- "expanded": "Less than 50K EUR"
+ "expanded": "Less than 50K EUR",
+ "numerical_value": 20
 },
 {
 "value": "less-than-100k-euro",
- "expanded": "Less than 100K EUR"
+ "expanded": "Less than 100K EUR",
+ "numerical_value": 30
 },
 {
 "value": "less-than-1M-euro",
- "expanded": "Less than 1 million EUR"
+ "expanded": "Less than 1 million EUR",
+ "numerical_value": 40
 },
 {
 "value": "less-than-10M-euro",
- "expanded": "Less than 10 million EUR"
+ "expanded": "Less than 10 million EUR",
+ "numerical_value": 50
 },
 {
 "value": "less-than-100M-euro",
- "expanded": "Less than 100 million EUR"
+ "expanded": "Less than 100 million EUR",
+ "numerical_value": 60
 },
 {
 "value": "less-than-1B-euro",
- "expanded": "Less than 1 billion EUR"
+ "expanded": "Less than 1 billion EUR",
+ "numerical_value": 70
 },
 {
 "value": "more-than-1B-euro",
- "expanded": "More than 1 billion EUR"
+ "expanded": "More than 1 billion EUR",
+ "numerical_value": 80
 }
 ]
 },
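Review bot: The `numerical_value` ladder added here (0, 10, … 80) is an ordinal rank of the bucket, not an amount, yet every entry is labelled in EUR, so a consumer may read a value of 40 as a quantity or try to compare it with the amount-like scales of other taxonomies; a sentence in the taxonomy description, e.g. `numerical_value is the ordinal rank of the bucket (0 = none, 80 = more than 1B EUR), not an amount`, would prevent that. The same nine values are duplicated verbatim in the gain hunk that follows (`@@ -53,39 +62,48 @@`), with nothing tying the two ladders together, so a future edit must be applied twice to stay consistent. The pre-existing value spelling is already mixed (`less-than-25k-eur` versus `less-than-50k-euro`); since values are stable identifiers that cannot be fixed now, it is worth noting in the description that both spellings are intentional.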
@@ -53,39 +62,48 @@
 "entry": [
 {
 "value": "none",
- "expanded": "No gain"
+ "expanded": "No gain",
+ "numerical_value": 0
 },
 {
 "value": "less-than-25k-eur",
- "expanded": "Less than 25K EUR"
+ "expanded": "Less than 25K EUR",
+ "numerical_value": 10
 },
 {
 "value": "less-than-50k-euro",
- "expanded": "Less than 50K EUR"
+ "expanded": "Less than 50K EUR",
+ "numerical_value": 20
 },
 {
 "value": "less-than-100k-euro",
- "expanded": "Less than 100K EUR"
+ "expanded": "Less than 100K EUR",
+ "numerical_value": 30
 },
 {
 "value": "less-than-1M-euro",
- "expanded": "Less than 1 million EUR"
+ "expanded": "Less than 1 million EUR",
+ "numerical_value": 40
 },
 {
 "value": "less-than-10M-euro",
- "expanded": "Less than 10 million EUR"
+ "expanded": "Less than 10 million EUR",
+ "numerical_value": 50
 },
 {
 "value": "less-than-100M-euro",
- "expanded": "Less than 100 million EUR"
+ "expanded": "Less than 100 million EUR",
+ "numerical_value": 60
 },
 {
 "value": "less-than-1B-euro",
- "expanded": "Less than 1 billion EUR"
+ "expanded": "Less than 1 billion EUR",
+ "numerical_value": 70
 },
 {
 "value": "more-than-1B-euro",
- "expanded": "More than 1 billion EUR"
+ "expanded": "More than 1 billion EUR",
+ "numerical_value": 80
 }
 ]
 }
diff --git a/estimative-language/machinetag.json b/estimative-language/machinetag.json
index 16445ac..8a65673 100644
--- a/estimative-language/machinetag.json
+++ b/estimative-language/machinetag.json
@@ -2,7 +2,7 @@
 "namespace": "estimative-language",
 "expanded": "Estimative languages",
 "description": "Estimative language to describe quality and credibility of underlying sources, data, and methodologies based Intelligence Community Directive 203 (ICD 203) and JP 2-0, Joint Intelligence",
- "version": 3,
+ "version": 4,
 "predicates": [
 {
 "value": "likelihood-probability",
@@ -62,17 +62,20 @@
 {
 "value": "low",
 "expanded": "Low",
- "description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'"
+ "description": "Uncorroborated information from good or marginal sources. Many assumptions. Mostly weak logical inferences, minimal methods application. Glaring intelligence gaps exist. Terms or expressions used: 'Possible', 'Could, may, might', 'Cannot judge, unclear.'",
+ "numerical_value": 0
 },
 {
 "value": "moderate",
 "expanded": "Moderate",
- "description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'."
+ "description": "Partially corroborated information from good sources. Several assumptions. Mix of strong and weak inferences and methods. Minimum intelligence gaps exist. Terms or expressions used: 'Likely, unlikely', 'Probable, improbable' 'Anticipate, appear'.",
+ "numerical_value": 55
 },
 {
 "value": "high",
 "expanded": "High",
- "description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'."
+ "description": "Well-corroborated information from proven sources. Minimal assumptions. Strong logical inferences and methods. No or minor intelligence gaps exist. Terms or expressions used: 'Will, will not', 'Almost certainly, remote', 'Highly likely, highly unlikely', 'Expect, assert, affirm'.",
+ "numerical_value": 95
 }
 ]
 }
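Review bot: `"numerical_value": 0` on the `low` confidence entry is indistinguishable from an unset score in consumers that test the field for truthiness or treat 0 as "no value", so a low-confidence judgement can be filtered out or displayed as unscored rather than as low; a small positive value such as `"numerical_value": 10` keeps the low < moderate < high order while staying distinguishable from absent. The 0/55/95 spacing is not explained in the hunk; if it is meant to mirror the likelihood-probability scale elsewhere in the file, a short note in the predicate description saying so would help consumers that compare the two predicates.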
diff --git a/false-positive/machinetag.json b/false-positive/machinetag.json
index 3e15d4a..23420dc 100644
--- a/false-positive/machinetag.json
+++ b/false-positive/machinetag.json
@@ -1,13 +1,18 @@
 {
 "namespace": "false-positive",
 "description": "This taxonomy aims to ballpark the expected amount of false positives.",
- "version": 1,
+ "version": 3,
 "expanded": "False positive",
 "predicates": [
 {
 "value": "risk",
 "expanded": "Risk",
 "description": "Risk of having false positives in the tagged value."
+ },
+ {
+ "value": "confirmed",
+ "expanded": "Confirmed",
+ "description": "Confirmed false positives in the tagged value."
 }
 ],
 "values": [
@@ -18,7 +23,7 @@
 "value": "low",
 "expanded": "Low",
 "description": "The risk of having false positives in the tagged value is low.",
- "numerical_value": 25
+ "numerical_value": 75
 },
 {
 "value": "medium",
@@ -30,7 +35,7 @@
 "value": "high",
 "expanded": "High",
 "description": "The risk of having false positives in the tagged value is high.",
- "numerical_value": 75
+ "numerical_value": 25
 }
 ]
 }
diff --git a/gea-nz-activities/machinetag.json b/gea-nz-activities/machinetag.json
new file mode 100644
index 0000000..b66edf8
--- /dev/null
+++ b/gea-nz-activities/machinetag.json
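Review bot: Swapping `numerical_value` so that `low` risk becomes 75 and `high` risk becomes 25 inverts the meaning of the field for any consumer that already sorts or thresholds on it (a filter written as `numerical_value >= 50` to surface risky values now selects the safe ones), and nothing in the hunks states the new reading; the version bump signals a change but not its direction. Put the intended semantics in the `risk` predicate description, e.g. `"description": "Risk of having false positives in the tagged value; numerical_value expresses confidence that the value is not a false positive, higher is safer."`. The new `confirmed` predicate is added without entries, which is valid for a bare `false-positive:confirmed` tag, but if it is meant to be mutually exclusive with `risk` that should be said in its description so the two are not applied together.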
@@ -0,0 +1,967 @@ +{ + "namespace": "gea-nz-activities", + "description": "Information needed to track or monitor moments, periods or events that occur over time. This type of information is focused on occurrences that must be tracked for business reasons or represent a specific point in the evolution of ‘The Business’.", + "refs": [ + "https://www.dragon1.com/downloads/government-enterprise-architecture-for-new-zealand-v3.1.pdf" + ], + "version": 1, + "predicates": [ + { + "value": "cases-compliance", + "expanded": "Cases Compliance", + "description": "Information about an occurrence by a person or organisation that is under official investigation." + }, + { + "value": "cases-proceeding", + "expanded": "Cases Proceeding", + "description": "Information about a case held by an organisation related to interpretation of the law." + }, + { + "value": "cases-episode", + "expanded": "Cases Episode", + "description": "Information focused on individual’s interactions with an agency, organisation or enterprise, which is tacked as a sequence over a period of time." + }, + { + "value": "cases-commission-of-inquiry", + "expanded": "Cases Commission of Inquiry", + "description": "Information relating to inquiries into various issues. Commissions report findings, give advice and make recommendations." + }, + { + "value": "cases-claim", + "expanded": "Cases Claim", + "description": "Information about claims." + }, + { + "value": "cases-request", + "expanded": "Cases Request", + "description": "Information about requests that need to be tracked." + }, + { + "value": "cases-order", + "expanded": "Cases Order", + "description": "Information relating to orders and tracking of the orders." + }, + { + "value": "events-personal", + "expanded": "Events Personal", + "description": "Information around personal events like birth, starting school, getting married, etc." 
+ }, + { + "value": "events-crisis", + "expanded": "Events Crisis", + "description": "Information about events that describe a personal crisis." + }, + { + "value": "events-social", + "expanded": "Events Social", + "description": "Information relating to planned or spontaneous occurrences of a social nature that may require a response by an organisation." + }, + { + "value": "events-business", + "expanded": "Events Business", + "description": "Information related to a type of event relating to the business of the organisation." + }, + { + "value": "events-trade", + "expanded": "Events Trade", + "description": "Information about events that hold substantial meaning for an individual but which are tracked by an organisation such as birth, deaths, health condition etc." + }, + { + "value": "events-travel", + "expanded": "Events Travel", + "description": "Information related to traveling overseas or coming into France." + }, + { + "value": "events-environmental", + "expanded": "Events Environmental", + "description": "Information held by an organisation about environmental activities such as atmospheric pressures, geological formations, rainfall etc." + }, + { + "value": "events-uncontrolled", + "expanded": "Events Uncontrolled", + "description": "Information about events that occur spontaneously, but to which the organisation is required to respond." + }, + { + "value": "events-interaction", + "expanded": "Events Interaction", + "description": "Information about activity that describes a relevant process or action undertaken by the enterprise." + }, + { + "value": "services-france-society", + "expanded": "Services France Society", + "description": "Information related to services delivered across France individuals, communities, and businesses." + }, + { + "value": "services-inviduals-&-communities", + "expanded": "Services Inviduals & Communities", + "description": "Information related to services delivered specifically to France individuals and communities." 
+ }, + { + "value": "services-services-to-business", + "expanded": "Services Services to Business", + "description": "Information related to services delivered specifically to France businesses." + }, + { + "value": "services-civic-infrastructure", + "expanded": "Services Civic Infrastructure", + "description": "Information related to services delivering France infrastructure." + }, + { + "value": "services-government-administration", + "expanded": "Services Government Infrastructure", + "description": "Information related to delivering France government wide operations and support services." + }, + { + "value": "services-services-from-business", + "expanded": "Services Services from Business", + "description": "Information related to services delivered by businesses." + } + ], + "values": [ + { + "predicate": "cases-compliance", + "entry": [ + { + "value": "assessment", + "expanded": "Assessment", + "description": "Detailed information related to performing an assessment, the act of assessing; appraisal; evaluation." + }, + { + "value": "audit", + "expanded": "Audit", + "description": "Detailed information related to performing an audit, to make an audit of; examine (accounts, records, etc.) for purposes of verification." + }, + { + "value": "inspection", + "expanded": "Inspection", + "description": "Detailed information related to performing an inspection or viewing." + }, + { + "value": "investigation", + "expanded": "Investigation", + "description": "Detailed information related to performing an investigation, to search out and examine the particulars of in an attempt to learn the facts about something hidden, unique, or complex, especially in an attempt to find a motive, cause, or culprit." + }, + { + "value": "review", + "expanded": "Review", + "description": "Detailed information related to performing a review, to survey mentally; take a survey of." 
+ } + ] + }, + { + "predicate": "cases-proceeding", + "entry": [ + { + "value": "breach", + "expanded": "Breach", + "description": "Detailed information related to breaches, such as breach of contract, defamation, the recovering of debts, and family disputes over care arrangements for children, and others." + }, + { + "value": "fine", + "expanded": "Fine", + "description": "Detailed information related to fines, such as parking fine, speeding fine, and others." + }, + { + "value": "fraud", + "expanded": "Fraud", + "description": "Detailed information related to fraud." + }, + { + "value": "offence", + "expanded": "Offence", + "description": "Detailed information related to an offence." + } + ] + }, + { + "predicate": "cases-episode", + "entry": [ + { + "value": "defect", + "expanded": "Defect", + "description": "Detailed information related to cases concerning defects, such as time of occurrence, a repeated defect, solution, etc." + }, + { + "value": "emergency", + "expanded": "Emergency", + "description": "Detailed information related to emergency cases." + }, + { + "value": "error", + "expanded": "Error", + "description": "Detailed information related to errors, a deviation from accuracy or correctness." + }, + { + "value": "fault", + "expanded": "Fault", + "description": "Detailed information related to cases concerning faults, a defect or imperfection; flaw; failing." + }, + { + "value": "history", + "expanded": "History", + "description": "Detailed information related to history, meaning a sequence of events, such as family history." + }, + { + "value": "incident", + "expanded": "Incident", + "description": "Detailed information related to cases concerning incidents, an individual occurrence or event." + }, + { + "value": "issue", + "expanded": "Issue", + "description": "Detailed information related to cases concerning issues, a point in question or a matter that is in dispute which needs a decision." 
+ }, + { + "value": "problem", + "expanded": "Problem", + "description": "Detailed information related to problems, any question or matter involving doubt, uncertainty, or difficulty." + }, + { + "value": "crime", + "expanded": "Crime", + "description": "Detailed information related to cases concerning crimes, actions or instances of negligence that is deemed injurious to the public welfare or morals or to the interests of the state and that is legally prohibited." + }, + { + "value": "infrigement", + "expanded": "Infrigement", + "description": "Detailed information related to cases concerning infringements, a breach or infraction, as of a law, right, or obligation; violation; transgression." + } + ] + }, + { + "predicate": "cases-claim", + "entry": [ + { + "value": "claim-of-definition", + "expanded": "Claim of Definition", + "description": "Detailed information related to claims of definition." + }, + { + "value": "claim-of-cause", + "expanded": "Claim of Cause", + "description": "Detailed information related to claims of cause." + }, + { + "value": "claim-of-value", + "expanded": "Claim of Value", + "description": "Detailed information related to claims of value." + }, + { + "value": "claim-of-policy", + "expanded": "Claim of Policy", + "description": "Detailed information related to claims of policy." + }, + { + "value": "claim-of-fact", + "expanded": "Claim of Fact", + "description": "Detailed information related to claims of fact." + } + ] + }, + { + "predicate": "cases-request", + "entry": [ + { + "value": "request-for-information", + "expanded": "Request for Information", + "description": "Detailed information related to requests for information." + }, + { + "value": "request-for-proposal", + "expanded": "Request for proposal", + "description": "Detailed information related to requests for proposals." + }, + { + "value": "request-for-quotation", + "expanded": "Request for quotation", + "description": "Detailed information related to requests for quotation." 
+ },
+ {
+ "value": "request-for-tender",
+ "expanded": "Request for Tender",
+ "description": "Detailed information related to requests for tender."
+ },
+ {
+ "value": "request-for-approval",
+ "expanded": "Request for Approval",
+ "description": "Detailed information related to requests for approval."
+ },
+ {
+ "value": "request-for-comments",
+ "expanded": "Request for Comments",
+ "description": "Detailed information related to requests for comments."
+ },
+ {
+ "value": "order",
+ "expanded": "Order",
+ "description": "Information relating to orders and tracking of the orders."
+ }
+ ]
+ },
+ {
+ "predicate": "events-personal",
+ "entry": [
+ {
+ "value": "birth",
+ "expanded": "Birth",
+ "description": "Detailed information related to giving birth."
+ },
+ {
+ "value": "starting-school",
+ "expanded": "Starting School",
+ "description": "Detailed information related to starting school."
+ },
+ {
+ "value": "adoption",
+ "expanded": "Adoption",
+ "description": "Detailed information related to adopting a child."
+ },
+ {
+ "value": "marriage",
+ "expanded": "Marriage",
+ "description": "Detailed information related to get married."
+ },
+ {
+ "value": "senior-citizenship",
+ "expanded": "Senior Citizenship",
+ "description": "Detailed information related to becoming a senior citizen."
+ },
+ {
+ "value": "care",
+ "expanded": "Care",
+ "description": "Detailed information related to going into care."
+ },
+ {
+ "value": "death",
+ "expanded": "Death",
+ "description": "Detailed information related to a death."
+ },
+ {
+ "value": "fostering",
+ "expanded": "Fostering",
+ "description": "Detailed information related to fostering a child."
+ },
+ {
+ "value": "enrol-to-vote",
+ "expanded": "Enrol to Vote",
+ "description": "Detailed information related to the event of enrolling to vote and voting."
+ },
+ {
+ "value": "volunteering",
+ "expanded": "Volunteering",
+ "description": "Detailed information related to the event of volunteering for public services."
+ },
+ {
+ "value": "driver's-licence",
+ "expanded": "Driver's Licence",
+ "description": "Detailed information related to getting a driver's licence."
+ }
+ ]
+ },
+ {
+ "predicate": "events-crisis",
+ "entry": [
+ {
+ "value": "victim-of-a-crime",
+ "expanded": "Victim of a Crime",
+ "description": "Detailed information related to the event of being a victim of a crime."
+ },
+ {
+ "value": "witness-of-a-crime",
+ "expanded": "Witness of a Crime",
+ "description": "Detailed information related to the event of being a witness of a crime."
+ },
+ {
+ "value": "health",
+ "expanded": "Health",
+ "description": "Detailed information related to a health event, such as illness and operations."
+ },
+ {
+ "value": "emergency",
+ "expanded": "Emergency",
+ "description": "Detailed information related to an emergency."
+ },
+ {
+ "value": "accused",
+ "expanded": "Accused",
+ "description": "Detailed information related to being accused of a crime."
+ },
+ {
+ "value": "convicted",
+ "expanded": "Convicted",
+ "description": "Detailed information related to being convicted of a crime."
+ }
+ ]
+ },
+ {
+ "predicate": "events-social",
+ "entry": [
+ {
+ "value": "ceremony",
+ "expanded": "Ceremony",
+ "description": "Detailed information related to ceremonies."
+ },
+ {
+ "value": "conference",
+ "expanded": "Conference",
+ "description": "Detailed information related to conferences."
+ },
+ {
+ "value": "concert",
+ "expanded": "Concert",
+ "description": "Detailed information related to concerts."
+ },
+ {
+ "value": "sporting-event",
+ "expanded": "Spporting Event",
+ "description": "Detailed information related to sporting events, an activity involving physical exertion and skill that is governed by a set of rules or customs and often undertaken competitively, often sports."
+ },
+ {
+ "value": "protest",
+ "expanded": "Protest",
+ "description": "Detailed information related to protests, an event at which people gather together to show strong disapproval about something."
+ },
+ {
+ "value": "festival",
+ "expanded": "Festival",
+ "description": "Detailed information related to festivals."
+ }
+ ]
+ },
+ {
+ "predicate": "events-business",
+ "entry": [
+ {
+ "value": "seed-capital",
+ "expanded": "Seed Capital",
+ "description": "Detailed information related to seeding a business."
+ },
+ {
+ "value": "start-up",
+ "expanded": "Start-up",
+ "description": "Detailed information related to starting up a business."
+ },
+ {
+ "value": "hiring",
+ "expanded": "Hiring",
+ "description": "Detailed information related to hiring staff."
+ },
+ {
+ "value": "termination-of-employment",
+ "expanded": "Termination of Employment",
+ "description": "Detailed information related to terminating a employment contract."
+ },
+ {
+ "value": "merge",
+ "expanded": "Merge",
+ "description": "Detailed information related to merging of two or more companies, generally by offering the stockholders of one company securities in the acquiring company in exchange for the surrender of their stock."
+ },
+ {
+ "value": "demerge",
+ "expanded": "Demerge",
+ "description": "Detailed information related to a demerger, the separation of a large company into two or more smaller organizations, particularly as the dissolution of an earlier merger."
+ },
+ {
+ "value": "stock-exchange-listing",
+ "expanded": "Stock Exchange Listing",
+ "description": "Detailed information related to listing a company on the stock exchange."
+ },
+ {
+ "value": "stock-exchange-delisting",
+ "expanded": "Stock Exchange Delisting",
+ "description": "Detailed information related to de-listing or removing a company from the stock exchange."
+ },
+ {
+ "value": "change-name",
+ "expanded": "Change Name",
+ "description": "Detailed information related to changing the name of a company."
+ },
+ {
+ "value": "bankruptcy",
+ "expanded": "Bankruptcy",
+ "description": "Detailed information related to a company going bankrupt."
+ },
+ {
+ "value": "cease",
+ "expanded": "Cease",
+ "description": "Detailed information related to closing a company."
+ }
+ ]
+ },
+ {
+ "predicate": "events-trade",
+ "entry": [
+ {
+ "value": "buying",
+ "expanded": "Buying",
+ "description": "Detailed information related to buying goods or real estates."
+ },
+ {
+ "value": "selling",
+ "expanded": "Selling",
+ "description": "Detailed information related to selling goods or real estates."
+ },
+ {
+ "value": "importing",
+ "expanded": "Importing",
+ "description": "Detailed information related to importing goods."
+ },
+ {
+ "value": "exporting",
+ "expanded": "Exporting",
+ "description": "Detailed information related to exporting goods."
+ },
+ {
+ "value": "renting",
+ "expanded": "Renting",
+ "description": "Detailed information related to renting goods or real estate."
+ }
+ ]
+ },
+ {
+ "predicate": "events-travel",
+ "entry": [
+ {
+ "value": "travelling-overseas",
+ "expanded": "Travelling Overseas",
+ "description": "Detailed information related to traveling overseas."
+ },
+ {
+ "value": "extended-stay-in-france",
+ "expanded": "Extended Stay in France",
+ "description": "Detailed information related to an extended stay in France."
+ }
+ ]
+ },
+ {
+ "predicate": "events-environmental",
+ "entry": [
+ {
+ "value": "atmospheric",
+ "expanded": "Atmospheric",
+ "description": "Detailed information related to atmospheric event, such as cyclone, hail, hurricane, lightning, rain, snow, typhoon, wind, pressure."
+ },
+ {
+ "value": "elemental",
+ "expanded": "Elemental",
+ "description": "Detailed information related to elemental event, such as avalanche, fire, flood, landslide, tsunami, etc."
+ },
+ {
+ "value": "geological",
+ "expanded": "Geological",
+ "description": "Detailed information related to geological event, such as earthquake, eruption, formation."
+ },
+ {
+ "value": "seasonal",
+ "expanded": "Seasonal",
+ "description": "Detailed information related to seasonal events."
+ }
+ ]
+ },
+ {
+ "predicate": "events-uncontrolled",
+ "entry": [
+ {
+ "value": "accident",
+ "expanded": "Accident",
+ "description": "Detailed information related to an accident, such as crash, explosion, implosion, spill, etc."
+ },
+ {
+ "value": "attack",
+ "expanded": "Attack",
+ "description": "Detailed information related to attacks, such as arson, bombing, coup, kidnapping, biological attack, terrorism, uprising, and threats which lead to an offence."
+ },
+ {
+ "value": "failure",
+ "expanded": "Failure",
+ "description": "Detailed information related to a failure, such as blackout, nuclear meltdown, etc."
+ },
+ {
+ "value": "other",
+ "expanded": "Other",
+ "description": "Detailed information related to other uncontrolled events."
+ }
+ ]
+ },
+ {
+ "predicate": "events-interaction",
+ "entry": [
+ {
+ "value": "channel",
+ "expanded": "Channel",
+ "description": "A channel or mode by which an interaction takes place. For example face-to-face, in-person or by mail etc."
+ },
+ {
+ "value": "medium",
+ "expanded": "Medium",
+ "description": "The format in which information content is supplied to others, provided internally to the organisation or purchased from an external provider."
+ },
+ {
+ "value": "interaction-type",
+ "expanded": "Interaction Type",
+ "description": "Actions represent the information about key interactions that occur. Concepts such as Operators Assisted and Self Service are just relationships from parties in their appropriate roles to an action."
+ }
+ ]
+ },
+ {
+ "predicate": "services-france-society",
+ "entry": [
+ {
+ "value": "border-control",
+ "expanded": "Border Control",
+ "description": "Detailed information related to border control services."
+ },
+ {
+ "value": "culture-and-heritage",
+ "expanded": "Culture and Heritage",
+ "description": "Detailed information related to services to support culture and heritage."
+ },
+ {
+ "value": "defence",
+ "expanded": "Defence",
+ "description": "Detailed information related to services to support the defence and protection of the nation."
+ },
+ {
+ "value": "economic-service",
+ "expanded": "Economic Service",
+ "description": "Detailed information related to services to support the economic management of public funds and other resources."
+ },
+ {
+ "value": "environment",
+ "expanded": "Environment",
+ "description": "Detailed information related to services to support the management of surrounding natural and built environment."
+ },
+ {
+ "value": "financial-transaction-with-government",
+ "expanded": "Financial Transaction with Government",
+ "description": "Detailed information related to provisioning earned and unearned financial or monetary-like benefits to individuals, groups, or corporations."
+ },
+ {
+ "value": "international-relationship",
+ "expanded": "International Relationship",
+ "description": "Detailed information related to services around international relationships."
+ },
+ {
+ "value": "justice",
+ "expanded": "Justice",
+ "description": "Detailed information related to services to provide justice, apply legislation, etc."
+ },
+ {
+ "value": "france-society",
+ "expanded": "France Society",
+ "description": "Detailed information related to services to assist individuals and organisations."
+ },
+ {
+ "value": "natural-resources",
+ "expanded": "Natural Resources",
+ "description": "Detailed information related to services to support the sustainability use and management of energy, minerals, land, and water."
+ },
+ {
+ "value": "open-government",
+ "expanded": "Open Government",
+ "description": "Detailed information related to services around transparency that gives citizens oversight of the government."
+ },
+ {
+ "value": "regulatory-compliance-and-enforcement",
+ "expanded": "Regulatory Compliance and Enforcement",
+ "description": "Detailed information related to services to monitor and oversight of specific individuals, groups, industries, or communities participating in regulated activities."
+ },
+ {
+ "value": "science-and-research",
+ "expanded": "Science and Research",
+ "description": "Detailed information related to services to support and promote research and systematic studies."
+ },
+ {
+ "value": "security",
+ "expanded": "Security",
+ "description": "Detailed information related to services to maintain the safety of New Zealand at all levels of society."
+ },
+ {
+ "value": "statistical-services",
+ "expanded": "Statistical Services",
+ "description": "Detailed information related to services to provide high quality, objective and responsive statistics"
+ }
+ ]
+ },
+ {
+ "predicate": "services-inviduals-&-communities",
+ "entry": [
+ {
+ "value": "adopting-and-fostering",
+ "expanded": "Adopting and Fostering",
+ "description": "Detailed information related to services to support a person who wants to adopt or foster another person, usually a child."
+ },
+ {
+ "value": "births-deaths-and-marriages",
+ "expanded": "Births, Deaths and Marriages",
+ "description": "Detailed information related to these life events of France citizens, and residents."
+ },
+ {
+ "value": "citizenship-and-immigration",
+ "expanded": "Citizenship and Immigration",
+ "description": "Detailed information related to services to assist people wishing to enter France on a permanent or temporary basis"
+ },
+ {
+ "value": "community-support",
+ "expanded": "Community Support",
+ "description": "Detailed information related to services to assist citizens in a particular district or those with common interests and needs."
+ },
+ {
+ "value": "education-and-training",
+ "expanded": "Education and Training",
+ "description": "Detailed information related to services to support the provisioning of skills and knowledge to citizens and the strategies to make education available to the broadest possible cross-section of the community."
+ },
+ {
+ "value": "emergency-and-disaster-preparedness",
+ "expanded": "Emergency and Disaster Preparedness",
+ "description": "Detailed information related to services to deal with and avoid both natural and manmade disasters."
+ },
+ {
+ "value": "information-from-citizens",
+ "expanded": "Information from Citizens",
+ "description": "Detailed information related to services to support avenues through which the government exchange information and explicit knowledge with individuals."
+ },
+ {
+ "value": "health-care",
+ "expanded": "Health Care",
+ "description": "Detailed information related to services to prevent, diagnose and treat diseases or injuries, to provision health care services and medical research."
+ },
+ {
+ "value": "passport-travel-and-tourism",
+ "expanded": "Passport, Travel and Tourism",
+ "description": "Detailed information related to services to support France citizens traveling or living overseas, and local and overseas tourists traveling within France."
+ },
+ {
+ "value": "sport-and-recreation",
+ "expanded": "Sport and Recreation",
+ "description": "Detailed information related to services to support, promote and encourage operating and marinating amenities or facilities for cultural, recreational and sporting activities."
+ },
+ {
+ "value": "work-and-jobs",
+ "expanded": "Work and Jobs",
+ "description": "Detailed information related to services to support employment, develop careers, and gain professional accreditation for individuals."
+ }
+ ]
+ },
+ {
+ "predicate": "services-services-to-business",
+ "entry": [
+ {
+ "value": "business-development",
+ "expanded": "Business Development",
+ "description": "Detailed information related to services to assist business growth and management, and support advocacy programs and advising on regulations surrounding business activities."
+ },
+ {
+ "value": "business-support",
+ "expanded": "Business Support",
+ "description": "Detailed information related to services to support the private sector, including small business and non-profit organisations assisting businesses to comply with reporting requirements of the government."
+ },
+ {
+ "value": "commercial-sport",
+ "expanded": "Commercial Sport",
+ "description": "Detailed information related to services to cover the commercial aspects of sport when run as a business."
+ },
+ {
+ "value": "employment",
+ "expanded": "Employment",
+ "description": "Detailed information related to services to support the employment growth and working environment."
+ },
+ {
+ "value": "primal-industries",
+ "expanded": "Primal Industries",
+ "description": "Detailed information related to services to support rural and marine industries."
+ },
+ {
+ "value": "tourism",
+ "expanded": "Tourism",
+ "description": "Detailed information related to services to encourage recreational visitors to a region, and support the tourism industry."
+ },
+ {
+ "value": "trade",
+ "expanded": "Trade",
+ "description": "Detailed information related to services to support purchase, sale or exchange of commodities and advising on trade regulations."
+ }
+ ]
+ },
+ {
+ "predicate": "services-civic-infrastructure",
+ "entry": [
+ {
+ "value": "civic-management",
+ "expanded": "Civic Management",
+ "description": "Detailed information related to services to provision integrated support for town planning and building projects, coordinate of building projects, provide advice on building regulations and guidelines."
+ },
+ {
+ "value": "communications",
+ "expanded": "Communications",
+ "description": "Detailed information related to services to support the growth of industries that enable and facilitate communication and transmission of information."
+ },
+ {
+ "value": "essential-services",
+ "expanded": "Essential Services",
+ "description": "Detailed information related to services to provision essential community services, evaluate land use, town planning, etc."
+ },
+ {
+ "value": "maritime-services",
+ "expanded": "Maritime Services",
+ "description": "Detailed information related to services to negotiate passage for sea transport and maritime jurisdiction, provide advice on regulations and manage maritime infrastructure."
+ },
+ {
+ "value": "public-housing",
+ "expanded": "Public Housing",
+ "description": "Detailed information related to services to supply low cost accommodations, provide advice on guidelines, evaluate the need for public housing, setting construction targets, support on-going maintenance of public houses."
+ },
+ {
+ "value": "regional-development",
+ "expanded": "Regional Development",
+ "description": "Detailed information related to services to support infrastructure projects, extend facilities beyond urban boundaries and support the installation of equipment to enable communications."
+ },
+ {
+ "value": "transport",
+ "expanded": "Transport",
+ "description": "Detailed information related to services to support road, rail and air transportation systems."
+ }
+ ]
+ },
+ {
+ "predicate": "services-government-administration",
+ "entry": [
+ {
+ "value": "government-administration-management",
+ "expanded": "Government Administration Management",
+ "description": "Detailed information related to services that involve day-to day management and maintenance of the internal administrative operations."
+ },
+ {
+ "value": "government-business-management",
+ "expanded": "Government Business Management",
+ "description": "Detailed information related to services that involve activities associated with the management of how the government conduct its business."
+ },
+ {
+ "value": "government-credit-and-insurance",
+ "expanded": "Government Credit and Insurance",
+ "description": "Detailed information related to services that involve the use of government funds to cover the subsidy cost of a direct loan or loan guarantee or to protect/indemnify members of the public from financial losses."
+ },
+ {
+ "value": "government-financial-management",
+ "expanded": "Government Financial Management",
+ "description": "Detailed information related to services that involve agency's use of financial information to measure, operate and predict the effectiveness of efficiency of an entity's activities in relation to its objectives."
+ },
+ {
+ "value": "government-human-ressource-management",
+ "expanded": "Government Human Ressource Management",
+ "description": "Detailed information related to services that involve all activities associated with the recruitment and management of personnel."
+ },
+ {
+ "value": "government-ict-management",
+ "expanded": "Government ICT Management",
+ "description": "Detailed information related to services that involve the coordination of information and technology resources and solutions required to support or provide a service."
+ },
+ {
+ "value": "government-information-and-knowledge-management",
+ "expanded": "Government Information and Knowledge Management",
+ "description": "Detailed information related to services that involve the ownership or custody of information and intellectual assets held by the government."
+ },
+ {
+ "value": "government-strategy-planning-and-budgeting",
+ "expanded": "Government Strategy, Planning and Budgeting",
+ "description": "Detailed information related to services that involve the government activities of determining strategic direction, identifying and establishing programs, services and processes."
+ },
+ {
+ "value": "machinery-of-government",
+ "expanded": "Machinery of Government",
+ "description": "Detailed information related to services that involve executing legislative processes in Houses of Parliament, assemblies or councils."
+ }
+ ]
+ },
+ {
+ "predicate": "services-services-from-business",
+ "entry": [
+ {
+ "value": "advertising",
+ "expanded": "Advertising",
+ "description": "Detailed information related to advertising services rendered by advertising establishments primarily undertaking communications to the public, declarations or announcements by all means of diffusion and concerning all kinds of goods or services."
+ },
+ {
+ "value": "business-management",
+ "expanded": "Business Management",
+ "description": "Detailed information related to services to support business management, mainly services rendered by persons or organizations principally with the object of help in the working or management of a commercial undertaking, or help in the management of the business affairs or commercial functions of an industrial or commercial enterprise."
+ },
+ {
+ "value": "insurance",
+ "expanded": "Insurance",
+ "description": "Detailed information related to services rendered in relation to insurance contracts of all kinds, such as services dealing with insurance such as services rendered by agents or brokers engaged in insurance, services rendered to insured, and insurance underwriting services."
+ },
+ {
+ "value": "financial-service",
+ "expanded": "Finalcial Service",
+ "description": "Detailed information related to services rendered in financial and monetary affairs."
+ },
+ {
+ "value": "real-estate-affairs",
+ "expanded": "Real Estate Affairs",
+ "description": "Detailed information related to services of realty administrators of buildings, i.e., services of letting or valuation, or financing."
+ },
+ {
+ "value": "building-construction",
+ "expanded": "Building-Construction",
+ "description": "Detailed information related to services rendered by contractors or subcontractors in the construction or making of permanent buildings, as well as services rendered by persons or organizations engaged in the restoration of objects to their original condition or in their preservation without altering their physical or chemical properties."
+ },
+ {
+ "value": "telecommunication",
+ "expanded": "Telecommunication",
+ "description": "Detailed information related to services allowing at least one person to communicate with another by a sensory means."
+ },
+ {
+ "value": "transportation",
+ "expanded": "Transportation",
+ "description": "Detailed information related to services rendered in transporting people or goods from one place to another (by rail, road, water, air or pipeline) and services necessarily connected with such transport."
+ },
+ {
+ "value": "packaging-and-storage-of-goods",
+ "expanded": "Packaging and Storage of Goods",
+ "description": "Detailed information related to services relating to the storing of goods in a warehouse or other building for their preservation or guarding."
+ },
+ {
+ "value": "travel-arrangement",
+ "expanded": "Travel Arrangement",
+ "description": "Detailed information related to services consisting of information about journeys by tourist agencies, information relating to tariffs, timetables and methods of travel."
+ },
+ {
+ "value": "treatment-of-material",
+ "expanded": "Treatment of Material",
+ "description": "Detailed information related to services not included in other categories, rendered by the mechanical or chemical processing or transformation of objects or inorganic or organic substances and any process involving a change in its essential properties (for example, dyeing a garment), and services of material treatment which may be present during the production of any substance or object other than a building, for example, services which involve cutting, shaping, polishing by abrasion or metal coating."
+ },
+ {
+ "value": "providing-training",
+ "expanded": "Providing Training",
+ "description": "Detailed information related to services rendered by persons or institutions in the development of the mental faculties of persons or animals."
+ },
+ {
+ "value": "entertainment",
+ "expanded": "Entertainment",
+ "description": "Detailed information related to services having the basic aim of the entertainment, amusement or recreation of people."
+ },
+ {
+ "value": "scientific-service",
+ "expanded": "Scientific Service",
+ "description": "Detailed information related to services provided by persons, individually or collectively, in relation to the theoretical and practical aspects of complex fields of activities, such services are provided by members of professions such as chemists, physicists, engineers, computer programmers, etc."
+ },
+ {
+ "value": "providing-food-drink-and-accomodation",
+ "expanded": "Providing Food, Drinking and Accomodation",
+ "description": "Detailed information related to services provided by persons or establishments whose aim is to prepare food and drink for consumption and services provided to obtain bed and board in hotels, boarding houses or other establishments providing temporary accommodation."
+ },
+ {
+ "value": "medical-service",
+ "expanded": "Medical Service",
+ "description": "Detailed information related to medical care, hygienic and beauty care given by persons or establishments to human beings and animals, it also includes services relating to the fields of agriculture, horticulture and forestry."
+ },
+ {
+ "value": "legal-service",
+ "expanded": "Legal Service",
+ "description": "Detailed information related to legal services, security services for the protection of property and individuals, personal and social services rendered by others to meet the needs of individuals."
+ }
+ ]
+ }
+ ]
+}
diff --git a/gea-nz-entities/machinetag.json b/gea-nz-entities/machinetag.json
new file mode 100644
index 0000000..d066b29
--- /dev/null
+++ b/gea-nz-entities/machinetag.json
@@ -0,0 +1,777 @@
+{
+ "namespace": "gea-nz-entities",
+ "description": "Information relating to instances of entities or things.",
+ "refs": [
+ "https://www.dragon1.com/downloads/government-enterprise-architecture-for-new-zealand-v3.1.pdf"
+ ],
+ "version": 1,
+ "predicates": [
+ {
+ "value": "parties-party",
+ "expanded": "Parties Party",
+ "description": "Information dealing with people or organisations."
+ },
+ {
+ "value": "parties-qualification",
+ "expanded": "Parties Qualification",
+ "description": "Information which relates to persons or organisations of a qualifying nature."
+ },
+ {
+ "value": "parties-role",
+ "expanded": "Parties Role",
+ "description": "Role information which relates to persons or organisations."
+ },
+ {
+ "value": "parties-party-relationship",
+ "expanded": "Parties Party Relationship",
+ "description": "Information about the relationship between two or more parties."
+ },
+ {
+ "value": "places-address",
+ "expanded": "Places Address",
+ "description": "Detailed information related to an address."
+ },
+ {
+ "value": "places-location-type",
+ "expanded": "Places Location Type",
+ "description": "Information of a geospatial or geopolitical nature held by an organisation."
+ },
+ {
+ "value": "places-address-type",
+ "expanded": "Places Address Type",
+ "description": "Identifies the types of address."
+ },
+ {
+ "value": "places-purpose-of-location",
+ "expanded": "Places Purpose of Location",
+ "description": "Information about the purpose of a given address or location."
+ },
+ {
+ "value": "items-application-&-ict-services",
+ "expanded": "Items Application & ICT Services",
+ "description": "Information about application and ICT service assets."
+ },
+ {
+ "value": "items-ict-infrastructure",
+ "expanded": "Items ICT Infrastructure",
+ "description": "Information about man made surroundings that provide setting for organisational activity, such as platforms, networks, facilities, and end user equipment."
+ },
+ {
+ "value": "items-natural",
+ "expanded": "Items natural",
+ "description": "Information held by organisation which relate to natural resources."
+ },
+ {
+ "value": "items-financial",
+ "expanded": "Items Financial",
+ "description": "Information related to financial assistance products."
+ },
+ {
+ "value": "items-goods",
+ "expanded": "Items Goods",
+ "description": "Information related to goods."
+ },
+ {
+ "value": "items-regulatory",
+ "expanded": "Items Regulatory",
+ "description": "Information on regulatory products managed by an organisation."
+ },
+ {
+ "value": "items-urban-infrastructure",
+ "expanded": "Items Urban Infrastructure",
+ "description": "Information related to urban infrastructure."
+ },
+ {
+ "value": "items-accommodation",
+ "expanded": "Items Accommodation",
+ "description": "Information related to short–term accommodation provided on a commercial basis, excluding long–term accommodation and accommodation that is provided on a non–commercial basis."
+ },
+ {
+ "value": "items-dwelling-type",
+ "expanded": "Items Dwelling Type",
+ "description": "Information related to occupied dwelling type is used to monitor trends and developments in housing and institutional dwellings, to plan for the future housing and service needs of the community."
+ },
+ {
+ "value": "items-artefact",
+ "expanded": "Items Artefact",
+ "description": "An artefact is an item of value and manifests in a concrete form such as reports, documents, tables, books, instruction manuals, evidence, etc."
+ },
+ {
+ "value": "items-waste",
+ "expanded": "Items Waste",
+ "description": "Information related to the waste used, managed or produced by the organisation."
+ },
+ {
+ "value": "items-item-usage",
+ "expanded": "Items Item Usage",
+ "description": "Identifies the ways in which an organisation may use an item."
+ },
+ {
+ "value": "items-other-item",
+ "expanded": "Items Other Item",
+ "description": "Detailed information of other items not categorised within Items."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "parties-party",
+ "entry": [
+ {
+ "value": "organisation",
+ "expanded": "Organisation",
+ "description": "Information dealing with organisations, particularly where an information asset has no requirement to address either of these party sub-types directly."
+ },
+ {
+ "value": "individual",
+ "expanded": "Individual",
+ "description": "Information dealing with an individual."
+ }
+ ]
+ },
+ {
+ "predicate": "parties-qualification",
+ "entry": [
+ {
+ "value": "competence",
+ "expanded": "Competence",
+ "description": "Detailed information relating to party's competencies, experience based or professional."
+ },
+ {
+ "value": "education",
+ "expanded": "Education",
+ "description": "Detailed information relating to party's education history, such as higher education, schools, vocations."
+ },
+ {
+ "value": "industry",
+ "expanded": "Industry",
+ "description": "Detailed information relating to party's (mostly of an organisation) specific industry."
+ },
+ {
+ "value": "occupation",
+ "expanded": "Occupation",
+ "description": "Detailed information relating to a party's occupation."
+ }
+ ]
+ },
+ {
+ "predicate": "parties-role",
+ "entry": [
+ {
+ "value": "commerce",
+ "expanded": "Commerce",
+ "description": "Detailed information relating to commercial roles."
+ },
+ {
+ "value": "legal",
+ "expanded": "Legal",
+ "description": "Detailed information relating to legal roles, such as commissioner, counsel, defendant, investigator, offender, source, suspect, witness."
+ },
+ {
+ "value": "of-interest",
+ "expanded": "Of Interest",
+ "description": "Detailed information relating to roles a party plays in any subject of interest."
+ },
+ {
+ "value": "social",
+ "expanded": "Social",
+ "description": "Detailed information relating to social roles."
+ }
+ ]
+ },
+ {
+ "predicate": "parties-party-relationship",
+ "entry": [
+ {
+ "value": "membership",
+ "expanded": "Membership",
+ "description": "Detailed information relating to membership to groups, forums, etc."
+ },
+ {
+ "value": "employer",
+ "expanded": "Employer",
+ "description": "Detailed information relating to relationship of an employer towards other parties, such as employee, government, industry."
+ },
+ {
+ "value": "provider",
+ "expanded": "Provider",
+ "description": "Detailed information relating to relationship as a provider of services towards other parties."
+ },
+ {
+ "value": "delegation",
+ "expanded": "Delegation",
+ "description": "Detailed information related to the relationship of delegation, both delegator / delegated."
+ }
+ ]
+ },
+ {
+ "predicate": "places-address",
+ "entry": [
+ {
+ "value": "electronic-address",
+ "expanded": "Electronic Address",
+ "description": "Detailed information around an electronic address."
+ },
+ {
+ "value": "physical-address",
+ "expanded": "Physical Address",
+ "description": "Detailed information related to geographic addresses."
+ }
+ ]
+ },
+ {
+ "predicate": "places-location-type",
+ "entry": [
+ {
+ "value": "geopolitical",
+ "expanded": "Geopolitical",
+ "description": "Detailed information related to geopolitical places, such as council, country, electorate, locality, nation, region, and province."
+ },
+ {
+ "value": "geospatial",
+ "expanded": "Geospatial",
+ "description": "Detailed information related to geospatial places, such as area, lot, parish, statistical area, suburb, town, village, and zone."
+ }
+ ]
+ },
+ {
+ "predicate": "places-address-type",
+ "entry": [
+ {
+ "value": "nz-standard-addresss",
+ "expanded": "NZ Standard Address",
+ "description": "Detailed information relating to standard New Zealand addresses."
+ },
+ {
+ "value": "po-box",
+ "expanded": "PO Box",
+ "description": "Detailed information relating to PO Box, a numbered box in a post office assigned to a person or organization, where letters for them are kept until called for."
+ },
+ {
+ "value": "rural-delivery-address",
+ "expanded": "Rural Delivery Address",
+ "description": "Detailed information relating to rural delivery addresses which have no standard NZ format."
+ },
+ {
+ "value": "ovearseas-address",
+ "expanded": "Overseas Address",
+ "description": "Detailed information relating to addresses in other countries."
+ },
+ {
+ "value": "location-addresss",
+ "expanded": "Location Address",
+ "description": "Detailed information relating to physical location addresses including coordinates."
+ }
+ ]
+ },
+ {
+ "predicate": "places-purpose-of-location",
+ "entry": [
+ {
+ "value": "residency",
+ "expanded": "Residency",
+ "description": "Detailed information relating to home addresses, both current and previous."
+ },
+ {
+ "value": "delivery",
+ "expanded": "Delivery",
+ "description": "Detailed information related to delivery addresses."
+ },
+ {
+ "value": "billing",
+ "expanded": "Billing",
+ "description": "Detailed information related to billing addresses."
+ },
+ {
+ "value": "place-of-birth",
+ "expanded": "Place of Birth",
+ "description": "Detailed information related to the place of birth."
+ },
+ {
+ "value": "consultation",
+ "expanded": "Consultation",
+ "description": "Detailed information related to the location of a consultation."
+ },
+ {
+ "value": "referral",
+ "expanded": "Referral",
+ "description": "Detailed information related to location of a referral."
+ },
+ {
+ "value": "admission",
+ "expanded": "Admission",
+ "description": "Detailed information related to the location of an admission."
+ },
+ {
+ "value": "treatment",
+ "expanded": "Treatment",
+ "description": "Detailed information related to the location of a treatment."
+ },
+ {
+ "value": "work-place",
+ "expanded": "Work Place",
+ "description": "Detailed information related to the workplace location or address."
+ },
+ {
+ "value": "facility-location",
+ "expanded": "Facility Location",
+ "description": "Detailed information related to the location of a facility."
+ },
+ {
+ "value": "storage",
+ "expanded": "Storage",
+ "description": "Detailed information related to the location of storage of goods or other items."
+ },
+ {
+ "value": "place-of-event",
+ "expanded": "Place of Event",
+ "description": "Detailed information related to the location of an event."
+ }
+ ]
+ },
+ {
+ "predicate": "items-application-&-ict-services",
+ "entry": [
+ {
+ "value": "corporate-application",
+ "expanded": "Corporate Application",
+ "description": "Detailed information related to corporate applications, such as applications for enterprise resource planning, financial and asset management, HR management, business continuity, etc.."
+ },
+ {
+ "value": "common-line-of-business-application",
+ "expanded": "Common Line of Business Application",
+ "description": "Detailed information related to common LoB application, such as applications to manage product and services, marketing, customer and partner relationships, customer accounting, etc."
+ },
+ {
+ "value": "end-user-computing",
+ "expanded": "End User Computing",
+ "description": "Detailed information related to end user computing, such as applications to manage end user devices, end user tools, mobile applications, productivity suits, etc."
+ },
+ {
+ "value": "data-and-information-management",
+ "expanded": "Data and Information Management",
+ "description": "Detailed information related to data and information management ICT services, such as services for interoperability, data governance, quality management, data protection etc."
+ },
+ {
+ "value": "identity-and-accesd-management",
+ "expanded": "Identity and Access Management",
+ "description": "Detailed information related to identity and access management ICT services, such as services for identity governance, identity administration, authentication, authorisation, directory, etc."
+ },
+ {
+ "value": "security-service",
+ "expanded": "Security Service",
+ "description": "Detailed information related to security ICT services, such as encryption, network security; public key infrastructure, security controls, etc."
+ },
+ {
+ "value": "ict-components-services-and-tools",
+ "expanded": "ICT Components, Services and Tools",
+ "description": "Detailed information related to software and ICT services for operational management and maintenance of applications, ICT components and services."
+ },
+ {
+ "value": "interface-and-integration",
+ "expanded": "Interface and Integration",
+ "description": "Detailed information related to software and ICT services that support how agencies will interface and integrate both internally and externally."
+ }
+ ]
+ },
+ {
+ "predicate": "items-ict-infrastructure",
+ "entry": [
+ {
+ "value": "platform",
+ "expanded": "Platform",
+ "description": "Detailed information related to platforms, such as hardware, platform operating systems, and virtualisation."
+ },
+ {
+ "value": "network",
+ "expanded": "Network",
+ "description": "Detailed information related to networks, such as network types, traffic types, network infrastructure, transmission types, and network protocol layering."
+ },
+ {
+ "value": "facility",
+ "expanded": "Facility",
+ "description": "Detailed information related to facilities, such as facility types, operational controls, facility physical security, and facility infrastructure."
+ },
+ {
+ "value": "end-user-equipment",
+ "expanded": "End User Equipment",
+ "description": "Detailed information related to end user equipment, such as desktop equipment, mobility equipment, user peripherals, embedded technology devices, and equipment operating systems."
+ }
+ ]
+ },
+ {
+ "predicate": "items-natural",
+ "entry": [
+ {
+ "value": "air",
+ "expanded": "Air",
+ "description": "Detailed information related to air, such as condition, pollution, health."
+ },
+ {
+ "value": "fauna",
+ "expanded": "Fauna",
+ "description": "Detailed information related to fauna."
+ },
+ {
+ "value": "flora",
+ "expanded": "Flora",
+ "description": "Detailed information related to flora."
+ },
+ {
+ "value": "land",
+ "expanded": "Land",
+ "description": "Detailed information related to land or earth, such as percentage of rocks, soil, mud, pollution, usage, etc."
+ },
+ {
+ "value": "minerals",
+ "expanded": "Minerals",
+ "description": "Detailed information related to minerals."
+ },
+ {
+ "value": "water",
+ "expanded": "Water",
+ "description": "Detailed information related to water, such as ground water, river water, sea water."
+ },
+ {
+ "value": "energy",
+ "expanded": "Energy",
+ "description": "Detailed information related to energy."
+ }
+ ]
+ },
+ {
+ "predicate": "items-financial",
+ "entry": [
+ {
+ "value": "allowance",
+ "expanded": "Allowance",
+ "description": "Detailed information related to allowances."
+ },
+ {
+ "value": "award",
+ "expanded": "Award",
+ "description": "Detailed information related to awards."
+ },
+ {
+ "value": "benefit",
+ "expanded": "Benefit",
+ "description": "Detailed information related to benefits."
+ },
+ {
+ "value": "bonus",
+ "expanded": "Bonus",
+ "description": "Detailed information related to bonuses."
+ },
+ {
+ "value": "compensation",
+ "expanded": "Compensation",
+ "description": "Detail information related to compensations."
+ },
+ {
+ "value": "concession",
+ "expanded": "Concession",
+ "description": "Detailed information related to concessions."
+ },
+ {
+ "value": "grant",
+ "expanded": "Grant",
+ "description": "Detailed information related to grants."
+ },
+ {
+ "value": "pension",
+ "expanded": "Pension",
+ "description": "Detailed information related to pensions."
+ },
+ {
+ "value": "subsidy",
+ "expanded": "Subsidy",
+ "description": "Detailed information related to subsidies."
+ },
+ {
+ "value": "wage",
+ "expanded": "Wage",
+ "description": "Detailed information related to wages."
+ },
+ {
+ "value": "bond",
+ "expanded": "Bond",
+ "description": "Detailed information related to bonds."
+ },
+ {
+ "value": "duty",
+ "expanded": "Duty",
+ "description": "Detailed information related to income from duties."
+ },
+ {
+ "value": "excise",
+ "expanded": "Excise",
+ "description": "Detailed information related to income from internal tax or duty on certain commodities, as liquor or tobacco, levied on their manufacture, sale, or consumption within the country."
+ },
+ {
+ "value": "insurance",
+ "expanded": "Insurance",
+ "description": "Detailed information related to insurance."
+ },
+ {
+ "value": "loan",
+ "expanded": "Loan",
+ "description": "Detailed information related to revenue from loans."
+ },
+ {
+ "value": "tax",
+ "expanded": "Tax",
+ "description": "Detailed information related to revenue from taxes."
+ }
+ ]
+ },
+ {
+ "predicate": "items-goods",
+ "entry": [
+ {
+ "value": "chemical",
+ "expanded": "Chemical",
+ "description": "Detailed information relating to chemicals used in industry, science and photography, as well as in agriculture, horticulture and forestry, unprocessed artificial resins, unprocessed plastics, manures, fire extinguishing compositions, tempering and soldering preparations, chemical substances for preserving foodstuffs, tanning substances, adhesives used in industry."
+ },
+ {
+ "value": "paint",
+ "expanded": "Paint",
+ "description": "Detailed information relating to paints, varnishes, lacquers, preservatives against rust and against deterioration of wood, colorants, mordant, raw natural resins, metals in foil and powder form for painters, decorators, printers and artists."
+ },
+ {
+ "value": "bleach",
+ "expanded": "Bleach",
+ "description": "Detailed information relating to bleaching preparations and other substances for laundry use, cleaning, polishing, scouring and abrasive preparations, soaps, perfumery, essential oils, cosmetics, hair lotions, dentifrices."
+ },
+ {
+ "value": "industrial-oil",
+ "expanded": "Industrial Oil",
+ "description": "Detailed information relating to industrial oils and greases, lubricants, dust absorbing, wetting and binding compositions, fuels (including motor spirit) and illuminants, candles and wicks for lighting."
+ },
+ {
+ "value": "pharmaceutical-preparation",
+ "expanded": "Pharmaceutical Preparation",
+ "description": "Detailed information relating to pharmaceutical and veterinary preparations, sanitary preparations for medical purposes, dietetic substances adapted for medical use, food for babies, plasters, materials for dressings, material for stopping teeth, dental wax, disinfectants, preparations for destroying vermin, fungicides, herbicides."
+ },
+ {
+ "value": "common-metal",
+ "expanded": "Common Metal",
+ "description": "Detailed information relating to common metals and their alloys, metal building materials, transportable buildings of metal, materials of metal for railway tracks, non-electric cables and wires of common metal, ironmongery, small items of metal hardware, pipes and tubes of metal, safes, goods of common metal not included in other classes, ores."
+ },
+ {
+ "value": "machine",
+ "expanded": "Machine",
+ "description": "Detailed information relating to machines and machine tools, motors and engines (except for land vehicles), machine coupling and transmission components (except for land vehicles), agricultural implements other than hand-operated, incubators for eggs."
+ },
+ {
+ "value": "hand-tool",
+ "expanded": "Hand Tool",
+ "description": "Detailed information relating to hand tools and implements (hand-operated), cutlery, side arms, razors."
+ },
+ {
+ "value": "scientific-apparatus-and-instrument",
+ "expanded": "Scientific Apparatus and Instrument",
+ "description": "Detailed information relating to scientific, nautical, surveying, photographic, cinematographic, optical, weighing, measuring, signalling, checking (supervision), life-saving and teaching apparatus and instruments, apparatus and instruments for conducting, switching, transforming, accumulating, regulating or controlling electricity, apparatus for recording, transmission or reproduction of sound or images, magnetic data carriers, recording discs, automatic vending machines and mechanisms for coin-operated apparatus, cash registers, calculating machines, data processing equipment and computers, fire-extinguishing apparatus."
+ },
+ {
+ "value": "medical-apparatus-and-instrument",
+ "expanded": "Medical Apparatus and Instrument",
+ "description": "Detailed information relating to surgical, medical, dental and veterinary apparatus and instruments, artificial limbs, eyes and teeth, orthopaedic articles, suture materials."
+ },
+ {
+ "value": "electrical-apparatus",
+ "expanded": "Electrical Apparatus",
+ "description": "Detailed information relating to apparatus for lighting, heating, steam generating, cooking, refrigerating, drying, ventilating, water supply and sanitary purposes."
+ },
+ {
+ "value": "vehicle",
+ "expanded": "Vehicle",
+ "description": "Detailed information relating to vehicles, apparatus for locomotion by land, air or water."
+ },
+ {
+ "value": "firearm",
+ "expanded": "Firearm",
+ "description": "Detailed information relating to firearms, ammunition and projectiles, explosives, fireworks"
+ },
+ {
+ "value": "precious-metal",
+ "expanded": "Precious Metal",
+ "description": "Detailed information relating to precious metals and their alloys and goods in precious metals or coated therewith, not included in other classes, jewellery, precious stones, horologic and chronometrical instruments."
+ },
+ {
+ "value": "musical-instrument",
+ "expanded": "Musical Instrument",
+ "description": "Detailed information relating to musical instruments."
+ },
+ {
+ "value": "paper",
+ "expanded": "Paper",
+ "description": "Detailed information relating to paper, cardboard and goods made from these materials, not included in other classes, printed matter, bookbinding material, photographs, stationery, adhesives for stationery or household purposes, artists' materials, paint brushes, typewriters and office requisites (except furniture), instructional and teaching material (except apparatus), plastic materials for packaging (not included in other classes), printers' type, printing blocks."
+ },
+ {
+ "value": "rubber-good",
+ "expanded": "Rubber Good",
+ "description": "Detailed information relating to rubber, gutta-percha, gum, asbestos, mica and goods made from these materials and not included in other classes, plastics in extruded form for use in manufacture, packing, stopping and insulating materials, flexible pipes, not of metal."
+ },
+ {
+ "value": "leather",
+ "expanded": "Leather",
+ "description": "Detailed information relating to leather and imitations of leather, and goods made of these materials and not included in other classes, animal skins, hides, trunks and traveling bags, umbrellas, parasols and walking sticks, whips, harness and saddlery."
+ },
+ {
+ "value": "building-material",
+ "expanded": "Building Material",
+ "description": "Detailed information relating to Building materials (non-metallic), non-metallic rigid pipes for building, asphalt, pitch and bitumen, non-metallic transportable buildings, monuments, not of metal."
+ },
+ {
+ "value": "furniture",
+ "expanded": "Furniture",
+ "description": "Detailed information relating to furniture, mirrors, picture frames, goods (not included in other categories) of wood, cork, reed, cane, wicker, horn, bone, ivory, whalebone, shell, amber, mother-of-pearl, meerschaum and substitutes for all these materials, or of plastics."
+ },
+ {
+ "value": "household-utensil",
+ "expanded": "Household Utensil",
+ "description": "Detailed information relating to Household or kitchen utensils and containers (not of precious metal or coated therewith), combs and sponges, brushes (except paint brushes), brush-making materials, articles for cleaning purposes, steel wool, unworked or semi-worked glass (except glass used in building), glassware, porcelain and earthenware not included in other classes."
+ },
+ {
+ "value": "rope",
+ "expanded": "Rope",
+ "description": "Detailed information relating to ropes, string, nets, tents, awnings, tarpaulins, sails, sacks and bags (not included in other classes), padding and stuffing materials (except of rubber or plastics), raw fibrous textile materials."
+ },
+ {
+ "value": "yarn",
+ "expanded": "Yarn",
+ "description": "Detailed information relating to yarns and threads, for textile use."
+ },
+ {
+ "value": "textile",
+ "expanded": "Textile",
+ "description": "Detailed information relating to textiles and textile goods not included in other categories, like bed and table covers."
+ },
+ {
+ "value": "clothing",
+ "expanded": "Clothing",
+ "description": "Detailed information relating to clothing, footwear, headgear."
+ },
+ {
+ "value": "lace",
+ "expanded": "Lace",
+ "description": "Detailed information relating to lace and embroidery, ribbons and braid, buttons, hooks and eyes, pins and needles, artificial flowers."
+ },
+ {
+ "value": "carpet",
+ "expanded": "Carpet",
+ "description": "Detailed information relating to carpets, rugs, mats and matting, linoleum and other materials for covering existing floors wall hangings (non-textile)."
+ },
+ {
+ "value": "toy",
+ "expanded": "Toy",
+ "description": "Detailed information relating to games and toys, gymnastic and sporting articles not included in other classes, decorations."
+ },
+ {
+ "value": "food",
+ "expanded": "Food",
+ "description": "Detailed information relating to food, such as meat, fish, poultry and game, meat extracts, preserved, dried and cooked fruits and vegetables, jellies, jams, compotes, eggs, milk and milk products, edible oils and fats."
+ },
+ {
+ "value": "liquid-food",
+ "expanded": "Liquid Food",
+ "description": "Detailed information relating to coffee, tea, cocoa, sugar, rice, tapioca, sago, artificial coffee, flour and preparations made from cereals, bread, pastry and confectionery, ices, honey, treacle, yeast, baking-powder, salt, mustard, vinegar, sauces (condiments), spices, ice."
+ },
+ {
+ "value": "agricultural-product",
+ "expanded": "Agricultural Product",
+ "description": "Detailed information relating to agricultural, horticultural and forestry products and grains not included in other classes, live animals, fresh fruits and vegetables, seeds, natural plants and flowers, foodstuffs for animals, malt."
+ },
+ {
+ "value": "beverages",
+ "expanded": "Beverages",
+ "description": "Detailed information relating to beers, mineral and aerated waters and other non-alcoholic drinks, fruit drinks and fruit juices, syrups and other preparations for making beverages."
+ },
+ {
+ "value": "alcoholic-beverage",
+ "expanded": "Alcoholic Beverage",
+ "description": "Detailed information relating to Alcoholic beverages (except beers)."
+ },
+ {
+ "value": "tobacco",
+ "expanded": "Tobacco",
+ "description": "Detailed information relating to tobacco, smokers' articles, matches."
+ }
+ ]
+ },
+ {
+ "predicate": "items-regulatory",
+ "entry": [
+ {
+ "value": "certificate",
+ "expanded": "Certificate",
+ "description": "Detailed information related to certificates."
+ },
+ {
+ "value": "license",
+ "expanded": "License",
+ "description": "Detailed information related to licenses."
+ },
+ {
+ "value": "permit",
+ "expanded": "Permit",
+ "description": "Detailed information related to permits."
+ },
+ {
+ "value": "registration",
+ "expanded": "Registration",
+ "description": "Detailed information related to registrations."
+ },
+ {
+ "value": "declaration",
+ "expanded": "Declaration",
+ "description": "Detailed information related to declarations."
+ }
+ ]
+ },
+ {
+ "predicate": "items-urban-infrastructure",
+ "entry": [
+ {
+ "value": "water-supply-system",
+ "expanded": "Water Supply System",
+ "description": "Detailed information related to a water supply system. A water supply system or water supply network is a system of engineered hydrologic and hydraulic components which provide water supply."
+ },
+ {
+ "value": "electric-power-system",
+ "expanded": "Electric Power System",
+ "description": "Detailed information related to an electric power supply system. An electric power system is a network of electrical components used to supply, transmit and use electric power."
+ },
+ {
+ "value": "transport-network",
+ "expanded": "Transport Network",
+ "description": "Detailed information related to transport networks."
+ },
+ {
+ "value": "sanitation-system",
+ "expanded": "Sanitation System",
+ "description": "Detailed information related to sanitation systems to provide a hygienic means of promoting health through prevention of human contact with the hazards of wastes as well as the treatment and proper disposal of sewage or wastewater."
+ },
+ {
+ "value": "communication-system",
+ "expanded": "Communication System",
+ "description": "Detailed information related to a communication system."
+ }
+ ]
+ },
+ {
+ "predicate": "items-item-usage",
+ "entry": [
+ {
+ "value": "product",
+ "expanded": "Product",
+ "description": "Information about tangible outputs of processes which an organisation can offer to other parties."
+ },
+ {
+ "value": "resource",
+ "expanded": "Resource",
+ "description": "Resources are not kept or assigned to parties except to accomplish an activity within the organisation, typically during an interaction or the supply of products or delivery of services."
+ }
+ ]
+ }
+ ]
+}
diff --git a/gea-nz-motivators/machinetag.json b/gea-nz-motivators/machinetag.json
new file mode 100644
index 0000000..7a4cadb
--- /dev/null
+++ b/gea-nz-motivators/machinetag.json
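Review bot: Four machine-tag `value` identifiers in this new taxonomy are misspelled — `nz-standard-addresss` and `location-addresss` (triple s) and `ovearseas-address` under `places-address-type`, and `identity-and-accesd-management` under `items-application-&-ict-services` — and since the `value` string is the part that ends up in the stored tag, correcting them after version 1 is in use becomes a breaking rename rather than a typo fix; change them before merge to `"value": "nz-standard-address",`, `"value": "location-address",`, `"value": "overseas-address",` and `"value": "identity-and-access-management",`. The predicate `items-application-&-ict-services` also embeds a literal `&`, which is unlike every other hyphen-only identifier in the file and will need escaping wherever the tag is placed in a URL or query string; `items-application-and-ict-services`, updated in both the `predicates` entry and the matching `"predicate":` key under `values`, would be safer. Smaller text issues in the same hunk: `"expanded": "Items natural"` breaks the title case used by every other predicate, "productivity suits" should read "productivity suites", "etc.." under `corporate-application` has a doubled period, and the `firearm` description is the only one without a terminating period.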
@@ -0,0 +1,660 @@
+{
+ "namespace": "gea-nz-motivators",
+ "description": "Information relating to authority or governance.",
+ "refs": [
+ "https://www.dragon1.com/downloads/government-enterprise-architecture-for-new-zealand-v3.1.pdf"
+ ],
+ "version": 1,
+ "predicates": [
+ {
+ "value": "plans-budget",
+ "expanded": "Plans Budget",
+ "description": "Information relating to budget direction or processes."
+ },
+ {
+ "value": "plans-strategy",
+ "expanded": "Plans Strategy",
+ "description": "Detailed information relating to strategic management."
+ },
+ {
+ "value": "plans-effort",
+ "expanded": "Plans Effort",
+ "description": "Information relating to the required effort to achieve or fulfil a work related activity."
+ },
+ {
+ "value": "plans-measure",
+ "expanded": "Plans Measure",
+ "description": "Information which tracks the effectiveness in relation to activities managed by the organisation (inputs/outputs) or employee performance."
+ },
+ {
+ "value": "plans-risk",
+ "expanded": "Plans Risk",
+ "description": "Information about person(s) or thing(s) which relate to risk management within organisation."
+ },
+ {
+ "value": "plans-specification",
+ "expanded": "Plans Specification",
+ "description": "Information dealing with properties and constraints."
+ },
+ {
+ "value": "controls-operational",
+ "expanded": "Controls Operational",
+ "description": "Information about controls that provide the foundation for administration of an organisation."
+ },
+ {
+ "value": "controls-finance",
+ "expanded": "Controls Finance",
+ "description": "Information about the financial structures that provide management and control over the economic resources of the organisation."
+ },
+ {
+ "value": "controls-industry",
+ "expanded": "Controls Industry",
+ "description": "Information about industry practice issued by an industry specific regulation or professional body."
+ }, + { + "value": "controls-technological", + "expanded": "Controls Technological", + "description": "Information about technical constraints." + }, + { + "value": "controls-law", + "expanded": "Controls Law", + "description": "Information about controls in the form of legislation (statues, regulations, etc.)." + }, + { + "value": "controls-personal", + "expanded": "Controls Personal", + "description": "Information about the constraints an individual places on interactions with the government, or agency." + }, + { + "value": "controls-security", + "expanded": "Controls Security", + "description": "Information about the constraints security places on interactions within and across the government, agencies and 3th parties." + }, + { + "value": "controls-risk-governance", + "expanded": "Controls Risk Governance" + }, + { + "value": "contracts-arrangement", + "expanded": "Contracts Arrangement", + "description": "Information relating to contracts, agreements or other arrangements with other agencies, governments, public or private organizations." + }, + { + "value": "contracts-rights", + "expanded": "Contracts Rights", + "description": "Information relating to moral or legal entitlement to have or do something." + }, + { + "value": "contracts-obligation", + "expanded": "Contracts Obligation", + "description": "Information which is held by an organisation which relates to its obligations." + }, + { + "value": "contracts-jurisdiction", + "expanded": "Contracts Jurisdicrion", + "description": "nformation about political and geographical areas in which an organisation operates." + } + ], + "values": [ + { + "predicate": "plans-budget", + "entry": [ + { + "value": "capital", + "expanded": "Capital", + "description": "Detailed information relating to capital budget planning." + }, + { + "value": "operating", + "expanded": "Operating", + "description": "Detailed information relating to operational budget planning." 
+ } + ] + }, + { + "predicate": "plans-strategy", + "entry": [ + { + "value": "strategic-directive", + "expanded": "Strategic Directive", + "description": "Detailed information relating to planning of strategic or organisational directives." + }, + { + "value": "strategic-goal", + "expanded": "Strategic Goal", + "description": "Detailed information relating to strategic and organisational goals, such as key learning, key results, targets, and others." + }, + { + "value": "strategic-objective", + "expanded": "Strategic Objective", + "description": "Detailed information relating to strategic and organisational objectives, such as KPIs." + }, + { + "value": "strategic-outcome", + "expanded": "Strategic Outcome", + "description": "Detailed information relating to strategic business outcomes." + }, + { + "value": "road-map", + "expanded": "Road Map", + "description": "Detailed information relating to strategic business road maps." + }, + { + "value": "challenge", + "expanded": "Challenge", + "description": "Detailed information relating to strategic and organisational challenges." + }, + { + "value": "opportunity", + "expanded": "Opportunity", + "description": "Detailed information relating to strategic and organisational opportunities." + } + ] + }, + { + "predicate": "plans-effort", + "entry": [ + { + "value": "activity", + "expanded": "Activity", + "description": "Detailed information relating to planning of activities." + }, + { + "value": "campaign", + "expanded": "Campaign", + "description": "Detailed information relating to planned campaigns." + }, + { + "value": "care", + "expanded": "Care", + "description": "Detailed information relating to planning of activities for an individual to achieve an outcome (PDP)." + }, + { + "value": "programme", + "expanded": "Programme", + "description": "Detailed information relating to programmes plans." + }, + { + "value": "project", + "expanded": "Project", + "description": "Detailed information relating to project plans." 
+ }, + { + "value": "roster", + "expanded": "Roster", + "description": "Detailed information relating to rosters." + }, + { + "value": "schedule", + "expanded": "Schedule", + "description": "Detailed information relating to schedules." + }, + { + "value": "task", + "expanded": "Task", + "description": "Detailed information relating to planning of tasks." + } + ] + }, + { + "predicate": "plans-measure", + "entry": [ + { + "value": "input", + "expanded": "Input", + "description": "Detailed information relating to input measurements." + }, + { + "value": "output", + "expanded": "Output", + "description": "Detailed information relating to output measurements." + }, + { + "value": "performance", + "expanded": "Performance", + "description": "Detailed information regarding the performance of an individual, group, organization, system or component." + }, + { + "value": "benefit", + "expanded": "Benefit", + "description": "Detailed information regarding the benefits of individual, group, organization, system or component." + } + ] + }, + { + "predicate": "plans-risk", + "entry": [ + { + "value": "consequence", + "expanded": "Consequence", + "description": "Detailed information relating to consequences of a risk." + }, + { + "value": "hazard", + "expanded": "Hazard", + "description": "Detailed information relating to risk hazards." + }, + { + "value": "likelihood", + "expanded": "Likelihood", + "description": "Detailed information relating to likelihood of a risk." + }, + { + "value": "mitigation", + "expanded": "Mitigation", + "description": "Detailed information relating to risk mitigation." + }, + { + "value": "influence", + "expanded": "Influence", + "description": "Detailed information relating to influences that can impact the organisation's operations, strategic goals, outcomes, etc." 
+ }, + { + "value": "disruption", + "expanded": "Disruption", + "description": "Detailed information relating to disruptions that can impact the organisation's operations, objectives, goals, outcomes, etc." + } + ] + }, + { + "predicate": "plans-specification", + "entry": [ + { + "value": "functional-requirement", + "expanded": "Functional Requirement", + "description": "Detailed information relating to functional requirements." + }, + { + "value": "non-functional-requirement", + "expanded": "Non-Functional Requirement", + "description": "Detailed information relating to non-functional requirements." + }, + { + "value": "design", + "expanded": "Design", + "description": "Detailed information relating to solution designs." + } + ] + }, + { + "predicate": "controls-operational", + "entry": [ + { + "value": "convention", + "expanded": "Convention", + "description": "Detailed information relating to conventions, which are general agreements about basic principles or procedures." + }, + { + "value": "guideline", + "expanded": "Guideline", + "description": "Detailed information relating to guidelines, which are principles put forward to set standards or determine a course of action. For example guidelines on tax reform." + }, + { + "value": "policy", + "expanded": "Policy", + "description": "Detailed information relating to policies. A policy is a plan or course of action intended to influence and determine decisions, actions, and other matters." + }, + { + "value": "principle", + "expanded": "Principle", + "description": "Detailed information relating to principles, which are accepted rules or actions on conduct." + }, + { + "value": "standard", + "expanded": "Standard", + "description": "Detailed information relating to standards, which are accepted or approved examples of something against which people, processes, items are measured." + }, + { + "value": "procedure", + "expanded": "Procedure", + "description": "Detailed information relating to procedures. 
A procedure is a series of steps taken to accomplish an end." + }, + { + "value": "process", + "expanded": "Process", + "description": "Detailed information relating to processes. A process is a series of operations performed in the making or treatment of a product." + }, + { + "value": "capability", + "expanded": "Capability", + "description": "Detailed information relating to capabilities; capacity to be used, treated, or developed for a specific purpose." + }, + { + "value": "rule", + "expanded": "Rule", + "description": "Detailed information relating to rules." + }, + { + "value": "exception", + "expanded": "Exception", + "description": "Detailed information around anything excluded from or not in conformance with a general rules, principles, regulations, etc." + }, + { + "value": "scope-of-use", + "expanded": "Scope of Use", + "description": "Detailed information around the scope of use of assets." + } + ] + }, + { + "predicate": "controls-finance", + "entry": [ + { + "value": "financial-asset", + "expanded": "Financial Asset", + "description": "Detailed information relating to the financial control of assets." + }, + { + "value": "equity", + "expanded": "Equity", + "description": "Detailed information relating to the financial control of equities, monetary value of a property or business beyond any amounts owed on it in mortgages, claims, liens, etc." + }, + { + "value": "expense", + "expanded": "Expense", + "description": "Detailed information relating to the financial control of expenses. An expense is a cost of something, such as time or labour, necessary for the attainment of a goal." + }, + { + "value": "fee", + "expanded": "Fee", + "description": "Detailed information relating to the financial control of fees; a fixed sum charged, as by an institution or by law, for a privilege: a license fee; tuition fees. Also a charge for professional services: a surgeon's fee." 
+ }, + { + "value": "income", + "expanded": "Income", + "description": "Detailed information relating to the financial control of income." + }, + { + "value": "financial-liability", + "expanded": "Financial Liability", + "description": "Detailed information relating to financial obligations entered in the balance sheet of the organisation." + }, + { + "value": "acquisition-method", + "expanded": "Acquisition Method", + "description": "Detailed information relating to acquisition methods. An acquisition method defines the method by which assets are acquired." + } + ] + }, + { + "predicate": "controls-industry", + "entry": [ + { + "value": "best-practice", + "expanded": "Best Practice", + "description": "Detailed information relating to endorsed or recommended industry practices." + }, + { + "value": "regulation", + "expanded": "Regulation", + "description": "Detailed information relating to endorsed or recommended industry specific regulations, rules of behaviour and procedure." + }, + { + "value": "terminology", + "expanded": "Terminology", + "description": "Detailed information of defined sets of concepts and related terms, including definitions and usage guidelines, and the industry-specific business context within which they are to be used." + } + ] + }, + { + "predicate": "controls-technological", + "entry": [ + { + "value": "enforced-rules", + "expanded": "Enforced Rules", + "description": "Detailed information relating to enforced rules around chosen or legacy systems, i.e. Windows policies." + }, + { + "value": "constraints", + "expanded": "Constraints", + "description": "Detailed information relating to technical constraints imposed by a chosen or legacy technology." + } + ] + }, + { + "predicate": "controls-law", + "entry": [ + { + "value": "common-law", + "expanded": "Common Law", + "description": "Detailed information relating to common laws A common law is established by court decisions rather than by statutes enacted by legislatures." 
+ }, + { + "value": "legislative-instrument", + "expanded": "Legislative Instrument", + "description": "Detailed information relating to legislation, which are laws enacted by a legislative body." + }, + { + "value": "act", + "expanded": "Act", + "description": "Detailed information relating to Acts." + }, + { + "value": "cabinet-minute", + "expanded": "Cabinet Minute", + "description": "Detailed information relating to Cabinet minutes." + } + ] + }, + { + "predicate": "controls-personal", + "entry": [ + { + "value": "personal-directive", + "expanded": "Personal Directive", + "description": "Detailed information relating to directives of an individual, such as release of personal information, advance care directive." + } + ] + }, + { + "predicate": "contracts-arrangement", + "entry": [ + { + "value": "memorandum-of-understanding", + "expanded": "Memorandum of Understanding", + "description": "Detailed information relating to terms of agreement, not the legal instrument." + }, + { + "value": "offer", + "expanded": "Offer", + "description": "Detailed information relating to offers, such as proposals, quotes, and others." + }, + { + "value": "order", + "expanded": "Order", + "description": "Detailed information relating to orders, official request to be made, supplied, or served." + }, + { + "value": "agreement", + "expanded": "Agreement", + "description": "Detailed information relating to Service level Agreements (SLA), Master Service Agreements (MSA), Statement of Work (SoW), Purchase Agreement (PA), etc." + }, + { + "value": "request", + "expanded": "Request", + "description": "Detailed information relating to requests, such as request for information, request for assistance, etc." 
+ }, + { + "value": "confidentiality", + "expanded": "Confidentiality", + "description": "Detailed information relating to confidentiality, such as commercial-in-confidence (CIC), non-disclosure, privacy, and other" + }, + { + "value": "employment", + "expanded": "Employment", + "description": "Detailed information relating to employment contracts." + }, + { + "value": "service", + "expanded": "Service", + "description": "Detailed information relating to service contracts." + }, + { + "value": "supply", + "expanded": "Supply", + "description": "Detailed information relating to supply contracts." + } + ] + }, + { + "predicate": "contracts-rights", + "entry": [ + { + "value": "eligibility", + "expanded": "Eligibility", + "description": "Detailed information related to eligibilities (fit or proper to be chosen; worthy of choice; desirable)." + }, + { + "value": "credits", + "expanded": "Credits", + "description": "Detailed information relating to credit rights like account receivable, e. i. a legally enforceable claim for payment held by a business against its customer/clients for goods supplied and/or services rendered in execution of the customer's order." + }, + { + "value": "access-right", + "expanded": "Access Right", + "description": "Detailed information related to access rights to facilities, services, processes, information, etc." + }, + { + "value": "authorisation", + "expanded": "Authorisation", + "description": "Detailed information related to authorisation, e. i. right to give orders or make decisions." + }, + { + "value": "human-right", + "expanded": "Human Right", + "description": "Detailed information related to human rights." + }, + { + "value": "employment-right", + "expanded": "Employment Right", + "description": "Detailed information related to employment rights. New Zealand has a comprehensive set of employment laws that help keep workplaces fair." 
+ }, + { + "value": "property-right", + "expanded": "Property Right", + "description": "Detailed information related to property rights." + }, + { + "value": "consumer-right", + "expanded": "Consumer Right", + "description": "Detailed information related to consumer rights." + } + ] + }, + { + "predicate": "contracts-obligation", + "entry": [ + { + "value": "duty-of-care", + "expanded": "Duty of Care", + "description": "Detailed information relating to the obligations of duty of care." + }, + { + "value": "fitness-for-purpose", + "expanded": "Fitness for Purpose", + "description": "Detailed information relating to something that is good enough to do the job it was designed to do." + }, + { + "value": "warranty", + "expanded": "Warranty", + "description": "Detailed information relating to warranties." + }, + { + "value": "privacy", + "expanded": "Privacy", + "description": "Detailed information relating to privacy obligations." + }, + { + "value": "truthfulness", + "expanded": "Truthfulness", + "description": "Detailed information relating to the obligation to be truthful." + }, + { + "value": "enforce-the-law", + "expanded": "Enforce the Law", + "description": "Detailed information relating to the obligation to enforce laws and regulations." + }, + { + "value": "obey-the-law", + "expanded": "Obey the Law", + "description": "Detailed information relating to the obligation to obey laws and regulations." + }, + { + "value": "account-payable", + "expanded": "Account Payable", + "description": "Detailed information related to account payables or billable, i.e. money which an agency owes to vendors for products and services purchased on credit." + }, + { + "value": "enforce-rules", + "expanded": "Enforce Rules", + "description": "Detailed information relating to the obligation to enforce rules, like organisational rules, educational rules, industrial rules, etc." 
+ },
+ {
+ "value": "obey-rules",
+ "expanded": "Obey Rules",
+ "description": "Detailed information relating to the obligation to obey rules, like organisational rules, educational rules, industrial rules, etc."
+ }
+ ]
+ },
+ {
+ "predicate": "contracts-jurisdiction",
+ "entry": [
+ {
+ "value": "national",
+ "expanded": "National",
+ "description": "Detailed information relating to national jurisdictions."
+ },
+ {
+ "value": "international",
+ "expanded": "International",
+ "description": "Detailed information relating to international jurisdictions."
+ },
+ {
+ "value": "local",
+ "expanded": "Local",
+ "description": "Detailed information relating to local jurisdictions."
+ },
+ {
+ "value": "political",
+ "expanded": "Political",
+ "description": "Detailed information relating to political jurisdictions."
+ },
+ {
+ "value": "regional",
+ "expanded": "Regional",
+ "description": "Detailed information relating to regional jurisdictions."
+ }
+ ]
+ },
+ {
+ "predicate": "controls-risk-governance",
+ "entry": [
+ {
+ "value": "residual",
+ "expanded": "Residual"
+ },
+ {
+ "value": "acceptance",
+ "expanded": "Acceptance"
+ },
+ {
+ "value": "analysis",
+ "expanded": "Analysis"
+ },
+ {
+ "value": "assessement",
+ "expanded": "Assessement"
+ },
+ {
+ "value": "management",
+ "expanded": "Management"
+ },
+ {
+ "value": "treatment",
+ "expanded": "Treatment"
+ }
+ ]
+ }
+ ]
+}
diff --git a/ics/machinetag.json b/ics/machinetag.json
new file mode 100644
index 0000000..54d60b2
--- /dev/null
+++ b/ics/machinetag.json
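Review bot: The `controls-risk-governance` entry `"value": "assessement"` is misspelled, and because a MISP machine tag is built from `namespace:predicate="value"` the typo becomes part of the tag identifier that cannot be renamed cleanly once events have been tagged with it; fix it to `"value": "assessment", "expanded": "Assessment"` before this version ships. That same predicate is also the only one in the file without a `description`, and none of its six entries carries one, which leaves analysts guessing what "residual" or "treatment" is meant to tag. Smaller text defects in the new file: `"expanded": "Contracts Jurisdicrion"` should read `Jurisdiction`, the matching description is truncated to `"nformation about political...`, `3th parties` should be `third parties`, and `(statues, regulations, etc.)` under `controls-law` should be `statutes`.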
@@ -0,0 +1,567 @@
+{
+ "predicates": [
+ {
+ "value": "ot-security-issues",
+ "expanded": "OT IR Security Issues"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Automobile / Vehicle / Aviation",
+ "value": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Automatic Meter Reading",
+ "value": "ot-network-data-transmission-protocols-automatic-meter-reading"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Industrial Control System",
+ "value": "ot-network-data-transmission-protocols-industrial-control-system"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Building Automation",
+ "value": "ot-network-data-transmission-protocols-building-automation"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Power System Automation",
+ "value": "ot-network-data-transmission-protocols-power-system-automation"
+ },
+ {
+ "expanded": "OT Network/Data Transmission Protocols in Process Automation",
+ "value": "ot-network-data-transmission-protocols-process-automation"
+ },
+ {
+ "expanded": "OT IR Communication Interface",
+ "value": "ot-communication-interface"
+ },
+ {
+ "expanded": "OT Operating Systems",
+ "value": "ot-operating-systems"
+ },
+ {
+ "expanded": "OT Components Category",
+ "value": "ot-components-category"
+ }
+ ],
+ "values": [
+ {
+ "predicate": "ot-security-issues",
+ "entry": [
+ {
+ "value": "Message Authentication",
+ "expanded": "Message Authentication",
+ "description": "Auth in used protocols is attacked and falsification command can be sent"
+ },
+ {
+ "value": "Message Integrity Checking",
+ "expanded": "Message Integrity Checking",
+ "description": "Message poart of the sent protocol is maliciously tampered"
+ },
+ {
+ "value": "Message Encryption",
+ "expanded": "Message Encryption",
+ "description": "Self explanatory, i.e. 
Weak encryption is attacked" + }, + { + "value": "Command Injection", + "expanded": "Command Injection", + "description": "Either Remote Command Injection or Local. On local can be timer triggered under tampered firmware" + }, + { + "value": "Replay Attack", + "expanded": "Replay Attack", + "description": "Self explanatory" + }, + { + "value": "Man in the middle (MITM) Attack", + "expanded": "Man in the middle (MITM) Attack", + "description": "Self explanatory" + }, + { + "value": "Undocumented instructions", + "expanded": "Undocumented instructions", + "description": "Vendor's left several instruction used for development or trouble shooting that is finally leaked and used to performed malicious activities on the devices." + }, + { + "value": "Vendor proprietary protocols", + "expanded": "Vendor proprietary protocols", + "description": "Internal vendor protocols used for development or trouble shooting, that is being maliciously for an attack." + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-automatic-automobile-vehicle-aviation", + "entry": [ + { + "value": "ARINC 429", + "expanded": "ARINC 429" + }, + { + "value": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)", + "expanded": "CAN bus (ARINC 825 SAE J1939 NMEA 2000 FMS)" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "FlexRay", + "expanded": "FlexRay" + }, + { + "value": "IEBus", + "expanded": "IEBus" + }, + { + "value": "J1587", + "expanded": "J1587" + }, + { + "value": "J1708", + "expanded": "J1708" + }, + { + "value": "Keyword Protocol 2000", + "expanded": "Keyword Protocol 2000" + }, + { + "value": "Unified Diagnostic Services", + "expanded": "Unified Diagnostic Services" + }, + { + "value": "LIN", + "expanded": "LIN" + }, + { + "value": "MOST", + "expanded": "MOST" + }, + { + "value": "VAN", + "expanded": "VAN" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-automatic-meter-reading", + 
"entry": [ + { + "value": "ANSI C12.18", + "expanded": "ANSI C12.18" + }, + { + "value": "IEC 61107", + "expanded": "IEC 61107" + }, + { + "value": "DLMS/IEC 62056", + "expanded": "DLMS/IEC 62056" + }, + { + "value": "M-Bus", + "expanded": "M-Bus" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "ZigBee", + "expanded": "ZigBee" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-industrial-control-system", + "entry": [ + { + "value": "MTConnect", + "expanded": "MTConnect" + }, + { + "value": "OPC", + "expanded": "OPC" + }, + { + "value": "DA", + "expanded": "DA" + }, + { + "value": "HDA", + "expanded": "HDA" + }, + { + "value": "UA", + "expanded": "UA" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-building-automation", + "entry": [ + { + "value": "1-Wire", + "expanded": "1-Wire" + }, + { + "value": "BACnet", + "expanded": "BACnet" + }, + { + "value": "C-Bus", + "expanded": "C-Bus" + }, + { + "value": "CEBus", + "expanded": "CEBus" + }, + { + "value": "DALI", + "expanded": "DALI" + }, + { + "value": "DSI", + "expanded": "DSI" + }, + { + "value": "DyNet", + "expanded": "DyNet" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "KNX", + "expanded": "KNX" + }, + { + "value": "LonTalk", + "expanded": "LonTalk" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "oBIX", + "expanded": "oBIX" + }, + { + "value": "VSCP", + "expanded": "VSCP" + }, + { + "value": "X10", + "expanded": "X10" + }, + { + "value": "xAP", + "expanded": "xAP" + }, + { + "value": "xPL", + "expanded": "xPL" + }, + { + "value": "ZigBee", + "expanded": "ZigBee" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-power-system-automation", + "entry": [ + { + "value": "IEC 60870", + "expanded": "IEC 60870" + }, + { + "value": "DNP3", + "expanded": "DNP3" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": 
"Factory Instrumentation Protocol" + }, + { + "value": "IEC 61850", + "expanded": "IEC 61850" + }, + { + "value": "IEC 62351", + "expanded": "IEC 62351" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "Profibus", + "expanded": "Profibus" + } + ] + }, + { + "predicate": "ot-network-data-transmission-protocols-process-automation", + "entry": [ + { + "value": "AS-i", + "expanded": "AS-i" + }, + { + "value": "BSAP", + "expanded": "BSAP" + }, + { + "value": "CC-Link Industrial Networks", + "expanded": "CC-Link Industrial Networks" + }, + { + "value": "CIP", + "expanded": "CIP" + }, + { + "value": "CAN bus", + "expanded": "CAN bus" + }, + { + "value": "ControlNet", + "expanded": "ControlNet" + }, + { + "value": "DF-1", + "expanded": "DF-1" + }, + { + "value": "DirectNET", + "expanded": "DirectNET" + }, + { + "value": "EtherCAT", + "expanded": "EtherCAT" + }, + { + "value": "Ethernet Global Data (EGD)", + "expanded": "Ethernet Global Data (EGD)" + }, + { + "value": "Ethernet Powerlink", + "expanded": "Ethernet Powerlink" + }, + { + "value": "EtherNet/IP", + "expanded": "EtherNet/IP" + }, + { + "value": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)", + "expanded": "Experimental Physics and Industrial Control System (EPICS) StreamDevice protocol (i.e RF:FREQ 499.655 MHZ)" + }, + { + "value": "Factory Instrumentation Protocol", + "expanded": "Factory Instrumentation Protocol" + }, + { + "value": "FINS", + "expanded": "FINS" + }, + { + "value": "FOUNDATION fieldbus (H1 HSE)", + "expanded": "FOUNDATION fieldbus (H1 HSE)" + }, + { + "value": "GE SRTP", + "expanded": "GE SRTP" + }, + { + "value": "HART Protocol", + "expanded": "HART Protocol" + }, + { + "value": "Honeywell SDS", + "expanded": "Honeywell SDS" + }, + { + "value": "HostLink", + "expanded": "HostLink" + }, + { + "value": "INTERBUS", + "expanded": "INTERBUS" + }, + { + "value": "IO-Link", + "expanded": "IO-Link" + }, + { + "value": 
"MECHATROLINK", + "expanded": "MECHATROLINK" + }, + { + "value": "MelsecNet", + "expanded": "MelsecNet" + }, + { + "value": "Modbus", + "expanded": "Modbus" + }, + { + "value": "Optomu", + "expanded": "Optomu" + }, + { + "value": "PieP", + "expanded": "PieP" + }, + { + "value": "Profibus", + "expanded": "Profibus" + }, + { + "value": "PROFINET IO", + "expanded": "PROFINET IO" + }, + { + "value": "RAPIEnet", + "expanded": "RAPIEnet" + }, + { + "value": "SERCOS interface", + "expanded": "SERCOS interface" + }, + { + "value": "SERCOS III", + "expanded": "SERCOS III" + }, + { + "value": "Sinec H1", + "expanded": "Sinec H1" + }, + { + "value": "SynqNet", + "expanded": "SynqNet" + }, + { + "value": "TTEthernet", + "expanded": "TTEthernet" + }, + { + "value": "TCP/IP", + "expanded": "TCP/IP" + } + ] + }, + { + "predicate": "ot-communication-interface", + "entry": [ + { + "value": "rs-232", + "expanded": "RS-232 (comm port)", + "description": "Serial communication with an implementation comprises 2 data lines, 6 control lines and one ground." + }, + { + "value": "rs-422, rs-423 or rs-485", + "expanded": "RS-422, RS-423 or RS-485", + "description": "RS-422 is compatible to RS-232, used in situations where long distances are required, it can drive up to 1200m at 100kbit/s, and up to 1Mbit/s over short distances. RS-422 uses a differential driver, uses a four-conductor cable, and up to ten receivers can be on a multi-dropped network or bus. RS-485 is like RS-422 but RS-422 allows just one driver with multiple receivers whereas RS-485 supports multiple drivers and receivers RS-485 also allows up to thirty two (32) multi-dropped receivers or transmitters on a multi-dropped network or bus. At 90 kbit/s, the maximum cable length is 1250 m, and at 10 Mbit/s it is 15 m. The devices are half-duplex (i.e. send or receive, but not both at the same time). For more nodes or long distances, you can use repeaters that regenerate the signals and begin a new RS-485 line. 
" + }, + { + "value": "ieee-488-gpib", + "expanded": "IEEE-488 (GPIB)", + "description": "Known as Hewlett-Packard HP-IB but was renamed as GPIB (General Purpose Interface Bus) by the IEEE-488 (1975). IEEE-488 interface comprises 8 data lines, 8 control lines and 8 ground lines. Up to 15 devices can be interconnected on one bus. Each device is assigned a unique primary address, ranging from 4-30, by setting the address switches on the device. Devices are linked in either a daisy-chain or star (or some combination) configuration with up to 20 m of shielded 24-conductor cable. A maximum separation of 4 m is specified between any two devices, and an average of 2m over the entire bus. The data transfer rate can be up to 1 Mbyte/s. Three types of devices can be connected to an IEEE-488 bus (Listeners, Talkers, and Controllers)" + }, + { + "value": "ieee-1394-firewire", + "expanded": "IEEE-1394 (FireWire)", + "description": "The IEEE-1394 defines a serial serial interface that can use the bus cable to power devices. Firewire transmits data in packets and incurs some overhead as a result. Firewire frames are 125 msec long which means that despite a 'headline' transfer speed of 400 Mbit/s Firewire can be substantially slower in responding to instruments' service requests. Firewire uses a peer-peer protocol, similar to IEEE-488. Using standard cable, the maximum length bus comprises 16 hops of 4.5m each. Each hop connects two devices, but each physical device can contain four logical nodes. A Firewire cable contains two twisted-pairs (signals and clock) and two untwisted conductors (power and ground)." + }, + { + "value": "usb-universal-serial-bus", + "expanded": "USB (Universal Serial Bus)", + "description": "USB is the bus topology, and host-target protocol, mean that giving existing PC-based instruments a USB port not as trivial as it could be, but instruments with USB ports are coming onto the ICS market increasing numbers. 
USB 1.1 has many features as serial data transmission, device powering, data sent in 1 ms packets. USB offers 1.5- and 12-Mbit/s speeds. Individual devices can use the bus for a maximum of 50% of the time. In practice, the maximum rate is not more than 0.6 Mbyte/s. USB 2.0 specification was released in 2000. In addition to increasing the signaling rate from 12 MHz to 480 MHz, the specification describes a more advanced feature set and uses bandwidth more efficiently than 'Classic' USB. Version 2 of USB seems likely to prevent IEEE 1394 becoming widely adopted in instrument systems." + }, + { + "value": "ethernet", + "expanded": "Ethernet", + "description": "Instruments with ethernet interfaces have the great advantage that they can be accessed and controlled from a desktop anywhere in the world. A web-enabled ICS device behaves can be operated with standard browser. Systems with comm based on these interface can make use of existing Ethernet networks and connecting an instrument directly into the internet makes sharing of data easy. Fast data transfer is possible. However, when connected to the public internet it is difficult to secure or maintain its security and a full evaluation of the risks involved for this interface usage is very essential." + }, + { + "value": "others", + "expanded": "Others", + "description": "Other communication interface not listed." + } + ] + }, + { + "predicate": "ot-operating-systems", + "entry": [ + { + "value": "rtos", + "expanded": "RTOS", + "description": "Please see the URL reference, there are a lot of it to be listed in here. These OS are also referred as Firmware. 
https://en.wikipedia.org/wiki/Comparison_of_real-time_operating_systems" + }, + { + "value": "linux-embedded-base-os", + "expanded": "Linux Embedded Base OS", + "description": "Yocto\\nBuildroot\\nOpenWRT\\nB & R Linux\\n Scientific Linux\\nRaspbian\\nAndroid" + }, + { + "value": "bsd", + "expanded": "BSD", + "description": "NetBSD (NetBSD Embedded Systems)\\nFreeBSD (Modified. i.e.: Orbis OS)" + }, + { + "value": "microsoft", + "expanded": "Microsoft", + "description": "Windows 10 IoT Enterprise\\n Windows Embedded 8.1 Industry Professional\\n Windows 7 Professional/Ultimate\\n Windows Embedded Standard 7\\n Windows Embedded Standard 2009\\n Windows CE 6.0\\n" + } + ] + }, + { + "predicate": "ot-components-category", + "entry": [ + { + "value": "programmable-logic-controller", + "expanded": "Programmable Logic Controller (PLC)", + "description": "1. Computing device with user-programmable memory to storing instructions to operate a physical process.\\n\\n 2.Various PLC types for different processses" + }, + { + "value": "remote-terminal-unit", + "expanded": "Remote Terminal Unit (RTU)", + "description": "1. Data aquisitionand control unit designedto support field sites and remote stations.\\n\\n2. Wired and wireless communication capabilities.\\n\\n3. No stored program logic." + }, + { + "value": "human-machine-interface", + "expanded": "Human-Machine Interface (HMI)", + "description": "1. Hardware/software that operators used to interact with control system.\\n\\n2. 
From physical control panels to a complete computer systems" + }, + { + "value": "sensors", + "expanded": "Sensors", + "description": "Pressure, Temperature, Flow, Voltage, Optical, Proximity" + }, + { + "value": "actuators", + "expanded": "Actuators", + "description": "Variable Frequency Drive, Servo Drive, Valve, Circuit Breaker" + }, + { + "value": "communications", + "expanded": "Communications", + "description": "Modems, Routers, Serial - Ethernet Converters, Swtiches" + }, + { + "value": "supervisory-level-devices", + "expanded": "Supervisory Level Devices", + "description": "1. Control Server (Supervisory systems that hosts control software to manage lower level control devices like PLC).\\n\\n2. Data Historian (Centralized database for information about process, control activity and status record).\\n\\n3. Engineering workstations (Creating and revising control systems anbd programs, incl. project files)." + } + ] + } + ], + "refs": [ + "https://www.first.org/global/sigs/cti/", + "https://www.isa.org/isa99/", + "https://www.isa.org/intech/201810standards/" + ], + "version": 1, + "description": "FIRST.ORG CTI SIG - MISP Proposal for ICS/OT Threat Attribution (IOC) Project", + "expanded": "Industrial Control System (ICS)", + "namespace": "ics" +} diff --git a/infoleak/machinetag.json b/infoleak/machinetag.json index d1b70f5..438d227 100644 --- a/infoleak/machinetag.json +++ b/infoleak/machinetag.json @@ -33,7 +33,7 @@ "expanded": "Test" } ], - "version": 3, + "version": 6, "description": "A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information.", "namespace": "infoleak", "values": [ @@ -52,6 +52,10 @@ "value": "iban", "expanded": "IBAN" }, + { + "value": "ip", + "expanded": "IP address" + }, { "value": "mail", "expanded": "Mail" 
@@ -96,6 +100,14 @@
 "value": "pgp-message",
 "expanded": "PGP message"
 },
+ {
+ "value": "pgp-public-key-block",
+ "expanded": "PGP public key block"
+ },
+ {
+ "value": "pgp-signature",
+ "expanded": "PGP signature"
+ },
 {
 "value": "pgp-private-key",
 "expanded": "PGP private key"
@@ -116,6 +128,10 @@
 "value": "ec-private-key",
 "expanded": "EC private key"
 },
+ {
+ "value": "public-key",
+ "expanded": "Public key"
+ },
 {
 "value": "base64",
 "expanded": "Base64"
@@ -165,6 +181,10 @@
 "value": "iban",
 "expanded": "IBAN"
 },
+ {
+ "value": "ip",
+ "expanded": "IP address"
+ },
 {
 "value": "mail",
 "expanded": "Mail"
@@ -209,6 +229,14 @@
 "value": "pgp-message",
 "expanded": "PGP message"
 },
+ {
+ "value": "pgp-public-key-block",
+ "expanded": "PGP public key block"
+ },
+ {
+ "value": "pgp-signature",
+ "expanded": "PGP signature"
+ },
 {
 "value": "pgp-private-key",
 "expanded": "PGP private key"
@@ -229,6 +257,10 @@
 "value": "ec-private-key",
 "expanded": "EC private key"
 },
+ {
+ "value": "public-key",
+ "expanded": "Public key"
+ },
 {
 "value": "base64",
 "expanded": "Base64"
diff --git a/maec-malware-capabilities/machinetag.json b/maec-malware-capabilities/machinetag.json
index e61ba2f..6848883 100644
--- a/maec-malware-capabilities/machinetag.json
+++ b/maec-malware-capabilities/machinetag.json
@@ -1,7 +1,7 @@
 {
 "namespace": "maec-malware-capabilities",
 "description": "Malware Capabilities based on MAEC 5.0",
- "version": 1,
+ "version": 2,
 "predicates": [
 {
 "value": "maec-malware-capability",
@@ -66,7 +66,7 @@
 },
 {
 "value": "integrity-violation",
- "expanded": "integrity-violationk"
+ "expanded": "integrity-violation"
 },
 {
 "value": "machine-access-control",
@@ -130,7 +130,7 @@
 },
 {
 "value": "communicate-with-c2-server",
- "expanded": "communicate-with-c2-servern"
+ "expanded": "communicate-with-c2-server"
 },
 {
 "value": "compromise-data-availability",
diff --git a/mapping/mapping.json b/mapping/mapping.json
index b589879..ecf673c 100644
--- a/mapping/mapping.json
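Review bot: The new `public-key` entry (hunks at old lines 116 and 229) overlaps with the new `pgp-public-key-block` entry (old lines 96 and 209), and neither carries a `description` telling an analyst which one applies to an armoured OpenPGP key versus PEM or OpenSSH material, so the two will drift into interchangeable use. A one-line `description` on each would fix that, e.g. `"description": "Public key material (PEM, OpenSSH, ...) not covered by the PGP entries."` on `public-key`. The `ip` entry (old lines 52 and 165) would likewise benefit from a `description` saying whether IPv6 addresses are in scope, since `IP address` alone does not say.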
+++ b/mapping/mapping.json
@@ -1,6 +1,9 @@
 {
 "DDoS": {
 "values": [
+ "rsit:availability=\"dos\"",
+ "rsit:availability=\"ddos\"",
+ "rsit:vulnerable=\"ddos-amplifier\"",
 "ecsirt:availability=\"ddos\"",
 "europol-incident:availability=\"dos-ddos\"",
 "ms-caro-malware:malware-type=\"DDoS\"",
@@ -26,6 +29,7 @@
 },
 "exploit": {
 "values": [
+ "rsit:intrusion-attempts=\"exploit\"",
 "veris:action:malware:variety=\"Exploit vuln\"",
 "ecsirt:intrusion-attempts=\"exploit\"",
 "europol-event:exploit",
@@ -35,6 +39,8 @@
 },
 "malware": {
 "values": [
+ "rsit:malicious-code=\"malware-distribution\"",
+ "rsit:malicious-code=\"malware-configuration\"",
 "ecsirt:malicious-code=\"malware\"",
 "circl:incident-classification=\"malware\""
 ]
@@ -57,6 +63,7 @@
 },
 "spam": {
 "values": [
+ "rsit:abusive-content=\"spam\"",
 "circl:incident-classification=\"spam\"",
 "ecsirt:abusive-content=\"spam\"",
 "enisa:nefarious-activity-abuse=\"spam\"",
@@ -68,6 +75,7 @@
 },
 "scan": {
 "values": [
+ "rsit:information-gathering=\"scanner\"",
 "circl:incident-classification=\"scan\"",
 "ecsirt:information-gathering=\"scanner\"",
 "europol-incident:information-gathering=\"scanning\""
@@ -87,6 +95,7 @@
 },
 "phishing": {
 "values": [
+ "rsit:fraud=\"phishing\"",
 "circl:incident-classification=\"phishing\"",
 "ecsirt:fraud=\"phishing\"",
 "veris:action:social:variety=\"Phishing\"",
@@ -96,6 +105,7 @@
 },
 "brute force": {
 "values": [
+ "rsit:intrusion-attempts=\"brute-force\"",
 "ecsirt:intrusion-attempts=\"brute-force\"",
 "veris:action:malware:variety=\"Brute force\"",
 "europol-event:brute-force-attempt",
@@ -111,6 +121,7 @@
 },
 "c&c": {
 "values": [
+ "rsit:malicious-code=\"c2-server\"",
 "ecsirt:malicious-code=\"c&c\"",
 "europol-incident:malware=\"c&c\"",
 "europol-event:c&c-server-hosting",
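Review bot: `rsit:vulnerable=\"ddos-amplifier\"` in the `DDoS` hunk (old line 1) maps a vulnerability classification — a host that could be abused as a reflector — onto a group whose other entries all denote an actual attack, so any consumer pivoting on the `DDoS` key will mix exposed-but-not-attacked hosts with victims and attack sources. `rsit:availability=\"dos\"` in the same hunk also folds single-source denial of service into the distributed bucket; that is defensible given the existing `europol-incident:availability=\"dos-ddos\"` entry, but the amplifier tag is a different kind of thing. Either drop `ddos-amplifier` from `DDoS` or give it its own key (the file has no `vulnerable` group in the hunks shown), and state in the repository's mapping documentation that `dos` is intentionally merged here.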
@@ -168,6 +179,24 @@
 "ecsirt:malicious-code=\"worm\""
 ]
 },
+ "content": {
+ "values": [
+ "rsit:abusive-content=\"harmful-speech\"",
+ "rsit:abusive-content=\"violence\"",
+ "rsit:fraud=\"copyright\"",
+ "rsit:fraud=\"masquerade\""
+ ]
+ },
+ "other": {
+ "values": [
+ "rsit:other=\"other\""
+ ]
+ },
+ "test": {
+ "values": [
+ "rsit:test=\"test\""
+ ]
+ },
 "tlp-white": {
 "values": [
 "tlp:white",
diff --git a/misp/machinetag.json b/misp/machinetag.json
index e3e5f43..5a61033 100755
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@@ -66,7 +66,8 @@
 },
 {
 "expanded": "Confidence cannot be evaluated",
- "value": "confidence-cannot-be-evalued"
+ "value": "confidence-cannot-be-evalued",
+ "numerical_value": 50
 }
 ]
 },
@@ -105,7 +106,7 @@
 {
 "expanded": "Generated automatically without human verification",
 "value": "unsupervised",
- "numerical_value": 100
+ "numerical_value": 0
 },
 {
 "expanded": "Generated automatically but verified by a human",
@@ -115,7 +116,7 @@
 {
 "expanded": "Output of human analysis",
 "value": "manual",
- "numerical_value": 0
+ "numerical_value": 100
 }
 ]
 },
@@ -125,6 +126,31 @@
 {
 "expanded": "misp2stix",
 "value": "misp2stix"
+ },
+ {
+ "expanded": "misp2yara",
+ "value": "misp2yara"
+ }
+ ]
+ },
+ {
+ "predicate": "misp2yara",
+ "entry": [
+ {
+ "expanded": "generated",
+ "value": "generated"
+ },
+ {
+ "expanded": "as-is",
+ "value": "as-is"
+ },
+ {
+ "expanded": "valid",
+ "value": "valid"
+ },
+ {
+ "expanded": "invalid",
+ "value": "invalid"
 }
 ]
 }
@@ -169,9 +195,13 @@
 "description": "Tool associated with the information taggged",
 "expanded": "Tool",
 "value": "tool"
+ },
+ {
+ "expanded": "misp2yara export tool",
+ "value": "misp2yara"
 }
 ],
- "version": 7,
+ "version": 9,
 "description": "MISP taxonomy to infer with MISP behavior or operation.",
 "expanded": "MISP",
 "namespace": "misp"
diff --git a/phishing/machinetag.json b/phishing/machinetag.json
new file mode 100644
index 0000000..a9d6df6
--- /dev/null
+++ b/phishing/machinetag.json
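Review bot: The new `content` key (hunk at old line 168) groups `rsit:fraud=\"masquerade\"` with abusive-content tags, but masquerade is an impersonation/fraud classification rather than a content classification, so consumers that treat `content` as "abusive material" will pull impersonation incidents in with harmful speech. `copyright` is the only other fraud entry in the group, which suggests either naming the key for what it actually holds (e.g. an `abuse` group) or keeping `masquerade` with the fraud-type entries such as those under the existing `phishing` key. The `other` and `test` groups are fine as single-entry buckets.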
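Review bot: The hunks at old lines 105 and 115 invert the `numerical_value` scale of the predicate (`unsupervised` 100→0, `manual` 0→100), which reverses the ordering for any consumer that sorts, filters or scores on `numerical_value` for already-tagged data; the bump to version 9 does not by itself tell such a consumer that the meaning of the number flipped. Consider stating the convention in the predicate's description, e.g. `higher numerical_value means more human verification` (the predicate header sits outside these hunks). The new `"numerical_value": 50` on `confidence-cannot-be-evalued` (old line 66) places an unevaluated confidence in the middle of the scale, so a numeric threshold will treat it as moderate confidence; if that is intended, say so in its `expanded` text. The `value` `confidence-cannot-be-evalued` keeps its misspelling, presumably because it is an identifier already in use.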
@@ -0,0 +1,228 @@
+{
+ "namespace": "phishing",
+ "description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
+ "version": 3,
+ "predicates": [
+ {
+ "value": "techniques",
+ "expanded": "Techniques",
+ "description": "Phishing techniques used."
+ },
+ {
+ "value": "distribution",
+ "expanded": "Distribution",
+ "description": "How the phishing is distributed."
+ },
+ {
+ "value": "report-type",
+ "expanded": "Report type",
+ "description": "How the phishing information was reported."
+ },
+ {
+ "value": "report-origin",
+ "expanded": "Report origin",
+ "description": "Origin or source of the phishing information such as tools or services."
+ },
+ {
+ "value": "action",
+ "expanded": "Action",
+ "description": "Action(s) taken related to the phishing tagged with this taxonomy."
+ },
+ {
+ "value": "state",
+ "expanded": "State",
+ "description": "State of the phishing."
+ },
+ {
+ "value": "psychological-acceptability",
+ "expanded": "Psychological acceptability",
+ "description": "Quality of the phishing by its level of acceptance by the target."
+ },
+ {
+ "value": "principle-of-persuasion",
+ "expanded": "Principle of Persuasion",
+ "description": "The principle of persuasion used during the attack to higher psychological acceptability."
+ }
+ ],
+ "values": [
+ {
+ "predicate": "techniques",
+ "entry": [
+ {
+ "value": "fake-website",
+ "expanded": "Social engineering fake website",
+ "description": "Adversary controls a fake website to phish for credentials or information."
+ },
+ {
+ "value": "email-spoofing",
+ "expanded": "Social engineering email spoofing",
+ "description": "Adversary sends email with domains related to target. Adversary controls the domains used."
+ },
+ {
+ "value": "clone-phishing",
+ "expanded": "Clone phishing",
+ "description": "Adversary clones an email to target potential victims with duplicated content."
+ },
+ {
+ "value": "voice-phishing",
+ "expanded": "Voice phishing",
+ "description": "Adversary uses voice-based techniques to trick a potential victim to give credentials or sensitive information. This is also known as vishing."
+ },
+ {
+ "value": "search-engines-abuse",
+ "expanded": "Social engineering search engines abuse",
+ "description": "Adversary controls the search engine result to get an advantage"
+ },
+ {
+ "value": "sms-phishing",
+ "expanded": "SMS phishing",
+ "description": "Adversary sends an SMS to a potential victims to gather sensitive information or use another phishing technique at a later stage."
+ }
+ ]
+ },
+ {
+ "predicate": "distribution",
+ "entry": [
+ {
+ "value": "spear-phishing",
+ "expanded": "Spear phishing",
+ "description": "Adversary attempts targeted phishing to a user or a specific group of users based on knowledge known by the adversary."
+ },
+ {
+ "value": "bulk-phishing",
+ "expanded": "Bulk phishing",
+ "description": "Adversary attempts to target a large group of potential targets without specific knowledge of the victims."
+ }
+ ]
+ },
+ {
+ "predicate": "report-type",
+ "entry": [
+ {
+ "value": "manual-reporting",
+ "expanded": "Manual reporting",
+ "description": "Phishing reported by a human (e.g. tickets, manual reporting)."
+ },
+ {
+ "value": "automatic-reporting",
+ "expanded": "Automatic reporting",
+ "description": "Phishing collected by automatic reporting (e.g. phishing report tool, API)."
+ }
+ ]
+ },
+ {
+ "predicate": "report-origin",
+ "entry": [
+ {
+ "value": "url-abuse",
+ "expanded": "url-abuse",
+ "description": "CIRCL url-abuse service."
+ },
+ {
+ "value": "lookyloo",
+ "expanded": "lookyloo",
+ "description": "CIRCL lookyloo service."
+ },
+ {
+ "value": "phishtank",
+ "expanded": "Phishtank",
+ "description": "Phishtank service."
+ },
+ {
+ "value": "spambee",
+ "expanded": "Spambee",
+ "description": "C-3 Spambee service."
+ } + ] + }, + { + "predicate": "action", + "entry": [ + { + "value": "take-down", + "expanded": "Take down", + "description": "Take down notification sent to the operator where the phishing infrastructure is hosted." + }, + { + "value": "pending-law-enforcement-request", + "expanded": "Pending law enforcement request", + "description": "Law enforcement requests are ongoing on the phishing infrastructure." + }, + { + "value": "pending-dispute-resolution", + "expanded": "Pending dispute resolution", + "description": "Dispute resolution sent to competent authorities (e.g. domain authority, trademark dispute)." + } + ] + }, + { + "predicate": "state", + "entry": [ + { + "value": "unknown", + "expanded": "Phishing state is unknown or cannot be evaluated", + "numerical_value": 50 + }, + { + "value": "active", + "expanded": "Phishing state is active and actively used by the adversary", + "numerical_value": 100 + }, + { + "value": "down", + "expanded": "Phishing state is known to be down", + "numerical_value": 0 + } + ] + }, + { + "predicate": "psychological-acceptability", + "entry": [ + { + "value": "unknown", + "expanded": "Phishing acceptance rate is unknown." + }, + { + "value": "low", + "expanded": "Phishing acceptance rate is low.", + "numerical_value": 25 + }, + { + "value": "medium", + "expanded": "Phishing acceptance rate is medium.", + "numerical_value": 50 + }, + { + "value": "high", + "expanded": "Phishing acceptance rate is high.", + "numerical_value": 75 + } + ] + }, + { + "predicate": "principle-of-persuasion", + "entry": [ + { + "value": "authority", + "expanded": "Society trains people not to question authority so they are conditioned to respond to it. People usually follow an expert or pretense of authority and do a great deal for someone they think is an authority." + }, + { + "value": "social-proof", + "expanded": "People tend to mimic what the majority of people do or seem to be doing. 
People let their guard and suspicion down when everyone else appears to share the same behaviours and risks. In this way, they will not be held solely responsible for their actions." + }, + { + "value": "liking-similarity-deception", + "expanded": "People prefer to abide to whom (they think) they know or like, or to whom they are similar to or familiar with, as well as attracted to." + }, + { + "value": "commitment-reciprocation-consistency", + "expanded": "People feel more confident in their decision once they commit (publically) to a specific action and need to follow it through until the end. This is true whether in the workplace, or in a situation when their action is illegal. People have tendency to believe what others say and need, and they want to appear consistent in what they do, for instance, when they owe a favour. There is an automatic response of repaying a favour." + }, + { + "value": "distraction", + "expanded": "People focus on one thing and ignore other things that may happen without them noticing; they focus attention on what they can gain, what they need, what they can lose or miss out on, or if that thing will soon be unavailable, has been censored, restricted or will be more expensive later. These distractions can heighten people’s emotional state and make them forget other logical facts to consider when making decisions." + } + ] + } + ] +} diff --git a/ransomware/machinetag.json b/ransomware/machinetag.json index 99a05e0..0ac0b1b 100644 --- a/ransomware/machinetag.json +++ b/ransomware/machinetag.json @@ -2,7 +2,7 @@ "namespace": "ransomware", "expanded": "ransomware types and elements", "description": "Ransomware is used to define ransomware types and the elements that compose them.", - "version": 1, + "version": 4, "refs": [ "https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf", "https://docs.apwg.org/ecrimeresearch/2018/5357083.pdf", 
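Review bot: In the `principle-of-persuasion` predicate at the end of the new file, each entry puts a paragraph of explanation in `expanded` and has no `description`, whereas every other entry in this file uses `expanded` for a short label and `description` for prose; `expanded` is the human-readable tag label in MISP, so these five tags will render as paragraph-long names. Move each paragraph to `description` and give `expanded` a short label, e.g. `"expanded": "Authority"`. The `unknown` entry under `psychological-acceptability` has no `numerical_value` while `unknown` under `state` is 50 — pick one convention for "unknown" across the file. Minor text: `a potential victims` in `sms-phishing`, the missing final period in `search-engines-abuse`, and `to higher psychological acceptability` in the predicate description reads better as `to increase psychological acceptability`.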
@@ -40,11 +40,11 @@
 },
 {
 "value": "locker-ransomware",
- "expanded": "Locker eansomware, also called computer locker, denies access to the computer or device "
+ "expanded": "Locker ransomware, also called screen locker, denies access to the browser, computer or device."
 },
 {
 "value": "crypto-ransomware",
- "expanded": "Crypto ransomware, also called data locker prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does."
+ "expanded": "Crypto ransomware, also called data locker or cryptoware, prevents access to files or data. Crypto ransomware doesn’t necessarily have to use encryption to stop users from accessing their data, but the vast majority of it does."
 }
 ]
 },
@@ -53,15 +53,27 @@
 "entry": [
 {
 "value": "ransomnote",
- "expanded": "A ransomnote is the message left by the attacker to threaten his victim and ask for ransom. It is usually seen as a text file or a picture set as background."
+ "expanded": "A ransomnote is the message left by the attacker to threaten their victim and ask for a ransom. It is usually seen as a text or HTML file, or a picture set as background."
+ },
+ {
+ "value": "ransomware-appended-extension",
+ "expanded": "This is the extension added by the ransomware to the files."
+ },
+ {
+ "value": "ransomware-encrypted-extensions",
+ "expanded": "This is the list of extensions that will be encrypted by the ransomware. Beware to keep the order."
+ },
+ {
+ "value": "ransomware-excluded-extensions",
+ "expanded": "This is the list of extensions that will not be encrypted by the ransomware. Beware to keep the order."
 },
 {
 "value": "dropper",
- "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks by carring the malware inside of itself."
+ "expanded": "A dropper is a means of getting malware into a machine while bypassing the security checks, often by containing the malware inside of itself."
 },
 {
 "value": "downloader",
- "expanded": "a downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of carring it."
+ "expanded": "A downloader is a means of getting malware into a machine while bypassing the security checks, by downloading it instead of containing it."
 }
 ]
 },
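Review bot: The new `ransomware-encrypted-extensions` and `ransomware-excluded-extensions` entries end with `Beware to keep the order.`, but a taxonomy entry is a single tag value, so it is not clear what order is meant (order of extensions inside the attribute the tag is applied to, or the order of these entries) or how an analyst is supposed to preserve it. Say what is expected or drop the sentence, e.g. `"expanded": "List of file extensions the ransomware encrypts, in the order the sample processes them."`. The three new entries also all start with `This is the ...`, which adds nothing to the tag label and could be trimmed to match the neighbouring `dropper` and `downloader` phrasing.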
@@ -69,20 +81,20 @@ "predicate": "complexity-level", "entry": [ { - "value": "no-actual-encryption-fake-scareware", - "expanded": "No actual encryption (fake scareware). infection merely poses as a ransomware by displaying a ransom note while not actually encrypting user files" + "value": "no-actual-encryption-scareware", + "expanded": "No actual encryption (scareware). Infection merely poses as a ransomware by displaying a ransom note or message while not actually encrypting user files." }, { "value": "display-ransomnote-before-encrypting", - "expanded": "Displaying the ransom note before encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." + "expanded": "Displaying the ransom note before the encryption process commences. As seen in the case of Nemucod, some ransomware will display a ransom note before file encryption. This is a serious operational flaw in the ransomware. The victim or their antivirus solution could effectively take prompt evasive action to prevent ransomware from commencing encryption." }, { "value": "decryption-essentials-extracted-from-binary", - "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by disassembling the ransomware binary. " + "expanded": "Decryption essentials can be reverse engineered from ransomware code or the user's system. For example, if the ransomware uses a hard-coded key, then it becomes straight-forward for malware analysts to extract the key by reverse engineering the ransomware binary. 
" }, { "value": "derived-encryption-key-predicted ", - "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of the Linux.Encoder. Aransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." + "expanded": "Another possibility of reverse engineering the key is demonstrated in the case of Linux.Encoder, a type of ransomware where a timestamp on the system was used to create keys for encryption resulting in easy decryption provided that the timestamp is still accessible." }, { "value": "same-key used-for-each-infection", 
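Review bot: The context lines `"value": "derived-encryption-key-predicted "` (trailing space) and `"value": "same-key used-for-each-infection"` (internal space) are left untouched by this commit even though it rewrites the neighbouring `expanded` texts and bumps the file's version (hunk at old line 2); as machine-tag values they yield tags such as `ransomware:complexity-level="derived-encryption-key-predicted "` that are easy to mistype and hard to match exactly. Since the version is changing anyway, this would be the moment to correct them to `derived-encryption-key-predicted` and `same-key-used-for-each-infection` and note the rename for data already tagged with the old spellings. The entries containing these values begin in this hunk but their closing lines fall in the next one.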
@@ -90,15 +102,19 @@ }, { "value": "encryption-circumvented", - "expanded": "decryption possible without key - Files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known-ciphertext attacks due to the keyreuse vulnerability and hence this is a poor implementation of the encryption algorithm." + "expanded": "Decryption possible without key - files can be decrypted without the need for a key due to poor choice or implementation of the encryption algorithm. Consider the case of desuCrypt that used an RC4 stream cipher for encryption. Using a stream cipher with key reuse is vulnerable to known plaintext attacks and known ciphertext attacks due to key reuse and hence this is a poor implementation of an encryption algorithm." }, { "value": "file-restoration-possible-using-shadow-volume-copies", - "expanded": "Files can be restored using system backups, e.g. Shadow Volume Copies on the New Technology File System (NTFS), that were neglected by the ransomware." + "expanded": "Files can be restored using Shadow Volume Copies (“Previous Versions”) on the New Technology File System (NTFS), that were neglected to be deleted by the ransomware." + }, + { + "value": "file-restoration-possible-using-backups", + "expanded": "Files can be restored using a System State backup, System Image backup or other means of backup mechanisms (such as third-party backup software) that will render the ransomware's extortion attempt unsuccessful." }, { "value": "key-recovered-from-file-system-or-memory", - "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. 
The user can look in the right folder to discover the decryption key." + "expanded": "Decryption key can be retrieved from the host machine’s file structure or memory by an average user without the need for an expert. In the case of CryptoDefense, the ransomware did not securely delete keys from the host machine. The user can examine the right file or folder to discover the decryption key." }, { "value": "due-diligence-prevented-ransomware-from-acquiring-key", 
@@ -106,19 +122,19 @@ }, { "value": "click-and-run-decryptor-exists", - "expanded": "Easy ‘Click-and-run’ solution such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." + "expanded": "Easy “Click-and-run” solutions such as a decryptor has been created by the security community such that a user can simply run the program to decrypt all files." }, { "value": "kill-switch-exists-outside-of-attacker-s-control", - "expanded": "There exists a kill switch outside of attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." + "expanded": "There exists a kill switch outside of an attacker’s control that renders the cryptoviral infection ineffective. For example, in the case of WannaCry, a global kill switch existed in the form of a domain name. The ransomware reached out to this domain before commencing encryption and if the domain existed, the ransomware aborted execution. This kill switch was outside the attacker’s control as anyone could register it and neutralize the ransomware outbreak." }, { "value": "decryption-key-recovered-from-a-C&C-server-or-network-communications", - "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500, 000 victims." 
+ "expanded": "Key can be retrieved from a central location such as a C&C server on a compromised host or gleaned with some difficulty from communication between ransomware on the host and the C&C server. For instance, in the case of CryptoLocker, authorities were able to seize a network of compromised hosts used to spread CryptoLocker and gain access to decryption essentials of around 500,000 victims."
 },
 {
 "value": "custom-encryption-algorithm-used",
- "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCoder ransomware that emerged in 2005 with weak custom encryption."
+ "expanded": "Ransomware uses custom encryption techniques and violates the fundamental rule of cryptography: “do not roll your own crypto.” It is tempting to design a custom cipher that one cannot break themselves, however it will likely not withstand the scrutiny of professional cryptanalysts. Amateur custom cryptography in the ransomware implies there will likely soon be a solution to decrypt files without paying the ransom. An example of this is an early variant of the GPCode ransomware that emerged in 2005 with weak custom encryption."
 },
 {
 "value": "decryption-key-recovered-under-specialized-lab-setting",
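Review bot: The rewritten `click-and-run-decryptor-exists` text (old line 108, earlier in this hunk) now reads `Easy “Click-and-run” solutions such as a decryptor has been created`, a number mismatch introduced by pluralising `solution`; either `solutions such as a decryptor have been created` or keep the singular `solution`. The rest of the hunk is wording only (curly quotes, `500,000`, `GPCode`) and reads correctly.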
@@ -155,11 +171,11 @@ }, { "value": "deployed-out-of-frustration", - "expanded": " Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." + "expanded": "Sometimes, an attacker may gain initial access to a server or other machine, but consequent attempts to, for example, exfiltrate data or attack other machine, is unsuccessful. This may be due to a number of things, but often due to the access being discovered, and quickly patched. On the other hand, it may have not been discovered yet, but the attacker is sitting with the same problem: the purpose is not fulfilled. Then, out of frustration, or to gain at least something out of the victim, the machine gets trashed with ransomware. Another possibility is a disgruntled employee, leaving ransomware as a 'present' before leaving the company." }, { "value": "deployed-as-a-cover-up", - "expanded": " This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. 
The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." + "expanded": "This may sound ambiguous at first, but imagine a scenario where a company may face sanctions, is already compromised, or has a running investigation. The company or organisation deploying ransomware itself, is a viable way of destroying data forever, and any evidence may be lost.\nAnother possibility is, in order to cover up a much larger compromise, ransomware is installed, and everything is formatted to hide what actually happened.\nAgain, there is also the possibility of a disgruntled employee, or even an intruder: which brings us back to 'deployed as a smokescreen'." }, { "value": "deployed-as-a-penetration-test-or-user-awareness-training", @@ -167,7 +183,7 @@ }, { "value": "deployed-as-a-means-of-disruption-destruction", - "expanded": " Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." + "expanded": "Last but not least - while ransomware can have several purposes, it can also serve a particularly nasty goal: destroy a company or organisation, or at least take them offline for several days, or even weeks.\nAgain, there are some possibilities, but this may be a rivalry company in a similar business, again a disgruntled employee, or to disrupt large organisations on a worldwide scale." } ] } 
diff --git a/retention/machinetag.json b/retention/machinetag.json
new file mode 100644
index 0000000..1f2bfea
--- /dev/null
+++ b/retention/machinetag.json
@@ -0,0 +1,66 @@
+{
+ "namespace": "retention",
+ "expanded": "retention",
+ "description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.",
+ "version": 2,
+ "refs": [
+ "https://en.wikipedia.org/wiki/Retention_period"
+ ],
+ "predicates": [
+ {
+ "value": "expired",
+ "expanded": "Set when the retention period has expired",
+ "numerical_value": 0
+ },
+ {
+ "value": "1d",
+ "expanded": "1 day",
+ "numerical_value": 1
+ },
+ {
+ "value": "2d",
+ "expanded": "2 days",
+ "numerical_value": 2
+ },
+ {
+ "value": "7d",
+ "expanded": "7 days",
+ "numerical_value": 7
+ },
+ {
+ "value": "2w",
+ "expanded": "2 weeks",
+ "numerical_value": 14
+ },
+ {
+ "value": "1m",
+ "expanded": "1 month",
+ "numerical_value": 30
+ },
+ {
+ "value": "2m",
+ "expanded": "2 months",
+ "numerical_value": 60
+ },
+ {
+ "value": "3m",
+ "expanded": "3 months",
+ "numerical_value": 90
+ },
+ {
+ "value": "6m",
+ "expanded": "6 months",
+ "numerical_value": 180
+ },
+ {
+ "value": "1y",
+ "expanded": "1 year",
+ "numerical_value": 365
+ },
+ {
+ "value": "10y",
+ "expanded": "10 year",
+ "numerical_value": 3650
+ }
+ ]
+}
diff --git a/rsit/machinetag.json b/rsit/machinetag.json
index 75e4d10..c74d3fc 100644
--- a/rsit/machinetag.json
+++ b/rsit/machinetag.json
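Review bot: `retenion` in the namespace description should read `retention`, and the `10y` entry's `"expanded": "10 year"` should be `"expanded": "10 years"` to match `2 days` and `2 weeks`. The description says the tag drives automatic removal of the IDS flag on `ip-src`/`ip-dst` attributes and that elapsed time is measured from the event date, which is the detail an operator needs; what it does not say is who sets the `expired` predicate — `Set when the retention period has expired` leaves open whether the automation writes it or an analyst is expected to — and stating that would avoid the tag being applied by hand on events the tool will also process. The `1m`/`2m` day counts are only sort keys, as the description already states, so no change needed there.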
@@ -4,17 +4,17 @@ "entry": [ { "description": "Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content.", - "expanded": "spam", + "expanded": "Spam", "value": "spam" }, { - "description": "Discreditation or discrimination of somebody e.g. cyber stalking, racism and threats against one or more individuals).", + "description": "Discreditation or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.", "expanded": "Harmful Speech", "value": "harmful-speech" }, { - "description": "Child Pornography, glorification of violence, ...", - "expanded": "Child/Sexual/Violence/...", + "description": "Child pornography, glorification of violence, etc.", + "expanded": "Child Porn/Sexual/Violent Content", "value": "violence" } ], 
@@ -23,34 +23,24 @@ { "entry": [ { - "description": "Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code.", - "expanded": "Virus", - "value": "virus" + "description": "System infected with malware, e.g. PC, smartphone or server infected with a rootkit.", + "expanded": "Infected System", + "value": "infected-system" }, { - "description": "see 'virus'", - "expanded": "Worm", - "value": "worm" + "description": "Command-and-control server contacted by malware on infected systems.", + "expanded": "C2 Server", + "value": "c2-server" }, { - "description": "see 'virus'", - "expanded": "Trojan", - "value": "trojan" + "description": "URI used for malware distribution, e.g. a download URL included in fake invoice malware spam.", + "expanded": "Malware Distribution", + "value": "malware-distribution" }, { - "description": "see 'virus'", - "expanded": "Spyware", - "value": "spyware" - }, - { - "description": "see 'virus'", - "expanded": "Dialer", - "value": "dialer" - }, - { - "description": "see 'virus'", - "expanded": "Rootkit", - "value": "rootkit" + "description": "URI hosting a malware configuration file, e.g. webinjects for a banking trojan.", + "expanded": "Malware Configuration", + "value": "malware-configuration" } ], "predicate": "malicious-code" @@ -58,7 +48,7 @@ { "entry": [ { - "description": "Attacks that send requests to a system to discover weak points. This includes also some kind of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", + "description": "Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.", "expanded": "Scanning", "value": "scanner" }, 
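Review bot: This hunk drops the values `virus`, `worm`, `trojan`, `spyware`, `dialer` and `rootkit` from `malicious-code` with no migration note, so instances already carrying e.g. `rsit:malicious-code="virus"` will keep tags that no longer resolve to any entry once they pull the new taxonomy version. No deprecation mechanism is visible in this format, so a sentence in the namespace description or the commit message saying the old values are superseded by `infected-system` would spare downstream users from guessing the mapping. The same applies to `bot` and `vulnerable-service`, which later hunks of this file remove.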
@@ -78,8 +68,8 @@ { "entry": [ { - "description": "An attempt to compromise a system or to disrupt any service by exploiting vunerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", - "expanded": "Exploiting of known Vulnerabilities", + "description": "An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)", + "expanded": "Exploitation of known Vulnerabilities", "value": "ids-alert" }, { @@ -88,7 +78,7 @@ "value": "brute-force" }, { - "description": "An attempt using an unknown exploit.", + "description": "An attack using an unknown exploit.", "expanded": "New attack signature", "value": "exploit" } 
@@ -98,24 +88,24 @@ { "entry": [ { - "description": "A successful compromise of a system or application (service). This can have been caused remotely by a known or new vulnerability, but also by an unauthorized local access. Also includes being part of a botnet.", + "description": "Compromise of a system where the attacker gained administrative privileges.", "expanded": "Privileged Account Compromise", "value": "privileged-account-compromise" }, { - "description": "see 'Privileged Account Compromise'", + "description": "Compromise of a system using an unprivileged (user/service) account.", "expanded": "Unprivileged Account Compromise", "value": "unprivileged-account-compromise" }, { - "description": "see 'Privileged Account Compromise'", + "description": "Compromise of an application by exploiting (un)known software vulnerabilities, e.g. SQL injection.", "expanded": "Application Compromise", "value": "application-compromise" }, { - "description": "see 'Privileged Account Compromise'", - "expanded": "Bot", - "value": "bot" + "description": "Physical intrusion, e.g. into corporate building or data center.", + "expanded": "Burglary", + "value": "burglary" } ], "predicate": "intrusions" 
@@ -123,23 +113,28 @@ { "entry": [ { - "description": "Denial of Service.", - "expanded": "DoS", + "description": "Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.", + "expanded": "Denial of Service", "value": "dos" }, { - "description": "Distributed Denial of Service.", - "expanded": "DDoS", + "description": "Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.", + "expanded": "Distributed Denial of Service", "value": "ddos" }, { - "description": "Sabotage.", + "description": "Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.", + "expanded": "Misconfiguration", + "value": "misconfiguration" + }, + { + "description": "Physical sabotage, e.g cutting wires or malicious arson.", "expanded": "Sabotage", "value": "sabotage" }, { - "description": "Outage (no malice).", - "expanded": "Outage (no malice)", + "description": "Outage caused e.g. by air condition failure or natural disaster.", + "expanded": "Outage", "value": "outage" } ], 
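Review bot: The new `sabotage` description reads `e.g cutting wires or malicious arson`; the abbreviation is missing its period, unlike every other description in this hunk, so `"description": "Physical sabotage, e.g. cutting wires or malicious arson."`. Minor, but these strings are displayed verbatim in the tag UI.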
@@ -148,14 +143,19 @@ { "entry": [ { - "description": "Besides local abuse of data and systems, the security of information can be endangered by successful compromise of an account or application. In addition, attacks that intercept and access information during transmission (wiretapping, spoofing or hijacking) are possible. Human/configuration/software error can also be the cause.", + "description": "Unauthorized access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.", "expanded": "Unauthorised access to information", - "value": "Unauthorised-information-access" + "value": "unauthorised-information-access" }, { - "description": "see 'Unauthorised access to information'", + "description": "Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.", "expanded": "Unauthorised modification of information", - "value": "Unauthorised-information-modification" + "value": "unauthorised-information-modification" + }, + { + "description": "Loss of data, e.g. caused by harddisk failure or physical theft.", + "expanded": "Data Loss", + "value": "data-loss" } ], "predicate": "information-content-security" @@ -163,7 +163,7 @@ { "entry": [ { - "description": "Using resources for unauthorized purposes including profit-making ventures (E.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes).", + "description": "Using resources for unauthorized purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.", "expanded": "Unauthorized use of resources", "value": "unauthorized-use-of-resources" }, 
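Review bot: The two `value` fields under `information-content-security` change case (`Unauthorised-information-access` → `unauthorised-information-access`), which renames the machine tag rather than just tidying it; if the consuming platform matches tag names case-sensitively, events tagged with the old capitalised values will no longer line up with this taxonomy. The rename is the right direction, since every other value in the file is lowercase, but it deserves a line in the namespace description or commit message noting the old spelling so existing tags can be re-mapped on update. I cannot tell from this diff whether tag matching is case-sensitive.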
@@ -173,12 +173,12 @@ "value": "copyright" }, { - "description": "Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it.", + "description": "Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.", "expanded": "Masquerade", "value": "masquerade" }, { - "description": "Masquerading as another entity in order to persuade the user to reveal a private credential.", + "description": "Masquerading as another entity in order to persuade the user to reveal private credentials.", "expanded": "Phishing", "value": "phishing" } 
@@ -188,9 +188,29 @@ { "entry": [ { - "description": "Open resolvers, world readable printers, vulnerability apparent from Nessus etc scans, virus, signatures not up to date, etc.", - "expanded": "Open for abuse", - "value": "vulnerable-service" + "description": "Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.", + "expanded": "Weak crypto", + "value": "weak-crypto" + }, + { + "description": "Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.", + "expanded": "DDoS amplifier", + "value": "ddos-amplifier" + }, + { + "description": "Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.", + "expanded": "Potentially unwanted accessible services", + "value": "potentially-unwanted-accessible" + }, + { + "description": "Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.", + "expanded": "Information disclosure", + "value": "information-disclosure" + }, + { + "description": "A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, etc.", + "expanded": "Vulnerable system", + "value": "vulnerable-system" } ], "predicate": "vulnerable" @@ -199,7 +219,7 @@ "entry": [ { "description": "All incidents which don't fit in one of the given categories should be put into this class.", - "expanded": "other", + "expanded": "Other", "value": "other" } ], @@ -273,7 +293,7 @@ "value": "test" } ], - "version": 1, + "version": 3, "description": "Reference Security Incident Classification Taxonomy", "namespace": "rsit" } diff --git a/scrippsco2-fgc/machinetag.json b/scrippsco2-fgc/machinetag.json new file mode 100644 index 0000000..e212c93 --- /dev/null +++ b/scrippsco2-fgc/machinetag.json 
@@ -0,0 +1,67 @@ +{ + "predicates": [ + { + "description": "Potentially Suspect Data Accepted", + "expanded": "accepted-suspect", + "value": "-3" + }, + { + "description": "Accepted value from continuous analyzer replacing flask data", + "expanded": "accepted-continuous-analyzer", + "value": "-2" + }, + { + "description": "Acepted Value retained although individual measurements deviated by more than selected tolerance", + "expanded": "accepted-deviated-tolerance", + "value": "-1" + }, + { + "description": "Accepted Value", + "expanded": "accepted", + "value": "0" + }, + { + "description": "Rejected during analysis", + "expanded": "rejected-during-analysis", + "value": "1" + }, + { + "description": "Rejected unacceptably large flask-analyzer differences associated with night sampling (used only at MLO between Dec 1962 and Sep 1968)", + "expanded": "rejected-legacy-difference-night-mlo", + "value": "2" + }, + { + "description": "Rejected flask measurement; used continuous data instead", + "expanded": "rejected-continuous-data", + "value": "3" + }, + { + "description": "Rejected Replicates do not agree to selected tolerance or single flask", + "expanded": "rejected-tolerance-single-flask", + "value": "4" + }, + { + "description": "Rejected Daily average deviates from fit by more than 3 standard deviations", + "expanded": "rejected-derivation", + "value": "5" + }, + { + "description": "Rejected to improve local distribution of data such as too many data of generally poor quality (used only at two stations: KUM Aug 1979 - Jun 1980 and LJO Apr 1979 - Sep 1985)", + "expanded": "rejected-legacy-poor-quality-kum-ljo", + "value": "6" + }, + { + "description": "Rejected Unsteady air at site (La Jolla only)", + "expanded": "rejected-unsteady-ljo", + "value": "7" + }, + { + "description": "Rejected manually (see input/flag_flasks.csv)", + "expanded": "rejected-manual", + "value": "8" + } + ], + "version": 1, + "description": "Flags describing the sample", + "namespace": 
"scrippsco2-fgc" +} diff --git a/scrippsco2-fgi/machinetag.json b/scrippsco2-fgi/machinetag.json new file mode 100644 index 0000000..cc4b6b4 --- /dev/null +++ b/scrippsco2-fgi/machinetag.json @@ -0,0 +1,42 @@ +{ + "predicates": [ + { + "description": "Suspect but accepted isotopic measurement", + "expanded": "accepted-suspect", + "value": "-3" + }, + { + "description": "Accepted isotopic measurement", + "expanded": "accepted", + "value": "0" + }, + { + "description": "Rejected", + "expanded": "rejected", + "value": "3" + }, + { + "description": "Outlier from fit", + "expanded": "outlier", + "value": "5" + }, + { + "description": "Other rejected, older data", + "expanded": "rejected-old-data", + "value": "6" + }, + { + "description": "Flask extracted but not analyzed yet", + "expanded": "extracted-not-analyzed", + "value": "8" + }, + { + "description": "Flask not extracted", + "expanded": "not-extracted", + "value": "9" + } + ], + "version": 1, + "description": "Flags describing the sample for isotopic data (C14, O18)", + "namespace": "scrippsco2-fgi" +} diff --git a/scrippsco2-sampling-stations/machinetag.json b/scrippsco2-sampling-stations/machinetag.json new file mode 100644 index 0000000..c50c65b --- /dev/null +++ b/scrippsco2-sampling-stations/machinetag.json 
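Review bot: In the new `scrippsco2-fgc` file the description `Acepted Value retained although ...` is misspelled, and the `expanded` key `rejected-derivation` does not match its description (`deviates from fit by more than 3 standard deviations`), so `"description": "Accepted value retained although individual measurements deviated by more than the selected tolerance"` and `"expanded": "rejected-deviation"`. The file also uses `value` for the numeric flag code and `expanded` for a slug, the reverse of the other taxonomies in this diff, where `expanded` is the human-readable label; if that is deliberate because the flag codes are the canonical identifiers, a sentence in the namespace description saying so would help.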
@@ -0,0 +1,59 @@ +{ + "predicates": [ + { + "expanded": "Alert, NWT, Canada", + "value": "ALT" + }, + { + "expanded": "Point Barrow, Alaska", + "value": "PTB" + }, + { + "expanded": "Station P", + "value": "STP" + }, + { + "expanded": "La Jolla Pier, California", + "value": "LJO" + }, + { + "expanded": "Baja California Sur, Mexico", + "value": "BCS" + }, + { + "expanded": "Mauna Loa Observatory, Hawaii", + "value": "MLO" + }, + { + "expanded": "Cape Kumukahi, Hawaii ", + "value": "KUM" + }, + { + "expanded": "Christmas Island, Fanning Island", + "value": "CHR" + }, + { + "expanded": "American Samoa", + "value": "SAM" + }, + { + "expanded": "Kermadec Islands, Raoul Island", + "value": "KER" + }, + { + "expanded": "Baring Head, New Zealand", + "value": "NZD" + }, + { + "expanded": "Palmer Station, Antarctica", + "value": "PSA" + }, + { + "expanded": "South Pole", + "value": "SPO" + } + ], + "version": 1, + "description": "Sampling stations of the Scripps CO2 Program", + "namespace": "scrippsco2-sampling-stations" +} diff --git a/targeted-threat-index/machinetag.json b/targeted-threat-index/machinetag.json index ad172c6..7139263 100644 --- a/targeted-threat-index/machinetag.json +++ b/targeted-threat-index/machinetag.json 
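Review bot: `"expanded": "Cape Kumukahi, Hawaii "` carries a trailing space, which will be displayed verbatim and makes the label inconsistent with the other station names; it should be `"expanded": "Cape Kumukahi, Hawaii"`. The rest of the file is consistent.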
@@ -5,32 +5,32 @@ { "expanded": "Not targeted, e.g. spam or financially motivated malware.", "value": "not-targeted", - "numerical_value": 0 + "numerical_value": 1 }, { "expanded": "Targeted but not customized. Sent with a message that is obviously false with little to no validation required.", "value": "targeted-but-not-customized", - "numerical_value": 1 + "numerical_value": 25 }, { "expanded": "Targeted and poorly customized. Content is generally relevant to the target. May look questionable.", "value": "targeted-and-poorly-customized", - "numerical_value": 2 + "numerical_value": 50 }, { "expanded": "Targeted and customized. May use a real person/organization or content to convince the target the message is legitimate. Content is specifically relevant to the target and looks legitimate.", "value": "targeted-and-customized", - "numerical_value": 3 + "numerical_value": 65 }, { "expanded": "Targeted and well-customized. Uses a real person/organization and content to convince the target the message is legitimate. Probably directly addressing the recipient. Content is specifically relevant to the target, looks legitimate, and can be externally referenced (e.g. by a website). May be sent from a hacked account.", "value": "targeted-and-well-customized", - "numerical_value": 4 + "numerical_value": 85 }, { "expanded": "Targeted and highly customized using sensitive data. Individually targeted and customized, likely using inside/sensitive information that is directly relevant to the target.", "value": "targeted-and-highly-customized-using-sensitive-data", - "numerical_value": 5 + "numerical_value": 100 } ], "predicate": "targeting-sophistication-base-value" 
@@ -45,22 +45,22 @@ { "expanded": "The sample contains a simple method of protection, such as one of the following: code protection using publicly available tools where the reverse method is available, such as UPX packing; simple anti-reversing techniques such as not using import tables, or a call to IsDebuggerPresent(); self-disabling in the presence of AV software.", "value": "the-sample-contains-a-simple-method-of-protection", - "numerical_value": 1.25 + "numerical_value": 25 }, { "expanded": "The sample contains multiple minor code protection techniques (anti-reversing tricks, packing, VM / reversing tools detection) that require some low-level knowledge. This level includes malware where code that contains the core functionality of the program is decrypted only in memory.", "value": "the-sample-contains-multiple-minor-code-protection-techniques", - "numerical_value": 1.5 + "numerical_value": 50 }, { "expanded": "The sample contains minor code protection techniques along with at least one advanced protection method such as rootkit functionality or a custom virtualized packer.", "value": "the-sample-contains-minor-code-protection-techniques-plus-one-advanced", - "numerical_value": 1.75 + "numerical_value": 75 }, { "expanded": "The sample contains multiple advanced protection techniques, e.g. rootkit capability, virtualized packer, multiple anti-reversing techniques, and is clearly designed by a professional software engineering team.", "value": "the-sample-contains-multiple-advanced-protection-techniques", - "numerical_value": 2 + "numerical_value": 100 } ], "predicate": "technical-sophistication-multiplier" 
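Review bot: The `technical-sophistication-multiplier` values change from the published multipliers 1.25/1.5/1.75/2 to 25/50/75/100 while the predicate is still named and described as a multiplier, so anyone computing TTI as base × multiplier per the cited Citizen Lab reference now gets values up to 10000 instead of the documented maximum of 10; the previous hunk likewise makes `not-targeted` 1 rather than 0, so non-targeted mail no longer scores zero. If the intent is to feed a 0–100 normalised score into the platform rather than reproduce the TTI formula, the namespace or predicate description should say so; otherwise the original values should be kept. I am inferring the intent from the values alone, as the hunk carries no explanation.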
@@ -78,9 +78,10 @@ "value": "technical-sophistication-multiplier" } ], - "version": 1, + "version": 2, "refs": [ - "https://citizenlab.org/2013/10/targeted-threat-index/" + "https://citizenlab.org/2013/10/targeted-threat-index/", + "https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-hardy.pdf" ], "description": "The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 by Seth Hardy as part of the talk “RATastrophe: Monitoring a Malware Menagerie” along with Katie Kleemola and Greg Wiseman.", "namespace": "targeted-threat-index" diff --git a/threats-to-dns/machinetag.json b/threats-to-dns/machinetag.json new file mode 100644 index 0000000..85f9ce3 --- /dev/null +++ b/threats-to-dns/machinetag.json 
@@ -0,0 +1,129 @@ +{ + "namespace": "threats-to-dns", + "expanded": "Threats to DNS", + "description": "An overview of some of the known attacks related to DNS as described by Torabi, S., Boukhtouta, A., Assi, C., & Debbabi, M. (2018) in Detecting Internet Abuse by Analyzing Passive DNS Traffic: A Survey of Implemented Systems. IEEE Communications Surveys & Tutorials, 1–1. doi:10.1109/comst.2018.2849614", + "version": 1, + "predicates": [ + { + "value": "dns-protocol-attacks", + "description": "DNS protocol attacks", + "expanded": "DNS protocol attacks" + }, + { + "value": "dns-server-attacks", + "description": "DNS server attacks", + "expanded": "DNS server attacks" + }, + { + "value": "dns-abuse-or-misuse", + "description": "DNS abuse/misuse" + } + ], + "values": [ + { + "predicate": "dns-protocol-attacks", + "entry": [ + { + "value": "man-in-the-middle-attack", + "expanded": "Man-in-the-middle attack", + "description": "Man-in-the-middle attack" + }, + { + "value": "dns-spoofing", + "expanded": "DNS spoofing", + "description": "DNS spoofing" + }, + { + "value": "dns-rebinding", + "expanded": "DNS rebinding", + "description": "DNS rebinding" + } + ] + }, + { + "predicate": "dns-server-attacks", + "entry": [ + { + "value": "server-dos-and-ddos", + "expanded": "Server DoS & DDoS", + "description": "Server DoS & DDoS" + }, + { + "value": "server-hijacking", + "expanded": "Server hijacking", + "description": "Server hijacking" + }, + { + "value": "cache-poisoning", + "expanded": "Cache poisoning", + "description": "Cache poisoning" + } + ] + }, + { + "predicate": "dns-abuse-or-misuse", + "entry": [ + { + "value": "domain-name-registration-abuse-cybersquatting", + "expanded": "Domain name registration abuse such as cybersquatting", + "description": "Domain name registration abuse such as cybersquatting" + }, + { + "value": "domain-name-registration-abuse-typosquatting", + "expanded": "Domain name registration abuse such as typosquatting", + "description": "Domain name 
registration abuse such as typosquatting" + }, + { + "value": "domain-name-registration-abuse-domain-reputation-and-re-registration", + "expanded": "Domain name registration abuse as domain reputation and re-registration", + "description": "Domain name registration abuse as domain reputation and re-gistration" + }, + { + "value": "dns-reflection-dns-amplification", + "expanded": "DNS reflection - DNS amplification", + "description": "DNS reflection - DNS amplification" + }, + { + "value": "malicious-or-compromised-domains-ips-malicious-botnets-c2", + "expanded": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)", + "description": "Malicious or compromised domains/IPs - Malicious botnets (C&C servers)" + }, + { + "value": "malicious-or-compromised-domains-ips-fast-flux-domains", + "expanded": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks", + "description": "Malicious or compromised domains/IPs - Malicious fast-flux domain & networks" + }, + { + "value": "malicious-or-compromised-domains-ips-malicious-dgas", + "expanded": "Malicious or compromised domains/IPs - Malicious DGAs", + "description": "Malicious or compromised domains/IPs - Malicious DGAs" + }, + { + "value": "covert-channels-malicious-dns-tunneling", + "expanded": "Covert channels - Malicious DNS tunneling", + "description": "Covert channels - Malicious DNS tunneling" + }, + { + "value": "covert-channels-malicious-payload-distribution", + "expanded": "Covert channels - Malicious DNS tunneling", + "description": "Covert channels - Malicious DNS tunneling" + }, + { + "value": "benign-services-applications-malicious-dns-resolvers", + "expanded": "Benign services and applications - Malicious DNS resolvers", + "description": "Benign services and applications - Malicious DNS resolvers" + }, + { + "value": "benign-services-applications-malicious-scanners", + "expanded": "Benign services and applications - Malicious scanners", + "description": "Benign services 
and applications - Malicious scanners" + }, + { + "value": "benign-services-applications-url-shorteners", + "expanded": "Benign services and applications - URL shorteners", + "description": "Benign services and applications - URL shorteners" + } + ] + } + ] +} diff --git a/vocabulaire-des-probabilites-estimatives/machinetag.json b/vocabulaire-des-probabilites-estimatives/machinetag.json index 81b4e03..87086b9 100644 --- a/vocabulaire-des-probabilites-estimatives/machinetag.json +++ b/vocabulaire-des-probabilites-estimatives/machinetag.json @@ -4,23 +4,28 @@ "entry": [ { "expanded": "Presque aucune chance - Quasi impossible Presque impossible Minces chances Très douteux Très peu probable Très improbable Improbable Peu de chances - 7 % (marge d’erreur d’environ 5 %)", - "value": "presque-aucune-chance" + "value": "presque-aucune-chance", + "numerical_value": 7 }, { "expanded": "Probablement pas - Invraisemblable Peu probable - 30 % (marge d’erreur d’environ 10 %)", - "value": "probablement-pas" + "value": "probablement-pas", + "numerical_value": 30 }, { "expanded": "Chances à peu près égales - une chance sur deux - 50% (marge d’erreur d’environ 10 %)", - "value": "chances-à-peu-près-egales" + "value": "chances-à-peu-près-egales", + "numerical_value": 50 }, { "expanded": "Probable - Vraisemblable Probable - 75 % (marge d’erreur d’environ 12 %)", - "value": "probable" + "value": "probable", + "numerical_value": 75 }, { "expanded": "Quasi certaine - Certain Presque certain Très probable - 93% (marge d’erreur d’environ 6 %)", - "value": "quasi-certaine" + "value": "quasi-certaine", + "numerical_value": 93 } ], "predicate": "degré-de-probabilité" @@ -33,7 +38,7 @@ "value": "degré-de-probabilité" } ], - "version": 1, + "version": 2, "description": "Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité", "expanded": "Vocabulaire des probabilités estimatives", "namespace": "vocabulaire-des-probabilites-estimatives", 
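Review bot: The entry `covert-channels-malicious-payload-distribution` reuses the expanded/description text of the previous entry (`Covert channels - Malicious DNS tunneling`), so two different tags render identically; it should read `Covert channels - Malicious payload distribution`. The `dns-abuse-or-misuse` predicate is also the only one without an `expanded` field, and the re-registration entry's description has `re-gistration` and `abuse as domain reputation` where its own `expanded` and its siblings use `abuse such as`; I cannot tell whether that mirrors the source paper. Worth aligning these before the taxonomy ships at version 1.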
diff --git a/workflow/machinetag.json b/workflow/machinetag.json index bc1c7ae..a4c8c3b 100644 --- a/workflow/machinetag.json +++ b/workflow/machinetag.json @@ -2,7 +2,7 @@ "namespace": "workflow", "expanded": "workflow to support analysis", "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.", - "version": 8, + "version": 9, "predicates": [ { "value": "todo", @@ -55,10 +55,18 @@ "value": "create-missing-misp-galaxy-cluster", "expanded": "Create missing MISP galaxy cluster about the information tagged" }, + { + "value": "create-missing-misp-galaxy-cluster-relationship", + "expanded": "create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)" + }, { "value": "create-missing-misp-galaxy", "expanded": "Create missing MISP galaxy at large about the information tagged (e.g. a new category of malware or activity)" }, + { + "value": "create-missing-relationship", + "expanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)" + }, { "value": "add-context", "expanded": "Add contextual information about the information tagged" @@ -90,6 +98,14 @@ { "value": "additional-task", "expanded": "Used to point an additional task that can not be describe by the rest of the taxonomy and need to be done" + }, + { + "value": "create-event", + "expanded": "A new MISP event need to be created from the tag reference" + }, + { + "value": "preserve-evidence", + "expanded": "Preseve evidence mentioned in the information tagged" } ] }, @@ -107,6 +123,10 @@ { "value": "draft", "expanded": "Draft means the information tagged can be released as a preliminary version or outline" + }, + { + "value": "ongoing", + "expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst." } ] }
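Review bot: The new `preserve-evidence` text is misspelled (`Preseve evidence`) and the `create-event` text has a number-agreement error (`A new MISP event need to be created`); since these strings are what analysts see in the tag picker they should be `Preserve evidence mentioned in the information tagged` and `A new MISP event needs to be created from the tag reference`. In the earlier hunk, `create missing MISP galaxy cluster relationships` is the only `expanded` that starts in lowercase. Given that `preserve-evidence` is a forensics instruction, it may also be worth stating what it implies (e.g. do not modify or delete the referenced attributes), but that is a content choice for the taxonomy authors.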