Merge branch 'main'

master
Alexandre Dulaunoy 2024-03-13 16:42:47 +01:00
commit b5a87d228a
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
59 changed files with 24325 additions and 908 deletions

289
.gitchangelog.rc Normal file
View File

@ -0,0 +1,289 @@
# -*- coding: utf-8; mode: python -*-
##
## Format
##
## ACTION: [AUDIENCE:] COMMIT_MSG [!TAG ...]
##
## Description
##
## ACTION is one of 'chg', 'fix', 'new'
##
## Is WHAT the change is about.
##
## 'chg' is for refactor, small improvement, cosmetic changes...
## 'fix' is for bug fixes
## 'new' is for new features, big improvement
##
## AUDIENCE is optional and one of 'dev', 'usr', 'pkg', 'test', 'doc'|'docs'
##
## Is WHO is concerned by the change.
##
## 'dev' is for developpers (API changes, refactors...)
## 'usr' is for final users (UI changes)
## 'pkg' is for packagers (packaging changes)
## 'test' is for testers (test only related changes)
## 'doc' is for doc guys (doc only changes)
##
## COMMIT_MSG is ... well ... the commit message itself.
##
## TAGs are additionnal adjective as 'refactor' 'minor' 'cosmetic'
##
## They are preceded with a '!' or a '@' (prefer the former, as the
## latter is wrongly interpreted in github.) Commonly used tags are:
##
## 'refactor' is obviously for refactoring code only
## 'minor' is for a very meaningless change (a typo, adding a comment)
## 'cosmetic' is for cosmetic driven change (re-indentation, 80-col...)
## 'wip' is for partial functionality but complete subfunctionality.
##
## Example:
##
## new: usr: support of bazaar implemented
## chg: re-indentend some lines !cosmetic
## new: dev: updated code to be compatible with last version of killer lib.
## fix: pkg: updated year of licence coverage.
## new: test: added a bunch of test around user usability of feature X.
## fix: typo in spelling my name in comment. !minor
##
## Please note that multi-line commit message are supported, and only the
## first line will be considered as the "summary" of the commit message. So
## tags, and other rules only applies to the summary. The body of the commit
## message will be displayed in the changelog without reformatting.
##
## ``ignore_regexps`` is a line of regexps
##
## Any commit having its full commit message matching any regexp listed here
## will be ignored and won't be reported in the changelog.
##
ignore_regexps = [
r'@minor', r'!minor',
r'@cosmetic', r'!cosmetic',
r'@refactor', r'!refactor',
r'@wip', r'!wip',
r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[p|P]kg:',
r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*[d|D]ev:',
r'^(.{3,3}\s*:)?\s*[fF]irst commit.?\s*$',
]
## ``section_regexps`` is a list of 2-tuples associating a string label and a
## list of regexp
##
## Commit messages will be classified in sections thanks to this. Section
## titles are the label, and a commit is classified under this section if any
## of the regexps associated is matching.
##
## Please note that ``section_regexps`` will only classify commits and won't
## make any changes to the contents. So you'll probably want to go check
## ``subject_process`` (or ``body_process``) to do some changes to the subject,
## whenever you are tweaking this variable.
##
section_regexps = [
('New', [
r'^[nN]ew\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Changes', [
r'^[cC]hg\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Fix', [
r'^[fF]ix\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n]*)$',
]),
('Other', None ## Match all lines
),
]
## ``body_process`` is a callable
##
## This callable will be given the original body and result will
## be used in the changelog.
##
## Available constructs are:
##
## - any python callable that take one txt argument and return txt argument.
##
## - ReSub(pattern, replacement): will apply regexp substitution.
##
## - Indent(chars=" "): will indent the text with the prefix
## Please remember that template engines gets also to modify the text and
## will usually indent themselves the text if needed.
##
## - Wrap(regexp=r"\n\n"): re-wrap text in separate paragraph to fill 80-Columns
##
## - noop: do nothing
##
## - ucfirst: ensure the first letter is uppercase.
## (usually used in the ``subject_process`` pipeline)
##
## - final_dot: ensure text finishes with a dot
## (usually used in the ``subject_process`` pipeline)
##
## - strip: remove any spaces before or after the content of the string
##
## - SetIfEmpty(msg="No commit message."): will set the text to
## whatever given ``msg`` if the current text is empty.
##
## Additionally, you can `pipe` the provided filters, for instance:
#body_process = Wrap(regexp=r'\n(?=\w+\s*:)') | Indent(chars=" ")
#body_process = Wrap(regexp=r'\n(?=\w+\s*:)')
#body_process = noop
body_process = ReSub(r'((^|\n)[A-Z]\w+(-\w+)*: .*(\n\s+.*)*)+$', r'') | strip
## ``subject_process`` is a callable
##
## This callable will be given the original subject and result will
## be used in the changelog.
##
## Available constructs are those listed in ``body_process`` doc.
subject_process = (strip |
ReSub(r'^([cC]hg|[fF]ix|[nN]ew)\s*:\s*((dev|use?r|pkg|test|doc|docs)\s*:\s*)?([^\n@]*)(@[a-z]+\s+)*$', r'\4') |
SetIfEmpty("No commit message.") | ucfirst | final_dot)
## ``tag_filter_regexp`` is a regexp
##
## Tags that will be used for the changelog must match this regexp.
##
tag_filter_regexp = r'^v[0-9]+\.[0-9]+\.[0-9]+$'
## ``unreleased_version_label`` is a string or a callable that outputs a string
##
## This label will be used as the changelog Title of the last set of changes
## between last valid tag and HEAD if any.
unreleased_version_label = "%%version%% (unreleased)"
## ``output_engine`` is a callable
##
## This will change the output format of the generated changelog file
##
## Available choices are:
##
## - rest_py
##
## Legacy pure python engine, outputs ReSTructured text.
## This is the default.
##
## - mustache(<template_name>)
##
## Template name could be any of the available templates in
## ``templates/mustache/*.tpl``.
## Requires python package ``pystache``.
## Examples:
## - mustache("markdown")
## - mustache("restructuredtext")
##
## - makotemplate(<template_name>)
##
## Template name could be any of the available templates in
## ``templates/mako/*.tpl``.
## Requires python package ``mako``.
## Examples:
## - makotemplate("restructuredtext")
##
#output_engine = rest_py
#output_engine = mustache("restructuredtext")
output_engine = mustache("markdown")
#output_engine = makotemplate("restructuredtext")
## ``include_merge`` is a boolean
##
## This option tells git-log whether to include merge commits in the log.
## The default is to include them.
include_merge = True
## ``log_encoding`` is a string identifier
##
## This option tells gitchangelog what encoding is outputed by ``git log``.
## The default is to be clever about it: it checks ``git config`` for
## ``i18n.logOutputEncoding``, and if not found will default to git's own
## default: ``utf-8``.
#log_encoding = 'utf-8'
## ``publish`` is a callable
##
## Sets what ``gitchangelog`` should do with the output generated by
## the output engine. ``publish`` is a callable taking one argument
## that is an interator on lines from the output engine.
##
## Some helper callable are provided:
##
## Available choices are:
##
## - stdout
##
## Outputs directly to standard output
## (This is the default)
##
## - FileInsertAtFirstRegexMatch(file, pattern, idx=lamda m: m.start())
##
## Creates a callable that will parse given file for the given
## regex pattern and will insert the output in the file.
## ``idx`` is a callable that receive the matching object and
## must return a integer index point where to insert the
## the output in the file. Default is to return the position of
## the start of the matched string.
##
## - FileRegexSubst(file, pattern, replace, flags)
##
## Apply a replace inplace in the given file. Your regex pattern must
## take care of everything and might be more complex. Check the README
## for a complete copy-pastable example.
##
# publish = FileInsertIntoFirstRegexMatch(
# "CHANGELOG.rst",
# r'/(?P<rev>[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n/',
# idx=lambda m: m.start(1)
# )
#publish = stdout
## ``revs`` is a list of callable or a list of string
##
## callable will be called to resolve as strings and allow dynamical
## computation of these. The result will be used as revisions for
## gitchangelog (as if directly stated on the command line). This allows
## to filter exaclty which commits will be read by gitchangelog.
##
## To get a full documentation on the format of these strings, please
## refer to the ``git rev-list`` arguments. There are many examples.
##
## Using callables is especially useful, for instance, if you
## are using gitchangelog to generate incrementally your changelog.
##
## Some helpers are provided, you can use them::
##
## - FileFirstRegexMatch(file, pattern): will return a callable that will
## return the first string match for the given pattern in the given file.
## If you use named sub-patterns in your regex pattern, it'll output only
## the string matching the regex pattern named "rev".
##
## - Caret(rev): will return the rev prefixed by a "^", which is a
## way to remove the given revision and all its ancestor.
##
## Please note that if you provide a rev-list on the command line, it'll
## replace this value (which will then be ignored).
##
## If empty, then ``gitchangelog`` will act as it had to generate a full
## changelog.
##
## The default is to use all commits to make the changelog.
#revs = ["^1.0.3", ]
#revs = [
# Caret(
# FileFirstRegexMatch(
# "CHANGELOG.rst",
# r"(?P<rev>[0-9]+\.[0-9]+(\.[0-9]+)?)\s+\([0-9]+-[0-9]{2}-[0-9]{2}\)\n--+\n")),
# "HEAD"
#]
revs = []

41
.github/workflows/codeql.yml vendored Normal file
View File

@ -0,0 +1,41 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: "50 22 * * 5"
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ python ]
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"

View File

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.6, 3.7, 3.8, 3.9]
python-version: [3.8, 3.9, '3.10']
steps:

243
GrayZone/machinetag.json Normal file
View File

@ -0,0 +1,243 @@
{
"namespace": "GrayZone",
"description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
"version": 3,
"predicates": [
{
"value": "Adversary Emulation",
"expanded": "Adversary Emulation"
},
{
"value": "Beacons",
"expanded": "Beacons"
},
{
"value": "Deterrence",
"expanded": "Deterrence"
},
{
"value": "Deception",
"expanded": "Deception"
},
{
"value": "Tarpits, Sandboxes and Honeypots",
"expanded": "Tarpits, Sandboxes and Honeypots"
},
{
"value": "Threat Intelligence",
"expanded": "Threat Intelligence"
},
{
"value": "Threat Hunting",
"expanded": "Threat Hunting"
},
{
"value": "Adversary Takedowns",
"expanded": "Adversary Takedowns"
},
{
"value": "Ransomware",
"expanded": "Ransomware"
},
{
"value": "Rescue Missions",
"expanded": "Rescue Missions"
},
{
"value": "Sanctions, Indictments & Trade Remedies",
"expanded": "Sanctions, Indictments & Trade Remedies"
}
],
"values": [
{
"predicate": "Adversary Emulation",
"entry": [
{
"value": "Threat Modeling",
"expanded": "Arch threat modeling",
"description": "Modeling threat in services or/and in applications"
},
{
"value": "Purple Teaming",
"expanded": "Purple team collaboration",
"description": "Collaboration between red and blue team"
},
{
"value": "Blue Team",
"expanded": "Blue Team activities",
"description": "Defenders team actions, TTPs etc."
},
{
"value": "Red Team",
"expanded": "Red Team activities",
"description": "Actions, TTPs etc.of Red Team"
}
]
},
{
"predicate": "Beacons",
"entry": [
{
"value": "Inform",
"expanded": "Information from beacon",
"description": "Provide defender with informations about beacon user, intentional or not"
},
{
"value": "Notify",
"expanded": "Notification from beacon",
"description": "Beacon will just send alert, that has been accessed"
}
]
},
{
"predicate": "Deterrence",
"entry": [
{
"value": "by Retaliation",
"expanded": "Retaliation risk",
"description": "Adversary is threatened by retaliation if it will continue in actions"
},
{
"value": "by Denial",
"expanded": "Risk of Denial",
"description": "Deny action ever happened - example: if the attribution is important for adversary"
},
{
"value": "by Entanglement",
"expanded": "Risk of reputation loss",
"description": "By continuing in action adversary may be exhibited to punishment from defenders ally"
}
]
},
{
"predicate": "Deception",
"entry": [
{
"value": "Deception",
"expanded": "Deceptive actions",
"description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals"
},
{
"value": "Denial",
"expanded": "Suppress anything",
"description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc."
},
{
"value": "CounterDeception",
"expanded": "Answer to deception",
"description": "Answer to deception from adversary is counter-deception, for example: answer to phish with shadow user account to uncover next adversary actions"
},
{
"value": "Counter-Deception",
"expanded": "Active counterdeception",
"description": "Answer to adversary deception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
}
]
},
{
"predicate": "Tarpits, Sandboxes and Honeypots",
"entry": [
{
"value": "Honeypots",
"expanded": "Honeypots",
"description": "Emulating technical resources as services or whole machines or identities"
},
{
"value": "Sandboxes",
"expanded": "Sandboxes",
"description": "Place for secure detonation of anything"
},
{
"value": "Tarpits",
"expanded": "Slow Downs",
"description": "You can slow adversary from action for example by sending slow responses to request"
}
]
},
{
"predicate": "Threat Intelligence",
"entry": [
{
"value": "Passive - OSINT",
"expanded": "OpenSourceINTelligence",
"description": "Use of OSINT for creating of Threat Intelligence"
},
{
"value": "Passive - platforms",
"expanded": "Platforms for TI",
"description": "Save, share and collaborate on threat intelligence platforms"
},
{
"value": "Counter-Intelligence public",
"expanded": "Counter Intelligence",
"description": "Active retrieval of Threat Intelligence for purpose of defense collected with available public resources - example: active monitoring of web services to uncover action before happen (forum hacktivist group)"
},
{
"value": "Counter-Intelligence government",
"expanded": "Counter Intelligence",
"description": "Active retrieval of Threat Intelligence for purpose of defense collected with non-public resources - example: cooperation between secret services in EU"
}
]
},
{
"predicate": "Threat Hunting",
"entry": [
{
"value": "Threat Hunting",
"expanded": "Threat Hunting",
"description": "Threat Hunting is the activity of active search for possible signs of adversary in environment"
}
]
},
{
"predicate": "Adversary Takedowns",
"entry": [
{
"value": "Botnet Takedowns",
"expanded": "Botnet Takedowns",
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
},
{
"value": "Domain Takedowns",
"expanded": "Domain Takedowns",
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
},
{
"value": "Infrastructure Takedowns",
"expanded": "Whole environment takedowns",
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}
]
},
{
"predicate": "Ransomware",
"entry": [
{
"value": "Ransomware",
"expanded": "Ransomware by defenders",
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}
]
},
{
"predicate": "Rescue Missions",
"entry": [
{
"value": "Rescue Missions",
"expanded": "Rescue Missions",
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
}
]
},
{
"predicate": "Sanctions, Indictments & Trade Remedies",
"entry": [
{
"value": "Sanctions, Indictments & Trade Remedies",
"expanded": "Business and diplomatic actions and counteractions",
"description": "Activity with approval of legal governmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
}
]
}
]
}

View File

@ -18,10 +18,15 @@
"name": "DML",
"version": 1
},
{
"description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
"name": "GrayZone",
"version": 3
},
{
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
"name": "PAP",
"version": 2
"version": 3
},
{
"description": "The access method used to remotely access a system.",
@ -63,6 +68,16 @@
"name": "approved-category-of-action",
"version": 1
},
{
"description": "This taxonomy was designed to describe artificial satellites",
"name": "artificial-satellites",
"version": 1
},
{
"description": "A taxonomy describing security threats or incidents against the aviation sector.",
"name": "aviation",
"version": 1
},
{
"description": "Custom taxonomy for types of binary file.",
"name": "binary-class",
@ -74,9 +89,14 @@
"version": 2
},
{
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
"name": "circl",
"version": 5
"version": 6
},
{
"description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
"name": "cnsd",
"version": 20220513
},
{
"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.",
@ -101,7 +121,12 @@
{
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"name": "course-of-action",
"version": 2
"version": 3
},
{
"description": "Crowdsec IP address classifications and behaviors taxonomy.",
"name": "crowdsec",
"version": 1
},
{
"description": "Threats targetting cryptocurrency, based on CipherTrace report.",
@ -149,9 +174,9 @@
"version": 1
},
{
"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
"description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
"name": "dark-web",
"version": 3
"version": 6
},
{
"description": "Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.",
@ -173,6 +198,21 @@
"name": "de-vs",
"version": 1
},
{
"description": "Taxonomy of Death Possibilities",
"name": "death-possibilities",
"version": 1
},
{
"description": "Deception is an important component of information operations, valuable for both offense and defense. ",
"name": "deception",
"version": 1
},
{
"description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
"name": "dga",
"version": 2
},
{
"description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
"name": "dhs-ciip-sectors",
@ -183,6 +223,11 @@
"name": "diamond-model",
"version": 1
},
{
"description": "The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.",
"name": "diamond-model-for-influence-operations",
"version": 1
},
{
"description": "A subset of Information Security Marking Metadata ISM as required by Executive Order (EO) 13526. As described by DNI.gov as Data Encoding Specifications for Information Security Marking Metadata in Controlled Vocabulary Enumeration Values for ISM",
"name": "dni-ism",
@ -193,6 +238,11 @@
"name": "domain-abuse",
"version": 2
},
{
"description": "This taxonomy aims to list doping substances",
"name": "doping-substances",
"version": 2
},
{
"description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
"name": "drugs",
@ -256,12 +306,12 @@
{
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"name": "exercise",
"version": 8
"version": 11
},
{
"description": "Reasons why an event has been extended. ",
"description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
"name": "extended-event",
"version": 1
"version": 2
},
{
"description": "The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.",
@ -271,13 +321,18 @@
{
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
"name": "false-positive",
"version": 5
"version": 7
},
{
"description": "List of known file types.",
"name": "file-type",
"version": 1
},
{
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"name": "financial",
"version": 7
},
{
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
"name": "flesch-reading-ease",
@ -291,7 +346,7 @@
{
"description": "French gov information classification system",
"name": "fr-classif",
"version": 3
"version": 6
},
{
"description": "Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)",
@ -368,6 +423,11 @@
"name": "infoleak",
"version": 7
},
{
"description": "Taxonomy for tagging information by its origin: human-generated or AI-generated.",
"name": "information-origin",
"version": 2
},
{
"description": "Taxonomy to classify the information security data sources.",
"name": "information-security-data-source",
@ -378,6 +438,26 @@
"name": "information-security-indicators",
"version": 1
},
{
"description": "Describes the target of cyber training and education.",
"name": "interactive-cyber-training-audience",
"version": 1
},
{
"description": "The technical setup consists of environment structure, deployment, and orchestration.",
"name": "interactive-cyber-training-technical-setup",
"version": 1
},
{
"description": "The training environment details the environment around the training, consisting of training type and scenario.",
"name": "interactive-cyber-training-training-environment",
"version": 1
},
{
"description": "The training setup further describes the training itself with the scoring, roles, the training mode as well as the customization level.",
"name": "interactive-cyber-training-training-setup",
"version": 1
},
{
"description": "The interception method used to intercept traffic.",
"name": "interception-method",
@ -433,6 +513,11 @@
"name": "misp",
"version": 12
},
{
"description": "MISP workflow taxonomy to support result of workflow execution.",
"name": "misp-workflow",
"version": 3
},
{
"description": "MONARC Threats Taxonomy",
"name": "monarc-threat",
@ -463,6 +548,11 @@
"name": "nis",
"version": 2
},
{
"description": "The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.",
"name": "nis2",
"version": 3
},
{
"description": "Open Threat Taxonomy v1.1 base on James Tarala of SANS http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf, https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf, https://www.youtube.com/watch?v=5rdGOOFC_yE, and https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf",
"name": "open_threat",
@ -491,18 +581,38 @@
{
"description": "Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.",
"name": "phishing",
"version": 4
"version": 5
},
{
"description": "Non-exhaustive taxonomy of natural poison",
"name": "poison-taxonomy",
"version": 1
},
{
"description": "A political spectrum is a system to characterize and classify different political positions in relation to one another.",
"name": "political-spectrum",
"version": 1
},
{
"description": "After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.",
"name": "priority-level",
"version": 2
},
{
"description": "PyOTI automated enrichment schemes for point in time classification of indicators.",
"name": "pyoti",
"version": 3
},
{
"description": "Ransomware is used to define ransomware types and the elements that compose them.",
"name": "ransomware",
"version": 6
},
{
"description": "The seven roles seen in most ransomware incidents.",
"name": "ransomware-roles",
"version": 1
},
{
"description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.",
"name": "retention",
@ -511,7 +621,7 @@
{
"description": "Reference Security Incident Classification Taxonomy",
"name": "rsit",
"version": 1002
"version": 1003
},
{
"description": "Status of events used in Request Tracker.",
@ -519,9 +629,9 @@
"version": 2
},
{
"description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"name": "runtime-packer",
"version": 1
"version": 2
},
{
"description": "Flags describing the sample",
@ -538,11 +648,31 @@
"name": "scrippsco2-sampling-stations",
"version": 1
},
{
"description": "Sentinel indicator threat types.",
"name": "sentinel-threattype",
"version": 1
},
{
"description": "Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports",
"name": "smart-airports-threats",
"version": 1
},
{
"description": "Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.",
"name": "social-engineering-attack-vectors",
"version": 1
},
{
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
"name": "srbcert",
"version": 3
},
{
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"name": "state-responsibility",
"version": 1
},
{
"description": "Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf",
"name": "stealth_malware",
@ -561,7 +691,7 @@
{
"description": "Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.",
"name": "thales_group",
"version": 2
"version": 4
},
{
"description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
@ -574,9 +704,9 @@
"version": 1
},
{
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"name": "tlp",
"version": 5
"version": 10
},
{
"description": "Taxonomy to describe Tor network infrastructure",
@ -593,6 +723,11 @@
"name": "type",
"version": 1
},
{
"description": "The Unified Kill Chain is a refinement to the Kill Chain.",
"name": "unified-kill-chain",
"version": 1
},
{
"description": "The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.",
"name": "use-case-applicability",
@ -616,9 +751,9 @@
{
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
"name": "workflow",
"version": 10
"version": 12
}
],
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
"version": "20210621"
"version": "20240304"
}

View File

@ -2,23 +2,28 @@
"namespace": "PAP",
"expanded": "Permissible Actions Protocol",
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
"version": 2,
"version": 3,
"exclusive": true,
"predicates": [
{
"value": "RED",
"expanded": "(PAP:RED) Non-detectable actions only. Recipients may not use PAP:RED information on the network. Only passive actions on logs, that are not detectable from the outside.",
"colour": "#ff0000"
"colour": "#ff2b2b"
},
{
"value": "AMBER",
"expanded": "(PAP:AMBER) Passive cross check. Recipients may use PAP:AMBER information for conducting online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring honeypot.",
"colour": "#ffa800"
"colour": "#ffc000"
},
{
"value": "GREEN",
"expanded": "(PAP:GREEN) Active actions allowed. Recipients may use PAP:GREEN information to ping the target, block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact with the target.",
"colour": "#00ad1c"
"colour": "#33ff00"
},
{
"value": "CLEAR",
"expanded": "(PAP:CLEAR) No restrictions in using this information.",
"colour": "#ffffff"
},
{
"value": "WHITE",

155
README.md
View File

@ -4,7 +4,7 @@
MISP Taxonomies is a set of common classification libraries to tag, classify and organise information. Taxonomy allows to express the same vocabulary among a distributed set of users and organisations.
Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.
Taxonomies that can be used in [MISP](https://github.com/MISP/MISP) and other information sharing tool, are expressed in Machine Tags (Triple Tags). A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value. Machine tags are often called triple tag due to their format.
![Overview of the MISP taxonomies](tools/docs/images/taxonomy-explanation.png)
@ -15,22 +15,27 @@ The following taxonomies can be used in MISP (as local or distributed tags) or i
### CERT-XLM
[CERT-XLM](https://github.com/MISP/misp-taxonomies/tree/main/CERT-XLM) :
CERT-XLM Security Incident Classification. [Overview](https://www.misp-project.org/taxonomies.html#_CERT_XLM)
CERT-XLM Security Incident Classification. [Overview](https://www.misp-project.org/taxonomies.html#_cert_xlm)
### DFRLab-dichotomies-of-disinformation
[DFRLab-dichotomies-of-disinformation](https://github.com/MISP/misp-taxonomies/tree/main/DFRLab-dichotomies-of-disinformation) :
DFRLab Dichotomies of Disinformation. [Overview](https://www.misp-project.org/taxonomies.html#_DFRLab_dichotomies_of_disinformation)
DFRLab Dichotomies of Disinformation. [Overview](https://www.misp-project.org/taxonomies.html#_dfrlab_dichotomies_of_disinformation)
### DML
[DML](https://github.com/MISP/misp-taxonomies/tree/main/DML) :
The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. [Overview](https://www.misp-project.org/taxonomies.html#_DML)
The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. [Overview](https://www.misp-project.org/taxonomies.html#_dml)
### GrayZone
[GrayZone](https://github.com/MISP/misp-taxonomies/tree/main/GrayZone) :
Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling. [Overview](https://www.misp-project.org/taxonomies.html#_grayzone)
### PAP
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_PAP)
The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. [Overview](https://www.misp-project.org/taxonomies.html#_pap)
### access-method
@ -72,6 +77,16 @@ A series of assessment predicates describing the analyst capabilities to perform
[approved-category-of-action](https://github.com/MISP/misp-taxonomies/tree/main/approved-category-of-action) :
A pre-approved category of action for indicators being shared with partners (MIMIC). [Overview](https://www.misp-project.org/taxonomies.html#_approved_category_of_action)
### artificial-satellites
[artificial-satellites](https://github.com/MISP/misp-taxonomies/tree/main/artificial-satellites) :
This taxonomy was designed to describe artificial satellites [Overview](https://www.misp-project.org/taxonomies.html#_artificial_satellites)
### aviation
[aviation](https://github.com/MISP/misp-taxonomies/tree/main/aviation) :
A taxonomy describing security threats or incidents against the aviation sector. [Overview](https://www.misp-project.org/taxonomies.html#_aviation)
### binary-class
[binary-class](https://github.com/MISP/misp-taxonomies/tree/main/binary-class) :
@ -85,7 +100,12 @@ Internal taxonomy for CCCS. [Overview](https://www.misp-project.org/taxonomies.h
### circl
[circl](https://github.com/MISP/misp-taxonomies/tree/main/circl) :
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_circl)
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection. [Overview](https://www.misp-project.org/taxonomies.html#_circl)
### cnsd
[cnsd](https://github.com/MISP/misp-taxonomies/tree/main/cnsd) :
La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú. [Overview](https://www.misp-project.org/taxonomies.html#_cnsd)
### coa
@ -112,6 +132,11 @@ The COPINE Scale is a rating system created in Ireland and used in the United Ki
[course-of-action](https://github.com/MISP/misp-taxonomies/tree/main/course-of-action) :
A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. [Overview](https://www.misp-project.org/taxonomies.html#_course_of_action)
### crowdsec
[crowdsec](https://github.com/MISP/misp-taxonomies/tree/main/crowdsec) :
Crowdsec IP address classifications and behaviors taxonomy. [Overview](https://www.misp-project.org/taxonomies.html#_crowdsec)
### cryptocurrency-threat
[cryptocurrency-threat](https://github.com/MISP/misp-taxonomies/tree/main/cryptocurrency-threat) :
@ -160,7 +185,7 @@ Taxonomy to describe desired actions for Cytomic Orion [Overview](https://www.mi
### dark-web
[dark-web](https://github.com/MISP/misp-taxonomies/tree/main/dark-web) :
Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission. [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
### data-classification
@ -182,6 +207,21 @@ Distributed Denial of Service - or short: DDoS - taxonomy supports the descripti
[de-vs](https://github.com/MISP/misp-taxonomies/tree/main/de-vs) :
German (DE) Government classification markings (VS). [Overview](https://www.misp-project.org/taxonomies.html#_de_vs)
### death-possibilities
[death-possibilities](https://github.com/MISP/misp-taxonomies/tree/main/death-possibilities) :
Taxonomy of Death Possibilities [Overview](https://www.misp-project.org/taxonomies.html#_death_possibilities)
### deception
[deception](https://github.com/MISP/misp-taxonomies/tree/main/deception) :
Deception is an important component of information operations, valuable for both offense and defense. [Overview](https://www.misp-project.org/taxonomies.html#_deception)
### dga
[dga](https://github.com/MISP/misp-taxonomies/tree/main/dga) :
A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others. [Overview](https://www.misp-project.org/taxonomies.html#_dga)
### dhs-ciip-sectors
[dhs-ciip-sectors](https://github.com/MISP/misp-taxonomies/tree/main/dhs-ciip-sectors) :
@ -192,6 +232,11 @@ DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors [
[diamond-model](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model) :
The Diamond Model for Intrusion Analysis establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model)
### diamond-model-for-influence-operations
[diamond-model-for-influence-operations](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model-for-influence-operations) :
The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model_for_influence_operations)
### dni-ism
[dni-ism](https://github.com/MISP/misp-taxonomies/tree/main/dni-ism) :
@ -202,6 +247,11 @@ A subset of Information Security Marking Metadata ISM as required by Executive O
[domain-abuse](https://github.com/MISP/misp-taxonomies/tree/main/domain-abuse) :
Domain Name Abuse - taxonomy to tag domain names used for cybercrime. [Overview](https://www.misp-project.org/taxonomies.html#_domain_abuse)
### doping-substances
[doping-substances](https://github.com/MISP/misp-taxonomies/tree/main/doping-substances) :
This taxonomy aims to list doping substances [Overview](https://www.misp-project.org/taxonomies.html#_doping_substances)
### drugs
[drugs](https://github.com/MISP/misp-taxonomies/tree/main/drugs) :
@ -270,7 +320,7 @@ Exercise is a taxonomy to describe if the information is part of one or more cyb
### extended-event
[extended-event](https://github.com/MISP/misp-taxonomies/tree/main/extended-event) :
Reasons why an event has been extended. [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
### failure-mode-in-machine-learning
@ -287,6 +337,11 @@ This taxonomy aims to ballpark the expected amount of false positives. [Overview
[file-type](https://github.com/MISP/misp-taxonomies/tree/main/file-type) :
List of known file types. [Overview](https://www.misp-project.org/taxonomies.html#_file_type)
### financial
[financial](https://github.com/MISP/misp-taxonomies/tree/main/financial) :
Financial taxonomy to describe financial services, infrastructure and financial scope. [Overview](https://www.misp-project.org/taxonomies.html#_financial)
### flesch-reading-ease
[flesch-reading-ease](https://github.com/MISP/misp-taxonomies/tree/main/flesch-reading-ease) :
@ -377,6 +432,11 @@ How an incident is classified in its process to be resolved. The taxonomy is ins
[infoleak](https://github.com/MISP/misp-taxonomies/tree/main/infoleak) :
A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information. [Overview](https://www.misp-project.org/taxonomies.html#_infoleak)
### information-origin
[information-origin](https://github.com/MISP/misp-taxonomies/tree/main/information-origin) :
Taxonomy for tagging information by its origin: human-generated or AI-generated. [Overview](https://www.misp-project.org/taxonomies.html#_information_origin)
### information-security-data-source
[information-security-data-source](https://github.com/MISP/misp-taxonomies/tree/main/information-security-data-source) :
@ -387,6 +447,26 @@ Taxonomy to classify the information security data sources. [Overview](https://w
[information-security-indicators](https://github.com/MISP/misp-taxonomies/tree/main/information-security-indicators) :
A full set of operational indicators for organizations to use to benchmark their security posture. [Overview](https://www.misp-project.org/taxonomies.html#_information_security_indicators)
### interactive-cyber-training-audience
[interactive-cyber-training-audience](https://github.com/MISP/misp-taxonomies/tree/main/interactive-cyber-training-audience) :
Describes the target of cyber training and education. [Overview](https://www.misp-project.org/taxonomies.html#_interactive_cyber_training_audience)
### interactive-cyber-training-technical-setup
[interactive-cyber-training-technical-setup](https://github.com/MISP/misp-taxonomies/tree/main/interactive-cyber-training-technical-setup) :
The technical setup consists of environment structure, deployment, and orchestration. [Overview](https://www.misp-project.org/taxonomies.html#_interactive_cyber_training_technical_setup)
### interactive-cyber-training-training-environment
[interactive-cyber-training-training-environment](https://github.com/MISP/misp-taxonomies/tree/main/interactive-cyber-training-training-environment) :
The training environment details the environment around the training, consisting of training type and scenario. [Overview](https://www.misp-project.org/taxonomies.html#_interactive_cyber_training_training_environment)
### interactive-cyber-training-training-setup
[interactive-cyber-training-training-setup](https://github.com/MISP/misp-taxonomies/tree/main/interactive-cyber-training-training-setup) :
The training setup further describes the training itself with the scoring, roles, the training mode as well as the customization level. [Overview](https://www.misp-project.org/taxonomies.html#_interactive_cyber_training_training_setup)
### interception-method
[interception-method](https://github.com/MISP/misp-taxonomies/tree/main/interception-method) :
@ -442,6 +522,11 @@ classification for the identification of type of misinformation among websites.
[misp](https://github.com/MISP/misp-taxonomies/tree/main/misp) :
MISP taxonomy to infer with MISP behavior or operation. [Overview](https://www.misp-project.org/taxonomies.html#_misp)
### misp-workflow
[misp-workflow](https://github.com/MISP/misp-taxonomies/tree/main/misp-workflow) :
MISP workflow taxonomy to support result of workflow execution. [Overview](https://www.misp-project.org/taxonomies.html#_misp_workflow)
### monarc-threat
[monarc-threat](https://github.com/MISP/misp-taxonomies/tree/main/monarc-threat) :
@ -472,6 +557,11 @@ NATO classification markings. [Overview](https://www.misp-project.org/taxonomies
[nis](https://github.com/MISP/misp-taxonomies/tree/main/nis) :
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis)
### nis2
[nis2](https://github.com/MISP/misp-taxonomies/tree/main/nis2) :
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis2)
### open_threat
[open_threat](https://github.com/MISP/misp-taxonomies/tree/main/open_threat) :
@ -502,16 +592,36 @@ Penetration test (pentest) classification. [Overview](https://www.misp-project.o
[phishing](https://github.com/MISP/misp-taxonomies/tree/main/phishing) :
Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status. [Overview](https://www.misp-project.org/taxonomies.html#_phishing)
### poison-taxonomy
[poison-taxonomy](https://github.com/MISP/misp-taxonomies/tree/main/poison-taxonomy) :
Non-exhaustive taxonomy of natural poison [Overview](https://www.misp-project.org/taxonomies.html#_poison_taxonomy)
### political-spectrum
[political-spectrum](https://github.com/MISP/misp-taxonomies/tree/main/political-spectrum) :
A political spectrum is a system to characterize and classify different political positions in relation to one another. [Overview](https://www.misp-project.org/taxonomies.html#_political_spectrum)
### priority-level
[priority-level](https://github.com/MISP/misp-taxonomies/tree/main/priority-level) :
After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
### pyoti
[pyoti](https://github.com/MISP/misp-taxonomies/tree/main/pyoti) :
PyOTI automated enrichment schemes for point in time classification of indicators. [Overview](https://www.misp-project.org/taxonomies.html#_pyoti)
### ransomware
[ransomware](https://github.com/MISP/misp-taxonomies/tree/main/ransomware) :
Ransomware is used to define ransomware types and the elements that compose them. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware)
### ransomware-roles
[ransomware-roles](https://github.com/MISP/misp-taxonomies/tree/main/ransomware-roles) :
The seven roles seen in most ransomware incidents. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware_roles)
### retention
[retention](https://github.com/MISP/misp-taxonomies/tree/main/retention) :
@ -530,7 +640,7 @@ Status of events used in Request Tracker. [Overview](https://www.misp-project.or
### runtime-packer
[runtime-packer](https://github.com/MISP/misp-taxonomies/tree/main/runtime-packer) :
Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. [Overview](https://www.misp-project.org/taxonomies.html#_runtime_packer)
Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. [Overview](https://www.misp-project.org/taxonomies.html#_runtime_packer)
### scrippsco2-fgc
@ -547,11 +657,31 @@ Flags describing the sample for isotopic data (C14, O18) [Overview](https://www.
[scrippsco2-sampling-stations](https://github.com/MISP/misp-taxonomies/tree/main/scrippsco2-sampling-stations) :
Sampling stations of the Scripps CO2 Program [Overview](https://www.misp-project.org/taxonomies.html#_scrippsco2_sampling_stations)
### sentinel-threattype
[sentinel-threattype](https://github.com/MISP/misp-taxonomies/tree/main/sentinel-threattype) :
Sentinel indicator threat types. [Overview](https://www.misp-project.org/taxonomies.html#_sentinel_threattype)
### smart-airports-threats
[smart-airports-threats](https://github.com/MISP/misp-taxonomies/tree/main/smart-airports-threats) :
Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports [Overview](https://www.misp-project.org/taxonomies.html#_smart_airports_threats)
### social-engineering-attack-vectors
[social-engineering-attack-vectors](https://github.com/MISP/misp-taxonomies/tree/main/social-engineering-attack-vectors) :
Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others. [Overview](https://www.misp-project.org/taxonomies.html#_social_engineering_attack_vectors)
### srbcert
[srbcert](https://github.com/MISP/misp-taxonomies/tree/main/srbcert) :
SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_srbcert)
### state-responsibility
[state-responsibility](https://github.com/MISP/misp-taxonomies/tree/main/state-responsibility) :
A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers. [Overview](https://www.misp-project.org/taxonomies.html#_state_responsibility)
### stealth_malware
[stealth_malware](https://github.com/MISP/misp-taxonomies/tree/main/stealth_malware) :
@ -585,7 +715,7 @@ An overview of some of the known attacks related to DNS as described by Torabi,
### tlp
[tlp](https://github.com/MISP/misp-taxonomies/tree/main/tlp) :
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
### tor
@ -602,6 +732,11 @@ The Indicator of Trust provides insight about data on what can be trusted and kn
[type](https://github.com/MISP/misp-taxonomies/tree/main/type) :
Taxonomy to describe different types of intelligence gathering discipline which can be described the origin of intelligence. [Overview](https://www.misp-project.org/taxonomies.html#_type)
### unified-kill-chain
[unified-kill-chain](https://github.com/MISP/misp-taxonomies/tree/main/unified-kill-chain) :
The Unified Kill Chain is a refinement to the Kill Chain. [Overview](https://www.misp-project.org/taxonomies.html#_unified_kill_chain)
### use-case-applicability
[use-case-applicability](https://github.com/MISP/misp-taxonomies/tree/main/use-case-applicability) :

File diff suppressed because it is too large Load Diff

397
aviation/machinetag.json Normal file
View File

@ -0,0 +1,397 @@
{
"predicates": [
{
"expanded": "Target",
"value": "target"
},
{
"expanded": "Target systems",
"value": "target-systems"
},
{
"expanded": "Target Sub Systems",
"value": "target-sub-systems"
},
{
"value": "impact",
"expanded": "Impact",
"exclusive": true
},
{
"value": "likelihood",
"expanded": "Likelihood",
"exclusive": true
},
{
"expanded": "Criticality",
"value": "criticality"
},
{
"value": "certainty",
"expanded": "Certainty",
"exclusive": true
}
],
"version": 1,
"description": "A taxonomy describing security threats or incidents against the aviation sector.",
"namespace": "aviation",
"values": [
{
"predicate": "target",
"entry": [
{
"value": "airline",
"expanded": "airline",
"description": "airlines or airline groups"
},
{
"value": "airspace users",
"expanded": "Airspace Users",
"description": "Airspace users other than airlines like drone, helicopter, baloon operators"
},
{
"value": "airport",
"expanded": "Airport",
"description": "Airports or airport operators"
},
{
"value": "ansp",
"expanded": "Air Navigation Service Provider",
"description": "Air Navigation Service Provider who is managing the airspace of a country or a specific region"
},
{
"value": "international-association",
"expanded": "International Association",
"description": "International associations related with aviation sector"
},
{
"value": "caa",
"expanded": "Civil Aviation Authority",
"description": "Civil Aviation Authority who is responsible for regulation the aviation of a country"
},
{
"value": "manufacturer",
"expanded": "Manufacturer",
"description": "Manufacturers who produce aircrafts,aircraft or ATM related components"
},
{
"value": "service-provider",
"expanded": "Service Provider",
"description": "Service providers who provide different services to the aviation stakeholders"
},
{
"value": "network-manager",
"expanded": "Network Manager",
"description": "Network Manager manages ATM network functions (airspace design, flow management) as well as scarce resources"
},
{
"value": "military",
"expanded": "Military",
"description": "Military aviation"
}
]
},
{
"predicate": "target-systems",
"entry": [
{
"value": "ATM",
"expanded": "ATM - Air Traffic Management",
"description": "Air traffic management systems which manage airspace"
},
{
"value": "AIS",
"expanded": "AIS - Aeronautical Information Service",
"description": "Aeronatutical Infromation Service whose objective is to ensure the flow of aeronautical information and data necessary for the safety, regularity and efficiency of international air navigation"
},
{
"value": "MET",
"expanded": "MET - Meteorological Service",
"description": "Meteorological service which provides meteo data to the airspace users"
},
{
"value": "SAR",
"expanded": "SAR - Search and Rescue",
"description": "Search and rescue (SAR) service is provided to the survivors of aircraft accidents as well as aircraft in distress (and their occupants) regardless of their nationality"
},
{
"value": "CNS",
"expanded": "CNS - Communication, Navigation and Surveillance",
"description": "The main functions of ATM: Communication, Navigation and Surveillance"
},
{
"value": "airport-management-systems",
"expanded": "Airport Management Systems",
"description": "Airport IT and OT systems that manage airport internal operations"
},
{
"value": "airport-online-services",
"expanded": "Airport Online Services",
"description": "Airport online service that helps external users to reach airport services"
},
{
"value": "airport-fids-systems",
"expanded": "Airport Flight Information Display Systems",
"description": "Airport Flight Information Display Systems that guide the passangers about flights"
},
{
"value": "airline-management-systems",
"expanded": "Airline Management Systems",
"description": "Airline Management Systems that manage airline intenal operations"
},
{
"value": "airline-online-services",
"expanded": "Airline Online Services",
"description": "Airline Online Services that helps external users to reach airlines services"
}
]
},
{
"predicate": "target-sub-systems",
"entry": [
{
"value": "ATM:NewPENS",
"expanded": "ATM New PENS(Pan-European Network Service)",
"description": "ATM New PENS(Pan-European Network Service) which is private network for aviation stakeholders"
},
{
"value": "ATM:SWIM",
"expanded": "ATM SWIM(Sytem Wide Information Management)",
"description": "ATM SWIM(System Wide Information Management) is the system that enables seamless information access and interchange between all providers and users of ATM information and services"
},
{
"value": "ATM:ATS:ATC",
"expanded": "ATM ATS(Air Traffic Service) ATC - Air Traffic Control",
"description": "ATM ATS(Air Traffic Service) ATC - Air Traffic Control systems"
},
{
"value": "ATM:ATS:FIS",
"expanded": "ATM ATS FIS - Flight Information Services",
"description": "ATM ATS FIS - Flight Information Services systems"
},
{
"value": "ATM:ATS:ALRS",
"expanded": "ATM ATS ALRS - Alerting Services",
"description": "ATM ATS ALRS - Alerting Services systems"
},
{
"value": "ATM:ATS:ATFM",
"expanded": "ATM ATS ATFM(Air Traffic Flow Management)",
"description": "ATM ATS ATFM(Air Traffic Flow Management) systems "
},
{
"value": "ATM:ATS:ASM",
"expanded": "ATM ATS ASM(Airspace management)",
"description": "ATM ATS ASM(Airspace management) systems "
},
{
"value": "CNS:COM:Ground-Ground",
"expanded": "CNS COM Ground-Ground",
"description": "Ground-ground communication systems"
},
{
"value": "CNS:COM:Ground-Air",
"expanded": "CNS COM Ground Air",
"description": "Ground-Air communication systems"
},
{
"value": "CNS:COM:Air-Air",
"expanded": "CNS COM Air Air",
"description": "Air-Air Communication systems"
},
{
"value": "CNS:COM:Asterix",
"expanded": "CNS COM Asterix",
"description": "Asterix radar data protocol processing systems"
},
{
"value": "CNS:COM:VDL",
"expanded": "CNS COM VDL",
"description": "Very High Frequency Data link"
},
{
"value": "CNS:SUR:ADS-B",
"expanded": "CNS SUR ADS-B(Automatic Dependent Surveillance-Broadcast)",
"description": "ADS-B Automatic Dependent Surveillance-Broadcast) protocol"
},
{
"value": "CNS:SUR:ADS-C",
"expanded": "CNS SUR ADS-C(Automatic dependent surveillance-contract)",
"description": "ADS-C Automatic Dependent Surveillance-contract"
},
{
"value": "CNS:SUR:Radar",
"expanded": "CNS SUR Radar",
"description": "Radar related systems"
},
{
"value": "CNS:SUR:PR",
"expanded": "CNS SUR PR(Primary Radar)",
"description": "Primary Radar related systems"
},
{
"value": "CNS:SUR:SSR",
"expanded": "CNS SUR SSR(Secondary Surveillance Radar)",
"description": "Secondary Surveillance Radar related systems"
},
{
"value": "CNS:Nav:GNSS",
"expanded": "CNS Nav GNSS(Global Navigation Satellite Systems)",
"description": "GNSS(Global Naviation Satellite Systems) related systems"
},
{
"value": "CNS:Nav:GPS",
"expanded": "CNS Nav GPS(Global Positioning Systems)",
"description": "GPS(Global Positioning Systems) related systems"
},
{
"value": "CNS:Nav:GLONASS",
"expanded": "CNS Nav GLONASS(GLObal NAvigation Satellite Systems)",
"description": "GLONASS(GLObal NAvigation Satellite Systems) related systems"
},
{
"value": "CNS:Nav:ILS",
"expanded": "CNS Nav ILS(Instrument landing systems)",
"description": "ILS(Instrument landing systems) related systems"
},
{
"value": "CNS:Nav:GLS",
"expanded": "CNS Nav GLS (GNSS dependent landing systems",
"description": "GLS(GNSS dependent landing systems) related systems"
}
]
},
{
"predicate": "impact",
"entry": [
{
"value": "trivial",
"expanded": "Trivial"
},
{
"value": "minor",
"expanded": "Minor"
},
{
"value": "moderate",
"expanded": "Moderate"
},
{
"value": "major",
"expanded": "Major"
},
{
"value": "extreme",
"expanded": "Extreme"
}
]
},
{
"predicate": "likelihood",
"entry": [
{
"value": "almost-no-chance",
"expanded": "Almost no chance - remote - 01-05%",
"numerical_value": 0
},
{
"value": "very-unlikely",
"expanded": "Very unlikely - highly improbable - 05-20%",
"numerical_value": 5
},
{
"value": "unlikely",
"expanded": "Unlikely - improbable (improbably) - 20-45%",
"numerical_value": 20
},
{
"value": "roughly-even-chance",
"expanded": "Roughly even change - roughly even odds - 45-55%",
"numerical_value": 45
},
{
"value": "likely",
"expanded": "Likely - probable (probably) - 55-80%",
"numerical_value": 55
},
{
"value": "very-likely",
"expanded": "Very likely - highly probable - 80-95%",
"numerical_value": 80
},
{
"value": "almost-certain",
"expanded": "Almost certain(ly) - nearly certain - 95-99%",
"numerical_value": 95
}
]
},
{
"predicate": "criticality",
"entry": [
{
"value": "safety-critical",
"expanded": "Safety Critical",
"description": "Criticality level that threatens human life"
},
{
"value": "mission-critical",
"expanded": "Mission Critical",
"description": "Criticality level that affects the critical services impacting the airspace management"
},
{
"value": "business-critical",
"expanded": "business Critical",
"description": "Criticality level that affects business functions"
}
]
},
{
"entry": [
{
"description": "Certainty",
"expanded": "Certainty (probability equals 1 - 100%)",
"value": "100",
"numerical_value": 100
},
{
"description": "Almost certain",
"expanded": "Almost certain (probability equals 0.93 - 93%)",
"value": "93",
"numerical_value": 93
},
{
"description": "Probable",
"expanded": "Probable (probability equals 0.75 - 75%)",
"value": "75",
"numerical_value": 75
},
{
"description": "Chances about even",
"expanded": "Chances about even (probability equals 0.50 - 50%)",
"value": "50",
"numerical_value": 50
},
{
"description": "Probably not",
"expanded": "Probably not (probability equals 0.30 - 30%)",
"value": "30",
"numerical_value": 30
},
{
"description": "Almost certainly not",
"expanded": "Almost certainly not (probability equals 0.07 - 7%)",
"value": "7",
"numerical_value": 7
},
{
"description": "Impossibility",
"expanded": "Impossibility (probability equals 0 - 0%)",
"value": "0",
"numerical_value": 0
}
],
"predicate": "certainty"
}
]
}

View File

@ -1,7 +1,7 @@
{
"namespace": "circl",
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
"version": 5,
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
"version": 6,
"predicates": [
{
"value": "incident-classification",
@ -10,6 +10,11 @@
{
"value": "topic",
"expanded": "Topic"
},
{
"value": "significant",
"expanded": "Significant",
"description": "Significant topic which has been evaluated to have a certain level of significancy which can have or had a severe impact."
}
],
"values": [

230
cnsd/machinetag.json Normal file
View File

@ -0,0 +1,230 @@
{
"values": [
{
"entry": [
{
"description": "Correo electrónico masivo no solicitado, el destinatario no ha otorgado un permiso verificable",
"expanded": "Spam",
"value": "spam"
},
{
"description": "Ofrecer o instalar copias de software, u otros materiales sin licencia o derechos adquiridos de autor",
"expanded": "Copyright",
"value": "copyright"
},
{
"description": "Comprende los incidentes relacionados con la explotación sexual infantil, glorificación de la violencia o incitación al terrorismo.",
"expanded": "Explotación sexual infantil, racismo e incitación a la violencia.",
"value": "explotacion sexual infantil"
}
],
"predicate": "Contenido abusivo"
},
{
"entry": [
{
"description": "Inundaciones ICMP y SYN, los ataques Teardrop y los bombardeos por correo, y los ataques DDoS que se originan por bots.",
"expanded": "DoS/DDoS",
"value": "DoS/DDoS"
},
{
"description": "La disponibilidad tambien puede verse afectada por acciones locales o por fuerza mayor.",
"expanded": "sabotaje",
"value": "sabotaje"
}
],
"predicate": "Disponibilidad"
},
{
"entry": [
{
"description": "Mal uso o uso no autorizado de recursos, incluidas empresas con fines de lucro, cadenas de ganancias o esquemas piramidales.",
"expanded": "Mal-Uso",
"value": "mal-uso"
},
{
"description": "Una entidad u organización asume o se atribuye ilegitimamente la identidad de otra para beneficiarse de ella.",
"expanded": "Repres-Falsa",
"value": "repres-falsa"
}
],
"predicate": "Fraude"
},
{
"entry": [
{
"description": "Son ataques que interceptan y acceden a la información durante la transmisión.",
"expanded": "Acc-No-autorizado",
"value": "acc-no-autorizado"
},
{
"description": "El error humano de configuración de software puede ser una causa.",
"expanded": "Modi-Elim-No-Autorizada",
"value": "modi-elim-no-autorizada"
}
],
"predicate": "Fuga de información"
},
{
"entry": [
{
"description": "Un intento de comprometer un sistema o interrumpir cualquier servicio mediante la explotación de vulnerabilidades.",
"expanded": "Explot-Vulnerab",
"value": "explot-vulnerab"
},
{
"description": "Múltiples intentos de inicio de sesión (adivinar, descifrar contraseñas, fuerza bruta).",
"expanded": "Intento-Inicio-Sesión",
"value": "intento-inicio-sesión"
}
],
"predicate": "Intentos de intrusión"
},
{
"entry": [
{
"description": "Un intento de comprometer un sistema o interrumpir cualquier servicio mediante la explotación de vulnerabilidades.",
"expanded": "Explot-Extra-Vulnerab",
"value": "explot-extra-vulnerab"
},
{
"description": "Compromiso de un sistema en el que el atacante ha adquirido privilegios, accesa y sustrae de datos del centro de datos.",
"expanded": "Comprometer-Cuenta",
"value": "comprometer-cuenta"
}
],
"predicate": "Intrusión"
},
{
"entry": [
{
"description": "Se através de dispositivos extraibles, descargas de internet, adjuntos en correos, por scripts y vulneabilidades XSS.",
"expanded": "Infección",
"value": "infección"
},
{
"description": "Se presenta cuando un recurso de la organización es utilizado para la distribución de malware.",
"expanded": "Distribución",
"value": "distribución"
},
{
"description": "Conexión con servidor de mando y Control, mediante malware o sistemas infectados.",
"expanded": "C&C",
"value": "c&c"
},
{
"description": "Intercambio de información a nivel de red local o pública, cuyo origen o destino no este plenamente identificado.",
"expanded": "Conexión-Maliciosa",
"value": "conexión-maliciosa"
},
{
"description": "No se puede determinar.",
"expanded": "Indeterminado",
"value": "indeterminado"
}
],
"predicate": "Malware"
},
{
"entry": [
{
"description": "Se através de dispositivos extraibles, descargas de internet, adjuntos en correos, por scripts y vulneabilidades XSS.",
"expanded": "Scanning",
"value": "scanning"
},
{
"description": "Se presenta cuando un recurso de la organización es utilizado para la distribución de malware.",
"expanded": "Sniffing",
"value": "sniffing"
},
{
"description": "Conexión con servidor de mando y Control, mediante malware o sistemas infectados.",
"expanded": "Phishing",
"value": "phishing"
}
],
"predicate": "Recopilación de información"
},
{
"entry": [
{
"description": "Incidente no encontrado en la lista.",
"expanded": "Inc-No-Listado",
"value": "inc-no-listado"
},
{
"description": "Incidente que no se puede determinar o clasificar.",
"expanded": "Inc-Indeter",
"value": "inc-indeter"
},
{
"description": "Amenaza Avanzada Persistente (APT), ataques dirigidos contra entidades u organizaciones concretas, con mecanismos sofisticados.",
"expanded": "APT",
"value": "APT"
},
{
"description": "Uso de redes o sistemas de información con fines de caracter terrorista.",
"expanded": "Ciberterrorismo",
"value": "ciberterrorismo"
},
{
"description": "Daños en activos críticos nacionales, comprende el borrado, dañado, alteración, supresión o inaccesibilidad a un activo crítico.",
"expanded": "Danos-en-Activos",
"value": "danos-en-activos"
}
],
"predicate": "Otros"
}
],
"predicates": [
{
"description": "Comprende aquellos incidentes de contenido comercial no autorizados, comentarios ofensivos, violencia y/o delitos sexuales.",
"expanded": "Contenido abusivo",
"value": "Contenido abusivo"
},
{
"description": "Las operaciones se retrasan o el sistema se bloquea debido al gran número de peticiones concurrentes u orquestadas.",
"expanded": "Disponibilidad",
"value": "Disponibilidad"
},
{
"description": "Uso no autorizado de un bien o servicio, violación de derechos de autor o propiedad, suplantación de identidad.",
"expanded": "Fraude",
"value": "Fraude"
},
{
"description": "Pérdida de los datos e información, debido al acceso o conocimiento del contenido por parte de personas no autorizadas.",
"expanded": "Fuga de información",
"value": "Fuga de información"
},
{
"description": "Intento de comprometer la confidencialidad, integridad y disponibilidad de un activo de información.",
"expanded": "Intentos de intrusión",
"value": "Intentos de intrusión"
},
{
"description": "Se manifiesta el claro acceso a cuentas de usuarios con el propósito de comprometer la información crítica del negocio.",
"expanded": "Intrusión",
"value": "Intrusión"
},
{
"description": "Incidente relacionado con el uso de software que se incluye o inserta intencionalmente en el sistema para causar daño.",
"expanded": "Malware",
"value": "Malware"
},
{
"description": "Comprende aquellos incidentes relacionados con el uso de analizadores de paquetes, ingenieria social o ataques de fuerza bruta.",
"expanded": "Recopilación de información",
"value": "Recopilación de información"
},
{
"value": "Otros",
"expanded": "Otros",
"description": "Otros"
}
],
"version": 20220513,
"description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
"expanded": "CNSD Taxonomia de Incidentes de Seguridad Digital",
"namespace": "cnsd"
}

View File

@ -2,7 +2,7 @@
"namespace": "course-of-action",
"expanded": "Courses of Action",
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
"version": 2,
"version": 3,
"predicates": [
{
"value": "passive",
@ -21,6 +21,10 @@
"value": "discover",
"expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
},
{
"value": "nodiscover",
"expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
},
{
"value": "detect",
"expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."

309
crowdsec/machinetag.json Normal file
View File

@ -0,0 +1,309 @@
{
"version": 1,
"namespace": "crowdsec",
"description": "Crowdsec IP address classifications and behaviors taxonomy.",
"predicates": [
{
"value": "behavior",
"expanded": "Behavior",
"description": "Attack categories and behaviors associated with an IP address."
},
{
"value": "false-positive",
"expanded": "False positive",
"description": "Defines whether an IP address is a known false positive."
},
{
"value": "classification",
"expanded": "Classification",
"description": "Category associated to an IP address."
}
],
"values": [
{
"predicate": "behavior",
"entry": [
{
"value": "database-bruteforce",
"expanded": "Database Bruteforce",
"description": "IP has been reported for performing brute force on databases."
},
{
"value": "ftp-bruteforce",
"expanded": "FTP Bruteforce",
"description": "IP has been reported for performing brute force on FTP services."
},
{
"value": "generic-exploit",
"expanded": "Exploitation attempt",
"description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocol."
},
{
"value": "http-bruteforce",
"expanded": "HTTP Bruteforce",
"description": "IP has been reported for performing a HTTP brute force attack (either generic http probing or applicative related brute force)."
},
{
"value": "http-crawl",
"expanded": "HTTP Crawl",
"description": "IP has been reported for performing aggressive crawling of web applications."
},
{
"value": "http-exploit",
"expanded": "HTTP Exploit",
"description": "IP has been reported for attempting to exploit a vulnerability in a web application."
},
{
"value": "http-scan",
"expanded": "HTTP Scan",
"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
},
{
"value": "http-spam",
"expanded": "Web form spam",
"description": "IP has been reported trying to perform spam via web forms/forums."
},
{
"value": "iot-bruteforce",
"expanded": "IOT Bruteforce",
"description": "IP has been reported for performing brute force on IOT management interfaces."
},
{
"value": "ldap-bruteforce",
"expanded": "LDAP Bruteforce",
"description": "IP has been reported for performing brute force on ldap services."
},
{
"value": "pop3/imap-bruteforce",
"expanded": "POP3/IMAP Bruteforce",
"description": "IP has been reported for performing a POP3/IMAP brute force attack."
},
{
"value": "sip-bruteforce",
"expanded": "SIP Bruteforce",
"description": "IP has been reported for performing a SIP (VOIP) brute force attack."
},
{
"value": "smb-bruteforce",
"expanded": "SMB Bruteforce",
"description": "IP has been reported for performing brute force on samba services."
},
{
"value": "smtp-spam",
"expanded": "SMTP spam",
"description": "IP has been reported trying to perform spam SMTP service."
},
{
"value": "ssh-bruteforce",
"expanded": "SSH Bruteforce",
"description": "IP has been reported for performing brute force on ssh services."
},
{
"value": "tcp-scan",
"expanded": "TCP Scan",
"description": "IP has been reported for performing TCP port scanning."
},
{
"value": "telnet-bruteforce",
"expanded": "TELNET Bruteforce",
"description": "IP has been reported for performing brute force on telnet services."
},
{
"value": "vm-management-bruteforce",
"expanded": "VM Management Bruteforce",
"description": "IP has been reported for performing brute force on virtual environement management applications."
},
{
"value": "windows-bruteforce",
"expanded": "SMB/RDP bruteforce",
"description": "IP has been reported for performing brute force on Windows (samba, remote desktop) services."
}
]
},
{
"predicate": "false-positive",
"entry": [
{
"value": "cdn-cloudflare_exit_node",
"expanded": "Cloudflare CDN",
"description": "IP is a Cloudflare CDN exit IP and should not be flagged as a threat."
},
{
"value": "cdn-exit_node",
"expanded": "CDN exit node",
"description": "IP is a CDN exit IP and should not be flagged as a threat."
},
{
"value": "ip-private_range",
"expanded": "Private IP address range",
"description": "This IP address is in a private IP range"
},
{
"value": "msp-scanner",
"expanded": "Legitimate Scanner",
"description": "IP belongs to a known 'legitimate' scanner (MSP) and should not be flagged as a threat."
},
{
"value": "seo-crawler",
"expanded": "SEO crawler",
"description": "IP belongs to a known SEO crawler and should not be flagged as a threat."
},
{
"value": "seo-duckduckbot",
"expanded": "Duckduckbot SEO crawler",
"description": "IP belongs to Duckduckbot SEO crawler and should not be flagged as a threat."
},
{
"value": "seo-pinterest",
"expanded": "Pinterest crawler",
"description": "IP belongs to Pinterest crawler and should not be flagged as a threat."
}
]
},
{
"predicate": "classification",
"entry": [
{
"value": "community-blocklist",
"expanded": "CrowdSec Community Blocklist",
"description": "IP belong to the CrowdSec Community Blocklist"
},
{
"value": "profile-insecure_services",
"expanded": "Dangerous Services Exposed",
"description": "IP exposes dangerous services (vnc, telnet, rdp), possibly due to a misconfiguration or because it's a honeypot."
},
{
"value": "profile-many_services",
"expanded": "Many Services Exposed",
"description": "IP exposes many open port, possibly due to a misconfiguration or because it's a honeypot."
},
{
"value": "proxy-tor",
"expanded": "TOR exit node",
"description": "IP is being flagged as a TOR exit node."
},
{
"value": "proxy-vpn",
"expanded": "VPN",
"description": "IP exposes a VPN service or is being flagged as one."
},
{
"value": "range-data_center",
"expanded": "Data Center",
"description": "IP is known to be hosted in a data center."
},
{
"value": "scanner-alphastrike",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : AlphaSrike."
},
{
"value": "scanner-binaryedge",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : binaryedge."
},
{
"value": "scanner-censys",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : Censys."
},
{
"value": "scanner-cert.ssi.gouv.fr",
"expanded": "Known CERT",
"description": "IP belongs to an entity that scans internet : cert.ssi.gouv.fr."
},
{
"value": "scanner-cisa.dhs.gov",
"expanded": "Known CERT",
"description": "IP belongs to an entity that scans internet : cisa.dhs.gov."
},
{
"value": "scanner-internet-census",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : internet-census."
},
{
"value": "scanner-leakix",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : leakix."
},
{
"value": "scanner-legit",
"expanded": "Legit scanner",
"description": "IP belongs to a company that scans internet"
},
{
"value": "scanner-shadowserver.org",
"expanded": "Known Security Company",
"description": "IP belongs to an entity that scans internet : www.shadowserver.org."
},
{
"value": "scanner-shodan",
"expanded": "Known Security Company",
"description": "IP belongs to a company that scans internet : Shodan."
},
{
"value": "scanner-stretchoid",
"expanded": "Known Security Company",
"description": "IP belongs to an entity that scans internet : stretchoid."
},
{
"value": "profile-fake_rdns",
"expanded": "Fake RDNS",
"description": "IP is using a fake RDNS"
},
{
"value": "profile-nxdomain",
"expanded": "NXDOMAIN",
"description": "RDNS doesn't exist"
},
{
"value": "profile-router",
"expanded": "Router",
"description": "IP belongs to a router exping services on the internet"
},
{
"value": "profile-proxy",
"expanded": "Proxy",
"description": "IP exposes services that are commonly used by proxies"
},
{
"value": "profile-jupiter-vpn",
"expanded": "JupiterVPN",
"description": "IP belongs to a jupiter vpn"
},
{
"value": "device-cyberoam",
"expanded": "Cyberoam",
"description": "IP belongs to a Cyberoam router"
},
{
"value": "device-microtik",
"expanded": "Mikrotik",
"description": "IP belongs to a Mikrotik router"
},
{
"value": "device-asuswrt",
"expanded": "AsusWRT",
"description": "IP belongs to a AsusWRT router"
},
{
"value": "device-hikvision",
"expanded": "Hikvision",
"description": "IP belongs to a Hikvision camera"
},
{
"value": "device-ipcam",
"expanded": "IpCamera",
"description": "IP belongs to a IP camera"
},
{
"value": "profile-likely_botnet",
"expanded": "Likely Botnet",
"description": "IP is likely to belong to a botnet (based on behaviour and/or characteristics)"
}
]
}
]
}

View File

@ -46,6 +46,10 @@
{
"value": "Rag Pull",
"expanded": "Crypto scam that occurs when a team pumps their projects token before disappearing with the funds, leaving their investors with a valueless asset."
},
{
"value": "Pig Butchering Scam",
"expanded": "Cryptocurrency investment fraud that lures individuals into investing their money in seemingly legitimate and profitable ventures."
}
],
"refs": [

View File

@ -1,8 +1,8 @@
{
"namespace": "dark-web",
"expanded": "Dark Web",
"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
"version": 4,
"description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
"version": 6,
"predicates": [
{
"value": "topic",
@ -18,6 +18,16 @@
"value": "structure",
"description": "Structure of the materials tagged",
"expanded": "Structure"
},
{
"value": "service",
"description": "Information related to an Dark-Web service",
"expanded": "Service"
},
{
"value": "content",
"description": "Identifiable entities and information contained in a Dark-Web service",
"expanded": "Content"
}
],
"values": [
@ -26,182 +36,182 @@
"entry": [
{
"value": "drugs-narcotics",
"expanded": "Drugs/Narcotics",
"expanded": "drugsNarcotics",
"description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)."
},
{
"value": "electronics",
"expanded": "Electronics",
"expanded": "electronics",
"description": "Electronics and high tech materials, described or to sell for example."
},
{
"value": "finance",
"expanded": "Finance",
"expanded": "finance",
"description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc."
},
{
"value": "finance-crypto",
"expanded": "CryptoFinance",
"expanded": "cryptoFinance",
"description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc."
},
{
"value": "credit-card",
"expanded": "Credit-Card",
"expanded": "creditCard",
"description": "Credit cards and payments materials"
},
{
"value": "cash-in",
"expanded": "Cash-in",
"expanded": "cashIn",
"description": "Buying parts of assets, conversion from liquid assets, currency, etc."
},
{
"value": "cash-out",
"expanded": "Cash-out",
"expanded": "cashOut",
"description": "Selling parts of assets, conversion to liquid assets, currency, etc."
},
{
"value": "escrow",
"expanded": "Escrow",
"expanded": "escrow",
"description": "Third party keeping assets in behalf of two other parties making a transactions."
},
{
"value": "hacking",
"expanded": "Hacking",
"expanded": "hacking",
"description": "Materials relating to the illegal access to or alteration of data and/or electronic services."
},
{
"value": "identification-credentials",
"expanded": "Identification/Credentials",
"expanded": "identificationCredentials",
"description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials."
},
{
"value": "intellectual-property-copyright-materials",
"expanded": "Intellectual Property/Copyright Materials",
"expanded": "intellectualPropertyCopyrightMaterials",
"description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders."
},
{
"value": "pornography-adult",
"expanded": "Pornography - Adult",
"expanded": "pornographyAdult",
"description": "Lawful, ethical pornography (i.e. involving only consenting adults)."
},
{
"value": "pornography-child-exploitation",
"expanded": "Pornography - Child (Child Exploitation)",
"expanded": "pornographyChild(ChildExploitation)",
"description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities"
},
{
"value": "pornography-illicit-or-illegal",
"expanded": "Pornography - Illicit or Illegal",
"expanded": "pornographyIllicitOrIllegal",
"description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc."
},
{
"value": "search-engine-index",
"expanded": "Search Engine/Index",
"expanded": "searchEngineIndex",
"description": "Site providing links/references to other sites/services. Referred to as a nexus by (Moore and Rid, 2016)"
},
{
"value": "unclear",
"expanded": "Unclear",
"expanded": "unclear",
"description": "Unable to completely establish topic of material."
},
{
"value": "extremism",
"expanded": "Extremism",
"expanded": "extremism",
"description": "Illegal or of concern levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes."
},
{
"value": "violence",
"expanded": "Violence",
"expanded": "violence",
"description": "Materials relating to violence against persons or property."
},
{
"value": "weapons",
"expanded": "Weapons",
"expanded": "weapons",
"description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients."
},
{
"value": "softwares",
"expanded": "Softwares",
"expanded": "softwares",
"description": "Illegal or armful software distribution"
},
{
"value": "counteir-feit-materials",
"expanded": "Counter-feit materials",
"expanded": "counterFeitMaterials",
"description": "Fake identification papers."
},
{
"value": "gambling",
"expanded": "Gambling",
"expanded": "gambling",
"description": "Games involving money"
},
{
"value": "library",
"expanded": "Library",
"expanded": "library",
"description": "Library or list of books"
},
{
"value": "other-not-illegal",
"expanded": "Other not illegal",
"expanded": "otherNotIllegal",
"description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
},
{
"value": "legitimate",
"expanded": "Legitimate",
"expanded": "legitimate",
"description": "Legitimate websites"
},
{
"value": "chat",
"expanded": "Chats platforms",
"expanded": "chatsPlatforms",
"description": "Chats space or equivalent, which are not forums"
},
{
"value": "mixer",
"expanded": "Mixer",
"expanded": "mixer",
"description": "Anonymization tools for crypto-currencies transactions"
},
{
"value": "mystery-box",
"expanded": "Mystery-Box",
"expanded": "mysteryBox",
"description": "Mystery Box seller"
},
{
"value": "anonymizer",
"expanded": "Anonymizer",
"expanded": "anonymizer",
"description": "Anonymization tools"
},
{
"value": "vpn-provider",
"expanded": "VPN-Provider",
"expanded": "vpnProvider",
"description": "Provides VPN services and related"
},
{
"value": "email-provider",
"expanded": "EMail-Provider",
"expanded": "emailProvider",
"description": "Provides e-mail services and related"
},
{
"value": "ponies",
"expanded": "Ponies",
"expanded": "ponies",
"description": "self-explanatory. It's ponies"
},
{
"value": "games",
"expanded": "Games",
"expanded": "games",
"description": "Flash or online games"
},
{
"value": "parody",
"expanded": "Parody or Joke",
"expanded": "parodyOrJoke",
"description": "Meme, Parody, Jokes, Trolling, ..."
},
{
"value": "whistleblower",
"expanded": "Whistleblower",
"expanded": "whistleblower",
"description": "Exposition and sharing of confidential information with protection of the witness in mind"
},
{
"value": "ransomware-group",
"expanded": "Ransomware Group",
"expanded": "ransomwareGroup",
"description": "Ransomware group PR or leak website"
}
]
@ -211,92 +221,92 @@
"entry": [
{
"value": "education-training",
"expanded": "Education & Training",
"expanded": "educationTraining",
"description": "Materials providing instruction - e.g. how to guides"
},
{
"value": "wiki",
"expanded": "Wiki",
"expanded": "wiki",
"description": "Wiki pages, documentation and information display"
},
{
"value": "forum",
"expanded": "Forum",
"expanded": "forum",
"description": "Sites specifically designed for multiple users to communicate as peers"
},
{
"value": "file-sharing",
"expanded": "File Sharing",
"expanded": "fileSharing",
"description": "General file sharing, typically (but not limited to) movie/image sharing"
},
{
"value": "hosting",
"expanded": "Hosting",
"expanded": "hosting",
"description": "Hosting providers, e-mails, websites, file-storage etc."
},
{
"value": "ddos-services",
"expanded": "DDoS-Services",
"expanded": "ddosServices",
"description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc."
},
{
"value": "general",
"expanded": "General",
"expanded": "general",
"description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites."
},
{
"value": "information-sharing-reportage",
"expanded": "Information Sharing/Reportage",
"expanded": "InformationSharingReportage",
"description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy."
},
{
"value": "scam",
"expanded": "Scam",
"expanded": "scam",
"description": "Intentional confidence trick to fraud people or group of people"
},
{
"value": "political-speech",
"expanded": "Political-Speech",
"expanded": "politicalSpeech",
"description": "Political, activism, without extremism."
},
{
"value": "conspirationist",
"expanded": "Conspirationist",
"expanded": "conspirationist",
"description": "Conspirationist content, fake news, etc."
},
{
"value": "hate-speech",
"expanded": "Hate-Speech",
"expanded": "hateSpeech",
"description": "Racism, violent, hate... speech."
},
{
"value": "religious",
"expanded": "Religious",
"expanded": "religious",
"description": "Religious, faith, doctrinal related content."
},
{
"value": "marketplace-for-sale",
"expanded": "Marketplace/For Sale",
"expanded": "marketplaceForSale",
"description": "Services/goods for sale, regardless of means of payment."
},
{
"value": "smuggling",
"expanded": "Smuggling",
"expanded": "smuggling",
"description": "Information or trading of wild animals, prohibited goods, ... "
},
{
"value": "recruitment-advocacy",
"expanded": "Recruitment/Advocacy",
"expanded": "recruitmentAdvocacy",
"description": "Propaganda"
},
{
"value": "system-placeholder",
"expanded": "System/Placeholder",
"expanded": "systemPlaceholder",
"description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2"
},
{
"value": "unclear",
"expanded": "Unclear",
"expanded": "unclear",
"description": "Unable to completely establish motivation of material."
}
]
@ -306,55 +316,195 @@
"entry": [
{
"value": "incomplete",
"expanded": "Incomplete websites or information",
"expanded": "incomplete",
"description": "Websites and pages that are unable to load completely properly"
},
{
"value": "captcha",
"expanded": "Captcha and Solvers",
"expanded": "captcha",
"description": "Captchas and solvers elements"
},
{
"value": "login-forms",
"expanded": "Logins forms and gates",
"expanded": "loginForms",
"description": "Authentication pages, login page, login forms that block access to an internal part of a website."
},
{
"value": "contact-forms",
"expanded": "Contact forms and gates",
"expanded": "contactForms",
"description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..."
},
{
"value": "encryption-keys",
"expanded": "Encryption and decryption keys",
"expanded": "encryptionKeys",
"description": "e.g. PGP Keys, passwords, ..."
},
{
"value": "police-notice",
"expanded": "Police Notice",
"expanded": "policeNotice",
"description": "Closed websites, with police-equivalent banners"
},
{
"value": "legal-statement",
"expanded": "Legal-Statement",
"expanded": "legalStatement",
"description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..."
},
{
"value": "test",
"expanded": "Test",
"expanded": "test",
"description": "Test websites without any real consequences or effects"
},
{
"value": "videos",
"expanded": "Videos",
"expanded": "videos",
"description": "Videos and streaming"
},
{
"value": "ransomware-post",
"expanded": "ransomwarePost",
"description": "Ransomware post published by a ransomware group"
},
{
"value": "unclear",
"expanded": "Unclear",
"expanded": "unclear",
"description": "Unable to completely establish structure of material."
}
]
},
{
"predicate": "service",
"entry": [
{
"value": "url",
"expanded": "url",
"description": "Uniform Resource Locator (URL) of a dark-web. The url should indicate a protocol (http), a hostname (www.example.com), and a file name (index.html). Example: http://www.example.com/index.html"
},
{
"value": "content-type",
"expanded": "contentType",
"description": "Content-Type representaton headerused to indicate the original media type of the resource (prior to any content encoding applied for sending). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type"
},
{
"value": "path",
"expanded": "path",
"description": "The URL path is the string of information that comes after the top level domain name "
},
{
"value": "detection-date",
"expanded": "detectionDate",
"description": "Date in which the dark-web was detected. The date should be in ISO 8601 format. Example: 2019-01-01T00:00:00Z"
},
{
"value": "network-protocol",
"expanded": "networkProtocol",
"description": "Network protocol used to access the dark-web site (e.g., HTTP, HTTPS)"
},
{
"value": "port",
"expanded": "port",
"description": "Port number where the dark-web service is being offered"
},
{
"value": "network",
"expanded": "network",
"description": "Overlay network (darknet) that host the service or content"
},
{
"value": "found-at",
"expanded": "foundAt",
"description": "Domain or service where the dark-web where found at"
}
]
},
{
"predicate": "content",
"entry": [
{
"value": "sha1sum",
"expanded": "sha1sum",
"description": "SHA-1 (Secure Hash Algorithm 1) hash of the HTML or objectName content"
},
{
"value": "sha256sum",
"expanded": "sha256sum",
"description": "SHA-256 hash of the HTML or objectName content"
},
{
"value": "ssdeep",
"expanded": "ssdeep",
"description": "ssdeep fuzzy hash of the HTML or objectName content"
},
{
"value": "language",
"expanded": "language",
"description": "Detected language of the service in ISO 6391 Code. Example: en"
},
{
"value": "html",
"expanded": "html",
"description": "HyperText Markup Language (HTML) used in a website"
},
{
"value": "css",
"expanded": "css",
"description": "CSS (Cascading Style Sheets) used in a dark-web site"
},
{
"value": "text",
"expanded": "text",
"description": "Content of the dark-web service without HTML tags"
},
{
"value": "page-title",
"expanded": "pageTitle",
"description": "HTML <title> tag content of a dark-web site"
},
{
"value": "phone-number",
"expanded": "phoneNumber",
"description": "Phone number identified in the dark-web site"
},
{
"value": "creditCard",
"expanded": "creditCard",
"description": "Credit card identified in the dark-web site"
},
{
"value": "email",
"expanded": "email",
"description": "Email address identified in the dark-web site"
},
{
"value": "pgp-public-key-block",
"expanded": "pgpPublicKeyBlock",
"description": "PGP public key block identified in the dark-web site"
},
{
"value": "country",
"expanded": "country",
"description": "Associated country detected on the code of the dark-web site, following ISO 3166-1 alpha-2"
},
{
"value": "company-name",
"expanded": "companyName",
"description": "Company name identified in a dark-web site"
},
{
"value": "company-link",
"expanded": "companyLink",
"description": "Company link identified in a dark-web site"
},
{
"value": "victim-address",
"expanded": "victimAddress",
"description": "Business address identified in a dark-web site"
},
{
"value": "victim-TLD",
"expanded": "victimTLD",
"description": "Business Top Level Domain (TLD) of a company identified in a dark-web site"
}
]
}
]
}

File diff suppressed because it is too large Load Diff

243
deception/machinetag.json Normal file
View File

@ -0,0 +1,243 @@
{
"namespace": "deception",
"description": "Deception is an important component of information operations, valuable for both offense and defense. ",
"version": 1,
"refs": [
"https://faculty.nps.edu/ncrowe/rowe_iciw06.htm"
],
"expanded": "Deception",
"predicates": [
{
"value": "space",
"expanded": "Space",
"description": "Actions have associated locations, and deception can apply to those references."
},
{
"value": "time",
"expanded": "Time",
"description": "Many actions on computer are timestamped, and attackers and defenders can deceive in regard to those times. An attacker could change the times of events recorded in a log file or the directory information about files to conceal records of their activities."
},
{
"value": "participant",
"expanded": "Participant",
"description": "Actions have associated participants and the tools or objects by actions are accomplished."
},
{
"value": "causality",
"expanded": "Causality",
"description": "Deception in cause, purpose, and effect is important in many kinds of social-engineering attacks where false reasons like \"I have a deadline\" or \"It didn't work\" are given for requests for actions or information that aid the adversary. Deception in a contradiction action is not possible in cyberspace because commands do not generally relate actions."
},
{
"value": "quality",
"expanded": "Quality",
"description": "The \"quality\" semantic cases cover the manner in which actions are performed."
},
{
"value": "essence",
"expanded": "Essence",
"description": "Deception can occur in the ontological features of an action, its type and the context to which is belongs."
},
{
"value": "speech-act-theory",
"expanded": "Speech-Act-Theory",
"description": "Deception can involve semantic cases related to communication. Both internal and external preconditions provide useful deceptions by defenders since it is often hard to confirm deception in such conditions in cyberspace."
}
],
"values": [
{
"predicate": "space",
"entry": [
{
"value": "direction",
"expanded": "Direction",
"description": "direction of the action. Direction cases can arise with some actions that are supposedly one-way like file transfers."
},
{
"value": "location-at",
"expanded": "Location at",
"description": "Location where something occured"
},
{
"value": "location-from",
"expanded": "Location from",
"description": "Location where something started"
},
{
"value": "location-to",
"expanded": "Location to",
"description": "Location where something finished"
},
{
"value": "location-through",
"expanded": "Location through",
"description": "Location where some action passed through"
},
{
"value": "orientation",
"expanded": "Orientation",
"description": "Orientation (in some space). Orientation cases can arise with some actions that are supposedly one-way like file transfers."
}
]
},
{
"predicate": "time",
"entry": [
{
"value": "frequency",
"expanded": "Frequency",
"description": "Frequency of occurrence of a repeated action. Frequency is an excellent case for deception, as in denial-of-service attacks that greatly increase the frequency of requests or transactions to tie up computer resources."
},
{
"value": "time-at",
"expanded": "Time at",
"description": "Time at which something occurred"
},
{
"value": "time-from",
"expanded": "Time from",
"description": "Time at which something started"
},
{
"value": "time-to",
"expanded": "Time to",
"description": "Time at which something ended"
},
{
"value": "time-through",
"expanded": "Time through",
"description": "Time through which something occurred"
}
]
},
{
"predicate": "participant",
"entry": [
{
"value": "agent",
"expanded": "Agent",
"description": "Who initiates the action.Identification of participants responsible for actions (\"agents\") is a key problem in cyberspace, and is an easy target for deception."
},
{
"value": "beneficiary",
"expanded": "Beneficiary",
"description": "Who benefits. Deceptions involving the beneficiary of an action occur with phishing and other email scams."
},
{
"value": "experiencer",
"expanded": "Experiencer",
"description": "Who senses, experiences the action. Deception in the \"experiencer\" case occurs with secret monitoring of adversary activities."
},
{
"value": "instrument",
"expanded": "Instrument",
"description": "What helps accomplish the action. Deception is easy with the instrument case because details of how software accomplishes things are often hidden in cyberspace."
},
{
"value": "object",
"expanded": "Object",
"description": "What the action is done for. Deception in objects of the action is easy: Honeypots deceive as to the hardware and software objects of an attack, and \"bait\" data such as credit-card numbers can also be deceptive objects."
},
{
"value": "recipient",
"expanded": "Recipient",
"description": "Who receives the action. The recipient of an action in cyberspace is usually the object. "
}
]
},
{
"predicate": "causality",
"entry": [
{
"value": "cause",
"expanded": "Cause",
"description": "Cause of the action"
},
{
"value": "contradiction",
"expanded": "Contradiction",
"description": "What this action opposes if anything"
},
{
"value": "effect",
"expanded": "Effect",
"description": "Effect of the action"
},
{
"value": "purpose",
"expanded": "Purpose",
"description": "Purpose of the action"
}
]
},
{
"predicate": "quality",
"entry": [
{
"value": "accompaniment",
"expanded": "Accompaniment",
"description": "An additionnal object associated with the action"
},
{
"value": "content",
"expanded": "Content",
"description": "What is contained by th eaction object"
},
{
"value": "manner",
"expanded": "Manner",
"description": "The way in which action is done. (Deception in manner does not generally apply because the manner in which a command is issued or executed should not affect the outcome.)"
},
{
"value": "material",
"expanded": "Material",
"description": "The atomic units out of which the action is composed. Deception in material does not apply much because everything is represented as bits in cyberspace, though defenders can deceive this way by simulating commands rather than executing them."
},
{
"value": "measure",
"expanded": "Measure",
"description": "The mesurement associated with the action. Deception in measure (the amount of data) is important in denial-of-service attacks and can also done defensively by swamping the attacker with data."
},
{
"value": "order",
"expanded": "Order",
"description": "With respect to other actions"
},
{
"value": "value",
"expanded": "Value",
"description": "The data transmitted by the action (the software sense of the term). Deception in value (or subroutine \"argument\") can occur defensively as in a ploy of misunderstanding attacker commands."
}
]
},
{
"predicate": "essence",
"entry": [
{
"value": "supertype",
"expanded": "Supertype",
"description": "a generalization of the action type. Phishing email is an example of deception in supertype."
},
{
"value": "whole",
"expanded": "Whole",
"description": "of which the action is a part"
}
]
},
{
"predicate": "speech-act-theory",
"entry": [
{
"value": "external-precondition",
"expanded": "External precondition",
"description": "external precondition on the action. External preconditions are on the rest of the world such as the ability of a site to accept a particular user-supplied password. "
},
{
"value": "internal-precondition",
"expanded": "Internal precondition",
"description": "internal precondition, on the ability of the agent to perform the action. Internal preconditions are on the agent of the action, such as ability of a user to change their password."
}
]
}
]
}

64
dga/machinetag.json Normal file
View File

@ -0,0 +1,64 @@
{
"namespace": "dga",
"expanded": "Domain-Generation Algorithms",
"description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
"version": 2,
"predicates": [
{
"value": "generation-scheme",
"expanded": "Generation scheme used for the DGA"
},
{
"value": "seeding",
"expanded": "Seeding scheme used for the DGA"
}
],
"values": [
{
"predicate": "generation-scheme",
"entry": [
{
"value": "arithmetic",
"expanded": "Arithmetic",
"description": "Calculate a sequence of values that either have a direct ASCII representation usable for a domain name or designate an offset in one or more hard- coded arrays, constituting the alphabet of the DGA. "
},
{
"value": "hash",
"expanded": "Hash",
"description": "Use the hexdigest representation of a hash to produce the domain."
},
{
"value": "wordlist",
"expanded": "Wordlist",
"description": "Concatenate a sequence of words from one or more wordlists, resulting in less randomly appealing and thus more camouflaging domains"
},
{
"value": "permutation",
"expanded": "Permutation",
"description": "derive all possible AGDs (Algorithmically-Generated Domain) through permutation of an initial domain name."
}
]
},
{
"predicate": "seeding",
"entry": [
{
"value": "time-dependent",
"expanded": "The DGA uses temporal information in the seeding for its domain generation, resulting in sets of domains with certain validity time spans."
},
{
"value": "time-independent",
"expanded": "The DGA does not rely on temporal information in the seeding for its domain generation, resulting in a single set of domains."
},
{
"value": "deterministic",
"expanded": "Given the implementation of the DGA and a seed, its full set of possible domains can be calculated at any point in time."
},
{
"value": "non-deterministic",
"expanded": "Domains depend on unpredictable seed input, e.g. on external dynamic information that can be published at a later time (e.g. via posting on social media), on data specific to the system it is executed on, or on arbitrary non-predictable PRNG output."
}
]
}
]
}

View File

@ -0,0 +1,31 @@
{
"namespace": "diamond-model-for-influence-operations",
"expanded": "The Diamond Model for Influence Operations Analysis",
"description": "The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.",
"version": 1,
"refs": [
"https://go.recordedfuture.com/hubfs/white-papers/diamond-model-influence-operations-analysis.pdf"
],
"predicates": [
{
"value": "Influencer",
"expanded": "The influencer is an individual or organization that is conducting malign influence activity."
},
{
"value": "Capabilities",
"expanded": "Capabilities are the influencers TTPs. Studying the way influencers plan, test, and execute their operations can enable analysts to be more proactive in defending against malign influence and to discern how to neutralize harmful narratives when they are identified. "
},
{
"value": "Infrastructure",
"expanded": "The infrastructure used by influencers can include print media, television, digital platforms like websites, mobile phones, mobile applications, and more. "
},
{
"value": "Audience",
"expanded": "The audience is the intended target of the influence operation. The audience can range in size from a single individual to a large international audience. "
},
{
"value": "Narrative",
"expanded": "The narrative is often key to identifying who would be affected by the story and who would be motivated to propagate that particular message. "
}
]
}

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

View File

@ -0,0 +1,44 @@
# MISP_DopingSubstanceTaxonomy
This project aims to gather information about all the prohibited sports Doping Substances.
We collected all of the information on the [WADA website](https://www.wada-ama.org/en/prohibited-list).
To do that we have created a python script to scrap this website and generate a JSON file (Taxonomy).
This Taxonomy could be add in MISP to help sports organizations to fight against usage of doping substances.
## MISP
![logo](Misp-logo.png)
What is MISP ?
>A threat intelligence platform for sharing, storing and correlating
Indicators of Compromise of targeted attacks, threat intelligence,
financial fraud information, vulnerability information or even
counter-terrorism information. Discover how MISP is used today in
multiple organisations. Not only to store, share, collaborate on cyber
security indicators, malware analysis, but also to use the IoCs and
information to detect and prevent attacks, frauds or threats against ICT
infrastructures, organisations or people.
## JSON Generation
In order to build the JSON file, we created a Python script which scrap the WADA (World Anti-Doping Agency) s prohibited list.
Thanks to BeautifulSoup, a useful library that helps a lot when it comes to scrap HTLM documents, the script is able to get all the list of doping substances.
The file is created with PyTaxonomies, a MISP library that help to create valid JSON file according to the [MISP Platform](https://www.misp-project.org/taxonomies.html#_misp_taxonomies).
Finally, the script generates all predicates (doping categories) and the entries associated (the doping substances themselves).
## Installation
If you want to try it out yourself, you need to have both BeautifulSoup & PyTaxonomies installated.
## Authors
DELUS Thibaut : https://github.com/WooZyhh
JACOB Lucas : https://github.com/Chaamoxs

View File

@ -0,0 +1,63 @@
import json
import requests
from bs4 import BeautifulSoup
from pathlib import Path
from pytaxonomies import Entry, Predicate, Taxonomy
CONTENT_URL = 'https://www.wada-ama.org/en/prohibited-list'
TAXONOMY_DESCRIPTION = 'This taxonomy aims to list doping substances'
TAXONOMY_EXPANDED = 'Doping substances'
TAXONOMY_NAME = 'doping-substances'
ignore = ('NON-APPROVED SUBSTANCES', )
def list_predicates(articles):
predicates = {}
for article in articles:
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
if title in ignore:
continue
predicate = Predicate()
predicate.predicate = title
div = article.find('div', attrs={'class': 'layout-wysiwyg'})
description = div.find('p')
predicate.description = description.find_next_sibling().text
predicates[title] = predicate
return predicates
def generate_taxonomy():
new_taxonomy = Taxonomy()
new_taxonomy.name = TAXONOMY_NAME
new_taxonomy.expanded = TAXONOMY_EXPANDED
new_taxonomy.description = TAXONOMY_DESCRIPTION
response = requests.get(CONTENT_URL)
soup = BeautifulSoup(response.text, 'html.parser')
articles = soup.findAll('article', attrs={'class': 'panel hide-reader'})
new_taxonomy.predicates = list_predicates(articles)
for article in articles:
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
if title in ignore:
continue
products = article.findAll('li')
products_list = {}
for product in products:
entry = Entry()
entry.value = product.text
products_list[entry.value] = entry
new_taxonomy.predicates[title].entries = products_list
return new_taxonomy
if __name__ == '__main__':
taxonomy = generate_taxonomy()
taxonomy.version = 2
with open(Path(__file__).resolve().parent / 'machinetag.json', 'wt', encoding='utf-8') as f:
json.dump(taxonomy.to_dict(), f, indent=2, ensure_ascii=False)

File diff suppressed because it is too large Load Diff

View File

@ -45,6 +45,16 @@
{
"predicate": "cyber-europe",
"entry": [
{
"value": "2024",
"expanded": "2024",
"description": "7th pan European cyber crisis exercise: Cyber Europe 2024 (CE2024)"
},
{
"value": "2022",
"expanded": "2022",
"description": "6th pan European cyber crisis exercise: Cyber Europe 2022 (CE2022)"
},
{
"value": "2018",
"expanded": "2018",
@ -94,6 +104,21 @@
"value": "2021",
"expanded": "2021",
"description": "Locked Shields 2021"
},
{
"value": "2022",
"expanded": "2022",
"description": "Locked Shields 2022"
},
{
"value": "2023",
"expanded": "2023",
"description": "Locked Shields 2023"
},
{
"value": "2024",
"expanded": "2024",
"description": "Locked Shields 2024"
}
]
},
@ -183,7 +208,7 @@
]
}
],
"version": 8,
"version": 11,
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
"expanded": "Exercise",
"namespace": "exercise"

View File

@ -1,7 +1,7 @@
{
"namespace": "extended-event",
"description": "Reasons why an event has been extended. ",
"version": 1,
"description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
"version": 2,
"predicates": [
{
"value": "competitive-analysis",
@ -25,6 +25,11 @@
"value": "update",
"expanded": "Update",
"description": "Original event is deprecated"
},
{
"value": "counter-analysis",
"expanded": "Counter analysis",
"description": "This extended event is a counter analysis of the original one. The author disagrees with the original statement."
}
],
"values": [
@ -34,22 +39,22 @@
{
"value": "devil-advocate",
"expanded": "Devil's advocate",
"description": "Is a competitive analysis of devil's advocate type."
"description": "Is a competitive analysis of devil's advocate type. A devils advocate is someone who defends a minority point of view."
},
{
"value": "absurd-reasoning",
"expanded": "Absurd reasoning",
"description": "Is a competitive analysis of absurd reasoning type"
"description": "Is a competitive analysis of absurd reasoning type."
},
{
"value": "role-playing",
"expanded": "Role playing",
"description": "Is a competitive analysis of role playing type"
"description": "Is a competitive analysis of role playing type. Role playing is commonly used to overcome con- straints and inhibitions that limit the range of ones thinking. Playing a role changes “where you sit.” It also gives one license to think and act differently."
},
{
"value": "crystal-ball",
"expanded": "Crystal ball",
"description": "Is a competitive analysis of crystal ball type"
"description": "Is a competitive analysis of crystal ball type. The crystal ball approach works in much the same way as thinking backwards. Imagine that a “perfect” intelligence source (such as a crystal ball) has told you a certain assumption is wrong. You must then develop a scenario to explain how this could be true. If you can develop a plausible scenario, this suggests your assumption is open to some question."
}
]
},
@ -59,7 +64,7 @@
{
"value": "automatic-expansion",
"expanded": "Automatic expansion",
"description": "This extended event is composed of elements derived from automatic expanxions services"
"description": "This extended event is composed of elements derived from automatic expansions services"
},
{
"value": "aggressive-pivoting",

View File

@ -1,7 +1,7 @@
{
"namespace": "false-positive",
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
"version": 5,
"version": 7,
"expanded": "False positive",
"predicates": [
{
@ -25,19 +25,29 @@
"value": "low",
"expanded": "Low",
"description": "The risk of having false positives in the tagged value is low.",
"numerical_value": 75
"numerical_value": 75,
"colour": "#33FF00"
},
{
"value": "medium",
"expanded": "Medium",
"description": "The risk of having false positives in the tagged value is medium.",
"numerical_value": 50
"numerical_value": 50,
"colour": "#FFFF00"
},
{
"value": "high",
"expanded": "High",
"description": "The risk of having false positives in the tagged value is high.",
"numerical_value": 25
"numerical_value": 25,
"colour": "#FF2B2B"
},
{
"value": "cannot-be-judged",
"expanded": "Risk cannot be judged",
"description": "The risk of having false positives in the tagged value cannot be judged.",
"numerical_value": 25,
"colour": "#FFC000"
}
]
},
@ -53,7 +63,7 @@
{
"value": "false",
"expanded": "False",
"description": "The flase positive is not confirmed.",
"description": "The false positive is not confirmed.",
"numerical_value": 50
}
]

View File

@ -107,6 +107,11 @@
"expanded": "internet",
"value": "xml"
},
{
"colour": "#11eded",
"expanded": "internet",
"value": "hta"
},
{
"colour": "#ccffeb",
"expanded": "internet",
@ -202,6 +207,11 @@
"expanded": "image",
"value": "gimp"
},
{
"colour": "#25c3e6",
"expanded": "image",
"value": "img"
},
{
"colour": "#80ffce",
"expanded": "image",
@ -362,11 +372,36 @@
"expanded": "document",
"value": "ps"
},
{
"colour": "#33ffb1",
"expanded": "document",
"value": "dot"
},
{
"colour": "#33ffb1",
"expanded": "document",
"value": "dotm"
},
{
"colour": "#33ffb1",
"expanded": "document",
"value": "dotx"
},
{
"colour": "#33ffb1",
"expanded": "document",
"value": "doc"
},
{
"colour": "#35b8f0",
"expanded": "document",
"value": "txt"
},
{
"colour": "#ccffeb",
"expanded": "document",
"value": "docm"
},
{
"colour": "#ccffeb",
"expanded": "document",
@ -397,6 +432,11 @@
"expanded": "document",
"value": "xlsx"
},
{
"colour": "#00663f",
"expanded": "document",
"value": "xlsm"
},
{
"colour": "#99ffd8",
"expanded": "document",
@ -437,6 +477,11 @@
"expanded": "bundle",
"value": "isoimage"
},
{
"colour": "#00b36e",
"expanded": "bundle",
"value": "txz"
},
{
"colour": "#00b36e",
"expanded": "bundle",
@ -447,6 +492,11 @@
"expanded": "bundle",
"value": "gzip"
},
{
"colour": "#33ffb1",
"expanded": "bundle",
"value": "tar"
},
{
"colour": "#33ffb1",
"expanded": "bundle",
@ -522,6 +572,11 @@
"expanded": "bundle",
"value": "xz"
},
{
"colour": "#33ffb1",
"expanded": "code",
"value": "bat"
},
{
"colour": "#33ffb1",
"expanded": "code",
@ -557,6 +612,11 @@
"expanded": "code",
"value": "cpp"
},
{
"colour": "#00cc7e",
"expanded": "code",
"value": "javascript"
},
{
"colour": "#00cc7e",
"expanded": "code",
@ -572,6 +632,11 @@
"expanded": "code",
"value": "pascal"
},
{
"colour": "#33b5a5",
"expanded": "code",
"value": "vbs"
},
{
"colour": "#b3ffe2",
"expanded": "code",
@ -592,6 +657,11 @@
"expanded": "code",
"value": "java-bytecode"
},
{
"colour": "#2e73db",
"expanded": "code",
"value": "ppa"
},
{
"colour": "#004d2f",
"expanded": "apple",
@ -645,7 +715,7 @@
{
"colour": "#00663f",
"expanded": "miscellaneous",
"value": "data"
"value": "dat"
}
],
"predicate": "type"

200
financial/machinetag.json Normal file
View File

@ -0,0 +1,200 @@
{
"predicates": [
{
"description": "Categories and types of services in the financial scope. An entity can be tag with one or more categories or types of services.",
"expanded": "Categories and types of services",
"value": "categories-and-types-of-services"
},
{
"description": "Geographical footprint of the financial entity.",
"expanded": "Geographical footprint",
"value": "geographical-footprint"
},
{
"description": "Online exposition of the financial entity.",
"expanded": "Online exposition",
"value": "online-exposition"
},
{
"description": "Physical presence of the financial entity.",
"expanded": "Physical presence",
"value": "physical-presence"
},
{
"description": "Services provided by the financial entity.",
"expanded": "Services",
"value": "services"
}
],
"values": [
{
"predicate": "categories-and-types-of-services",
"entry": [
{
"value": "banking",
"expanded": "Banking",
"description": "Financial entity described or/and regulated as banking."
},
{
"value": "private",
"expanded": "Private",
"description": "Financial entity engaged in private banking."
},
{
"value": "retail",
"expanded": "Retail",
"description": "Financial entity engaged in retail banking."
},
{
"value": "custodian-banking",
"expanded": "Custodian banking",
"description": "Financial entity having physical possessions of clients financial assets or instruments."
},
{
"value": "financial-market-infrastructure",
"expanded": "Financial market infrastructure",
"description": "Financial market infrastructure such as stock exchange, CSD"
},
{
"value": "asset-management",
"expanded": "Asset management",
"description": "Financial entity managing financial assets on behalf of others."
},
{
"value": "it-provider",
"expanded": "IT provider",
"description": "IT provider supporting financial entities and regulated in the financial legal framework (such as support PFS in Luxembourg)."
},
{
"value": "e-money-and-payment",
"expanded": "e-money and payment",
"description": "Financial entity managing electronic money as alternative to cash payment. (EU directive - Directive 2009/110/EC)"
},
{
"value": "other",
"expanded": "Other",
"description": "Other entity classified as financial entity with other activities not defined in this taxonomy."
}
]
},
{
"predicate": "geographical-footprint",
"entry": [
{
"value": "client-coverage-local",
"expanded": "Client coverage is local",
"description": "Client and customer coverage is local to the financial entity (such as a country)."
},
{
"value": "client-coverage-eu",
"expanded": "Client coverage in EU",
"description": "Client and customer coverage is limited to the European Union."
},
{
"value": "client-coverage-worldwide",
"expanded": "Client coverage is worldwide",
"description": "Client and customer coverage is worldwide."
},
{
"value": "corporate-structure-local",
"expanded": "Corporate structure is local",
"description": "Corporate structure is local to the financial entity (such as a country)."
},
{
"value": "corporate-structure-eu",
"expanded": "Corporate structure in EU",
"description": "Corporate structure is located in the European Union."
},
{
"value": "corporate-structure-worldwide",
"expanded": "Corporate structure is worldwide",
"description": "Corporate structure is located worldwide."
}
]
},
{
"predicate": "online-exposition",
"entry": [
{
"value": "limited",
"expanded": "Limited",
"description": "Online presence of the financial entity is limited such as just a public web server and/or email services."
},
{
"value": "extended",
"expanded": "Extended",
"description": "Online presence of the financial entity is extended with online services for the clients and customers but still with a physical presence."
},
{
"value": "crucial",
"expanded": "Crucial",
"description": "Online presence of the financial entity is crucial and business depends on online presence, extensive use of cloud computing, APIs, etc."
}
]
},
{
"predicate": "physical-presence",
"entry": [
{
"value": "atm",
"expanded": "Automated teller machines",
"description": "The financial entity owns and/or operates automated teller machines (ATM)."
},
{
"value": "pos",
"expanded": "Point of sale terminals",
"description": "The financial entity owns and/or operates point of sale terminals (POS)."
}
]
},
{
"predicate": "services",
"entry": [
{
"value": "settlement",
"expanded": "Settlement",
"description": "A financial entity providing settlement services."
},
{
"value": "collateral-management",
"expanded": "Collatoral management",
"description": "A financial entity providing collateral management services."
},
{
"value": "listing-operation-of-trading-platform",
"expanded": "Listing and operation of trading platform",
"description": "A financial entity providing listing and operation of trading platform."
},
{
"value": "credit-granting",
"expanded": "Credit granting",
"description": "A financial entity providing credit granting."
},
{
"value": "deposit-management",
"expanded": "Deposit management",
"description": "A financial entity providing deposit management."
},
{
"value": "custodian-banking",
"expanded": "Custodian banking",
"description": "A financial entity providing custodian banking."
},
{
"value": "payment-services",
"expanded": "Payment services",
"description": "A financial entity providing payment services."
},
{
"value": "investment-services",
"expanded": "Investment services",
"description": "A financial entity providing investment services."
}
]
}
],
"version": 7,
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
"expanded": "Financial",
"namespace": "financial"
}

View File

@ -3,65 +3,62 @@
{
"entry": [
{
"expanded": "TRES SECRET DEFENSE",
"value": "TRES_SECRET_DEFENSE"
"expanded": "TRES SECRET",
"value": "TRES_SECRET",
"colour": "#f54a4a"
},
{
"expanded": "SECRET DEFENSE",
"value": "SECRET_DEFENSE"
},
{
"expanded": "CONFIDENTIEL DEFENSE",
"value": "CONFIDENTIEL_DEFENSE"
}
],
"predicate": "classifiees-defense"
},
{
"entry": [
{
"expanded": "SECRET",
"value": "SECRET"
},
{
"expanded": "CONFIDENTIEL",
"value": "CONFIDENTIEL"
},
{
"expanded": "DIFFUSION RESTREINTE",
"value": "DIFFUSION_RESTREINTE"
"value": "SECRET",
"colour": "#f54a4a"
}
],
"predicate": "non-classifiees-defense"
"predicate": "classifiees"
},
{
"entry": [
{
"expanded": "NON CLASSIFIEES",
"value": "NON-CLASSIFIEES"
"expanded": "DIFFUSION RESTREINTE",
"value": "DIFFUSION_RESTREINTE",
"colour": "#f87272"
},
{
"expanded": "NON PROTEGE",
"value": "NON-PROTEGE",
"colour": "#f89595"
}
],
"predicate": "non-classifiees"
},
{
"entry": [
{
"expanded": "SPECIAL FRANCE",
"value": "SPECIAL_FRANCE",
"colour": "#0434cc"
}
],
"predicate": "special-france"
}
],
"predicates": [
{
"expanded": "Informations classifiées défense",
"value": "classifiees-defense",
"exclusive": true
},
{
"expanded": "Informations non classifiées defense",
"value": "non-classifiees-defense",
"expanded": "Informations classifiées",
"value": "classifiees",
"exclusive": true
},
{
"expanded": "Informations non classifiées",
"value": "non-classifiees",
"exclusive": true
},
{
"expanded": "Mention Spécial France",
"value": "special-france",
"exclusive": false
}
],
"version": 3,
"version": 6,
"description": "French gov information classification system",
"namespace": "fr-classif"
}

View File

@ -0,0 +1,25 @@
{
"namespace": "information-origin",
"description": "Taxonomy for tagging information by its origin: human-generated or AI-generated.",
"version": 2,
"predicates": [
{
"value": "human-generated",
"description": "Information that has been generated by a human.",
"expanded": "human generated",
"colour": "#33FF00"
},
{
"value": "AI-generated",
"description": "Information that has been generated by an AI LLM or similar technologies.",
"expanded": "AI generated",
"colour": "#FFC000"
},
{
"value": "uncertain-origin",
"description": "Information for which the origin is uncertain which can be machine or a human.",
"expanded": "uncertain origin",
"colour": "#FFC000"
}
]
}

View File

@ -2,7 +2,9 @@
"namespace": "interactive-cyber-training-audience",
"description": "Describes the target of cyber training and education.",
"version": 1,
"refs": ["https://arxiv.org/abs/2101.05538"],
"refs": [
"https://arxiv.org/abs/2101.05538"
],
"expanded": "Interactive Cyber Training - Audience",
"predicates": [
{

View File

@ -2,7 +2,9 @@
"namespace": "interactive-cyber-training-technical-setup",
"description": "The technical setup consists of environment structure, deployment, and orchestration.",
"version": 1,
"refs": ["https://arxiv.org/abs/2101.05538"],
"refs": [
"https://arxiv.org/abs/2101.05538"
],
"expanded": "Interactive Cyber Training - Technical Setup",
"predicates": [
{

View File

@ -2,7 +2,9 @@
"namespace": "interactive-cyber-training-training-environment",
"description": "The training environment details the environment around the training, consisting of training type and scenario.",
"version": 1,
"refs": ["https://arxiv.org/abs/2101.05538"],
"refs": [
"https://arxiv.org/abs/2101.05538"
],
"expanded": "Interactive Cyber Training - Training Environment",
"predicates": [
{
@ -14,7 +16,7 @@
"value": "scenario",
"expanded": "Scenario",
"description": "The scenario is a main component of cybersecurity training. Scenarios are needed to reach the goal of the training."
}x
}
],
"values": [
{
@ -103,8 +105,7 @@
{
"value": "problem-driven",
"expanded": "Style: Problem-Driven",
"description": "Describes the challenge within the training as Problem-driven.
"
"description": "Describes the challenge within the training as Problem-driven."
},
{
"value": "storyline-driven",
@ -113,77 +114,77 @@
},
{
"value": "challenges-target-network",
"expended": "Challenges: Network Target",
"expanded": "Challenges: Network Target",
"description": "The target in this challenge is network."
},
{
"value": "challenges-target-host",
"expended": "Challenges: Host Target",
"expanded": "Challenges: Host Target",
"description": "The target in this challenge is host."
},
{
"value": "challenges-target-application",
"expended": "Challenges: Application Target",
"expanded": "Challenges: Application Target",
"description": "The target in this challenge is application."
},
{
"value": "challenges-target-protocol",
"expended": "Challenges: Protocol Target",
"expanded": "Challenges: Protocol Target",
"description": "The target in this challenge is protocol."
},
{
"value": "challenges-target-data",
"expended": "Challenges: Data Target",
"expanded": "Challenges: Data Target",
"description": "The target in this challenge is data."
},
{
"value": "challenges-target-person",
"expended": "Challenges: Person Target",
"expanded": "Challenges: Person Target",
"description": "The target in this challenge is person."
},
{
"value": "challenges-target-physical",
"expended": "Challenges: Physical Target",
"expanded": "Challenges: Physical Target",
"description": "The target in this challenge is physical."
},
{
"value": "challenges-type-foot-printing",
"expended": "Challenges: Foot-printing Type",
"expanded": "Challenges: Foot-printing Type",
"description": "Foot-printing is needed to solve this challenge."
},
{
"value": "challenges-type-scanning",
"expended": "Challenges: Scanning Type",
"expanded": "Challenges: Scanning Type",
"description": "Scanning is needed to solve this challenge."
},
{
"value": "challenges-type-enumeration",
"expended": "Challenges: Enumeration Type",
"expanded": "Challenges: Enumeration Type",
"description": "Enumeration is needed to solve this challenge."
},
{
"value": "challenges-type-pivoting",
"expended": "Challenges: Pivoting Type",
"expanded": "Challenges: Pivoting Type",
"description": "Pivoting is needed to solve this challenge."
},
{
"value": "challenges-type-exploitation",
"expended": "Challenges: Exploitation Type",
"expanded": "Challenges: Exploitation Type",
"description": "Exploitation is needed to solve this challenge."
},
{
"value": "challenges-type-privilege-escalation",
"expended": "Challenges: Privilege escalation Type",
"expanded": "Challenges: Privilege escalation Type",
"description": "Privilege escalation is needed to solve this challenge."
},
{
"value": "challenges-type-covering-tracks",
"expended": "Challenges: Covering tracks Type",
"expanded": "Challenges: Covering tracks Type",
"description": "Covering tracks is needed to solve this challenge."
},
{
"value": "challenges-type-maintaining",
"expended": "Challenges: maintaining Type",
"expanded": "Challenges: maintaining Type",
"description": "Maintaining access is needed to solve this challenge."
}
]

View File

@ -1,9 +1,10 @@
{
"namespace": "interactive-cyber-training-training-setup",
"description": "The training setup further describes the training itself with the scoring, roles,
the training mode as well as the customization level.",
"description": "The training setup further describes the training itself with the scoring, roles, the training mode as well as the customization level.",
"version": 1,
"refs": ["https://arxiv.org/abs/2101.05538"],
"refs": [
"https://arxiv.org/abs/2101.05538"
],
"expanded": "Interactive Cyber Training - Training Setup",
"predicates": [
{

View File

@ -1,7 +1,7 @@
{
"namespace": "malware_classification",
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
"version": 2,
"version": 3,
"predicates": [
{
"value": "malware-category",

View File

@ -0,0 +1,94 @@
{
"namespace": "misp-workflow",
"expanded": "MISP workflow",
"description": "MISP workflow taxonomy to support result of workflow execution.",
"version": 3,
"predicates": [
{
"value": "action-taken",
"expanded": "Action taken",
"description": "Action taken during the workflow execution"
},
{
"value": "analysis",
"expanded": "Analysis",
"description": "Result of the analysis executed during the workflow execution"
},
{
"value": "mutability",
"expanded": "Mutability",
"description": "Describe if the workflow is allowed to modify data"
},
{
"value": "run",
"expanded": "Run",
"description": "Describe if the workflow is allowed to run on the data being passed"
}
],
"values": [
{
"predicate": "action-taken",
"entry": [
{
"value": "ids-flag-removed",
"expanded": "IDS flag removed"
},
{
"value": "ids-flag-added",
"expanded": "IDS flag added"
},
{
"value": "pushed-to-zmq",
"expanded": "Pushed to ZMQ"
},
{
"value": "email-sent",
"expanded": "Email sent"
},
{
"value": "webhook-triggered",
"expanded": "Webhook triggered"
},
{
"value": "execution-stopped",
"expanded": "Execution stopped"
}
]
},
{
"predicate": "analysis",
"entry": [
{
"value": "false-positive",
"expanded": "False positive"
},
{
"value": "highly-likely-positive",
"expanded": "Highly Likely Positive"
},
{
"value": "known-file-hash",
"expanded": "Known file hash"
}
]
},
{
"predicate": "mutability",
"entry": [
{
"value": "allowed",
"expanded": "Allowed"
}
]
},
{
"predicate": "run",
"entry": [
{
"value": "allowed",
"expanded": "Allowed"
}
]
}
]
}

384
nis2/machinetag.json Normal file
View File

@ -0,0 +1,384 @@
{
"namespace": "nis2",
"description": "The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.",
"version": 3,
"predicates": [
{
"value": "impact-sectors-impacted",
"expanded": "Sectors impacted",
"description": "The impact on services, in the real world, indicating the sectors of the society and economy, where there is an impact on the services."
},
{
"value": "impact-subsectors-impacted",
"expanded": "Impact subsectors impacted",
"description": "Impact subsectors impacted"
},
{
"value": "important-entities",
"expanded": "Important entities",
"description": "Important entities"
},
{
"value": "impact-subsectors-important-entities",
"expanded": "Impact subsectors important entities",
"description": "Impact subsectors important entities"
},
{
"value": "impact-severity",
"expanded": "Severity of the impact",
"description": "The severity of the impact, nationally, in the real world, for society and/or the economy, i.e. the level of disruption for the country or a large region of the country, the level of risks for health and/or safety, the level of physical damages and/or financial costs.",
"exclusive": true
},
{
"value": "impact-outlook",
"expanded": "Outlook",
"description": "The outlook for the incident, the prognosis, for the coming hours, considering the impact in the real world, the impact on services, for the society and/or the economy",
"exclusive": true
},
{
"value": "nature-root-cause",
"expanded": "Root cause category",
"description": "The Root cause category is used to indicate what type event or threat triggered the incident.",
"exclusive": true
},
{
"value": "nature-severity",
"expanded": "Severity of the threat",
"description": "The severity of the threat is used to indicate, from a technical perspective, the potential impact, the risk associated with the threat. For example, the severity is high if an upcoming storm is exceptionally strong, if an observed DDoS attack is exceptionally powerful, or if a software vulnerability is easily exploited and present in many different systems. For example, in certain situations a critical software vulnerability would require concerted and urgent work by different organizations.",
"exclusive": true
},
{
"value": "test",
"expanded": "Test",
"description": "A test predicate meant to test interoperability between tools. Tags contained within this predicate are to be ignored."
}
],
"values": [
{
"predicate": "impact-sectors-impacted",
"entry": [
{
"value": "energy",
"expanded": "Energy",
"description": "The impact is in the Energy sector and its subsectors such as electricity, oil, or gas, for example, impacting electricity suppliers, power plants, distribution system operators, transmission system operators, oil transmission, natural gas distribution, etc."
},
{
"value": "transport",
"expanded": "Transport",
"description": "The impact is in the transport sector and subsectors such as air, rail, water, road, for example, impacting air traffic control systems, railway companies, maritime port authorities, road traffic management systems, etc."
},
{
"value": "banking",
"expanded": "Banking",
"description": "The impact is in the Banking sector, for example impacting banks, online banking, credit services, payment services, etc."
},
{
"value": "financial",
"expanded": "Financial market infrastructures",
"description": "The impact is in the Financial market infrastructure sector, for example, impacting traders, trading platforms, clearing services, etc."
},
{
"value": "health",
"expanded": "Health",
"description": "The impact is in the Health sector, for example, impacting hospitals, medical devices, medicine supply, pharmacies, etc."
},
{
"value": "drinking-water",
"expanded": "Drinking water",
"description": "The impact is in the Drinking water supply and distribution sector, for example impacting drinking water supply, drinking water distribution systems, etc."
},
{
"value": "waste-water",
"expanded": "Waste water",
"description": "The impact is in the Waste water supply and distribution sector, excluding distributors for whom distribution of water for human consumption"
},
{
"value": "digital-infrastructure",
"expanded": "Digital infrastructure",
"description": "The impact is in the Digital infrastructure sector, for example impacting internet exchange points, domain name systems, top level domain registries, etc."
},
{
"value": "public-administration",
"expanded": "Public administartion",
"description": "The impact is in the government sector, for example, impacting the functioning of public administrations, elections, or emergency services"
},
{
"value": "space",
"expanded": "Space",
"description": "The impact is in the space-based services"
}
]
},
{
"predicate": "impact-subsectors-impacted",
"entry": [
{
"value": "electricity",
"expanded": "Electricity undertaking",
"description": "Electricity undertaking means a natural or legal person who carries out at least one of the following functions: generation, transmission, distribution, aggregation, demand response, energy storage, supply or purchase of electricity"
},
{
"value": "district-heating-and-cooling",
"expanded": "The use of energy from renewable sources",
"description": "District heating or district cooling means the distribution of thermal energy in the form of steam, hot water or chilled liquids, from central or decentralised sources"
},
{
"value": "oil",
"expanded": "Operators of oil energy",
"description": "Operators transmission pipelines oil production, refining and treatment facilities, storage and transmission, central oil stockholding entities"
},
{
"value": "gas",
"expanded": "Operators of gas energy",
"description": "operators of distribution, transmission, storage of gas and LNG system operators"
},
{
"value": "hydrogen",
"expanded": "Operators of hydrogen energy",
"description": "Operators of hydrogen production, storage and transmission"
},
{
"value": "air",
"expanded": "Air trasportation",
"description": "Air carriers, airport managing bodies, airports, core airports and entities operating ancillary installations contained within airports, traffic management control operators providing air traffic control (ATC) services"
},
{
"value": "rail",
"expanded": "Rail transportation",
"description": "Infrastructure managers, railway undertakings including operators of service facilities"
},
{
"value": "water",
"expanded": "Water transportation",
"description": "Inland, sea and coastal passenger and freight water transport companies, managing bodies of ports including their port facilities, and entities operating works and equipment contained within ports, operators of vessel traffic services (VTS)"
},
{
"value": "road",
"expanded": "Road transportation",
"description": "Road authorities responsible for traffic management control, operators of Intelligent Transport Systems (ITS)"
},
{
"value": "banking-subsector",
"expanded": "Credits",
"description": "Credit institutions, i.e. an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account"
},
{
"value": "financial-subsector",
"expanded": "Finanacial market infrastructures",
"description": "Operators of trading venues, central counterparties (CCPs), i.e. a legal person that interposes itself between the counterparties to the contracts traded on one or more financial markets, becoming the buyer to every seller and the seller to every buyer"
},
{
"value": "health-subsector",
"expanded": "Health entities",
"description": "Healthcare providers, EU reference laboratories, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, entities manufacturing medical devices considered as critical during a public health emergency"
},
{
"value": "drinking-water-subsector",
"expanded": "Drinking water entities",
"description": "Suppliers and distributors of water intended for human consumption"
},
{
"value": "waste-water-subsector",
"expanded": "Waste water entities",
"description": "Undertakings collecting, disposing or treating urban, domestic and industrial waste water"
},
{
"value": "digital-ifrastructure-subsector",
"expanded": "Digital infrastructure entities",
"description": "Internet Exchange Point providers (IXP), DNS service providers, Top-Level Domain (TLD) name registries, cloud computing service providers, Data centre service providers, content delivery network providers, providers of public electronic communications networks or providers of electronic communications services where their services are publicly available"
},
{
"value": "public-administration-subsector",
"expanded": "Public administration entities",
"description": "Public administration entities of central governments, Public administration entities of NUTS level 1 regions (population min. 3 million max. 7 million) and NUTS level 2 regions (population min. 800.000 max 3 million)"
},
{
"value": "space-subsector",
"expanded": "Space entities",
"description": "Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks. Public electronic communications network means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points"
}
]
},
{
"predicate": "important-entities",
"entry": [
{
"value": "postal",
"expanded": "Postal service providers",
"description": "i.e. services involving the clearance, sorting, transport, and delivery of postal items"
},
{
"value": "waste",
"expanded": "Waste management",
"description": "Undertakings carrying out waste management excluding undertakings for whom waste management is not their principal economic activity. Waste management means the collection, transport, recovery, and disposal of waste, including the supervision of such operations and the aftercare of disposal sites, and including actions taken as a dealer or broker"
},
{
"value": "chemicals",
"expanded": "Manufacture, production and distribution of chemicals",
"description": "Undertakings carrying out the manufacture, production and distribution of chemicals. Producer means any natural or legal person who makes or assembles an article. Manufacturer means any natural or legal person who manufactures a substance. Distributor means any natural or legal person, including a retailer, who only stores and places on the market a substance, on its own or in a mixture, for third parties"
},
{
"value": "manufacturing",
"expanded": "Manufacture",
"description": "Entities manufacturing medical devices, computers, electrical equipment, machinery, motor vehicles, transport equipment "
},
{
"value": "digital",
"expanded": "Digital providers",
"description": "Providers of online marketplaces, providers of online search engines, providers of social networks"
}
]
},
{
"predicate": "impact-subsectors-important-entities",
"entry": [
{
"value": "medical-devices-manufacturing",
"expanded": "Manufacture of medical devices and in vitro diagnostic medical devices",
"description": "Entities manufacturing medical devices and entities manufacturing in vitro diagnostic medical devices"
},
{
"value": "computer-manufacturing",
"expanded": "Manufacture of computer, electronic and optical products",
"description": "Undertakings carrying out the manufacture of computers, electronical and optical products. This includes the manufacture of computers, computer peripherals, communications equipment, and similar electronic products, as well as the manufacture of components for such products. Also included is the manufacture of consumer electronics, measuring, testing, and navigating equipment, irradiation, electromedical and electrotherapeutic equipment, optical instruments and equipment, and the manufacture of magnetic and optical media"
},
{
"value": "electrical-equipment-manufacturing",
"expanded": "Manufacture of computer, electronic and optical products",
"description": "Undertakings carrying out the manufacture of electrical equipment. This includes the manufacture of products that generate, distribute, and use electrical power. Also included is the manufacture of electrical lighting, signalling equipment and electric household appliances"
},
{
"value": "machinery-equipment-manufacturing",
"expanded": "Manufacture of machinery and equipment N.E.C",
"description": "Undertakings carrying out the manufacture of machinery and equipment n.e.c. This includes the manufacture of machinery and equipment that act independently on materials either mechanically or thermally or perform operations on materials (such as handling, spraying, weighing, or packing), including their mechanical components that produce and apply force, and any specially manufactured primary parts. "
},
{
"value": "vehicles-trailers-manufacturing",
"expanded": "Manufacture of motor vehicles, trailers and semi-trailers",
"description": "Undertakings carrying out the manufacture of motor vehicles for transporting passengers or freight. The manufacture of various parts and accessories, as well as the manufacture of trailers and semi-trailers, is also included"
},
{
"value": "other-transport-manufacturing",
"expanded": "Manufacture of other transport equipment",
"description": "Undertakings carrying out the manufacture of motor vehicles for transporting passengers or freight. The manufacture of various parts and accessories, as well as the manufacture of trailers and semi-trailers, is also included"
}
]
},
{
"predicate": "impact-severity",
"entry": [
{
"value": "red",
"expanded": "Red",
"description": "Very large impact",
"colour": "#CC0033"
},
{
"value": "yellow",
"expanded": "Yellow",
"description": "Large impact.",
"colour": "#FFC000"
},
{
"value": "green",
"expanded": "Green",
"description": "Minor impact.",
"colour": "#339900"
},
{
"value": "white",
"expanded": "White",
"description": "No impact.",
"colour": "#ffffff"
}
]
},
{
"predicate": "impact-outlook",
"entry": [
{
"value": "improving",
"expanded": "Improving",
"description": "Severity of impact is expected to decrease in the next 6 hours.",
"colour": "#339900"
},
{
"value": "stable",
"expanded": "Stable",
"description": "Severity of impact is expected to remain the same in the 6 hours.",
"colour": "#FFC000"
},
{
"value": "worsening",
"expanded": "Worsening",
"description": "Severity of impact is expected to increase in the next 6 hours.",
"colour": "#CC0033"
}
]
},
{
"predicate": "nature-root-cause",
"entry": [
{
"value": "system-failures",
"expanded": "System failures",
"description": "The incident is due to a failure of a system, i.e. without external causes. For example a hardware failure, software bug, a flaw in a procedure, etc. triggered the incident."
},
{
"value": "natural-phenomena",
"expanded": "Natural phenomena",
"description": "The incident is due to a natural phenomenon. For example a storm, lightning, solar flare, flood, earthquake, wildfire, etc. triggered the incident."
},
{
"value": "human-errors",
"expanded": "Human errors",
"description": "The incident is due to a human error, i.e. system worked correctly, but was used wrong. For example, a mistake, or carelessness triggered the incident."
},
{
"value": "malicious-actions",
"expanded": "Malicious actions",
"description": "The incident is due to a malicious action. For example, a cyber-attack or physical attack, vandalism, sabotage, insider attack, theft, etc., triggered the incident."
},
{
"value": "third-party-failures",
"expanded": "Third party failures",
"description": "The incident is due to a disruption of a third party service, like a utility. For example a power cut, or an internet outage, etc. triggered the incident."
}
]
},
{
"predicate": "nature-severity",
"entry": [
{
"value": "high",
"expanded": "High",
"description": "High severity, potential impact is high.",
"colour": "#CC0033"
},
{
"value": "medium",
"expanded": "Medium",
"description": "Medium severity, potential impact is medium.",
"colour": "#FFC000"
},
{
"value": "low",
"expanded": "Low",
"description": "Low severity, potential impact is low.",
"colour": "#339900"
}
]
},
{
"predicate": "test",
"entry": [
{
"value": "test",
"expanded": "Test",
"description": "Test value meant for testing interoperability. Tags with this value are to be ignored.",
"colour": "#F81894"
}
]
}
]
}

View File

@ -0,0 +1,476 @@
{
"namespace": "poison-taxonomy",
"description": "Non-exhaustive taxonomy of natural poison",
"version": 1,
"predicates": [
{
"value": "Poisonous plant"
},
{
"value": "Poisonous fungus"
}
],
"values": [
{
"predicate": "Poisonous fungus",
"entry": [
{
"value": "Agaricus californicus/California "
},
{
"value": "Agaricus hondensis/Felt-ringed "
},
{
"value": "Agaricus menieri"
},
{
"value": "Agaricus moelleri"
},
{
"value": "Agaricus phaeolepidotus"
},
{
"value": "Agaricus placomyces"
},
{
"value": "Agaricus xanthodermus/Yellow-staining mushroom"
},
{
"value": "Amanita abrupta/American abrupt-bulbed Lepidella"
},
{
"value": "Amanita aprica/Sunshine amanita"
},
{
"value": "Amanita boudieri/Boudier's lepidella"
},
{
"value": "Amanita citrina"
},
{
"value": "Amanita cokeri/Coker's amanita"
},
{
"value": "Amanita cothurnata/Booted amanita"
},
{
"value": "Amanita echinocephala/European solitary amanita"
},
{
"value": "Amanita farinosa/Powdery Amanita"
},
{
"value": "Amanita flavorubescens"
},
{
"value": "Amanita gemmata/Gemmed Amanita"
},
{
"value": "Amanita gioiosa"
},
{
"value": "Amanita gracilior"
},
{
"value": "Amanita heterochroma/Eucalyptus fly agaric"
},
{
"value": "Amanita hongoi/Hongo's Amanita"
},
{
"value": "Amanita ibotengutake/Japanese ringed-bulbed Amanita"
},
{
"value": "Amanita muscaria/Fly agaric"
},
{
"value": "Amanita neoovoidea/East Asian egg amidella"
},
{
"value": "Amanita pantherina/Panther cap"
},
{
"value": "Amanita porphyria/Grey veiled Amanita"
},
{
"value": "Amanita pseudoporphyria/Hongo's false death cap"
},
{
"value": "Amanita pseudoregalis/False royal fly agaric"
},
{
"value": "Amanita pseudorubescens/False blusher"
},
{
"value": "Amanita regalis/Royal fly agaric"
},
{
"value": "Amanita smithiana/Smith's Amanita"
},
{
"value": "Ampulloclitocybe clavipes/Club-footed clitocybe"
},
{
"value": "Chlorophyllum molybdites/Green-spored parasol"
},
{
"value": "Clitocybe cerussata"
},
{
"value": "Clitocybe dealbata"
},
{
"value": "Coprinopsis alopecia"
},
{
"value": "Coprinopsis atramentaria/Common ink cap"
},
{
"value": "Coprinopsis romagnesiana/Scaly ink cap"
},
{
"value": "Cortinarius bolaris"
},
{
"value": "Cortinarius callisteus"
},
{
"value": "Cortinarius cinnabarinus"
},
{
"value": "Cortinarius cinnamomeofulvus"
},
{
"value": "Cortinarius cinnamomeoluteus"
},
{
"value": "Cortinarius cinnamomeus"
},
{
"value": "Cortinarius cruentus"
},
{
"value": "Cortinarius gentilis"
},
{
"value": "Cortinarius limonius"
},
{
"value": "Cortinarius malicorius"
},
{
"value": "Cortinarius mirandus"
},
{
"value": "Cortinarius palustris"
},
{
"value": "Cortinarius phoeniceus"
},
{
"value": "Cortinarius rubicundulus"
},
{
"value": "Cortinarius smithii/Smith's Cortinarius"
},
{
"value": "Cudonia circinans"
},
{
"value": "Gyromitra perlata/Pig's ears"
},
{
"value": "Echinoderma asperum/Freckled dapperling"
},
{
"value": "Echinoderma calcicola"
},
{
"value": "Entoloma albidum"
},
{
"value": "Entoloma rhodopolium/Wood pinkgill"
},
{
"value": "Entoloma sinuatum/Livid Entoloma"
},
{
"value": "Hebeloma crustuliniforme/Poison pie"
},
{
"value": "Hebeloma sinapizans/Rough-stalked hebeloma"
},
{
"value": "Helvella crispa/Elfin saddle"
},
{
"value": "Helvella dryophila/Oak-loving elfin saddle"
},
{
"value": "Helvella lactea"
},
{
"value": "Helvella lacunosa/Slate grey saddle"
},
{
"value": "Helvella vespertina/Western black elfin saddle"
},
{
"value": "Hapalopilus nidulans/Tender nesting polypore"
},
{
"value": "Hypholoma fasciculare/Sulphur tuft"
},
{
"value": "Hypholoma lateritium/Brick cap"
},
{
"value": "Hypholoma marginatum"
},
{
"value": "Hypholoma radicosum"
},
{
"value": "Imperator rhodopurpureus"
},
{
"value": "Imperator torosus"
},
{
"value": "Inocybe fibrosa"
},
{
"value": "Inocybe geophylla/Earthy inocybe"
},
{
"value": "Inocybe hystrix"
},
{
"value": "Inocybe lacera/Torn fibercap"
},
{
"value": "Inocybe lilacina"
},
{
"value": "Inocybe sublilacina"
},
{
"value": "Inocybe rimosa"
},
{
"value": "Inocybe sambucina"
},
{
"value": "Lactarius torminosus/Woolly milkcap"
},
{
"value": "Mycena diosma"
},
{
"value": "Mycena pura/Lilac bonnet"
},
{
"value": "Mycena rosea/Rosy bonnet"
},
{
"value": "Neonothopanus nambi"
},
{
"value": "Panaeolus cinctulus/banded mottlegill"
},
{
"value": "Psilocybe semilanceata/Liberty cap"
},
{
"value": "Omphalotus illudens/Jack-O'lantern mushroom"
},
{
"value": "Omphalotus japonicus/Tsukiyotake"
},
{
"value": "Omphalotus nidiformis/Ghost fungus"
},
{
"value": "Omphalotus olearius/Jack-O'lantern mushroom"
},
{
"value": "Omphalotus olivascens/Western jack-o'-lantern mushroom"
},
{
"value": "Paralepistopsis acromelalga"
},
{
"value": "Paralepistopsis amoenolens/Paralysis funnel"
},
{
"value": "Pholiotina rugosa"
},
{
"value": "Ramaria formosa/Beautiful clavaria"
},
{
"value": "Ramaria neoformosa"
},
{
"value": "Ramaria pallida"
},
{
"value": "Rubroboletus legaliae/Le Gal's bolete"
},
{
"value": "Rubroboletus lupinus/Wolves bolete"
},
{
"value": "Rubroboletus pulcherrimus"
},
{
"value": "Rubroboletus satanas/Satan's bolete"
},
{
"value": "Russula emetica/The sickener"
},
{
"value": "Russula subnigricans"
},
{
"value": "Sarcosphaera coronaria/Pink crown"
},
{
"value": "Tricholoma equestre/Yellow knight"
},
{
"value": "Tricholoma filamentosum"
},
{
"value": "Tricholoma pardinum/Tiger tricholoma"
},
{
"value": "Tricholoma muscarium"
},
{
"value": "Trogia venenata/Little white mushroom"
},
{
"value": "Turbinellus floccosus/Woolly false chanterelle"
},
{
"value": "Turbinellus kauffmanii"
},
{
"value": "Agrocybe arenicola"
},
{
"value": "Amanita albocreata/Ringless panther"
},
{
"value": "Amanita altipes/Yellow long-stem Amanita"
},
{
"value": "Amanita breckonii"
},
{
"value": "Amanita ceciliae/Snakeskin grisette"
},
{
"value": "Amanita eliae/Fries's Amanita"
},
{
"value": "Amanita flavoconia/Yellow-dust Amanita"
},
{
"value": "Amanita frostiana/Frost's Amanita"
},
{
"value": "Amanita nehuta/Mahori dust Amanita"
},
{
"value": "Amanita parcivolvata"
},
{
"value": "Amanita parvipantherina"
},
{
"value": "Amanita petalinivolva"
},
{
"value": "Amanita roseotincta"
},
{
"value": "Amanita rubrovolvata/Red volva Amanita"
},
{
"value": "Amanita subfrostiana/False Frost's Amanita"
},
{
"value": "Amanita velatipes"
},
{
"value": "Amanita viscidolutea"
},
{
"value": "Amanita wellsii/Wells's Amanita"
},
{
"value": "Amanita xanthocephala/Vermilion grisette"
},
{
"value": "Armillaria mellea/Honey fungus"
},
{
"value": "Calocera viscosa/Yellow stagshorn"
},
{
"value": "Chlorophyllum brunneum/Shaggy parasol"
},
{
"value": "Choiromyces venosus"
},
{
"value": "Clitocybe fragrans"
},
{
"value": "Clitocybe nebularis/Clouded agaric"
},
{
"value": "Conocybe subovalis"
},
{
"value": "Coprinellus micaceus/Mica cap"
},
{
"value": "Lactarius chrysorrheus/Yellowdrop milkcap"
},
{
"value": "Lactarius helvus/Fenugreek milkcap"
},
{
"value": "Lepiota cristata/Stinking dapperling"
},
{
"value": "Marasmius collinus"
},
{
"value": "Russula olivacea"
},
{
"value": "Russula viscida"
},
{
"value": "Schizophyllum commune"
},
{
"value": "Scleroderma citrinum/common earthball"
},
{
"value": "Stropharia aeruginosa/Verdigris agaric"
},
{
"value": "Suillus granulatus/Weeping bolete"
},
{
"value": "Tricholoma sulphureum/Gas agaric"
}
]
}
]
}

View File

@ -0,0 +1,157 @@
{
"namespace": "political-spectrum",
"description": "A political spectrum is a system to characterize and classify different political positions in relation to one another.",
"version": 1,
"expanded": "Political Spectrum",
"predicates": [
{
"value": "ideology",
"expanded": "Ideology",
"description": "Political ideologies are one of the major organizing features of political parties, and parties often officially align themselves with specific ideologies."
},
{
"value": "left-right-spectrum",
"expanded": "Left-Right spectrum",
"description": "The leftright political spectrum is a system of classifying political positions characteristic of left-right politics, ideologies and parties with emphasis placed on issues of social equality and social hierarchy."
}
],
"values": [
{
"predicate": "ideology",
"entry": [
{
"value": "agrarianism",
"expanded": "Agrarianism",
"colour": "#006400",
"description": "political and social philosophy that has promoted subsistence agriculture, smallholdings, egalitarianism, with agrarian political parties normally supporting the rights and sustainability of small farmers and poor peasants against the wealthy in society."
},
{
"value": "anarchism",
"expanded": "Anarchism",
"colour": "#000000",
"description": "Anarchism is a political philosophy and movement that is sceptical of authority and rejects all involuntary, coercive forms of hierarchy."
},
{
"value": "centrism",
"expanded": "Centrism",
"colour": "#9932CC",
"description": "Centrism is a political outlook or position that involves acceptance and/or support of a balance of social equality and a degree of social hierarchy, while opposing political changes which would result in a significant shift of society strongly to either the left or the right."
},
{
"value": "christian-democracy",
"expanded": "Christian Democracy",
"colour": "#FF7700",
"description": "combination of modern democratic ideas and traditional Christian values, incorporating social justice as well as the social teachings espoused by the Catholic, Lutheran, Reformed, Pentecostal and other denominational traditions of Christianity in various parts of the world. After World War II, Catholic and Protestant movements of neo-scholasticism and the Social Gospel, respectively, played a role in shaping Christian democracy."
},
{
"value": "communism",
"expanded": "Communism",
"colour": "#F50E0E",
"description": "Communism is a philosophical, social, political, and economic ideology and movement whose goal is the establishment of a communist society, namely a socioeconomic order structured upon the ideas of common ownership of the means of production and the absence of social classes, money, and the state."
},
{
"value": "conservatism",
"expanded": "Conservatism",
"colour": "#4584F2",
"description": "Conservatism is an aesthetic, cultural, social, and political philosophy, which seeks to promote and to preserve traditional social institutions. The central tenets of conservatism may vary in relation to the traditional values or practices of the culture and civilization in which it appears. In Western culture, conservatives seek to preserve a range of institutions such as organized religion, parliamentary government, and property rights. Adherents of conservatism often oppose modernism and seek a return to traditional values."
},
{
"value": "democratic-socialism",
"expanded": "Democratic socialism",
"colour": "#F50E0E",
"description": "Democratic socialism is a political philosophy that supports political democracy within a socially owned economy, with a particular emphasis on economic democracy, workplace democracy, and workers' self-management within a market socialist economy, or an alternative form of decentralised planned socialist economy."
},
{
"value": "fascism",
"expanded": "Fascism",
"colour": "#964B00",
"description": "Fascism is a form of far-right, authoritarian ultranationalism characterized by dictatorial power, forcible suppression of opposition, and strong regimentation of society and of the economy, which came to prominence in early 20th-century Europe.Fascists believe that liberal democracy is obsolete. They regard the complete mobilization of society under a totalitarian one-party state as necessary to prepare a nation for armed conflict and to respond effectively to economic difficulties."
},
{
"value": "feminism",
"expanded": "Feminism",
"colour": "#FFC0CB",
"description": "Feminism is a range of social movements and ideologies that aim to define and establish the political, economic, personal, and social equality of the sexes. Feminism incorporates the position that societies prioritize the male point of view, and that women are treated unjustly within those societies. Efforts to change that include fighting against gender stereotypes and establishing educational, professional, and interpersonal opportunities and outcomes for women that are equal to those for men."
},
{
"value": "green-politics",
"expanded": "Green politics",
"colour": "#006400",
"description": "Green politics, or ecopolitics, is a political ideology that aims to foster an ecologically sustainable society often, but not always, rooted in environmentalism, nonviolence, social justice and grassroots democracy."
},
{
"value": "islamism",
"expanded": "Islamism",
"colour": "#006400",
"description": "Islamism (also often called political Islam or Islamic fundamentalism) is a political ideology which posits that modern states and regions should be reconstituted in constitutional, economic and judicial terms, in accordance with what is conceived as a revival or a return to authentic Islamic practice in its totality."
},
{
"value": "liberalism",
"expanded": "Liberalism",
"colour": "#FFFF33",
"description": "Liberalism is a political and moral philosophy based on liberty, consent of the governed and equality before the law. Liberals espouse a wide array of views depending on their understanding of these principles, but they generally support individual rights (including civil rights and human rights), democracy, secularism, freedom of speech, freedom of the press, freedom of religion and a market economy."
},
{
"value": "libertarianism",
"expanded": "Libertarianism",
"colour": "#FFFF33",
"description": "Libertarianism is a political philosophy that upholds liberty as a core principle. Libertarians seek to maximize autonomy and political freedom, emphasizing free association, freedom of choice, individualism and voluntary association. Libertarians share a skepticism of authority and state power, but some libertarians diverge on the scope of their opposition to existing economic and political systems."
},
{
"value": "monarchism",
"expanded": "Monarchism",
"colour": "#9932CC",
"description": "Monarchism is the advocacy of the system of monarchy or monarchical rule."
},
{
"value": "pacifism",
"expanded": "Pacifism",
"colour": "#FFFFFF",
"description": "Pacifism covers a spectrum of views, including the belief that international disputes can and should be peacefully resolved, calls for the abolition of the institutions of the military and war, opposition to any organization of society through governmental force (anarchist or libertarian pacifism), rejection of the use of physical violence to obtain political, economic or social goals, the obliteration of force, and opposition to violence under any circumstance, even defence of self and others."
},
{
"value": "social-democracy",
"expanded": "Social democracy",
"colour": "#F50E0E",
"description": "Social democracy is a political, social, and economic philosophy within socialism that supports political and economic democracy. As a policy regime, it is described by academics as advocating economic and social interventions to promote social justice within the framework of a liberal-democratic polity and a capitalist-oriented mixed economy."
},
{
"value": "socialism",
"expanded": "Socialism",
"colour": "#F50E0E",
"description": "Socialism is a political, social, and economic philosophy encompassing a range of economic and social systems characterised by social ownership of the means of production. It includes the political theories and movements associated with such systems. Social ownership can be public, collective, cooperative, or of equity. While no single definition encapsulates the many types of socialism, social ownership is the one common element."
}
]
},
{
"predicate": "left-right-spectrum",
"entry": [
{
"value": "far-left",
"expanded": "Far-left",
"description": "There are different definitions of the far-left. It could represent the left of social democraty, or also limited to the left of communist parties. Sometimes it is also associated with some forms of anarchism and communims, or groupsthat advocate for revolutionary anti-capitalism and anti-globalization."
},
{
"value": "centre-left",
"expanded": "Centre-left",
"description": "Also refered as moderate-left politics. Believes in working within the established systems to improve social justice. Promotes a degree of social equality that it believes is achievable through promoting equal opportunity. Emphasizes that the achievement of equality requires personal responsibility in areas in control by the individual person through their abilities and talents as well as social responsibility in areas outside control by the person in their abilities or talents."
},
{
"value": "radical-centre",
"expanded": "Radical centre",
"description": "The radical in the term refers to a willingness on the part of most radical centrists to call for fundamental reform of institutions.[ The centrism refers to a belief that genuine solutions require realism and pragmatism, not just idealism and emotion. Radical centrists borrow ideas from the left and the right, often melding them together."
},
{
"value": "centre-right",
"expanded": "Centre-right",
"description": "Also referred to as moderate-right politics. Ideologies characterised as centre-right include liberal conservatism and some variants of liberalism and Christian democracy, among others."
},
{
"value": "far-right",
"expanded": "Far-right",
"description": "Referred to as the extreme right or right-wing extremism. Are usually described as anti-communist, authoritarian, ultranationalist, and having nativist ideologies and tendencies. Today far-right politics include neo-fascism, neo-Nazism, the Third Position, the alt-right, racial supremacism, and other ideologies or organizations that feature aspects of ultranationalist, chauvinist, xenophobic, theocratic, racist, homophobic, transphobic, or reactionary views."
}
]
}
]
}

395
pyoti/machinetag.json Normal file
View File

@ -0,0 +1,395 @@
{
"namespace": "pyoti",
"description": "PyOTI automated enrichment schemes for point in time classification of indicators.",
"version": 3,
"expanded": "PyOTI Enrichment",
"refs": [
"https://github.com/RH-ISAC/PyOTI",
"https://github.com/RH-ISAC/PyOTI/blob/main/examples/enrich_misp_event.py"
],
"predicates": [
{
"value": "checkdmarc",
"expanded": "CheckDMARC"
},
{
"value": "disposable-email",
"expanded": "Disposable Email Domain",
"description": "The email domain is from a disposable email service."
},
{
"value": "emailrepio",
"expanded": "EmailRepIO"
},
{
"value": "iris-investigate",
"expanded": "Iris Investigate"
},
{
"value": "virustotal",
"expanded": "VirusTotal"
},
{
"value": "circl-hashlookup",
"expanded": "CIRCL Hash Lookup"
},
{
"value": "reputation-block-list",
"expanded": "Reputation Block List"
},
{
"value": "abuseipdb",
"expanded": "AbuseIPDB"
},
{
"value": "greynoise-riot",
"expanded": "GreyNoise RIOT"
},
{
"value": "googlesafebrowsing",
"expanded": "Google Safe Browsing"
}
],
"values": [
{
"predicate": "checkdmarc",
"entry": [
{
"value": "spoofable",
"expanded": "Spoofable",
"description": "The email address can be spoofed (e.g. no strict SPF policy/DMARC is not enforced)."
}
]
},
{
"predicate": "emailrepio",
"entry": [
{
"value": "spoofable",
"expanded": "Spoofable",
"description": "The email address can be spoofed (e.g. no strict SPF policy/DMARC is not enforced)."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "The email address should be treated as suspicious or risky."
},
{
"value": "blacklisted",
"expanded": "Blacklisted",
"description": "The email address is believed to be malicious or spammy."
},
{
"value": "malicious-activity",
"expanded": "Malicious Activity",
"description": "The email address has exhibited malicious behavior (e.g. phishing/fraud)."
},
{
"value": "malicious-activity-recent",
"expanded": "Malicious Activity Recent",
"description": "The email address has exhibited malicious behavior in the last 90 days (e.g. in the case of temporal account takeovers)."
},
{
"value": "credentials-leaked",
"expanded": "Credentials Leaked",
"description": "The email address has had credentials leaked at some point in time (e.g. a data breach, pastebin, dark web, etc)."
},
{
"value": "credentials-leaked-recent",
"expanded": "Credentials Leaked Recent",
"description": "The email address has had credentials leaked in the last 90 days."
},
{
"value": "reputation-high",
"expanded": "Reputation High",
"description": "The email address has a high reputation."
},
{
"value": "reputation-medium",
"expanded": "Reputation Medium",
"description": "The email address has a medium reputation."
},
{
"value": "reputation-low",
"expanded": "Reputation Low",
"description": "The email address has a low reputation."
},
{
"value": "suspicious-tld",
"expanded": "Suspicious TLD",
"description": "The email address top-level domain is suspicious."
},
{
"value": "spam",
"expanded": "Spam",
"description": "The email address has exhibited spammy behavior (e.g. spam traps, login form abuse, etc)."
}
]
},
{
"predicate": "iris-investigate",
"entry": [
{
"value": "high",
"expanded": "High",
"description": "The domain risk score is high (76-100)."
},
{
"value": "medium-high",
"expanded": "Medium High",
"description": "The domain risk score is medium-high (51-75)."
},
{
"value": "medium",
"expanded": "Medium",
"description": "The domain risk score is medium (26-50)."
},
{
"value": "low",
"expanded": "Low",
"description": "The domain risk score is low (0-25)."
}
]
},
{
"predicate": "virustotal",
"entry": [
{
"value": "known-distributor",
"expanded": "Known Distributor",
"description": "The known-distributor entry indicates a file is from a known distributor."
},
{
"value": "valid-signature",
"expanded": "Valid Signature",
"description": "The valid-signature entry indicates a file is signed with a valid signature."
},
{
"value": "invalid-signature",
"expanded": "Invalid Signature",
"description": "The invalid-signature entry indicates a file is signed with an invalid signature."
}
]
},
{
"predicate": "circl-hashlookup",
"entry": [
{
"value": "high-trust",
"expanded": "High Trust",
"description": "The trust level is high (76-100)."
},
{
"value": "medium-high-trust",
"expanded": "Medium High Trust",
"description": "The trust level is medium-high (51-75)."
},
{
"value": "medium-trust",
"expanded": "Medium Trust",
"description": "The trust level is medium (26-50)."
},
{
"value": "low-trust",
"expanded": "Low Trust",
"description": "The trust level is low (0-25)."
}
]
},
{
"predicate": "reputation-block-list",
"entry": [
{
"value": "barracudacentral-brbl",
"expanded": "Barracuda Reputation Block List",
"description": "Barracuda Reputation Block List (BRBL) is a free DNSBL of IP addresses known to send spam. Barracuda Networks fights spam and created the BRBL to help stop the spread of spam."
},
{
"value": "spamcop-scbl",
"expanded": "SpamCop Blocking List",
"description": "The SpamCop Blocking List (SCBL) lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email."
},
{
"value": "spamhaus-sbl",
"expanded": "Spamhaus Block List",
"description": "The Spamhaus Block List (SBL) Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail."
},
{
"value": "spamhaus-xbl",
"expanded": "Spamhaus Exploits Block List",
"description": "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
},
{
"value": "spamhaus-pbl",
"expanded": "Spamhaus Policy Block List",
"description": "The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use."
},
{
"value": "spamhaus-css",
"expanded": "Spamhaus CSS",
"description": "The Spamhaus CSS list is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. CSS mostly targets static spam emitters that are not covered in the PBL or XBL, such as snowshoe spam operations, but may also include other senders that display a risk to our users, such as compromised hosts."
},
{
"value": "spamhaus-drop",
"expanded": "Spamhaus Don't Route Or Peer",
"description": "Spamhaus Don't Route Or Peer (DROP) is an advisory 'drop all traffic' list. DROP is a tiny subset of the SBL which is designed for use by firewalls or routing equipment."
},
{
"value": "spamhaus-spam",
"expanded": "Spamhaus Domain Block List Spam Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for spam."
},
{
"value": "spamhaus-phish",
"expanded": "Spamhaus Domain Block List Phish Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for phishing."
},
{
"value": "spamhaus-malware",
"expanded": "Spamhaus Domain Block List Malware Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used to serve malware."
},
{
"value": "spamhaus-botnet-c2",
"expanded": "Spamhaus Domain Block List Botnet C2 Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for botnet command and control."
},
{
"value": "spamhaus-abused-legit-spam",
"expanded": "Spamhaus Domain Block List Abused Legit Spam Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for spam."
},
{
"value": "spamhaus-abused-spammed-redirector",
"expanded": "Spamhaus Domain Block List Abused Spammed Redirector Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate spammed domain names with poor reputations used as redirector domains."
},
{
"value": "spamhaus-abused-legit-phish",
"expanded": "Spamhaus Domain Block List Abused Legit Phish Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for phishing."
},
{
"value": "spamhaus-abused-legit-malware",
"expanded": "Spamhaus Domain Block List Abused Legit Malware Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used to serve malware."
},
{
"value": "spamhaus-abused-legit-botnet-c2",
"expanded": "Spamhaus Domain Block List Abused Legit Botnet C2 Domain",
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for botnet command and control."
},
{
"value": "surbl-phish",
"expanded": "SURBL Phishing Sites",
"description": "Phishing data from multiple sources is included in this list. Data includes PhishTank, OITC, PhishLabs, Malware Domains and several other sources, including proprietary research by SURBL."
},
{
"value": "surbl-malware",
"expanded": "SURBL Malware Sites",
"description": "This list contains data from multiple sources that cover sites hosting malware. This includes OITC, abuse.ch, The DNS blackhole malicious site data from malwaredomains.com and others. Malware data also includes significant proprietary research by SURBL."
},
{
"value": "surbl-spam",
"expanded": "SURBL Spam Sites",
"description": "This list contains mainly general spam sites. It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in this list comes from internal, proprietary research by SURBL."
},
{
"value": "surbl-abused-legit",
"expanded": "SURBL Abused Legit Sites",
"description": "This list contains data from multiple sources that cover cracked sites, including SURBL internal ones. Criminals steal credentials or abuse vulnerabilities to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam."
},
{
"value": "uribl-black",
"expanded": "URIBL Black",
"description": "URIBL Black list contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in Unsolicited Bulk and/or Commercial Email (UBE/UCE). This list has a goal of zero False Positives."
},
{
"value": "uribl-grey",
"expanded": "URIBL Grey",
"description": "URIBL Grey list contains domains found in UBE/UCE, and possibly honour opt-out requests. It may include ESPs which allow customers to import their recipient lists and may have no control over the subscription methods. This list can and probably will cause False Positives depending on your definition of UBE/UCE."
},
{
"value": "uribl-red",
"expanded": "URIBL Red",
"description": "URIBL Red list contains domains that actively show up in mail flow, are not listed on URIBL black, and are either: being monitored, very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk."
},
{
"value": "uribl-multi",
"expanded": "URIBL Multi",
"description": "URIBL Multi list contains all of the public URIBL lists."
}
]
},
{
"predicate": "abuseipdb",
"entry": [
{
"value": "high",
"expanded": "High",
"description": "The IP abuse confidence score is high (76-100)."
},
{
"value": "medium-high",
"expanded": "Medium High",
"description": "The IP abuse confidence score is medium-high (51-75)."
},
{
"value": "medium",
"expanded": "Medium",
"description": "The IP abuse confidence score is medium (26-50)."
},
{
"value": "low",
"expanded": "Low",
"description": "The IP abuse confidence score is low (0-25)."
}
]
},
{
"predicate": "greynoise-riot",
"entry": [
{
"value": "trust-level-1",
"expanded": "Trust Level 1",
"description": "These IPs are trustworthy because the companies or services assigned are generally responsible for the interactions with this IP. Adding these ranges to an allow-list may make sense."
},
{
"value": "trust-level-2",
"expanded": "Trust Level 2",
"description": "These IPs are somewhat trustworthy because they are necessary for regular and common business internet use. Companies that own these IPs typically do not claim responsibility or have accountability for interactions with these IPs. Malicious actions may be associated with these IPs but adding this entire range to a block-list does not make sense."
}
]
},
{
"predicate": "googlesafebrowsing",
"entry": [
{
"value": "malware",
"expanded": "MALWARE",
"description": "Malware threat type."
},
{
"value": "social-engineering",
"expanded": "SOCIAL_ENGINEERING",
"description": "Social engineering threat type."
},
{
"value": "unwanted-software",
"expanded": "UNWANTED_SOFTWARE",
"description": "Unwanted software threat type."
},
{
"value": "potentially-harmful-application",
"expanded": "POTENTIALLY_HARMFUL_APPLICATION",
"description": "Potentially harmful application threat type."
},
{
"value": "unspecified",
"expanded": "THREAT_TYPE_UNSPECIFIED",
"description": "Unknown threat type."
}
]
}
]
}

View File

@ -0,0 +1,46 @@
{
"namespace": "ransomware-roles",
"expanded": "Ransomware Actor Roles",
"description": "The seven roles seen in most ransomware incidents.",
"refs": [
"https://www.northwave-security.com/"
],
"version": 1,
"predicates": [
{
"value": "1 - Initial Access Broker",
"expanded": "1 - Initial Access Broker",
"description": "Initial Access Brokers obtain the initial access to organizations. They monetize this access by offering it for sale to any actor."
},
{
"value": "2 - Ransomware Affiliate",
"expanded": "2 - Ransomware Affiliate",
"description": "Ransomware affiliates are responsible for obtaining control of a victim's network and monetizing it. They perform reconnaissance of the network as well as privilege escalation, and are responsible for destroying any backup options and deployment of ransomware. Ransomware Affiliates can make use of different ransomware families in different attacks."
},
{
"value": "3 - Data Manager",
"expanded": "3 - Data Manager",
"description": "Data managers are responsible for exfiltrating data as well as managing and leaking that exfiltrated data when necessary."
},
{
"value": "4 - Ransomware Operator",
"expanded": "4 - Ransomware Operator",
"description": "Ransomware Operators facilitate the ransomware business model by providing ransomware and hosting the infrastructure needed to run it."
},
{
"value": "5 - Negotiator",
"expanded": "5 - Negotiator",
"description": "Negotiators are responsible for interacting with the victim and coming to an agreement with the victim regarding the ransom payment."
},
{
"value": "6 - Chaser",
"expanded": "6 - Chaser",
"description": "Chasers put pressure on the victim by emailing and calling key employee. Chasers threaten these employees with continued attacks or publication of confidential data if the ransom is not payed."
},
{
"value": "7 - Accountant",
"expanded": "7 - Accountant",
"description": "Accountants launder the ransom."
}
]
}

View File

@ -1,15 +1,23 @@
{
"namespace": "runtime-packer",
"description": "Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"version": 1,
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
"version": 2,
"predicates": [
{
"value": "portable-executable",
"expanded": "Portable Executable (PE)"
"value": "dex",
"expanded": "Dalvik Executable (DEX)"
},
{
"value": "elf",
"expanded": "ELF"
"expanded": "Executable Linkable Format (ELF)"
},
{
"value": "macho",
"expanded": "Mach-object (Mach-O)"
},
{
"value": "pe",
"expanded": "Portable Executable (PE)"
},
{
"value": "cli-assembly",
@ -18,12 +26,99 @@
],
"values": [
{
"predicate": "portable-executable",
"predicate": "dex",
"entry": [
{
"value": "apk-protect",
"expanded": "APK Protect"
},
{
"value": "dexguard",
"expanded": "DexGuard"
},
{
"value": "dexprotector",
"expanded": "DexProtector"
}
]
},
{
"predicate": "elf",
"entry": [
{
"value": "bzexe",
"expanded": "BzExe"
},
{
"value": "ezuri",
"expanded": "Ezuri"
},
{
"value": "gzexe",
"expanded": "GzExe"
},
{
"value": "midgetpack",
"expanded": "MidgetPack"
},
{
"value": "pakkero",
"expanded": "Pakkero"
},
{
"value": "papaw",
"expanded": "Papaw"
},
{
"value": "shiva",
"expanded": "Shiva"
},
{
"value": "upx",
"expanded": "UPX"
}
]
},
{
"predicate": "macho",
"entry": [
{
"value": "eleckey",
"expanded": "ElecKey"
},
{
"value": "muncho",
"expanded": "Muncho"
},
{
"value": "mpress",
"expanded": "MPRESS"
},
{
"value": "upx",
"expanded": "UPX"
}
]
},
{
"predicate": "pe",
"entry": [
{
"value": ".netshrink",
"expanded": ".netshrink"
},
{
"value": "acprotect",
"expanded": "ACProtect"
},
{
"value": "alienyze",
"expanded": "Alienyze"
},
{
"value": "apack",
"expanded": "aPack"
},
{
"value": "armadillo",
"expanded": "Armadillo"
@ -33,8 +128,20 @@
"expanded": "ASPack"
},
{
"value": "aspr-asprotect",
"expanded": "ASPR (ASProtect)"
"value": "asprotect",
"expanded": "ASProtect"
},
{
"value": "autoit",
"expanded": "AutoIT"
},
{
"value": "axprotector",
"expanded": "AxProtector"
},
{
"value": "bero",
"expanded": "BeRo EXE Packer"
},
{
"value": "boxedapp-packer",
@ -44,14 +151,34 @@
"value": "cexe",
"expanded": "CExe"
},
{
"value": "code-virtualizer",
"expanded": "Code Virtualizer"
},
{
"value": "confuserex",
"expanded": "ConfuserEx"
},
{
"value": "dotbundle",
"expanded": "dotBundle"
},
{
"value": "dragon-armor",
"expanded": "Dragon Armor"
},
{
"value": "eleckey",
"expanded": "ElecKey"
},
{
"value": "enigma-protector",
"expanded": "Enigma Protector"
},
{
"value": "enigma-virtual-box",
"expanded": "Enigma Virtual Box"
},
{
"value": "exe-bundle",
"expanded": "EXE Bundle"
@ -60,6 +187,10 @@
"value": "exe-stealth",
"expanded": "EXE Stealth"
},
{
"value": "exe32pack",
"expanded": "EXE32Pack"
},
{
"value": "expressor",
"expanded": "eXPressor"
@ -69,32 +200,84 @@
"expanded": "FSG"
},
{
"value": "kkrunchy-src",
"expanded": "kkrunchy src"
"value": "hxor-packer",
"expanded": "hXOR Packer"
},
{
"value": "jdpack",
"expanded": "JDPack"
},
{
"value": "kkrunchy",
"expanded": "Kkrunchy"
},
{
"value": "liapp",
"expanded": "LIAPP"
},
{
"value": "mew",
"expanded": "MEW"
},
{
"value": "molebox",
"expanded": "MoleBox"
},
{
"value": "morphine",
"expanded": "Morphine"
},
{
"value": "mpress",
"expanded": "MPRESS"
},
{
"value": "neolite",
"expanded": "Neolite"
},
{
"value": "netcrypt",
"expanded": "NetCrypt"
},
{
"value": "nspack",
"expanded": "NSPack"
},
{
"value": "obsidium",
"expanded": "Obsidium"
},
{
"value": "packman",
"expanded": "Packman"
},
{
"value": "pecompact",
"expanded": "PECompact"
},
{
"value": "pelock",
"expanded": "PELock"
},
{
"value": "pepacker",
"expanded": "PE Packer"
},
{
"value": "peshield",
"expanded": "PEShield"
},
{
"value": "pespin",
"expanded": "PESpin"
},
{
"value": "petite",
"expanded": "Petite"
"expanded": "PEtite"
},
{
"value": "procrypt",
"expanded": "ProCrypt"
},
{
"value": "rlpack-basic",
@ -104,10 +287,26 @@
"value": "smart-packer-pro",
"expanded": "Smart Packer Pro"
},
{
"value": "squishy",
"expanded": "Squishy"
},
{
"value": "telock",
"expanded": "Telock"
},
{
"value": "themida",
"expanded": "Themida"
},
{
"value": "thinstall",
"expanded": "Thinstall"
},
{
"value": "upack",
"expanded": "UPack"
},
{
"value": "upx",
"expanded": "UPX"
@ -119,6 +318,18 @@
{
"value": "xcomp-xpack",
"expanded": "XComp/XPack"
},
{
"value": "yoda-crypter",
"expanded": "Yoda's Crypter"
},
{
"value": "yoda-protector",
"expanded": "Yoda's Protector"
},
{
"value": "zprotect",
"expanded": "ZProtect"
}
]
}

View File

@ -0,0 +1,56 @@
{
"namespace": "sentinel-threattype",
"expanded": "sentinel-threattype",
"description": "Sentinel indicator threat types.",
"version": 1,
"exclusive": true,
"refs": [
"https://learn.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta#threattype-values"
],
"predicates": [
{
"value": "Botnet",
"expanded": "Indicator is detailing a botnet node/member."
},
{
"value": "C2",
"expanded": "Indicator is detailing a Command & Control node of a botnet."
},
{
"value": "CryptoMining",
"expanded": "Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse."
},
{
"value": "Darknet",
"expanded": "Indicator is that of a Darknet node/network."
},
{
"value": "DDoS",
"expanded": "Indicators relating to an active or upcoming DDoS campaign."
},
{
"value": "MaliciousUrl",
"expanded": "URL that is serving malware."
},
{
"value": "Malware",
"expanded": "Indicator describing a malicious file or files."
},
{
"value": "Phishing",
"expanded": "Indicators relating to a phishing campaign."
},
{
"value": "Proxy",
"expanded": "Indicator is that of a proxy service."
},
{
"value": "PUA",
"expanded": "Potentially Unwanted Application."
},
{
"value": "WatchList",
"expanded": "This is the generic bucket into which indicators are placed when it cannot be determined exactly what the threat is or will require manual interpretation. This should typically not be used by partners submitting data into the system."
}
]
}

View File

@ -0,0 +1,104 @@
{
"version": 1,
"description": "Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.",
"expanded": "Social Engineering Attack Vectors",
"namespace": "social-engineering-attack-vectors",
"exclusive": false,
"predicates": [
{
"value": "technical",
"expanded": "Technical"
},
{
"value": "non-technical",
"expanded": "Non-technical"
}
],
"values": [
{
"predicate": "technical",
"entry": [
{
"value": "vishing",
"expanded": "Vishing"
},
{
"value": "spear-phishing",
"expanded": "Spear phishing"
},
{
"value": "interesting-software",
"expanded": "Interesting software"
},
{
"value": "baiting",
"expanded": "Baiting"
},
{
"value": "waterholing",
"expanded": "Waterholing"
},
{
"value": "phishing-and-trojan-email",
"expanded": "Phishing and Trojan email"
},
{
"value": "spam-email",
"expanded": "Spam Email"
},
{
"value": "popup-window",
"expanded": "Popup Window"
},
{
"value": "tailgating",
"expanded": "Tailgating"
}
]
},
{
"predicate": "non-technical",
"entry": [
{
"value": "pretexting-impersonation",
"expanded": "Pretexting/Impersonation"
},
{
"value": "hoaxing",
"expanded": "Hoaxing"
},
{
"value": "authoritative-voice",
"expanded": "Authoritative voice"
},
{
"value": "technical-expert",
"expanded": "Technical expert"
},
{
"value": "smudge-attack",
"expanded": "Smudge Attack"
},
{
"value": "dumpser-diving",
"expanded": "Dumpster Diving"
},
{
"value": "shoulder-surfing",
"expanded": "Shoulder surfing"
},
{
"value": "spying",
"expanded": "Spying"
},
{
"value": "support-staff",
"expanded": "Support staff"
}
]
}
],
"refs": [
"https://www.researchgate.net/publication/339224082_A_Taxonomy_of_Social_Engineering_Defense_Mechanisms"
]
}

193
srbcert/machinetag.json Normal file
View File

@ -0,0 +1,193 @@
{
"namespace": "srbcert",
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
"version": 3,
"predicates": [
{
"value": "incident-type",
"expanded": "Incident Type"
},
{
"value": "incident-criticality-level",
"expanded": "Incident Criticality Level"
}
],
"values": [
{
"predicate": "incident-type",
"entry": [
{
"value": "virus",
"expanded": "virus",
"description": "Virus is a piece of malicious code that aims to spread from computer to computer by attacking executable files and documents and can cause deliberate deletion of files from the hard drive and similar damage"
},
{
"value": "worm",
"expanded": "worm",
"description": "Worm is a program that contains malicious code that spreads over a network, in such a way that it can reproduce and transfer , which reproduces and transfers independently, i.e. it does not depend on the files of the infected person device. Worms spread to email addresses from the victim's contact list or exploit the vulnerabilities of network applications and, due to the high speed of propagation, serve for transmission of other types of malicious software "
},
{
"value": "ransomware",
"expanded": "Ransomware"
},
{
"value": "trojan",
"expanded": "Trojan"
},
{
"value": "spyware",
"expanded": "Spyware"
},
{
"value": "rootkit",
"expanded": "Rootkit"
},
{
"value": "malware",
"expanded": "Malware is a word derived from two words - Malicious Software, and represents any software that is written for malicious purposes, i.e. that aims to cause harm computer systems or networks"
},
{
"value": "port-scanning",
"expanded": "Port scanning"
},
{
"value": "sniffing",
"expanded": "Sniffing"
},
{
"value": "social-engineering",
"expanded": "Social engineering"
},
{
"value": "data-breaches",
"expanded": "Data breaches"
},
{
"value": "other-type-of-information-gathering",
"expanded": "Other type of information gathering"
},
{
"value": "phishing",
"expanded": "Phishing"
},
{
"value": "unauthorized-use-of-resources",
"expanded": "Unauthorized use of resources"
},
{
"value": "fraud",
"expanded": "Fraud"
},
{
"value": "exploiting-known-vulnerabilities",
"expanded": "Exploiting known vulnerabilities"
},
{
"value": "brute-force",
"expanded": "Brute force"
},
{
"value": "other-type-of-intrusion-attempts",
"expanded": "Other type of Intrusion Attempts"
},
{
"value": "privilege-account-compromise",
"expanded": "Privilege account compromise"
},
{
"value": "unprivileged-account-compromise",
"expanded": "Unprivileged account compromise"
},
{
"value": "application-compromise",
"expanded": "Application compromise"
},
{
"value": "botnet",
"expanded": "Botnet"
},
{
"value": "other-type-of-intrusions",
"expanded": "Other type of intrusions"
},
{
"value": "dos",
"expanded": "DoS"
},
{
"value": "ddos",
"expanded": "DDoS"
},
{
"value": "sabotage",
"expanded": "Sabotage"
},
{
"value": "outage",
"expanded": "Outage"
},
{
"value": "other-type-of-availability-incident",
"expanded": "Other type of Availability incident"
},
{
"value": "unauthorized-access-to-information",
"expanded": "Unauthorized access to information"
},
{
"value": "unauthorized-modification-of-information",
"expanded": "Unauthorized modification of information"
},
{
"value": "cryptographic-attack",
"expanded": "Cryptographic attack"
},
{
"value": "other-type-of-information-content-security-incident",
"expanded": "Other type of Information Content Security incident"
},
{
"value": "hardware-errors",
"expanded": "Hardware errors"
},
{
"value": "software-errors",
"expanded": "Software errors"
},
{
"value": "hardware-components-theft",
"expanded": "hardware-components-theft"
},
{
"value": "other",
"expanded": "Other"
}
]
},
{
"predicate": "incident-criticality-level",
"entry": [
{
"value": "low",
"expanded": "Low",
"numerical_value": 25
},
{
"value": "medium",
"expanded": "Medium",
"numerical_value": 50
},
{
"value": "high",
"expanded": "High",
"numerical_value": 75
},
{
"value": "very-high",
"expanded": "Very High",
"numerical_value": 100
}
]
}
]
}

View File

@ -0,0 +1,3 @@
# State Responsibility
The taxonomy is inspired on an article from Jason Healey in the Atlantic Council [Beyond Attribution: Seeking National Responsibility for Cyber Attacks](https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF).

View File

@ -0,0 +1,61 @@
{
"predicates": [
{
"description": "The national government will help stop the third-party attack, which may originate from its territory or merely be transiting through its networks. This responsibility is the most passive on the scale: though the government is cooperating, it still has some small share of responsibility for the insecure systems involved in the attack. In reality, nations cannot ensure the proper behavior of the tens or hundreds of millions of computers in their borders at all times.",
"expanded": "State-prohibited.",
"value": "state-prohibited."
},
{
"description": "The national government is cooperative and would stop the third-party attack but is unable to do so. The country might lack the proper laws, procedures, technical tools, or political will to use them. Though the nation could itself be a victim, it bears some passive responsibility for the attack, both for being unable to stop it and for having insecure systems in the first place.",
"expanded": "State-prohibited-but-inadequate",
"value": "state-prohibited-but-inadequate."
},
{
"description": "The national government knows about the third-party attacks but, as a matter of policy, is unwilling to take any official action. A government may even agree with the goals and results of the attackers and tip them off to avoid being detected.",
"expanded": "State-ignored",
"value": "state-ignored"
},
{
"description": "Third parties control and conduct the attack, but the national government encourages them to continue as a matter of policy. This encouragement could include editorials in state-run press or leadership publicly agreeing with the goals of the attacks; members of government cyber offensive or intelligence organizations may be encouraged to undertake supportive recreational hacking while off duty. The nation is unlikely to be cooperative in any investigation and is likely to tip off the attackers",
"expanded": "State-encouraged",
"value": "state-encouraged"
},
{
"description": "Third parties control and conduct the attack, but the state provides some support, such as informal coordination between like-minded individuals in the government and the attacking group. To further their policy while retaining plausible deniability, the government may encourage members of their cyber forces to undertake 'recreational hacking' while off duty.",
"expanded": "State-shaped",
"value": "state-shaped"
},
{
"description": "The national government coordinates the third-party attackers—usually out of public view—by 'suggesting' targets, timing, or other operational details. The government may also provide technical or tactical assistance. Similar to state-shaped attacks, the government may encourage its cyber forces to engage in recreational hacking during off hours",
"expanded": "State-coordinated",
"value": "state-coordinated"
},
{
"description": "The national government, as a matter of policy, directs third-party proxies to conduct the attack on its behalf. This is as “state-sponsored” as an attack can be, without direct attack from government cyber forces. Any attackers that are under state control could be considered to be de facto agents of the state under international law.",
"expanded": "State-ordered",
"value": "state-ordered"
},
{
"description": "Elements of cyber forces of the national government conduct the attack. In this case, however, they carry out attacks without the knowledge, or approval, of the national leadership, which may act to stop the attacks should they learn of them. For example, local units or junior officers could be taking the initiative to counterattack out of the senior officers sight. More worrisome, this category could include sophisticated and persistent attacks from large bureaucracies conducting attacks that are at odds with the national leadership. Based on current precedence, a state could likely be held responsible by international courts for such rogue attacks.",
"expanded": "State-rogue-conducted.",
"value": "state-rogue-conducted"
},
{
"description": "The national government, as a matter of policy, directly controls and conducts the attack using its own cyber forces",
"expanded": "State-executed",
"value": "state-executed"
},
{
"description": "The national government integrates third-party attackers and government cyber forces, with common command and control. Orders and coordination may be formal or informal, but the government is in control of selecting targets, timing, and tempo. The attackers are de facto agents of the state",
"expanded": "State-integrated",
"value": "state-integrated"
}
],
"refs": [
"https://www.atlanticcouncil.org/wp-content/uploads/2012/02/022212_ACUS_NatlResponsibilityCyber.PDF"
],
"version": 1,
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
"expanded": "The Spectrum of State Responsibility",
"namespace": "state-responsibility"
}

View File

@ -1,5 +1,5 @@
# Taxonomies
- Generation date: 2021-04-13
- Generation date: 2023-12-31
- license: CC-0
- description: Manifest file of MISP taxonomies available.
@ -55,13 +55,29 @@
- 2
- 1
- 0
### GrayZone
- description: Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.
- version: 3
- Predicates
- Adversary Emulation
- Beacons
- Deterrence
- Deception
- Tarpits, Sandboxes and Honeypots
- Threat Intelligence
- Threat Hunting
- Adversary Takedowns
- Ransomware
- Rescue Missions
- Sanctions, Indictments & Trade Remedies
### PAP
- description: The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.
- version: 2
- version: 3
- Predicates
- RED
- AMBER
- GREEN
- CLEAR
- WHITE
### access-method
- description: The access method used to remotely access a system.
@ -154,6 +170,33 @@
- cat4
- cat5
- cat6
### artificial-satellites
- description: This taxonomy was designed to describe artificial satellites
- version: 1
- Predicates
- Meteorological and Earth observation
- Indian Space Research
- GEO
- Tracking
- Search & Rescue
- Earth Ressources
- Disaster Monitoring
- GNSS
- Space & Earth Science
- Geodetic
- Engineering
- Education
### aviation
- description: A taxonomy describing security threats or incidents against the aviation sector.
- version: 1
- Predicates
- target
- target-systems
- target-sub-systems
- impact
- likelihood
- criticality
- certainty
### binary-class
- description: Custom taxonomy for types of binary file.
- version: 2
@ -179,11 +222,25 @@
- severity
- threat-vector
### circl
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
- version: 5
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.
- version: 6
- Predicates
- incident-classification
- topic
- significant
### cnsd
- description: La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.
- version: 20220513
- Predicates
- Contenido abusivo
- Disponibilidad
- Fraude
- Fuga de información
- Intentos de intrusión
- Intrusión
- Malware
- Recopilación de información
- Otros
### coa
- description: Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.
- version: 2
@ -229,10 +286,17 @@
- level-1
### course-of-action
- description: A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.
- version: 1
- version: 2
- Predicates
- passive
- active
### crowdsec
- description: Crowdsec IP address classifications and behaviors taxonomy.
- version: 1
- Predicates
- behavior
- false-positive
- classification
### cryptocurrency-threat
- description: Threats targetting cryptocurrency, based on CipherTrace report.
- version: 1
@ -247,6 +311,7 @@
- Decentralized Stable Coins
- Email Extortion and Bomb Threats
- Crypto Robbing Ransomware
- Pig Butchering Scam
### csirt-americas
- description: Taxonomía CSIRT Américas.
- version: 1
@ -316,12 +381,14 @@
- Predicates
- action
### dark-web
- description: Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project
- version: 3
- description: Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.
- version: 5
- Predicates
- topic
- motivation
- structure
- service
- content
### data-classification
- description: Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.
- version: 1
@ -347,6 +414,160 @@
- Predicates
- Einstufung
- Schutzwort
### death-possibilities
- description: Taxonomy of Death Possibilities
- version: 1
- Predicates
- (001-009) Intestinal infectious diseases
- (010-018) Tuberculosis
- (020-027) Zoonotic bacterial diseases
- (030-041) Other bacterial diseases
- (042-042) Human immunodeficiency virus [HIV] infection
- (045-049) Poliomyelitis and other non-arthropod-borne viral diseases of central nervous system
- (050-057) Viral diseases accompanied by exanthem
- (060-066) Arthropod-borne viral diseases
- (070-079) Other diseases due to viruses and Chlamydiae
- (080-088) Rickettsioses and other arthropod-borne diseases
- (090-099) Syphilis and other venereal diseases
- (100-104) Other spirochaetal diseases
- (110-118) Mycoses
- (120-129) Helminthiases
- (130-136) Other infectious and parasitic diseases
- (137-139) Late effects of infectious and parasitic diseases
- (140-149) Malignant neoplasm of lip, oral cavity and pharynx
- (150-159) Malignant neoplasm of digestive organs and peritoneum
- (160-165) Malignant neoplasm of respiratory and intrathoracic organs
- (170-176) Malignant neoplasm of bone, connective tissue, skin and breast
- (179-189) Malignant neoplasm of genito-urinary organs
- (190-199) Malignant neoplasm of other and unspecified sites
- (200-208) Malignant neoplasm of lymphatic and haematopoietic tissue
- (210-229) Benign neoplasms
- (230-234) Carcinoma in situ
- (235-238) Neoplasms of uncertain behaviour
- (239-239) Neoplasms of unspecified nature
- (240-246) Disorders of thyroid gland
- (250-259) Diseases of other endocrine glands
- (260-269) Nutritional deficiencies
- (270-279) Other metabolic disorders and immunity disorders
- (280-289) Diseases of blood and blood-forming organs
- (290-294) Organic psychotic conditions
- (295-299) Other psychoses
- (300-316) Neurotic disorders, personality disorders and other nonpsychotic mental disorders
- (317-319) Mental retardation
- (320-326) Inflammatory diseases of the central nervous system
- (330-337) Hereditary and degenerative diseases of the central nervous system
- (340-349) Other disorders of the central nervous system
- (350-359) Disorders of the peripheral nervous system
- (360-379) Disorders of the eye and adnexa
- (380-389) Diseases of the ear and mastoid process
- (390-392) Acute rheumatic fever
- (393-398) Chronic rheumatic heart disease
- (401-405) Hypertensive disease
- (410-414) Ischaemic heart disease
- (415-417) Diseases of pulmonary circulation
- (420-429) Other forms of heart disease
- (430-438) Cerebrovascular disease
- (440-448) Diseases of arteries, arterioles and capillaries
- (451-459) Diseases of veins and lymphatics, and other diseases of circulatory system
- (460-466) Acute respiratory infections
- (470-478) Other diseases of upper respiratory tract
- (480-487) Pneumonia and influenza
- (490-496) Chronic obstructive pulmonary disease and allied conditions
- (500-508) Pneumoconioses and other lung diseases due to external agents
- (510-519) Other diseases of respiratory system
- (520-529) Diseases of oral cavity, salivary glands and jaws
- (530-537) Diseases of oesophagus, stomach and duodenum
- (540-543) Appendicitis
- (550-553) Hernia of abdominal cavity
- (555-558) Non-infective enteritis and colitis
- (560-569) Other diseases of intestines and peritoneum
- (570-579) Other diseases of digestive system
- (580-589) Nephritis, nephrotic syndrome and nephrosis
- (590-599) Other diseases of urinary system
- (600-608) Diseases of male genital organs
- (610-611) Disorders of breast
- (614-616) Inflammatory disease of female pelvic organs
- (617-629) Other disorders of female genital tract
- (630-633) Ectopic and molar pregnancy
- (634-639) Other pregnancy with abortive outcome
- (640-648) Complications mainly related to pregnancy
- (650-659) Normal delivery and other indications for care in pregnancy, labour and delivery
- (660-669) Complications occurring mainly in the course of labour and delivery
- (670-677) Complications of the puerperium
- (680-686) Infections of skin and subcutaneous tissue
- (690-698) Other inflammatory conditions of skin and subcutaneous tissue
- (700-709) Other diseases of skin and subcutaneous tissue
- (710-719) Arthropathies and related disorders
- (720-724) Dorsopathies
- (725-729) Rheumatism, excluding the back
- (730-739) Osteopathies, chondropathies and acquired musculoskeletal deformities
- (740-759) Congenital anomalies
- (760-763) Maternal causes of perinatal morbidity and mortality
- (764-779) Other conditions originating in the perinatal period
- (780-789) Symptoms
- (790-796) Nonspecific abnormal findings
- (797-799) Ill-defined and unknown causes of morbidity and mortality
- (800-804) Fracture of skull
- (805-809) Fracture of neck and trunk
- (810-819) Fracture of upper limb
- (820-829) Fracture of lower limb
- (830-839) Dislocation
- (840-848) Sprains and strains of joints and adjacent muscles
- (850-854) Intracranial injury, excluding those with skull fracture
- (860-869) Internal injury of chest, abdomen and pelvis
- (870-879) Open wound of head, neck and trunk
- (880-887) Open wound of upper limb
- (890-897) Open wound of lower limb
- (900-904) Injury to blood vessels
- (905-909) Late effects of injuries, poisonings, toxic effects and other external causes
- (910-919) Superficial injury
- (920-924) Contusion with intact skin surface
- (925-929) Crushing injury
- (930-939) Effects of foreign body entering through orifice
- (940-949) Burns
- (950-957) Injury to nerves and spinal cord
- (958-959) Certain traumatic complications and unspecified injuries
- (960-979) Poisoning by drugs, medicaments and biological substances
- (980-989) Toxic effects of substances chiefly nonmedicinal as to source
- (990-995) Other and unspecified effects of external causes
- (996-999) Complications of surgical and medical care, not elsewhere classified
- (E800-E807) Railway accidents
- (E810-E819) Motor vehicle traffic accidents
- (E820-E825) Motor vehicle nontraffic accidents
- (E826-E829) Other road vehicle accidents
- (E830-E838) Water transport accidents
- (E840-E845) Air and space transport accidents
- (E846-E848) Vehicle accidents not elsewhere classifiable
- (E849-E858) Accidental poisoning by drugs, medicaments and biologicals
- (E860-E869) Accidental poisoning by other solid and liquid substances, gases and vapours
- (E870-E876) Misadventures to patients during surgical and medical care
- (E878-E879) Surgical and medical procedures as the cause of abnormal reaction of patient or later complication, without mention of misadventure at the time of procedure
- (E880-E888) Accidental falls
- (E890-E899) Accidents caused by fire and flames
- (E900-E909) Accidents due to natural and environmental factors
- (E910-E915) Accidents caused by submersion, suffocation and foreign bodies
- (E916-E928) Other accidents
- (E929-E929) Late effects of accidental injury
- (E930-E949) Drugs, medicaments and biological substances causing adverse effects in therapeutic use
- (E950-E959) Suicide and self-inflicted injury
- (E960-E969) Homicide and injury purposely inflicted by other persons
### deception
- description: Deception is an important component of information operations, valuable for both offense and defense.
- version: 1
- Predicates
- space
- time
- participant
- causality
- quality
- essence
- speech-act-theory
### dga
- description: A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.
- version: 2
- Predicates
- generation-scheme
- seeding
### dhs-ciip-sectors
- description: DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors
- version: 2
@ -361,6 +582,15 @@
- Capability
- Infrastructure
- Victim
### diamond-model-for-influence-operations
- description: The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.
- version: 1
- Predicates
- Influencer
- Capabilities
- Infrastructure
- Audience
- Narrative
### dni-ism
- description: A subset of Information Security Marking Metadata ISM as required by Executive Order (EO) 13526. As described by DNI.gov as Data Encoding Specifications for Information Security Marking Metadata in Controlled Vocabulary Enumeration Values for ISM
- version: 3
@ -375,11 +605,28 @@
- nonuscontrols
- dissem
### domain-abuse
- description: Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity
- version: 1
- description: Domain Name Abuse - taxonomy to tag domain names used for cybercrime.
- version: 2
- Predicates
- domain-status
- domain-access-method
### doping-substances
- description: This taxonomy aims to list doping substances
- version: 2
- Predicates
- anabolic agents
- peptide hormones, growth factors, related substances and mimetics
- beta-2 agonists
- hormone and metabolic modulators
- diuretics and masking agents
- manipulation of blood and blood components
- chemical and physical manipulation
- gene and cell doping
- stimulants
- narcotics
- cannabinoids
- glucocorticoids
- beta-blockers
### drugs
- description: A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest
- version: 2
@ -549,7 +796,7 @@
- event-class
### exercise
- description: Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.
- version: 8
- version: 10
- Predicates
- cyber-europe
- cyber-storm
@ -560,14 +807,15 @@
- cyber-sopex
- generic
### extended-event
- description: Reasons why an event has been extended.
- version: 1
- description: Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf
- version: 2
- Predicates
- competitive-analysis
- extended-analysis
- human-readable
- chunked-event
- update
- counter-analysis
### failure-mode-in-machine-learning
- description: The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.
- version: 1
@ -576,7 +824,7 @@
- unintended-failures-summary
### false-positive
- description: This taxonomy aims to ballpark the expected amount of false positives.
- version: 5
- version: 7
- Predicates
- risk
- confirmed
@ -585,6 +833,15 @@
- version: 1
- Predicates
- type
### financial
- description: Financial taxonomy to describe financial services, infrastructure and financial scope.
- version: 7
- Predicates
- categories-and-types-of-services
- geographical-footprint
- online-exposition
- physical-presence
- services
### flesch-reading-ease
- description: Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).
- version: 2
@ -600,11 +857,11 @@
- anonymous-data
### fr-classif
- description: French gov information classification system
- version: 3
- version: 6
- Predicates
- classifiees-defense
- non-classifiees-defense
- classifiees
- non-classifiees
- special-france
### gdpr
- description: Taxonomy related to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- version: 0
@ -809,6 +1066,13 @@
- submission
- output-format
- certainty
### information-origin
- description: Taxonomy for tagging information by its origin: human-generated or AI-generated.
- version: 2
- Predicates
- human-generated
- AI-generated
- uncertain-origin
### information-security-data-source
- description: Taxonomy to classify the information security data sources.
- version: 1
@ -836,6 +1100,35 @@
- VTC
- VOR
- IMP
### interactive-cyber-training-audience
- description: Describes the target of cyber training and education.
- version: 1
- Predicates
- sector
- purpose
- proficiency-level
- target-audience
### interactive-cyber-training-technical-setup
- description: The technical setup consists of environment structure, deployment, and orchestration.
- version: 1
- Predicates
- environment-structure
- deployment
- orchestration
### interactive-cyber-training-training-environment
- description: The training environment details the environment around the training, consisting of training type and scenario.
- version: 1
- Predicates
- training-type
- scenario
### interactive-cyber-training-training-setup
- description: The training setup further describes the training itself with the scoring, roles, the training mode as well as the customization level.
- version: 1
- Predicates
- scoring
- roles
- training-mode
- customization-level
### interception-method
- description: The interception method used to intercept traffic.
- version: 1
@ -929,8 +1222,16 @@
- should-not-sync
- tool
- misp2yara
- ids
- event-type
- ids
### misp-workflow
- description: MISP workflow taxonomy to support result of workflow execution.
- version: 3
- Predicates
- action-taken
- analysis
- mutability
- run
### monarc-threat
- description: MONARC Threats Taxonomy
- version: 1
@ -975,6 +1276,19 @@
- nature-root-cause
- nature-severity
- test
### nis2
- description: The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.
- version: 3
- Predicates
- impact-sectors-impacted
- impact-subsectors-impacted
- important-entities
- impact-subsectors-important-entities
- impact-severity
- impact-outlook
- nature-root-cause
- nature-severity
- test
### open_threat
- description: Open Threat Taxonomy v1.1 base on James Tarala of SANS http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf, https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf, https://www.youtube.com/watch?v=5rdGOOFC_yE, and https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf
- version: 1
@ -1015,7 +1329,7 @@
- vulnerability
### phishing
- description: Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status.
- version: 4
- version: 5
- Predicates
- techniques
- distribution
@ -1025,6 +1339,18 @@
- state
- psychological-acceptability
- principle-of-persuasion
### poison-taxonomy
- description: Non-exhaustive taxonomy of natural poison
- version: 1
- Predicates
- Poisonous plant
- Poisonous fungus
### political-spectrum
- description: A political spectrum is a system to characterize and classify different political positions in relation to one another.
- version: 1
- Predicates
- ideology
- left-right-spectrum
### priority-level
- description: After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System.
- version: 2
@ -1036,6 +1362,20 @@
- low
- baseline-minor
- baseline-negligible
### pyoti
- description: PyOTI automated enrichment schemes for point in time classification of indicators.
- version: 3
- Predicates
- checkdmarc
- disposable-email
- emailrepio
- iris-investigate
- virustotal
- circl-hashlookup
- reputation-block-list
- abuseipdb
- greynoise-riot
- googlesafebrowsing
### ransomware
- description: Ransomware is used to define ransomware types and the elements that compose them.
- version: 6
@ -1048,6 +1388,17 @@
- infection
- communication
- malicious-action
### ransomware-roles
- description: The seven roles seen in most ransomware incidents.
- version: 1
- Predicates
- 1 - Initial Access Broker
- 2 - Ransomware Affiliate
- 3 - Data Manager
- 4 - Ransomware Operator
- 5 - Negotiator
- 6 - Chaser
- 7 - Accountant
### retention
- description: Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.
- version: 3
@ -1065,7 +1416,7 @@
- 10y
### rsit
- description: Reference Security Incident Classification Taxonomy
- version: 1002
- version: 1003
- Predicates
- abusive-content
- malicious-code
@ -1084,11 +1435,13 @@
- Predicates
- event-status
### runtime-packer
- description: Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
- version: 1
- description: Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
- version: 2
- Predicates
- portable-executable
- dex
- elf
- macho
- pe
- cli-assembly
### scrippsco2-fgc
- description: Flags describing the sample
@ -1134,6 +1487,21 @@
- NZD
- PSA
- SPO
### sentinel-threattype
- description: Sentinel indicator threat types.
- version: 1
- Predicates
- Botnet
- C2
- CryptoMining
- Darknet
- DDoS
- MaliciousUrl
- Malware
- Phishing
- Proxy
- PUA
- WatchList
### smart-airports-threats
- description: Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports
- version: 1
@ -1143,6 +1511,32 @@
- natural-and-social-phenomena
- third-party-failures
- malicious-actions
### social-engineering-attack-vectors
- description: Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.
- version: 1
- Predicates
- technical
- non-technical
### srbcert
- description: SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection
- version: 3
- Predicates
- incident-type
- incident-criticality-level
### state-responsibility
- description: A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.
- version: 1
- Predicates
- state-prohibited.
- state-prohibited-but-inadequate.
- state-ignored
- state-encouraged
- state-shaped
- state-coordinated
- state-ordered
- state-rogue-conducted
- state-executed
- state-integrated
### stealth_malware
- description: Classification based on malware stealth techniques. Described in https://vxheaven.org/lib/pdf/Introducing%20Stealth%20Malware%20Taxonomy.pdf
- version: 1
@ -1159,9 +1553,23 @@
- Predicates
- targeting-sophistication-base-value
- technical-sophistication-multiplier
### ThreatMatch
### thales_group
- description: Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.
- version: 4
- Predicates
- distribution
- to_block
- minarm
- acn
- sigpart
- a_isac
- intercert_france
- ioc_confidence
- tlp:black
- Watcher
### threatmatch
- description: The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.
- version: 1
- version: 3
- Predicates
- sector
- incident-type
@ -1175,14 +1583,17 @@
- dns-server-attacks
- dns-abuse-or-misuse
### tlp
- description: The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
- version: 5
- description: The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.
- version: 10
- Predicates
- red
- amber
- amber+strict
- green
- white
- clear
- ex:chr
- unclear
### tor
- description: Taxonomy to describe Tor network infrastructure
- version: 1
@ -1210,6 +1621,13 @@
- IMINT
- MASINT
- FININT
### unified-kill-chain
- description: The Unified Kill Chain is a refinement to the Kill Chain.
- version: 1
- Predicates
- Initial Foothold
- Network Propagation
- Action on Objectives
### use-case-applicability
- description: The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.
- version: 1
@ -1289,9 +1707,9 @@
- description: VMRay taxonomies to map VMRay Thread Identifier scores and artifacts.
- version: 1
- Predicates
- artifact
- verdict
- vti_analysis_score
- artifact
### vocabulaire-des-probabilites-estimatives
- description: Ce vocabulaire attribue des valeurs en pourcentage à certains énoncés de probabilité
- version: 3
@ -1299,7 +1717,7 @@
- degré-de-probabilité
### workflow
- description: Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.
- version: 10
- version: 12
- Predicates
- todo
- state

View File

@ -32,6 +32,20 @@
"value": "sigpart",
"numerical_value": 7
},
{
"colour": "#043C86",
"description": "This TAG will insure you to share ONLY to the Thales Group ISAC alliance. Distribution: All communities",
"expanded": "Use it when you want to share to the Thales Group ISAC alliance ONLY. Distribution: All communities",
"value": "a_isac",
"numerical_value": 8
},
{
"colour": "#12294D",
"description": "This TAG will insure you to share ONLY to the Thales Group InterCERT France alliance. Distribution: All communities",
"expanded": "Use it when you want to share to the Thales Group InterCERT France alliance ONLY. Distribution: All communities",
"value": "intercert_france",
"numerical_value": 9
},
{
"colour": "#75646A",
"description": "Distribution: All communities",
@ -44,14 +58,14 @@
"description": "Distribution: Restricted Sharing Group",
"expanded": "(TLP:BLACK) Information cannot be effectively acted outside of strict and reduced circle of a trust. Distribution: Restricted Sharing Group",
"value": "tlp:black",
"numerical_value": 11
"numerical_value": 13
},
{
"colour": "#375a7f",
"description": "Distribution: All communities",
"expanded": "Use it when this came from Watcher Platform. Distribution: All communities",
"value": "Watcher",
"numerical_value": 12
"numerical_value": 14
}
],
"values": [
@ -94,17 +108,17 @@
{
"value": "high",
"expanded": "High",
"numerical_value": 8
"numerical_value": 10
},
{
"value": "medium",
"expanded": "Medium",
"numerical_value": 9
"numerical_value": 11
},
{
"value": "low",
"expanded": "Low",
"numerical_value": 10
"numerical_value": 12
}
]
}
@ -112,7 +126,7 @@
"refs": [
"https://www.thalesgroup.com/en/cert"
],
"version": 2,
"version": 4,
"description": "Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.",
"expanded": "Thales Group Taxonomy",
"namespace": "thales_group"

View File

@ -437,8 +437,8 @@
"expanded": "Actor Campaigns"
},
{
"value": "Credential Breaches",
"expanded": "Credential Breaches"
"value": "Credential Breach",
"expanded": "Credential Breach"
},
{
"value": "DDoS",
@ -453,41 +453,29 @@
"expanded": "General Notification"
},
{
"value": "High Impact Vulnerabilities",
"expanded": "High Impact Vulnerabilities"
"value": "Vulnerability",
"expanded": "Vulnerability"
},
{
"value": "Information Leakages",
"expanded": "Information Leakages"
},
{
"value": "Malware Analysis",
"expanded": "Malware Analysis"
"value": "Malware",
"expanded": "Malware"
},
{
"value": "Nefarious Domains",
"expanded": "Nefarious Domains"
"value": "Suspicious Domain",
"expanded": "Suspicious Domain"
},
{
"value": "Nefarious Forum Mention",
"expanded": "Nefarious Forum Mention"
},
{
"value": "Pastebin Dumps",
"expanded": "Pastebin Dumps"
"value": "Forum Mention",
"expanded": "Forum Mention"
},
{
"value": "Phishing Attempts",
"expanded": "Phishing Attempts"
},
{
"value": "PII Exposure",
"expanded": "PII Exposure"
},
{
"value": "Sensitive Information Disclosures",
"expanded": "Sensitive Information Disclosures"
},
{
"value": "Social Media Alerts",
"expanded": "Social Media Alerts"
@ -501,12 +489,28 @@
"expanded": "Technical Exposure"
},
{
"value": "Threat Actor Updates",
"expanded": "Threat Actor Updates"
"value": "Threat Actor Update",
"expanded": "Threat Actor Update"
},
{
"value": "Trigger Events",
"expanded": "Trigger Events"
"value": "Direct Targeting ",
"expanded": "Direct Targeting "
},
{
"value": "Protest Activity",
"expanded": "Protest Activity"
},
{
"value": "Violent Event",
"expanded": "Violent Event"
},
{
"value": "Strategic Event",
"expanded": "Strategic Event"
},
{
"value": "Insider Threat",
"expanded": "Insider Threat"
}
]
}

View File

@ -1,41 +1,58 @@
{
"predicates": [
{
"colour": "#CC0033",
"description": "Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.",
"expanded": "(TLP:RED) Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate.",
"colour": "#FF2B2B",
"description": "For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.",
"expanded": "(TLP:RED) For the eyes and ears of individual recipients only, no further disclosure.",
"value": "red"
},
{
"colour": "#FFC000",
"description": "Limited disclosure, restricted to participants organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.",
"expanded": "(TLP:AMBER) Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon.",
"description": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note that TLP:AMBER+STRICT restricts sharing to the organization only.",
"expanded": "(TLP:AMBER) Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.",
"value": "amber"
},
{
"colour": "#339900",
"description": "Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.",
"expanded": "(TLP:GREEN) Information given to a community or a group of organizations at large. The information cannot be publicly released.",
"colour": "#FFC000",
"description": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization. Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER+STRICT information with members of their own organization.",
"expanded": "(TLP:AMBER+STRICT) Limited disclosure, recipients can only spread this on a need-to-know basis within their organization.",
"value": "amber+strict"
},
{
"colour": "#33FF00",
"description": "Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.",
"expanded": "(TLP:GREEN) Limited disclosure, recipients can spread this within their community.",
"value": "green"
},
{
"colour": "#ffffff",
"description": "Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.",
"description": "Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. The version 2.0 of TLP doesn't mention anymore this tag which is most probably compatible with new TLP:CLEAR tag.",
"expanded": "(TLP:WHITE) Information can be shared publicly in accordance with the law.",
"value": "white"
},
{
"colour": "#ffffff",
"description": "Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.",
"expanded": "(TLP:CLEAR) Recipients can spread this to the world, there is no limit on disclosure.",
"value": "clear"
},
{
"colour": "#d208f4",
"expanded": "(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.",
"value": "ex:chr"
},
{
"colour": "#7e7eae",
"expanded": "(TLP:UNCLEAR) Community, Organization, Clients, and Recipients are all so confused what the appropriate disclosure level is, and if this or that indicator can or cannot be shared. Assumptions are rampant and the confusion is so high that a chi-square test might in fact be required to ensure the randomness of the mess before labelling this case TLP:UNCLEAR.",
"value": "unclear"
}
],
"refs": [
"https://www.first.org/tlp"
],
"version": 5,
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
"version": 10,
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
"expanded": "Traffic Light Protocol",
"namespace": "tlp",
"exclusive": true
"exclusive": true,
"namespace": "tlp"
}

View File

@ -1,7 +1,7 @@
python3 machinetag.py -a >a.txt
asciidoctor a.txt
asciidoctor-pdf -a allow-uri-read a.txt
cp a.html ../../misp-website/taxonomies.html
cp a.pdf ../../misp-website/taxonomies.pdf
cp a.html ../../misp-website-new/static/taxonomies.html
cp a.pdf ../../misp-website-new/static/taxonomies.pdf
scp a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-taxonomies/index.html
scp a.pdf circl@cpab.circl.lu://var/www/nwww.circl.lu/doc/misp-taxonomies/taxonomies.pdf

View File

@ -4,7 +4,7 @@
# Python script parsing the MISP taxonomies expressed in Machine Tags (Triple
# Tags) to list all valid tags from a specific taxonomy.
#
# Copyright (c) 2015-2017 Alexandre Dulaunoy - a@foo.be
# Copyright (c) 2015-2022 Alexandre Dulaunoy - a@foo.be
#
# Redistribution and use in source and binary forms, with or without modification,
# are permitted provided that the following conditions are met:
@ -30,42 +30,73 @@ import json
import os.path
import argparse
import os
import sys
skip_list = ["death-possibilities", "poison-taxonomy", "doping-substances"]
taxonomies = []
# Get our current directory from file location
thisDir = os.path.dirname(__file__)
for folder in os.listdir(os.path.join(thisDir, '../')):
if os.path.isfile(os.path.join(thisDir, '../', folder, 'machinetag.json')):
argParser = argparse.ArgumentParser(
description="Dump Machine Tags (Triple Tags) from MISP taxonomies",
epilog="Available taxonomies are {0}".format(taxonomies),
)
argParser.add_argument("-e", action="store_true", help="Include expanded tags")
argParser.add_argument(
"-a", action="store_true", help="Generate asciidoctor document from MISP taxonomies"
)
argParser.add_argument("-v", action="store_true", help="Include descriptions")
argParser.add_argument("-n", default=False, help="Show only the specified namespace")
argParser.add_argument(
"--disable-skip-list",
default=False,
action="store_true",
help="disable default skip list",
)
args = argParser.parse_args()
if args.disable_skip_list:
skip_list = ""
for folder in os.listdir(os.path.join(thisDir, "../")):
if os.path.isfile(os.path.join(thisDir, "../", folder, "machinetag.json")):
if folder in skip_list:
continue
taxonomies.append(folder)
taxonomies.sort()
argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
argParser.add_argument('-e', action='store_true', help='Include expanded tags')
argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
argParser.add_argument('-v', action='store_true', help='Include descriptions')
argParser.add_argument('-n', default=False, help='Show only the specified namespace')
args = argParser.parse_args()
doc = ''
doc = ""
if args.a:
dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n"
doc = doc + ":toc: right\n"
doc = doc + ":toclevels: 1\n"
doc = doc + ":icons: font\n"
doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
doc = (
doc
+ ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
)
doc = doc + ":images-misp: https://www.misp-project.org/assets/images/\n"
doc = doc + "= MISP taxonomies and classification as machine tags\n\n"
doc = doc + "= Introduction\n"
doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n"
doc = doc + "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
doc = (
doc
+ "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
)
doc = doc + ""
doc = "{} {} {} {}".format(doc, "\nTaxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags).",
doc = "{} {} {} {}".format(
doc,
"\nTaxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags).",
"A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value.",
"Machine tags are often called triple tag due to their format.\n")
doc = doc + "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-taxonomies[MISP taxonomies]."
"Machine tags are often called triple tag due to their format.\n",
)
doc = (
doc
+ "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-taxonomies[MISP taxonomies]."
)
doc = doc + "\n\n"
doc = doc + "<<<\n"
doc = doc + dedication
@ -78,31 +109,37 @@ if args.n:
taxonomies.append(args.n)
def asciidoc(content=False, adoc=doc, t='title', toplevel=False):
def asciidoc(content=False, adoc=doc, t="title", toplevel=False):
if not args.a:
return False
adoc = adoc + "\n"
if t == 'title':
content = '==== ' + content
elif t == 'predicate':
content = '=== ' + content
elif t == 'namespace':
content = '== ' + content + '\n'
content = "{}\n{}{} {}{}{} {}".format(content, 'NOTE: ', namespace, 'namespace available in JSON format at https://github.com/MISP/misp-taxonomies/blob/main/',
namespace, '/machinetag.json[*this location*]. The JSON format can be freely reused in your application',
'or automatically enabled in https://www.github.com/MISP/MISP[MISP] taxonomy.')
elif t == 'description' and toplevel is True:
if t == "title":
content = "==== " + content
elif t == "predicate":
content = "=== " + content
elif t == "namespace":
content = "== " + content + "\n"
content = "{}\n{}{} {}{}{} {}".format(
content,
"NOTE: ",
namespace,
"namespace available in JSON format at https://github.com/MISP/misp-taxonomies/blob/main/",
namespace,
"/machinetag.json[*this location*]. The JSON format can be freely reused in your application",
"or automatically enabled in https://www.github.com/MISP/MISP[MISP] taxonomy.",
)
elif t == "description" and toplevel is True:
content = "\n{} \n".format(content)
elif t == 'description' and toplevel is False:
elif t == "description" and toplevel is False:
try:
(n, value) = content.split(":", 1)
content = "\n{} \n".format(value)
except:
content = "\n{} \n".format(content)
elif t == 'numerical_value':
elif t == "numerical_value":
(n, value) = content.split(":", 1)
content = "\nAssociated numerical value=\"{}\" \n".format(value)
elif t == 'exclusive':
content = '\nAssociated numerical value="{}" \n'.format(value)
elif t == "exclusive":
(n, value) = content.split(":", 1)
if n:
content = "\nIMPORTANT: Exclusive flag set which means the values or predicate below must be set exclusively.\n"
@ -115,79 +152,178 @@ def machineTag(namespace=False, predicate=False, value=None):
if namespace is False or predicate is False:
return None
if value is None:
return (u'{0}:{1}'.format(namespace, predicate))
return "{0}:{1}".format(namespace, predicate)
else:
return (u'{0}:{1}=\"{2}\"'.format(namespace, predicate, value))
return '{0}:{1}="{2}"'.format(namespace, predicate, value)
for taxonomy in taxonomies:
if taxonomy in skip_list:
sys.stderr.write(f"Skip {taxonomy}")
continue
filename = os.path.join(thisDir, "../", taxonomy, "machinetag.json")
with open(filename) as fp:
t = json.load(fp)
namespace = t['namespace']
if t.get('expanded'):
expanded_namespace = t['expanded']
namespace = t["namespace"]
if t.get("expanded"):
expanded_namespace = t["expanded"]
else:
expanded_namespace = namespace
if args.a:
doc = asciidoc(content=t['namespace'], adoc=doc, t='namespace')
doc = asciidoc(content=t['description'], adoc=doc, t='description', toplevel = True)
if t.get('exclusive'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=t['exclusive']), adoc=doc, t='exclusive')
doc = asciidoc(content=t["namespace"], adoc=doc, t="namespace")
doc = asciidoc(
content=t["description"], adoc=doc, t="description", toplevel=True
)
if t.get("exclusive"):
doc = asciidoc(
content=machineTag(namespace=namespace, predicate=t["exclusive"]),
adoc=doc,
t="exclusive",
)
if args.v:
print('{0}'.format(t['description']))
for predicate in t['predicates']:
print("{0}".format(t["description"]))
for predicate in t["predicates"]:
if args.a:
doc = asciidoc(content=predicate['value'], adoc=doc, t='predicate')
if predicate.get('description'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['description']), adoc=doc, t='description')
if predicate.get('exclusive'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['exclusive']), adoc=doc, t='exclusive')
doc = asciidoc(content=predicate["value"], adoc=doc, t="predicate")
if predicate.get("description"):
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["description"]
),
adoc=doc,
t="description",
)
if predicate.get("exclusive"):
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["exclusive"]
),
adoc=doc,
t="exclusive",
)
if t.get('values') is None:
if t.get("values") is None:
if args.a:
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['value']), adoc=doc)
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['expanded']), adoc=doc, t='description')
if predicate.get('description'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['description']), adoc=doc, t='description')
if predicate.get('numerical_value'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['numerical_value']), adoc=doc, t='description')
if predicate.get('exclusive'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['exclusive']), adoc=adoc, t='exclusive')
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["value"]
),
adoc=doc,
)
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["expanded"]
),
adoc=doc,
t="description",
)
if predicate.get("description"):
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["description"]
),
adoc=doc,
t="description",
)
if predicate.get("numerical_value"):
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["numerical_value"]
),
adoc=doc,
t="description",
)
if predicate.get("exclusive"):
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=predicate["exclusive"]
),
adoc=doc,
t="exclusive",
)
else:
print(machineTag(namespace=namespace, predicate=predicate['value']))
print(machineTag(namespace=namespace, predicate=predicate["value"]))
if args.e:
print("--> " + machineTag(namespace=expanded_namespace, predicate=predicate['expanded']))
if predicate.get('description'):
print("--> " + predicate['description'])
print(
"--> "
+ machineTag(
namespace=expanded_namespace, predicate=predicate["expanded"]
)
)
if predicate.get("description"):
print("--> " + predicate["description"])
else:
for e in t['values']:
if e['predicate'] == predicate['value']:
if 'expanded' in predicate:
expanded = predicate['expanded']
for v in e['entry']:
if args.a and 'expanded' in v:
doc = asciidoc(content=machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']), adoc=doc)
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['expanded']), adoc=doc, t='description')
if 'description' in v:
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['description']), adoc=doc, t='description')
if v.get('numerical_value'):
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['numerical_value']), adoc=doc, t='numerical_value')
for e in t["values"]:
if e["predicate"] == predicate["value"]:
if "expanded" in predicate:
expanded = predicate["expanded"]
for v in e["entry"]:
if args.a and "expanded" in v:
doc = asciidoc(
content=machineTag(
namespace=namespace,
predicate=e["predicate"],
value=v["value"],
),
adoc=doc,
)
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=v["expanded"]
),
adoc=doc,
t="description",
)
if "description" in v:
doc = asciidoc(
content=machineTag(
namespace=namespace, predicate=v["description"]
),
adoc=doc,
t="description",
)
if v.get("numerical_value"):
doc = asciidoc(
content=machineTag(
namespace=namespace,
predicate=v["numerical_value"],
),
adoc=doc,
t="numerical_value",
)
else:
print(machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']))
print(
machineTag(
namespace=namespace,
predicate=e["predicate"],
value=v["value"],
)
)
if args.e:
if'expanded' in v:
print("--> " + machineTag(namespace=namespace, predicate=expanded, value=v['expanded']))
if "expanded" in v:
print(
"--> "
+ machineTag(
namespace=namespace,
predicate=expanded,
value=v["expanded"],
)
)
with open('../mapping/mapping.json') as mapping:
with open("../mapping/mapping.json") as mapping:
m = json.load(mapping)
output = '\n= Mapping of taxonomies\n'
output = '{}{}'.format(output, 'Analysts relying on taxonomies don\'t always know the appropriate namespace to use but know which value to use for classification. The MISP mapping taxonomy allows to map a single classification into a series of machine-tag synonyms.\n')
output = "\n= Mapping of taxonomies\n"
output = "{}{}".format(
output,
"Analysts relying on taxonomies don't always know the appropriate namespace to use but know which value to use for classification. The MISP mapping taxonomy allows to map a single classification into a series of machine-tag synonyms.\n",
)
for value in sorted(m.keys()):
output = '{}{} **{}**{}{}\n'.format(output,'\n.Mapping table - ',value,'\n|===\n|',value)
for mapped in m[value]['values']:
output = '{}|{}\n'.format(output,mapped)
output = '{}|===\n'.format(output)
output = "{}{} **{}**{}{}\n".format(
output, "\n.Mapping table - ", value, "\n|===\n|", value
)
for mapped in m[value]["values"]:
output = "{}|{}\n".format(output, mapped)
output = "{}|===\n".format(output)
doc = doc + output
if args.a:

View File

@ -9,4 +9,4 @@ with open(filename) as fp:
for taxo in sorted(t['taxonomies'], key=lambda k: k['name']):
print("### {}".format(taxo['name']))
print()
print("[{}](https://github.com/MISP/misp-taxonomies/tree/main/{}) :\n{} [Overview](https://www.misp-project.org/taxonomies.html#_{})\n".format(taxo['name'], taxo['name'], taxo['description'], re.sub(r'-', '_',taxo['name'])))
print("[{}](https://github.com/MISP/misp-taxonomies/tree/main/{}) :\n{} [Overview](https://www.misp-project.org/taxonomies.html#_{})\n".format(taxo['name'], taxo['name'], taxo['description'], re.sub(r'-', '_',taxo['name'].lower())))

View File

@ -0,0 +1,113 @@
{
"namespace": "unified-kill-chain",
"expanded": "Unified Kill Chain",
"description": "The Unified Kill Chain is a refinement to the Kill Chain.",
"version": 1,
"predicates": [
{
"value": "Initial Foothold",
"expanded": "Initial Foothold"
},
{
"value": "Network Propagation",
"expanded": "Network Propagation"
},
{
"value": "Action on Objectives",
"expanded": "Action on Objectives"
}
],
"values": [
{
"predicate": "Initial Foothold",
"entry": [
{
"expanded": "Reconnaissance",
"value": "reconnaissance"
},
{
"expanded": "Weaponization",
"value": "weaponization"
},
{
"expanded": "Delivery",
"value": "delivery"
},
{
"expanded": "Social Engineering",
"value": "social-engineering"
},
{
"expanded": "Exploitation",
"value": "exploitation"
},
{
"expanded": "Persistence",
"value": "persistence"
},
{
"expanded": "Defense Evasion",
"value": "defense-evasion"
},
{
"expanded": "Command & Control",
"value": "command-control"
}
]
},
{
"predicate": "Network Propagation",
"entry": [
{
"expanded": "Pivoting",
"value": "pivoting"
},
{
"expanded": "Discovery",
"value": "discovery"
},
{
"expanded": "Privilege Escalation",
"value": "privilege-escalation"
},
{
"expanded": "Execution",
"value": "execution"
},
{
"expanded": "Credential Access",
"value": "credential-access"
},
{
"expanded": "Lateral Movement",
"value": "lateral-movement"
}
]
},
{
"predicate": "Action on Objectives",
"entry": [
{
"expanded": "Access",
"value": "access"
},
{
"expanded": "Collection",
"value": "collection"
},
{
"expanded": "Exfiltration",
"value": "exfiltration"
},
{
"expanded": "Impact",
"value": "impact"
},
{
"expanded": "Objectives",
"value": "objectives"
}
]
}
]
}

18
validate_all.py Normal file
View File

@ -0,0 +1,18 @@
import sys
import glob
import json
from jsonschema import validate
schema = json.load(open("schema.json", "r"))
for taxonomy_file in glob.glob('./*/machinetag.json'):
print("Checking {}".format(taxonomy_file))
taxonomy = json.load(open(taxonomy_file, "r"))
validate(instance=taxonomy, schema=schema)
if "values" in taxonomy:
predicates = [predicate["value"] for predicate in taxonomy["predicates"]]
for value in taxonomy["values"]:
if value["predicate"] not in predicates:
print("ERROR: Predicate `{}` is missing".format(value["predicate"]))
sys.exit(1)

View File

@ -8,7 +8,7 @@ set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
echo "Please make sure you run ./jq_all_the_things.sh before committing."
exit 1
fi
@ -20,11 +20,6 @@ if ! [ $((directories-2)) -eq $manifest_entries ]; then
exit 1
fi
for dir in */machinetag.json
do
echo -n "${dir}: "
jsonschema -i ${dir} schema.json
echo ''
done
python3 validate_all.py
jsonschema -i mapping/mapping.json schema_mapping.json

View File

@ -2,7 +2,7 @@
"namespace": "workflow",
"expanded": "workflow to support analysis",
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
"version": 10,
"version": 12,
"predicates": [
{
"value": "todo",
@ -115,19 +115,27 @@
"entry": [
{
"value": "incomplete",
"expanded": "Incomplete means that the information tagged is incomplete and has potential to be completed by other analysts, technical processes or the current analysts performing the analysis"
"expanded": "Incomplete means that the information tagged is incomplete and has potential to be completed by other analysts, technical processes or the current analysts performing the analysis."
},
{
"value": "complete",
"expanded": "Complete means that the information tagged reach a state of completeness with the current capabilities of the analyst"
"expanded": "Complete means that the information tagged reach a state of completeness with the current capabilities of the analyst."
},
{
"value": "draft",
"expanded": "Draft means the information tagged can be released as a preliminary version or outline"
"expanded": "Draft means the information tagged can be released as a preliminary version or outline."
},
{
"value": "ongoing",
"expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst."
},
{
"value": "rejected",
"expanded": "Analyst rejected the process. The object will not reach state of completeness."
},
{
"value": "release",
"expanded": "Analyst approved the information to be released. Like a MISP event to be released and published."
}
]
}