Improve consistency when lising the predicates, remove duplicates

* SeekmoSearchAssistant was here twice in ms-caro-malware-full * Mult was here twice in ms-caro-malware-full * CouponRuc was here twice in ms-caro-malware-full * mobile-malware was here twice in enisa * spear-phishing-attacks was here twice in enisa
2017-07-25 14:51:53 +02:00 · 2017-07-25 14:51:53 +02:00 · c7525b0260
parent 7df2111cbb
commit c7525b0260
9 changed files with 96 additions and 96 deletions
--- a/adversary/machinetag.json
+++ b/adversary/machinetag.json
@ -8,16 +8,16 @@
      "expanded": "Infrastructure Status"
    },
    {
-      "value": "infrastructure-type",
-      "expanded": "Infrastructure Type"
+      "value": "infrastructure-action",
+      "expanded": "Infrastructure Action"
    },
    {
      "value": "infrastructure-state",
      "expanded": "Infrastructure State"
    },
    {
-      "value": "infrastructure-action",
-      "expanded": "Infrastructure Action"
+      "value": "infrastructure-type",
+      "expanded": "Infrastructure Type"
    }
  ],
  "values": [
--- a/dni-ism/machinetag.json
+++ b/dni-ism/machinetag.json
@ -11,13 +11,21 @@
      "value": "classification:us",
      "expanded": "ClassificationUS"
    },
+    {
+      "value": "scicontrols",
+      "expanded": "SCIControls"
+    },
    {
      "value": "complies:with",
      "expanded": "CompliesWith"
    },
    {
-      "value": "dissem",
-      "expanded": "Dissem"
+      "value": "atomicenergymarkings",
+      "expanded": "atomicEnergyMarkings"
+    },
+    {
+      "value": "notice",
+      "expanded": "Notice"
    },
    {
      "value": "nonic",
@ -28,16 +36,8 @@
      "expanded": "NonUSControls"
    },
    {
-      "value": "notice",
-      "expanded": "Notice"
-    },
-    {
-      "value": "scicontrols",
-      "expanded": "SCIControls"
-    },
-    {
-      "value": "atomicenergymarkings",
-      "expanded": "atomicEnergyMarkings"
+      "value": "dissem",
+      "expanded": "Dissem"
    }
  ],
  "values": [
@ -170,6 +170,7 @@
      ]
    },
    {
+      "predicate": "atomicenergymarkings",
      "entry": [
        {
          "expanded": "RESTRICTED DATA",
@ -195,10 +196,10 @@
          "expanded": "TRANSCLASSIFIED FOREIGN NUCLEAR INFORMATION",
          "value": "TFNI"
        }
-      ],
-      "predicate": "atomicenergymarkings"
+      ]
    },
    {
+      "predicate": "notice",
      "entry": [
        {
          "expanded": "FISA Warning statement",
@ -280,10 +281,10 @@
          "expanded": "COMSEC Notice",
          "value": "COMSEC"
        }
-      ],
-      "predicate": "notice"
+      ]
    },
    {
+      "predicate": "nonic",
      "entry": [
        {
          "expanded": "NAVAL NUCLEAR PROPULSION INFORMATION",
@ -321,8 +322,7 @@
          "expanded": "SENSITIVE SECURITY INFORMATION",
          "value": "SSI"
        }
-      ],
-      "predicate": "nonic"
+      ]
    },
    {
      "predicate": "nonuscontrols",
--- a/domain-abuse/machinetag.json
+++ b/domain-abuse/machinetag.json
@ -4,15 +4,15 @@
  "description": "Domain Name Abuse - taxonomy to tag domain names used for cybercrime. Use europol-incident to tag abuse-activity",
  "version": 1,
  "predicates": [
-    {
-      "value": "domain-access-method",
-      "description": "Domain Access - describes how the adversary has gained access to the domain name",
-      "expanded": "Domain access method"
-    },
    {
      "value": "domain-status",
      "description": "Domain status - describes the registration status of the domain name",
      "expanded": "Domain status"
+    },
+    {
+      "value": "domain-access-method",
+      "description": "Domain Access - describes how the adversary has gained access to the domain name",
+      "expanded": "Domain access method"
    }
  ],
  "values": [
--- a/ecsirt/machinetag.json
+++ b/ecsirt/machinetag.json
@ -137,18 +137,30 @@
    }
  ],
  "predicates": [
+    {
+      "expanded": "Fraud",
+      "value": "fraud"
+    },
+    {
+      "expanded": "Availability",
+      "value": "availability"
+    },
    {
      "expanded": "Abusive Content",
      "value": "abusive-content"
    },
-    {
-      "expanded": "Malicious Code",
-      "value": "malicious-code"
-    },
    {
      "expanded": "Information Gathering",
      "value": "information-gathering"
    },
+    {
+      "expanded": "Information Content Security",
+      "value": "information-content-security"
+    },
+    {
+      "expanded": "Malicious Code",
+      "value": "malicious-code"
+    },
    {
      "expanded": "Intrusion Attempts",
      "value": "intrusion-attempts"
@ -157,26 +169,14 @@
      "expanded": "Intrusions",
      "value": "intrusions"
    },
-    {
-      "expanded": "Availability",
-      "value": "availability"
-    },
    {
      "expanded": "Information Security",
      "value": "information-security"
    },
-    {
-      "expanded": "Information Content Security",
-      "value": "information-content-security"
-    },
    {
      "expanded": "Vulnerable",
      "value": "vulnerable"
    },
-    {
-      "expanded": "Fraud",
-      "value": "fraud"
-    },
    {
      "expanded": "Other",
      "value": "other"
--- a/enisa/machinetag.json
+++ b/enisa/machinetag.json
@ -848,13 +848,13 @@
          "description": "Threat of sophisticated, targeted attack which combine many attack techniques."
        },
        {
-          "value": "mobile-malware",
-          "expanded": "Mobile malware",
+          "value": "mobile-malware-exfiltration",
+          "expanded": "Mobile malware (exfiltration)",
          "description": "Threat of mobile software that aims to gather information about a person or organization without their knowledge."
        },
        {
-          "value": "spear-phishing-attacks",
-          "expanded": "Spear phishing attacks",
+          "value": "spear-phishing-attacks-targeted",
+          "expanded": "Spear phishing attacks (targeted)",
          "description": "Threat of attack focused on a single user or department within an organization, coming from someone within the company in a position of trust and requesting information such as login, IDs and passwords."
        },
        {
@ -916,18 +916,18 @@
      "expanded": "Eavesdropping/ Interception/ Hijacking",
      "value": "eavesdropping-interception-hijacking"
    },
-    {
-      "description": "Threats of nefarious activities that require use of tools by the attacker. These attacks require installation of additional tools/software or performing additional steps on the victim's IT infrastructure/software.",
-      "expanded": "Nefarious Activity/ Abuse",
-      "value": "nefarious-activity-abuse"
-    },
    {
      "description": "Threat of financial or legal penalty or loss of trust of customers and collaborators due to legislation.",
      "expanded": "Legal",
      "value": "legal"
+    },
+    {
+      "description": "Threats of nefarious activities that require use of tools by the attacker. These attacks require installation of additional tools/software or performing additional steps on the victim's IT infrastructure/software.",
+      "expanded": "Nefarious Activity/ Abuse",
+      "value": "nefarious-activity-abuse"
    }
  ],
-  "version": 201601,
+  "version": 20170725,
  "description": "The present threat taxonomy is an initial version that has been developed on the basis of available ENISA material. This material has been used as an ENISA-internal structuring aid for information collection and threat consolidation purposes. It emerged in the time period 2012-2015.",
  "expanded": "ENISA Threat Taxonomy",
  "namespace": "enisa"
--- a/iep/machinetag.json
+++ b/iep/machinetag.json
@ -3,36 +3,6 @@
  "description": "Forum of Incident Response and Security Teams (FIRST) Information Exchange Policy (IEP) framework",
  "version": 2,
  "predicates": [
-    {
-      "value": "id",
-      "expanded": "POLICY ID",
-      "description": "Provides a unique ID to identify a specific IEP implementation."
-    },
-    {
-      "value": "version",
-      "expanded": "POLICY VERSION",
-      "description": "States the version of the IEP framework that has been used."
-    },
-    {
-      "value": "name",
-      "expanded": "POLICY NAME",
-      "description": "This statement can be used to provide a name for an IEP implementation."
-    },
-    {
-      "value": "start-date",
-      "expanded": "POLICY START DATE",
-      "description": "States the UTC date that the IEP is effective from."
-    },
-    {
-      "value": "end-date",
-      "expanded": "POLICY END DATE",
-      "description": "States the UTC date that the IEP is effective until."
-    },
-    {
-      "value": "reference",
-      "expanded": "POLICY REFERENCE",
-      "description": "This statement can be used to provide a URL reference to the specific IEP implementation."
-    },
    {
      "value": "commercial-use",
      "expanded": "COMMERCIAL USE",
@ -82,6 +52,36 @@
      "value": "unmodified-resale",
      "expanded": "UNMODIFIED RESALE",
      "description": "States whether the recipient MAY or MUST NOT resell the information received unmodified or in a semantically equivalent format."
+    },
+    {
+      "value": "start-date",
+      "expanded": "POLICY START DATE",
+      "description": "States the UTC date that the IEP is effective from."
+    },
+    {
+      "value": "end-date",
+      "expanded": "POLICY END DATE",
+      "description": "States the UTC date that the IEP is effective until."
+    },
+    {
+      "value": "reference",
+      "expanded": "POLICY REFERENCE",
+      "description": "This statement can be used to provide a URL reference to the specific IEP implementation."
+    },
+    {
+      "value": "name",
+      "expanded": "POLICY NAME",
+      "description": "This statement can be used to provide a name for an IEP implementation."
+    },
+    {
+      "value": "version",
+      "expanded": "POLICY VERSION",
+      "description": "States the version of the IEP framework that has been used."
+    },
+    {
+      "value": "id",
+      "expanded": "POLICY ID",
+      "description": "Provides a unique ID to identify a specific IEP implementation."
    }
  ],
  "values": [
--- a/misp/machinetag.json
+++ b/misp/machinetag.json
@ -109,6 +109,11 @@
      "expanded": "API related tag influencing the MISP behavior of the API.",
      "value": "api"
    },
+    {
+      "description": "Expansion tag incluencing the MISP behavior using expansion modules",
+      "expanded": "Expansion",
+      "value": "expansion"
+    },
    {
      "expanded": "Information related to the contributor.",
      "value": "contributor"
@ -125,11 +130,6 @@
      "description": "Event with this tag should not be synced to other MISP instances",
      "expanded": "Should not sync",
      "value": "should-not-sync"
-    },
-    {
-      "description": "Expansion tag incluencing the MISP behavior using expansion modules",
-      "expanded": "Expansion",
-      "value": "expansion"
    }
  ],
  "version": 4,
--- a/ms-caro-malware-full/machinetag.json
+++ b/ms-caro-malware-full/machinetag.json
@ -1,7 +1,7 @@
 {
  "namespace": "ms-caro-malware-full",
  "description": "Malware Type and Platform classification based on Microsoft's implementation of the Computer Antivirus Research Organization (CARO) Naming Scheme and Malware Terminology. Based on https://www.microsoft.com/en-us/security/portal/mmpc/shared/malwarenaming.aspx, https://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx, https://www.microsoft.com/security/portal/mmpc/shared/objectivecriteria.aspx, and http://www.caro.org/definitions/index.html. Malware families are extracted from Microsoft SIRs since 2008 based on https://www.microsoft.com/security/sir/archive/default.aspx and https://www.microsoft.com/en-us/security/portal/threat/threats.aspx. Note that SIRs do NOT include all Microsoft malware families.",
-  "version": 1,
+  "version": 2,
  "predicates": [
    {
      "value": "malware-type",
@ -687,7 +687,7 @@
          "expanded": "2008 - A detection for the DameWare Mini Remote Control tools. This program was detected by definitions prior to 1.147.1889.0 as it violated the guidelines by which Microsoft identified unwanted software. Based on analysis using current guidelines, the program does not have unwanted behaviors. Microsoft has released definition 1.147.1889.0 which no longer detects this program."
        },
        {
-          "value": "SeekmoSearchAssistant",
+          "value": "SeekmoSearchAssistant_Repack",
          "expanded": "2008 - A detection that is triggered by modified (that is, edited and re-packed) remote control programs based on DameWare Mini Remote Control, a commercial software product"
        },
        {
@ -1611,7 +1611,7 @@
          "expanded": "2012 VOL13 - A malicious program that affects mobile devices running the Android operating system. It may be bundled with clean applications, and is capable of allowing a remote attacker to gain access to the mobile device."
        },
        {
-          "value": "Mult",
+          "value": "Mult_JS",
          "expanded": "2012 VOL13 - A generic detection for various exploits written in the JavaScript language."
        },
        {
@ -2107,7 +2107,7 @@
          "expanded": "2015 VOL19 - A detection for the Superfish VisualDiscovery advertising program that was preinstalled on some Lenovo laptops sold in 2014 and 2015. It installs a compromised trusted root certificate on the computer, which can be used to conduct man-in-the-middle attacks on the computer."
        },
        {
-          "value": "CouponRuc",
+          "value": "CouponRuc_new",
          "expanded": "2015 VOL19 - A browser modifier that changes browser settings and may also modify some computer and Internet settings."
        },
        {
--- a/passivetotal/machinetag.json
+++ b/passivetotal/machinetag.json
@ -12,13 +12,13 @@
      "value": "ever-comprimised",
      "expanded": "Ever Comprimised?"
    },
-    {
-      "value": "class",
-      "expanded": "Classification"
-    },
    {
      "value": "dynamic-dns",
      "expanded": "Dynamic DNS"
+    },
+    {
+      "value": "class",
+      "expanded": "Classification"
    }
  ],
  "values": [