Compare commits
190 Commits
Author | SHA1 | Date |
---|---|---|
Alexandre Dulaunoy | b5a87d228a | |
Alexandre Dulaunoy | 6f141c736c | |
Alexandre Dulaunoy | 9f4f72c175 | |
V | c5566e0d03 | |
Alexandre Dulaunoy | 5f580a3bb5 | |
Alexandre Dulaunoy | 5fc23d4795 | |
Alexandre Dulaunoy | a62a3bdad7 | |
Alexandre Dulaunoy | 5e93071832 | |
JRC-T2 | 08cab31a89 | |
Alexandre Dulaunoy | 8cd705ba62 | |
Alexandre Dulaunoy | 6b593ea8c1 | |
Hendrik Baecker | 41e8bdc4f3 | |
Alexandre Dulaunoy | 3d61b20e7e | |
Alexandre Dulaunoy | 92948d2cba | |
Christian Studer | 47ca23022b | |
Christian Studer | 32b2afd795 | |
Alexandre Dulaunoy | 8d957d224e | |
Alexandre Dulaunoy | 6efa8c3075 | |
Alexandre Dulaunoy | 873fc6209f | |
Alexandre Dulaunoy | d4b54e3f63 | |
Alexandre Dulaunoy | 9f481f4aee | |
Alexandre Dulaunoy | e8892b6cf9 | |
Alexandre Dulaunoy | 8be1cf5cab | |
Christian Studer | 65e8a70bb9 | |
Christian Studer | 13951549f3 | |
Christian Studer | b42760a412 | |
Raphaël Vinot | 84fd295534 | |
Alexandre Dulaunoy | 903ada058d | |
dhondta | cb2132f32f | |
dhondta | 97aba06ca5 | |
dhondta | 95bcc0cc5f | |
dhondta | 6d2ad30f7d | |
Alexandre Dulaunoy | 26626a3715 | |
Alexandre Dulaunoy | 8d8433399f | |
Sami Mokaddem | 59ec473a5f | |
Sami Mokaddem | 5d35f6b841 | |
Alexandre Dulaunoy | 1472de2c10 | |
V | 135f62cace | |
V | d44ef96000 | |
Alexandre Dulaunoy | f731aba646 | |
V | e7dd87231e | |
Alexandre Dulaunoy | bb5d823ee4 | |
Christian Studer | 4cf88d7928 | |
Christian Studer | 4a307cd528 | |
Christian Studer | 30e8643cce | |
Christian Studer | 6b77005beb | |
Alexandre Dulaunoy | 46e4128897 | |
Alexandre Dulaunoy | 6bd1809df9 | |
Alexandre Dulaunoy | 37478964fd | |
Alexandre Dulaunoy | c02fc66988 | |
aaronkaplan | a391724d5c | |
Alexandre Dulaunoy | 996606ad2c | |
JRC-T2 | 06cf2926fc | |
Alexandre Dulaunoy | f9371afc05 | |
Alexandre Dulaunoy | 151462bf0e | |
paulingega-sa | 6477e0d9d4 | |
Alexandre Dulaunoy | 14f1349fad | |
Alexandre Dulaunoy | f5f5e310ee | |
Alexandre Dulaunoy | e4d0c58076 | |
Alexandre Dulaunoy | a85955e991 | |
Raphaël Vinot | a33dd623d1 | |
Raphaël Vinot | 9ffbde8510 | |
Alexandre Dulaunoy | 7222d44107 | |
Alexandre Dulaunoy | 7aeaa0b890 | |
LGTM Migrator | 6c226a4c92 | |
Alexandre Dulaunoy | 3564a85d6f | |
Koen Van Impe | 80c44735cc | |
Koen Van Impe | f18fbb3878 | |
Koen Van Impe | 04a5878739 | |
Koen Van Impe | 25db95cbb6 | |
Alexandre Dulaunoy | d67923e466 | |
Alexandre Dulaunoy | b2ed54990f | |
Alexandre Dulaunoy | d5833e9730 | |
Félix Herrenschmidt | 07c9ae5b0d | |
Alexandre Dulaunoy | b44753d57a | |
Jakub Onderka | ac93571dbc | |
Alexandre Dulaunoy | 57b125782c | |
Alexandre Dulaunoy | c7a13ea0bc | |
Alexandre Dulaunoy | f35eec052a | |
Alexandre Dulaunoy | 81b3e49247 | |
Alexandre Dulaunoy | ebae7c1f3b | |
Robert Nixon | ab2255b8f0 | |
Robert Nixon | 4e96197001 | |
Robert Nixon | 5a5716bf39 | |
Robert Nixon | 1381354373 | |
Robert Nixon | c9053d3fd9 | |
Félix Herrenschmidt | 2f38999f9e | |
Félix Herrenschmidt | 1dca6b77f1 | |
Alexandre Dulaunoy | 4d42d7d619 | |
Alexandre Dulaunoy | f771941734 | |
Alexandre Dulaunoy | eb6e250b8c | |
Alexandre Dulaunoy | f82547e72b | |
Alexandre Dulaunoy | 0c53aa893a | |
Alexandre Dulaunoy | dfdcbbf9c8 | |
Robert Nixon | eccb9186ac | |
Robert Nixon | 5002736456 | |
Alexandre Dulaunoy | 7d379245b7 | |
Robert Nixon | d235301e7d | |
Robert Nixon | 9b25ee4a7d | |
Alexandre Dulaunoy | fb22347f95 | |
Robert Nixon | 3b6f927033 | |
Alexandre Dulaunoy | aa251b6a40 | |
Sami Mokaddem | 93309b58c4 | |
Alexandre Dulaunoy | fc12a106f5 | |
Alexandre Dulaunoy | 8c113c5b86 | |
Alexandre Dulaunoy | 2e666690ca | |
Alexandre Dulaunoy | 856d303ee4 | |
Alexandre Dulaunoy | 8b57801204 | |
goodlandsecurity | d5e9cdd92b | |
goodlandsecurity | 7add543acc | |
goodlandsecurity | 22b6287d7a | |
Alexandre Dulaunoy | d94688040c | |
goodlandsecurity | 76a9897638 | |
goodlandsecurity | 500e61caaf | |
goodlandsecurity | 3e443dd286 | |
Alexandre Dulaunoy | f4fb812c37 | |
Alexandre Dulaunoy | a4c00258b2 | |
Alexandre Dulaunoy | 594c4cba82 | |
Alexandre Dulaunoy | e646d458e3 | |
Alexandre Dulaunoy | fb16aab4ea | |
Alexandre Dulaunoy | 7732d32c7c | |
goodlandsecurity | 402c6ca144 | |
Alexandre Dulaunoy | 0c1b3f1f3a | |
Alexandre Dulaunoy | 0e7688e652 | |
Alexandre Dulaunoy | 5d72c5e901 | |
Raphaël Vinot | 87916c2eb9 | |
Alexandre Dulaunoy | 80f2a19308 | |
Alexandre Dulaunoy | 778c0508cf | |
Alexandre Dulaunoy | d3fd3f6419 | |
Alexandre Dulaunoy | 0bf91e429b | |
Alexandre Dulaunoy | beeabcaf22 | |
Alexandre Dulaunoy | 392b52f6e8 | |
Alexandre Dulaunoy | 98443dbe30 | |
Alexandre Dulaunoy | a71490fab7 | |
Alexandre Dulaunoy | 259752b073 | |
jelervasquez | d9761fa947 | |
Alexandre Dulaunoy | 20ffb6980f | |
Alexandre Dulaunoy | 4984b1a009 | |
Alexandre Dulaunoy | 5908b6585c | |
Alexandre Dulaunoy | 62d4cd2e41 | |
Alexandre Dulaunoy | 8f9fa33469 | |
Alexandre Dulaunoy | edeb9428ee | |
jelervasquez | 47efdddca7 | |
Alexandre Dulaunoy | d7f816e07d | |
Alexandre Dulaunoy | dfeabc16be | |
Alexandre Dulaunoy | d27175e3ef | |
Alexandre Dulaunoy | 6115189a1c | |
Alexandre Dulaunoy | d60ac77a94 | |
Alexandre Dulaunoy | d22887f55e | |
Alexandre Dulaunoy | a29b08ef77 | |
Alexandre Dulaunoy | 7b47d136c2 | |
Alexandre Dulaunoy | b62e125310 | |
th3r3d | 92d4d18c15 | |
Alexandre Dulaunoy | 885d959a12 | |
Alexandre Dulaunoy | a50c0dc8ef | |
Alexandre Dulaunoy | 6023e6f662 | |
Mélanie MERGEN | 9778e976f8 | |
Mélanie MERGEN | e9a4d5b99d | |
Mélanie MERGEN | b3089f3594 | |
Mélanie MERGEN | 91da221f00 | |
Mélanie MERGEN | 1af7b8326e | |
solsdii | 1c86af3522 | |
solsdii | f7d204f042 | |
solsdii | 2563fd2f5b | |
solsdii | a19ff846bd | |
solsdii | 27ba5723fe | |
Alexandre Dulaunoy | 92d74aa5fc | |
Alexandre Dulaunoy | c60bf07d19 | |
Alexandre Dulaunoy | fb1cd292dc | |
matthijsvp | 95ac05727d | |
matthijsvp | d74c6aeaaa | |
Matthijs van P | 044b83ab9b | |
matthijsvp | cb615a84c2 | |
matthijsvp | 406c601319 | |
Matthijs van P | bcc4a1220c | |
matthijsvp | f188f54878 | |
Alexandre Dulaunoy | 4657903c47 | |
osboxes.org | f0bfb5093f | |
osboxes.org | 21e9087627 | |
osboxes.org | 7aee60091d | |
osboxes.org | 2421d63a1b | |
Alexandre Dulaunoy | 966ba20e80 | |
osboxes.org | 745e8484b8 | |
M2O2 | 666e80bc01 | |
osboxes.org | f3e5f7283c | |
M2O2 | 9ace30cafa | |
matthijsvp | 6e2195e524 | |
matthijsvp | aaf3a6e36b | |
matthijsvp | 7258275fc0 | |
Alexandre Dulaunoy | 6da2a75fc4 |
|
@ -0,0 +1,41 @@
|
|||
name: "CodeQL"
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
schedule:
|
||||
- cron: "50 22 * * 5"
|
||||
|
||||
jobs:
|
||||
analyze:
|
||||
name: Analyze
|
||||
runs-on: ubuntu-latest
|
||||
permissions:
|
||||
actions: read
|
||||
contents: read
|
||||
security-events: write
|
||||
|
||||
strategy:
|
||||
fail-fast: false
|
||||
matrix:
|
||||
language: [ python ]
|
||||
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@v2
|
||||
with:
|
||||
languages: ${{ matrix.language }}
|
||||
queries: +security-and-quality
|
||||
|
||||
- name: Autobuild
|
||||
uses: github/codeql-action/autobuild@v2
|
||||
|
||||
- name: Perform CodeQL Analysis
|
||||
uses: github/codeql-action/analyze@v2
|
||||
with:
|
||||
category: "/language:${{ matrix.language }}"
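Review bot: Every `uses:` in this workflow (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`) references a mutable tag, so the action code that runs with `security-events: write` can change under the repository without any commit here; pin each one to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3`, and let Dependabot or a similar updater move the pin. The job-level `permissions:` block is the right shape — least privilege, read-only `contents` and `actions`. The `Autobuild` step appears unnecessary for a `python`-only matrix, since CodeQL extracts interpreted languages without a build; confirm against the CodeQL action docs and drop it if so to shorten the run.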
|
|
@ -12,7 +12,7 @@ jobs:
|
|||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
python-version: [3.6, 3.7, 3.8, 3.9]
|
||||
python-version: [3.8, 3.9, '3.10']
|
||||
|
||||
steps:
|
||||
|
||||
|
|
|
@ -0,0 +1,243 @@
|
|||
{
|
||||
"namespace": "GrayZone",
|
||||
"description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "Adversary Emulation",
|
||||
"expanded": "Adversary Emulation"
|
||||
},
|
||||
{
|
||||
"value": "Beacons",
|
||||
"expanded": "Beacons"
|
||||
},
|
||||
{
|
||||
"value": "Deterrence",
|
||||
"expanded": "Deterrence"
|
||||
},
|
||||
{
|
||||
"value": "Deception",
|
||||
"expanded": "Deception"
|
||||
},
|
||||
{
|
||||
"value": "Tarpits, Sandboxes and Honeypots",
|
||||
"expanded": "Tarpits, Sandboxes and Honeypots"
|
||||
},
|
||||
{
|
||||
"value": "Threat Intelligence",
|
||||
"expanded": "Threat Intelligence"
|
||||
},
|
||||
{
|
||||
"value": "Threat Hunting",
|
||||
"expanded": "Threat Hunting"
|
||||
},
|
||||
{
|
||||
"value": "Adversary Takedowns",
|
||||
"expanded": "Adversary Takedowns"
|
||||
},
|
||||
{
|
||||
"value": "Ransomware",
|
||||
"expanded": "Ransomware"
|
||||
},
|
||||
{
|
||||
"value": "Rescue Missions",
|
||||
"expanded": "Rescue Missions"
|
||||
},
|
||||
{
|
||||
"value": "Sanctions, Indictments & Trade Remedies",
|
||||
"expanded": "Sanctions, Indictments & Trade Remedies"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "Adversary Emulation",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Threat Modeling",
|
||||
"expanded": "Arch threat modeling",
|
||||
"description": "Modeling threat in services or/and in applications"
|
||||
},
|
||||
{
|
||||
"value": "Purple Teaming",
|
||||
"expanded": "Purple team collaboration",
|
||||
"description": "Collaboration between red and blue team"
|
||||
},
|
||||
{
|
||||
"value": "Blue Team",
|
||||
"expanded": "Blue Team activities",
|
||||
"description": "Defenders team actions, TTPs etc."
|
||||
},
|
||||
{
|
||||
"value": "Red Team",
|
||||
"expanded": "Red Team activities",
|
||||
"description": "Actions, TTPs etc.of Red Team"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Beacons",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Inform",
|
||||
"expanded": "Information from beacon",
|
||||
"description": "Provide defender with informations about beacon user, intentional or not"
|
||||
},
|
||||
{
|
||||
"value": "Notify",
|
||||
"expanded": "Notification from beacon",
|
||||
"description": "Beacon will just send alert, that has been accessed"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Deterrence",
|
||||
"entry": [
|
||||
{
|
||||
"value": "by Retaliation",
|
||||
"expanded": "Retaliation risk",
|
||||
"description": "Adversary is threatened by retaliation if it will continue in actions"
|
||||
},
|
||||
{
|
||||
"value": "by Denial",
|
||||
"expanded": "Risk of Denial",
|
||||
"description": "Deny action ever happened - example: if the attribution is important for adversary"
|
||||
},
|
||||
{
|
||||
"value": "by Entanglement",
|
||||
"expanded": "Risk of reputation loss",
|
||||
"description": "By continuing in action adversary may be exhibited to punishment from defenders ally"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Deception",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Deception",
|
||||
"expanded": "Deceptive actions",
|
||||
"description": "Confuse adversary by deception, can be either whole campaign or just simple word in internal manuals"
|
||||
},
|
||||
{
|
||||
"value": "Denial",
|
||||
"expanded": "Suppress anything",
|
||||
"description": "You can deny any part of infrastructure or whole including servers, personal computers, users, machine accounts etc."
|
||||
},
|
||||
{
|
||||
"value": "CounterDeception",
|
||||
"expanded": "Answer to deception",
|
||||
"description": "Answer to deception from adversary is counter-deception, for example: answer to phish with shadow user account to uncover next adversary actions"
|
||||
},
|
||||
{
|
||||
"value": "Counter-Deception",
|
||||
"expanded": "Active counterdeception",
|
||||
"description": "Answer to adversary deception and his tactical goals, example: if You know the adversary goal(extraction) You can plant documents with fake content to enable damage on adversary sources (fake blueprints of engine, which explode on purpose)"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Tarpits, Sandboxes and Honeypots",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Honeypots",
|
||||
"expanded": "Honeypots",
|
||||
"description": "Emulating technical resources as services or whole machines or identities"
|
||||
},
|
||||
{
|
||||
"value": "Sandboxes",
|
||||
"expanded": "Sandboxes",
|
||||
"description": "Place for secure detonation of anything"
|
||||
},
|
||||
{
|
||||
"value": "Tarpits",
|
||||
"expanded": "Slow Downs",
|
||||
"description": "You can slow adversary from action for example by sending slow responses to request"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Threat Intelligence",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Passive - OSINT",
|
||||
"expanded": "OpenSourceINTelligence",
|
||||
"description": "Use of OSINT for creating of Threat Intelligence"
|
||||
},
|
||||
{
|
||||
"value": "Passive - platforms",
|
||||
"expanded": "Platforms for TI",
|
||||
"description": "Save, share and collaborate on threat intelligence platforms"
|
||||
},
|
||||
{
|
||||
"value": "Counter-Intelligence public",
|
||||
"expanded": "Counter Intelligence",
|
||||
"description": "Active retrieval of Threat Intelligence for purpose of defense collected with available public resources - example: active monitoring of web services to uncover action before happen (forum hacktivist group)"
|
||||
},
|
||||
{
|
||||
"value": "Counter-Intelligence government",
|
||||
"expanded": "Counter Intelligence",
|
||||
"description": "Active retrieval of Threat Intelligence for purpose of defense collected with non-public resources - example: cooperation between secret services in EU"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Threat Hunting",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Threat Hunting",
|
||||
"expanded": "Threat Hunting",
|
||||
"description": "Threat Hunting is the activity of active search for possible signs of adversary in environment"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Adversary Takedowns",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Botnet Takedowns",
|
||||
"expanded": "Botnet Takedowns",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
|
||||
},
|
||||
{
|
||||
"value": "Domain Takedowns",
|
||||
"expanded": "Domain Takedowns",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
|
||||
},
|
||||
{
|
||||
"value": "Infrastructure Takedowns",
|
||||
"expanded": "Whole environment takedowns",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Ransomware",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Ransomware",
|
||||
"expanded": "Ransomware by defenders",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Rescue Missions",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Rescue Missions",
|
||||
"expanded": "Rescue Missions",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts to stop unwanted actions or prevent them"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "Sanctions, Indictments & Trade Remedies",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Sanctions, Indictments & Trade Remedies",
|
||||
"expanded": "Business and diplomatic actions and counteractions",
|
||||
"description": "Activity with approval of legal governmental entities ie. courts, states, governments to stop unwanted actions or prevent them"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
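Review bot: Under the `Deception` predicate the entries `CounterDeception` and `Counter-Deception` differ only by a hyphen yet are meant to describe different things (responding to adversary deception vs. actively planting harmful material), so analysts will end up with two near-identical tags `GrayZone:Deception="CounterDeception"` and `GrayZone:Deception="Counter-Deception"` and pick one at random; rename the second, e.g. `"value": "Active Counter-Deception"`, or merge the two. The `Ransomware` and `Rescue Missions` entries reuse the takedown boilerplate verbatim ("Activity with approval of legal governmental entities ...") and therefore never say what the tag actually marks — `Ransomware by defenders` in particular needs its own description, and it would be prudent to state in the namespace `description` that entries under `Ransomware`, `Adversary Takedowns` and `Counter-Deception` sit at the offensive end of the gray zone and presuppose legal authorisation. The `Deception` entry also carries the same value as its own predicate, which makes `GrayZone:Deception="Deception"` read as a tautology; something like `"value": "Deceptive Campaign"` would be clearer. Values containing commas, spaces and `&` (`Sanctions, Indictments & Trade Remedies`) are awkward to type and to filter on; most taxonomy names in this repository's MANIFEST.json are lowercase-hyphenated, and the same convention for values here would help.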
|
127
MANIFEST.json
127
MANIFEST.json
|
@ -18,10 +18,15 @@
|
|||
"name": "DML",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.",
|
||||
"name": "GrayZone",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
|
||||
"name": "PAP",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "The access method used to remotely access a system.",
|
||||
|
@ -63,6 +68,16 @@
|
|||
"name": "approved-category-of-action",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "This taxonomy was designed to describe artificial satellites",
|
||||
"name": "artificial-satellites",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "A taxonomy describing security threats or incidents against the aviation sector.",
|
||||
"name": "aviation",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Custom taxonomy for types of binary file.",
|
||||
"name": "binary-class",
|
||||
|
@ -74,9 +89,14 @@
|
|||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
|
||||
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
|
||||
"name": "circl",
|
||||
"version": 5
|
||||
"version": 6
|
||||
},
|
||||
{
|
||||
"description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
|
||||
"name": "cnsd",
|
||||
"version": 20220513
|
||||
},
|
||||
{
|
||||
"description": "Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.",
|
||||
|
@ -101,7 +121,12 @@
|
|||
{
|
||||
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
|
||||
"name": "course-of-action",
|
||||
"version": 2
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "Crowdsec IP address classifications and behaviors taxonomy.",
|
||||
"name": "crowdsec",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Threats targetting cryptocurrency, based on CipherTrace report.",
|
||||
|
@ -149,9 +174,9 @@
|
|||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
|
||||
"description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
|
||||
"name": "dark-web",
|
||||
"version": 4
|
||||
"version": 6
|
||||
},
|
||||
{
|
||||
"description": "Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.",
|
||||
|
@ -173,11 +198,21 @@
|
|||
"name": "de-vs",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Taxonomy of Death Possibilities",
|
||||
"name": "death-possibilities",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Deception is an important component of information operations, valuable for both offense and defense. ",
|
||||
"name": "deception",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
|
||||
"name": "dga",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors",
|
||||
"name": "dhs-ciip-sectors",
|
||||
|
@ -188,6 +223,11 @@
|
|||
"name": "diamond-model",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.",
|
||||
"name": "diamond-model-for-influence-operations",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "A subset of Information Security Marking Metadata ISM as required by Executive Order (EO) 13526. As described by DNI.gov as Data Encoding Specifications for Information Security Marking Metadata in Controlled Vocabulary Enumeration Values for ISM",
|
||||
"name": "dni-ism",
|
||||
|
@ -198,6 +238,11 @@
|
|||
"name": "domain-abuse",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "This taxonomy aims to list doping substances",
|
||||
"name": "doping-substances",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
|
||||
"name": "drugs",
|
||||
|
@ -261,12 +306,12 @@
|
|||
{
|
||||
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
|
||||
"name": "exercise",
|
||||
"version": 10
|
||||
"version": 11
|
||||
},
|
||||
{
|
||||
"description": "Reasons why an event has been extended. ",
|
||||
"description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
|
||||
"name": "extended-event",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals – either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.",
|
||||
|
@ -276,13 +321,18 @@
|
|||
{
|
||||
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
|
||||
"name": "false-positive",
|
||||
"version": 5
|
||||
"version": 7
|
||||
},
|
||||
{
|
||||
"description": "List of known file types.",
|
||||
"name": "file-type",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
|
||||
"name": "financial",
|
||||
"version": 7
|
||||
},
|
||||
{
|
||||
"description": "Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).",
|
||||
"name": "flesch-reading-ease",
|
||||
|
@ -373,6 +423,11 @@
|
|||
"name": "infoleak",
|
||||
"version": 7
|
||||
},
|
||||
{
|
||||
"description": "Taxonomy for tagging information by its origin: human-generated or AI-generated.",
|
||||
"name": "information-origin",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "Taxonomy to classify the information security data sources.",
|
||||
"name": "information-security-data-source",
|
||||
|
@ -458,6 +513,11 @@
|
|||
"name": "misp",
|
||||
"version": 12
|
||||
},
|
||||
{
|
||||
"description": "MISP workflow taxonomy to support result of workflow execution.",
|
||||
"name": "misp-workflow",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "MONARC Threats Taxonomy",
|
||||
"name": "monarc-threat",
|
||||
|
@ -488,6 +548,11 @@
|
|||
"name": "nis",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.",
|
||||
"name": "nis2",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "Open Threat Taxonomy v1.1 base on James Tarala of SANS http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf, https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf, https://www.youtube.com/watch?v=5rdGOOFC_yE, and https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf",
|
||||
"name": "open_threat",
|
||||
|
@ -518,6 +583,11 @@
|
|||
"name": "phishing",
|
||||
"version": 5
|
||||
},
|
||||
{
|
||||
"description": "Non-exhaustive taxonomy of natural poison",
|
||||
"name": "poison-taxonomy",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "A political spectrum is a system to characterize and classify different political positions in relation to one another.",
|
||||
"name": "political-spectrum",
|
||||
|
@ -528,11 +598,21 @@
|
|||
"name": "priority-level",
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "PyOTI automated enrichment schemes for point in time classification of indicators.",
|
||||
"name": "pyoti",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "Ransomware is used to define ransomware types and the elements that compose them.",
|
||||
"name": "ransomware",
|
||||
"version": 6
|
||||
},
|
||||
{
|
||||
"description": "The seven roles seen in most ransomware incidents.",
|
||||
"name": "ransomware-roles",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.",
|
||||
"name": "retention",
|
||||
|
@ -551,7 +631,7 @@
|
|||
{
|
||||
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
|
||||
"name": "runtime-packer",
|
||||
"version": 1
|
||||
"version": 2
|
||||
},
|
||||
{
|
||||
"description": "Flags describing the sample",
|
||||
|
@ -568,11 +648,26 @@
|
|||
"name": "scrippsco2-sampling-stations",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Sentinel indicator threat types.",
|
||||
"name": "sentinel-threattype",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports",
|
||||
"name": "smart-airports-threats",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.",
|
||||
"name": "social-engineering-attack-vectors",
|
||||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
|
||||
"name": "srbcert",
|
||||
"version": 3
|
||||
},
|
||||
{
|
||||
"description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
|
||||
"name": "state-responsibility",
|
||||
|
@ -596,7 +691,7 @@
|
|||
{
|
||||
"description": "Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.",
|
||||
"name": "thales_group",
|
||||
"version": 2
|
||||
"version": 4
|
||||
},
|
||||
{
|
||||
"description": "The ThreatMatch Sectors, Incident types, Malware types and Alert types are applicable for any ThreatMatch instances and should be used for all CIISI and TIBER Projects.",
|
||||
|
@ -609,9 +704,9 @@
|
|||
"version": 1
|
||||
},
|
||||
{
|
||||
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
|
||||
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
|
||||
"name": "tlp",
|
||||
"version": 5
|
||||
"version": 10
|
||||
},
|
||||
{
|
||||
"description": "Taxonomy to describe Tor network infrastructure",
|
||||
|
@ -656,9 +751,9 @@
|
|||
{
|
||||
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
|
||||
"name": "workflow",
|
||||
"version": 11
|
||||
"version": 12
|
||||
}
|
||||
],
|
||||
"url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
|
||||
"version": "20220129"
|
||||
"version": "20240304"
|
||||
}
|
||||
|
|
|
@ -2,23 +2,28 @@
|
|||
"namespace": "PAP",
|
||||
"expanded": "Permissible Actions Protocol",
|
||||
"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"exclusive": true,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "RED",
|
||||
"expanded": "(PAP:RED) Non-detectable actions only. Recipients may not use PAP:RED information on the network. Only passive actions on logs, that are not detectable from the outside.",
|
||||
"colour": "#ff0000"
|
||||
"colour": "#ff2b2b"
|
||||
},
|
||||
{
|
||||
"value": "AMBER",
|
||||
"expanded": "(PAP:AMBER) Passive cross check. Recipients may use PAP:AMBER information for conducting online checks, like using services provided by third parties (e.g. VirusTotal), or set up a monitoring honeypot.",
|
||||
"colour": "#ffa800"
|
||||
"colour": "#ffc000"
|
||||
},
|
||||
{
|
||||
"value": "GREEN",
|
||||
"expanded": "(PAP:GREEN) Active actions allowed. Recipients may use PAP:GREEN information to ping the target, block incoming/outgoing traffic from/to the target or specifically configure honeypots to interact with the target.",
|
||||
"colour": "#00ad1c"
|
||||
"colour": "#33ff00"
|
||||
},
|
||||
{
|
||||
"value": "CLEAR",
|
||||
"expanded": "(PAP:CLEAR) No restrictions in using this information.",
|
||||
"colour": "#ffffff"
|
||||
},
|
||||
{
|
||||
"value": "WHITE",
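Review bot: Adding `CLEAR` while keeping `WHITE` in a taxonomy marked `"exclusive": true` leaves two labels with the same meaning and nothing in the file saying which one is current, whereas the TLP entry updated in MANIFEST.json in this same change explicitly states that legacy labels are retained only for backward compatibility and are no longer validated by FIRST. The unchanged `"description"` line should say the same for PAP, e.g. `"description": "The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used. PAP:CLEAR supersedes PAP:WHITE, which is kept for backward compatibility only."`, and the `WHITE` entry's `expanded` text should carry a matching deprecation note. Consumers that turn PAP into enforcement (for example allowing active blocking on GREEN and above) presumably need to treat WHITE and CLEAR identically; worth confirming in whatever code maps PAP labels before this ships. The `WHITE` object continues past the end of the hunk.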
|
||||
|
|
105
README.md
105
README.md
|
@ -27,6 +27,11 @@ DFRLab Dichotomies of Disinformation. [Overview](https://www.misp-project.org/ta
|
|||
[DML](https://github.com/MISP/misp-taxonomies/tree/main/DML) :
|
||||
The Detection Maturity Level (DML) model is a capability maturity model for referencing ones maturity in detecting cyber attacks. It's designed for organizations who perform intel-driven detection and response and who put an emphasis on having a mature detection program. [Overview](https://www.misp-project.org/taxonomies.html#_dml)
|
||||
|
||||
### GrayZone
|
||||
|
||||
[GrayZone](https://github.com/MISP/misp-taxonomies/tree/main/GrayZone) :
|
||||
Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling. [Overview](https://www.misp-project.org/taxonomies.html#_grayzone)
|
||||
|
||||
### PAP
|
||||
|
||||
[PAP](https://github.com/MISP/misp-taxonomies/tree/main/PAP) :
|
||||
|
@ -72,6 +77,16 @@ A series of assessment predicates describing the analyst capabilities to perform
|
|||
[approved-category-of-action](https://github.com/MISP/misp-taxonomies/tree/main/approved-category-of-action) :
|
||||
A pre-approved category of action for indicators being shared with partners (MIMIC). [Overview](https://www.misp-project.org/taxonomies.html#_approved_category_of_action)
|
||||
|
||||
### artificial-satellites
|
||||
|
||||
[artificial-satellites](https://github.com/MISP/misp-taxonomies/tree/main/artificial-satellites) :
|
||||
This taxonomy was designed to describe artificial satellites [Overview](https://www.misp-project.org/taxonomies.html#_artificial_satellites)
|
||||
|
||||
### aviation
|
||||
|
||||
[aviation](https://github.com/MISP/misp-taxonomies/tree/main/aviation) :
|
||||
A taxonomy describing security threats or incidents against the aviation sector. [Overview](https://www.misp-project.org/taxonomies.html#_aviation)
|
||||
|
||||
### binary-class
|
||||
|
||||
[binary-class](https://github.com/MISP/misp-taxonomies/tree/main/binary-class) :
|
||||
|
@ -85,7 +100,12 @@ Internal taxonomy for CCCS. [Overview](https://www.misp-project.org/taxonomies.h
|
|||
### circl
|
||||
|
||||
[circl](https://github.com/MISP/misp-taxonomies/tree/main/circl) :
|
||||
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_circl)
|
||||
CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection. [Overview](https://www.misp-project.org/taxonomies.html#_circl)
|
||||
|
||||
### cnsd
|
||||
|
||||
[cnsd](https://github.com/MISP/misp-taxonomies/tree/main/cnsd) :
|
||||
La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú. [Overview](https://www.misp-project.org/taxonomies.html#_cnsd)
|
||||
|
||||
### coa
|
||||
|
||||
|
@ -112,6 +132,11 @@ The COPINE Scale is a rating system created in Ireland and used in the United Ki
|
|||
[course-of-action](https://github.com/MISP/misp-taxonomies/tree/main/course-of-action) :
|
||||
A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability. [Overview](https://www.misp-project.org/taxonomies.html#_course_of_action)
|
||||
|
||||
### crowdsec
|
||||
|
||||
[crowdsec](https://github.com/MISP/misp-taxonomies/tree/main/crowdsec) :
|
||||
Crowdsec IP address classifications and behaviors taxonomy. [Overview](https://www.misp-project.org/taxonomies.html#_crowdsec)
|
||||
|
||||
### cryptocurrency-threat
|
||||
|
||||
[cryptocurrency-threat](https://github.com/MISP/misp-taxonomies/tree/main/cryptocurrency-threat) :
|
||||
|
@ -160,7 +185,7 @@ Taxonomy to describe desired actions for Cytomic Orion [Overview](https://www.mi
|
|||
### dark-web
|
||||
|
||||
[dark-web](https://github.com/MISP/misp-taxonomies/tree/main/dark-web) :
|
||||
Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
|
||||
Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission. [Overview](https://www.misp-project.org/taxonomies.html#_dark_web)
|
||||
|
||||
### data-classification
|
||||
|
||||
|
@ -182,11 +207,21 @@ Distributed Denial of Service - or short: DDoS - taxonomy supports the descripti
|
|||
[de-vs](https://github.com/MISP/misp-taxonomies/tree/main/de-vs) :
|
||||
German (DE) Government classification markings (VS). [Overview](https://www.misp-project.org/taxonomies.html#_de_vs)
|
||||
|
||||
### death-possibilities
|
||||
|
||||
[death-possibilities](https://github.com/MISP/misp-taxonomies/tree/main/death-possibilities) :
|
||||
Taxonomy of Death Possibilities [Overview](https://www.misp-project.org/taxonomies.html#_death_possibilities)
|
||||
|
||||
### deception
|
||||
|
||||
[deception](https://github.com/MISP/misp-taxonomies/tree/main/deception) :
|
||||
Deception is an important component of information operations, valuable for both offense and defense. [Overview](https://www.misp-project.org/taxonomies.html#_deception)
|
||||
|
||||
### dga
|
||||
|
||||
[dga](https://github.com/MISP/misp-taxonomies/tree/main/dga) :
|
||||
A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others. [Overview](https://www.misp-project.org/taxonomies.html#_dga)
|
||||
|
||||
### dhs-ciip-sectors
|
||||
|
||||
[dhs-ciip-sectors](https://github.com/MISP/misp-taxonomies/tree/main/dhs-ciip-sectors) :
|
||||
|
@ -197,6 +232,11 @@ DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors [
|
|||
[diamond-model](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model) :
|
||||
The Diamond Model for Intrusion Analysis establishes the basic atomic element of any intrusion activity, the event, composed of four core features: adversary, infrastructure, capability, and victim. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model)
|
||||
|
||||
### diamond-model-for-influence-operations
|
||||
|
||||
[diamond-model-for-influence-operations](https://github.com/MISP/misp-taxonomies/tree/main/diamond-model-for-influence-operations) :
|
||||
The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond. [Overview](https://www.misp-project.org/taxonomies.html#_diamond_model_for_influence_operations)
|
||||
|
||||
### dni-ism
|
||||
|
||||
[dni-ism](https://github.com/MISP/misp-taxonomies/tree/main/dni-ism) :
|
||||
|
@ -207,6 +247,11 @@ A subset of Information Security Marking Metadata ISM as required by Executive O
|
|||
[domain-abuse](https://github.com/MISP/misp-taxonomies/tree/main/domain-abuse) :
|
||||
Domain Name Abuse - taxonomy to tag domain names used for cybercrime. [Overview](https://www.misp-project.org/taxonomies.html#_domain_abuse)
|
||||
|
||||
### doping-substances
|
||||
|
||||
[doping-substances](https://github.com/MISP/misp-taxonomies/tree/main/doping-substances) :
|
||||
This taxonomy aims to list doping substances [Overview](https://www.misp-project.org/taxonomies.html#_doping_substances)
|
||||
|
||||
### drugs
|
||||
|
||||
[drugs](https://github.com/MISP/misp-taxonomies/tree/main/drugs) :
|
||||
|
@ -275,7 +320,7 @@ Exercise is a taxonomy to describe if the information is part of one or more cyb
|
|||
### extended-event
|
||||
|
||||
[extended-event](https://github.com/MISP/misp-taxonomies/tree/main/extended-event) :
|
||||
Reasons why an event has been extended. [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
|
||||
Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf [Overview](https://www.misp-project.org/taxonomies.html#_extended_event)
|
||||
|
||||
### failure-mode-in-machine-learning
|
||||
|
||||
|
@ -292,6 +337,11 @@ This taxonomy aims to ballpark the expected amount of false positives. [Overview
|
|||
[file-type](https://github.com/MISP/misp-taxonomies/tree/main/file-type) :
|
||||
List of known file types. [Overview](https://www.misp-project.org/taxonomies.html#_file_type)
|
||||
|
||||
### financial
|
||||
|
||||
[financial](https://github.com/MISP/misp-taxonomies/tree/main/financial) :
|
||||
Financial taxonomy to describe financial services, infrastructure and financial scope. [Overview](https://www.misp-project.org/taxonomies.html#_financial)
|
||||
|
||||
### flesch-reading-ease
|
||||
|
||||
[flesch-reading-ease](https://github.com/MISP/misp-taxonomies/tree/main/flesch-reading-ease) :
|
||||
|
@ -382,6 +432,11 @@ How an incident is classified in its process to be resolved. The taxonomy is ins
|
|||
[infoleak](https://github.com/MISP/misp-taxonomies/tree/main/infoleak) :
|
||||
A taxonomy describing information leaks and especially information classified as being potentially leaked. The taxonomy is based on the work by CIRCL on the AIL framework. The taxonomy aim is to be used at large to improve classification of leaked information. [Overview](https://www.misp-project.org/taxonomies.html#_infoleak)
|
||||
|
||||
### information-origin
|
||||
|
||||
[information-origin](https://github.com/MISP/misp-taxonomies/tree/main/information-origin) :
|
||||
Taxonomy for tagging information by its origin: human-generated or AI-generated. [Overview](https://www.misp-project.org/taxonomies.html#_information_origin)
|
||||
|
||||
### information-security-data-source
|
||||
|
||||
[information-security-data-source](https://github.com/MISP/misp-taxonomies/tree/main/information-security-data-source) :
|
||||
|
@ -467,6 +522,11 @@ classification for the identification of type of misinformation among websites.
|
|||
[misp](https://github.com/MISP/misp-taxonomies/tree/main/misp) :
|
||||
MISP taxonomy to infer with MISP behavior or operation. [Overview](https://www.misp-project.org/taxonomies.html#_misp)
|
||||
|
||||
### misp-workflow
|
||||
|
||||
[misp-workflow](https://github.com/MISP/misp-taxonomies/tree/main/misp-workflow) :
|
||||
MISP workflow taxonomy to support result of workflow execution. [Overview](https://www.misp-project.org/taxonomies.html#_misp_workflow)
|
||||
|
||||
### monarc-threat
|
||||
|
||||
[monarc-threat](https://github.com/MISP/misp-taxonomies/tree/main/monarc-threat) :
|
||||
|
@ -497,6 +557,11 @@ NATO classification markings. [Overview](https://www.misp-project.org/taxonomies
|
|||
[nis](https://github.com/MISP/misp-taxonomies/tree/main/nis) :
|
||||
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 September 2017, also known as the blueprint. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis)
|
||||
|
||||
### nis2
|
||||
|
||||
[nis2](https://github.com/MISP/misp-taxonomies/tree/main/nis2) :
|
||||
The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society. [Overview](https://www.misp-project.org/taxonomies.html#_nis2)
|
||||
|
||||
### open_threat
|
||||
|
||||
[open_threat](https://github.com/MISP/misp-taxonomies/tree/main/open_threat) :
|
||||
|
@ -527,6 +592,11 @@ Penetration test (pentest) classification. [Overview](https://www.misp-project.o
|
|||
[phishing](https://github.com/MISP/misp-taxonomies/tree/main/phishing) :
|
||||
Taxonomy to classify phishing attacks including techniques, collection mechanisms and analysis status. [Overview](https://www.misp-project.org/taxonomies.html#_phishing)
|
||||
|
||||
### poison-taxonomy
|
||||
|
||||
[poison-taxonomy](https://github.com/MISP/misp-taxonomies/tree/main/poison-taxonomy) :
|
||||
Non-exhaustive taxonomy of natural poison [Overview](https://www.misp-project.org/taxonomies.html#_poison_taxonomy)
|
||||
|
||||
### political-spectrum
|
||||
|
||||
[political-spectrum](https://github.com/MISP/misp-taxonomies/tree/main/political-spectrum) :
|
||||
|
@ -537,11 +607,21 @@ A political spectrum is a system to characterize and classify different politica
|
|||
[priority-level](https://github.com/MISP/misp-taxonomies/tree/main/priority-level) :
|
||||
After an incident is scored, it is assigned a priority level. The six levels listed below are aligned with NCCIC, DHS, and the CISS to help provide a common lexicon when discussing incidents. This priority assignment drives NCCIC urgency, pre-approved incident response offerings, reporting requirements, and recommendations for leadership escalation. Generally, incident priority distribution should follow a similar pattern to the graph below. Based on https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System. [Overview](https://www.misp-project.org/taxonomies.html#_priority_level)
|
||||
|
||||
### pyoti
|
||||
|
||||
[pyoti](https://github.com/MISP/misp-taxonomies/tree/main/pyoti) :
|
||||
PyOTI automated enrichment schemes for point in time classification of indicators. [Overview](https://www.misp-project.org/taxonomies.html#_pyoti)
|
||||
|
||||
### ransomware
|
||||
|
||||
[ransomware](https://github.com/MISP/misp-taxonomies/tree/main/ransomware) :
|
||||
Ransomware is used to define ransomware types and the elements that compose them. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware)
|
||||
|
||||
### ransomware-roles
|
||||
|
||||
[ransomware-roles](https://github.com/MISP/misp-taxonomies/tree/main/ransomware-roles) :
|
||||
The seven roles seen in most ransomware incidents. [Overview](https://www.misp-project.org/taxonomies.html#_ransomware_roles)
|
||||
|
||||
### retention
|
||||
|
||||
[retention](https://github.com/MISP/misp-taxonomies/tree/main/retention) :
|
||||
|
@ -560,7 +640,7 @@ Status of events used in Request Tracker. [Overview](https://www.misp-project.or
|
|||
### runtime-packer
|
||||
|
||||
[runtime-packer](https://github.com/MISP/misp-taxonomies/tree/main/runtime-packer) :
|
||||
Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. [Overview](https://www.misp-project.org/taxonomies.html#_runtime_packer)
|
||||
Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries. [Overview](https://www.misp-project.org/taxonomies.html#_runtime_packer)
|
||||
|
||||
### scrippsco2-fgc
|
||||
|
||||
|
@ -577,11 +657,26 @@ Flags describing the sample for isotopic data (C14, O18) [Overview](https://www.
|
|||
[scrippsco2-sampling-stations](https://github.com/MISP/misp-taxonomies/tree/main/scrippsco2-sampling-stations) :
|
||||
Sampling stations of the Scripps CO2 Program [Overview](https://www.misp-project.org/taxonomies.html#_scrippsco2_sampling_stations)
|
||||
|
||||
### sentinel-threattype
|
||||
|
||||
[sentinel-threattype](https://github.com/MISP/misp-taxonomies/tree/main/sentinel-threattype) :
|
||||
Sentinel indicator threat types. [Overview](https://www.misp-project.org/taxonomies.html#_sentinel_threattype)
|
||||
|
||||
### smart-airports-threats
|
||||
|
||||
[smart-airports-threats](https://github.com/MISP/misp-taxonomies/tree/main/smart-airports-threats) :
|
||||
Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports [Overview](https://www.misp-project.org/taxonomies.html#_smart_airports_threats)
|
||||
|
||||
### social-engineering-attack-vectors
|
||||
|
||||
[social-engineering-attack-vectors](https://github.com/MISP/misp-taxonomies/tree/main/social-engineering-attack-vectors) :
|
||||
Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others. [Overview](https://www.misp-project.org/taxonomies.html#_social_engineering_attack_vectors)
|
||||
|
||||
### srbcert
|
||||
|
||||
[srbcert](https://github.com/MISP/misp-taxonomies/tree/main/srbcert) :
|
||||
SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection [Overview](https://www.misp-project.org/taxonomies.html#_srbcert)
|
||||
|
||||
### state-responsibility
|
||||
|
||||
[state-responsibility](https://github.com/MISP/misp-taxonomies/tree/main/state-responsibility) :
|
||||
|
@ -620,7 +715,7 @@ An overview of some of the known attacks related to DNS as described by Torabi,
|
|||
### tlp
|
||||
|
||||
[tlp](https://github.com/MISP/misp-taxonomies/tree/main/tlp) :
|
||||
The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
|
||||
The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG. [Overview](https://www.misp-project.org/taxonomies.html#_tlp)
|
||||
|
||||
### tor
|
||||
|
||||
|
|
|
@ -0,0 +1,397 @@
|
|||
{
|
||||
"predicates": [
|
||||
{
|
||||
"expanded": "Target",
|
||||
"value": "target"
|
||||
},
|
||||
{
|
||||
"expanded": "Target systems",
|
||||
"value": "target-systems"
|
||||
},
|
||||
{
|
||||
"expanded": "Target Sub Systems",
|
||||
"value": "target-sub-systems"
|
||||
},
|
||||
{
|
||||
"value": "impact",
|
||||
"expanded": "Impact",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"value": "likelihood",
|
||||
"expanded": "Likelihood",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"expanded": "Criticality",
|
||||
"value": "criticality"
|
||||
},
|
||||
{
|
||||
"value": "certainty",
|
||||
"expanded": "Certainty",
|
||||
"exclusive": true
|
||||
}
|
||||
],
|
||||
"version": 1,
|
||||
"description": "A taxonomy describing security threats or incidents against the aviation sector.",
|
||||
"namespace": "aviation",
|
||||
"values": [
|
||||
{
|
||||
"predicate": "target",
|
||||
"entry": [
|
||||
{
|
||||
"value": "airline",
|
||||
"expanded": "airline",
|
||||
"description": "airlines or airline groups"
|
||||
},
|
||||
{
|
||||
"value": "airspace users",
|
||||
"expanded": "Airspace Users",
|
||||
"description": "Airspace users other than airlines like drone, helicopter, baloon operators"
|
||||
},
|
||||
{
|
||||
"value": "airport",
|
||||
"expanded": "Airport",
|
||||
"description": "Airports or airport operators"
|
||||
},
|
||||
{
|
||||
"value": "ansp",
|
||||
"expanded": "Air Navigation Service Provider",
|
||||
"description": "Air Navigation Service Provider who is managing the airspace of a country or a specific region"
|
||||
},
|
||||
{
|
||||
"value": "international-association",
|
||||
"expanded": "International Association",
|
||||
"description": "International associations related with aviation sector"
|
||||
},
|
||||
{
|
||||
"value": "caa",
|
||||
"expanded": "Civil Aviation Authority",
|
||||
"description": "Civil Aviation Authority who is responsible for regulation the aviation of a country"
|
||||
},
|
||||
{
|
||||
"value": "manufacturer",
|
||||
"expanded": "Manufacturer",
|
||||
"description": "Manufacturers who produce aircrafts,aircraft or ATM related components"
|
||||
},
|
||||
{
|
||||
"value": "service-provider",
|
||||
"expanded": "Service Provider",
|
||||
"description": "Service providers who provide different services to the aviation stakeholders"
|
||||
},
|
||||
{
|
||||
"value": "network-manager",
|
||||
"expanded": "Network Manager",
|
||||
"description": "Network Manager manages ATM network functions (airspace design, flow management) as well as scarce resources"
|
||||
},
|
||||
{
|
||||
"value": "military",
|
||||
"expanded": "Military",
|
||||
"description": "Military aviation"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "target-systems",
|
||||
"entry": [
|
||||
{
|
||||
"value": "ATM",
|
||||
"expanded": "ATM - Air Traffic Management",
|
||||
"description": "Air traffic management systems which manage airspace"
|
||||
},
|
||||
{
|
||||
"value": "AIS",
|
||||
"expanded": "AIS - Aeronautical Information Service",
|
||||
"description": "Aeronatutical Infromation Service whose objective is to ensure the flow of aeronautical information and data necessary for the safety, regularity and efficiency of international air navigation"
|
||||
},
|
||||
{
|
||||
"value": "MET",
|
||||
"expanded": "MET - Meteorological Service",
|
||||
"description": "Meteorological service which provides meteo data to the airspace users"
|
||||
},
|
||||
{
|
||||
"value": "SAR",
|
||||
"expanded": "SAR - Search and Rescue",
|
||||
"description": "Search and rescue (SAR) service is provided to the survivors of aircraft accidents as well as aircraft in distress (and their occupants) regardless of their nationality"
|
||||
},
|
||||
{
|
||||
"value": "CNS",
|
||||
"expanded": "CNS - Communication, Navigation and Surveillance",
|
||||
"description": "The main functions of ATM: Communication, Navigation and Surveillance"
|
||||
},
|
||||
{
|
||||
"value": "airport-management-systems",
|
||||
"expanded": "Airport Management Systems",
|
||||
"description": "Airport IT and OT systems that manage airport internal operations"
|
||||
},
|
||||
{
|
||||
"value": "airport-online-services",
|
||||
"expanded": "Airport Online Services",
|
||||
"description": "Airport online service that helps external users to reach airport services"
|
||||
},
|
||||
{
|
||||
"value": "airport-fids-systems",
|
||||
"expanded": "Airport Flight Information Display Systems",
|
||||
"description": "Airport Flight Information Display Systems that guide the passangers about flights"
|
||||
},
|
||||
{
|
||||
"value": "airline-management-systems",
|
||||
"expanded": "Airline Management Systems",
|
||||
"description": "Airline Management Systems that manage airline intenal operations"
|
||||
},
|
||||
{
|
||||
"value": "airline-online-services",
|
||||
"expanded": "Airline Online Services",
|
||||
"description": "Airline Online Services that helps external users to reach airlines services"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "target-sub-systems",
|
||||
"entry": [
|
||||
{
|
||||
"value": "ATM:NewPENS",
|
||||
"expanded": "ATM New PENS(Pan-European Network Service)",
|
||||
"description": "ATM New PENS(Pan-European Network Service) which is private network for aviation stakeholders"
|
||||
},
|
||||
{
|
||||
"value": "ATM:SWIM",
|
||||
"expanded": "ATM SWIM(Sytem Wide Information Management)",
|
||||
"description": "ATM SWIM(System Wide Information Management) is the system that enables seamless information access and interchange between all providers and users of ATM information and services"
|
||||
},
|
||||
{
|
||||
"value": "ATM:ATS:ATC",
|
||||
"expanded": "ATM ATS(Air Traffic Service) ATC - Air Traffic Control",
|
||||
"description": "ATM ATS(Air Traffic Service) ATC - Air Traffic Control systems"
|
||||
},
|
||||
{
|
||||
"value": "ATM:ATS:FIS",
|
||||
"expanded": "ATM ATS FIS - Flight Information Services",
|
||||
"description": "ATM ATS FIS - Flight Information Services systems"
|
||||
},
|
||||
{
|
||||
"value": "ATM:ATS:ALRS",
|
||||
"expanded": "ATM ATS ALRS - Alerting Services",
|
||||
"description": "ATM ATS ALRS - Alerting Services systems"
|
||||
},
|
||||
{
|
||||
"value": "ATM:ATS:ATFM",
|
||||
"expanded": "ATM ATS ATFM(Air Traffic Flow Management)",
|
||||
"description": "ATM ATS ATFM(Air Traffic Flow Management) systems "
|
||||
},
|
||||
{
|
||||
"value": "ATM:ATS:ASM",
|
||||
"expanded": "ATM ATS ASM(Airspace management)",
|
||||
"description": "ATM ATS ASM(Airspace management) systems "
|
||||
},
|
||||
{
|
||||
"value": "CNS:COM:Ground-Ground",
|
||||
"expanded": "CNS COM Ground-Ground",
|
||||
"description": "Ground-ground communication systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:COM:Ground-Air",
|
||||
"expanded": "CNS COM Ground Air",
|
||||
"description": "Ground-Air communication systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:COM:Air-Air",
|
||||
"expanded": "CNS COM Air Air",
|
||||
"description": "Air-Air Communication systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:COM:Asterix",
|
||||
"expanded": "CNS COM Asterix",
|
||||
"description": "Asterix radar data protocol processing systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:COM:VDL",
|
||||
"expanded": "CNS COM VDL",
|
||||
"description": "Very High Frequency Data link"
|
||||
},
|
||||
{
|
||||
"value": "CNS:SUR:ADS-B",
|
||||
"expanded": "CNS SUR ADS-B(Automatic Dependent Surveillance-Broadcast)",
|
||||
"description": "ADS-B Automatic Dependent Surveillance-Broadcast) protocol"
|
||||
},
|
||||
{
|
||||
"value": "CNS:SUR:ADS-C",
|
||||
"expanded": "CNS SUR ADS-C(Automatic dependent surveillance-contract)",
|
||||
"description": "ADS-C Automatic Dependent Surveillance-contract"
|
||||
},
|
||||
{
|
||||
"value": "CNS:SUR:Radar",
|
||||
"expanded": "CNS SUR Radar",
|
||||
"description": "Radar related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:SUR:PR",
|
||||
"expanded": "CNS SUR PR(Primary Radar)",
|
||||
"description": "Primary Radar related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:SUR:SSR",
|
||||
"expanded": "CNS SUR SSR(Secondary Surveillance Radar)",
|
||||
"description": "Secondary Surveillance Radar related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:Nav:GNSS",
|
||||
"expanded": "CNS Nav GNSS(Global Navigation Satellite Systems)",
|
||||
"description": "GNSS(Global Naviation Satellite Systems) related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:Nav:GPS",
|
||||
"expanded": "CNS Nav GPS(Global Positioning Systems)",
|
||||
"description": "GPS(Global Positioning Systems) related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:Nav:GLONASS",
|
||||
"expanded": "CNS Nav GLONASS(GLObal NAvigation Satellite Systems)",
|
||||
"description": "GLONASS(GLObal NAvigation Satellite Systems) related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:Nav:ILS",
|
||||
"expanded": "CNS Nav ILS(Instrument landing systems)",
|
||||
"description": "ILS(Instrument landing systems) related systems"
|
||||
},
|
||||
{
|
||||
"value": "CNS:Nav:GLS",
|
||||
"expanded": "CNS Nav GLS (GNSS dependent landing systems",
|
||||
"description": "GLS(GNSS dependent landing systems) related systems"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "impact",
|
||||
"entry": [
|
||||
{
|
||||
"value": "trivial",
|
||||
"expanded": "Trivial"
|
||||
},
|
||||
{
|
||||
"value": "minor",
|
||||
"expanded": "Minor"
|
||||
},
|
||||
{
|
||||
"value": "moderate",
|
||||
"expanded": "Moderate"
|
||||
},
|
||||
{
|
||||
"value": "major",
|
||||
"expanded": "Major"
|
||||
},
|
||||
{
|
||||
"value": "extreme",
|
||||
"expanded": "Extreme"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "likelihood",
|
||||
"entry": [
|
||||
{
|
||||
"value": "almost-no-chance",
|
||||
"expanded": "Almost no chance - remote - 01-05%",
|
||||
"numerical_value": 0
|
||||
},
|
||||
{
|
||||
"value": "very-unlikely",
|
||||
"expanded": "Very unlikely - highly improbable - 05-20%",
|
||||
"numerical_value": 5
|
||||
},
|
||||
{
|
||||
"value": "unlikely",
|
||||
"expanded": "Unlikely - improbable (improbably) - 20-45%",
|
||||
"numerical_value": 20
|
||||
},
|
||||
{
|
||||
"value": "roughly-even-chance",
|
||||
"expanded": "Roughly even change - roughly even odds - 45-55%",
|
||||
"numerical_value": 45
|
||||
},
|
||||
{
|
||||
"value": "likely",
|
||||
"expanded": "Likely - probable (probably) - 55-80%",
|
||||
"numerical_value": 55
|
||||
},
|
||||
{
|
||||
"value": "very-likely",
|
||||
"expanded": "Very likely - highly probable - 80-95%",
|
||||
"numerical_value": 80
|
||||
},
|
||||
{
|
||||
"value": "almost-certain",
|
||||
"expanded": "Almost certain(ly) - nearly certain - 95-99%",
|
||||
"numerical_value": 95
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "criticality",
|
||||
"entry": [
|
||||
{
|
||||
"value": "safety-critical",
|
||||
"expanded": "Safety Critical",
|
||||
"description": "Criticality level that threatens human life"
|
||||
},
|
||||
{
|
||||
"value": "mission-critical",
|
||||
"expanded": "Mission Critical",
|
||||
"description": "Criticality level that affects the critical services impacting the airspace management"
|
||||
},
|
||||
{
|
||||
"value": "business-critical",
|
||||
"expanded": "business Critical",
|
||||
"description": "Criticality level that affects business functions"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Certainty",
|
||||
"expanded": "Certainty (probability equals 1 - 100%)",
|
||||
"value": "100",
|
||||
"numerical_value": 100
|
||||
},
|
||||
{
|
||||
"description": "Almost certain",
|
||||
"expanded": "Almost certain (probability equals 0.93 - 93%)",
|
||||
"value": "93",
|
||||
"numerical_value": 93
|
||||
},
|
||||
{
|
||||
"description": "Probable",
|
||||
"expanded": "Probable (probability equals 0.75 - 75%)",
|
||||
"value": "75",
|
||||
"numerical_value": 75
|
||||
},
|
||||
{
|
||||
"description": "Chances about even",
|
||||
"expanded": "Chances about even (probability equals 0.50 - 50%)",
|
||||
"value": "50",
|
||||
"numerical_value": 50
|
||||
},
|
||||
{
|
||||
"description": "Probably not",
|
||||
"expanded": "Probably not (probability equals 0.30 - 30%)",
|
||||
"value": "30",
|
||||
"numerical_value": 30
|
||||
},
|
||||
{
|
||||
"description": "Almost certainly not",
|
||||
"expanded": "Almost certainly not (probability equals 0.07 - 7%)",
|
||||
"value": "7",
|
||||
"numerical_value": 7
|
||||
},
|
||||
{
|
||||
"description": "Impossibility",
|
||||
"expanded": "Impossibility (probability equals 0 - 0%)",
|
||||
"value": "0",
|
||||
"numerical_value": 0
|
||||
}
|
||||
],
|
||||
"predicate": "certainty"
|
||||
}
|
||||
]
|
||||
}
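Review bot: The value `airspace users` in the second `target` entry contains a space, while every other value and predicate name in this file uses hyphens (`target-sub-systems`, `international-association`, …); a tag built from it would likely be rendered as `aviation:target="airspace users"`, which is inconsistent with the rest of the taxonomy and awkward in tag filters, so use `"value": "airspace-users"`. Several `expanded`/`description` strings carry spelling slips that will be shown verbatim in the UI: `baloon`, `Aeronatutical Infromation`, `passangers`, `intenal`, `Sytem Wide`, `Naviation`, `Roughly even change`, `business Critical`, plus unbalanced parentheses in the ADS-B description and the GLS expanded text and trailing spaces in the ATFM and ASM descriptions. `criticality` is the only level-style predicate without `"exclusive": true`; if a target cannot be safety-, mission- and business-critical at the same time, mark it exclusive like `impact`, `likelihood` and `certainty`.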
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"namespace": "circl",
|
||||
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
|
||||
"version": 5,
|
||||
"description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
|
||||
"version": 6,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "incident-classification",
|
||||
|
@ -10,6 +10,11 @@
|
|||
{
|
||||
"value": "topic",
|
||||
"expanded": "Topic"
|
||||
},
|
||||
{
|
||||
"value": "significant",
|
||||
"expanded": "Significant",
|
||||
"description": "Significant topic which has been evaluated to have a certain level of significancy which can have or had a severe impact."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
|
|
|
@ -0,0 +1,230 @@
|
|||
{
|
||||
"values": [
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Correo electrónico masivo no solicitado, el destinatario no ha otorgado un permiso verificable",
|
||||
"expanded": "Spam",
|
||||
"value": "spam"
|
||||
},
|
||||
{
|
||||
"description": "Ofrecer o instalar copias de software, u otros materiales sin licencia o derechos adquiridos de autor",
|
||||
"expanded": "Copyright",
|
||||
"value": "copyright"
|
||||
},
|
||||
{
|
||||
"description": "Comprende los incidentes relacionados con la explotación sexual infantil, glorificación de la violencia o incitación al terrorismo.",
|
||||
"expanded": "Explotación sexual infantil, racismo e incitación a la violencia.",
|
||||
"value": "explotacion sexual infantil"
|
||||
}
|
||||
],
|
||||
"predicate": "Contenido abusivo"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Inundaciones ICMP y SYN, los ataques Teardrop y los bombardeos por correo, y los ataques DDoS que se originan por bots.",
|
||||
"expanded": "DoS/DDoS",
|
||||
"value": "DoS/DDoS"
|
||||
},
|
||||
{
|
||||
"description": "La disponibilidad tambien puede verse afectada por acciones locales o por fuerza mayor.",
|
||||
"expanded": "sabotaje",
|
||||
"value": "sabotaje"
|
||||
}
|
||||
],
|
||||
"predicate": "Disponibilidad"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Mal uso o uso no autorizado de recursos, incluidas empresas con fines de lucro, cadenas de ganancias o esquemas piramidales.",
|
||||
"expanded": "Mal-Uso",
|
||||
"value": "mal-uso"
|
||||
},
|
||||
{
|
||||
"description": "Una entidad u organización asume o se atribuye ilegitimamente la identidad de otra para beneficiarse de ella.",
|
||||
"expanded": "Repres-Falsa",
|
||||
"value": "repres-falsa"
|
||||
}
|
||||
],
|
||||
"predicate": "Fraude"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Son ataques que interceptan y acceden a la información durante la transmisión.",
|
||||
"expanded": "Acc-No-autorizado",
|
||||
"value": "acc-no-autorizado"
|
||||
},
|
||||
{
|
||||
"description": "El error humano de configuración de software puede ser una causa.",
|
||||
"expanded": "Modi-Elim-No-Autorizada",
|
||||
"value": "modi-elim-no-autorizada"
|
||||
}
|
||||
],
|
||||
"predicate": "Fuga de información"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Un intento de comprometer un sistema o interrumpir cualquier servicio mediante la explotación de vulnerabilidades.",
|
||||
"expanded": "Explot-Vulnerab",
|
||||
"value": "explot-vulnerab"
|
||||
},
|
||||
{
|
||||
"description": "Múltiples intentos de inicio de sesión (adivinar, descifrar contraseñas, fuerza bruta).",
|
||||
"expanded": "Intento-Inicio-Sesión",
|
||||
"value": "intento-inicio-sesión"
|
||||
}
|
||||
],
|
||||
"predicate": "Intentos de intrusión"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Un intento de comprometer un sistema o interrumpir cualquier servicio mediante la explotación de vulnerabilidades.",
|
||||
"expanded": "Explot-Extra-Vulnerab",
|
||||
"value": "explot-extra-vulnerab"
|
||||
},
|
||||
{
|
||||
"description": "Compromiso de un sistema en el que el atacante ha adquirido privilegios, accesa y sustrae de datos del centro de datos.",
|
||||
"expanded": "Comprometer-Cuenta",
|
||||
"value": "comprometer-cuenta"
|
||||
}
|
||||
],
|
||||
"predicate": "Intrusión"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Se através de dispositivos extraibles, descargas de internet, adjuntos en correos, por scripts y vulneabilidades XSS.",
|
||||
"expanded": "Infección",
|
||||
"value": "infección"
|
||||
},
|
||||
{
|
||||
"description": "Se presenta cuando un recurso de la organización es utilizado para la distribución de malware.",
|
||||
"expanded": "Distribución",
|
||||
"value": "distribución"
|
||||
},
|
||||
{
|
||||
"description": "Conexión con servidor de mando y Control, mediante malware o sistemas infectados.",
|
||||
"expanded": "C&C",
|
||||
"value": "c&c"
|
||||
},
|
||||
{
|
||||
"description": "Intercambio de información a nivel de red local o pública, cuyo origen o destino no este plenamente identificado.",
|
||||
"expanded": "Conexión-Maliciosa",
|
||||
"value": "conexión-maliciosa"
|
||||
},
|
||||
{
|
||||
"description": "No se puede determinar.",
|
||||
"expanded": "Indeterminado",
|
||||
"value": "indeterminado"
|
||||
}
|
||||
],
|
||||
"predicate": "Malware"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Se através de dispositivos extraibles, descargas de internet, adjuntos en correos, por scripts y vulneabilidades XSS.",
|
||||
"expanded": "Scanning",
|
||||
"value": "scanning"
|
||||
},
|
||||
{
|
||||
"description": "Se presenta cuando un recurso de la organización es utilizado para la distribución de malware.",
|
||||
"expanded": "Sniffing",
|
||||
"value": "sniffing"
|
||||
},
|
||||
{
|
||||
"description": "Conexión con servidor de mando y Control, mediante malware o sistemas infectados.",
|
||||
"expanded": "Phishing",
|
||||
"value": "phishing"
|
||||
}
|
||||
],
|
||||
"predicate": "Recopilación de información"
|
||||
},
|
||||
{
|
||||
"entry": [
|
||||
{
|
||||
"description": "Incidente no encontrado en la lista.",
|
||||
"expanded": "Inc-No-Listado",
|
||||
"value": "inc-no-listado"
|
||||
},
|
||||
{
|
||||
"description": "Incidente que no se puede determinar o clasificar.",
|
||||
"expanded": "Inc-Indeter",
|
||||
"value": "inc-indeter"
|
||||
},
|
||||
{
|
||||
"description": "Amenaza Avanzada Persistente (APT), ataques dirigidos contra entidades u organizaciones concretas, con mecanismos sofisticados.",
|
||||
"expanded": "APT",
|
||||
"value": "APT"
|
||||
},
|
||||
{
|
||||
"description": "Uso de redes o sistemas de información con fines de caracter terrorista.",
|
||||
"expanded": "Ciberterrorismo",
|
||||
"value": "ciberterrorismo"
|
||||
},
|
||||
{
|
||||
"description": "Daños en activos críticos nacionales, comprende el borrado, dañado, alteración, supresión o inaccesibilidad a un activo crítico.",
|
||||
"expanded": "Danos-en-Activos",
|
||||
"value": "danos-en-activos"
|
||||
}
|
||||
],
|
||||
"predicate": "Otros"
|
||||
}
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"description": "Comprende aquellos incidentes de contenido comercial no autorizados, comentarios ofensivos, violencia y/o delitos sexuales.",
|
||||
"expanded": "Contenido abusivo",
|
||||
"value": "Contenido abusivo"
|
||||
},
|
||||
{
|
||||
"description": "Las operaciones se retrasan o el sistema se bloquea debido al gran número de peticiones concurrentes u orquestadas.",
|
||||
"expanded": "Disponibilidad",
|
||||
"value": "Disponibilidad"
|
||||
},
|
||||
{
|
||||
"description": "Uso no autorizado de un bien o servicio, violación de derechos de autor o propiedad, suplantación de identidad.",
|
||||
"expanded": "Fraude",
|
||||
"value": "Fraude"
|
||||
},
|
||||
{
|
||||
"description": "Pérdida de los datos e información, debido al acceso o conocimiento del contenido por parte de personas no autorizadas.",
|
||||
"expanded": "Fuga de información",
|
||||
"value": "Fuga de información"
|
||||
},
|
||||
{
|
||||
"description": "Intento de comprometer la confidencialidad, integridad y disponibilidad de un activo de información.",
|
||||
"expanded": "Intentos de intrusión",
|
||||
"value": "Intentos de intrusión"
|
||||
},
|
||||
{
|
||||
"description": "Se manifiesta el claro acceso a cuentas de usuarios con el propósito de comprometer la información crítica del negocio.",
|
||||
"expanded": "Intrusión",
|
||||
"value": "Intrusión"
|
||||
},
|
||||
{
|
||||
"description": "Incidente relacionado con el uso de software que se incluye o inserta intencionalmente en el sistema para causar daño.",
|
||||
"expanded": "Malware",
|
||||
"value": "Malware"
|
||||
},
|
||||
{
|
||||
"description": "Comprende aquellos incidentes relacionados con el uso de analizadores de paquetes, ingenieria social o ataques de fuerza bruta.",
|
||||
"expanded": "Recopilación de información",
|
||||
"value": "Recopilación de información"
|
||||
},
|
||||
{
|
||||
"value": "Otros",
|
||||
"expanded": "Otros",
|
||||
"description": "Otros"
|
||||
}
|
||||
],
|
||||
"version": 20220513,
|
||||
"description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
|
||||
"expanded": "CNSD Taxonomia de Incidentes de Seguridad Digital",
|
||||
"namespace": "cnsd"
|
||||
}
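Review bot: The three entries under the "Recopilación de información" predicate carry descriptions copied verbatim from the Malware predicate — `scanning` is described as infection through removable media and XSS, `sniffing` as an organisation resource distributing malware, and `phishing` as a C2 connection — so anyone reading the tag tooltip will be misled; the `explot-extra-vulnerab` entry likewise repeats the `explot-vulnerab` description word for word. Each needs its own text, e.g. `"description": "Envío de peticiones a sistemas para descubrir puertos, servicios o versiones expuestas."` for scanning, `"description": "Captura de tráfico de red para obtener credenciales u otra información."` for sniffing, and `"description": "Suplantación de una entidad confiable para obtener credenciales o datos del usuario."` for phishing. If these files are consumed as MISP machine tags, the predicate and value strings containing spaces, accents, slashes and `&` (`Contenido abusivo`, `explotacion sexual infantil`, `DoS/DDoS`, `c&c`, `intento-inicio-sesión`, `APT` in upper case) will be awkward to type and search and are inconsistent with the lower-case hyphenated ASCII convention used by the other taxonomies on this page; renaming values after release breaks existing tags, so this is the moment to normalise them.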
|
|
@ -2,7 +2,7 @@
|
|||
"namespace": "course-of-action",
|
||||
"expanded": "Courses of Action",
|
||||
"description": "A Course Of Action analysis considers six potential courses of action for the development of a cyber security capability.",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "passive",
|
||||
|
@ -21,6 +21,10 @@
|
|||
"value": "discover",
|
||||
"expanded": "The discover action is a 'historical look at the data'. This action heavily relies on your capability to store logs for a reasonable amount of time and have them accessible for searching. Typically, this type of action is applied against security information and event management (SIEM) or stored network data. The goal is to determine whether you have seen a specific indicator in the past."
|
||||
},
|
||||
{
|
||||
"value": "nodiscover",
|
||||
"expanded": "The no-discover action is a negation of discover in case you want to explicit prohibit 'historical look at the data'. The goal is to exclude a specific indicator from searches of historical data."
|
||||
},
|
||||
{
|
||||
"value": "detect",
|
||||
"expanded": "The passive action is setting up detection rules of an indicator for future traffic. These actions are most often executed via an intrusion detection system (IDS) or a specific logging rule on your firewall or application. It can also be configured as an alert in a SIEM when a specific condition is triggered."
|
||||
|
|
|
@ -0,0 +1,309 @@
|
|||
{
|
||||
"version": 1,
|
||||
"namespace": "crowdsec",
|
||||
"description": "Crowdsec IP address classifications and behaviors taxonomy.",
|
||||
"predicates": [
|
||||
{
|
||||
"value": "behavior",
|
||||
"expanded": "Behavior",
|
||||
"description": "Attack categories and behaviors associated with an IP address."
|
||||
},
|
||||
{
|
||||
"value": "false-positive",
|
||||
"expanded": "False positive",
|
||||
"description": "Defines whether an IP address is a known false positive."
|
||||
},
|
||||
{
|
||||
"value": "classification",
|
||||
"expanded": "Classification",
|
||||
"description": "Category associated to an IP address."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "behavior",
|
||||
"entry": [
|
||||
{
|
||||
"value": "database-bruteforce",
|
||||
"expanded": "Database Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on databases."
|
||||
},
|
||||
{
|
||||
"value": "ftp-bruteforce",
|
||||
"expanded": "FTP Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on FTP services."
|
||||
},
|
||||
{
|
||||
"value": "generic-exploit",
|
||||
"expanded": "Exploitation attempt",
|
||||
"description": "IP has been reported trying to exploit known vulnerability/CVE on unspecified protocol."
|
||||
},
|
||||
{
|
||||
"value": "http-bruteforce",
|
||||
"expanded": "HTTP Bruteforce",
|
||||
"description": "IP has been reported for performing a HTTP brute force attack (either generic http probing or applicative related brute force)."
|
||||
},
|
||||
{
|
||||
"value": "http-crawl",
|
||||
"expanded": "HTTP Crawl",
|
||||
"description": "IP has been reported for performing aggressive crawling of web applications."
|
||||
},
|
||||
{
|
||||
"value": "http-exploit",
|
||||
"expanded": "HTTP Exploit",
|
||||
"description": "IP has been reported for attempting to exploit a vulnerability in a web application."
|
||||
},
|
||||
{
|
||||
"value": "http-scan",
|
||||
"expanded": "HTTP Scan",
|
||||
"description": "IP has been reported for performing actions related to HTTP vulnerability scanning and discovery."
|
||||
},
|
||||
{
|
||||
"value": "http-spam",
|
||||
"expanded": "Web form spam",
|
||||
"description": "IP has been reported trying to perform spam via web forms/forums."
|
||||
},
|
||||
{
|
||||
"value": "iot-bruteforce",
|
||||
"expanded": "IOT Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on IOT management interfaces."
|
||||
},
|
||||
{
|
||||
"value": "ldap-bruteforce",
|
||||
"expanded": "LDAP Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on ldap services."
|
||||
},
|
||||
{
|
||||
"value": "pop3/imap-bruteforce",
|
||||
"expanded": "POP3/IMAP Bruteforce",
|
||||
"description": "IP has been reported for performing a POP3/IMAP brute force attack."
|
||||
},
|
||||
{
|
||||
"value": "sip-bruteforce",
|
||||
"expanded": "SIP Bruteforce",
|
||||
"description": "IP has been reported for performing a SIP (VOIP) brute force attack."
|
||||
},
|
||||
{
|
||||
"value": "smb-bruteforce",
|
||||
"expanded": "SMB Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on samba services."
|
||||
},
|
||||
{
|
||||
"value": "smtp-spam",
|
||||
"expanded": "SMTP spam",
|
||||
"description": "IP has been reported trying to perform spam SMTP service."
|
||||
},
|
||||
{
|
||||
"value": "ssh-bruteforce",
|
||||
"expanded": "SSH Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on ssh services."
|
||||
},
|
||||
{
|
||||
"value": "tcp-scan",
|
||||
"expanded": "TCP Scan",
|
||||
"description": "IP has been reported for performing TCP port scanning."
|
||||
},
|
||||
{
|
||||
"value": "telnet-bruteforce",
|
||||
"expanded": "TELNET Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on telnet services."
|
||||
},
|
||||
{
|
||||
"value": "vm-management-bruteforce",
|
||||
"expanded": "VM Management Bruteforce",
|
||||
"description": "IP has been reported for performing brute force on virtual environement management applications."
|
||||
},
|
||||
{
|
||||
"value": "windows-bruteforce",
|
||||
"expanded": "SMB/RDP bruteforce",
|
||||
"description": "IP has been reported for performing brute force on Windows (samba, remote desktop) services."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "false-positive",
|
||||
"entry": [
|
||||
{
|
||||
"value": "cdn-cloudflare_exit_node",
|
||||
"expanded": "Cloudflare CDN",
|
||||
"description": "IP is a Cloudflare CDN exit IP and should not be flagged as a threat."
|
||||
},
|
||||
{
|
||||
"value": "cdn-exit_node",
|
||||
"expanded": "CDN exit node",
|
||||
"description": "IP is a CDN exit IP and should not be flagged as a threat."
|
||||
},
|
||||
{
|
||||
"value": "ip-private_range",
|
||||
"expanded": "Private IP address range",
|
||||
"description": "This IP address is in a private IP range"
|
||||
},
|
||||
{
|
||||
"value": "msp-scanner",
|
||||
"expanded": "Legitimate Scanner",
|
||||
"description": "IP belongs to a known 'legitimate' scanner (MSP) and should not be flagged as a threat."
|
||||
},
|
||||
{
|
||||
"value": "seo-crawler",
|
||||
"expanded": "SEO crawler",
|
||||
"description": "IP belongs to a known SEO crawler and should not be flagged as a threat."
|
||||
},
|
||||
{
|
||||
"value": "seo-duckduckbot",
|
||||
"expanded": "Duckduckbot SEO crawler",
|
||||
"description": "IP belongs to Duckduckbot SEO crawler and should not be flagged as a threat."
|
||||
},
|
||||
{
|
||||
"value": "seo-pinterest",
|
||||
"expanded": "Pinterest crawler",
|
||||
"description": "IP belongs to Pinterest crawler and should not be flagged as a threat."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "classification",
|
||||
"entry": [
|
||||
{
|
||||
"value": "community-blocklist",
|
||||
"expanded": "CrowdSec Community Blocklist",
|
||||
"description": "IP belong to the CrowdSec Community Blocklist"
|
||||
},
|
||||
{
|
||||
"value": "profile-insecure_services",
|
||||
"expanded": "Dangerous Services Exposed",
|
||||
"description": "IP exposes dangerous services (vnc, telnet, rdp), possibly due to a misconfiguration or because it's a honeypot."
|
||||
},
|
||||
{
|
||||
"value": "profile-many_services",
|
||||
"expanded": "Many Services Exposed",
|
||||
"description": "IP exposes many open port, possibly due to a misconfiguration or because it's a honeypot."
|
||||
},
|
||||
{
|
||||
"value": "proxy-tor",
|
||||
"expanded": "TOR exit node",
|
||||
"description": "IP is being flagged as a TOR exit node."
|
||||
},
|
||||
{
|
||||
"value": "proxy-vpn",
|
||||
"expanded": "VPN",
|
||||
"description": "IP exposes a VPN service or is being flagged as one."
|
||||
},
|
||||
{
|
||||
"value": "range-data_center",
|
||||
"expanded": "Data Center",
|
||||
"description": "IP is known to be hosted in a data center."
|
||||
},
|
||||
{
|
||||
"value": "scanner-alphastrike",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : AlphaSrike."
|
||||
},
|
||||
{
|
||||
"value": "scanner-binaryedge",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : binaryedge."
|
||||
},
|
||||
{
|
||||
"value": "scanner-censys",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : Censys."
|
||||
},
|
||||
{
|
||||
"value": "scanner-cert.ssi.gouv.fr",
|
||||
"expanded": "Known CERT",
|
||||
"description": "IP belongs to an entity that scans internet : cert.ssi.gouv.fr."
|
||||
},
|
||||
{
|
||||
"value": "scanner-cisa.dhs.gov",
|
||||
"expanded": "Known CERT",
|
||||
"description": "IP belongs to an entity that scans internet : cisa.dhs.gov."
|
||||
},
|
||||
{
|
||||
"value": "scanner-internet-census",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : internet-census."
|
||||
},
|
||||
{
|
||||
"value": "scanner-leakix",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : leakix."
|
||||
},
|
||||
{
|
||||
"value": "scanner-legit",
|
||||
"expanded": "Legit scanner",
|
||||
"description": "IP belongs to a company that scans internet"
|
||||
},
|
||||
{
|
||||
"value": "scanner-shadowserver.org",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to an entity that scans internet : www.shadowserver.org."
|
||||
},
|
||||
{
|
||||
"value": "scanner-shodan",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to a company that scans internet : Shodan."
|
||||
},
|
||||
{
|
||||
"value": "scanner-stretchoid",
|
||||
"expanded": "Known Security Company",
|
||||
"description": "IP belongs to an entity that scans internet : stretchoid."
|
||||
},
|
||||
{
|
||||
"value": "profile-fake_rdns",
|
||||
"expanded": "Fake RDNS",
|
||||
"description": "IP is using a fake RDNS"
|
||||
},
|
||||
{
|
||||
"value": "profile-nxdomain",
|
||||
"expanded": "NXDOMAIN",
|
||||
"description": "RDNS doesn't exist"
|
||||
},
|
||||
{
|
||||
"value": "profile-router",
|
||||
"expanded": "Router",
|
||||
"description": "IP belongs to a router exping services on the internet"
|
||||
},
|
||||
{
|
||||
"value": "profile-proxy",
|
||||
"expanded": "Proxy",
|
||||
"description": "IP exposes services that are commonly used by proxies"
|
||||
},
|
||||
{
|
||||
"value": "profile-jupiter-vpn",
|
||||
"expanded": "JupiterVPN",
|
||||
"description": "IP belongs to a jupiter vpn"
|
||||
},
|
||||
{
|
||||
"value": "device-cyberoam",
|
||||
"expanded": "Cyberoam",
|
||||
"description": "IP belongs to a Cyberoam router"
|
||||
},
|
||||
{
|
||||
"value": "device-microtik",
|
||||
"expanded": "Mikrotik",
|
||||
"description": "IP belongs to a Mikrotik router"
|
||||
},
|
||||
{
|
||||
"value": "device-asuswrt",
|
||||
"expanded": "AsusWRT",
|
||||
"description": "IP belongs to a AsusWRT router"
|
||||
},
|
||||
{
|
||||
"value": "device-hikvision",
|
||||
"expanded": "Hikvision",
|
||||
"description": "IP belongs to a Hikvision camera"
|
||||
},
|
||||
{
|
||||
"value": "device-ipcam",
|
||||
"expanded": "IpCamera",
|
||||
"description": "IP belongs to a IP camera"
|
||||
},
|
||||
{
|
||||
"value": "profile-likely_botnet",
|
||||
"expanded": "Likely Botnet",
|
||||
"description": "IP is likely to belong to a botnet (based on behaviour and/or characteristics)"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
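Review bot: The `classification` value `device-microtik` misspells Mikrotik while its own `expanded` label spells it correctly; because the value is the tag identifier (`crowdsec:classification="device-microtik"`) and renaming it after release would orphan existing tags, fix it now: `"value": "device-mikrotik"`. The `false-positive` descriptions say such an IP "should not be flagged as a threat", which downstream tooling could read as an allow-list; since a CDN exit node or an MSP scanner still relays whatever traffic is behind it, consider stating in the predicate description that these tags explain the source rather than clear it, e.g. `"description": "Reasons an IP address is likely a false positive; explains the source, it is not an allow-list."`. Smaller typos in descriptions: "AlphaSrike", "exping services", "virtual environement".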
|
|
@ -42,6 +42,14 @@
|
|||
{
|
||||
"value": "Crypto Robbing Ransomware",
|
||||
"expanded": "Cyber-extortionists began distributing new malware that empties cryptocurrency wallets and steals private keys while holding user data hostage."
|
||||
},
|
||||
{
|
||||
"value": "Rag Pull",
|
||||
"expanded": "Crypto scam that occurs when a team pumps their project’s token before disappearing with the funds, leaving their investors with a valueless asset."
|
||||
},
|
||||
{
|
||||
"value": "Pig Butchering Scam",
|
||||
"expanded": "Cryptocurrency investment fraud that lures individuals into investing their money in seemingly legitimate and profitable ventures."
|
||||
}
|
||||
],
|
||||
"refs": [
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
{
|
||||
"namespace": "dark-web",
|
||||
"expanded": "Dark Web",
|
||||
"description": "Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project",
|
||||
"version": 4,
|
||||
"description": "Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.",
|
||||
"version": 6,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "topic",
|
||||
|
@ -18,6 +18,16 @@
|
|||
"value": "structure",
|
||||
"description": "Structure of the materials tagged",
|
||||
"expanded": "Structure"
|
||||
},
|
||||
{
|
||||
"value": "service",
|
||||
"description": "Information related to an Dark-Web service",
|
||||
"expanded": "Service"
|
||||
},
|
||||
{
|
||||
"value": "content",
|
||||
"description": "Identifiable entities and information contained in a Dark-Web service",
|
||||
"expanded": "Content"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
|
@ -26,182 +36,182 @@
|
|||
"entry": [
|
||||
{
|
||||
"value": "drugs-narcotics",
|
||||
"expanded": "Drugs/Narcotics",
|
||||
"expanded": "drugsNarcotics",
|
||||
"description": "Illegal drugs/chemical compounds for consumption/ingestion - either via blanket unlawfulness (e.g. proscribed drugs) or via unlawful access (e.g. prescription-only/restricted medications sold without lawful accessibility)."
|
||||
},
|
||||
{
|
||||
"value": "electronics",
|
||||
"expanded": "Electronics",
|
||||
"expanded": "electronics",
|
||||
"description": "Electronics and high tech materials, described or to sell for example."
|
||||
},
|
||||
{
|
||||
"value": "finance",
|
||||
"expanded": "Finance",
|
||||
"expanded": "finance",
|
||||
"description": "Any monetary/currency/exchangeable materials. Includes carding, Paypal etc."
|
||||
},
|
||||
{
|
||||
"value": "finance-crypto",
|
||||
"expanded": "CryptoFinance",
|
||||
"expanded": "cryptoFinance",
|
||||
"description": "Any monetary/currency/exchangeable materials based on cryptocurrencies. Includes Bitcoin, Litecoin etc."
|
||||
},
|
||||
{
|
||||
"value": "credit-card",
|
||||
"expanded": "Credit-Card",
|
||||
"expanded": "creditCard",
|
||||
"description": "Credit cards and payments materials"
|
||||
},
|
||||
{
|
||||
"value": "cash-in",
|
||||
"expanded": "Cash-in",
|
||||
"expanded": "cashIn",
|
||||
"description": "Buying parts of assets, conversion from liquid assets, currency, etc."
|
||||
},
|
||||
{
|
||||
"value": "cash-out",
|
||||
"expanded": "Cash-out",
|
||||
"expanded": "cashOut",
|
||||
"description": "Selling parts of assets, conversion to liquid assets, currency, etc."
|
||||
},
|
||||
{
|
||||
"value": "escrow",
|
||||
"expanded": "Escrow",
|
||||
"expanded": "escrow",
|
||||
"description": "Third party keeping assets in behalf of two other parties making a transactions."
|
||||
},
|
||||
{
|
||||
"value": "hacking",
|
||||
"expanded": "Hacking",
|
||||
"expanded": "hacking",
|
||||
"description": "Materials relating to the illegal access to or alteration of data and/or electronic services."
|
||||
},
|
||||
{
|
||||
"value": "identification-credentials",
|
||||
"expanded": "Identification/Credentials",
|
||||
"expanded": "identificationCredentials",
|
||||
"description": "Materials used for providing/establishing identification with third parties. Examples include passports, driver licenses and login credentials."
|
||||
},
|
||||
{
|
||||
"value": "intellectual-property-copyright-materials",
|
||||
"expanded": "Intellectual Property/Copyright Materials",
|
||||
"expanded": "intellectualPropertyCopyrightMaterials",
|
||||
"description": "Otherwise lawful materials stored, transferred or made available without consent of their legal rights holders."
|
||||
},
|
||||
{
|
||||
"value": "pornography-adult",
|
||||
"expanded": "Pornography - Adult",
|
||||
"expanded": "pornographyAdult",
|
||||
"description": "Lawful, ethical pornography (i.e. involving only consenting adults)."
|
||||
},
|
||||
{
|
||||
"value": "pornography-child-exploitation",
|
||||
"expanded": "Pornography - Child (Child Exploitation)",
|
||||
"expanded": "pornographyChild(ChildExploitation)",
|
||||
"description": "Child abuse materials (aka child pornography), including 'fantasy' fiction materials, CGI. Also includes the provision/offering of child abuse materials and/or activities"
|
||||
},
|
||||
{
|
||||
"value": "pornography-illicit-or-illegal",
|
||||
"expanded": "Pornography - Illicit or Illegal",
|
||||
"expanded": "pornographyIllicitOrIllegal",
|
||||
"description": "Illegal pornography NOT including children/child abuse. Includes bestiality, stolen/revenge porn, hidden cameras etc."
|
||||
},
|
||||
{
|
||||
"value": "search-engine-index",
|
||||
"expanded": "Search Engine/Index",
|
||||
"expanded": "searchEngineIndex",
|
||||
"description": "Site providing links/references to other sites/services. Referred to as a ‘nexus’ by (Moore and Rid, 2016)"
|
||||
},
|
||||
{
|
||||
"value": "unclear",
|
||||
"expanded": "Unclear",
|
||||
"expanded": "unclear",
|
||||
"description": "Unable to completely establish topic of material."
|
||||
},
|
||||
{
|
||||
"value": "extremism",
|
||||
"expanded": "Extremism",
|
||||
"expanded": "extremism",
|
||||
"description": "Illegal or ‘of concern’ levels of extremist ideology. Note this does not provide blanket coverage of fundamentalist ideologies and dogma - only those associated with illegal acts. Socialist/anarchist/religious materials (for example) will not be included unless inclusive or indicative of associated illegal conduct, such as hate crimes."
|
||||
},
|
||||
{
|
||||
"value": "violence",
|
||||
"expanded": "Violence",
|
||||
"expanded": "violence",
|
||||
"description": "Materials relating to violence against persons or property."
|
||||
},
|
||||
{
|
||||
"value": "weapons",
|
||||
"expanded": "Weapons",
|
||||
"expanded": "weapons",
|
||||
"description": "Materials specifically associated with materials and/or items for use in violent acts against persons or property. Examples include firearms and bomb-making ingredients."
|
||||
},
|
||||
{
|
||||
"value": "softwares",
|
||||
"expanded": "Softwares",
|
||||
"expanded": "softwares",
|
||||
"description": "Illegal or armful software distribution"
|
||||
},
|
||||
{
|
||||
"value": "counteir-feit-materials",
|
||||
"expanded": "Counter-feit materials",
|
||||
"expanded": "counterFeitMaterials",
|
||||
"description": "Fake identification papers."
|
||||
},
|
||||
{
|
||||
"value": "gambling",
|
||||
"expanded": "Gambling",
|
||||
"expanded": "gambling",
|
||||
"description": "Games involving money"
|
||||
},
|
||||
{
|
||||
"value": "library",
|
||||
"expanded": "Library",
|
||||
"expanded": "library",
|
||||
"description": "Library or list of books"
|
||||
},
|
||||
{
|
||||
"value": "other-not-illegal",
|
||||
"expanded": "Other not illegal",
|
||||
"expanded": "otherNotIllegal",
|
||||
"description": "Material not of interest to law enforcement - e.g. personal sites, Facebook mirrors."
|
||||
},
|
||||
{
|
||||
"value": "legitimate",
|
||||
"expanded": "Legitimate",
|
||||
"expanded": "legitimate",
|
||||
"description": "Legitimate websites"
|
||||
},
|
||||
{
|
||||
"value": "chat",
|
||||
"expanded": "Chats platforms",
|
||||
"expanded": "chatsPlatforms",
|
||||
"description": "Chats space or equivalent, which are not forums"
|
||||
},
|
||||
{
|
||||
"value": "mixer",
|
||||
"expanded": "Mixer",
|
||||
"expanded": "mixer",
|
||||
"description": "Anonymization tools for crypto-currencies transactions"
|
||||
},
|
||||
{
|
||||
"value": "mystery-box",
|
||||
"expanded": "Mystery-Box",
|
||||
"expanded": "mysteryBox",
|
||||
"description": "Mystery Box seller"
|
||||
},
|
||||
{
|
||||
"value": "anonymizer",
|
||||
"expanded": "Anonymizer",
|
||||
"expanded": "anonymizer",
|
||||
"description": "Anonymization tools"
|
||||
},
|
||||
{
|
||||
"value": "vpn-provider",
|
||||
"expanded": "VPN-Provider",
|
||||
"expanded": "vpnProvider",
|
||||
"description": "Provides VPN services and related"
|
||||
},
|
||||
{
|
||||
"value": "email-provider",
|
||||
"expanded": "EMail-Provider",
|
||||
"expanded": "emailProvider",
|
||||
"description": "Provides e-mail services and related"
|
||||
},
|
||||
{
|
||||
"value": "ponies",
|
||||
"expanded": "Ponies",
|
||||
"expanded": "ponies",
|
||||
"description": "self-explanatory. It's ponies"
|
||||
},
|
||||
{
|
||||
"value": "games",
|
||||
"expanded": "Games",
|
||||
"expanded": "games",
|
||||
"description": "Flash or online games"
|
||||
},
|
||||
{
|
||||
"value": "parody",
|
||||
"expanded": "Parody or Joke",
|
||||
"expanded": "parodyOrJoke",
|
||||
"description": "Meme, Parody, Jokes, Trolling, ..."
|
||||
},
|
||||
{
|
||||
"value": "whistleblower",
|
||||
"expanded": "Whistleblower",
|
||||
"expanded": "whistleblower",
|
||||
"description": "Exposition and sharing of confidential information with protection of the witness in mind"
|
||||
},
|
||||
{
|
||||
"value": "ransomware-group",
|
||||
"expanded": "Ransomware Group",
|
||||
"expanded": "ransomwareGroup",
|
||||
"description": "Ransomware group PR or leak website"
|
||||
}
|
||||
]
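Review bot: The rewritten `expanded` labels follow lowerCamelCase everywhere except `InformationSharingReportage`, which starts with a capital and will stand out in any sorted or displayed list; make it `"expanded": "informationSharingReportage"`. Likewise `pornographyChild(ChildExploitation)` keeps the parentheses that every other label dropped, so either `pornographyChildExploitation` or a consistent rule for such suffixes is needed. Note that elsewhere on this page `expanded` holds a human-readable label (e.g. "Safety Critical", "Cloudflare CDN"); if any consumer renders this field to users, the identifier-style labels may warrant an explanatory line in the taxonomy description. Two pre-existing typos survive as context in this hunk: the value `counteir-feit-materials` and "Illegal or armful software".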
|
||||
|
@ -211,92 +221,92 @@
|
|||
"entry": [
|
||||
{
|
||||
"value": "education-training",
|
||||
"expanded": "Education & Training",
|
||||
"expanded": "educationTraining",
|
||||
"description": "Materials providing instruction - e.g. ‘how to’ guides"
|
||||
},
|
||||
{
|
||||
"value": "wiki",
|
||||
"expanded": "Wiki",
|
||||
"expanded": "wiki",
|
||||
"description": "Wiki pages, documentation and information display"
|
||||
},
|
||||
{
|
||||
"value": "forum",
|
||||
"expanded": "Forum",
|
||||
"expanded": "forum",
|
||||
"description": "Sites specifically designed for multiple users to communicate as peers"
|
||||
},
|
||||
{
|
||||
"value": "file-sharing",
|
||||
"expanded": "File Sharing",
|
||||
"expanded": "fileSharing",
|
||||
"description": "General file sharing, typically (but not limited to) movie/image sharing"
|
||||
},
|
||||
{
|
||||
"value": "hosting",
|
||||
"expanded": "Hosting",
|
||||
"expanded": "hosting",
|
||||
"description": "Hosting providers, e-mails, websites, file-storage etc."
|
||||
},
|
||||
{
|
||||
"value": "ddos-services",
|
||||
"expanded": "DDoS-Services",
|
||||
"expanded": "ddosServices",
|
||||
"description": "Stresser, Booter, DDoSer, DDoS as a Service provider, DDoS tools, etc."
|
||||
},
|
||||
{
|
||||
"value": "general",
|
||||
"expanded": "General",
|
||||
"expanded": "general",
|
||||
"description": "Materials not covered by the other motivations. Typically, materials of a nature not of interest to law enforcement. For example, personal biography sites."
|
||||
},
|
||||
{
|
||||
"value": "information-sharing-reportage",
|
||||
"expanded": "Information Sharing/Reportage",
|
||||
"expanded": "InformationSharingReportage",
|
||||
"description": "Journalism/reporting on topics. Can include biased coverage, but obvious propaganda materials are covered by Recruitment/Advocacy."
|
||||
},
|
||||
{
|
||||
"value": "scam",
|
||||
"expanded": "Scam",
|
||||
"expanded": "scam",
|
||||
"description": "Intentional confidence trick to fraud people or group of people"
|
||||
},
|
||||
{
|
||||
"value": "political-speech",
|
||||
"expanded": "Political-Speech",
|
||||
"expanded": "politicalSpeech",
|
||||
"description": "Political, activism, without extremism."
|
||||
},
|
||||
{
|
||||
"value": "conspirationist",
|
||||
"expanded": "Conspirationist",
|
||||
"expanded": "conspirationist",
|
||||
"description": "Conspirationist content, fake news, etc."
|
||||
},
|
||||
{
|
||||
"value": "hate-speech",
|
||||
"expanded": "Hate-Speech",
|
||||
"expanded": "hateSpeech",
|
||||
"description": "Racism, violent, hate... speech."
|
||||
},
|
||||
{
|
||||
"value": "religious",
|
||||
"expanded": "Religious",
|
||||
"expanded": "religious",
|
||||
"description": "Religious, faith, doctrinal related content."
|
||||
},
|
||||
{
|
||||
"value": "marketplace-for-sale",
|
||||
"expanded": "Marketplace/For Sale",
|
||||
"expanded": "marketplaceForSale",
|
||||
"description": "Services/goods for sale, regardless of means of payment."
|
||||
},
|
||||
{
|
||||
"value": "smuggling",
|
||||
"expanded": "Smuggling",
|
||||
"expanded": "smuggling",
|
||||
"description": "Information or trading of wild animals, prohibited goods, ... "
|
||||
},
|
||||
{
|
||||
"value": "recruitment-advocacy",
|
||||
"expanded": "Recruitment/Advocacy",
|
||||
"expanded": "recruitmentAdvocacy",
|
||||
"description": "Propaganda"
|
||||
},
|
||||
{
|
||||
"value": "system-placeholder",
|
||||
"expanded": "System/Placeholder",
|
||||
"expanded": "systemPlaceholder",
|
||||
"description": "Automatically generated content, not designed for any identifiable purpose other than diagnostics - e.g. “It Works” message provided by default by Apache2"
|
||||
},
|
||||
{
|
||||
"value": "unclear",
|
||||
"expanded": "Unclear",
|
||||
"expanded": "unclear",
|
||||
"description": "Unable to completely establish motivation of material."
|
||||
}
|
||||
]
|
||||
|
@ -306,55 +316,195 @@
|
|||
"entry": [
|
||||
{
|
||||
"value": "incomplete",
|
||||
"expanded": "Incomplete websites or information",
|
||||
"expanded": "incomplete",
|
||||
"description": "Websites and pages that are unable to load completely properly"
|
||||
},
|
||||
{
|
||||
"value": "captcha",
|
||||
"expanded": "Captcha and Solvers",
|
||||
"expanded": "captcha",
|
||||
"description": "Captchas and solvers elements"
|
||||
},
|
||||
{
|
||||
"value": "login-forms",
|
||||
"expanded": "Logins forms and gates",
|
||||
"expanded": "loginForms",
|
||||
"description": "Authentication pages, login page, login forms that block access to an internal part of a website."
|
||||
},
|
||||
{
|
||||
"value": "contact-forms",
|
||||
"expanded": "Contact forms and gates",
|
||||
"expanded": "contactForms",
|
||||
"description": "Forms to perform a contact request, send an e-mail, fill information, enter a password, ..."
|
||||
},
|
||||
{
|
||||
"value": "encryption-keys",
|
||||
"expanded": "Encryption and decryption keys",
|
||||
"expanded": "encryptionKeys",
|
||||
"description": "e.g. PGP Keys, passwords, ..."
|
||||
},
|
||||
{
|
||||
"value": "police-notice",
|
||||
"expanded": "Police Notice",
|
||||
"expanded": "policeNotice",
|
||||
"description": "Closed websites, with police-equivalent banners"
|
||||
},
|
||||
{
|
||||
"value": "legal-statement",
|
||||
"expanded": "Legal-Statement",
|
||||
"expanded": "legalStatement",
|
||||
"description": "RGPD statement, Privacy-policy, guidelines of a websites or forum..."
|
||||
},
|
||||
{
|
||||
"value": "test",
|
||||
"expanded": "Test",
|
||||
"expanded": "test",
|
||||
"description": "Test websites without any real consequences or effects"
|
||||
},
|
||||
{
|
||||
"value": "videos",
|
||||
"expanded": "Videos",
|
||||
"expanded": "videos",
|
||||
"description": "Videos and streaming"
|
||||
},
|
||||
{
|
||||
"value": "ransomware-post",
|
||||
"expanded": "ransomwarePost",
|
||||
"description": "Ransomware post published by a ransomware group"
|
||||
},
|
||||
{
|
||||
"value": "unclear",
|
||||
"expanded": "Unclear",
|
||||
"expanded": "unclear",
|
||||
"description": "Unable to completely establish structure of material."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "service",
|
||||
"entry": [
|
||||
{
|
||||
"value": "url",
|
||||
"expanded": "url",
|
||||
"description": "Uniform Resource Locator (URL) of a dark-web. The url should indicate a protocol (http), a hostname (www.example.com), and a file name (index.html). Example: http://www.example.com/index.html"
|
||||
},
|
||||
{
|
||||
"value": "content-type",
|
||||
"expanded": "contentType",
|
||||
"description": "Content-Type representaton headerused to indicate the original media type of the resource (prior to any content encoding applied for sending). https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Type"
|
||||
},
|
||||
{
|
||||
"value": "path",
|
||||
"expanded": "path",
|
||||
"description": "The URL path is the string of information that comes after the top level domain name "
|
||||
},
|
||||
{
|
||||
"value": "detection-date",
|
||||
"expanded": "detectionDate",
|
||||
"description": "Date in which the dark-web was detected. The date should be in ISO 8601 format. Example: 2019-01-01T00:00:00Z"
|
||||
},
|
||||
{
|
||||
"value": "network-protocol",
|
||||
"expanded": "networkProtocol",
|
||||
"description": "Network protocol used to access the dark-web site (e.g., HTTP, HTTPS)"
|
||||
},
|
||||
{
|
||||
"value": "port",
|
||||
"expanded": "port",
|
||||
"description": "Port number where the dark-web service is being offered"
|
||||
},
|
||||
{
|
||||
"value": "network",
|
||||
"expanded": "network",
|
||||
"description": "Overlay network (darknet) that host the service or content"
|
||||
},
|
||||
{
|
||||
"value": "found-at",
|
||||
"expanded": "foundAt",
|
||||
"description": "Domain or service where the dark-web where found at"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "content",
|
||||
"entry": [
|
||||
{
|
||||
"value": "sha1sum",
|
||||
"expanded": "sha1sum",
|
||||
"description": "SHA-1 (Secure Hash Algorithm 1) hash of the HTML or objectName content"
|
||||
},
|
||||
{
|
||||
"value": "sha256sum",
|
||||
"expanded": "sha256sum",
|
||||
"description": "SHA-256 hash of the HTML or objectName content"
|
||||
},
|
||||
{
|
||||
"value": "ssdeep",
|
||||
"expanded": "ssdeep",
|
||||
"description": "ssdeep fuzzy hash of the HTML or objectName content"
|
||||
},
|
||||
{
|
||||
"value": "language",
|
||||
"expanded": "language",
|
||||
"description": "Detected language of the service in ISO 639‑1 Code. Example: en"
|
||||
},
|
||||
{
|
||||
"value": "html",
|
||||
"expanded": "html",
|
||||
"description": "HyperText Markup Language (HTML) used in a website"
|
||||
},
|
||||
{
|
||||
"value": "css",
|
||||
"expanded": "css",
|
||||
"description": "CSS (Cascading Style Sheets) used in a dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "text",
|
||||
"expanded": "text",
|
||||
"description": "Content of the dark-web service without HTML tags"
|
||||
},
|
||||
{
|
||||
"value": "page-title",
|
||||
"expanded": "pageTitle",
|
||||
"description": "HTML <title> tag content of a dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "phone-number",
|
||||
"expanded": "phoneNumber",
|
||||
"description": "Phone number identified in the dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "creditCard",
|
||||
"expanded": "creditCard",
|
||||
"description": "Credit card identified in the dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "email",
|
||||
"expanded": "email",
|
||||
"description": "Email address identified in the dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "pgp-public-key-block",
|
||||
"expanded": "pgpPublicKeyBlock",
|
||||
"description": "PGP public key block identified in the dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "country",
|
||||
"expanded": "country",
|
||||
"description": "Associated country detected on the code of the dark-web site, following ISO 3166-1 alpha-2"
|
||||
},
|
||||
{
|
||||
"value": "company-name",
|
||||
"expanded": "companyName",
|
||||
"description": "Company name identified in a dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "company-link",
|
||||
"expanded": "companyLink",
|
||||
"description": "Company link identified in a dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "victim-address",
|
||||
"expanded": "victimAddress",
|
||||
"description": "Business address identified in a dark-web site"
|
||||
},
|
||||
{
|
||||
"value": "victim-TLD",
|
||||
"expanded": "victimTLD",
|
||||
"description": "Business Top Level Domain (TLD) of a company identified in a dark-web site"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|
|
@ -0,0 +1,64 @@
|
|||
{
|
||||
"namespace": "dga",
|
||||
"expanded": "Domain-Generation Algorithms",
|
||||
"description": "A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.",
|
||||
"version": 2,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "generation-scheme",
|
||||
"expanded": "Generation scheme used for the DGA"
|
||||
},
|
||||
{
|
||||
"value": "seeding",
|
||||
"expanded": "Seeding scheme used for the DGA"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "generation-scheme",
|
||||
"entry": [
|
||||
{
|
||||
"value": "arithmetic",
|
||||
"expanded": "Arithmetic",
|
||||
"description": "Calculate a sequence of values that either have a direct ASCII representation usable for a domain name or designate an offset in one or more hard- coded arrays, constituting the alphabet of the DGA. "
|
||||
},
|
||||
{
|
||||
"value": "hash",
|
||||
"expanded": "Hash",
|
||||
"description": "Use the hexdigest representation of a hash to produce the domain."
|
||||
},
|
||||
{
|
||||
"value": "wordlist",
|
||||
"expanded": "Wordlist",
|
||||
"description": "Concatenate a sequence of words from one or more wordlists, resulting in less randomly appealing and thus more camouflaging domains"
|
||||
},
|
||||
{
|
||||
"value": "permutation",
|
||||
"expanded": "Permutation",
|
||||
"description": "derive all possible AGDs (Algorithmically-Generated Domain) through permutation of an initial domain name."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "seeding",
|
||||
"entry": [
|
||||
{
|
||||
"value": "time-dependent",
|
||||
"expanded": "The DGA uses temporal information in the seeding for its domain generation, resulting in sets of domains with certain validity time spans."
|
||||
},
|
||||
{
|
||||
"value": "time-independent",
|
||||
"expanded": "The DGA does not rely on temporal information in the seeding for its domain generation, resulting in a single set of domains."
|
||||
},
|
||||
{
|
||||
"value": "deterministic",
|
||||
"expanded": "Given the implementation of the DGA and a seed, its full set of possible domains can be calculated at any point in time."
|
||||
},
|
||||
{
|
||||
"value": "non-deterministic",
|
||||
"expanded": "Domains depend on unpredictable seed input, e.g. on external dynamic information that can be published at a later time (e.g. via posting on social media), on data specific to the system it is executed on, or on arbitrary non-predictable PRNG output."
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
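Review bot: The `seeding` entries put a full sentence in `"expanded"` and carry no `"description"`, while the `generation-scheme` entries above use a short label in `"expanded"` and keep the explanation in `"description"`; moving each sentence into `"description"` and using a label such as `"expanded": "Time-dependent"` keeps the tags readable and the two predicates consistent. The `arithmetic` description also carries a copy artefact, `hard- coded` should read `hard-coded`, and the `permutation` description starts lowercase unlike its siblings.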
|
|
@ -0,0 +1,31 @@
|
|||
{
|
||||
"namespace": "diamond-model-for-influence-operations",
|
||||
"expanded": "The Diamond Model for Influence Operations Analysis",
|
||||
"description": "The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.",
|
||||
"version": 1,
|
||||
"refs": [
|
||||
"https://go.recordedfuture.com/hubfs/white-papers/diamond-model-influence-operations-analysis.pdf"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "Influencer",
|
||||
"expanded": "The influencer is an individual or organization that is conducting malign influence activity."
|
||||
},
|
||||
{
|
||||
"value": "Capabilities",
|
||||
"expanded": "Capabilities are the influencer’s TTPs. Studying the way influencers plan, test, and execute their operations can enable analysts to be more proactive in defending against malign influence and to discern how to neutralize harmful narratives when they are identified. "
|
||||
},
|
||||
{
|
||||
"value": "Infrastructure",
|
||||
"expanded": "The infrastructure used by influencers can include print media, television, digital platforms like websites, mobile phones, mobile applications, and more. "
|
||||
},
|
||||
{
|
||||
"value": "Audience",
|
||||
"expanded": "The audience is the intended target of the influence operation. The audience can range in size from a single individual to a large international audience. "
|
||||
},
|
||||
{
|
||||
"value": "Narrative",
|
||||
"expanded": "The narrative is often key to identifying who would be affected by the story and who would be motivated to propagate that particular message. "
|
||||
}
|
||||
]
|
||||
}
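Review bot: The predicate values are capitalised (`"value": "Influencer"`, `"Capabilities"`, …) whereas the other taxonomies in this change use lowercase machine-tag values (`generation-scheme`, `categories-and-types-of-services`); lowercasing them, e.g. `"value": "influencer"`, keeps the resulting tags consistent across the repository. The `Capabilities`, `Infrastructure`, `Audience` and `Narrative` expanded strings also end with a trailing space that is worth trimming.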
|
|
@ -0,0 +1,44 @@
|
|||
# MISP_DopingSubstanceTaxonomy
|
||||
|
||||
This project aims to gather information about all the prohibited sports Doping Substances.
|
||||
|
||||
We collected all of the information on the [WADA website](https://www.wada-ama.org/en/prohibited-list).
|
||||
|
||||
To do that we have created a python script to scrap this website and generate a JSON file (Taxonomy).
|
||||
|
||||
This Taxonomy could be add in MISP to help sports organizations to fight against usage of doping substances.
|
||||
|
||||
## MISP
|
||||
|
||||
![logo](Misp-logo.png)
|
||||
|
||||
What is MISP ?
|
||||
|
||||
>A threat intelligence platform for sharing, storing and correlating
|
||||
Indicators of Compromise of targeted attacks, threat intelligence,
|
||||
financial fraud information, vulnerability information or even
|
||||
counter-terrorism information. Discover how MISP is used today in
|
||||
multiple organisations. Not only to store, share, collaborate on cyber
|
||||
security indicators, malware analysis, but also to use the IoCs and
|
||||
information to detect and prevent attacks, frauds or threats against ICT
|
||||
infrastructures, organisations or people.
|
||||
|
||||
## JSON Generation
|
||||
|
||||
In order to build the JSON file, we created a Python script which scrap the WADA (World Anti-Doping Agency) ‘s prohibited list.
|
||||
|
||||
Thanks to BeautifulSoup, a useful library that helps a lot when it comes to scrap HTLM documents, the script is able to get all the list of doping substances.
|
||||
|
||||
The file is created with PyTaxonomies, a MISP library that help to create valid JSON file according to the [MISP Platform](https://www.misp-project.org/taxonomies.html#_misp_taxonomies).
|
||||
|
||||
Finally, the script generates all predicates (doping categories) and the entries associated (the doping substances themselves).
|
||||
|
||||
## Installation
|
||||
|
||||
If you want to try it out yourself, you need to have both BeautifulSoup & PyTaxonomies installated.
|
||||
|
||||
## Authors
|
||||
|
||||
DELUS Thibaut : https://github.com/WooZyhh
|
||||
|
||||
JACOB Lucas : https://github.com/Chaamoxs
|
|
@ -0,0 +1,63 @@
|
|||
import json
|
||||
import requests
|
||||
from bs4 import BeautifulSoup
|
||||
from pathlib import Path
|
||||
from pytaxonomies import Entry, Predicate, Taxonomy
|
||||
|
||||
CONTENT_URL = 'https://www.wada-ama.org/en/prohibited-list'
|
||||
|
||||
TAXONOMY_DESCRIPTION = 'This taxonomy aims to list doping substances'
|
||||
TAXONOMY_EXPANDED = 'Doping substances'
|
||||
TAXONOMY_NAME = 'doping-substances'
|
||||
|
||||
ignore = ('NON-APPROVED SUBSTANCES', )
|
||||
|
||||
|
||||
def list_predicates(articles):
|
||||
predicates = {}
|
||||
for article in articles:
|
||||
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
|
||||
if title in ignore:
|
||||
continue
|
||||
predicate = Predicate()
|
||||
predicate.predicate = title
|
||||
div = article.find('div', attrs={'class': 'layout-wysiwyg'})
|
||||
description = div.find('p')
|
||||
predicate.description = description.find_next_sibling().text
|
||||
predicates[title] = predicate
|
||||
return predicates
|
||||
|
||||
|
||||
def generate_taxonomy():
|
||||
new_taxonomy = Taxonomy()
|
||||
|
||||
new_taxonomy.name = TAXONOMY_NAME
|
||||
new_taxonomy.expanded = TAXONOMY_EXPANDED
|
||||
new_taxonomy.description = TAXONOMY_DESCRIPTION
|
||||
|
||||
response = requests.get(CONTENT_URL)
|
||||
soup = BeautifulSoup(response.text, 'html.parser')
|
||||
articles = soup.findAll('article', attrs={'class': 'panel hide-reader'})
|
||||
|
||||
new_taxonomy.predicates = list_predicates(articles)
|
||||
|
||||
for article in articles:
|
||||
title = article.find('p', attrs={'class': 'h3 panel-title'}).text
|
||||
if title in ignore:
|
||||
continue
|
||||
products = article.findAll('li')
|
||||
products_list = {}
|
||||
for product in products:
|
||||
entry = Entry()
|
||||
entry.value = product.text
|
||||
products_list[entry.value] = entry
|
||||
new_taxonomy.predicates[title].entries = products_list
|
||||
|
||||
return new_taxonomy
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
taxonomy = generate_taxonomy()
|
||||
taxonomy.version = 2
|
||||
with open(Path(__file__).resolve().parent / 'machinetag.json', 'wt', encoding='utf-8') as f:
|
||||
json.dump(taxonomy.to_dict(), f, indent=2, ensure_ascii=False)
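Review bot: `response = requests.get(CONTENT_URL)` has no timeout and never checks the HTTP status, so a slow host hangs the script and an error page is parsed as if it were the prohibited list, which then fails with an AttributeError when `article.find(...)` returns None; use `response = requests.get(CONTENT_URL, timeout=30)` followed by `response.raise_for_status()`. The scraped strings are also written verbatim — `entry.value = product.text` keeps surrounding whitespace and newlines from the HTML, so `product.text.strip()` would give cleaner values, and because the JSON is produced straight from remote content the generated diff should be reviewed before it is committed. `findAll` is the deprecated alias of `find_all`, and the title/`ignore` lookup is duplicated between `list_predicates` and `generate_taxonomy`, so a small helper would remove the repetition.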
|
|
@ -45,6 +45,11 @@
|
|||
{
|
||||
"predicate": "cyber-europe",
|
||||
"entry": [
|
||||
{
|
||||
"value": "2024",
|
||||
"expanded": "2024",
|
||||
"description": "7th pan European cyber crisis exercise: Cyber Europe 2024 (CE2024)"
|
||||
},
|
||||
{
|
||||
"value": "2022",
|
||||
"expanded": "2022",
|
||||
|
@ -104,6 +109,16 @@
|
|||
"value": "2022",
|
||||
"expanded": "2022",
|
||||
"description": "Locked Shields 2022"
|
||||
},
|
||||
{
|
||||
"value": "2023",
|
||||
"expanded": "2023",
|
||||
"description": "Locked Shields 2023"
|
||||
},
|
||||
{
|
||||
"value": "2024",
|
||||
"expanded": "2024",
|
||||
"description": "Locked Shields 2024"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -193,7 +208,7 @@
|
|||
]
|
||||
}
|
||||
],
|
||||
"version": 10,
|
||||
"version": 11,
|
||||
"description": "Exercise is a taxonomy to describe if the information is part of one or more cyber or crisis exercise.",
|
||||
"expanded": "Exercise",
|
||||
"namespace": "exercise"
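Review bot: The new `cyber-europe` entry `"value": "2024"` is inserted ahead of `2022`, while the `locked-shields` list in the second hunk appends `2023` and `2024` in ascending order; placing the `2024` block after the existing entries would keep both predicates ordered the same way.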
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"namespace": "extended-event",
|
||||
"description": "Reasons why an event has been extended. ",
|
||||
"version": 1,
|
||||
"description": "Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf",
|
||||
"version": 2,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "competitive-analysis",
|
||||
|
@ -25,6 +25,11 @@
|
|||
"value": "update",
|
||||
"expanded": "Update",
|
||||
"description": "Original event is deprecated"
|
||||
},
|
||||
{
|
||||
"value": "counter-analysis",
|
||||
"expanded": "Counter analysis",
|
||||
"description": "This extended event is a counter analysis of the original one. The author disagrees with the original statement."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
|
@ -34,22 +39,22 @@
|
|||
{
|
||||
"value": "devil-advocate",
|
||||
"expanded": "Devil's advocate",
|
||||
"description": "Is a competitive analysis of devil's advocate type."
|
||||
"description": "Is a competitive analysis of devil's advocate type. A devil’s advocate is someone who defends a minority point of view."
|
||||
},
|
||||
{
|
||||
"value": "absurd-reasoning",
|
||||
"expanded": "Absurd reasoning",
|
||||
"description": "Is a competitive analysis of absurd reasoning type"
|
||||
"description": "Is a competitive analysis of absurd reasoning type."
|
||||
},
|
||||
{
|
||||
"value": "role-playing",
|
||||
"expanded": "Role playing",
|
||||
"description": "Is a competitive analysis of role playing type"
|
||||
"description": "Is a competitive analysis of role playing type. Role playing is commonly used to overcome con- straints and inhibitions that limit the range of one’s thinking. Playing a role changes “where you sit.” It also gives one license to think and act differently."
|
||||
},
|
||||
{
|
||||
"value": "crystal-ball",
|
||||
"expanded": "Crystal ball",
|
||||
"description": "Is a competitive analysis of crystal ball type"
|
||||
"description": "Is a competitive analysis of crystal ball type. The crystal ball approach works in much the same way as thinking backwards. Imagine that a “perfect” intelligence source (such as a crystal ball) has told you a certain assumption is wrong. You must then develop a scenario to explain how this could be true. If you can develop a plausible scenario, this suggests your assumption is open to some question."
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -59,7 +64,7 @@
|
|||
{
|
||||
"value": "automatic-expansion",
|
||||
"expanded": "Automatic expansion",
|
||||
"description": "This extended event is composed of elements derived from automatic expanxions services"
|
||||
"description": "This extended event is composed of elements derived from automatic expansions services"
|
||||
},
|
||||
{
|
||||
"value": "aggressive-pivoting",
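Review bot: The new `role-playing` description contains a line-break hyphenation artefact copied from the PDF, `con- straints`, which should read `constraints`. The `devil-advocate`, `role-playing` and `crystal-ball` descriptions also mix typographic quotes (`’`, `“ ”`) with the plain ASCII apostrophe used elsewhere in the file, which is worth normalising while these lines are being touched.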
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"namespace": "false-positive",
|
||||
"description": "This taxonomy aims to ballpark the expected amount of false positives.",
|
||||
"version": 5,
|
||||
"version": 7,
|
||||
"expanded": "False positive",
|
||||
"predicates": [
|
||||
{
|
||||
|
@ -25,19 +25,29 @@
|
|||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"description": "The risk of having false positives in the tagged value is low.",
|
||||
"numerical_value": 75
|
||||
"numerical_value": 75,
|
||||
"colour": "#33FF00"
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"description": "The risk of having false positives in the tagged value is medium.",
|
||||
"numerical_value": 50
|
||||
"numerical_value": 50,
|
||||
"colour": "#FFFF00"
|
||||
},
|
||||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"description": "The risk of having false positives in the tagged value is high.",
|
||||
"numerical_value": 25
|
||||
"numerical_value": 25,
|
||||
"colour": "#FF2B2B"
|
||||
},
|
||||
{
|
||||
"value": "cannot-be-judged",
|
||||
"expanded": "Risk cannot be judged",
|
||||
"description": "The risk of having false positives in the tagged value cannot be judged.",
|
||||
"numerical_value": 25,
|
||||
"colour": "#FFC000"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -53,7 +63,7 @@
|
|||
{
|
||||
"value": "false",
|
||||
"expanded": "False",
|
||||
"description": "The flase positive is not confirmed.",
|
||||
"description": "The false positive is not confirmed.",
|
||||
"numerical_value": 50
|
||||
}
|
||||
]
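Review bot: The new `cannot-be-judged` entry is given `"numerical_value": 25`, the same score as `high`, so anything that consumes the numerical value (scoring, sorting, filtering) cannot tell "risk unknown" from "risk high" and an unjudged indicator would be down-weighted as if it were a known likely false positive. Either document that this is intended or pick a distinct value; the colour `#FFC000` already distinguishes it visually, but the numeric field is what automation reads.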
|
||||
|
|
|
@ -107,6 +107,11 @@
|
|||
"expanded": "internet",
|
||||
"value": "xml"
|
||||
},
|
||||
{
|
||||
"colour": "#11eded",
|
||||
"expanded": "internet",
|
||||
"value": "hta"
|
||||
},
|
||||
{
|
||||
"colour": "#ccffeb",
|
||||
"expanded": "internet",
|
||||
|
@ -202,6 +207,11 @@
|
|||
"expanded": "image",
|
||||
"value": "gimp"
|
||||
},
|
||||
{
|
||||
"colour": "#25c3e6",
|
||||
"expanded": "image",
|
||||
"value": "img"
|
||||
},
|
||||
{
|
||||
"colour": "#80ffce",
|
||||
"expanded": "image",
|
||||
|
@ -362,11 +372,36 @@
|
|||
"expanded": "document",
|
||||
"value": "ps"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "document",
|
||||
"value": "dot"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "document",
|
||||
"value": "dotm"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "document",
|
||||
"value": "dotx"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "document",
|
||||
"value": "doc"
|
||||
},
|
||||
{
|
||||
"colour": "#35b8f0",
|
||||
"expanded": "document",
|
||||
"value": "txt"
|
||||
},
|
||||
{
|
||||
"colour": "#ccffeb",
|
||||
"expanded": "document",
|
||||
"value": "docm"
|
||||
},
|
||||
{
|
||||
"colour": "#ccffeb",
|
||||
"expanded": "document",
|
||||
|
@ -397,6 +432,11 @@
|
|||
"expanded": "document",
|
||||
"value": "xlsx"
|
||||
},
|
||||
{
|
||||
"colour": "#00663f",
|
||||
"expanded": "document",
|
||||
"value": "xlsm"
|
||||
},
|
||||
{
|
||||
"colour": "#99ffd8",
|
||||
"expanded": "document",
|
||||
|
@ -437,6 +477,11 @@
|
|||
"expanded": "bundle",
|
||||
"value": "isoimage"
|
||||
},
|
||||
{
|
||||
"colour": "#00b36e",
|
||||
"expanded": "bundle",
|
||||
"value": "txz"
|
||||
},
|
||||
{
|
||||
"colour": "#00b36e",
|
||||
"expanded": "bundle",
|
||||
|
@ -447,6 +492,11 @@
|
|||
"expanded": "bundle",
|
||||
"value": "gzip"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "bundle",
|
||||
"value": "tar"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "bundle",
|
||||
|
@ -522,6 +572,11 @@
|
|||
"expanded": "bundle",
|
||||
"value": "xz"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "code",
|
||||
"value": "bat"
|
||||
},
|
||||
{
|
||||
"colour": "#33ffb1",
|
||||
"expanded": "code",
|
||||
|
@ -557,6 +612,11 @@
|
|||
"expanded": "code",
|
||||
"value": "cpp"
|
||||
},
|
||||
{
|
||||
"colour": "#00cc7e",
|
||||
"expanded": "code",
|
||||
"value": "javascript"
|
||||
},
|
||||
{
|
||||
"colour": "#00cc7e",
|
||||
"expanded": "code",
|
||||
|
@ -572,6 +632,11 @@
|
|||
"expanded": "code",
|
||||
"value": "pascal"
|
||||
},
|
||||
{
|
||||
"colour": "#33b5a5",
|
||||
"expanded": "code",
|
||||
"value": "vbs"
|
||||
},
|
||||
{
|
||||
"colour": "#b3ffe2",
|
||||
"expanded": "code",
|
||||
|
@ -592,6 +657,11 @@
|
|||
"expanded": "code",
|
||||
"value": "java-bytecode"
|
||||
},
|
||||
{
|
||||
"colour": "#2e73db",
|
||||
"expanded": "code",
|
||||
"value": "ppa"
|
||||
},
|
||||
{
|
||||
"colour": "#004d2f",
|
||||
"expanded": "apple",
|
||||
|
@ -645,7 +715,7 @@
|
|||
{
|
||||
"colour": "#00663f",
|
||||
"expanded": "miscellaneous",
|
||||
"value": "data"
|
||||
"value": "dat"
|
||||
}
|
||||
],
|
||||
"predicate": "type"
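Review bot: The new `hta` entry is filed under `"expanded": "internet"` next to `xml`, but an .hta file is an HTML Application that Windows executes as script, so for triage it belongs with the `code` group alongside `vbs` and `bat`; a consumer filtering on `internet` would otherwise treat it as inert content. The four new Word entries (`dot`, `dotm`, `dotx`, `doc`) reuse `#33ffb1`, which is also the colour given to `tar`, `xz` and `bat` in later hunks, so the colour no longer distinguishes the category. The `data` → `dat` change in the last hunk is a value change rather than a typo fix; tags already carrying `"data"` would stop resolving unless the old value is kept as a deprecated entry.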
|
||||
|
|
|
@ -0,0 +1,200 @@
|
|||
{
|
||||
"predicates": [
|
||||
{
|
||||
"description": "Categories and types of services in the financial scope. An entity can be tag with one or more categories or types of services.",
|
||||
"expanded": "Categories and types of services",
|
||||
"value": "categories-and-types-of-services"
|
||||
},
|
||||
{
|
||||
"description": "Geographical footprint of the financial entity.",
|
||||
"expanded": "Geographical footprint",
|
||||
"value": "geographical-footprint"
|
||||
},
|
||||
{
|
||||
"description": "Online exposition of the financial entity.",
|
||||
"expanded": "Online exposition",
|
||||
"value": "online-exposition"
|
||||
},
|
||||
{
|
||||
"description": "Physical presence of the financial entity.",
|
||||
"expanded": "Physical presence",
|
||||
"value": "physical-presence"
|
||||
},
|
||||
{
|
||||
"description": "Services provided by the financial entity.",
|
||||
"expanded": "Services",
|
||||
"value": "services"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "categories-and-types-of-services",
|
||||
"entry": [
|
||||
{
|
||||
"value": "banking",
|
||||
"expanded": "Banking",
|
||||
"description": "Financial entity described or/and regulated as banking."
|
||||
},
|
||||
{
|
||||
"value": "private",
|
||||
"expanded": "Private",
|
||||
"description": "Financial entity engaged in private banking."
|
||||
},
|
||||
{
|
||||
"value": "retail",
|
||||
"expanded": "Retail",
|
||||
"description": "Financial entity engaged in retail banking."
|
||||
},
|
||||
{
|
||||
"value": "custodian-banking",
|
||||
"expanded": "Custodian banking",
|
||||
"description": "Financial entity having physical possessions of clients financial assets or instruments."
|
||||
},
|
||||
{
|
||||
"value": "financial-market-infrastructure",
|
||||
"expanded": "Financial market infrastructure",
|
||||
"description": "Financial market infrastructure such as stock exchange, CSD"
|
||||
},
|
||||
{
|
||||
"value": "asset-management",
|
||||
"expanded": "Asset management",
|
||||
"description": "Financial entity managing financial assets on behalf of others."
|
||||
},
|
||||
{
|
||||
"value": "it-provider",
|
||||
"expanded": "IT provider",
|
||||
"description": "IT provider supporting financial entities and regulated in the financial legal framework (such as support PFS in Luxembourg)."
|
||||
},
|
||||
{
|
||||
"value": "e-money-and-payment",
|
||||
"expanded": "e-money and payment",
|
||||
"description": "Financial entity managing electronic money as alternative to cash payment. (EU directive - Directive 2009/110/EC)"
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other",
|
||||
"description": "Other entity classified as financial entity with other activities not defined in this taxonomy."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "geographical-footprint",
|
||||
"entry": [
|
||||
{
|
||||
"value": "client-coverage-local",
|
||||
"expanded": "Client coverage is local",
|
||||
"description": "Client and customer coverage is local to the financial entity (such as a country)."
|
||||
},
|
||||
{
|
||||
"value": "client-coverage-eu",
|
||||
"expanded": "Client coverage in EU",
|
||||
"description": "Client and customer coverage is limited to the European Union."
|
||||
},
|
||||
{
|
||||
"value": "client-coverage-worldwide",
|
||||
"expanded": "Client coverage is worldwide",
|
||||
"description": "Client and customer coverage is worldwide."
|
||||
},
|
||||
{
|
||||
"value": "corporate-structure-local",
|
||||
"expanded": "Corporate structure is local",
|
||||
"description": "Corporate structure is local to the financial entity (such as a country)."
|
||||
},
|
||||
{
|
||||
"value": "corporate-structure-eu",
|
||||
"expanded": "Corporate structure in EU",
|
||||
"description": "Corporate structure is located in the European Union."
|
||||
},
|
||||
{
|
||||
"value": "corporate-structure-worldwide",
|
||||
"expanded": "Corporate structure is worldwide",
|
||||
"description": "Corporate structure is located worldwide."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "online-exposition",
|
||||
"entry": [
|
||||
{
|
||||
"value": "limited",
|
||||
"expanded": "Limited",
|
||||
"description": "Online presence of the financial entity is limited such as just a public web server and/or email services."
|
||||
},
|
||||
{
|
||||
"value": "extended",
|
||||
"expanded": "Extended",
|
||||
"description": "Online presence of the financial entity is extended with online services for the clients and customers but still with a physical presence."
|
||||
},
|
||||
{
|
||||
"value": "crucial",
|
||||
"expanded": "Crucial",
|
||||
"description": "Online presence of the financial entity is crucial and business depends on online presence, extensive use of cloud computing, APIs, etc."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "physical-presence",
|
||||
"entry": [
|
||||
{
|
||||
"value": "atm",
|
||||
"expanded": "Automated teller machines",
|
||||
"description": "The financial entity owns and/or operates automated teller machines (ATM)."
|
||||
},
|
||||
{
|
||||
"value": "pos",
|
||||
"expanded": "Point of sale terminals",
|
||||
"description": "The financial entity owns and/or operates point of sale terminals (POS)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "services",
|
||||
"entry": [
|
||||
{
|
||||
"value": "settlement",
|
||||
"expanded": "Settlement",
|
||||
"description": "A financial entity providing settlement services."
|
||||
},
|
||||
{
|
||||
"value": "collateral-management",
|
||||
"expanded": "Collatoral management",
|
||||
"description": "A financial entity providing collateral management services."
|
||||
},
|
||||
{
|
||||
"value": "listing-operation-of-trading-platform",
|
||||
"expanded": "Listing and operation of trading platform",
|
||||
"description": "A financial entity providing listing and operation of trading platform."
|
||||
},
|
||||
{
|
||||
"value": "credit-granting",
|
||||
"expanded": "Credit granting",
|
||||
"description": "A financial entity providing credit granting."
|
||||
},
|
||||
{
|
||||
"value": "deposit-management",
|
||||
"expanded": "Deposit management",
|
||||
"description": "A financial entity providing deposit management."
|
||||
},
|
||||
{
|
||||
"value": "custodian-banking",
|
||||
"expanded": "Custodian banking",
|
||||
"description": "A financial entity providing custodian banking."
|
||||
},
|
||||
{
|
||||
"value": "payment-services",
|
||||
"expanded": "Payment services",
|
||||
"description": "A financial entity providing payment services."
|
||||
},
|
||||
{
|
||||
"value": "investment-services",
|
||||
"expanded": "Investment services",
|
||||
"description": "A financial entity providing investment services."
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"version": 7,
|
||||
"description": "Financial taxonomy to describe financial services, infrastructure and financial scope.",
|
||||
"expanded": "Financial",
|
||||
"namespace": "financial"
|
||||
}
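Review bot: The `expanded` label of the `collateral-management` entry reads `"Collatoral management"` while the value is spelled `collateral-management`; it should be `"expanded": "Collateral management",`. The first predicate description has `An entity can be tag with` (should be `can be tagged with`), and the `financial-market-infrastructure` description lacks the terminating period its siblings have. `custodian-banking` is used as a value under both `categories-and-types-of-services` and `services`; that is valid because values are scoped per predicate, but the two descriptions should state the distinction (kind of entity vs. service offered) explicitly so taggers pick the right one.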
|
|
@ -0,0 +1,25 @@
|
|||
{
|
||||
"namespace": "information-origin",
|
||||
"description": "Taxonomy for tagging information by its origin: human-generated or AI-generated.",
|
||||
"version": 2,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "human-generated",
|
||||
"description": "Information that has been generated by a human.",
|
||||
"expanded": "human generated",
|
||||
"colour": "#33FF00"
|
||||
},
|
||||
{
|
||||
"value": "AI-generated",
|
||||
"description": "Information that has been generated by an AI LLM or similar technologies.",
|
||||
"expanded": "AI generated",
|
||||
"colour": "#FFC000"
|
||||
},
|
||||
{
|
||||
"value": "uncertain-origin",
|
||||
"description": "Information for which the origin is uncertain which can be machine or a human.",
|
||||
"expanded": "uncertain origin",
|
||||
"colour": "#FFC000"
|
||||
}
|
||||
]
|
||||
}
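Review bot: `AI-generated` and `uncertain-origin` both carry `"colour": "#FFC000"`, so the two tags are visually indistinguishable in the UI even though separating confirmed AI output from unknown provenance is the purpose of this taxonomy; give `uncertain-origin` a colour not already used in the file. The three predicates are mutually exclusive for a given piece of information, yet nothing marks them so — a top-level `"exclusive": true,` next to `"version"` (the form used by the tlp taxonomy) would stop an object from carrying `human-generated` and `AI-generated` at the same time, in line with the `"exclusive": true` flags the nis2 taxonomy in this same commit uses on its predicates. `AI-generated` is also the only mixed-case value in the file; because the value becomes part of the machine tag and cannot be renamed later without breaking existing tags, consider `"value": "ai-generated",` before this version ships.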
|
|
@ -1,7 +1,7 @@
|
|||
{
|
||||
"namespace": "malware_classification",
|
||||
"description": "Classification based on different categories. Based on https://www.sans.org/reading-room/whitepapers/incident/malware-101-viruses-32848",
|
||||
"version": 2,
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "malware-category",
|
||||
|
@ -52,6 +52,10 @@
|
|||
"value": "Adware",
|
||||
"expanded": "Adware"
|
||||
},
|
||||
{
|
||||
"value": "Stalkerware",
|
||||
"expanded": "Stalkerware"
|
||||
},
|
||||
{
|
||||
"value": "Spyware",
|
||||
"expanded": "Spyware"
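Review bot: The new `Stalkerware` entry has no `description`, and since stalkerware is generally treated as a subset of spyware the adjacent `Spyware` entry leaves the boundary ambiguous for whoever classifies a sample; a one-line description such as `"description": "Spyware marketed for covert monitoring of a specific person by someone who has had access to the device"` would make the choice deterministic. The sibling entries in this list also lack descriptions, so this matches the file's current style rather than regressing it, but the new entry is the one where the distinction actually matters.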
|
||||
|
|
|
@ -0,0 +1,94 @@
|
|||
{
|
||||
"namespace": "misp-workflow",
|
||||
"expanded": "MISP workflow",
|
||||
"description": "MISP workflow taxonomy to support result of workflow execution.",
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "action-taken",
|
||||
"expanded": "Action taken",
|
||||
"description": "Action taken during the workflow execution"
|
||||
},
|
||||
{
|
||||
"value": "analysis",
|
||||
"expanded": "Analysis",
|
||||
"description": "Result of the analysis executed during the workflow execution"
|
||||
},
|
||||
{
|
||||
"value": "mutability",
|
||||
"expanded": "Mutability",
|
||||
"description": "Describe if the workflow is allowed to modify data"
|
||||
},
|
||||
{
|
||||
"value": "run",
|
||||
"expanded": "Run",
|
||||
"description": "Describe if the workflow is allowed to run on the data being passed"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "action-taken",
|
||||
"entry": [
|
||||
{
|
||||
"value": "ids-flag-removed",
|
||||
"expanded": "IDS flag removed"
|
||||
},
|
||||
{
|
||||
"value": "ids-flag-added",
|
||||
"expanded": "IDS flag added"
|
||||
},
|
||||
{
|
||||
"value": "pushed-to-zmq",
|
||||
"expanded": "Pushed to ZMQ"
|
||||
},
|
||||
{
|
||||
"value": "email-sent",
|
||||
"expanded": "Email sent"
|
||||
},
|
||||
{
|
||||
"value": "webhook-triggered",
|
||||
"expanded": "Webhook triggered"
|
||||
},
|
||||
{
|
||||
"value": "execution-stopped",
|
||||
"expanded": "Execution stopped"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "analysis",
|
||||
"entry": [
|
||||
{
|
||||
"value": "false-positive",
|
||||
"expanded": "False positive"
|
||||
},
|
||||
{
|
||||
"value": "highly-likely-positive",
|
||||
"expanded": "Highly Likely Positive"
|
||||
},
|
||||
{
|
||||
"value": "known-file-hash",
|
||||
"expanded": "Known file hash"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "mutability",
|
||||
"entry": [
|
||||
{
|
||||
"value": "allowed",
|
||||
"expanded": "Allowed"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "run",
|
||||
"entry": [
|
||||
{
|
||||
"value": "allowed",
|
||||
"expanded": "Allowed"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
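Review bot: The `mutability` and `run` predicates each hold only an `allowed` entry and neither is marked `"exclusive": true`, so there is no tag for the denial case and a consumer cannot distinguish "not allowed" from "not yet evaluated"; if these tags gate whether a workflow may modify or process the data, presence-only semantics will be interpreted differently by different consumers. Adding an explicit `{"value": "denied", "expanded": "Denied"}` (constructed example) entry to each predicate and marking both `"exclusive": true`, as the nis2 taxonomy in this commit does for its severity predicates, makes the outcome unambiguous. Within `analysis`, `"expanded": "Highly Likely Positive"` is title-cased while `"False positive"` and `"Known file hash"` are sentence-cased; `"expanded": "Highly likely positive"` keeps them uniform.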
|
|
@ -0,0 +1,384 @@
|
|||
{
|
||||
"namespace": "nis2",
|
||||
"description": "The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.",
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "impact-sectors-impacted",
|
||||
"expanded": "Sectors impacted",
|
||||
"description": "The impact on services, in the real world, indicating the sectors of the society and economy, where there is an impact on the services."
|
||||
},
|
||||
{
|
||||
"value": "impact-subsectors-impacted",
|
||||
"expanded": "Impact subsectors impacted",
|
||||
"description": "Impact subsectors impacted"
|
||||
},
|
||||
{
|
||||
"value": "important-entities",
|
||||
"expanded": "Important entities",
|
||||
"description": "Important entities"
|
||||
},
|
||||
{
|
||||
"value": "impact-subsectors-important-entities",
|
||||
"expanded": "Impact subsectors important entities",
|
||||
"description": "Impact subsectors important entities"
|
||||
},
|
||||
{
|
||||
"value": "impact-severity",
|
||||
"expanded": "Severity of the impact",
|
||||
"description": "The severity of the impact, nationally, in the real world, for society and/or the economy, i.e. the level of disruption for the country or a large region of the country, the level of risks for health and/or safety, the level of physical damages and/or financial costs.",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"value": "impact-outlook",
|
||||
"expanded": "Outlook",
|
||||
"description": "The outlook for the incident, the prognosis, for the coming hours, considering the impact in the real world, the impact on services, for the society and/or the economy",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"value": "nature-root-cause",
|
||||
"expanded": "Root cause category",
|
||||
"description": "The Root cause category is used to indicate what type event or threat triggered the incident.",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"value": "nature-severity",
|
||||
"expanded": "Severity of the threat",
|
||||
"description": "The severity of the threat is used to indicate, from a technical perspective, the potential impact, the risk associated with the threat. For example, the severity is high if an upcoming storm is exceptionally strong, if an observed DDoS attack is exceptionally powerful, or if a software vulnerability is easily exploited and present in many different systems. For example, in certain situations a critical software vulnerability would require concerted and urgent work by different organizations.",
|
||||
"exclusive": true
|
||||
},
|
||||
{
|
||||
"value": "test",
|
||||
"expanded": "Test",
|
||||
"description": "A test predicate meant to test interoperability between tools. Tags contained within this predicate are to be ignored."
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "impact-sectors-impacted",
|
||||
"entry": [
|
||||
{
|
||||
"value": "energy",
|
||||
"expanded": "Energy",
|
||||
"description": "The impact is in the Energy sector and its subsectors such as electricity, oil, or gas, for example, impacting electricity suppliers, power plants, distribution system operators, transmission system operators, oil transmission, natural gas distribution, etc."
|
||||
},
|
||||
{
|
||||
"value": "transport",
|
||||
"expanded": "Transport",
|
||||
"description": "The impact is in the transport sector and subsectors such as air, rail, water, road, for example, impacting air traffic control systems, railway companies, maritime port authorities, road traffic management systems, etc."
|
||||
},
|
||||
{
|
||||
"value": "banking",
|
||||
"expanded": "Banking",
|
||||
"description": "The impact is in the Banking sector, for example impacting banks, online banking, credit services, payment services, etc."
|
||||
},
|
||||
{
|
||||
"value": "financial",
|
||||
"expanded": "Financial market infrastructures",
|
||||
"description": "The impact is in the Financial market infrastructure sector, for example, impacting traders, trading platforms, clearing services, etc."
|
||||
},
|
||||
{
|
||||
"value": "health",
|
||||
"expanded": "Health",
|
||||
"description": "The impact is in the Health sector, for example, impacting hospitals, medical devices, medicine supply, pharmacies, etc."
|
||||
},
|
||||
{
|
||||
"value": "drinking-water",
|
||||
"expanded": "Drinking water",
|
||||
"description": "The impact is in the Drinking water supply and distribution sector, for example impacting drinking water supply, drinking water distribution systems, etc."
|
||||
},
|
||||
{
|
||||
"value": "waste-water",
|
||||
"expanded": "Waste water",
|
||||
"description": "The impact is in the Waste water supply and distribution sector, excluding distributors for whom distribution of water for human consumption"
|
||||
},
|
||||
{
|
||||
"value": "digital-infrastructure",
|
||||
"expanded": "Digital infrastructure",
|
||||
"description": "The impact is in the Digital infrastructure sector, for example impacting internet exchange points, domain name systems, top level domain registries, etc."
|
||||
},
|
||||
{
|
||||
"value": "public-administration",
|
||||
"expanded": "Public administartion",
|
||||
"description": "The impact is in the government sector, for example, impacting the functioning of public administrations, elections, or emergency services"
|
||||
},
|
||||
{
|
||||
"value": "space",
|
||||
"expanded": "Space",
|
||||
"description": "The impact is in the space-based services"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "impact-subsectors-impacted",
|
||||
"entry": [
|
||||
{
|
||||
"value": "electricity",
|
||||
"expanded": "Electricity undertaking",
|
||||
"description": "Electricity undertaking means a natural or legal person who carries out at least one of the following functions: generation, transmission, distribution, aggregation, demand response, energy storage, supply or purchase of electricity"
|
||||
},
|
||||
{
|
||||
"value": "district-heating-and-cooling",
|
||||
"expanded": "The use of energy from renewable sources",
|
||||
"description": "District heating’ or ‘district cooling’ means the distribution of thermal energy in the form of steam, hot water or chilled liquids, from central or decentralised sources"
|
||||
},
|
||||
{
|
||||
"value": "oil",
|
||||
"expanded": "Operators of oil energy",
|
||||
"description": "Operators transmission pipelines oil production, refining and treatment facilities, storage and transmission, central oil stockholding entities"
|
||||
},
|
||||
{
|
||||
"value": "gas",
|
||||
"expanded": "Operators of gas energy",
|
||||
"description": "operators of distribution, transmission, storage of gas and LNG system operators"
|
||||
},
|
||||
{
|
||||
"value": "hydrogen",
|
||||
"expanded": "Operators of hydrogen energy",
|
||||
"description": "Operators of hydrogen production, storage and transmission"
|
||||
},
|
||||
{
|
||||
"value": "air",
|
||||
"expanded": "Air trasportation",
|
||||
"description": "Air carriers, airport managing bodies, airports, core airports and entities operating ancillary installations contained within airports, traffic management control operators providing air traffic control (ATC) services"
|
||||
},
|
||||
{
|
||||
"value": "rail",
|
||||
"expanded": "Rail transportation",
|
||||
"description": "Infrastructure managers, railway undertakings including operators of service facilities"
|
||||
},
|
||||
{
|
||||
"value": "water",
|
||||
"expanded": "Water transportation",
|
||||
"description": "Inland, sea and coastal passenger and freight water transport companies, managing bodies of ports including their port facilities, and entities operating works and equipment contained within ports, operators of vessel traffic services (VTS)"
|
||||
},
|
||||
{
|
||||
"value": "road",
|
||||
"expanded": "Road transportation",
|
||||
"description": "Road authorities responsible for traffic management control, operators of Intelligent Transport Systems (ITS)"
|
||||
},
|
||||
{
|
||||
"value": "banking-subsector",
|
||||
"expanded": "Credits",
|
||||
"description": "Credit institutions, i.e. an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account"
|
||||
},
|
||||
{
|
||||
"value": "financial-subsector",
|
||||
"expanded": "Finanacial market infrastructures",
|
||||
"description": "Operators of trading venues, central counterparties (CCPs), i.e. a legal person that interposes itself between the counterparties to the contracts traded on one or more financial markets, becoming the buyer to every seller and the seller to every buyer"
|
||||
},
|
||||
{
|
||||
"value": "health-subsector",
|
||||
"expanded": "Health entities",
|
||||
"description": "Healthcare providers, EU reference laboratories, entities carrying out research and development activities of medicinal products, entities manufacturing basic pharmaceutical products and pharmaceutical preparations, entities manufacturing medical devices considered as critical during a public health emergency"
|
||||
},
|
||||
{
|
||||
"value": "drinking-water-subsector",
|
||||
"expanded": "Drinking water entities",
|
||||
"description": "Suppliers and distributors of water intended for human consumption"
|
||||
},
|
||||
{
|
||||
"value": "waste-water-subsector",
|
||||
"expanded": "Waste water entities",
|
||||
"description": "Undertakings collecting, disposing or treating urban, domestic and industrial waste water"
|
||||
},
|
||||
{
|
||||
"value": "digital-ifrastructure-subsector",
|
||||
"expanded": "Digital infrastructure entities",
|
||||
"description": "Internet Exchange Point providers (IXP), DNS service providers, Top-Level Domain (TLD) name registries, cloud computing service providers, Data centre service providers, content delivery network providers, providers of public electronic communications networks or providers of electronic communications services where their services are publicly available"
|
||||
},
|
||||
{
|
||||
"value": "public-administration-subsector",
|
||||
"expanded": "Public administration entities",
|
||||
"description": "Public administration entities of central governments, Public administration entities of NUTS level 1 regions (population min. 3 million – max. 7 million) and NUTS level 2 regions (population min. 800.000 – max 3 million)"
|
||||
},
|
||||
{
|
||||
"value": "space-subsector",
|
||||
"expanded": "Space entities",
|
||||
"description": "Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks. ‘Public electronic communications network’ means an electronic communications network used wholly or mainly for the provision of publicly available electronic communications services which support the transfer of information between network termination points"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "important-entities",
|
||||
"entry": [
|
||||
{
|
||||
"value": "postal",
|
||||
"expanded": "Postal service providers",
|
||||
"description": "i.e. services involving the clearance, sorting, transport, and delivery of postal items"
|
||||
},
|
||||
{
|
||||
"value": "waste",
|
||||
"expanded": "Waste management",
|
||||
"description": "Undertakings carrying out waste management excluding undertakings for whom waste management is not their principal economic activity. ‘Waste management’ means the collection, transport, recovery, and disposal of waste, including the supervision of such operations and the aftercare of disposal sites, and including actions taken as a dealer or broker"
|
||||
},
|
||||
{
|
||||
"value": "chemicals",
|
||||
"expanded": "Manufacture, production and distribution of chemicals",
|
||||
"description": "Undertakings carrying out the manufacture, production and distribution of chemicals. ‘Producer’ means any natural or legal person who makes or assembles an article. ‘Manufacturer’ means any natural or legal person who manufactures a substance. ‘Distributor’ means any natural or legal person, including a retailer, who only stores and places on the market a substance, on its own or in a mixture, for third parties"
|
||||
},
|
||||
{
|
||||
"value": "manufacturing",
|
||||
"expanded": "Manufacture",
|
||||
"description": "Entities manufacturing medical devices, computers, electrical equipment, machinery, motor vehicles, transport equipment "
|
||||
},
|
||||
{
|
||||
"value": "digital",
|
||||
"expanded": "Digital providers",
|
||||
"description": "Providers of online marketplaces, providers of online search engines, providers of social networks"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "impact-subsectors-important-entities",
|
||||
"entry": [
|
||||
{
|
||||
"value": "medical-devices-manufacturing",
|
||||
"expanded": "Manufacture of medical devices and in vitro diagnostic medical devices",
|
||||
"description": "Entities manufacturing medical devices and entities manufacturing in vitro diagnostic medical devices"
|
||||
},
|
||||
{
|
||||
"value": "computer-manufacturing",
|
||||
"expanded": "Manufacture of computer, electronic and optical products",
|
||||
"description": "Undertakings carrying out the manufacture of computers, electronical and optical products. This includes the manufacture of computers, computer peripherals, communications equipment, and similar electronic products, as well as the manufacture of components for such products. Also included is the manufacture of consumer electronics, measuring, testing, and navigating equipment, irradiation, electromedical and electrotherapeutic equipment, optical instruments and equipment, and the manufacture of magnetic and optical media"
|
||||
},
|
||||
{
|
||||
"value": "electrical-equipment-manufacturing",
|
||||
"expanded": "Manufacture of computer, electronic and optical products",
|
||||
"description": "Undertakings carrying out the manufacture of electrical equipment. This includes the manufacture of products that generate, distribute, and use electrical power. Also included is the manufacture of electrical lighting, signalling equipment and electric household appliances"
|
||||
},
|
||||
{
|
||||
"value": "machinery-equipment-manufacturing",
|
||||
"expanded": "Manufacture of machinery and equipment N.E.C",
|
||||
"description": "Undertakings carrying out the manufacture of machinery and equipment n.e.c. This includes the manufacture of machinery and equipment that act independently on materials either mechanically or thermally or perform operations on materials (such as handling, spraying, weighing, or packing), including their mechanical components that produce and apply force, and any specially manufactured primary parts. "
|
||||
},
|
||||
{
|
||||
"value": "vehicles-trailers-manufacturing",
|
||||
"expanded": "Manufacture of motor vehicles, trailers and semi-trailers",
|
||||
"description": "Undertakings carrying out the manufacture of motor vehicles for transporting passengers or freight. The manufacture of various parts and accessories, as well as the manufacture of trailers and semi-trailers, is also included"
|
||||
},
|
||||
{
|
||||
"value": "other-transport-manufacturing",
|
||||
"expanded": "Manufacture of other transport equipment",
|
||||
"description": "Undertakings carrying out the manufacture of motor vehicles for transporting passengers or freight. The manufacture of various parts and accessories, as well as the manufacture of trailers and semi-trailers, is also included"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "impact-severity",
|
||||
"entry": [
|
||||
{
|
||||
"value": "red",
|
||||
"expanded": "Red",
|
||||
"description": "Very large impact",
|
||||
"colour": "#CC0033"
|
||||
},
|
||||
{
|
||||
"value": "yellow",
|
||||
"expanded": "Yellow",
|
||||
"description": "Large impact.",
|
||||
"colour": "#FFC000"
|
||||
},
|
||||
{
|
||||
"value": "green",
|
||||
"expanded": "Green",
|
||||
"description": "Minor impact.",
|
||||
"colour": "#339900"
|
||||
},
|
||||
{
|
||||
"value": "white",
|
||||
"expanded": "White",
|
||||
"description": "No impact.",
|
||||
"colour": "#ffffff"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "impact-outlook",
|
||||
"entry": [
|
||||
{
|
||||
"value": "improving",
|
||||
"expanded": "Improving",
|
||||
"description": "Severity of impact is expected to decrease in the next 6 hours.",
|
||||
"colour": "#339900"
|
||||
},
|
||||
{
|
||||
"value": "stable",
|
||||
"expanded": "Stable",
|
||||
"description": "Severity of impact is expected to remain the same in the 6 hours.",
|
||||
"colour": "#FFC000"
|
||||
},
|
||||
{
|
||||
"value": "worsening",
|
||||
"expanded": "Worsening",
|
||||
"description": "Severity of impact is expected to increase in the next 6 hours.",
|
||||
"colour": "#CC0033"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "nature-root-cause",
|
||||
"entry": [
|
||||
{
|
||||
"value": "system-failures",
|
||||
"expanded": "System failures",
|
||||
"description": "The incident is due to a failure of a system, i.e. without external causes. For example a hardware failure, software bug, a flaw in a procedure, etc. triggered the incident."
|
||||
},
|
||||
{
|
||||
"value": "natural-phenomena",
|
||||
"expanded": "Natural phenomena",
|
||||
"description": "The incident is due to a natural phenomenon. For example a storm, lightning, solar flare, flood, earthquake, wildfire, etc. triggered the incident."
|
||||
},
|
||||
{
|
||||
"value": "human-errors",
|
||||
"expanded": "Human errors",
|
||||
"description": "The incident is due to a human error, i.e. system worked correctly, but was used wrong. For example, a mistake, or carelessness triggered the incident."
|
||||
},
|
||||
{
|
||||
"value": "malicious-actions",
|
||||
"expanded": "Malicious actions",
|
||||
"description": "The incident is due to a malicious action. For example, a cyber-attack or physical attack, vandalism, sabotage, insider attack, theft, etc., triggered the incident."
|
||||
},
|
||||
{
|
||||
"value": "third-party-failures",
|
||||
"expanded": "Third party failures",
|
||||
"description": "The incident is due to a disruption of a third party service, like a utility. For example a power cut, or an internet outage, etc. triggered the incident."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "nature-severity",
|
||||
"entry": [
|
||||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"description": "High severity, potential impact is high.",
|
||||
"colour": "#CC0033"
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"description": "Medium severity, potential impact is medium.",
|
||||
"colour": "#FFC000"
|
||||
},
|
||||
{
|
||||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"description": "Low severity, potential impact is low.",
|
||||
"colour": "#339900"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "test",
|
||||
"entry": [
|
||||
{
|
||||
"value": "test",
|
||||
"expanded": "Test",
|
||||
"description": "Test value meant for testing interoperability. Tags with this value are to be ignored.",
|
||||
"colour": "#F81894"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
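Review bot: The value `digital-ifrastructure-subsector` under `impact-subsectors-impacted` is misspelled, and because the value becomes the machine-tag identifier (`nis2:impact-subsectors-impacted="digital-ifrastructure-subsector"`) it cannot be corrected later without breaking every tag already applied, unlike the `expanded` typos (`Public administartion`, `Air trasportation`, `Finanacial market infrastructures`), which are display-only; change it to `"value": "digital-infrastructure-subsector",` before this version is published. Two copy-paste errors sit under `impact-subsectors-important-entities`: `electrical-equipment-manufacturing` reuses `"expanded": "Manufacture of computer, electronic and optical products"` from the previous entry where something like `"expanded": "Manufacture of electrical equipment"` is meant, and `other-transport-manufacturing` repeats the motor-vehicles description verbatim. The `waste-water` sector description also ends mid-sentence (`...excluding distributors for whom distribution of water for human consumption`).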
|
|
@ -0,0 +1,476 @@
|
|||
{
|
||||
"namespace": "poison-taxonomy",
|
||||
"description": "Non-exhaustive taxonomy of natural poison",
|
||||
"version": 1,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "Poisonous plant"
|
||||
},
|
||||
{
|
||||
"value": "Poisonous fungus"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "Poisonous fungus",
|
||||
"entry": [
|
||||
{
|
||||
"value": "Agaricus californicus/California "
|
||||
},
|
||||
{
|
||||
"value": "Agaricus hondensis/Felt-ringed "
|
||||
},
|
||||
{
|
||||
"value": "Agaricus menieri"
|
||||
},
|
||||
{
|
||||
"value": "Agaricus moelleri"
|
||||
},
|
||||
{
|
||||
"value": "Agaricus phaeolepidotus"
|
||||
},
|
||||
{
|
||||
"value": "Agaricus placomyces"
|
||||
},
|
||||
{
|
||||
"value": "Agaricus xanthodermus/Yellow-staining mushroom"
|
||||
},
|
||||
{
|
||||
"value": "Amanita abrupta/American abrupt-bulbed Lepidella"
|
||||
},
|
||||
{
|
||||
"value": "Amanita aprica/Sunshine amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita boudieri/Boudier's lepidella"
|
||||
},
|
||||
{
|
||||
"value": "Amanita citrina"
|
||||
},
|
||||
{
|
||||
"value": "Amanita cokeri/Coker's amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita cothurnata/Booted amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita echinocephala/European solitary amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita farinosa/Powdery Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita flavorubescens"
|
||||
},
|
||||
{
|
||||
"value": "Amanita gemmata/Gemmed Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita gioiosa"
|
||||
},
|
||||
{
|
||||
"value": "Amanita gracilior"
|
||||
},
|
||||
{
|
||||
"value": "Amanita heterochroma/Eucalyptus fly agaric"
|
||||
},
|
||||
{
|
||||
"value": "Amanita hongoi/Hongo's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita ibotengutake/Japanese ringed-bulbed Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita muscaria/Fly agaric"
|
||||
},
|
||||
{
|
||||
"value": "Amanita neoovoidea/East Asian egg amidella"
|
||||
},
|
||||
{
|
||||
"value": "Amanita pantherina/Panther cap"
|
||||
},
|
||||
{
|
||||
"value": "Amanita porphyria/Grey veiled Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita pseudoporphyria/Hongo's false death cap"
|
||||
},
|
||||
{
|
||||
"value": "Amanita pseudoregalis/False royal fly agaric"
|
||||
},
|
||||
{
|
||||
"value": "Amanita pseudorubescens/False blusher"
|
||||
},
|
||||
{
|
||||
"value": "Amanita regalis/Royal fly agaric"
|
||||
},
|
||||
{
|
||||
"value": "Amanita smithiana/Smith's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Ampulloclitocybe clavipes/Club-footed clitocybe"
|
||||
},
|
||||
{
|
||||
"value": "Chlorophyllum molybdites/Green-spored parasol"
|
||||
},
|
||||
{
|
||||
"value": "Clitocybe cerussata"
|
||||
},
|
||||
{
|
||||
"value": "Clitocybe dealbata"
|
||||
},
|
||||
{
|
||||
"value": "Coprinopsis alopecia"
|
||||
},
|
||||
{
|
||||
"value": "Coprinopsis atramentaria/Common ink cap"
|
||||
},
|
||||
{
|
||||
"value": "Coprinopsis romagnesiana/Scaly ink cap"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius bolaris"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius callisteus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius cinnabarinus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius cinnamomeofulvus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius cinnamomeoluteus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius cinnamomeus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius cruentus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius gentilis"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius limonius"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius malicorius"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius mirandus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius palustris"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius phoeniceus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius rubicundulus"
|
||||
},
|
||||
{
|
||||
"value": "Cortinarius smithii/Smith's Cortinarius"
|
||||
},
|
||||
{
|
||||
"value": "Cudonia circinans"
|
||||
},
|
||||
{
|
||||
"value": "Gyromitra perlata/Pig's ears"
|
||||
},
|
||||
{
|
||||
"value": "Echinoderma asperum/Freckled dapperling"
|
||||
},
|
||||
{
|
||||
"value": "Echinoderma calcicola"
|
||||
},
|
||||
{
|
||||
"value": "Entoloma albidum"
|
||||
},
|
||||
{
|
||||
"value": "Entoloma rhodopolium/Wood pinkgill"
|
||||
},
|
||||
{
|
||||
"value": "Entoloma sinuatum/Livid Entoloma"
|
||||
},
|
||||
{
|
||||
"value": "Hebeloma crustuliniforme/Poison pie"
|
||||
},
|
||||
{
|
||||
"value": "Hebeloma sinapizans/Rough-stalked hebeloma"
|
||||
},
|
||||
{
|
||||
"value": "Helvella crispa/Elfin saddle"
|
||||
},
|
||||
{
|
||||
"value": "Helvella dryophila/Oak-loving elfin saddle"
|
||||
},
|
||||
{
|
||||
"value": "Helvella lactea"
|
||||
},
|
||||
{
|
||||
"value": "Helvella lacunosa/Slate grey saddle"
|
||||
},
|
||||
{
|
||||
"value": "Helvella vespertina/Western black elfin saddle"
|
||||
},
|
||||
{
|
||||
"value": "Hapalopilus nidulans/Tender nesting polypore"
|
||||
},
|
||||
{
|
||||
"value": "Hypholoma fasciculare/Sulphur tuft"
|
||||
},
|
||||
{
|
||||
"value": "Hypholoma lateritium/Brick cap"
|
||||
},
|
||||
{
|
||||
"value": "Hypholoma marginatum"
|
||||
},
|
||||
{
|
||||
"value": "Hypholoma radicosum"
|
||||
},
|
||||
{
|
||||
"value": "Imperator rhodopurpureus"
|
||||
},
|
||||
{
|
||||
"value": "Imperator torosus"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe fibrosa"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe geophylla/Earthy inocybe"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe hystrix"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe lacera/Torn fibercap"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe lilacina"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe sublilacina"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe rimosa"
|
||||
},
|
||||
{
|
||||
"value": "Inocybe sambucina"
|
||||
},
|
||||
{
|
||||
"value": "Lactarius torminosus/Woolly milkcap"
|
||||
},
|
||||
{
|
||||
"value": "Mycena diosma"
|
||||
},
|
||||
{
|
||||
"value": "Mycena pura/Lilac bonnet"
|
||||
},
|
||||
{
|
||||
"value": "Mycena rosea/Rosy bonnet"
|
||||
},
|
||||
{
|
||||
"value": "Neonothopanus nambi"
|
||||
},
|
||||
{
|
||||
"value": "Panaeolus cinctulus/banded mottlegill"
|
||||
},
|
||||
{
|
||||
"value": "Psilocybe semilanceata/Liberty cap"
|
||||
},
|
||||
{
|
||||
"value": "Omphalotus illudens/Jack-O'lantern mushroom"
|
||||
},
|
||||
{
|
||||
"value": "Omphalotus japonicus/Tsukiyotake"
|
||||
},
|
||||
{
|
||||
"value": "Omphalotus nidiformis/Ghost fungus"
|
||||
},
|
||||
{
|
||||
"value": "Omphalotus olearius/Jack-O'lantern mushroom"
|
||||
},
|
||||
{
|
||||
"value": "Omphalotus olivascens/Western jack-o'-lantern mushroom"
|
||||
},
|
||||
{
|
||||
"value": "Paralepistopsis acromelalga"
|
||||
},
|
||||
{
|
||||
"value": "Paralepistopsis amoenolens/Paralysis funnel"
|
||||
},
|
||||
{
|
||||
"value": "Pholiotina rugosa"
|
||||
},
|
||||
{
|
||||
"value": "Ramaria formosa/Beautiful clavaria"
|
||||
},
|
||||
{
|
||||
"value": "Ramaria neoformosa"
|
||||
},
|
||||
{
|
||||
"value": "Ramaria pallida"
|
||||
},
|
||||
{
|
||||
"value": "Rubroboletus legaliae/Le Gal's bolete"
|
||||
},
|
||||
{
|
||||
"value": "Rubroboletus lupinus/Wolves bolete"
|
||||
},
|
||||
{
|
||||
"value": "Rubroboletus pulcherrimus"
|
||||
},
|
||||
{
|
||||
"value": "Rubroboletus satanas/Satan's bolete"
|
||||
},
|
||||
{
|
||||
"value": "Russula emetica/The sickener"
|
||||
},
|
||||
{
|
||||
"value": "Russula subnigricans"
|
||||
},
|
||||
{
|
||||
"value": "Sarcosphaera coronaria/Pink crown"
|
||||
},
|
||||
{
|
||||
"value": "Tricholoma equestre/Yellow knight"
|
||||
},
|
||||
{
|
||||
"value": "Tricholoma filamentosum"
|
||||
},
|
||||
{
|
||||
"value": "Tricholoma pardinum/Tiger tricholoma"
|
||||
},
|
||||
{
|
||||
"value": "Tricholoma muscarium"
|
||||
},
|
||||
{
|
||||
"value": "Trogia venenata/Little white mushroom"
|
||||
},
|
||||
{
|
||||
"value": "Turbinellus floccosus/Woolly false chanterelle"
|
||||
},
|
||||
{
|
||||
"value": "Turbinellus kauffmanii"
|
||||
},
|
||||
{
|
||||
"value": "Agrocybe arenicola"
|
||||
},
|
||||
{
|
||||
"value": "Amanita albocreata/Ringless panther"
|
||||
},
|
||||
{
|
||||
"value": "Amanita altipes/Yellow long-stem Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita breckonii"
|
||||
},
|
||||
{
|
||||
"value": "Amanita ceciliae/Snakeskin grisette"
|
||||
},
|
||||
{
|
||||
"value": "Amanita eliae/Fries's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita flavoconia/Yellow-dust Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita frostiana/Frost's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita nehuta/Mahori dust Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita parcivolvata"
|
||||
},
|
||||
{
|
||||
"value": "Amanita parvipantherina"
|
||||
},
|
||||
{
|
||||
"value": "Amanita petalinivolva"
|
||||
},
|
||||
{
|
||||
"value": "Amanita roseotincta"
|
||||
},
|
||||
{
|
||||
"value": "Amanita rubrovolvata/Red volva Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita subfrostiana/False Frost's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita velatipes"
|
||||
},
|
||||
{
|
||||
"value": "Amanita viscidolutea"
|
||||
},
|
||||
{
|
||||
"value": "Amanita wellsii/Wells's Amanita"
|
||||
},
|
||||
{
|
||||
"value": "Amanita xanthocephala/Vermilion grisette"
|
||||
},
|
||||
{
|
||||
"value": "Armillaria mellea/Honey fungus"
|
||||
},
|
||||
{
|
||||
"value": "Calocera viscosa/Yellow stagshorn"
|
||||
},
|
||||
{
|
||||
"value": "Chlorophyllum brunneum/Shaggy parasol"
|
||||
},
|
||||
{
|
||||
"value": "Choiromyces venosus"
|
||||
},
|
||||
{
|
||||
"value": "Clitocybe fragrans"
|
||||
},
|
||||
{
|
||||
"value": "Clitocybe nebularis/Clouded agaric"
|
||||
},
|
||||
{
|
||||
"value": "Conocybe subovalis"
|
||||
},
|
||||
{
|
||||
"value": "Coprinellus micaceus/Mica cap"
|
||||
},
|
||||
{
|
||||
"value": "Lactarius chrysorrheus/Yellowdrop milkcap"
|
||||
},
|
||||
{
|
||||
"value": "Lactarius helvus/Fenugreek milkcap"
|
||||
},
|
||||
{
|
||||
"value": "Lepiota cristata/Stinking dapperling"
|
||||
},
|
||||
{
|
||||
"value": "Marasmius collinus"
|
||||
},
|
||||
{
|
||||
"value": "Russula olivacea"
|
||||
},
|
||||
{
|
||||
"value": "Russula viscida"
|
||||
},
|
||||
{
|
||||
"value": "Schizophyllum commune"
|
||||
},
|
||||
{
|
||||
"value": "Scleroderma citrinum/common earthball"
|
||||
},
|
||||
{
|
||||
"value": "Stropharia aeruginosa/Verdigris agaric"
|
||||
},
|
||||
{
|
||||
"value": "Suillus granulatus/Weeping bolete"
|
||||
},
|
||||
{
|
||||
"value": "Tricholoma sulphureum/Gas agaric"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
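Review bot: Two entry values carry a trailing space, `"Agaricus californicus/California "` and `"Agaricus hondensis/Felt-ringed "`, which will be emitted as tags whose text ends in whitespace and will not match the same tag typed without it; trim them to `"Agaricus californicus/California"` and `"Agaricus hondensis/Felt-ringed"` (the second apparently also lost the rest of its common name). The `predicates` array declares both `Poisonous plant` and `Poisonous fungus`, but `values` only has an entry for the fungus predicate, so the plant predicate is an empty branch of the taxonomy; either add its entries or drop it until they exist. Packing "scientific name/common name" into `value` makes the tag string carry the display text; the machinetag convention is a stable `value` with the common name in `expanded`, e.g. `"value": "amanita-muscaria", "expanded": "Amanita muscaria (Fly agaric)"`. The list is also alphabetised in two separate runs (a second A–T sequence starts at `Agrocybe arenicola`), which makes duplicates hard to spot by eye.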
|
|
@ -0,0 +1,395 @@
|
|||
{
|
||||
"namespace": "pyoti",
|
||||
"description": "PyOTI automated enrichment schemes for point in time classification of indicators.",
|
||||
"version": 3,
|
||||
"expanded": "PyOTI Enrichment",
|
||||
"refs": [
|
||||
"https://github.com/RH-ISAC/PyOTI",
|
||||
"https://github.com/RH-ISAC/PyOTI/blob/main/examples/enrich_misp_event.py"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "checkdmarc",
|
||||
"expanded": "CheckDMARC"
|
||||
},
|
||||
{
|
||||
"value": "disposable-email",
|
||||
"expanded": "Disposable Email Domain",
|
||||
"description": "The email domain is from a disposable email service."
|
||||
},
|
||||
{
|
||||
"value": "emailrepio",
|
||||
"expanded": "EmailRepIO"
|
||||
},
|
||||
{
|
||||
"value": "iris-investigate",
|
||||
"expanded": "Iris Investigate"
|
||||
},
|
||||
{
|
||||
"value": "virustotal",
|
||||
"expanded": "VirusTotal"
|
||||
},
|
||||
{
|
||||
"value": "circl-hashlookup",
|
||||
"expanded": "CIRCL Hash Lookup"
|
||||
},
|
||||
{
|
||||
"value": "reputation-block-list",
|
||||
"expanded": "Reputation Block List"
|
||||
},
|
||||
{
|
||||
"value": "abuseipdb",
|
||||
"expanded": "AbuseIPDB"
|
||||
},
|
||||
{
|
||||
"value": "greynoise-riot",
|
||||
"expanded": "GreyNoise RIOT"
|
||||
},
|
||||
{
|
||||
"value": "googlesafebrowsing",
|
||||
"expanded": "Google Safe Browsing"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "checkdmarc",
|
||||
"entry": [
|
||||
{
|
||||
"value": "spoofable",
|
||||
"expanded": "Spoofable",
|
||||
"description": "The email address can be spoofed (e.g. no strict SPF policy/DMARC is not enforced)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "emailrepio",
|
||||
"entry": [
|
||||
{
|
||||
"value": "spoofable",
|
||||
"expanded": "Spoofable",
|
||||
"description": "The email address can be spoofed (e.g. no strict SPF policy/DMARC is not enforced)."
|
||||
},
|
||||
{
|
||||
"value": "suspicious",
|
||||
"expanded": "Suspicious",
|
||||
"description": "The email address should be treated as suspicious or risky."
|
||||
},
|
||||
{
|
||||
"value": "blacklisted",
|
||||
"expanded": "Blacklisted",
|
||||
"description": "The email address is believed to be malicious or spammy."
|
||||
},
|
||||
{
|
||||
"value": "malicious-activity",
|
||||
"expanded": "Malicious Activity",
|
||||
"description": "The email address has exhibited malicious behavior (e.g. phishing/fraud)."
|
||||
},
|
||||
{
|
||||
"value": "malicious-activity-recent",
|
||||
"expanded": "Malicious Activity Recent",
|
||||
"description": "The email address has exhibited malicious behavior in the last 90 days (e.g. in the case of temporal account takeovers)."
|
||||
},
|
||||
{
|
||||
"value": "credentials-leaked",
|
||||
"expanded": "Credentials Leaked",
|
||||
"description": "The email address has had credentials leaked at some point in time (e.g. a data breach, pastebin, dark web, etc)."
|
||||
},
|
||||
{
|
||||
"value": "credentials-leaked-recent",
|
||||
"expanded": "Credentials Leaked Recent",
|
||||
"description": "The email address has had credentials leaked in the last 90 days."
|
||||
},
|
||||
{
|
||||
"value": "reputation-high",
|
||||
"expanded": "Reputation High",
|
||||
"description": "The email address has a high reputation."
|
||||
},
|
||||
{
|
||||
"value": "reputation-medium",
|
||||
"expanded": "Reputation Medium",
|
||||
"description": "The email address has a medium reputation."
|
||||
},
|
||||
{
|
||||
"value": "reputation-low",
|
||||
"expanded": "Reputation Low",
|
||||
"description": "The email address has a low reputation."
|
||||
},
|
||||
{
|
||||
"value": "suspicious-tld",
|
||||
"expanded": "Suspicious TLD",
|
||||
"description": "The email address top-level domain is suspicious."
|
||||
},
|
||||
{
|
||||
"value": "spam",
|
||||
"expanded": "Spam",
|
||||
"description": "The email address has exhibited spammy behavior (e.g. spam traps, login form abuse, etc)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "iris-investigate",
|
||||
"entry": [
|
||||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"description": "The domain risk score is high (76-100)."
|
||||
},
|
||||
{
|
||||
"value": "medium-high",
|
||||
"expanded": "Medium High",
|
||||
"description": "The domain risk score is medium-high (51-75)."
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"description": "The domain risk score is medium (26-50)."
|
||||
},
|
||||
{
|
||||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"description": "The domain risk score is low (0-25)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "virustotal",
|
||||
"entry": [
|
||||
{
|
||||
"value": "known-distributor",
|
||||
"expanded": "Known Distributor",
|
||||
"description": "The known-distributor entry indicates a file is from a known distributor."
|
||||
},
|
||||
{
|
||||
"value": "valid-signature",
|
||||
"expanded": "Valid Signature",
|
||||
"description": "The valid-signature entry indicates a file is signed with a valid signature."
|
||||
},
|
||||
{
|
||||
"value": "invalid-signature",
|
||||
"expanded": "Invalid Signature",
|
||||
"description": "The invalid-signature entry indicates a file is signed with an invalid signature."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "circl-hashlookup",
|
||||
"entry": [
|
||||
{
|
||||
"value": "high-trust",
|
||||
"expanded": "High Trust",
|
||||
"description": "The trust level is high (76-100)."
|
||||
},
|
||||
{
|
||||
"value": "medium-high-trust",
|
||||
"expanded": "Medium High Trust",
|
||||
"description": "The trust level is medium-high (51-75)."
|
||||
},
|
||||
{
|
||||
"value": "medium-trust",
|
||||
"expanded": "Medium Trust",
|
||||
"description": "The trust level is medium (26-50)."
|
||||
},
|
||||
{
|
||||
"value": "low-trust",
|
||||
"expanded": "Low Trust",
|
||||
"description": "The trust level is low (0-25)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "reputation-block-list",
|
||||
"entry": [
|
||||
{
|
||||
"value": "barracudacentral-brbl",
|
||||
"expanded": "Barracuda Reputation Block List",
|
||||
"description": "Barracuda Reputation Block List (BRBL) is a free DNSBL of IP addresses known to send spam. Barracuda Networks fights spam and created the BRBL to help stop the spread of spam."
|
||||
},
|
||||
{
|
||||
"value": "spamcop-scbl",
|
||||
"expanded": "SpamCop Blocking List",
|
||||
"description": "The SpamCop Blocking List (SCBL) lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-sbl",
|
||||
"expanded": "Spamhaus Block List",
|
||||
"description": "The Spamhaus Block List (SBL) Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-xbl",
|
||||
"expanded": "Spamhaus Exploits Block List",
|
||||
"description": "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-pbl",
|
||||
"expanded": "Spamhaus Policy Block List",
|
||||
"description": "The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-css",
|
||||
"expanded": "Spamhaus CSS",
|
||||
"description": "The Spamhaus CSS list is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. CSS mostly targets static spam emitters that are not covered in the PBL or XBL, such as snowshoe spam operations, but may also include other senders that display a risk to our users, such as compromised hosts."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-drop",
|
||||
"expanded": "Spamhaus Don't Route Or Peer",
|
||||
"description": "Spamhaus Don't Route Or Peer (DROP) is an advisory 'drop all traffic' list. DROP is a tiny subset of the SBL which is designed for use by firewalls or routing equipment."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-spam",
|
||||
"expanded": "Spamhaus Domain Block List Spam Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for spam."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-phish",
|
||||
"expanded": "Spamhaus Domain Block List Phish Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for phishing."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-malware",
|
||||
"expanded": "Spamhaus Domain Block List Malware Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used to serve malware."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-botnet-c2",
|
||||
"expanded": "Spamhaus Domain Block List Botnet C2 Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of domain names with poor reputations used for botnet command and control."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-abused-legit-spam",
|
||||
"expanded": "Spamhaus Domain Block List Abused Legit Spam Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for spam."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-abused-spammed-redirector",
|
||||
"expanded": "Spamhaus Domain Block List Abused Spammed Redirector Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate spammed domain names with poor reputations used as redirector domains."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-abused-legit-phish",
|
||||
"expanded": "Spamhaus Domain Block List Abused Legit Phish Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for phishing."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-abused-legit-malware",
|
||||
"expanded": "Spamhaus Domain Block List Abused Legit Malware Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used to serve malware."
|
||||
},
|
||||
{
|
||||
"value": "spamhaus-abused-legit-botnet-c2",
|
||||
"expanded": "Spamhaus Domain Block List Abused Legit Botnet C2 Domain",
|
||||
"description": "Spamhaus Domain Block List (DBL) is a list of abused legitimate domain names with poor reputations used for botnet command and control."
|
||||
},
|
||||
{
|
||||
"value": "surbl-phish",
|
||||
"expanded": "SURBL Phishing Sites",
|
||||
"description": "Phishing data from multiple sources is included in this list. Data includes PhishTank, OITC, PhishLabs, Malware Domains and several other sources, including proprietary research by SURBL."
|
||||
},
|
||||
{
|
||||
"value": "surbl-malware",
|
||||
"expanded": "SURBL Malware Sites",
|
||||
"description": "This list contains data from multiple sources that cover sites hosting malware. This includes OITC, abuse.ch, The DNS blackhole malicious site data from malwaredomains.com and others. Malware data also includes significant proprietary research by SURBL."
|
||||
},
|
||||
{
|
||||
"value": "surbl-spam",
|
||||
"expanded": "SURBL Spam Sites",
|
||||
"description": "This list contains mainly general spam sites. It combines data from the formerly separate JP, WS, SC and AB lists. It also includes data from Internet security, anti-abuse, ISP, ESP and other communities, such as Telenor. Most of the data in this list comes from internal, proprietary research by SURBL."
|
||||
},
|
||||
{
|
||||
"value": "surbl-abused-legit",
|
||||
"expanded": "SURBL Abused Legit Sites",
|
||||
"description": "This list contains data from multiple sources that cover cracked sites, including SURBL internal ones. Criminals steal credentials or abuse vulnerabilities to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam."
|
||||
},
|
||||
{
|
||||
"value": "uribl-black",
|
||||
"expanded": "URIBL Black",
|
||||
"description": "URIBL Black list contains domain names belonging to and used by spammers, including but not restricted to those that appear in URIs found in Unsolicited Bulk and/or Commercial Email (UBE/UCE). This list has a goal of zero False Positives."
|
||||
},
|
||||
{
|
||||
"value": "uribl-grey",
|
||||
"expanded": "URIBL Grey",
|
||||
"description": "URIBL Grey list contains domains found in UBE/UCE, and possibly honour opt-out requests. It may include ESPs which allow customers to import their recipient lists and may have no control over the subscription methods. This list can and probably will cause False Positives depending on your definition of UBE/UCE."
|
||||
},
|
||||
{
|
||||
"value": "uribl-red",
|
||||
"expanded": "URIBL Red",
|
||||
"description": "URIBL Red list contains domains that actively show up in mail flow, are not listed on URIBL black, and are either: being monitored, very young (domain age via whois), or use whois privacy features to protect their identity. This list is automated in nature, so please use at your own risk."
|
||||
},
|
||||
{
|
||||
"value": "uribl-multi",
|
||||
"expanded": "URIBL Multi",
|
||||
"description": "URIBL Multi list contains all of the public URIBL lists."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "abuseipdb",
|
||||
"entry": [
|
||||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"description": "The IP abuse confidence score is high (76-100)."
|
||||
},
|
||||
{
|
||||
"value": "medium-high",
|
||||
"expanded": "Medium High",
|
||||
"description": "The IP abuse confidence score is medium-high (51-75)."
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"description": "The IP abuse confidence score is medium (26-50)."
|
||||
},
|
||||
{
|
||||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"description": "The IP abuse confidence score is low (0-25)."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "greynoise-riot",
|
||||
"entry": [
|
||||
{
|
||||
"value": "trust-level-1",
|
||||
"expanded": "Trust Level 1",
|
||||
"description": "These IPs are trustworthy because the companies or services assigned are generally responsible for the interactions with this IP. Adding these ranges to an allow-list may make sense."
|
||||
},
|
||||
{
|
||||
"value": "trust-level-2",
|
||||
"expanded": "Trust Level 2",
|
||||
"description": "These IPs are somewhat trustworthy because they are necessary for regular and common business internet use. Companies that own these IPs typically do not claim responsibility or have accountability for interactions with these IPs. Malicious actions may be associated with these IPs but adding this entire range to a block-list does not make sense."
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "googlesafebrowsing",
|
||||
"entry": [
|
||||
{
|
||||
"value": "malware",
|
||||
"expanded": "MALWARE",
|
||||
"description": "Malware threat type."
|
||||
},
|
||||
{
|
||||
"value": "social-engineering",
|
||||
"expanded": "SOCIAL_ENGINEERING",
|
||||
"description": "Social engineering threat type."
|
||||
},
|
||||
{
|
||||
"value": "unwanted-software",
|
||||
"expanded": "UNWANTED_SOFTWARE",
|
||||
"description": "Unwanted software threat type."
|
||||
},
|
||||
{
|
||||
"value": "potentially-harmful-application",
|
||||
"expanded": "POTENTIALLY_HARMFUL_APPLICATION",
|
||||
"description": "Potentially harmful application threat type."
|
||||
},
|
||||
{
|
||||
"value": "unspecified",
|
||||
"expanded": "THREAT_TYPE_UNSPECIFIED",
|
||||
"description": "Unknown threat type."
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
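Review bot: The `virustotal` entries `known-distributor` and `valid-signature` are worded so that a reader will treat the file as trusted, and their descriptions are tautological ("The known-distributor entry indicates a file is from a known distributor"); a valid code signature attests the signer's identity, not that the file is benign, and signed malware with stolen or leaked certificates is common. Suggested wording: `"description": "The file carries a code signature that verifies. This attests the signer's identity only, not that the file is benign; signed malware exists."` and similarly for `known-distributor`: `"description": "The file hash is known from a software distributor tracked by VirusTotal. Treat as a reputation hint, not as proof the sample is clean."`. The `greynoise-riot` `trust-level-1` description recommends allow-listing; a caveat that this should exempt IPs from noise filtering rather than from detection would stop that text being read as policy. The `googlesafebrowsing` entries put the API constants (`MALWARE`, `SOCIAL_ENGINEERING`, …) in `expanded`, which is the human-readable label field; the constant fits better in `description`.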
|
|
@ -0,0 +1,46 @@
|
|||
{
|
||||
"namespace": "ransomware-roles",
|
||||
"expanded": "Ransomware Actor Roles",
|
||||
"description": "The seven roles seen in most ransomware incidents.",
|
||||
"refs": [
|
||||
"https://www.northwave-security.com/"
|
||||
],
|
||||
"version": 1,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "1 - Initial Access Broker",
|
||||
"expanded": "1 - Initial Access Broker",
|
||||
"description": "Initial Access Brokers obtain the initial access to organizations. They monetize this access by offering it for sale to any actor."
|
||||
},
|
||||
{
|
||||
"value": "2 - Ransomware Affiliate",
|
||||
"expanded": "2 - Ransomware Affiliate",
|
||||
"description": "Ransomware affiliates are responsible for obtaining control of a victim's network and monetizing it. They perform reconnaissance of the network as well as privilege escalation, and are responsible for destroying any backup options and deployment of ransomware. Ransomware Affiliates can make use of different ransomware families in different attacks."
|
||||
},
|
||||
{
|
||||
"value": "3 - Data Manager",
|
||||
"expanded": "3 - Data Manager",
|
||||
"description": "Data managers are responsible for exfiltrating data as well as managing and leaking that exfiltrated data when necessary."
|
||||
},
|
||||
{
|
||||
"value": "4 - Ransomware Operator",
|
||||
"expanded": "4 - Ransomware Operator",
|
||||
"description": "Ransomware Operators facilitate the ransomware business model by providing ransomware and hosting the infrastructure needed to run it."
|
||||
},
|
||||
{
|
||||
"value": "5 - Negotiator",
|
||||
"expanded": "5 - Negotiator",
|
||||
"description": "Negotiators are responsible for interacting with the victim and coming to an agreement with the victim regarding the ransom payment."
|
||||
},
|
||||
{
|
||||
"value": "6 - Chaser",
|
||||
"expanded": "6 - Chaser",
|
||||
"description": "Chasers put pressure on the victim by emailing and calling key employee. Chasers threaten these employees with continued attacks or publication of confidential data if the ransom is not payed."
|
||||
},
|
||||
{
|
||||
"value": "7 - Accountant",
|
||||
"expanded": "7 - Accountant",
|
||||
"description": "Accountants launder the ransom."
|
||||
}
|
||||
]
|
||||
}
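Review bot: The predicate `value` strings carry a numeric prefix and spaces (`"1 - Initial Access Broker"`), so the resulting machine tags are `ransomware-roles:"1 - Initial Access Broker"`; `value` is the stable identifier and should be a lowercase hyphenated slug with the ordinal and display text kept in `expanded`, e.g. `"value": "initial-access-broker", "expanded": "1 - Initial Access Broker"`. The `6 - Chaser` description has two typos: "calling key employee" should read "calling key employees" and "if the ransom is not payed" should read "if the ransom is not paid". The single ref is the vendor's home page rather than the report that defines the seven roles; linking the source article would let readers verify the model. The description "The seven roles seen in most ransomware incidents." could state whose model this is, since the role split is one vendor's analysis rather than an established standard.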
|
|
@ -1,12 +1,8 @@
|
|||
{
|
||||
"namespace": "runtime-packer",
|
||||
"description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
|
||||
"version": 1,
|
||||
"version": 2,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "portable-executable",
|
||||
"expanded": "Portable Executable (PE)"
|
||||
},
|
||||
{
|
||||
"value": "dex",
|
||||
"expanded": "Dalvik Executable (DEX)"
|
||||
|
@ -16,9 +12,13 @@
|
|||
"expanded": "Executable Linkable Format (ELF)"
|
||||
},
|
||||
{
|
||||
"value": "mach-o",
|
||||
"value": "macho",
|
||||
"expanded": "Mach-object (Mach-O)"
|
||||
},
|
||||
{
|
||||
"value": "pe",
|
||||
"expanded": "Portable Executable (PE)"
|
||||
},
|
||||
{
|
||||
"value": "cli-assembly",
|
||||
"expanded": "CLI assembly"
|
||||
|
@ -26,12 +26,91 @@
|
|||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "portable-executable",
|
||||
"predicate": "dex",
|
||||
"entry": [
|
||||
{
|
||||
"value": "apk-protect",
|
||||
"expanded": "APK Protect"
|
||||
},
|
||||
{
|
||||
"value": "dexguard",
|
||||
"expanded": "DexGuard"
|
||||
},
|
||||
{
|
||||
"value": "dexprotector",
|
||||
"expanded": "DexProtector"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "elf",
|
||||
"entry": [
|
||||
{
|
||||
"value": "bzexe",
|
||||
"expanded": "BzExe"
|
||||
},
|
||||
{
|
||||
"value": "ezuri",
|
||||
"expanded": "Ezuri"
|
||||
},
|
||||
{
|
||||
"value": "gzexe",
|
||||
"expanded": "GzExe"
|
||||
},
|
||||
{
|
||||
"value": "midgetpack",
|
||||
"expanded": "MidgetPack"
|
||||
},
|
||||
{
|
||||
"value": "pakkero",
|
||||
"expanded": "Pakkero"
|
||||
},
|
||||
{
|
||||
"value": "papaw",
|
||||
"expanded": "Papaw"
|
||||
},
|
||||
{
|
||||
"value": "shiva",
|
||||
"expanded": "Shiva"
|
||||
},
|
||||
{
|
||||
"value": "upx",
|
||||
"expanded": "UPX"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "macho",
|
||||
"entry": [
|
||||
{
|
||||
"value": "eleckey",
|
||||
"expanded": "ElecKey"
|
||||
},
|
||||
{
|
||||
"value": "muncho",
|
||||
"expanded": "Muncho"
|
||||
},
|
||||
{
|
||||
"value": "mpress",
|
||||
"expanded": "MPRESS"
|
||||
},
|
||||
{
|
||||
"value": "upx",
|
||||
"expanded": "UPX"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "pe",
|
||||
"entry": [
|
||||
{
|
||||
"value": ".netshrink",
|
||||
"expanded": ".netshrink"
|
||||
},
|
||||
{
|
||||
"value": "acprotect",
|
||||
"expanded": "ACProtect"
|
||||
},
|
||||
{
|
||||
"value": "alienyze",
|
||||
"expanded": "Alienyze"
|
||||
|
@ -40,10 +119,6 @@
|
|||
"value": "apack",
|
||||
"expanded": "aPack"
|
||||
},
|
||||
{
|
||||
"value": "apk-protect",
|
||||
"expanded": "APK Protect"
|
||||
},
|
||||
{
|
||||
"value": "armadillo",
|
||||
"expanded": "Armadillo"
|
||||
|
@ -53,13 +128,17 @@
|
|||
"expanded": "ASPack"
|
||||
},
|
||||
{
|
||||
"value": "aspr-asprotect",
|
||||
"expanded": "ASPR (ASProtect)"
|
||||
"value": "asprotect",
|
||||
"expanded": "ASProtect"
|
||||
},
|
||||
{
|
||||
"value": "autoit",
|
||||
"expanded": "AutoIT"
|
||||
},
|
||||
{
|
||||
"value": "axprotector",
|
||||
"expanded": "AxProtector"
|
||||
},
|
||||
{
|
||||
"value": "bero",
|
||||
"expanded": "BeRo EXE Packer"
|
||||
|
@ -77,21 +156,29 @@
|
|||
"expanded": "Code Virtualizer"
|
||||
},
|
||||
{
|
||||
"value": "dexguard",
|
||||
"expanded": "DexGuard"
|
||||
},
|
||||
{
|
||||
"value": "dexprotector",
|
||||
"expanded": "DexProtector"
|
||||
"value": "confuserex",
|
||||
"expanded": "ConfuserEx"
|
||||
},
|
||||
{
|
||||
"value": "dotbundle",
|
||||
"expanded": "dotBundle"
|
||||
},
|
||||
{
|
||||
"value": "dragon-armor",
|
||||
"expanded": "Dragon Armor"
|
||||
},
|
||||
{
|
||||
"value": "eleckey",
|
||||
"expanded": "ElecKey"
|
||||
},
|
||||
{
|
||||
"value": "enigma-protector",
|
||||
"expanded": "Enigma Protector"
|
||||
},
|
||||
{
|
||||
"value": "enigma-virtual-box",
|
||||
"expanded": "Enigma Virtual Box"
|
||||
},
|
||||
{
|
||||
"value": "exe-bundle",
|
||||
"expanded": "EXE Bundle"
|
||||
|
@ -100,6 +187,10 @@
|
|||
"value": "exe-stealth",
|
||||
"expanded": "EXE Stealth"
|
||||
},
|
||||
{
|
||||
"value": "exe32pack",
|
||||
"expanded": "EXE32Pack"
|
||||
},
|
||||
{
|
||||
"value": "expressor",
|
||||
"expanded": "eXPressor"
|
||||
|
@ -109,8 +200,12 @@
|
|||
"expanded": "FSG"
|
||||
},
|
||||
{
|
||||
"value": "gzexe",
|
||||
"expanded": "GzExe"
|
||||
"value": "hxor-packer",
|
||||
"expanded": "hXOR Packer"
|
||||
},
|
||||
{
|
||||
"value": "jdpack",
|
||||
"expanded": "JDPack"
|
||||
},
|
||||
{
|
||||
"value": "kkrunchy",
|
||||
|
@ -124,10 +219,26 @@
|
|||
"value": "mew",
|
||||
"expanded": "MEW"
|
||||
},
|
||||
{
|
||||
"value": "molebox",
|
||||
"expanded": "MoleBox"
|
||||
},
|
||||
{
|
||||
"value": "morphine",
|
||||
"expanded": "Morphine"
|
||||
},
|
||||
{
|
||||
"value": "mpress",
|
||||
"expanded": "MPRESS"
|
||||
},
|
||||
{
|
||||
"value": "neolite",
|
||||
"expanded": "Neolite"
|
||||
},
|
||||
{
|
||||
"value": "netcrypt",
|
||||
"expanded": "NetCrypt"
|
||||
},
|
||||
{
|
||||
"value": "nspack",
|
||||
"expanded": "NSPack"
|
||||
|
@ -136,6 +247,10 @@
|
|||
"value": "obsidium",
|
||||
"expanded": "Obsidium"
|
||||
},
|
||||
{
|
||||
"value": "packman",
|
||||
"expanded": "Packman"
|
||||
},
|
||||
{
|
||||
"value": "pecompact",
|
||||
"expanded": "PECompact"
|
||||
|
@ -144,6 +259,10 @@
|
|||
"value": "pelock",
|
||||
"expanded": "PELock"
|
||||
},
|
||||
{
|
||||
"value": "pepacker",
|
||||
"expanded": "PE Packer"
|
||||
},
|
||||
{
|
||||
"value": "peshield",
|
||||
"expanded": "PEShield"
|
||||
|
@ -156,6 +275,10 @@
|
|||
"value": "petite",
|
||||
"expanded": "PEtite"
|
||||
},
|
||||
{
|
||||
"value": "procrypt",
|
||||
"expanded": "ProCrypt"
|
||||
},
|
||||
{
|
||||
"value": "rlpack-basic",
|
||||
"expanded": "RLPack Basic"
|
||||
|
@ -164,10 +287,22 @@
|
|||
"value": "smart-packer-pro",
|
||||
"expanded": "Smart Packer Pro"
|
||||
},
|
||||
{
|
||||
"value": "squishy",
|
||||
"expanded": "Squishy"
|
||||
},
|
||||
{
|
||||
"value": "telock",
|
||||
"expanded": "Telock"
|
||||
},
|
||||
{
|
||||
"value": "themida",
|
||||
"expanded": "Themida"
|
||||
},
|
||||
{
|
||||
"value": "thinstall",
|
||||
"expanded": "Thinstall"
|
||||
},
|
||||
{
|
||||
"value": "upack",
|
||||
"expanded": "UPack"
|
||||
|
|
|
@ -0,0 +1,56 @@
|
|||
{
|
||||
"namespace": "sentinel-threattype",
|
||||
"expanded": "sentinel-threattype",
|
||||
"description": "Sentinel indicator threat types.",
|
||||
"version": 1,
|
||||
"exclusive": true,
|
||||
"refs": [
|
||||
"https://learn.microsoft.com/en-us/graph/api/resources/tiindicator?view=graph-rest-beta#threattype-values"
|
||||
],
|
||||
"predicates": [
|
||||
{
|
||||
"value": "Botnet",
|
||||
"expanded": "Indicator is detailing a botnet node/member."
|
||||
},
|
||||
{
|
||||
"value": "C2",
|
||||
"expanded": "Indicator is detailing a Command & Control node of a botnet."
|
||||
},
|
||||
{
|
||||
"value": "CryptoMining",
|
||||
"expanded": "Traffic involving this network address / URL is an indication of CyrptoMining / Resource abuse."
|
||||
},
|
||||
{
|
||||
"value": "Darknet",
|
||||
"expanded": "Indicator is that of a Darknet node/network."
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
"expanded": "Indicators relating to an active or upcoming DDoS campaign."
|
||||
},
|
||||
{
|
||||
"value": "MaliciousUrl",
|
||||
"expanded": "URL that is serving malware."
|
||||
},
|
||||
{
|
||||
"value": "Malware",
|
||||
"expanded": "Indicator describing a malicious file or files."
|
||||
},
|
||||
{
|
||||
"value": "Phishing",
|
||||
"expanded": "Indicators relating to a phishing campaign."
|
||||
},
|
||||
{
|
||||
"value": "Proxy",
|
||||
"expanded": "Indicator is that of a proxy service."
|
||||
},
|
||||
{
|
||||
"value": "PUA",
|
||||
"expanded": "Potentially Unwanted Application."
|
||||
},
|
||||
{
|
||||
"value": "WatchList",
|
||||
"expanded": "This is the generic bucket into which indicators are placed when it cannot be determined exactly what the threat is or will require manual interpretation. This should typically not be used by partners submitting data into the system."
|
||||
}
|
||||
]
|
||||
}
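Review bot: The expanded text of the CryptoMining predicate misspells the term as "CyrptoMining"; since the expanded string is what MISP renders in the tag picker and what exports carry, change it to `"expanded": "Traffic involving this network address / URL is an indication of CryptoMining / Resource abuse."` before this ships as version 1. The predicate values keep Microsoft's CamelCase enum spelling rather than the lowercase style used by most taxonomies in this repository, which is reasonable if the goal is a lossless round-trip with the tiIndicator threatType field, but that intent should be stated, e.g. `"description": "Sentinel indicator threat types, kept verbatim from the Microsoft Graph tiIndicator threatType enumeration so tags can be exported unchanged."`. The only reference points at the graph-rest-beta variant of the API documentation; if a non-beta page for the same enumeration exists it would be a more durable ref, and the beta status is worth a mention in the description either way.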
|
|
@ -0,0 +1,104 @@
|
|||
{
|
||||
"version": 1,
|
||||
"description": "Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.",
|
||||
"expanded": "Social Engineering Attack Vectors",
|
||||
"namespace": "social-engineering-attack-vectors",
|
||||
"exclusive": false,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "technical",
|
||||
"expanded": "Technical"
|
||||
},
|
||||
{
|
||||
"value": "non-technical",
|
||||
"expanded": "Non-technical"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "technical",
|
||||
"entry": [
|
||||
{
|
||||
"value": "vishing",
|
||||
"expanded": "Vishing"
|
||||
},
|
||||
{
|
||||
"value": "spear-phishing",
|
||||
"expanded": "Spear phishing"
|
||||
},
|
||||
{
|
||||
"value": "interesting-software",
|
||||
"expanded": "Interesting software"
|
||||
},
|
||||
{
|
||||
"value": "baiting",
|
||||
"expanded": "Baiting"
|
||||
},
|
||||
{
|
||||
"value": "waterholing",
|
||||
"expanded": "Waterholing"
|
||||
},
|
||||
{
|
||||
"value": "phishing-and-trojan-email",
|
||||
"expanded": "Phishing and Trojan email"
|
||||
},
|
||||
{
|
||||
"value": "spam-email",
|
||||
"expanded": "Spam Email"
|
||||
},
|
||||
{
|
||||
"value": "popup-window",
|
||||
"expanded": "Popup Window"
|
||||
},
|
||||
{
|
||||
"value": "tailgating",
|
||||
"expanded": "Tailgating"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "non-technical",
|
||||
"entry": [
|
||||
{
|
||||
"value": "pretexting-impersonation",
|
||||
"expanded": "Pretexting/Impersonation"
|
||||
},
|
||||
{
|
||||
"value": "hoaxing",
|
||||
"expanded": "Hoaxing"
|
||||
},
|
||||
{
|
||||
"value": "authoritative-voice",
|
||||
"expanded": "Authoritative voice"
|
||||
},
|
||||
{
|
||||
"value": "technical-expert",
|
||||
"expanded": "Technical expert"
|
||||
},
|
||||
{
|
||||
"value": "smudge-attack",
|
||||
"expanded": "Smudge Attack"
|
||||
},
|
||||
{
|
||||
"value": "dumpser-diving",
|
||||
"expanded": "Dumpster Diving"
|
||||
},
|
||||
{
|
||||
"value": "shoulder-surfing",
|
||||
"expanded": "Shoulder surfing"
|
||||
},
|
||||
{
|
||||
"value": "spying",
|
||||
"expanded": "Spying"
|
||||
},
|
||||
{
|
||||
"value": "support-staff",
|
||||
"expanded": "Support staff"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"refs": [
|
||||
"https://www.researchgate.net/publication/339224082_A_Taxonomy_of_Social_Engineering_Defense_Mechanisms"
|
||||
]
|
||||
}
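Review bot: The machinetag value of the dumpster-diving entry is misspelled as `"value": "dumpser-diving",`; tags are matched on the value string, so correcting it after release would orphan every event already tagged with it, and it should read `"value": "dumpster-diving",` before this version-1 file is published. Tailgating is placed under the technical predicate alongside vishing and waterholing; it reads as a physical vector in the same family as shoulder surfing and dumpster diving, so its placement is worth confirming against the cited paper before release rather than fixing later with a version bump. A one-line note in the description saying that the technical/non-technical split follows the paper's own grouping would make that intent explicit for future editors.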
|
|
@ -0,0 +1,193 @@
|
|||
{
|
||||
"namespace": "srbcert",
|
||||
"description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
|
||||
"version": 3,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "incident-type",
|
||||
"expanded": "Incident Type"
|
||||
},
|
||||
{
|
||||
"value": "incident-criticality-level",
|
||||
"expanded": "Incident Criticality Level"
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
{
|
||||
"predicate": "incident-type",
|
||||
"entry": [
|
||||
{
|
||||
"value": "virus",
|
||||
"expanded": "virus",
|
||||
"description": "Virus is a piece of malicious code that aims to spread from computer to computer by attacking executable files and documents and can cause deliberate deletion of files from the hard drive and similar damage"
|
||||
},
|
||||
{
|
||||
"value": "worm",
|
||||
"expanded": "worm",
|
||||
"description": "Worm is a program that contains malicious code that spreads over a network, in such a way that it can reproduce and transfer , which reproduces and transfers independently, i.e. it does not depend on the files of the infected person device. Worms spread to email addresses from the victim's contact list or exploit the vulnerabilities of network applications and, due to the high speed of propagation, serve for transmission of other types of malicious software "
|
||||
},
|
||||
{
|
||||
"value": "ransomware",
|
||||
"expanded": "Ransomware"
|
||||
},
|
||||
{
|
||||
"value": "trojan",
|
||||
"expanded": "Trojan"
|
||||
},
|
||||
{
|
||||
"value": "spyware",
|
||||
"expanded": "Spyware"
|
||||
},
|
||||
{
|
||||
"value": "rootkit",
|
||||
"expanded": "Rootkit"
|
||||
},
|
||||
{
|
||||
"value": "malware",
|
||||
"expanded": "Malware is a word derived from two words - Malicious Software, and represents any software that is written for malicious purposes, i.e. that aims to cause harm computer systems or networks"
|
||||
},
|
||||
{
|
||||
"value": "port-scanning",
|
||||
"expanded": "Port scanning"
|
||||
},
|
||||
{
|
||||
"value": "sniffing",
|
||||
"expanded": "Sniffing"
|
||||
},
|
||||
{
|
||||
"value": "social-engineering",
|
||||
"expanded": "Social engineering"
|
||||
},
|
||||
{
|
||||
"value": "data-breaches",
|
||||
"expanded": "Data breaches"
|
||||
},
|
||||
{
|
||||
"value": "other-type-of-information-gathering",
|
||||
"expanded": "Other type of information gathering"
|
||||
},
|
||||
{
|
||||
"value": "phishing",
|
||||
"expanded": "Phishing"
|
||||
},
|
||||
{
|
||||
"value": "unauthorized-use-of-resources",
|
||||
"expanded": "Unauthorized use of resources"
|
||||
},
|
||||
{
|
||||
"value": "fraud",
|
||||
"expanded": "Fraud"
|
||||
},
|
||||
{
|
||||
"value": "exploiting-known-vulnerabilities",
|
||||
"expanded": "Exploiting known vulnerabilities"
|
||||
},
|
||||
{
|
||||
"value": "brute-force",
|
||||
"expanded": "Brute force"
|
||||
},
|
||||
{
|
||||
"value": "other-type-of-intrusion-attempts",
|
||||
"expanded": "Other type of Intrusion Attempts"
|
||||
},
|
||||
{
|
||||
"value": "privilege-account-compromise",
|
||||
"expanded": "Privilege account compromise"
|
||||
},
|
||||
{
|
||||
"value": "unprivileged-account-compromise",
|
||||
"expanded": "Unprivileged account compromise"
|
||||
},
|
||||
{
|
||||
"value": "application-compromise",
|
||||
"expanded": "Application compromise"
|
||||
},
|
||||
{
|
||||
"value": "botnet",
|
||||
"expanded": "Botnet"
|
||||
},
|
||||
{
|
||||
"value": "other-type-of-intrusions",
|
||||
"expanded": "Other type of intrusions"
|
||||
},
|
||||
{
|
||||
"value": "dos",
|
||||
"expanded": "DoS"
|
||||
},
|
||||
{
|
||||
"value": "ddos",
|
||||
"expanded": "DDoS"
|
||||
},
|
||||
{
|
||||
"value": "sabotage",
|
||||
"expanded": "Sabotage"
|
||||
},
|
||||
{
|
||||
"value": "outage",
|
||||
"expanded": "Outage"
|
||||
},
|
||||
{
|
||||
"value": "other-type-of-availability-incident",
|
||||
"expanded": "Other type of Availability incident"
|
||||
},
|
||||
{
|
||||
"value": "unauthorized-access-to-information",
|
||||
"expanded": "Unauthorized access to information"
|
||||
},
|
||||
{
|
||||
"value": "unauthorized-modification-of-information",
|
||||
"expanded": "Unauthorized modification of information"
|
||||
},
|
||||
{
|
||||
"value": "cryptographic-attack",
|
||||
"expanded": "Cryptographic attack"
|
||||
},
|
||||
{
|
||||
"value": "other-type-of-information-content-security-incident",
|
||||
"expanded": "Other type of Information Content Security incident"
|
||||
},
|
||||
{
|
||||
"value": "hardware-errors",
|
||||
"expanded": "Hardware errors"
|
||||
},
|
||||
{
|
||||
"value": "software-errors",
|
||||
"expanded": "Software errors"
|
||||
},
|
||||
{
|
||||
"value": "hardware-components-theft",
|
||||
"expanded": "hardware-components-theft"
|
||||
},
|
||||
{
|
||||
"value": "other",
|
||||
"expanded": "Other"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"predicate": "incident-criticality-level",
|
||||
"entry": [
|
||||
{
|
||||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"numerical_value": 25
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"numerical_value": 50
|
||||
},
|
||||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"numerical_value": 75
|
||||
},
|
||||
{
|
||||
"value": "very-high",
|
||||
"expanded": "Very High",
|
||||
"numerical_value": 100
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
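Review bot: The entries are inconsistent in how they use expanded versus description: the malware entry puts its whole definition into expanded (the string MISP renders as the tag label) where it should be `"expanded": "Malware"` with the definition moved under `"description"`, and hardware-components-theft repeats the raw value as its label instead of `"expanded": "Hardware components theft"`. The worm description also contains a duplicated half-sentence ("in such a way that it can reproduce and transfer , which reproduces and transfers independently") and the phrase "infected person device", which reads as an unedited translation; tightening it now avoids a later version bump for wording alone. The incident-criticality-level entries set numerical_value (25/50/75/100), which MISP can use for scoring, so the scale and its intended comparability with other taxonomies' severity levels should be stated in the taxonomy description.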
|
371
summary.md
371
summary.md
|
@ -1,5 +1,5 @@
|
|||
# Taxonomies
|
||||
- Generation date: 2022-01-22
|
||||
- Generation date: 2023-12-31
|
||||
- license: CC-0
|
||||
- description: Manifest file of MISP taxonomies available.
|
||||
|
||||
|
@ -55,13 +55,29 @@
|
|||
- 2
|
||||
- 1
|
||||
- 0
|
||||
### GrayZone
|
||||
- description: Gray Zone of Active defense includes all elements which lay between reactive defense elements and offensive operations. It does fill the gray spot between them. Taxo may be used for active defense planning or modeling.
|
||||
- version: 3
|
||||
- Predicates
|
||||
- Adversary Emulation
|
||||
- Beacons
|
||||
- Deterrence
|
||||
- Deception
|
||||
- Tarpits, Sandboxes and Honeypots
|
||||
- Threat Intelligence
|
||||
- Threat Hunting
|
||||
- Adversary Takedowns
|
||||
- Ransomware
|
||||
- Rescue Missions
|
||||
- Sanctions, Indictments & Trade Remedies
|
||||
### PAP
|
||||
- description: The Permissible Actions Protocol - or short: PAP - was designed to indicate how the received information can be used.
|
||||
- version: 2
|
||||
- version: 3
|
||||
- Predicates
|
||||
- RED
|
||||
- AMBER
|
||||
- GREEN
|
||||
- CLEAR
|
||||
- WHITE
|
||||
### access-method
|
||||
- description: The access method used to remotely access a system.
|
||||
|
@ -154,6 +170,33 @@
|
|||
- cat4
|
||||
- cat5
|
||||
- cat6
|
||||
### artificial-satellites
|
||||
- description: This taxonomy was designed to describe artificial satellites
|
||||
- version: 1
|
||||
- Predicates
|
||||
- Meteorological and Earth observation
|
||||
- Indian Space Research
|
||||
- GEO
|
||||
- Tracking
|
||||
- Search & Rescue
|
||||
- Earth Ressources
|
||||
- Disaster Monitoring
|
||||
- GNSS
|
||||
- Space & Earth Science
|
||||
- Geodetic
|
||||
- Engineering
|
||||
- Education
|
||||
### aviation
|
||||
- description: A taxonomy describing security threats or incidents against the aviation sector.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- target
|
||||
- target-systems
|
||||
- target-sub-systems
|
||||
- impact
|
||||
- likelihood
|
||||
- criticality
|
||||
- certainty
|
||||
### binary-class
|
||||
- description: Custom taxonomy for types of binary file.
|
||||
- version: 2
|
||||
|
@ -179,11 +222,25 @@
|
|||
- severity
|
||||
- threat-vector
|
||||
### circl
|
||||
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection
|
||||
- version: 5
|
||||
- description: CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.
|
||||
- version: 6
|
||||
- Predicates
|
||||
- incident-classification
|
||||
- topic
|
||||
- significant
|
||||
### cnsd
|
||||
- description: La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.
|
||||
- version: 20220513
|
||||
- Predicates
|
||||
- Contenido abusivo
|
||||
- Disponibilidad
|
||||
- Fraude
|
||||
- Fuga de información
|
||||
- Intentos de intrusión
|
||||
- Intrusión
|
||||
- Malware
|
||||
- Recopilación de información
|
||||
- Otros
|
||||
### coa
|
||||
- description: Course of action taken within organization to discover, detect, deny, disrupt, degrade, deceive and/or destroy an attack.
|
||||
- version: 2
|
||||
|
@ -233,6 +290,13 @@
|
|||
- Predicates
|
||||
- passive
|
||||
- active
|
||||
### crowdsec
|
||||
- description: Crowdsec IP address classifications and behaviors taxonomy.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- behavior
|
||||
- false-positive
|
||||
- classification
|
||||
### cryptocurrency-threat
|
||||
- description: Threats targetting cryptocurrency, based on CipherTrace report.
|
||||
- version: 1
|
||||
|
@ -247,6 +311,7 @@
|
|||
- Decentralized Stable Coins
|
||||
- Email Extortion and Bomb Threats
|
||||
- Crypto Robbing Ransomware
|
||||
- Pig Butchering Scam
|
||||
### csirt-americas
|
||||
- description: Taxonomía CSIRT Américas.
|
||||
- version: 1
|
||||
|
@ -316,12 +381,14 @@
|
|||
- Predicates
|
||||
- action
|
||||
### dark-web
|
||||
- description: Criminal motivation on the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project
|
||||
- version: 4
|
||||
- description: Criminal motivation and content detection the dark web: A categorisation model for law enforcement. ref: Janis Dalins, Campbell Wilson, Mark Carman. Taxonomy updated by MISP Project and extended by the JRC (Joint Research Centre) of the European Commission.
|
||||
- version: 5
|
||||
- Predicates
|
||||
- topic
|
||||
- motivation
|
||||
- structure
|
||||
- service
|
||||
- content
|
||||
### data-classification
|
||||
- description: Data classification for data potentially at risk of exfiltration based on table 2.1 of Solving Cyber Risk book.
|
||||
- version: 1
|
||||
|
@ -347,6 +414,143 @@
|
|||
- Predicates
|
||||
- Einstufung
|
||||
- Schutzwort
|
||||
### death-possibilities
|
||||
- description: Taxonomy of Death Possibilities
|
||||
- version: 1
|
||||
- Predicates
|
||||
- (001-009) Intestinal infectious diseases
|
||||
- (010-018) Tuberculosis
|
||||
- (020-027) Zoonotic bacterial diseases
|
||||
- (030-041) Other bacterial diseases
|
||||
- (042-042) Human immunodeficiency virus [HIV] infection
|
||||
- (045-049) Poliomyelitis and other non-arthropod-borne viral diseases of central nervous system
|
||||
- (050-057) Viral diseases accompanied by exanthem
|
||||
- (060-066) Arthropod-borne viral diseases
|
||||
- (070-079) Other diseases due to viruses and Chlamydiae
|
||||
- (080-088) Rickettsioses and other arthropod-borne diseases
|
||||
- (090-099) Syphilis and other venereal diseases
|
||||
- (100-104) Other spirochaetal diseases
|
||||
- (110-118) Mycoses
|
||||
- (120-129) Helminthiases
|
||||
- (130-136) Other infectious and parasitic diseases
|
||||
- (137-139) Late effects of infectious and parasitic diseases
|
||||
- (140-149) Malignant neoplasm of lip, oral cavity and pharynx
|
||||
- (150-159) Malignant neoplasm of digestive organs and peritoneum
|
||||
- (160-165) Malignant neoplasm of respiratory and intrathoracic organs
|
||||
- (170-176) Malignant neoplasm of bone, connective tissue, skin and breast
|
||||
- (179-189) Malignant neoplasm of genito-urinary organs
|
||||
- (190-199) Malignant neoplasm of other and unspecified sites
|
||||
- (200-208) Malignant neoplasm of lymphatic and haematopoietic tissue
|
||||
- (210-229) Benign neoplasms
|
||||
- (230-234) Carcinoma in situ
|
||||
- (235-238) Neoplasms of uncertain behaviour
|
||||
- (239-239) Neoplasms of unspecified nature
|
||||
- (240-246) Disorders of thyroid gland
|
||||
- (250-259) Diseases of other endocrine glands
|
||||
- (260-269) Nutritional deficiencies
|
||||
- (270-279) Other metabolic disorders and immunity disorders
|
||||
- (280-289) Diseases of blood and blood-forming organs
|
||||
- (290-294) Organic psychotic conditions
|
||||
- (295-299) Other psychoses
|
||||
- (300-316) Neurotic disorders, personality disorders and other nonpsychotic mental disorders
|
||||
- (317-319) Mental retardation
|
||||
- (320-326) Inflammatory diseases of the central nervous system
|
||||
- (330-337) Hereditary and degenerative diseases of the central nervous system
|
||||
- (340-349) Other disorders of the central nervous system
|
||||
- (350-359) Disorders of the peripheral nervous system
|
||||
- (360-379) Disorders of the eye and adnexa
|
||||
- (380-389) Diseases of the ear and mastoid process
|
||||
- (390-392) Acute rheumatic fever
|
||||
- (393-398) Chronic rheumatic heart disease
|
||||
- (401-405) Hypertensive disease
|
||||
- (410-414) Ischaemic heart disease
|
||||
- (415-417) Diseases of pulmonary circulation
|
||||
- (420-429) Other forms of heart disease
|
||||
- (430-438) Cerebrovascular disease
|
||||
- (440-448) Diseases of arteries, arterioles and capillaries
|
||||
- (451-459) Diseases of veins and lymphatics, and other diseases of circulatory system
|
||||
- (460-466) Acute respiratory infections
|
||||
- (470-478) Other diseases of upper respiratory tract
|
||||
- (480-487) Pneumonia and influenza
|
||||
- (490-496) Chronic obstructive pulmonary disease and allied conditions
|
||||
- (500-508) Pneumoconioses and other lung diseases due to external agents
|
||||
- (510-519) Other diseases of respiratory system
|
||||
- (520-529) Diseases of oral cavity, salivary glands and jaws
|
||||
- (530-537) Diseases of oesophagus, stomach and duodenum
|
||||
- (540-543) Appendicitis
|
||||
- (550-553) Hernia of abdominal cavity
|
||||
- (555-558) Non-infective enteritis and colitis
|
||||
- (560-569) Other diseases of intestines and peritoneum
|
||||
- (570-579) Other diseases of digestive system
|
||||
- (580-589) Nephritis, nephrotic syndrome and nephrosis
|
||||
- (590-599) Other diseases of urinary system
|
||||
- (600-608) Diseases of male genital organs
|
||||
- (610-611) Disorders of breast
|
||||
- (614-616) Inflammatory disease of female pelvic organs
|
||||
- (617-629) Other disorders of female genital tract
|
||||
- (630-633) Ectopic and molar pregnancy
|
||||
- (634-639) Other pregnancy with abortive outcome
|
||||
- (640-648) Complications mainly related to pregnancy
|
||||
- (650-659) Normal delivery and other indications for care in pregnancy, labour and delivery
|
||||
- (660-669) Complications occurring mainly in the course of labour and delivery
|
||||
- (670-677) Complications of the puerperium
|
||||
- (680-686) Infections of skin and subcutaneous tissue
|
||||
- (690-698) Other inflammatory conditions of skin and subcutaneous tissue
|
||||
- (700-709) Other diseases of skin and subcutaneous tissue
|
||||
- (710-719) Arthropathies and related disorders
|
||||
- (720-724) Dorsopathies
|
||||
- (725-729) Rheumatism, excluding the back
|
||||
- (730-739) Osteopathies, chondropathies and acquired musculoskeletal deformities
|
||||
- (740-759) Congenital anomalies
|
||||
- (760-763) Maternal causes of perinatal morbidity and mortality
|
||||
- (764-779) Other conditions originating in the perinatal period
|
||||
- (780-789) Symptoms
|
||||
- (790-796) Nonspecific abnormal findings
|
||||
- (797-799) Ill-defined and unknown causes of morbidity and mortality
|
||||
- (800-804) Fracture of skull
|
||||
- (805-809) Fracture of neck and trunk
|
||||
- (810-819) Fracture of upper limb
|
||||
- (820-829) Fracture of lower limb
|
||||
- (830-839) Dislocation
|
||||
- (840-848) Sprains and strains of joints and adjacent muscles
|
||||
- (850-854) Intracranial injury, excluding those with skull fracture
|
||||
- (860-869) Internal injury of chest, abdomen and pelvis
|
||||
- (870-879) Open wound of head, neck and trunk
|
||||
- (880-887) Open wound of upper limb
|
||||
- (890-897) Open wound of lower limb
|
||||
- (900-904) Injury to blood vessels
|
||||
- (905-909) Late effects of injuries, poisonings, toxic effects and other external causes
|
||||
- (910-919) Superficial injury
|
||||
- (920-924) Contusion with intact skin surface
|
||||
- (925-929) Crushing injury
|
||||
- (930-939) Effects of foreign body entering through orifice
|
||||
- (940-949) Burns
|
||||
- (950-957) Injury to nerves and spinal cord
|
||||
- (958-959) Certain traumatic complications and unspecified injuries
|
||||
- (960-979) Poisoning by drugs, medicaments and biological substances
|
||||
- (980-989) Toxic effects of substances chiefly nonmedicinal as to source
|
||||
- (990-995) Other and unspecified effects of external causes
|
||||
- (996-999) Complications of surgical and medical care, not elsewhere classified
|
||||
- (E800-E807) Railway accidents
|
||||
- (E810-E819) Motor vehicle traffic accidents
|
||||
- (E820-E825) Motor vehicle nontraffic accidents
|
||||
- (E826-E829) Other road vehicle accidents
|
||||
- (E830-E838) Water transport accidents
|
||||
- (E840-E845) Air and space transport accidents
|
||||
- (E846-E848) Vehicle accidents not elsewhere classifiable
|
||||
- (E849-E858) Accidental poisoning by drugs, medicaments and biologicals
|
||||
- (E860-E869) Accidental poisoning by other solid and liquid substances, gases and vapours
|
||||
- (E870-E876) Misadventures to patients during surgical and medical care
|
||||
- (E878-E879) Surgical and medical procedures as the cause of abnormal reaction of patient or later complication, without mention of misadventure at the time of procedure
|
||||
- (E880-E888) Accidental falls
|
||||
- (E890-E899) Accidents caused by fire and flames
|
||||
- (E900-E909) Accidents due to natural and environmental factors
|
||||
- (E910-E915) Accidents caused by submersion, suffocation and foreign bodies
|
||||
- (E916-E928) Other accidents
|
||||
- (E929-E929) Late effects of accidental injury
|
||||
- (E930-E949) Drugs, medicaments and biological substances causing adverse effects in therapeutic use
|
||||
- (E950-E959) Suicide and self-inflicted injury
|
||||
- (E960-E969) Homicide and injury purposely inflicted by other persons
|
||||
### deception
|
||||
- description: Deception is an important component of information operations, valuable for both offense and defense.
|
||||
- version: 1
|
||||
|
@ -358,6 +562,12 @@
|
|||
- quality
|
||||
- essence
|
||||
- speech-act-theory
|
||||
### dga
|
||||
- description: A taxonomy to describe domain-generation algorithms often called DGA. Ref: A Comprehensive Measurement Study of Domain Generating Malware Daniel Plohmann and others.
|
||||
- version: 2
|
||||
- Predicates
|
||||
- generation-scheme
|
||||
- seeding
|
||||
### dhs-ciip-sectors
|
||||
- description: DHS critical sectors as in https://www.dhs.gov/critical-infrastructure-sectors
|
||||
- version: 2
|
||||
|
@ -372,6 +582,15 @@
|
|||
- Capability
|
||||
- Infrastructure
|
||||
- Victim
|
||||
### diamond-model-for-influence-operations
|
||||
- description: The diamond model for influence operations analysis is a framework that leads analysts and researchers toward a comprehensive understanding of a malign influence campaign by addressing the socio-political, technical, and psychological aspects of the campaign. The diamond model for influence operations analysis consists of 5 components: 4 corners and a core element. The 4 corners are divided into 2 axes: influencer and audience on the socio-political axis, capabilities and infrastructure on the technical axis. Narrative makes up the core of the diamond.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- Influencer
|
||||
- Capabilities
|
||||
- Infrastructure
|
||||
- Audience
|
||||
- Narrative
|
||||
### dni-ism
|
||||
- description: A subset of Information Security Marking Metadata ISM as required by Executive Order (EO) 13526. As described by DNI.gov as Data Encoding Specifications for Information Security Marking Metadata in Controlled Vocabulary Enumeration Values for ISM
|
||||
- version: 3
|
||||
|
@ -391,6 +610,23 @@
|
|||
- Predicates
|
||||
- domain-status
|
||||
- domain-access-method
|
||||
### doping-substances
|
||||
- description: This taxonomy aims to list doping substances
|
||||
- version: 2
|
||||
- Predicates
|
||||
- anabolic agents
|
||||
- peptide hormones, growth factors, related substances and mimetics
|
||||
- beta-2 agonists
|
||||
- hormone and metabolic modulators
|
||||
- diuretics and masking agents
|
||||
- manipulation of blood and blood components
|
||||
- chemical and physical manipulation
|
||||
- gene and cell doping
|
||||
- stimulants
|
||||
- narcotics
|
||||
- cannabinoids
|
||||
- glucocorticoids
|
||||
- beta-blockers
|
||||
### drugs
|
||||
- description: A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest
|
||||
- version: 2
|
||||
|
@ -571,14 +807,15 @@
|
|||
- cyber-sopex
|
||||
- generic
|
||||
### extended-event
|
||||
- description: Reasons why an event has been extended.
|
||||
- version: 1
|
||||
- description: Reasons why an event has been extended. This taxonomy must be used on the extended event. The competitive analysis aspect is from Psychology of Intelligence Analysis by Richard J. Heuer, Jr. ref:http://www.foo.be/docs/intelligence/PsychofIntelNew.pdf
|
||||
- version: 2
|
||||
- Predicates
|
||||
- competitive-analysis
|
||||
- extended-analysis
|
||||
- human-readable
|
||||
- chunked-event
|
||||
- update
|
||||
- counter-analysis
|
||||
### failure-mode-in-machine-learning
|
||||
- description: The purpose of this taxonomy is to jointly tabulate both the of these failure modes in a single place. Intentional failures wherein the failure is caused by an active adversary attempting to subvert the system to attain her goals – either to misclassify the result, infer private training data, or to steal the underlying algorithm. Unintentional failures wherein the failure is because an ML system produces a formally correct but completely unsafe outcome.
|
||||
- version: 1
|
||||
|
@ -587,7 +824,7 @@
|
|||
- unintended-failures-summary
|
||||
### false-positive
|
||||
- description: This taxonomy aims to ballpark the expected amount of false positives.
|
||||
- version: 5
|
||||
- version: 7
|
||||
- Predicates
|
||||
- risk
|
||||
- confirmed
|
||||
|
@ -596,6 +833,15 @@
|
|||
- version: 1
|
||||
- Predicates
|
||||
- type
|
||||
### financial
|
||||
- description: Financial taxonomy to describe financial services, infrastructure and financial scope.
|
||||
- version: 7
|
||||
- Predicates
|
||||
- categories-and-types-of-services
|
||||
- geographical-footprint
|
||||
- online-exposition
|
||||
- physical-presence
|
||||
- services
|
||||
### flesch-reading-ease
|
||||
- description: Flesch Reading Ease is a revised system for determining the comprehension difficulty of written material. The scoring of the flesh score can have a maximum of 121.22 and there is no limit on how low a score can be (negative score are valid).
|
||||
- version: 2
|
||||
|
@ -820,6 +1066,13 @@
|
|||
- submission
|
||||
- output-format
|
||||
- certainty
|
||||
### information-origin
|
||||
- description: Taxonomy for tagging information by its origin: human-generated or AI-generated.
|
||||
- version: 2
|
||||
- Predicates
|
||||
- human-generated
|
||||
- AI-generated
|
||||
- uncertain-origin
|
||||
### information-security-data-source
|
||||
- description: Taxonomy to classify the information security data sources.
|
||||
- version: 1
|
||||
|
@ -971,6 +1224,14 @@
|
|||
- misp2yara
|
||||
- event-type
|
||||
- ids
|
||||
### misp-workflow
|
||||
- description: MISP workflow taxonomy to support result of workflow execution.
|
||||
- version: 3
|
||||
- Predicates
|
||||
- action-taken
|
||||
- analysis
|
||||
- mutability
|
||||
- run
|
||||
### monarc-threat
|
||||
- description: MONARC Threats Taxonomy
|
||||
- version: 1
|
||||
|
@ -1015,6 +1276,19 @@
|
|||
- nature-root-cause
|
||||
- nature-severity
|
||||
- test
|
||||
### nis2
|
||||
- description: The taxonomy is meant for large scale cybersecurity incidents, as mentioned in the Commission Recommendation of 13 May 2022, also known as the provisional agreement. It has two core parts: The nature of the incident, i.e. the underlying cause, that triggered the incident, and the impact of the incident, i.e. the impact on services, in which sector(s) of economy and society.
|
||||
- version: 3
|
||||
- Predicates
|
||||
- impact-sectors-impacted
|
||||
- impact-subsectors-impacted
|
||||
- important-entities
|
||||
- impact-subsectors-important-entities
|
||||
- impact-severity
|
||||
- impact-outlook
|
||||
- nature-root-cause
|
||||
- nature-severity
|
||||
- test
|
||||
### open_threat
|
||||
- description: Open Threat Taxonomy v1.1 base on James Tarala of SANS http://www.auditscripts.com/resources/open_threat_taxonomy_v1.1a.pdf, https://files.sans.org/summit/Threat_Hunting_Incident_Response_Summit_2016/PDFs/Using-Open-Tools-to-Convert-Threat-Intelligence-into-Practical-Defenses-James-Tarala-SANS-Institute.pdf, https://www.youtube.com/watch?v=5rdGOOFC_yE, and https://www.rsaconference.com/writable/presentations/file_upload/str-r04_using-an-open-source-threat-model-for-prioritized-defense-final.pdf
|
||||
- version: 1
|
||||
|
@ -1065,6 +1339,12 @@
|
|||
- state
|
||||
- psychological-acceptability
|
||||
- principle-of-persuasion
|
||||
### poison-taxonomy
|
||||
- description: Non-exhaustive taxonomy of natural poison
|
||||
- version: 1
|
||||
- Predicates
|
||||
- Poisonous plant
|
||||
- Poisonous fungus
|
||||
### political-spectrum
|
||||
- description: A political spectrum is a system to characterize and classify different political positions in relation to one another.
|
||||
- version: 1
|
||||
|
@ -1082,6 +1362,20 @@
|
|||
- low
|
||||
- baseline-minor
|
||||
- baseline-negligible
|
||||
### pyoti
|
||||
- description: PyOTI automated enrichment schemes for point in time classification of indicators.
|
||||
- version: 3
|
||||
- Predicates
|
||||
- checkdmarc
|
||||
- disposable-email
|
||||
- emailrepio
|
||||
- iris-investigate
|
||||
- virustotal
|
||||
- circl-hashlookup
|
||||
- reputation-block-list
|
||||
- abuseipdb
|
||||
- greynoise-riot
|
||||
- googlesafebrowsing
|
||||
### ransomware
|
||||
- description: Ransomware is used to define ransomware types and the elements that compose them.
|
||||
- version: 6
|
||||
|
@ -1094,6 +1388,17 @@
|
|||
- infection
|
||||
- communication
|
||||
- malicious-action
|
||||
### ransomware-roles
|
||||
- description: The seven roles seen in most ransomware incidents.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- 1 - Initial Access Broker
|
||||
- 2 - Ransomware Affiliate
|
||||
- 3 - Data Manager
|
||||
- 4 - Ransomware Operator
|
||||
- 5 - Negotiator
|
||||
- 6 - Chaser
|
||||
- 7 - Accountant
|
||||
### retention
|
||||
- description: Add a retenion time to events to automatically remove the IDS-flag on ip-dst or ip-src attributes. We calculate the time elapsed based on the date of the event. Supported time units are: d(ays), w(eeks), m(onths), y(ears). The numerical_value is just for sorting in the web-interface and is not used for calculations.
|
||||
- version: 3
|
||||
|
@ -1130,11 +1435,13 @@
|
|||
- Predicates
|
||||
- event-status
|
||||
### runtime-packer
|
||||
- description: Runtime or software packer used to combine compressed data with the decompression code. The decompression code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
|
||||
- version: 1
|
||||
- description: Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.
|
||||
- version: 2
|
||||
- Predicates
|
||||
- portable-executable
|
||||
- dex
|
||||
- elf
|
||||
- macho
|
||||
- pe
|
||||
- cli-assembly
|
||||
### scrippsco2-fgc
|
||||
- description: Flags describing the sample
|
||||
|
@ -1180,6 +1487,21 @@
|
|||
- NZD
|
||||
- PSA
|
||||
- SPO
|
||||
### sentinel-threattype
|
||||
- description: Sentinel indicator threat types.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- Botnet
|
||||
- C2
|
||||
- CryptoMining
|
||||
- Darknet
|
||||
- DDoS
|
||||
- MaliciousUrl
|
||||
- Malware
|
||||
- Phishing
|
||||
- Proxy
|
||||
- PUA
|
||||
- WatchList
|
||||
### smart-airports-threats
|
||||
- description: Threat taxonomy in the scope of securing smart airports by ENISA. https://www.enisa.europa.eu/publications/securing-smart-airports
|
||||
- version: 1
|
||||
|
@ -1189,6 +1511,18 @@
|
|||
- natural-and-social-phenomena
|
||||
- third-party-failures
|
||||
- malicious-actions
|
||||
### social-engineering-attack-vectors
|
||||
- description: Attack vectors used in social engineering as described in 'A Taxonomy of Social Engineering Defense Mechanisms' by Dalal Alharthi and others.
|
||||
- version: 1
|
||||
- Predicates
|
||||
- technical
|
||||
- non-technical
|
||||
### srbcert
|
||||
- description: SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection
|
||||
- version: 3
|
||||
- Predicates
|
||||
- incident-type
|
||||
- incident-criticality-level
|
||||
### state-responsibility
|
||||
- description: A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.
|
||||
- version: 1
|
||||
|
@ -1221,13 +1555,15 @@
|
|||
- technical-sophistication-multiplier
|
||||
### thales_group
|
||||
- description: Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.
|
||||
- version: 2
|
||||
- version: 4
|
||||
- Predicates
|
||||
- distribution
|
||||
- to_block
|
||||
- minarm
|
||||
- acn
|
||||
- sigpart
|
||||
- a_isac
|
||||
- intercert_france
|
||||
- ioc_confidence
|
||||
- tlp:black
|
||||
- Watcher
|
||||
|
@ -1247,14 +1583,17 @@
|
|||
- dns-server-attacks
|
||||
- dns-abuse-or-misuse
|
||||
### tlp
|
||||
- description: The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.
|
||||
- version: 5
|
||||
- description: The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.
|
||||
- version: 10
|
||||
- Predicates
|
||||
- red
|
||||
- amber
|
||||
- amber+strict
|
||||
- green
|
||||
- white
|
||||
- clear
|
||||
- ex:chr
|
||||
- unclear
|
||||
### tor
|
||||
- description: Taxonomy to describe Tor network infrastructure
|
||||
- version: 1
|
||||
|
@ -1378,7 +1717,7 @@
|
|||
- degré-de-probabilité
|
||||
### workflow
|
||||
- description: Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.
|
||||
- version: 11
|
||||
- version: 12
|
||||
- Predicates
|
||||
- todo
|
||||
- state
|
|
@ -32,6 +32,20 @@
|
|||
"value": "sigpart",
|
||||
"numerical_value": 7
|
||||
},
|
||||
{
|
||||
"colour": "#043C86",
|
||||
"description": "This TAG will insure you to share ONLY to the Thales Group ISAC alliance. Distribution: All communities",
|
||||
"expanded": "Use it when you want to share to the Thales Group ISAC alliance ONLY. Distribution: All communities",
|
||||
"value": "a_isac",
|
||||
"numerical_value": 8
|
||||
},
|
||||
{
|
||||
"colour": "#12294D",
|
||||
"description": "This TAG will insure you to share ONLY to the Thales Group InterCERT France alliance. Distribution: All communities",
|
||||
"expanded": "Use it when you want to share to the Thales Group InterCERT France alliance ONLY. Distribution: All communities",
|
||||
"value": "intercert_france",
|
||||
"numerical_value": 9
|
||||
},
|
||||
{
|
||||
"colour": "#75646A",
|
||||
"description": "Distribution: All communities",
|
||||
|
@ -44,14 +58,14 @@
|
|||
"description": "Distribution: Restricted Sharing Group",
|
||||
"expanded": "(TLP:BLACK) Information cannot be effectively acted outside of strict and reduced circle of a trust. Distribution: Restricted Sharing Group",
|
||||
"value": "tlp:black",
|
||||
"numerical_value": 11
|
||||
"numerical_value": 13
|
||||
},
|
||||
{
|
||||
"colour": "#375a7f",
|
||||
"description": "Distribution: All communities",
|
||||
"expanded": "Use it when this came from Watcher Platform. Distribution: All communities",
|
||||
"value": "Watcher",
|
||||
"numerical_value": 12
|
||||
"numerical_value": 14
|
||||
}
|
||||
],
|
||||
"values": [
|
||||
|
@ -94,17 +108,17 @@
|
|||
{
|
||||
"value": "high",
|
||||
"expanded": "High",
|
||||
"numerical_value": 8
|
||||
"numerical_value": 10
|
||||
},
|
||||
{
|
||||
"value": "medium",
|
||||
"expanded": "Medium",
|
||||
"numerical_value": 9
|
||||
"numerical_value": 11
|
||||
},
|
||||
{
|
||||
"value": "low",
|
||||
"expanded": "Low",
|
||||
"numerical_value": 10
|
||||
"numerical_value": 12
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -112,7 +126,7 @@
|
|||
"refs": [
|
||||
"https://www.thalesgroup.com/en/cert"
|
||||
],
|
||||
"version": 2,
|
||||
"version": 4,
|
||||
"description": "Thales Group Taxonomy - was designed with the aim of enabling desired sharing and preventing unwanted sharing between Thales Group security communities.",
|
||||
"expanded": "Thales Group Taxonomy",
|
||||
"namespace": "thales_group"
|
||||
|
|
|
@ -437,8 +437,8 @@
|
|||
"expanded": "Actor Campaigns"
|
||||
},
|
||||
{
|
||||
"value": "Credential Breaches",
|
||||
"expanded": "Credential Breaches"
|
||||
"value": "Credential Breach",
|
||||
"expanded": "Credential Breach"
|
||||
},
|
||||
{
|
||||
"value": "DDoS",
|
||||
|
@ -453,41 +453,29 @@
|
|||
"expanded": "General Notification"
|
||||
},
|
||||
{
|
||||
"value": "High Impact Vulnerabilities",
|
||||
"expanded": "High Impact Vulnerabilities"
|
||||
"value": "Vulnerability",
|
||||
"expanded": "Vulnerability"
|
||||
},
|
||||
{
|
||||
"value": "Information Leakages",
|
||||
"expanded": "Information Leakages"
|
||||
},
|
||||
{
|
||||
"value": "Malware Analysis",
|
||||
"expanded": "Malware Analysis"
|
||||
"value": "Malware",
|
||||
"expanded": "Malware"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Domains",
|
||||
"expanded": "Nefarious Domains"
|
||||
"value": "Suspicious Domain",
|
||||
"expanded": "Suspicious Domain"
|
||||
},
|
||||
{
|
||||
"value": "Nefarious Forum Mention",
|
||||
"expanded": "Nefarious Forum Mention"
|
||||
},
|
||||
{
|
||||
"value": "Pastebin Dumps",
|
||||
"expanded": "Pastebin Dumps"
|
||||
"value": "Forum Mention",
|
||||
"expanded": "Forum Mention"
|
||||
},
|
||||
{
|
||||
"value": "Phishing Attempts",
|
||||
"expanded": "Phishing Attempts"
|
||||
},
|
||||
{
|
||||
"value": "PII Exposure",
|
||||
"expanded": "PII Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Sensitive Information Disclosures",
|
||||
"expanded": "Sensitive Information Disclosures"
|
||||
},
|
||||
{
|
||||
"value": "Social Media Alerts",
|
||||
"expanded": "Social Media Alerts"
|
||||
|
@ -501,12 +489,28 @@
|
|||
"expanded": "Technical Exposure"
|
||||
},
|
||||
{
|
||||
"value": "Threat Actor Updates",
|
||||
"expanded": "Threat Actor Updates"
|
||||
"value": "Threat Actor Update",
|
||||
"expanded": "Threat Actor Update"
|
||||
},
|
||||
{
|
||||
"value": "Trigger Events",
|
||||
"expanded": "Trigger Events"
|
||||
"value": "Direct Targeting ",
|
||||
"expanded": "Direct Targeting "
|
||||
},
|
||||
{
|
||||
"value": "Protest Activity",
|
||||
"expanded": "Protest Activity"
|
||||
},
|
||||
{
|
||||
"value": "Violent Event",
|
||||
"expanded": "Violent Event"
|
||||
},
|
||||
{
|
||||
"value": "Strategic Event",
|
||||
"expanded": "Strategic Event"
|
||||
},
|
||||
{
|
||||
"value": "Insider Threat",
|
||||
"expanded": "Insider Threat"
|
||||
}
|
||||
]
|
||||
}
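Review bot: The new `Direct Targeting ` entry carries a trailing space in both `value` and `expanded`, so the generated tag becomes `…="Direct Targeting "` and will never match a tag typed without the space. Change the two lines to `"value": "Direct Targeting",` and `"expanded": "Direct Targeting"`. If the repository has a validation step for machinetag.json files, rejecting leading or trailing whitespace in `value` would catch this class of error across all taxonomies.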
|
||||
|
|
|
@ -1,41 +1,58 @@
|
|||
{
|
||||
"predicates": [
|
||||
{
|
||||
"colour": "#CC0033",
|
||||
"description": "Not for disclosure, restricted to participants only. Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.",
|
||||
"expanded": "(TLP:RED) Information exclusively and directly given to (a group of) individual recipients. Sharing outside is not legitimate.",
|
||||
"colour": "#FF2B2B",
|
||||
"description": "For the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting.",
|
||||
"expanded": "(TLP:RED) For the eyes and ears of individual recipients only, no further disclosure.",
|
||||
"value": "red"
|
||||
},
|
||||
{
|
||||
"colour": "#FFC000",
|
||||
"description": "Limited disclosure, restricted to participants’ organizations. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.",
|
||||
"expanded": "(TLP:AMBER) Information exclusively given to an organization; sharing limited within the organization to be effectively acted upon.",
|
||||
"description": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note that TLP:AMBER+STRICT restricts sharing to the organization only.",
|
||||
"expanded": "(TLP:AMBER) Limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients.",
|
||||
"value": "amber"
|
||||
},
|
||||
{
|
||||
"colour": "#339900",
|
||||
"description": "Limited disclosure, restricted to the community. Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.",
|
||||
"expanded": "(TLP:GREEN) Information given to a community or a group of organizations at large. The information cannot be publicly released.",
|
||||
"colour": "#FFC000",
|
||||
"description": "Limited disclosure, recipients can only spread this on a need-to-know basis within their organization. Sources may use TLP:AMBER+STRICT when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER+STRICT information with members of their own organization.",
|
||||
"expanded": "(TLP:AMBER+STRICT) Limited disclosure, recipients can only spread this on a need-to-know basis within their organization.",
|
||||
"value": "amber+strict"
|
||||
},
|
||||
{
|
||||
"colour": "#33FF00",
|
||||
"description": "Limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community.",
|
||||
"expanded": "(TLP:GREEN) Limited disclosure, recipients can spread this within their community.",
|
||||
"value": "green"
|
||||
},
|
||||
{
|
||||
"colour": "#ffffff",
|
||||
"description": "Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.",
|
||||
"description": "Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. The version 2.0 of TLP doesn't mention anymore this tag which is most probably compatible with new TLP:CLEAR tag.",
|
||||
"expanded": "(TLP:WHITE) Information can be shared publicly in accordance with the law.",
|
||||
"value": "white"
|
||||
},
|
||||
{
|
||||
"colour": "#ffffff",
|
||||
"description": "Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.",
|
||||
"expanded": "(TLP:CLEAR) Recipients can spread this to the world, there is no limit on disclosure.",
|
||||
"value": "clear"
|
||||
},
|
||||
{
|
||||
"colour": "#d208f4",
|
||||
"expanded": "(TLP:EX:CHR) Information extended with a specific tag called Chatham House Rule (CHR). When this specific CHR tag is mentioned, the attribution (the source of information) must not be disclosed. This additional rule is at the discretion of the initial sender who can decide to apply or not the CHR tag.",
|
||||
"value": "ex:chr"
|
||||
},
|
||||
{
|
||||
"colour": "#7e7eae",
|
||||
"expanded": "(TLP:UNCLEAR) Community, Organization, Clients, and Recipients are all so confused what the appropriate disclosure level is, and if this or that indicator can or cannot be shared. Assumptions are rampant and the confusion is so high that a chi-square test might in fact be required to ensure the randomness of the mess before labelling this case TLP:UNCLEAR.",
|
||||
"value": "unclear"
|
||||
}
|
||||
],
|
||||
"refs": [
|
||||
"https://www.first.org/tlp"
|
||||
],
|
||||
"version": 5,
|
||||
"description": "The Traffic Light Protocol - or short: TLP - was designed with the objective to create a favorable classification scheme for sharing sensitive information while keeping the control over its distribution at the same time.",
|
||||
"version": 10,
|
||||
"description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
|
||||
"expanded": "Traffic Light Protocol",
|
||||
"namespace": "tlp",
|
||||
"exclusive": true
|
||||
"exclusive": true,
|
||||
"namespace": "tlp"
|
||||
}
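Review bot: `"exclusive": true` is kept on the namespace while the `ex:chr` predicate is documented as an extension added on top of another TLP label ("Information extended with a specific tag called Chatham House Rule"), so if the exclusive flag is enforced the way the generator's own text describes it ("must be set exclusively"), `tlp:ex:chr` can never be combined with `tlp:red` or `tlp:amber` as intended. Either document that `ex:chr` replaces rather than extends the base label, or keep CHR out of an exclusive namespace. Separately, the new `white` description would be clearer stating that `white` is retained only for backward compatibility and that new data should use `clear`, instead of `most probably compatible with new TLP:CLEAR tag`.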
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
python3 machinetag.py -a >a.txt
|
||||
asciidoctor a.txt
|
||||
asciidoctor-pdf -a allow-uri-read a.txt
|
||||
cp a.html ../../misp-website/static/taxonomies.html
|
||||
cp a.pdf ../../misp-website/static/taxonomies.pdf
|
||||
cp a.html ../../misp-website-new/static/taxonomies.html
|
||||
cp a.pdf ../../misp-website-new/static/taxonomies.pdf
|
||||
scp a.html circl@cpab.circl.lu:/var/www/nwww.circl.lu/doc/misp-taxonomies/index.html
|
||||
scp a.pdf circl@cpab.circl.lu://var/www/nwww.circl.lu/doc/misp-taxonomies/taxonomies.pdf
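Review bot: The script has no failure handling, so if `machinetag.py` or `asciidoctor` fails the following `cp` and `scp` lines still publish whatever stale `a.html`/`a.pdf` is left in the working directory. Add `set -eu` (or `set -euo pipefail` if the file is always run under bash) as the first line so the sequence stops at the first error. The `scp a.pdf` destination also has a doubled slash (`://var/www`), which Linux tolerates but is worth cleaning to `:/var/www` to match the line above it.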
|
||||
|
|
|
@ -26,7 +26,7 @@ def generateMarkdown(taxonomies):
|
|||
markdown_line_array.append("- license: %s" % 'CC-0')
|
||||
markdown_line_array.append("- description: %s" % 'Manifest file of MISP taxonomies available.')
|
||||
markdown_line_array.append("")
|
||||
|
||||
|
||||
markdown_line_array.append("## Taxonomies")
|
||||
markdown_line_array.append("")
|
||||
for taxonomy in taxonomies:
|
||||
|
|
|
@ -4,7 +4,7 @@
|
|||
# Python script parsing the MISP taxonomies expressed in Machine Tags (Triple
|
||||
# Tags) to list all valid tags from a specific taxonomy.
|
||||
#
|
||||
# Copyright (c) 2015-2017 Alexandre Dulaunoy - a@foo.be
|
||||
# Copyright (c) 2015-2022 Alexandre Dulaunoy - a@foo.be
|
||||
#
|
||||
# Redistribution and use in source and binary forms, with or without modification,
|
||||
# are permitted provided that the following conditions are met:
|
||||
|
@ -30,42 +30,73 @@ import json
|
|||
import os.path
|
||||
import argparse
|
||||
import os
|
||||
import sys
|
||||
|
||||
skip_list = ["death-possibilities", "poison-taxonomy", "doping-substances"]
|
||||
taxonomies = []
|
||||
|
||||
# Get our current directory from file location
|
||||
thisDir = os.path.dirname(__file__)
|
||||
|
||||
for folder in os.listdir(os.path.join(thisDir, '../')):
|
||||
if os.path.isfile(os.path.join(thisDir, '../', folder, 'machinetag.json')):
|
||||
argParser = argparse.ArgumentParser(
|
||||
description="Dump Machine Tags (Triple Tags) from MISP taxonomies",
|
||||
epilog="Available taxonomies are {0}".format(taxonomies),
|
||||
)
|
||||
argParser.add_argument("-e", action="store_true", help="Include expanded tags")
|
||||
argParser.add_argument(
|
||||
"-a", action="store_true", help="Generate asciidoctor document from MISP taxonomies"
|
||||
)
|
||||
argParser.add_argument("-v", action="store_true", help="Include descriptions")
|
||||
argParser.add_argument("-n", default=False, help="Show only the specified namespace")
|
||||
argParser.add_argument(
|
||||
"--disable-skip-list",
|
||||
default=False,
|
||||
action="store_true",
|
||||
help="disable default skip list",
|
||||
)
|
||||
args = argParser.parse_args()
|
||||
|
||||
if args.disable_skip_list:
|
||||
skip_list = ""
|
||||
|
||||
for folder in os.listdir(os.path.join(thisDir, "../")):
|
||||
if os.path.isfile(os.path.join(thisDir, "../", folder, "machinetag.json")):
|
||||
if folder in skip_list:
|
||||
continue
|
||||
taxonomies.append(folder)
|
||||
|
||||
taxonomies.sort()
|
||||
|
||||
argParser = argparse.ArgumentParser(description='Dump Machine Tags (Triple Tags) from MISP taxonomies', epilog='Available taxonomies are {0}'.format(taxonomies))
|
||||
argParser.add_argument('-e', action='store_true', help='Include expanded tags')
|
||||
argParser.add_argument('-a', action='store_true', help='Generate asciidoctor document from MISP taxonomies')
|
||||
argParser.add_argument('-v', action='store_true', help='Include descriptions')
|
||||
argParser.add_argument('-n', default=False, help='Show only the specified namespace')
|
||||
args = argParser.parse_args()
|
||||
|
||||
doc = ''
|
||||
doc = ""
|
||||
if args.a:
|
||||
dedication = "\n[dedication]\n== Funding and Support\nThe MISP project is financially and resource supported by https://www.circl.lu/[CIRCL Computer Incident Response Center Luxembourg ].\n\nimage:{images-misp}logo.png[CIRCL logo]\n\nA CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as ***Improving MISP as building blocks for next-generation information sharing***.\n\nimage:{images-misp}en_cef.png[CEF funding]\n\nIf you are interested to co-fund projects around MISP, feel free to get in touch with us.\n\n"
|
||||
doc = doc + ":toc: right\n"
|
||||
doc = doc + ":toclevels: 1\n"
|
||||
doc = doc + ":icons: font\n"
|
||||
doc = doc + ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
|
||||
doc = (
|
||||
doc
|
||||
+ ":images-cdn: https://raw.githubusercontent.com/MISP/MISP/2.4/INSTALL/logos/\n"
|
||||
)
|
||||
doc = doc + ":images-misp: https://www.misp-project.org/assets/images/\n"
|
||||
doc = doc + "= MISP taxonomies and classification as machine tags\n\n"
|
||||
doc = doc + "= Introduction\n"
|
||||
doc = doc + "\nimage::{images-cdn}misp-logo.png[MISP logo]\n"
|
||||
doc = doc + "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
|
||||
doc = (
|
||||
doc
|
||||
+ "The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.\n\n"
|
||||
)
|
||||
doc = doc + ""
|
||||
doc = "{} {} {} {}".format(doc, "\nTaxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags).",
|
||||
"A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value.",
|
||||
"Machine tags are often called triple tag due to their format.\n")
|
||||
doc = doc + "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-taxonomies[MISP taxonomies]."
|
||||
doc = "{} {} {} {}".format(
|
||||
doc,
|
||||
"\nTaxonomies that can be used in MISP (2.4) and other information sharing tool and expressed in Machine Tags (Triple Tags).",
|
||||
"A machine tag is composed of a namespace (MUST), a predicate (MUST) and an (OPTIONAL) value.",
|
||||
"Machine tags are often called triple tag due to their format.\n",
|
||||
)
|
||||
doc = (
|
||||
doc
|
||||
+ "The following document is generated from the machine-readable JSON describing the https://github.com/MISP/misp-taxonomies[MISP taxonomies]."
|
||||
)
|
||||
doc = doc + "\n\n"
|
||||
doc = doc + "<<<\n"
|
||||
doc = doc + dedication
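Review bot: The `epilog="Available taxonomies are {0}".format(taxonomies)` line in the new parser block is evaluated while `taxonomies` is still the empty list assigned just above it, because the directory scan that fills it was moved below `parse_args()` so that `--disable-skip-list` can be honoured; `--help` now always prints `Available taxonomies are []`. The same reorder sets `skip_list = ""` when the flag is given, which turns the later `folder in skip_list` into a substring test on a string rather than list membership, so use `skip_list = []`. Scanning the directory first and applying the skip list after parsing fixes both, as sketched below.
```python
taxonomies = []

# Get our current directory from file location
thisDir = os.path.dirname(__file__)

# Discover every taxonomy folder up front so the --help epilog can list
# them; the skip list is applied only after the arguments are parsed.
available = sorted(
    folder
    for folder in os.listdir(os.path.join(thisDir, "../"))
    if os.path.isfile(os.path.join(thisDir, "../", folder, "machinetag.json"))
)

argParser = argparse.ArgumentParser(
    description="Dump Machine Tags (Triple Tags) from MISP taxonomies",
    epilog="Available taxonomies are {0}".format(available),
)
# … unchanged: add_argument calls …
args = argParser.parse_args()

if args.disable_skip_list:
    skip_list = []

taxonomies = [folder for folder in available if folder not in skip_list]
# … unchanged: doc generation …
```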
|
||||
|
@ -78,31 +109,37 @@ if args.n:
|
|||
taxonomies.append(args.n)
|
||||
|
||||
|
||||
def asciidoc(content=False, adoc=doc, t='title', toplevel=False):
|
||||
def asciidoc(content=False, adoc=doc, t="title", toplevel=False):
|
||||
if not args.a:
|
||||
return False
|
||||
adoc = adoc + "\n"
|
||||
if t == 'title':
|
||||
content = '==== ' + content
|
||||
elif t == 'predicate':
|
||||
content = '=== ' + content
|
||||
elif t == 'namespace':
|
||||
content = '== ' + content + '\n'
|
||||
content = "{}\n{}{} {}{}{} {}".format(content, 'NOTE: ', namespace, 'namespace available in JSON format at https://github.com/MISP/misp-taxonomies/blob/main/',
|
||||
namespace, '/machinetag.json[*this location*]. The JSON format can be freely reused in your application',
|
||||
'or automatically enabled in https://www.github.com/MISP/MISP[MISP] taxonomy.')
|
||||
elif t == 'description' and toplevel is True:
|
||||
if t == "title":
|
||||
content = "==== " + content
|
||||
elif t == "predicate":
|
||||
content = "=== " + content
|
||||
elif t == "namespace":
|
||||
content = "== " + content + "\n"
|
||||
content = "{}\n{}{} {}{}{} {}".format(
|
||||
content,
|
||||
"NOTE: ",
|
||||
namespace,
|
||||
"namespace available in JSON format at https://github.com/MISP/misp-taxonomies/blob/main/",
|
||||
namespace,
|
||||
"/machinetag.json[*this location*]. The JSON format can be freely reused in your application",
|
||||
"or automatically enabled in https://www.github.com/MISP/MISP[MISP] taxonomy.",
|
||||
)
|
||||
elif t == "description" and toplevel is True:
|
||||
content = "\n{} \n".format(content)
|
||||
elif t == 'description' and toplevel is False:
|
||||
elif t == "description" and toplevel is False:
|
||||
try:
|
||||
(n, value) = content.split(":", 1)
|
||||
content = "\n{} \n".format(value)
|
||||
except:
|
||||
content = "\n{} \n".format(content)
|
||||
elif t == 'numerical_value':
|
||||
elif t == "numerical_value":
|
||||
(n, value) = content.split(":", 1)
|
||||
content = "\nAssociated numerical value=\"{}\" \n".format(value)
|
||||
elif t == 'exclusive':
|
||||
content = '\nAssociated numerical value="{}" \n'.format(value)
|
||||
elif t == "exclusive":
|
||||
(n, value) = content.split(":", 1)
|
||||
if n:
|
||||
content = "\nIMPORTANT: Exclusive flag set which means the values or predicate below must be set exclusively.\n"
|
||||
|
@ -115,79 +152,178 @@ def machineTag(namespace=False, predicate=False, value=None):
|
|||
if namespace is False or predicate is False:
|
||||
return None
|
||||
if value is None:
|
||||
return (u'{0}:{1}'.format(namespace, predicate))
|
||||
return "{0}:{1}".format(namespace, predicate)
|
||||
else:
|
||||
return (u'{0}:{1}=\"{2}\"'.format(namespace, predicate, value))
|
||||
return '{0}:{1}="{2}"'.format(namespace, predicate, value)
|
||||
|
||||
|
||||
for taxonomy in taxonomies:
|
||||
if taxonomy in skip_list:
|
||||
sys.stderr.write(f"Skip {taxonomy}")
|
||||
continue
|
||||
filename = os.path.join(thisDir, "../", taxonomy, "machinetag.json")
|
||||
with open(filename) as fp:
|
||||
t = json.load(fp)
|
||||
namespace = t['namespace']
|
||||
if t.get('expanded'):
|
||||
expanded_namespace = t['expanded']
|
||||
namespace = t["namespace"]
|
||||
if t.get("expanded"):
|
||||
expanded_namespace = t["expanded"]
|
||||
else:
|
||||
expanded_namespace = namespace
|
||||
if args.a:
|
||||
doc = asciidoc(content=t['namespace'], adoc=doc, t='namespace')
|
||||
doc = asciidoc(content=t['description'], adoc=doc, t='description', toplevel = True)
|
||||
if t.get('exclusive'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=t['exclusive']), adoc=doc, t='exclusive')
|
||||
doc = asciidoc(content=t["namespace"], adoc=doc, t="namespace")
|
||||
doc = asciidoc(
|
||||
content=t["description"], adoc=doc, t="description", toplevel=True
|
||||
)
|
||||
if t.get("exclusive"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(namespace=namespace, predicate=t["exclusive"]),
|
||||
adoc=doc,
|
||||
t="exclusive",
|
||||
)
|
||||
if args.v:
|
||||
print('{0}'.format(t['description']))
|
||||
for predicate in t['predicates']:
|
||||
print("{0}".format(t["description"]))
|
||||
for predicate in t["predicates"]:
|
||||
if args.a:
|
||||
doc = asciidoc(content=predicate['value'], adoc=doc, t='predicate')
|
||||
if predicate.get('description'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['description']), adoc=doc, t='description')
|
||||
if predicate.get('exclusive'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['exclusive']), adoc=doc, t='exclusive')
|
||||
doc = asciidoc(content=predicate["value"], adoc=doc, t="predicate")
|
||||
if predicate.get("description"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["description"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if predicate.get("exclusive"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["exclusive"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="exclusive",
|
||||
)
|
||||
|
||||
if t.get('values') is None:
|
||||
if t.get("values") is None:
|
||||
if args.a:
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['value']), adoc=doc)
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['expanded']), adoc=doc, t='description')
|
||||
if predicate.get('description'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['description']), adoc=doc, t='description')
|
||||
if predicate.get('numerical_value'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['numerical_value']), adoc=doc, t='description')
|
||||
if predicate.get('exclusive'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=predicate['exclusive']), adoc=adoc, t='exclusive')
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["value"]
|
||||
),
|
||||
adoc=doc,
|
||||
)
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["expanded"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if predicate.get("description"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["description"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if predicate.get("numerical_value"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["numerical_value"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if predicate.get("exclusive"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=predicate["exclusive"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="exclusive",
|
||||
)
|
||||
else:
|
||||
print(machineTag(namespace=namespace, predicate=predicate['value']))
|
||||
print(machineTag(namespace=namespace, predicate=predicate["value"]))
|
||||
if args.e:
|
||||
print("--> " + machineTag(namespace=expanded_namespace, predicate=predicate['expanded']))
|
||||
if predicate.get('description'):
|
||||
print("--> " + predicate['description'])
|
||||
print(
|
||||
"--> "
|
||||
+ machineTag(
|
||||
namespace=expanded_namespace, predicate=predicate["expanded"]
|
||||
)
|
||||
)
|
||||
if predicate.get("description"):
|
||||
print("--> " + predicate["description"])
|
||||
else:
|
||||
for e in t['values']:
|
||||
if e['predicate'] == predicate['value']:
|
||||
if 'expanded' in predicate:
|
||||
expanded = predicate['expanded']
|
||||
for v in e['entry']:
|
||||
if args.a and 'expanded' in v:
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']), adoc=doc)
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['expanded']), adoc=doc, t='description')
|
||||
if 'description' in v:
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['description']), adoc=doc, t='description')
|
||||
if v.get('numerical_value'):
|
||||
doc = asciidoc(content=machineTag(namespace=namespace, predicate=v['numerical_value']), adoc=doc, t='numerical_value')
|
||||
for e in t["values"]:
|
||||
if e["predicate"] == predicate["value"]:
|
||||
if "expanded" in predicate:
|
||||
expanded = predicate["expanded"]
|
||||
for v in e["entry"]:
|
||||
if args.a and "expanded" in v:
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace,
|
||||
predicate=e["predicate"],
|
||||
value=v["value"],
|
||||
),
|
||||
adoc=doc,
|
||||
)
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=v["expanded"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if "description" in v:
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace, predicate=v["description"]
|
||||
),
|
||||
adoc=doc,
|
||||
t="description",
|
||||
)
|
||||
if v.get("numerical_value"):
|
||||
doc = asciidoc(
|
||||
content=machineTag(
|
||||
namespace=namespace,
|
||||
predicate=v["numerical_value"],
|
||||
),
|
||||
adoc=doc,
|
||||
t="numerical_value",
|
||||
)
|
||||
else:
|
||||
print(machineTag(namespace=namespace, predicate=e['predicate'], value=v['value']))
|
||||
print(
|
||||
machineTag(
|
||||
namespace=namespace,
|
||||
predicate=e["predicate"],
|
||||
value=v["value"],
|
||||
)
|
||||
)
|
||||
if args.e:
|
||||
if'expanded' in v:
|
||||
print("--> " + machineTag(namespace=namespace, predicate=expanded, value=v['expanded']))
|
||||
if "expanded" in v:
|
||||
print(
|
||||
"--> "
|
||||
+ machineTag(
|
||||
namespace=namespace,
|
||||
predicate=expanded,
|
||||
value=v["expanded"],
|
||||
)
|
||||
)
|
||||
|
||||
with open('../mapping/mapping.json') as mapping:
|
||||
with open("../mapping/mapping.json") as mapping:
|
||||
m = json.load(mapping)
|
||||
output = '\n= Mapping of taxonomies\n'
|
||||
output = '{}{}'.format(output, 'Analysts relying on taxonomies don\'t always know the appropriate namespace to use but know which value to use for classification. The MISP mapping taxonomy allows to map a single classification into a series of machine-tag synonyms.\n')
|
||||
output = "\n= Mapping of taxonomies\n"
|
||||
output = "{}{}".format(
|
||||
output,
|
||||
"Analysts relying on taxonomies don't always know the appropriate namespace to use but know which value to use for classification. The MISP mapping taxonomy allows to map a single classification into a series of machine-tag synonyms.\n",
|
||||
)
|
||||
for value in sorted(m.keys()):
|
||||
output = '{}{} **{}**{}{}\n'.format(output,'\n.Mapping table - ',value,'\n|===\n|',value)
|
||||
for mapped in m[value]['values']:
|
||||
output = '{}|{}\n'.format(output,mapped)
|
||||
output = '{}|===\n'.format(output)
|
||||
output = "{}{} **{}**{}{}\n".format(
|
||||
output, "\n.Mapping table - ", value, "\n|===\n|", value
|
||||
)
|
||||
for mapped in m[value]["values"]:
|
||||
output = "{}|{}\n".format(output, mapped)
|
||||
output = "{}|===\n".format(output)
|
||||
doc = doc + output
|
||||
|
||||
if args.a:
|
||||
|
|
|
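Review bot: `expanded` is only bound when the predicate carries an `expanded` key (the `if "expanded" in predicate:` / `expanded = predicate["expanded"]` pair at the top of the `for e in t["values"]` branch), yet the `args.e` print near the end of the hunk passes `predicate=expanded` whenever the value entry `v` has its own `expanded`; a predicate without the key therefore raises NameError on the first such value or, more quietly, reuses the previous predicate's expansion and emits a well-formed but mislabelled tag. Replacing the pair with `expanded = predicate.get("expanded")` and guarding the print with `if "expanded" in v and expanded is not None:` makes the missing case explicit instead of leaking state across loop iterations. The old side had the same flaw, so this is not a regression, but the reformat is the natural moment to fix it. The `for taxonomy in taxonomies:` body continues past the hunk's last line (`if args.a:`).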
@ -0,0 +1,18 @@
|
|||
import sys
|
||||
import glob
|
||||
import json
|
||||
from jsonschema import validate
|
||||
|
||||
schema = json.load(open("schema.json", "r"))
|
||||
|
||||
for taxonomy_file in glob.glob('./*/machinetag.json'):
|
||||
print("Checking {}".format(taxonomy_file))
|
||||
taxonomy = json.load(open(taxonomy_file, "r"))
|
||||
validate(instance=taxonomy, schema=schema)
|
||||
|
||||
if "values" in taxonomy:
|
||||
predicates = [predicate["value"] for predicate in taxonomy["predicates"]]
|
||||
for value in taxonomy["values"]:
|
||||
if value["predicate"] not in predicates:
|
||||
print("ERROR: Predicate `{}` is missing".format(value["predicate"]))
|
||||
sys.exit(1)
|
|
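Review bot: Both `json.load(open("schema.json", "r"))` and `json.load(open(taxonomy_file, "r"))` open files that are never closed; the script is short-lived so nothing breaks today, but the `with` form is the conventional one and keeps the per-iteration handle bounded: `with open("schema.json") as fh:` / `schema = json.load(fh)`, and the same shape for each taxonomy file inside the loop. A schema violation also surfaces as an uncaught `ValidationError` traceback rather than the `ERROR:` line and `sys.exit(1)` used for the missing-predicate case; the exit status is non-zero either way, so callers that check it are fine, but a `try`/`except ValidationError` that prints `ERROR:` and exits 1 would make the two failure paths consistent for whoever reads the CI log. Both `schema.json` and the `./*/machinetag.json` glob are relative, so the script presumably assumes the repository root as working directory — worth a one-line comment at the top.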
@ -8,7 +8,7 @@ set -x
|
|||
diffs=`git status --porcelain | wc -l`
|
||||
|
||||
if ! [ $diffs -eq 0 ]; then
|
||||
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
|
||||
echo "Please make sure you run ./jq_all_the_things.sh before committing."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
@ -20,11 +20,6 @@ if ! [ $((directories-2)) -eq $manifest_entries ]; then
|
|||
exit 1
|
||||
fi
|
||||
|
||||
for dir in */machinetag.json
|
||||
do
|
||||
echo -n "${dir}: "
|
||||
jsonschema -i ${dir} schema.json
|
||||
echo ''
|
||||
done
|
||||
python3 validate_all.py
|
||||
|
||||
jsonschema -i mapping/mapping.json schema_mapping.json
|
||||
|
|
|
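Review bot: The exit status of `python3 validate_all.py` is not checked, so unless the script runs under `set -e` (only `set -x` is visible in the hunk context) a failing validation prints its error and the script carries on to the mapping check and exits 0 — the `sys.exit(1)` the new validator deliberately performs is lost to CI. The per-directory `jsonschema -i` loop it replaces had the same weakness, but this change is the moment to close it: `python3 validate_all.py || exit 1`. The same applies to the `jsonschema -i mapping/mapping.json schema_mapping.json` line that follows.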
@ -2,7 +2,7 @@
|
|||
"namespace": "workflow",
|
||||
"expanded": "workflow to support analysis",
|
||||
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
|
||||
"version": 11,
|
||||
"version": 12,
|
||||
"predicates": [
|
||||
{
|
||||
"value": "todo",
|
||||
|
@ -132,6 +132,10 @@
|
|||
{
|
||||
"value": "rejected",
|
||||
"expanded": "Analyst rejected the process. The object will not reach state of completeness."
|
||||
},
|
||||
{
|
||||
"value": "release",
|
||||
"expanded": "Analyst approved the information to be released. Like a MISP event to be released and published."
|
||||
}
|
||||
]
|
||||
}
|
||||
|
|