144 lines
5.7 KiB
JSON
144 lines
5.7 KiB
JSON
{
|
|
"namespace": "workflow",
|
|
"expanded": "workflow to support analysis",
|
|
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
|
|
"version": 12,
|
|
"predicates": [
|
|
{
|
|
"value": "todo",
|
|
"expanded": "Todo",
|
|
"description": "Todo are the actions to be performed by one or more analyst(s) to apply cognitive methods, evaluation(s), weightening information, to validate hypothesis or complete additional tasks to improve the overall information or data being tagged with a todo. "
|
|
},
|
|
{
|
|
"value": "state",
|
|
"expanded": "State",
|
|
"description": "State are the different states of the information or data being tagged.",
|
|
"exclusive": true
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "todo",
|
|
"entry": [
|
|
{
|
|
"value": "expansion",
|
|
"expanded": "Expansion need to be applied to expand the information tagged"
|
|
},
|
|
{
|
|
"value": "review",
|
|
"expanded": "Additional review is required to reach a certain level of validation of the information tagged"
|
|
},
|
|
{
|
|
"value": "review-for-privacy",
|
|
"expanded": "Additional review is required to ensure privacy of the information tagged"
|
|
},
|
|
{
|
|
"value": "review-before-publication",
|
|
"expanded": "Review is required before publishing the information tagged"
|
|
},
|
|
{
|
|
"value": "release-requested",
|
|
"expanded": "Release of the information tagged is requested (often after the review process"
|
|
},
|
|
{
|
|
"value": "review-for-false-positive",
|
|
"expanded": "Review the the information tagged to limit the number of false-positives and potentially remove any IDS/automation flag to avoid automation of the false-positives"
|
|
},
|
|
{
|
|
"value": "review-the-source-credibility",
|
|
"expanded": "Review the source credibility and add the corresponding marking like admiralty-scale on the origin"
|
|
},
|
|
{
|
|
"value": "add-missing-misp-galaxy-cluster-values",
|
|
"expanded": "Add potential MISP galaxy cluster values missing about the information tagged"
|
|
},
|
|
{
|
|
"value": "create-missing-misp-galaxy-cluster",
|
|
"expanded": "Create missing MISP galaxy cluster about the information tagged"
|
|
},
|
|
{
|
|
"value": "create-missing-misp-galaxy-cluster-relationship",
|
|
"expanded": "create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)"
|
|
},
|
|
{
|
|
"value": "create-missing-misp-galaxy",
|
|
"expanded": "Create missing MISP galaxy at large about the information tagged (e.g. a new category of malware or activity)"
|
|
},
|
|
{
|
|
"value": "create-missing-relationship",
|
|
"expanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
|
|
},
|
|
{
|
|
"value": "add-context",
|
|
"expanded": "Add contextual information about the information tagged"
|
|
},
|
|
{
|
|
"value": "add-tagging",
|
|
"expanded": "Add adequate tagging and classification about the information tagged"
|
|
},
|
|
{
|
|
"value": "check-passive-dns-for-shared-hosting",
|
|
"expanded": "Check Passive DNS (or similar techniques) to review if the information tagged is used within shared hosting"
|
|
},
|
|
{
|
|
"value": "review-classification",
|
|
"expanded": "Review the classification of the information tagged to ensure adequate marking of the information before publication"
|
|
},
|
|
{
|
|
"value": "review-the-grammar",
|
|
"expanded": "Review the grammar of the information tagged to improve the overall quality"
|
|
},
|
|
{
|
|
"value": "do-not-delete",
|
|
"expanded": "Element that should not be deleted (without asking)"
|
|
},
|
|
{
|
|
"value": "add-mitre-attack-cluster",
|
|
"expanded": "Describe cyber adversary behavior using MITRE ATT&CK"
|
|
},
|
|
{
|
|
"value": "additional-task",
|
|
"expanded": "Used to point an additional task that can not be describe by the rest of the taxonomy and need to be done"
|
|
},
|
|
{
|
|
"value": "create-event",
|
|
"expanded": "A new MISP event need to be created from the tag reference"
|
|
},
|
|
{
|
|
"value": "preserve-evidence",
|
|
"expanded": "Preseve evidence mentioned in the information tagged"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "state",
|
|
"entry": [
|
|
{
|
|
"value": "incomplete",
|
|
"expanded": "Incomplete means that the information tagged is incomplete and has potential to be completed by other analysts, technical processes or the current analysts performing the analysis."
|
|
},
|
|
{
|
|
"value": "complete",
|
|
"expanded": "Complete means that the information tagged reach a state of completeness with the current capabilities of the analyst."
|
|
},
|
|
{
|
|
"value": "draft",
|
|
"expanded": "Draft means the information tagged can be released as a preliminary version or outline."
|
|
},
|
|
{
|
|
"value": "ongoing",
|
|
"expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst."
|
|
},
|
|
{
|
|
"value": "rejected",
|
|
"expanded": "Analyst rejected the process. The object will not reach state of completeness."
|
|
},
|
|
{
|
|
"value": "release",
|
|
"expanded": "Analyst approved the information to be released. Like a MISP event to be released and published."
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|