115 lines
3.1 KiB
JSON
115 lines
3.1 KiB
JSON
{
|
|
"namespace": "cssa",
|
|
"description": "The CSSA agreed sharing taxonomy.",
|
|
"version": 8,
|
|
"predicates": [
|
|
{
|
|
"value": "sharing-class",
|
|
"expanded": "Sharing Class"
|
|
},
|
|
{
|
|
"value": "report",
|
|
"expanded": "Report"
|
|
},
|
|
{
|
|
"value": "origin",
|
|
"expanded": "Origin"
|
|
},
|
|
{
|
|
"value": "analyse",
|
|
"expanded": "Please analyse sample",
|
|
"colour": "#fab74d"
|
|
}
|
|
],
|
|
"values": [
|
|
{
|
|
"predicate": "sharing-class",
|
|
"entry": [
|
|
{
|
|
"value": "high_profile",
|
|
"expanded": "Generated within the company during incident/case related investigations or forensic analysis or via malware reversing, validated by humans and highly contextualized.",
|
|
"colour": "#007695",
|
|
"numerical_value": 95
|
|
},
|
|
{
|
|
"value": "vetted",
|
|
"expanded": "Generated within the company, validated by a human prior to sharing, data points have been contextualized (to a degree) e.g. IPs are related to C2 or drop site.",
|
|
"colour": "#008aaf",
|
|
"numerical_value": 50
|
|
},
|
|
{
|
|
"value": "unvetted",
|
|
"expanded": "Generated within the company by automated means without human interaction e.g., by malware sandbox, honeypots, IDS, etc.",
|
|
"colour": "#00b3e2",
|
|
"numerical_value": 10
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "report",
|
|
"entry": [
|
|
{
|
|
"value": "details",
|
|
"expanded": "Description of the incidence.",
|
|
"colour": "#fbc166"
|
|
},
|
|
{
|
|
"value": "link",
|
|
"expanded": "Link to the original report location.",
|
|
"colour": "#fbcb7f"
|
|
},
|
|
{
|
|
"value": "attached",
|
|
"expanded": "Attached report.",
|
|
"colour": "#fcd597"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"predicate": "origin",
|
|
"entry": [
|
|
{
|
|
"value": "manual_investigation",
|
|
"expanded": "Information gathered by an analyst/incident responder/forensic expert/etc.",
|
|
"colour": "#29775d"
|
|
},
|
|
{
|
|
"value": "honeypot",
|
|
"expanded": "Information coming out of honeypots.",
|
|
"colour": "#2f8a6c"
|
|
},
|
|
{
|
|
"value": "sandbox",
|
|
"expanded": "Information coming out of sandboxes.",
|
|
"colour": "#369d7b"
|
|
},
|
|
{
|
|
"value": "email",
|
|
"expanded": "Information coming out of email infrastructure.",
|
|
"colour": "#3db08a"
|
|
},
|
|
{
|
|
"value": "3rd-party",
|
|
"expanded": "Information from outside the company.",
|
|
"colour": "#46c098"
|
|
},
|
|
{
|
|
"value": "report",
|
|
"expanded": "Information coming from a report.",
|
|
"colour": "#22644e"
|
|
},
|
|
{
|
|
"value": "other",
|
|
"expanded": "If none of the other origins applies.",
|
|
"colour": "#59c6a2"
|
|
},
|
|
{
|
|
"value": "unknown",
|
|
"expanded": "Origin of the data unknown.",
|
|
"colour": "#6ccdad"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|