{
"namespace": "pyoti",
"description": "PyOTI automated enrichment schemes for point-in-time classification of indicators.",
"version": 1,
"expanded": "PyOTI Enrichment",
"refs": [
"https://github.com/RH-ISAC/PyOTI"
],
"predicates": [
{
"value": "checkdmarc",
"expanded": "CheckDMARC",
"description": "CheckDMARC validates SPF and DMARC DNS records."
},
{
"value": "disposable-email",
"expanded": "Disposable Email Domain",
"description": "The email domain is from a disposable email service."
},
{
"value": "emailrepio",
"expanded": "EmailRepIO",
"description": "EmailRep.io is a system of crawlers, scanners and enrichment services that collects data on email addresses, domains, and internet personas."
},
{
"value": "iris-investigate",
"expanded": "Iris Investigate",
"description": "Iris Investigate gives visibility into what type of risk the domain represents."
},
{
"value": "virustotal",
"expanded": "VirusTotal",
"description": "Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community."
},
{
"value": "circl-hashlookup",
"expanded": "CIRCL Hash Lookup",
"description": "Look up hash values against a database of known files. The NSRL RDS database is included, as well as many others."
},
{
"value": "reputation-block-list",
"expanded": "Reputation Block List",
"description": "Reputation Block Lists are lists of domains, URLs, and IP addresses that have been investigated and subsequently identified as posing security threats."
},
{
"value": "abuseipdb",
"expanded": "AbuseIPDB",
"description": "AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet."
},
{
"value": "greynoise-riot",
"expanded": "GreyNoise RIOT",
"description": "GreyNoise RIOT identifies IPs from known benign services and organizations that commonly cause false positives in network security and threat intelligence products."
},
{
"value": "googlesafebrowsing",
"expanded": "Google Safe Browsing",
"description": "Google Safe Browsing is a blacklist service from Google that provides lists of URLs for web resources that contain malware or phishing content."
}
],
"values": [
{
"predicate": "checkdmarc",
"entry": [
{
"value": "spoofable",
"expanded": "Spoofable",
"description": "The email address can be spoofed (e.g. there is no strict SPF policy, or DMARC is not enforced)."
}
]
},
{
"predicate": "emailrepio",
"entry": [
{
"value": "spoofable",
"expanded": "Spoofable",
"description": "The email address can be spoofed (e.g. there is no strict SPF policy, or DMARC is not enforced)."
},
{
"value": "suspicious",
"expanded": "Suspicious",
"description": "The email address should be treated as suspicious or risky."
},
{
"value": "blacklisted",
"expanded": "Blacklisted",
"description": "The email address is believed to be malicious or spammy."
},
{
"value": "malicious-activity",
"expanded": "Malicious Activity",
"description": "The email address has exhibited malicious behavior (e.g. phishing/fraud)."
},
{
"value": "malicious-activity-recent",
"expanded": "Malicious Activity Recent",
"description": "The email address has exhibited malicious behavior in the last 90 days (e.g. in the case of temporal account takeovers)."
},
{
"value": "credentials-leaked",
"expanded": "Credentials Leaked",
"description": "The email address has had credentials leaked at some point in time (e.g. a data breach, pastebin, dark web, etc)."
},
{
"value": "credentials-leaked-recent",
"expanded": "Credentials Leaked Recent",
"description": "The email address has had credentials leaked in the last 90 days."
},
{
"value": "reputation-high",
"expanded": "Reputation High",
"description": "The email address has a high reputation."
},
{
"value": "reputation-medium",
"expanded": "Reputation Medium",
"description": "The email address has a medium reputation."
},
{
"value": "reputation-low",
"expanded": "Reputation Low",
"description": "The email address has a low reputation."
},
{
"value": "suspicious-tld",
"expanded": "Suspicious TLD",
"description": "The email address top-level domain is suspicious."
},
{
"value": "spam",
"expanded": "Spam",
"description": "The email address has exhibited spammy behavior (e.g. spam traps, login form abuse, etc)."
}
]
},
{
"predicate": "iris-investigate",
"entry": [
{
"value": "high",
"expanded": "High",
"description": "The domain risk score is high (76-100)."
},
{
"value": "medium-high",
"expanded": "Medium High",
"description": "The domain risk score is medium-high (51-75)."
},
{
"value": "medium",
"expanded": "Medium",
"description": "The domain risk score is medium (26-50)."
},
{
"value": "low",
"expanded": "Low",
"description": "The domain risk score is low (0-25)."
}
]
},
{
"predicate": "virustotal",
"entry": [
{
"value": "known-distributor",
"expanded": "Known Distributor",
"description": "The known-distributor entry indicates a file is from a known distributor."
},
{
"value": "valid-signature",
"expanded": "Valid Signature",
"description": "The valid-signature entry indicates a file is signed with a valid signature."
}
]
},
{
"predicate": "circl-hashlookup",
"entry": [
{
"value": "high-trust",
"expanded": "High Trust",
"description": "The trust level is high (76-100)."
},
{
"value": "medium-high-trust",
"expanded": "Medium High Trust",
"description": "The trust level is medium-high (51-75)."
},
{
"value": "medium-trust",
"expanded": "Medium Trust",
"description": "The trust level is medium (26-50)."
},
{
"value": "low-trust",
"expanded": "Low Trust",
"description": "The trust level is low (0-25)."
}
]
},
{
"predicate": "reputation-block-list",
"entry": [
{
"value": "barracudacentral-brbl",
"expanded": "Barracuda Reputation Block List",
"description": "Barracuda Reputation Block List (BRBL) is a free DNSBL of IP addresses known to send spam. Barracuda Networks fights spam and created the BRBL to help stop the spread of spam."
},
{
"value": "spamcop-scbl",
"expanded": "SpamCop Blocking List",
"description": "The SpamCop Blocking List (SCBL) lists IP addresses which have transmitted reported email to SpamCop users. SpamCop, service providers and individual users then use the SCBL to block and filter unwanted email."
},
{
"value": "spamhaus-sbl",
"expanded": "Spamhaus Block List",
"description": "The Spamhaus Block List (SBL) Advisory is a database of IP addresses from which Spamhaus does not recommend the acceptance of electronic mail."
},
{
"value": "spamhaus-xbl",
"expanded": "Spamhaus Exploits Block List",
"description": "The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits."
},
{
"value": "spamhaus-pbl",
"expanded": "Spamhaus Policy Block List",
"description": "The Spamhaus PBL is a DNSBL database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer's use."
},
{
"value": "spamhaus-css",
"expanded": "Spamhaus CSS",
"description": "The Spamhaus CSS list is an automatically produced dataset of IP addresses that are involved in sending low-reputation email. CSS mostly targets static spam emitters that are not covered in the PBL or XBL, such as snowshoe spam operations, but may also include other senders that display a risk to users, such as compromised hosts."
},
{
"value": "spamhaus-drop",
"expanded": "Spamhaus Don't Route Or Peer",
"description": "Spamhaus Don't Route Or Peer (DROP) is an advisory 'drop all traffic' list. DROP is a tiny subset of the SBL which is designed for use by firewalls or routing equipment."
}
]
},
{
"predicate": "abuseipdb",
"entry": [
{
"value": "high",
"expanded": "High",
"description": "The IP abuse confidence score is high (76-100)."
},
{
"value": "medium-high",
"expanded": "Medium High",
"description": "The IP abuse confidence score is medium-high (51-75)."
},
{
"value": "medium",
"expanded": "Medium",
"description": "The IP abuse confidence score is medium (26-50)."
},
{
"value": "low",
"expanded": "Low",
"description": "The IP abuse confidence score is low (0-25)."
}
]
},
{
"predicate": "greynoise-riot",
"entry": [
{
"value": "trust-level-1",
"expanded": "Trust Level 1",
"description": "These IPs are trustworthy because the companies or services assigned are generally responsible for the interactions with this IP. Adding these ranges to an allow-list may make sense."
},
{
"value": "trust-level-2",
"expanded": "Trust Level 2",
"description": "These IPs are somewhat trustworthy because they are necessary for regular and common business internet use. Companies that own these IPs typically do not claim responsibility or have accountability for interactions with these IPs. Malicious actions may be associated with these IPs but adding this entire range to a block-list does not make sense."
}
]
},
{
"predicate": "googlesafebrowsing",
"entry": [
{
"value": "malware",
"expanded": "MALWARE",
"description": "Malware threat type."
},
{
"value": "social-engineering",
"expanded": "SOCIAL_ENGINEERING",
"description": "Social engineering threat type."
},
{
"value": "unwanted-software",
"expanded": "UNWANTED_SOFTWARE",
"description": "Unwanted software threat type."
},
{
"value": "potentially-harmful-application",
"expanded": "POTENTIALLY_HARMFUL_APPLICATION",
"description": "Potentially harmful application threat type."
},
{
"value": "unspecified",
"expanded": "THREAT_TYPE_UNSPECIFIED",
"description": "Unknown threat type."
}
]
}
]
}