chg: taxonomies updated to the latest version

pull/8/head
Alexandre Dulaunoy 2018-12-22 15:01:07 +01:00
parent 90690e947c
commit 6609a3d63e
No known key found for this signature in database
GPG Key ID: 09E2CD4944E6CBCD
2 changed files with 139661 additions and 138185 deletions


@ -523,6 +523,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
<li><a href="#_targeted_threat_index">targeted-threat-index</a></li> <li><a href="#_targeted_threat_index">targeted-threat-index</a></li>
<li><a href="#_tlp">tlp</a></li> <li><a href="#_tlp">tlp</a></li>
<li><a href="#_tor">tor</a></li> <li><a href="#_tor">tor</a></li>
<li><a href="#_use_case_applicability">use-case-applicability</a></li>
<li><a href="#_veris">veris</a></li> <li><a href="#_veris">veris</a></li>
<li><a href="#_vocabulaire_des_probabilites_estimatives">vocabulaire-des-probabilites-estimatives</a></li> <li><a href="#_vocabulaire_des_probabilites_estimatives">vocabulaire-des-probabilites-estimatives</a></li>
<li><a href="#_workflow">workflow</a></li> <li><a href="#_workflow">workflow</a></li>
@ -1366,7 +1367,7 @@ accessnow namespace available in JSON format at <a href="https://github.com/MISP
</table> </table>
</div> </div>
<div class="paragraph"> <div class="paragraph">
<p>Access Now</p> <p>Access Now classification to classify an issue (such as security, human rights, youth rights).</p>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_anti_corruption_transparency">anti-corruption-transparency</h3> <h3 id="_anti_corruption_transparency">anti-corruption-transparency</h3>
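Review bot: the new description "Access Now classification to classify an issue (such as security, human rights, youth rights)" is tautological ("classification to classify"); suggest "Access Now classification of an issue (such as security, human rights, youth rights)." Since this HTML appears to be rendered from the taxonomy's machinetag.json (linked in the note block above the description), the wording should be fixed in the source description rather than in this generated file.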
@ -1720,7 +1721,7 @@ action-taken namespace available in JSON format at <a href="https://github.com/M
</table> </table>
</div> </div>
<div class="paragraph"> <div class="paragraph">
<p>Action taken</p> <p>Action taken in the case of a security incident (CSIRT perspective).</p>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_informed_isphosting_service_provider">informed ISP/Hosting Service Provider</h3> <h3 id="_informed_isphosting_service_provider">informed ISP/Hosting Service Provider</h3>
@ -4751,10 +4752,8 @@ ddos namespace available in JSON format at <a href="https://github.com/MISP/misp
</tr> </tr>
</table> </table>
</div> </div>
<div class="literalblock"> <div class="paragraph">
<div class="content"> <p>Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.</p>
<pre>Distributed Denial of Service - or short: DDoS - taxonomy supports the description of Denial of Service attacks and especially the types they belong too.</pre>
</div>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_type_2">type</h3> <h3 id="_type_2">type</h3>
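Review bot: the description carried into the new paragraph keeps a typo: "the types they belong too" should read "the types they belong to", and the sentence would read better as "The Distributed Denial of Service (DDoS) taxonomy supports the description of denial-of-service attacks and especially the types they belong to." Replacing the literalblock (`<pre>`) with a normal paragraph is the right fix for the rendering of this description.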
@ -5691,7 +5690,7 @@ economical-impact namespace available in JSON format at <a href="https://github.
</table> </table>
</div> </div>
<div class="paragraph"> <div class="paragraph">
<p>Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information.</p> <p>Economical impact is a taxonomy to describe the financial impact as positive or negative gain to the tagged information (e.g. data exfiltration loss, a positive gain for an adversary).</p>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_loss">loss</h3> <h3 id="_loss">loss</h3>
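Review bot: the added example "(e.g. data exfiltration loss, a positive gain for an adversary)" leaves the perspective of the tag ambiguous: a data exfiltration is a loss for the affected organisation and a gain for the adversary, so it is unclear whether economical-impact:gain is meant to be applied from the adversary's side or only from the side of the organisation the tagged information concerns. Suggest stating the perspective explicitly in the description (for example "as a loss or a gain for the affected organisation") and choosing an example that does not fit both predicates at once.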
@ -5725,7 +5724,31 @@ economical-impact namespace available in JSON format at <a href="https://github.
<div class="sect3"> <div class="sect3">
<h4 id="_economical_impactlossless_than_1m_euro">economical-impact:loss="less-than-1M-euro"</h4> <h4 id="_economical_impactlossless_than_1m_euro">economical-impact:loss="less-than-1M-euro"</h4>
<div class="paragraph"> <div class="paragraph">
<p>Less than EUR 1 000 000</p> <p>Less than 1 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactlossless_than_10m_euro">economical-impact:loss="less-than-10M-euro"</h4>
<div class="paragraph">
<p>Less than 10 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactlossless_than_100m_euro">economical-impact:loss="less-than-100M-euro"</h4>
<div class="paragraph">
<p>Less than 100 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactlossless_than_1b_euro">economical-impact:loss="less-than-1B-euro"</h4>
<div class="paragraph">
<p>Less than 1 billion EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactlossmore_than_1b_euro">economical-impact:loss="more-than-1B-euro"</h4>
<div class="paragraph">
<p>More than 1 billion EUR</p>
</div> </div>
</div> </div>
</div> </div>
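Review bot: the five loss values are not mutually exclusive as described: a loss of 500 000 EUR satisfies "Less than 1 million EUR", "Less than 10 million EUR", "Less than 100 million EUR" and "Less than 1 billion EUR" alike, so two analysts can legitimately tag the same event with different values. Either describe the values as bands ("between 1 and 10 million EUR", "between 10 and 100 million EUR", ...) or state in the loss predicate description that the smallest matching value is to be used. The change from "EUR 1 000 000" to "1 million EUR" correctly aligns the existing value with the wording of the new ones.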
@ -5761,7 +5784,31 @@ economical-impact namespace available in JSON format at <a href="https://github.
<div class="sect3"> <div class="sect3">
<h4 id="_economical_impactgainless_than_1m_euro">economical-impact:gain="less-than-1M-euro"</h4> <h4 id="_economical_impactgainless_than_1m_euro">economical-impact:gain="less-than-1M-euro"</h4>
<div class="paragraph"> <div class="paragraph">
<p>Less than EUR 1 000 000</p> <p>Less than 1 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactgainless_than_10m_euro">economical-impact:gain="less-than-10M-euro"</h4>
<div class="paragraph">
<p>Less than 10 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactgainless_than_100m_euro">economical-impact:gain="less-than-100M-euro"</h4>
<div class="paragraph">
<p>Less than 100 million EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactgainless_than_1b_euro">economical-impact:gain="less-than-1B-euro"</h4>
<div class="paragraph">
<p>Less than 1 billion EUR</p>
</div>
</div>
<div class="sect3">
<h4 id="_economical_impactgainmore_than_1b_euro">economical-impact:gain="more-than-1B-euro"</h4>
<div class="paragraph">
<p>More than 1 billion EUR</p>
</div> </div>
</div> </div>
</div> </div>
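Review bot: the new gain values repeat the loss values string for string, including the same overlapping "Less than ..." descriptions, so whichever fix is chosen for the loss values (explicit bands, or a "smallest matching value" rule in the predicate description) has to be mirrored here; otherwise an event with a 500 000 EUR gain matches four of the five values.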
@ -22018,7 +22065,7 @@ pentest namespace available in JSON format at <a href="https://github.com/MISP/m
</table> </table>
</div> </div>
<div class="paragraph"> <div class="paragraph">
<p>pentest classification.</p> <p>Penetration test (pentest) classification.</p>
</div> </div>
<div class="sect2"> <div class="sect2">
<h3 id="_approach">approach</h3> <h3 id="_approach">approach</h3>
@ -24012,6 +24059,146 @@ tor namespace available in JSON format at <a href="https://github.com/MISP/misp-
</div> </div>
</div> </div>
<div class="sect1"> <div class="sect1">
<h2 id="_use_case_applicability">use-case-applicability</h2>
<div class="sectionbody">
<div class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
use-case-applicability namespace available in JSON format at <a href="https://github.com/MISP/misp-taxonomies/blob/master/use-case-applicability/machinetag.json"><strong>this location</strong></a>. The JSON format can be freely reused in your application or automatically enabled in <a href="https://www.github.com/MISP/MISP">MISP</a> taxonomy.
</td>
</tr>
</table>
</div>
<div class="paragraph">
<p>The Use Case Applicability categories reflect standard resolution categories, to clearly display alerting rule configuration problems.</p>
</div>
<div class="sect2">
<h3 id="_announced_administrativeuser_action">announced-administrative/user-action</h3>
<div class="paragraph">
<p>The process to communicate administrative activities or special user actions was in place and working correctly. Internal sensors are working and detecting privileged or irregular administrative behaviour.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilityannounced_administrativeuser_action">use-case-applicability:announced-administrative/user-action</h4>
<div class="paragraph">
<p>Announced administrative/user action</p>
</div>
<div class="paragraph">
<p>The process to communicate administrative activities or special user actions was in place and working correctly. Internal sensors are working and detecting privileged or irregular administrative behaviour.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_unannounced_administrativeuser_action">unannounced-administrative/user-action</h3>
<div class="paragraph">
<p>Internal sensors have detected privileged or user activity, which was not previously communicated. This category also includes improper usage.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilityunannounced_administrativeuser_action">use-case-applicability:unannounced-administrative/user-action</h4>
<div class="paragraph">
<p>Unannounced administrative/user action</p>
</div>
<div class="paragraph">
<p>Internal sensors have detected privileged or user activity, which was not previously communicated. This category also includes improper usage.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_log_management_rule_configuration_error">log-management-rule-configuration-error</h3>
<div class="paragraph">
<p>This category reflects false alerts that were raised due to configuration errors in the central log management system, often a SIEM, rule.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilitylog_management_rule_configuration_error">use-case-applicability:log-management-rule-configuration-error</h4>
<div class="paragraph">
<p>Log management rule configuration error</p>
</div>
<div class="paragraph">
<p>This category reflects false alerts that were raised due to configuration errors in the central log management system, often a SIEM, rule.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_detection_devicerule_configuration_error">detection-device/rule-configuration-error</h3>
<div class="paragraph">
<p>This category reflects rules on detection devices, which are usually passive or active components of network security.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilitydetection_devicerule_configuration_error">use-case-applicability:detection-device/rule-configuration-error</h4>
<div class="paragraph">
<p>Detection device/rule configuration error</p>
</div>
<div class="paragraph">
<p>This category reflects rules on detection devices, which are usually passive or active components of network security.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_bad_iocrule_pattern_value">bad-IOC/rule-pattern-value</h3>
<div class="paragraph">
<p>Products often require external indicator information or security feeds to be applied on active or passive infrastructure components to create alerts.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilitybad_iocrule_pattern_value">use-case-applicability:bad-IOC/rule-pattern-value</h4>
<div class="paragraph">
<p>Bad IOC/rule pattern value</p>
</div>
<div class="paragraph">
<p>Products often require external indicator information or security feeds to be applied on active or passive infrastructure components to create alerts.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_test_alert">test-alert</h3>
<div class="paragraph">
<p>This alert reflects alerts created for testing purposes.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilitytest_alert">use-case-applicability:test-alert</h4>
<div class="paragraph">
<p>Test alert</p>
</div>
<div class="paragraph">
<p>This alert reflects alerts created for testing purposes.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_confirmed_attack_with_ir_actions">confirmed-attack-with-IR-actions</h3>
<div class="paragraph">
<p>This alert represents the classic true positives, where all security controls in place were circumvented, a security control was lacking or a misconfiguration of a security element occurred.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilityconfirmed_attack_with_ir_actions">use-case-applicability:confirmed-attack-with-IR-actions</h4>
<div class="paragraph">
<p>Confirmed Attack with IR actions</p>
</div>
<div class="paragraph">
<p>This alert represents the classic true positives, where all security controls in place were circumvented, a security control was lacking or a misconfiguration of a security element occurred.</p>
</div>
</div>
</div>
<div class="sect2">
<h3 id="_confirmed_attack_attempt_without_ir_actions">confirmed-attack-attempt-without-IR-actions</h3>
<div class="paragraph">
<p>This category reflects an attempt by a threat actor, which in the end could be prevented by in place security measures but passed security controls associated with the delivery phase of the Cyber Kill Chain.</p>
</div>
<div class="sect3">
<h4 id="_use_case_applicabilityconfirmed_attack_attempt_without_ir_actions">use-case-applicability:confirmed-attack-attempt-without-IR-actions</h4>
<div class="paragraph">
<p>Confirmed Attack attempt without IR actions</p>
</div>
<div class="paragraph">
<p>This category reflects an attempt by a threat actor, which in the end could be prevented by in place security measures but passed security controls associated with the delivery phase of the Cyber Kill Chain.</p>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_veris">veris</h2> <h2 id="_veris">veris</h2>
<div class="sectionbody"> <div class="sectionbody">
<div class="admonitionblock note"> <div class="admonitionblock note">
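Review bot: several descriptions in the new use-case-applicability section need tightening before they serve as resolution categories. The namespace description "reflect standard resolution categories, to clearly display alerting rule configuration problems" covers only the configuration-error categories, while the list also contains announced/unannounced administrative actions, test alerts and confirmed attacks; suggest "to record how an alert was resolved, including alerting rule configuration problems". "This alert reflects alerts created for testing purposes" (test-alert) is circular. "This category reflects rules on detection devices, which are usually passive or active components of network security" (detection-device/rule-configuration-error) explains what a detection device is but never states that the alert was caused by a misconfigured rule, and "Products often require external indicator information or security feeds to be applied ..." (bad-IOC/rule-pattern-value) likewise never states that the indicator or pattern value was wrong. "configuration errors in the central log management system, often a SIEM, rule" reads better as "configuration errors in a rule of the central log management system (often a SIEM)", and "prevented by in place security measures" as "prevented by the security measures in place". Capitalisation of the value labels is inconsistent ("Confirmed Attack with IR actions" and "Confirmed Attack attempt without IR actions" versus "Test alert" and "Bad IOC/rule pattern value"). Finally, each predicate paragraph is repeated verbatim as the paragraph of its single value (compare the two announced-administrative/user-action paragraphs); consider giving the value its own short text or dropping the duplicate.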
@ -36933,7 +37120,7 @@ workflow namespace available in JSON format at <a href="https://github.com/MISP/
</div> </div>
<div id="footer"> <div id="footer">
<div id="footer-text"> <div id="footer-text">
Last updated 2018-11-10 15:10:44 CET Last updated 2018-12-22 14:58:42 CET
</div> </div>
</div> </div>
</body> </body>

File diff suppressed because it is too large