Create osint Profile (#992)

#### Related Issue: 

#988 

#### Description of changes:

- Added `osint` object.
- Added `osint` Profile based on `osint` object.
- Added `signatures` object, an array of `signature` objects.
- Added `subdomains` object, an array of `subdomain` used to enumerate
DGA-generated domains.
- Added `whois` object.
- Added `contact` and array-typed `contacts` object for use with `whois`
object.
- Added `is_self_signed` Boolean attribute to `certificate` object.

Several dozen attributes were added to `dictionary` to support `whois`
and `contact`.

---------

Signed-off-by: Jonathan Rau <[email protected]>

CHANGELOG.md

@@ -46,11 +46,17 @@ Thankyou! -->
     1. Added `Event Log Activity` event class. #1014
     2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066
 * #### Profiles
+    1. Added `osint` Profile based on `osint` object. #992
 * #### Objects
     1. Added `d3fend` `d3f_tactic` `d3f_technique` MITRE objects. #1066 
     2. Added `ja4_fingerprint` object. #834
     3. Added `ja4_fingerprint_list` as a list of `ja4_fingerprint` objects.  #834
     4. Added `ticket` object. #1068
+    5. Added `osint` object. #992
+    6. Added `signatures` object, an array of `signature` objects. #992
+    7. Added `whois` object. #992
+    8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
+
 * #### Platform Extensions
 
 ### Improved
@@ -289,4 +295,4 @@ Thankyou! -->
 
 ## [v1.0.0]
 
-Initial release of OCSF.
+Initial release of OCSF.

dictionary.json

@@ -1514,11 +1514,51 @@
       "description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
       "type": "string_t"
     },
+    "dnssec_status_id": {
+      "caption": "DNSSEC Status ID",
+      "description": "Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The disposition is unknown."
+        },
+        "1": {
+          "caption": "Signed",
+          "description": "The related domain enables the signing of DNS records using DNSSEC."
+        },
+        "2": {
+          "caption": "Unsigned",
+          "description": "The related domain does not enable the signing of DNS records using DNSSEC."
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The DNSSEC status is not mapped. See the <code>dnssec_status</code> attribute, which contains a data source specific value."
+        }
+      },
+      "sibling": "dnssec_status",
+      "type": "integer_t"
+    },
+    "dnssec_status": {
+      "caption": "DNSSEC Status",
+      "description": "The normalized value of dnssec_status_id.",
+      "type": "string_t"
+    },
     "domain": {
       "caption": "Domain",
       "description": "The name of the domain.",
       "type": "string_t"
     },
+    "domain_contact": {
+      "caption": "Domain Contact",
+      "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+      "type": "domain_contact"
+    },
+    "domain_contacts": {
+      "caption": "Domain Contacts",
+      "description": "An array of <code>Domain Contact</code> objects.",
+      "is_array": true,
+      "type": "domain_contact"
+    },
     "driver": {
       "caption": "Kernel Driver",
       "description": "The driver that was loaded/unloaded into the kernel",
@@ -2187,6 +2227,11 @@
       "description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
       "type": "boolean_t"
     },
+    "is_self_signed": {
+      "caption": "Certificate Self-Signed",
+      "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
+      "type": "boolean_t"
+    },
     "is_superseded": {
       "caption": "The patch is superseded.",
       "description": "The vendor patch has been replaced by another.",
@@ -2637,6 +2682,12 @@
       "description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
       "type": "integer_t"
     },
+    "name_servers": {
+      "caption": "Name Servers",
+      "description": "A collection of name servers related to a domain registration or other record.",
+      "is_array": true,
+      "type": "string_t"
+    },
     "network_driver": {
       "caption": "Network Driver",
       "description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
@@ -3779,6 +3830,12 @@
       "description": "The digital signature of the file.",
       "type": "digital_signature"
     },
+    "signatures": {
+      "caption": "Digital Signatures",
+      "description": "A collection of <code>Digital Signature</code> objects.",
+      "is_array": true,
+      "type": "digital_signature"
+    },
     "size": {
       "caption": "Size",
       "description": "The size of data, in bytes.",
@@ -3955,6 +4012,12 @@
       "description": "The subdomain portion of the URL. For example: <code>sub</code> in <code>https://sub.example.com</code> or <code>sub2.sub1</code> in <code>https://sub2.sub1.example.com</code>.",
       "type": "string_t"
     },
+    "subdomains": {
+      "caption": "Subdomains",
+      "description": "An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).",
+      "is_array": true,
+      "type": "string_t"
+    },
     "subject": {
       "caption": "Subject Details",
       "description": "The identifier of the subject. See specific usage.",
@@ -4045,6 +4108,12 @@
       "description": "The time when the entity was terminated. See specific usage.",
       "type": "timestamp_t"
     },
+    "osint": {
+      "caption": "OSINT",
+      "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+      "is_array": true,
+      "type": "osint"
+    },
     "tid": {
       "caption": "Thread ID",
       "description": "The Identifier of the thread associated with the event, as returned by the operating system.",
@@ -4070,6 +4139,11 @@
       "description": "The title of an entity. See specific usage.",
       "type": "string_t"
     },
+    "tlp": {
+      "caption": "Traffic Light Protocol",
+      "description": "The <a target='_blank' href='https://www.first.org/tlp/'>Traffic Light Protocol</a> was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+      "type": "string_t"
+    },
     "tls": {
       "caption": "TLS",
       "description": "The Transport Layer Security (TLS) attributes.",
@@ -4337,6 +4411,11 @@
       "type": "web_resource",
       "is_array": true
     },
+    "whois": {
+      "caption": "WHOIS",
+      "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+      "type": "whois"
+    },
     "x_forwarded_for": {
       "caption": "X-Forwarded-For",
       "description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",

events/base_event.json

@@ -5,14 +5,16 @@
   "name": "base_event",
   "profiles": [
     "cloud",
-    "datetime"
+    "datetime",
+    "osint"
   ],
   "attributes": {
     "$include": [
       "includes/classification.json",
       "includes/occurrence.json",
       "profiles/cloud.json",
-      "profiles/datetime.json"
+      "profiles/datetime.json",
+      "profiles/osint.json"
     ],
     "enrichments": {
       "group": "context",

objects/certificate.json

@@ -21,6 +21,9 @@
       "description": "The certificate issuer distinguished name.",
       "requirement": "required"
     },
+    "is_self_signed": {
+      "requirement": "recommended"
+    },
     "serial_number": {
       "description": "The serial number of the certificate used to create the digital signature.",
       "caption": "Certificate Serial Number",

objects/domain_contact.json

@@ -0,0 +1,60 @@
+{
+	"caption": "Domain Contact",
+	"description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+	"extends": "object",
+	"name": "domain_contact",
+	"attributes": {
+		"type_id": {
+			"caption": "Domain Contact Type ID",
+			"description": "The normalized domain contact type ID.",
+			"requirement": "required",
+			"enum": {
+				"1": {
+					"caption": "Registrant",
+					"description": "The contact information provided is for the domain registrant."
+				},
+				"2": {
+					"caption": "Administrative",
+					"description": "The contact information provided is for the domain administrator."
+				},
+				"3": {
+					"caption": "Technical",
+					"description": "The contact information provided is for the domain technical lead."
+				},
+				"4": {
+					"caption": "Billing",
+					"description": "The contact information provided is for the domain billing lead."
+				},
+				"5": {
+					"caption": "Abuse",
+					"description": "The contact information provided is for the domain abuse contact."
+				}
+			}
+		},
+		"type": {
+			"caption": "Domain Contact Type",
+			"description": "The Domain Contact type, normalized to the caption of the <code>type_id</code> value. In the case of 'Other', it is defined by the source",
+			"requirement": "optional"
+		},
+		"location": {
+			"caption": "Contact Location Information",
+			"description": "Location details for the contract such as the city, state/province, country, etc.",
+			"requirement": "recommended"
+		},
+		"email_addr": {
+			"caption": "Contact Email",
+			"requirement": "recommended"
+		},
+		"phone_number": {
+			"requirement": "optional"
+		},
+		"name": {
+			"description": "The individual or organization name for the contact.",
+			"requirement": "optional"
+		},
+		"uid": {
+			"description": "The unique identifier of the contact information, typically provided in WHOIS information.",
+			"requirement": "optional"
+		}
+	}
+}