From 4a5420bd7ba353e673809c19d1333e3981545900 Mon Sep 17 00:00:00 2001
From: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
Date: Fri, 31 May 2024 13:49:34 -0400
Subject: [PATCH] Create `osint` Profile (#992)
#### Related Issue:
#988
#### Description of changes:
- Added `osint` object.
- Added `osint` Profile based on `osint` object.
- Added `signatures` object, an array of `signature` objects.
- Added `subdomains` object, an array of `subdomain` used to enumerate
DGA-generated domains.
- Added `whois` object.
- Added `contact` and array-typed `contacts` object for use with `whois`
object.
- Added `is_self_signed` Boolean attribute to `certificate` object.
Several dozen attributes were added to `dictionary` to support `whois`
and `contact`.
---------
Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
---
CHANGELOG.md | 8 +-
dictionary.json | 79 +++++++++++++++++
events/base_event.json | 6 +-
objects/certificate.json | 3 +
objects/domain_contact.json | 60 +++++++++++++
objects/osint.json | 171 ++++++++++++++++++++++++++++++++++++
objects/whois.json | 63 +++++++++++++
profiles/osint.json | 12 +++
8 files changed, 399 insertions(+), 3 deletions(-)
create mode 100644 objects/domain_contact.json
create mode 100644 objects/osint.json
create mode 100644 objects/whois.json
create mode 100644 profiles/osint.json
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 556b34ce1..ac1a190f0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,11 +46,17 @@ Thankyou! -->
1. Added `Event Log Activity` event class. #1014
2. Added `Remediation Activity` `File Remediation Activity` `Process Remediation Activity` `Network Remediation Activity` event classes. #1066
* #### Profiles
+ 1. Added `osint` Profile based on `osint` object. #992
* #### Objects
1. Added `d3fend` `d3f_tactic` `d3f_technique` MITRE objects. #1066
2. Added `ja4_fingerprint` object. #834
3. Added `ja4_fingerprint_list` as a list of `ja4_fingerprint` objects. #834
4. Added `ticket` object. #1068
+ 5. Added `osint` object. #992
+ 6. Added `signatures` object, an array of `signature` objects. #992
+ 7. Added `whois` object. #992
+ 8. Added `domain_contact` and array-typed `domain_contacts` object for use with `whois` object. #992
+
* #### Platform Extensions
### Improved
@@ -289,4 +295,4 @@ Thankyou! -->
## [v1.0.0]
-Initial release of OCSF.
+Initial release of OCSF.
\ No newline at end of file
diff --git a/dictionary.json b/dictionary.json
index c89b12101..047fe255b 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -1514,11 +1514,51 @@
"description": "The Domain-based Message Authentication, Reporting and Conformance (DMARC) policy status.",
"type": "string_t"
},
+ "dnssec_status_id": {
+ "caption": "DNSSEC Status ID",
+ "description": "Describes the normalized status of DNS Security Extensions (DNSSEC) for a domain.",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The disposition is unknown."
+ },
+ "1": {
+ "caption": "Signed",
+ "description": "The related domain enables the signing of DNS records using DNSSEC."
+ },
+ "2": {
+ "caption": "Unsigned",
+ "description": "The related domain does not enable the signing of DNS records using DNSSEC."
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The DNSSEC status is not mapped. See the dnssec_status
attribute, which contains a data source specific value."
+ }
+ },
+ "sibling": "dnssec_status",
+ "type": "integer_t"
+ },
+ "dnssec_status": {
+ "caption": "DNSSEC Status",
+ "description": "The normalized value of dnssec_status_id.",
+ "type": "string_t"
+ },
"domain": {
"caption": "Domain",
"description": "The name of the domain.",
"type": "string_t"
},
+ "domain_contact": {
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "type": "domain_contact"
+ },
+ "domain_contacts": {
+ "caption": "Domain Contacts",
+ "description": "An array of Domain Contact
objects.",
+ "is_array": true,
+ "type": "domain_contact"
+ },
"driver": {
"caption": "Kernel Driver",
"description": "The driver that was loaded/unloaded into the kernel",
@@ -2187,6 +2227,11 @@
"description": "The cookie attribute indicates that cookies are sent to the server only when the request is encrypted using the HTTPS protocol.",
"type": "boolean_t"
},
+ "is_self_signed": {
+ "caption": "Certificate Self-Signed",
+ "description": "Denotes whether a digital certificate is self-signed or signed by a known certificate authority (CA).",
+ "type": "boolean_t"
+ },
"is_superseded": {
"caption": "The patch is superseded.",
"description": "The vendor patch has been replaced by another.",
@@ -2637,6 +2682,12 @@
"description": "If running under a process namespace (such as in a container), the process identifier within that process namespace.",
"type": "integer_t"
},
+ "name_servers": {
+ "caption": "Name Servers",
+ "description": "A collection of name servers related to a domain registration or other record.",
+ "is_array": true,
+ "type": "string_t"
+ },
"network_driver": {
"caption": "Network Driver",
"description": "The network driver used by the container. For example, bridge, overlay, host, none, etc.",
@@ -3779,6 +3830,12 @@
"description": "The digital signature of the file.",
"type": "digital_signature"
},
+ "signatures": {
+ "caption": "Digital Signatures",
+ "description": "A collection of Digital Signature
objects.",
+ "is_array": true,
+ "type": "digital_signature"
+ },
"size": {
"caption": "Size",
"description": "The size of data, in bytes.",
@@ -3955,6 +4012,12 @@
"description": "The subdomain portion of the URL. For example: sub
in https://sub.example.com
or sub2.sub1
in https://sub2.sub1.example.com
.",
"type": "string_t"
},
+ "subdomains": {
+ "caption": "Subdomains",
+ "description": "An array of subdomain strings. Can be used to collect several subdomains such as those from Domain Generation Algorithms (DGAs).",
+ "is_array": true,
+ "type": "string_t"
+ },
"subject": {
"caption": "Subject Details",
"description": "The identifier of the subject. See specific usage.",
@@ -4045,6 +4108,12 @@
"description": "The time when the entity was terminated. See specific usage.",
"type": "timestamp_t"
},
+ "osint": {
+ "caption": "OSINT",
+ "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "is_array": true,
+ "type": "osint"
+ },
"tid": {
"caption": "Thread ID",
"description": "The Identifier of the thread associated with the event, as returned by the operating system.",
@@ -4070,6 +4139,11 @@
"description": "The title of an entity. See specific usage.",
"type": "string_t"
},
+ "tlp": {
+ "caption": "Traffic Light Protocol",
+ "description": "The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+ "type": "string_t"
+ },
"tls": {
"caption": "TLS",
"description": "The Transport Layer Security (TLS) attributes.",
@@ -4337,6 +4411,11 @@
"type": "web_resource",
"is_array": true
},
+ "whois": {
+ "caption": "WHOIS",
+ "description": "The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "type": "whois"
+ },
"x_forwarded_for": {
"caption": "X-Forwarded-For",
"description": "The X-Forwarded-For header identifying the originating IP address(es) of a client connecting to a web server through an HTTP proxy or a load balancer.",
diff --git a/events/base_event.json b/events/base_event.json
index fef00766f..e2c9d32a8 100644
--- a/events/base_event.json
+++ b/events/base_event.json
@@ -5,14 +5,16 @@
"name": "base_event",
"profiles": [
"cloud",
- "datetime"
+ "datetime",
+ "osint"
],
"attributes": {
"$include": [
"includes/classification.json",
"includes/occurrence.json",
"profiles/cloud.json",
- "profiles/datetime.json"
+ "profiles/datetime.json",
+ "profiles/osint.json"
],
"enrichments": {
"group": "context",
diff --git a/objects/certificate.json b/objects/certificate.json
index 838d6f39a..ce8249844 100644
--- a/objects/certificate.json
+++ b/objects/certificate.json
@@ -21,6 +21,9 @@
"description": "The certificate issuer distinguished name.",
"requirement": "required"
},
+ "is_self_signed": {
+ "requirement": "recommended"
+ },
"serial_number": {
"description": "The serial number of the certificate used to create the digital signature.",
"caption": "Certificate Serial Number",
diff --git a/objects/domain_contact.json b/objects/domain_contact.json
new file mode 100644
index 000000000..7305462c1
--- /dev/null
+++ b/objects/domain_contact.json
@@ -0,0 +1,60 @@
+{
+ "caption": "Domain Contact",
+ "description": "The contact information related to a domain registration, e.g., registrant, administrator, abuse, billing, or technical contact.",
+ "extends": "object",
+ "name": "domain_contact",
+ "attributes": {
+ "type_id": {
+ "caption": "Domain Contact Type ID",
+ "description": "The normalized domain contact type ID.",
+ "requirement": "required",
+ "enum": {
+ "1": {
+ "caption": "Registrant",
+ "description": "The contact information provided is for the domain registrant."
+ },
+ "2": {
+ "caption": "Administrative",
+ "description": "The contact information provided is for the domain administrator."
+ },
+ "3": {
+ "caption": "Technical",
+ "description": "The contact information provided is for the domain technical lead."
+ },
+ "4": {
+ "caption": "Billing",
+ "description": "The contact information provided is for the domain billing lead."
+ },
+ "5": {
+ "caption": "Abuse",
+ "description": "The contact information provided is for the domain abuse contact."
+ }
+ }
+ },
+ "type": {
+ "caption": "Domain Contact Type",
+ "description": "The Domain Contact type, normalized to the caption of the type_id
value. In the case of 'Other', it is defined by the source",
+ "requirement": "optional"
+ },
+ "location": {
+ "caption": "Contact Location Information",
+ "description": "Location details for the contract such as the city, state/province, country, etc.",
+ "requirement": "recommended"
+ },
+ "email_addr": {
+ "caption": "Contact Email",
+ "requirement": "recommended"
+ },
+ "phone_number": {
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "The individual or organization name for the contact.",
+ "requirement": "optional"
+ },
+ "uid": {
+ "description": "The unique identifier of the contact information, typically provided in WHOIS information.",
+ "requirement": "optional"
+ }
+ }
+}
\ No newline at end of file
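Review bot: The `type_id` enum in the new `domain_contact` object has no `0`/Unknown and no `99`/Other entry, yet the sibling `type` description says "In the case of 'Other', it is defined by the source", and the other enums added in this patch (`dnssec_status_id`, the `osint` `type_id`) carry both. Suggest adding `"0": { "caption": "Unknown", "description": "The domain contact type is unknown." }` and `"99": { "caption": "Other", "description": "The domain contact type is not mapped. See the type attribute, which contains a data source specific value." }`. The `location` description also says "contract" where "contact" is meant: `"description": "Location details for the contact such as the city, state/province, country, etc.",`. Note that the commit description refers to this object as `contact`/`contacts`, while the files and CHANGELOG name it `domain_contact`/`domain_contacts`.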
diff --git a/objects/osint.json b/objects/osint.json
new file mode 100644
index 000000000..e38f5d3f7
--- /dev/null
+++ b/objects/osint.json
@@ -0,0 +1,171 @@
+{
+ "caption":"OSINT",
+ "name":"osint",
+ "description":"The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
+ "extends":"_entity",
+ "attributes":{
+ "type_id":{
+ "caption":"Indicator Type ID",
+ "description":"The OSINT indicator type ID.",
+ "requirement":"required",
+ "enum":{
+ "0":{
+ "caption":"Unknown",
+ "description":"The indicator type is ambiguous or there is not a related indicator for the OSINT object."
+ },
+ "1":{
+ "caption":"IP Address",
+ "description":"An IPv4 or IPv6 address."
+ },
+ "2":{
+ "caption":"Domain",
+ "description":"A full-qualified domain name (FQDN), subdomain, or partial domain."
+ },
+ "3":{
+ "caption":"Hostname",
+ "description":"A hostname or computer name."
+ },
+ "4":{
+ "caption":"Hash",
+ "description":"Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, etc. generated from a file, malware sample, request header, or otherwise."
+ },
+ "5":{
+ "caption":"URL",
+ "description":"A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI)."
+ },
+ "6":{
+ "caption":"User Agent",
+ "description":"A User Agent typically seen in HTTP request headers."
+ },
+ "7":{
+ "caption":"Digital Certificate",
+ "description":"The serial number, fingerprint, or full content of an X.509 digital certificate."
+ },
+ "8":{
+ "caption":"Email",
+ "description":"The contents of an email or any related information to an email object."
+ },
+ "9":{
+ "caption":"Email Address",
+ "description":"An email address."
+ },
+ "10":{
+ "caption":"Vulnerability",
+ "description":"A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration."
+ },
+ "99":{
+ "caption":"Other",
+ "description":"The indicator type is not directly listed."
+ }
+ }
+ },
+ "type":{
+ "description":"The OSINT indicator type.",
+ "requirement":"optional"
+ },
+ "value":{
+ "caption":"Indicator",
+ "description":"The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
+ "requirement":"required"
+ },
+ "tlp":{
+ "caption":"Traffic Light Protocol",
+ "description":"The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
+ "enum":{
+ "RED":{
+ "caption":"TLP:RED",
+ "description":"TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting."
+ },
+ "AMBER":{
+ "caption":"TLP:AMBER",
+ "description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "AMBER STRICT":{
+ "caption":"TLP:AMBER+STRICT",
+ "description":"TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
+ },
+ "GREEN":{
+ "caption":"TLP:GREEN",
+ "description":"TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when “community” is not defined, assume the cybersecurity/defense community."
+ },
+ "CLEAR":{
+ "caption":"TLP:CLEAR",
+ "description":"TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction."
+ }
+ },
+ "requirement":"recommended",
+ "type":"string_t"
+ },
+ "confidence_id":{
+ "description":"The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
+ "requirement":"recommended"
+ },
+ "confidence":{
+ "description":"The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.",
+ "requirement":"optional"
+ },
+ "vendor_name":{
+ "description":"The vendor name of a tool which generates intelligence or provides indicators.",
+ "requirement":"optional"
+ },
+ "src_url":{
+ "description":"The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.",
+ "requirement":"optional"
+ },
+ "comment":{
+ "caption":"Analyst Comments",
+ "description":"Analyst commentary or source commentary about an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "email":{
+ "caption":"Related Email",
+ "description":"Any email information pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "email_auth":{
+ "caption":"Related Email Authentication",
+ "description":"Any email authentication information pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "kill_chain":{
+ "description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "attacks":{
+ "description":"MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "vulnerabilities":{
+ "caption":"Related Vulnerabilities",
+ "description":"Any vulnerabilities related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "signatures":{
+ "caption":"Related Digital Signatures",
+ "description":"Any digital signatures or hashes related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "subdomains":{
+ "caption":"Related Subdomains",
+ "description":"Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "answers":{
+ "caption":"Related DNS Answers",
+ "description":"Any pertinent DNS answers information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "whois":{
+ "description":"Any pertinent WHOIS information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "autonomous_system":{
+ "description":"Any pertinent autonomous system information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ },
+ "location":{
+ "description":"Any pertinent geolocation information related to an indicator or OSINT analysis.",
+ "requirement":"optional"
+ }
+ }
+}
\ No newline at end of file
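Review bot: The `tlp` enum key `"AMBER STRICT"` contains a space while its caption is `TLP:AMBER+STRICT`, and its description is a byte-for-byte copy of the `AMBER` entry, so the one restriction that distinguishes the two labels (organization only, no clients) is never stated and a consumer comparing against the label text will not match it. Suggest `"AMBER+STRICT":{` with `"description":"TLP:AMBER+STRICT restricts sharing to the recipient's own organization only; unlike TLP:AMBER it may not be shared with the organization's clients, and then only on a need-to-know basis."`. Two smaller wording fixes in the `type_id` enum: "A full-qualified domain name" should read "A fully-qualified domain name", and "Uniform Resource Indicator (URI)" should read "Uniform Resource Identifier (URI)".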
diff --git a/objects/whois.json b/objects/whois.json
new file mode 100644
index 000000000..703ccdfc9
--- /dev/null
+++ b/objects/whois.json
@@ -0,0 +1,63 @@
+{
+ "caption":"WHOIS",
+ "description":"The resources of a WHOIS record for a given domain. This can include domain names, IP address blocks, autonomous system information, and/or contact and registration information for a domain.",
+ "extends":"object",
+ "name":"whois",
+ "attributes":{
+ "autonomous_system":{
+ "description":"The autonomous system information associated with a domain.",
+ "requirement":"optional"
+ },
+ "domain_contacts":{
+ "requirement":"recommended"
+ },
+ "created_time":{
+ "caption":"Registered At",
+ "description":"When the domain was registered or WHOIS entry was created.",
+ "requirement":"recommended"
+ },
+ "dnssec_status_id":{
+ "requirement":"recommended"
+ },
+ "dnssec_status":{
+ "requirement":"optional"
+ },
+ "domain":{
+ "requirement":"recommended"
+ },
+ "email_addr":{
+ "caption":"Registrar Abuse Email Address",
+ "description":"The email address for the registrar's abuse contact",
+ "requirement":"optional"
+ },
+ "last_seen_time":{
+ "caption":"Last Updated At",
+ "requirement":"recommended",
+ "description":"When the WHOIS record was last updated or seen at."
+ },
+ "name_servers":{
+ "requirement":"recommended"
+ },
+ "phone_number":{
+ "caption":"Registrar Abuse Phone Number",
+ "description":"The phone number for the registrar's abuse contact",
+ "requirement":"optional"
+ },
+ "registrar":{
+ "requirement":"recommended"
+ },
+ "status":{
+ "caption":"Domain Status",
+ "description":"The status of a domain and its ability to be transferred, e.g., clientTransferProhibited
.",
+ "requirement":"recommended"
+ },
+ "subdomains":{
+ "requirement":"optional"
+ },
+ "subnet":{
+ "caption":"Subnet Block",
+ "description":"The IP address block (CIDR) associated with a domain.",
+ "requirement":"optional"
+ }
+ }
+}
\ No newline at end of file
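Review bot: `email_addr` and `phone_number` are captioned as the registrar's abuse contact, but the same object already carries `domain_contacts`, whose `type_id` includes an `Abuse` entry, so the abuse contact can be recorded in two places that may drift apart. Suggest stating the precedence in the description, e.g. `"description":"The email address for the registrar's abuse contact. When the full contact is known, prefer a domain_contacts entry of type Abuse."`, and the same for the phone number. Both descriptions also lack the trailing period used by the other attributes in this object. `last_seen_time` is captioned "Last Updated At"; if the dictionary defines a `modified_time` attribute, that name would express "last updated" more directly than a last-seen timestamp, which otherwise should be described as the time the record was last observed.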
diff --git a/profiles/osint.json b/profiles/osint.json
new file mode 100644
index 000000000..f4162cc5a
--- /dev/null
+++ b/profiles/osint.json
@@ -0,0 +1,12 @@
+{
+ "description": "The OSINT (Open Source Intelligence) profile contains one or more indicators and associated analysis and details, such as registrar (WHOIS) information and commentary about a hostname, or information about a digital certificate and its usage within a campaign. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers within the profile itself.",
+ "meta": "profile",
+ "caption": "OSINT",
+ "name": "osint",
+ "attributes": {
+ "osint": {
+ "requirement": "required",
+ "group": "primary"
+ }
+ }
+}
\ No newline at end of file
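Review bot: The profile description ends with "providing decisioning support to other analysts and engineers within the profile itself", which is unclear about what "within the profile itself" adds; suggest ending the sentence at "engineers." as the `osint` object description in dictionary.json does. Since the dictionary declares `osint` with `"is_array": true`, the description could also say that the profile attaches a list of OSINT objects to the event, which is what "one or more indicators" implies.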