extending osint profile

dictionary.json

@@ -2518,6 +2518,12 @@
       "description": "The impact of the finding, valid range 0-100.",
       "type": "integer_t"
     },
+    "intrusion_sets": {
+      "caption": "Intrusion Sets",
+      "description": "A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.",
+      "type": "string_t",
+      "is_array": true
+    },
     "injection_type": {
       "caption": "Injection Type",
       "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -5132,6 +5138,11 @@
       "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
       "type": "string_t"
     },
+    "threat_actor": {
+      "caption": "Threat Actor",
+      "description": "The Threat Actor object describes the characteristics and metadata of a threat actor.",
+      "type": "threat_actor"
+    },
     "ttl": {
       "caption": "TTL",
       "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
@@ -5226,6 +5237,11 @@
       "description": "The size in bytes of an attribute before truncation. See specific usage.",
       "type": "integer_t"
     },
+    "uploaded_time": {
+      "caption": "Uploaded Time",
+      "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.",
+      "type": "timestamp_t"
+    },
     "url": {
       "caption": "URL",
       "description": "The URL object that pertains to the event or object. See specific usage.",

objects/campaign.json

@@ -5,6 +5,7 @@
   "name": "campaign",
   "attributes": {
     "name": {
+      "description": "The name of a specific campaign associated with a cyber threat.",
       "requirement": "optional"
     }
   }

objects/osint.json

@@ -140,6 +140,10 @@
       "description":"Analyst commentary or source commentary about an indicator or OSINT analysis.",
       "requirement":"optional"
     },
+    "detection_pattern":{
+      "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.",
+      "requirement": "optional"
+    },
     "email":{
       "caption":"Related Email",
       "description":"Any email information pertinent to an indicator or OSINT analysis.",
@@ -150,6 +154,9 @@
       "description":"Any email authentication information pertinent to an indicator or OSINT analysis.",
       "requirement":"optional"
     },
+    "intrusion_sets": {
+      "requirement": "optional"
+    },
     "kill_chain":{
       "description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
       "requirement":"optional"
@@ -195,6 +202,10 @@
       "description":"Any pertinent file information related to an indicator or OSINT analysis.",
       "requirement":"optional"
     },
+    "risk_score":{
+      "description":"A numerical representation of the threat indicator’s risk or confidence level.",
+      "requirement":"optional"
+    },
     "related_analytics": {
       "caption": "Related Analytics",
       "description": "Any analytics related to an indicator or OSINT analysis.",
@@ -204,6 +215,13 @@
       "description":"Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.",
       "requirement":"optional"
     },
+    "uploaded_time":{
+      "requirement":"optional"
+    },
+    "severity":{
+      "description":"Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.",
+      "requirement":"optional"
+    },
     "subnet":{
       "caption":"Related Subnet",
       "description":"A CIDR or network block related to an indicator or OSINT analysis.",
@@ -213,6 +231,9 @@
       "caption":"Related Script Data",
       "description":"Any pertinent script information related to an indicator or OSINT analysis.",
       "requirement":"optional"
+    },
+    "threat_actor":{
+      "requirement":"optional"
     }
   }
 }

objects/threat_actor.json

@@ -0,0 +1,44 @@
+{
+  "caption": "Threat Actor",
+  "description": "Threat actor is responsible for the observed malicious activity.",
+  "extends": "object",
+  "name": "threat_actor",
+  "attributes": {
+    "name": {
+      "description": "The name of the threat actor.",
+      "requirement": "optional"
+    },
+    "type": {
+      "caption": "Threat Actor Type",
+      "description": "The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.",
+      "requirement": "optional"
+    },
+    "type_id": {
+      "caption": "Threat Actor Type ID",
+      "description": "The normalized datastore resource type identifier.",
+      "requirement": "recommended",
+      "enum": {
+        "0": {
+          "caption": "Unknown",
+          "description": "The threat actor type is unknown."
+        },
+        "1": {
+          "caption": "Nation-state"
+        },
+        "2": {
+          "caption": "Cybercriminal"
+        },
+        "3": {
+          "caption": "Hacktivists"
+        },
+        "4": {
+          "caption": "Insider"
+        },
+        "99": {
+          "caption": "Other",
+          "description": "The threat actor type is not mapped."
+        }
+      }
+    }
+  }
+  }