From c253e3b3546fb8a77b9b56897c05fa9a50ceaea1 Mon Sep 17 00:00:00 2001
From: pavel jurka
Date: Thu, 9 Jan 2025 14:51:29 +0100
Subject: [PATCH] extending osint profile
---
 dictionary.json | 16 ++++++++++++++
 objects/campaign.json | 1 +
 objects/osint.json | 21 +++++++++++++++++++
 objects/threat_actor.json | 44 +++++++++++++++++++++++++++++++++++++++
 4 files changed, 82 insertions(+)
 create mode 100644 objects/threat_actor.json
diff --git a/dictionary.json b/dictionary.json
index 86631cc43..db63f3254 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -2518,6 +2518,12 @@
 "description": "The impact of the finding, valid range 0-100.",
 "type": "integer_t"
 },
+ "intrusion_sets": {
+ "caption": "Intrusion Sets",
+ "description": "A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.",
+ "type": "string_t",
+ "is_array": true
+ },
 "injection_type": {
 "caption": "Injection Type",
 "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -5132,6 +5138,11 @@
 "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
 "type": "string_t"
 },
+ "threat_actor": {
+ "caption": "Threat Actor",
+ "description": "The Threat Actor object describes the characteristics and metadata of a threat actor.",
+ "type": "threat_actor"
+ },
 "ttl": {
 "caption": "TTL",
 "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
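Review bot: The new `intrusion_sets` entry in the `@@ -2518` hunk sits between `impact` and `injection_type`, which breaks the alphabetical ordering the surrounding dictionary keys appear to follow (`injection_type` sorts before `intrusion_sets`); moving the block to just after the `injection_type` entry keeps later merges clean. The `threat_actor` and `uploaded_time` dictionary entries in the other two hunks are placed correctly. The enclosing dictionary object starts and ends outside these hunks.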
@@ -5226,6 +5237,11 @@
 "description": "The size in bytes of an attribute before truncation. See specific usage.",
 "type": "integer_t"
 },
+ "uploaded_time": {
+ "caption": "Uploaded Time",
+ "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.",
+ "type": "timestamp_t"
+ },
 "url": {
 "caption": "URL",
 "description": "The URL object that pertains to the event or object. See specific usage.",
diff --git a/objects/campaign.json b/objects/campaign.json
index 791db793d..760e31ea7 100644
--- a/objects/campaign.json
+++ b/objects/campaign.json
@@ -5,6 +5,7 @@
 "name": "campaign",
 "attributes": {
 "name": {
+ "description": "The name of a specific campaign associated with a cyber threat.",
 "requirement": "optional"
 }
 }
diff --git a/objects/osint.json b/objects/osint.json
index ac06e5d9d..da6f5c565 100644
--- a/objects/osint.json
+++ b/objects/osint.json
@@ -140,6 +140,10 @@
 "description":"Analyst commentary or source commentary about an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "detection_pattern":{
+ "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.",
+ "requirement": "optional"
+ },
 "email":{
 "caption":"Related Email",
 "description":"Any email information pertinent to an indicator or OSINT analysis.",
@@ -150,6 +154,9 @@
 "description":"Any email authentication information pertinent to an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "intrusion_sets": {
+ "requirement": "optional"
+ },
 "kill_chain":{
 "description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
 "requirement":"optional"
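Review bot: The `detection_pattern` description in the osint.json `@@ -140` hunk documents a closed classification ("behavioral analysis, static indicators, or heuristic methods") but the attribute is left as a free-form value with no normalized enum, so consumers cannot filter on it reliably; the `type`/`type_id` pair introduced in objects/threat_actor.json in this same patch is the pattern to follow, e.g. a `detection_pattern_type_id` enum alongside the pattern itself. The diff also adds no dictionary.json entry for `detection_pattern` (only `intrusion_sets`, `threat_actor` and `uploaded_time` are added), so unless it already exists in the dictionary the attribute will not resolve when the schema is built. If the attribute is meant to hold the pattern content rather than its category, the description should say so, e.g. `"description": "The detection pattern (such as a rule or signature) used to identify the associated threat indicator."`. The enclosing `attributes` object starts and ends outside this hunk.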
@@ -195,6 +202,10 @@
 "description":"Any pertinent file information related to an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "risk_score":{
+ "description":"A numerical representation of the threat indicator’s risk or confidence level.",
+ "requirement":"optional"
+ },
 "related_analytics": {
 "caption": "Related Analytics",
 "description": "Any analytics related to an indicator or OSINT analysis.",
@@ -204,6 +215,13 @@
 "description":"Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "uploaded_time":{
+ "requirement":"optional"
+ },
+ "severity":{
+ "description":"Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.",
+ "requirement":"optional"
+ },
 "subnet":{
 "caption":"Related Subnet",
 "description":"A CIDR or network block related to an indicator or OSINT analysis.",
@@ -213,6 +231,9 @@
 "caption":"Related Script Data",
 "description":"Any pertinent script information related to an indicator or OSINT analysis.",
 "requirement":"optional"
+ },
+ "threat_actor":{
+ "requirement":"optional"
 }
 }
 }
\ No newline at end of file
diff --git a/objects/threat_actor.json b/objects/threat_actor.json
new file mode 100644
index 000000000..3e722b4ae
--- /dev/null
+++ b/objects/threat_actor.json
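Review bot: The `risk_score` description in the `@@ -195` hunk conflates two different measures ("risk or confidence level"), and gives no scale, so two producers can legitimately emit incomparable values for the same field; risk and confidence should be separate attributes, and the scale stated the way the `impact` entry in dictionary.json does, e.g. `"description":"A numerical representation of the threat indicator’s risk, valid range 0-100."`. The `severity` attribute added in the `@@ -204` hunk has the same normalization gap: it is a caption-style string without a matching `severity_id`, whereas the rest of the schema pairs such strings with an enum (`injection_type`/`injection_type_id` in dictionary.json, `type`/`type_id` in the new threat_actor.json); if `severity_id` exists in the dictionary, add it here with `severity` described as "normalized to the caption of the severity_id value". The `uploaded_time` attribute in that hunk also carries no description override, so the object will show the generic dictionary wording.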
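Review bot: `threat_actor` in the `@@ -213` hunk is a single object while `intrusion_sets` (added in the `@@ -150` hunk) is an array, so an indicator attributed to more than one actor cannot be expressed even though the intrusion-set description on dictionary.json explicitly allows multiple associated actors; if multiple attribution is intended, this should be `threat_actors` with `is_array` set on the dictionary entry, otherwise the description should state that it is the primary attributed actor. The hunk also preserves the missing newline at end of file (`\ No newline at end of file`), which is worth fixing while the closing braces are being touched.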
@@ -0,0 +1,44 @@
+{
+ "caption": "Threat Actor",
+ "description": "Threat actor is responsible for the observed malicious activity.",
+ "extends": "object",
+ "name": "threat_actor",
+ "attributes": {
+ "name": {
+ "description": "The name of the threat actor.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Threat Actor Type",
+ "description": "The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Threat Actor Type ID",
+ "description": "The normalized datastore resource type identifier.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The threat actor type is unknown."
+ },
+ "1": {
+ "caption": "Nation-state"
+ },
+ "2": {
+ "caption": "Cybercriminal"
+ },
+ "3": {
+ "caption": "Hacktivists"
+ },
+ "4": {
+ "caption": "Insider"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The threat actor type is not mapped."
+ }
+ }
+ }
+ }
+ }
\ No newline at end of file
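Review bot: The `type_id` description in the new objects/threat_actor.json reads "The normalized datastore resource type identifier.", which looks copied from another object and does not describe this attribute; it should be `"description": "The normalized threat actor type identifier.",`. In the same enum, `"caption": "Hacktivists"` is plural while `Nation-state`, `Cybercriminal` and `Insider` are singular, so `"caption": "Hacktivist"` keeps the values consistent, and entries 1–4 have no `description` while 0 and 99 do. The sibling `type` description should state that the value is normalized to the caption of `type_id`, as `injection_type` does in dictionary.json, and the object-level description would be clearer and consistent with the dictionary entry as "The Threat Actor object describes the characteristics and metadata of a threat actor responsible for the observed malicious activity." The file is also committed without a trailing newline.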