From 9a3c5c0ac998b20148d6ab0f7b7f2ee559db5785 Mon Sep 17 00:00:00 2001 From: Ambrose Bonnaire-Sergeant Date: Fri, 12 Jul 2024 13:07:18 -0500 Subject: [PATCH] doc --- doc/json/actor.json | 38 +- doc/json/asset.json | 22 +- doc/json/asset_mapping.json | 30 +- doc/json/asset_properties.json | 18 +- doc/json/attack_pattern.json | 36 +- doc/json/bundle.json | 1856 +++++++++++++++--------------- doc/json/campaign.json | 38 +- doc/json/casebook.json | 1832 +++++++++++++++-------------- doc/json/coa.json | 92 +- doc/json/feedback.json | 22 +- doc/json/incident.json | 54 +- doc/json/indicator.json | 54 +- doc/json/judgement.json | 34 +- doc/json/malware.json | 34 +- doc/json/note.json | 28 +- doc/json/relationship.json | 26 +- doc/json/sighting.json | 336 +++--- doc/json/target_record.json | 30 +- doc/json/tool.json | 34 +- doc/json/verdict.json | 10 +- doc/json/vulnerability.json | 148 +-- doc/json/weakness.json | 116 +- doc/structures/actor.md | 6 + doc/structures/asset.md | 1 + doc/structures/asset_mapping.md | 13 +- doc/structures/attack_pattern.md | 1 + doc/structures/bundle.md | 207 +++- doc/structures/campaign.md | 3 + doc/structures/casebook.md | 216 +++- doc/structures/coa.md | 13 + doc/structures/feedback.md | 1 + doc/structures/incident.md | 8 + doc/structures/indicator.md | 5 + doc/structures/judgement.md | 15 +- doc/structures/malware.md | 2 + doc/structures/relationship.md | 1 + doc/structures/sighting.md | 55 +- doc/structures/target_record.md | 10 +- doc/structures/tool.md | 1 + doc/structures/verdict.md | 11 +- doc/structures/vulnerability.md | 21 + doc/structures/weakness.md | 23 + project.clj | 2 +- 43 files changed, 2989 insertions(+), 2514 deletions(-) diff --git a/doc/json/actor.json b/doc/json/actor.json index b2648dad..76e7da6e 100644 --- a/doc/json/actor.json +++ b/doc/json/actor.json @@ -1,34 +1,28 @@ { - "confidence" : "string", - "tlp" : "string", - "aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "motivation" : "Ego", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "revision" : 10, "identity" : { "description" : "string", "related_identities" : [ { "identity" : "string", - "confidence" : "string", + "confidence" : "High", "information_source" : "string", "relationship" : "string" } ] }, - "short_description" : "string", - "sophistication" : "string", + "sophistication" : "Aspirant", + "schema_version" : "1.3.18", + "revision" : 10, "planning_and_operational_support" : "string", - "schema_version" : "string", - "title" : "string", + "type" : "actor", "source" : "string", - "actor_types" : [ "string" ], - "type" : "string", - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -36,7 +30,13 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "motivation" : "string", - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "intended_effect" : "Account Takeover", + "language" : "string", + "id" : "string", + "tlp" : "green", + "aliases" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "actor_types" : [ "Cyber Espionage Operations" ] } \ No newline at end of file diff --git a/doc/json/asset.json b/doc/json/asset.json index cff89996..87d16c99 100644 --- a/doc/json/asset.json +++ b/doc/json/asset.json @@ -1,20 +1,17 @@ { - "tlp" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "asset_type" : "application", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, + "type" : "asset", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -22,6 +19,9 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/asset_mapping.json b/doc/json/asset_mapping.json index e82439cc..0538de44 100644 --- a/doc/json/asset_mapping.json +++ b/doc/json/asset_mapping.json @@ -1,26 +1,20 @@ { - "confidence" : "string", - "tlp" : "string", - "asset_ref" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "asset_type" : "application", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "stability" : "Managed", + "schema_version" : "1.3.18", "revision" : 10, - "specificity" : "string", "observable" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" }, - "stability" : "string", - "schema_version" : "string", + "asset_ref" : "string", + "type" : "asset-mapping", "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -28,5 +22,11 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "specificity" : "Low", + "confidence" : "High" } \ No newline at end of file diff --git a/doc/json/asset_properties.json b/doc/json/asset_properties.json index 0c3ce988..4cad40c2 100644 --- a/doc/json/asset_properties.json +++ b/doc/json/asset_properties.json @@ -3,20 +3,16 @@ "name" : "string", "value" : "string" } ], - "tlp" : "string", - "asset_ref" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "schema_version" : "string", + "asset_ref" : "string", + "type" : "asset-properties", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -24,5 +20,9 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/attack_pattern.json b/doc/json/attack_pattern.json index 66cc129b..c41f0b72 100644 --- a/doc/json/attack_pattern.json +++ b/doc/json/attack_pattern.json @@ -1,23 +1,13 @@ { - "tlp" : "string", - "x_mitre_platforms" : [ "string" ], - "x_mitre_data_sources" : [ "string" ], - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "abstraction_level" : "aggregate", + "schema_version" : "1.3.18", "revision" : 10, - "x_mitre_contributors" : [ "string" ], - "abstraction_level" : "string", + "type" : "attack-pattern", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -25,6 +15,16 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "x_mitre_platforms" : [ "string" ], + "language" : "string", + "id" : "string", + "tlp" : "green", + "x_mitre_data_sources" : [ "string" ], + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "x_mitre_contributors" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/bundle.json b/doc/json/bundle.json index 72c49b7f..010fc398 100644 --- a/doc/json/bundle.json +++ b/doc/json/bundle.json @@ -1,66 +1,30 @@ { - "campaign_refs" : [ "string" ], - "asset_properties" : [ { - "properties" : [ { - "name" : "string", - "value" : "string" - } ], - "tlp" : "string", - "asset_ref" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "asset_mapping_refs" : [ "string" ], + "note_refs" : [ "string" ], + "data_table_refs" : [ "string" ], + "attack_pattern_refs" : [ "string" ], + "sighting_refs" : [ "string" ], + "schema_version" : "1.3.18", + "revision" : 10, + "assets" : [ { + "description" : "string", + "asset_type" : "application", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "schema_version" : "string", + "type" : "asset", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] - } ], - "tlp" : "string", - "incidents" : [ { - "confidence" : "string", - "tlp" : "string", - "techniques" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "categories" : [ "string" ], - "tactics" : [ "string" ], - "assignees" : [ "string" ], - "incident_time" : { - "opened" : "2016-01-01T01:01:01.000Z", - "discovered" : "2016-01-01T01:01:01.000Z", - "reported" : "2016-01-01T01:01:01.000Z", - "remediated" : "2016-01-01T01:01:01.000Z", - "closed" : "2016-01-01T01:01:01.000Z", - "rejected" : "2016-01-01T01:01:01.000Z" - }, - "discovery_method" : "string", - "status" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "promotion_method" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "meta" : { - "keyword" : "string" - }, - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -68,33 +32,27 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], - "scores" : { - "keyword" : 10.0 - } + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } ], - "vulnerability_refs" : [ "string" ], + "weakness_refs" : [ "string" ], + "tool_refs" : [ "string" ], + "target_record_refs" : [ "string" ], + "asset_refs" : [ "string" ], "tools" : [ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "labels" : [ "credential-exploitation" ], + "schema_version" : "1.3.18", "revision" : 10, - "labels" : [ "string" ], + "type" : "tool", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "tool_version" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -102,40 +60,39 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "indicators" : [ { - "test_mechanisms" : [ "string" ], - "indicator_type" : [ "string" ], - "confidence" : "string", - "composite_indicator_expression" : { - "operator" : "string", - "indicator_ids" : [ "string" ] - }, - "tlp" : "string", - "negate" : true, + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tool_version" : "string", + "tlp" : "green", "kill_chain_phases" : [ { "kill_chain_name" : "string", "phase_name" : "string" } ], + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "indicators" : [ { + "description" : "string", "tags" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "producer" : "string", + "schema_version" : "1.3.18", "revision" : 10, + "type" : "indicator", + "test_mechanisms" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "producer" : "string", - "likely_impact" : "string", - "schema_version" : "string", + "composite_indicator_expression" : { + "operator" : "and", + "indicator_ids" : [ "string" ] + }, "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "likely_impact" : "string", + "indicator_type" : [ "Anonymization" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -143,49 +100,39 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "negate" : true, + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", "specification" : { - "type" : "string", + "type" : "Judgement", "judgements" : [ "string" ], "required_judgements" : [ { - "confidence" : "string", + "confidence" : "High", "source" : "string", "relationship" : "string", "judgement_id" : "string" } ] } } ], - "relationship_refs" : [ "string" ], - "sighting_refs" : [ "string" ], - "note_refs" : [ "string" ], - "coa_refs" : [ "string" ], - "campaigns" : [ { - "confidence" : "string", - "tlp" : "string", - "campaign_type" : "string", - "activity" : [ { - "date_time" : "2016-01-01T01:01:01.000Z", - "description" : "string" - } ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, + "attack_patterns" : [ { + "description" : "string", + "abstraction_level" : "aggregate", + "schema_version" : "1.3.18", "revision" : 10, - "status" : "string", + "type" : "attack-pattern", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "names" : [ "string" ], - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "intended_effect" : [ "string" ], - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -193,24 +140,45 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "attack_pattern_refs" : [ "string" ], - "judgement_refs" : [ "string" ], - "feedbacks" : [ { - "tlp" : "string", - "entity_id" : "string", + "source_uri" : "string", + "x_mitre_platforms" : [ "string" ], + "language" : "string", "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "tlp" : "green", + "x_mitre_data_sources" : [ "string" ], + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "x_mitre_contributors" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "type" : "bundle", + "weaknesses" : [ { + "description" : "string", + "background_details" : "string", + "paradigms" : [ { + "prevalence" : "Often", + "name" : "string" + } ], + "abstraction_level" : "Base", + "architectures" : [ { + "prevalence" : "Often", + "name" : "string", + "class" : "Embedded" + } ], + "schema_version" : "1.3.18", "revision" : 10, - "feedback" : 10, - "schema_version" : "string", + "alternate_terms" : [ { + "term" : "string", + "description" : "string" + } ], + "likelihood" : "High", + "type" : "weakness", "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -218,70 +186,76 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] - } ], - "coas" : [ { - "related_COAs" : [ { - "confidence" : "string", - "source" : "string", - "relationship" : "string", - "COA_id" : "string" + "functional_areas" : [ "Authentication" ], + "source_uri" : "string", + "modes_of_introduction" : [ { + "phase" : "Architecture and Design", + "note" : "string" } ], - "tlp" : "string", - "efficacy" : "string", - "structured_coa_type" : "string", + "structure" : "Chain", + "language" : "string", "id" : "string", + "notes" : [ { + "type" : "Applicable Platform", + "note" : "string" + } ], + "common_consequences" : [ { + "scopes" : [ "Access Control" ], + "impacts" : [ "Alter Execution Logic" ], + "likelihood" : "High", + "note" : "string" + } ], + "tlp" : "green", + "detection_methods" : [ { + "method" : "Architecture or Design Review", + "description" : "string", + "effectiveness" : "High", + "effectiveness_notes" : "string" + } ], + "operating_systems" : [ { + "prevalence" : "Often", + "name" : "string", + "version" : "string", + "cpe_id" : "string", + "class" : "Android" + } ], + "affected_resources" : [ "CPU" ], + "languages" : [ { + "prevalence" : "Often", + "name" : "string", + "class" : "Assembly" + } ], "timestamp" : "2016-01-01T01:01:01.000Z", + "potential_mitigations" : [ { + "description" : "string", + "phases" : [ "Architecture and Design" ], + "strategy" : "Attack Surface Reduction", + "effectiveness" : "Defense in Depth", + "effectiveness_notes" : "string" + } ], + "technologies" : [ { + "prevalence" : "Often", + "name" : "string" + } ] + } ], + "source" : "string", + "external_ids" : [ "string" ], + "feedback_refs" : [ "string" ], + "asset_properties" : [ { + "properties" : [ { + "name" : "string", + "value" : "string" + } ], "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "open_c2_coa" : { - "type" : "string", - "id" : "string", - "action" : { - "type" : "string" - }, - "target" : { - "type" : "string", - "specifiers" : "string" - }, - "actuator" : { - "type" : "string", - "specifiers" : [ "string" ] - }, - "modifiers" : { - "destination" : "string", - "method" : [ "string" ], - "option" : "string", - "id" : "string", - "location" : "string", - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "duration" : "2016-01-01T01:01:01.000Z", - "delay" : "2016-01-01T01:01:01.000Z", - "source" : "string", - "response" : "string", - "additional_properties" : { - "context" : "string" - }, - "search" : "string", - "frequency" : "string" - } - }, - "cost" : "string", - "short_description" : "string", - "impact" : "string", - "objective" : [ "string" ], - "schema_version" : "string", - "title" : "string", + "asset_ref" : "string", + "type" : "asset-properties", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -289,128 +263,73 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "coa_type" : "string", - "description" : "string", + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "short_description" : "string", + "feedbacks" : [ { + "feedback" : -1, + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "feedback", + "source" : "string", "external_ids" : [ "string" ], - "stage" : "string" + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "reason" : "string", + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "entity_id" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z" } ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "weakness_refs" : [ "string" ], - "vulnerabilities" : [ { - "tlp" : "string", - "configurations" : { - "CVE_data_version" : "string", - "nodes" : [ { - "operator" : "string", - "cpe_match" : [ { - "vulnerable" : true, - "cpe23Uri" : "string", - "versionStartIncluding" : "string", - "versionEndIncluding" : "string", - "versionStartExcluding" : "string", - "versionEndExcluding" : "string" - } ], - "children" : [ { - "operator" : "string", - "cpe_match" : [ { - "vulnerable" : true, - "cpe23Uri" : "string", - "versionStartIncluding" : "string", - "versionEndIncluding" : "string", - "versionStartExcluding" : "string", - "versionEndExcluding" : "string" - } ], - "negate" : true - } ], - "negate" : true - } ] + "judgement_refs" : [ "string" ], + "title" : "string", + "coa_refs" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "verdicts" : [ { + "type" : "verdict", + "disposition" : 1, + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" }, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "judgement_id" : "string", + "disposition_name" : "Clean", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + } + } ], + "campaigns" : [ { + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "schema_version" : "1.3.18", "revision" : 10, + "type" : "campaign", + "campaign_type" : "string", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "impact" : { - "cvss_v2" : { - "report_confidence" : "string", - "exploitability_score" : 10.0, - "availability_impact" : "string", - "access_vector" : "string", - "authentication" : "string", - "impact_score" : 10.0, - "exploitability" : "string", - "obtain_other_privilege" : true, - "availability_requirement" : "string", - "integrity_requirement" : "string", - "collateral_damage_potential" : "string", - "base_score" : 10.0, - "user_interaction_required" : true, - "environmental_vector_string" : "string", - "temporal_vector_string" : "string", - "base_severity" : "string", - "vector_string" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "obtain_all_privilege" : true, - "obtain_user_privilege" : true, - "access_complexity" : "string", - "remediation_level" : "string", - "target_distribution" : "string" - }, - "cvss_v3" : { - "modified_attack_vector" : "string", - "report_confidence" : "string", - "exploitability_score" : 10.0, - "availability_impact" : "string", - "user_interaction" : "string", - "impact_score" : 10.0, - "exploit_code_maturity" : "string", - "availability_requirement" : "string", - "integrity_requirement" : "string", - "modified_availability_impact" : "string", - "temporal_score" : 10.0, - "environmental_severity" : "string", - "modified_privileges_required" : "string", - "base_score" : 10.0, - "environmental_score" : 10.0, - "modified_attack_complexity" : "string", - "scope" : "string", - "modified_integrity_impact" : "string", - "base_severity" : "string", - "vector_string" : "string", - "modified_confidentiality_impact" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "privileges_required" : "string", - "attack_complexity" : "string", - "modified_scope" : "string", - "modified_user_interaction" : "string", - "attack_vector" : "string", - "temporal_severity" : "string", - "remediation_level" : "string" - } - }, - "last_modified_date" : "2016-01-01T01:01:01.000Z", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "published_date" : "2016-01-01T01:01:01.000Z", - "source_uri" : "string", - "cve" : { - "cve_data_meta" : { - "id" : "string", - "assigner" : "string" - } - }, - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -418,36 +337,46 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "malware_refs" : [ "string" ], - "data_table_refs" : [ "string" ], - "target_record_refs" : [ "string" ], - "identity_assertions" : [ { - "tlp" : "string", - "assertions" : [ { - "name" : "string", - "value" : "string" + "activity" : [ { + "date_time" : "2016-01-01T01:01:01.000Z", + "description" : "string" } ], + "source_uri" : "string", + "intended_effect" : [ "Account Takeover" ], + "status" : "Future", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "names" : [ "string" ] + } ], + "source_uri" : "string", + "actors" : [ { + "description" : "string", + "motivation" : "Ego", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "revision" : 10, "identity" : { - "observables" : [ { - "value" : "string", - "type" : "string" + "description" : "string", + "related_identities" : [ { + "identity" : "string", + "confidence" : "High", + "information_source" : "string", + "relationship" : "string" } ] }, - "schema_version" : "string", + "sophistication" : "Aspirant", + "schema_version" : "1.3.18", + "revision" : 10, + "planning_and_operational_support" : "string", + "type" : "actor", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -455,38 +384,63 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] - } ], - "verdict_refs" : [ "string" ], - "short_description" : "string", - "tool_refs" : [ "string" ], - "target_records" : [ { - "tlp" : "string", + "source_uri" : "string", + "intended_effect" : "Account Takeover", + "language" : "string", "id" : "string", + "tlp" : "green", + "aliases" : [ "string" ], "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "actor_types" : [ "Cyber Espionage Operations" ] + } ], + "indicator_refs" : [ "string" ], + "actor_refs" : [ "string" ], + "language" : "string", + "data_tables" : [ { + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "schema_version" : "1.3.18", "revision" : 10, - "short_description" : "string", - "targets" : [ { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "os" : "string", - "internal" : true, - "sensor" : "string", - "source_uri" : "string" + "columns" : [ { + "name" : "string", + "type" : "integer", + "description" : "string", + "required" : true, + "short_description" : "string" } ], - "schema_version" : "string", - "title" : "string", + "type" : "data-table", "source" : "string", - "type" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "rows" : [ [ "anything" ] ], "source_uri" : "string", "language" : "string", + "id" : "string", + "tlp" : "green", + "row_count" : 10, + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "id" : "string", + "notes" : [ { + "schema_version" : "1.3.18", + "revision" : 10, + "content" : "string", + "note_class" : "keyword", + "type" : "note", + "source" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -494,76 +448,346 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "author" : "string", + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "related_entities" : [ { + "entity_type" : "string", + "entity_id" : "string" + } ] } ], - "feedback_refs" : [ "string" ], - "sightings" : [ { - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "confidence" : "string", - "relations" : [ { - "origin" : "string", - "origin_uri" : "string", - "relation" : "string", - "relation_info" : { - "keyword" : { - "anything" : "anything" - } - }, - "source" : { - "value" : "string", - "type" : "string" - }, - "related" : { - "value" : "string", - "type" : "string" - } + "identity_assertions" : [ { + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "identity" : { + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ] + }, + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "identity-assertion", + "source" : "string", + "external_ids" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" } ], - "tlp" : "string", - "internal" : true, + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "assertions" : [ { + "name" : "cisco:ctr:ad:host_domain_name", + "value" : "string" + } ] + } ], + "judgements" : [ { + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "schema_version" : "1.3.18", "revision" : 10, - "sensor" : "string", - "count" : 10, - "sensor_coordinates" : { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "reason_uri" : "string", + "type" : "judgement", + "source" : "string", + "external_ids" : [ "string" ], + "disposition" : 1, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "reason" : "string", + "source_uri" : "string", + "disposition_name" : "Clean", + "priority" : 10, + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High" + } ], + "malwares" : [ { + "description" : "string", + "labels" : [ "adware" ], + "abstraction_level" : "family", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "malware", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "target_records" : [ { + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "target-record", + "source" : "string", + "external_ids" : [ "string" ], + "targets" : [ { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "observed_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "os" : "string", + "internal" : false, + "sensor" : "string", + "source_uri" : "string" + } ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "asset_mappings" : [ { + "asset_type" : "application", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "stability" : "Managed", + "schema_version" : "1.3.18", + "revision" : 10, + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "asset_ref" : "string", + "type" : "asset-mapping", + "source" : "string", + "external_ids" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "specificity" : "Low", + "confidence" : "High" + } ], + "relationship_refs" : [ "string" ], + "tlp" : "green", + "incidents" : [ { + "description" : "string", + "assignees" : [ "string" ], + "meta" : { + "keyword" : "string" + }, + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "incident", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "incident_time" : { + "opened" : "2016-01-01T01:01:01.000Z", + "discovered" : "2016-01-01T01:01:01.000Z", + "reported" : "2016-01-01T01:01:01.000Z", + "remediated" : "2016-01-01T01:01:01.000Z", + "closed" : "2016-01-01T01:01:01.000Z", + "rejected" : "2016-01-01T01:01:01.000Z" + }, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "discovery_method" : "Agent Disclosure", + "source_uri" : "string", + "intended_effect" : "Account Takeover", + "categories" : [ "Attrition" ], + "status" : "Closed", + "language" : "string", + "id" : "string", + "promotion_method" : "Automated", + "severity" : "Critical", + "tlp" : "green", + "scores" : { + "asset" : 10.0 + }, + "techniques" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "tactics" : [ "string" ] + } ], + "identity_assertion_refs" : [ "string" ], + "sightings" : [ { + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "relations" : [ { + "origin" : "string", + "origin_uri" : "string", + "relation" : "Allocated", + "relation_info" : { + "keyword" : "anything" + }, + "source" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "related" : { + "value" : "1.2.3.4", + "type" : "ip" + } + } ], + "sensor_coordinates" : { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], "os" : "string" }, + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "type" : "sighting", + "source" : "string", + "external_ids" : [ "string" ], + "targets" : [ { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "observed_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "os" : "string" + } ], + "short_description" : "string", + "title" : "string", + "resolution" : "detected", + "internal" : false, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "count" : 10, + "severity" : "Critical", + "tlp" : "green", "context" : { "http_events" : [ { - "process_id" : 10, "process_guid" : 10, + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "method" : "CONNECT", + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "type" : "HTTPEvent", "host" : "string", + "process_name" : "string", + "process_id" : 10, "process_username" : "string", - "method" : "string", "query" : "string", "encrypted" : true, - "url_port" : 10, + "url_port" : 10 + } ], + "process_create_events" : [ { + "parent_process_name" : "string", + "process_guid" : 10, + "parent_process_guid" : 10, + "process_disposition" : "string", + "parent_process_size" : 10, + "process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "parent_process_disposition" : "string", + "type" : "ProcessCreateEvent", + "parent_process_username" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", "process_name" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - } + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", + "process_username" : "string", + "parent_creation_time" : "2016-01-01T01:01:01.000Z", + "process_args" : "string" } ], "registry_delete_events" : [ { "time" : { @@ -575,88 +799,65 @@ "process_guid" : 10, "process_username" : "string", "registry_key" : "string", - "type" : "string", + "type" : "RegistryDeleteEvent", "registry_value" : "string" } ], - "registry_create_events" : [ { + "file_modify_events" : [ { + "file_name" : "string", + "process_guid" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "process_id" : 10, + "type" : "FileModifyEvent", + "file_path" : "string", "process_name" : "string", - "process_guid" : 10, + "process_id" : 10, "process_username" : "string", - "registry_key" : "string", - "type" : "string" + "failed" : false } ], - "file_modify_events" : [ { - "file_path" : "string", + "registry_set_events" : [ { + "process_guid" : 10, + "registry_data" : "string", + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "type" : "RegistrySetEvent", + "registry_data_length" : 10, + "registry_value" : "string", + "registry_key" : "string", + "process_name" : "string", "process_id" : 10, + "process_username" : "string" + } ], + "file_create_events" : [ { + "file_name" : "string", "process_guid" : 10, - "process_username" : "string", - "failed" : true, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "FileCreateEvent", + "file_path" : "string", "process_name" : "string", - "file_name" : "string" + "process_id" : 10, + "process_username" : "string", + "failed" : false } ], - "netflow_events" : [ { - "process_args" : "string", - "byte_count_in" : 10, - "parent_process_args" : "string", + "registry_create_events" : [ { + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, "process_id" : 10, + "process_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_path" : "string", "process_username" : "string", - "byte_count_out" : 10, - "parent_process_account_type" : "string", - "parent_process_hash" : "string", - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "parent_process_name" : "string", - "parent_process_account" : "string", - "type" : "string", - "process_name" : "string", - "flow_time" : "2016-01-01T01:01:01.000Z", - "process_account_type" : "string", - "process_account" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - }, - "process_hash" : "string", - "parent_process_path" : "string" - } ], - "file_move_events" : [ { - "file_path" : "string", - "process_id" : 10, - "process_guid" : 10, - "new_name" : "string", - "process_username" : "string", - "old_name" : "string", - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "process_name" : "string", - "file_name" : "string" - } ], - "library_load_events" : [ { + "registry_key" : "string", + "type" : "RegistryCreateEvent" + } ], + "library_load_events" : [ { "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" @@ -665,362 +866,122 @@ "process_name" : "string", "process_guid" : 10, "process_username" : "string", - "type" : "string", + "type" : "LibraryLoadEvent", "dll_library_name" : "string", "dll_library_path" : "string" } ], - "file_create_events" : [ { - "file_path" : "string", - "process_id" : 10, + "file_move_events" : [ { + "file_name" : "string", "process_guid" : 10, - "process_username" : "string", - "failed" : true, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "FileMoveEvent", + "old_name" : "string", + "file_path" : "string", "process_name" : "string", - "file_name" : "string" - } ], - "registry_set_events" : [ { - "registry_value" : "string", "process_id" : 10, - "process_guid" : 10, - "registry_key" : "string", "process_username" : "string", - "registry_data_length" : 10, - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "registry_data" : "string", - "process_name" : "string" + "new_name" : "string" } ], - "process_create_events" : [ { - "process_args" : "string", - "parent_process_args" : "string", - "process_disposition" : "string", - "process_id" : 10, + "file_delete_events" : [ { + "file_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_username" : "string", - "parent_process_username" : "string", - "parent_process_guid" : 10, - "parent_process_hash" : "string", - "parent_creation_time" : "2016-01-01T01:01:01.000Z", - "process_size" : 10, - "parent_process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "parent_process_name" : "string", - "type" : "string", - "parent_process_disposition" : "string", - "process_name" : "string", - "process_hash" : "string" - } ], - "file_delete_events" : [ { + "type" : "FileDeleteEvent", "file_path" : "string", + "process_name" : "string", "process_id" : 10, - "process_guid" : 10, "process_username" : "string", - "failed" : true, - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "process_name" : "string", - "file_name" : "string" + "failed" : false } ], - "registry_rename_events" : [ { + "netflow_events" : [ { + "parent_process_name" : "string", + "byte_count_in" : 10, + "process_guid" : 10, + "process_path" : "string", + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "flow_time" : "2016-01-01T01:01:01.000Z", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "process_id" : 10, - "process_name" : "string", - "process_guid" : 10, - "process_username" : "string", - "registry_key" : "string", - "type" : "string", - "registry_old_key" : "string" - } ] - }, - "short_description" : "string", - "targets" : [ { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "os" : "string" - } ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "severity" : "string", - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "data" : { - "columns" : [ { - "name" : "string", - "type" : "string", - "description" : "string", - "required" : true, - "short_description" : "string" - } ], - "rows" : [ [ { - "anything" : "anything" - } ] ], - "row_count" : 10 - }, - "description" : "string", - "external_ids" : [ "string" ], - "resolution" : "string" - } ], - "actor_refs" : [ "string" ], - "actors" : [ { - "confidence" : "string", - "tlp" : "string", - "aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "identity" : { - "description" : "string", - "related_identities" : [ { - "identity" : "string", - "confidence" : "string", - "information_source" : "string", - "relationship" : "string" - } ] - }, - "short_description" : "string", - "sophistication" : "string", - "planning_and_operational_support" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "actor_types" : [ "string" ], - "type" : "string", - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "motivation" : "string", - "description" : "string", - "external_ids" : [ "string" ] - } ], - "indicator_refs" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "judgements" : [ { - "confidence" : "string", - "tlp" : "string", - "priority" : 10, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "disposition" : 10, - "observable" : { - "value" : "string", - "type" : "string" - }, - "disposition_name" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "severity" : "string", - "reason_uri" : "string", - "external_ids" : [ "string" ] - } ], - "type" : "string", - "relationships" : [ { - "tlp" : "string", - "target_ref" : "string", - "relationship_type" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "source_ref" : "string", - "short_description" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "identity_assertion_refs" : [ "string" ], - "weaknesses" : [ { - "detection_methods" : [ { - "method" : "string", - "description" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" - } ], - "background_details" : "string", - "tlp" : "string", - "architectures" : [ { - "prevalence" : "string", - "name" : "string", - "class" : "string" - } ], - "affected_resources" : [ "string" ], - "structure" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "abstraction_level" : "string", - "alternate_terms" : [ { - "term" : "string", - "description" : "string" - } ], - "short_description" : "string", - "languages" : [ { - "prevalence" : "string", - "name" : "string", - "class" : "string" - } ], - "paradigms" : [ { - "prevalence" : "string", - "name" : "string" - } ], - "potential_mitigations" : [ { - "description" : "string", - "phases" : [ "string" ], - "strategy" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" - } ], - "functional_areas" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "common_consequences" : [ { - "scopes" : [ "string" ], - "impacts" : [ "string" ], - "likelihood" : "string", - "note" : "string" - } ], - "operating_systems" : [ { - "prevalence" : "string", - "name" : "string", - "version" : "string", - "cpe_id" : "string", - "class" : "string" - } ], - "likelihood" : "string", - "source_uri" : "string", - "notes" : [ { - "type" : "string", - "note" : "string" - } ], - "technologies" : [ { - "prevalence" : "string", - "name" : "string" - } ], - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "modes_of_introduction" : [ { - "phase" : "string", - "note" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "verdicts" : [ { - "type" : "string", - "disposition" : 10, - "observable" : { - "value" : "string", - "type" : "string" + "parent_process_account" : "string", + "type" : "NetflowEvent", + "process_account_type" : "string", + "parent_process_path" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", + "process_name" : "string", + "process_account" : "string", + "parent_process_account_type" : "string", + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", + "process_username" : "string", + "byte_count_out" : 10, + "process_args" : "string" + } ], + "registry_rename_events" : [ { + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "process_id" : 10, + "process_name" : "string", + "process_guid" : 10, + "process_username" : "string", + "registry_key" : "string", + "type" : "RegistryRenameEvent", + "registry_old_key" : "string" + } ] }, - "judgement_id" : "string", - "disposition_name" : "string", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - } - } ], - "assets" : [ { - "tlp" : "string", - "id" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { + "confidence" : "High", + "observed_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "sensor" : "endpoint", + "data" : { + "columns" : [ { + "name" : "string", + "type" : "integer", + "description" : "string", + "required" : true, + "short_description" : "string" + } ], + "rows" : [ [ "anything" ] ], + "row_count" : 10 + } + } ], + "campaign_refs" : [ "string" ], + "vulnerability_refs" : [ "string" ], + "asset_properties_refs" : [ "string" ], + "relationships" : [ { + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, + "target_ref" : "string", + "type" : "relationship", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1028,58 +989,61 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "asset_properties_refs" : [ "string" ], - "source_uri" : "string", - "notes" : [ { - "tlp" : "string", - "related_entities" : [ { - "entity_type" : "string", - "entity_id" : "string" - } ], - "author" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "note_class" : "keyword", - "content" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", "source_uri" : "string", + "source_ref" : "string", "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] - } ], - "incident_refs" : [ "string" ], - "attack_patterns" : [ { - "tlp" : "string", - "x_mitre_platforms" : [ "string" ], - "x_mitre_data_sources" : [ "string" ], - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "relationship_type" : "attributed-to" + } ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "verdict_refs" : [ "string" ], + "malware_refs" : [ "string" ], + "incident_refs" : [ "string" ], + "vulnerabilities" : [ { + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, - "x_mitre_contributors" : [ "string" ], - "abstraction_level" : "string", + "published_date" : "2016-01-01T01:01:01.000Z", + "cve" : { + "cve_data_meta" : { + "id" : "string", + "assigner" : "string" + } + }, + "configurations" : { + "CVE_data_version" : "string", + "nodes" : [ { + "operator" : "AND", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "string", + "versionStartIncluding" : "string", + "versionEndIncluding" : "string", + "versionStartExcluding" : "string", + "versionEndExcluding" : "string" + } ], + "children" : [ { + "operator" : "AND", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "string", + "versionStartIncluding" : "string", + "versionEndIncluding" : "string", + "versionStartExcluding" : "string", + "versionEndExcluding" : "string" + } ], + "negate" : true + } ], + "negate" : true + } ] + }, + "type" : "vulnerability", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1087,36 +1051,96 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "data_tables" : [ { - "tlp" : "string", - "row_count" : 10, - "columns" : [ { - "name" : "string", - "type" : "string", - "description" : "string", - "required" : true, - "short_description" : "string" - } ], + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "last_modified_date" : "2016-01-01T01:01:01.000Z", + "impact" : { + "cvss_v2" : { + "integrity_impact" : "complete", + "target_distribution" : "not_defined", + "availability_requirement" : "not_defined", + "exploitability" : "not_defined", + "access_complexity" : "low", + "temporal_vector_string" : "string", + "exploitability_score" : 10.0, + "impact_score" : 10.0, + "user_interaction_required" : true, + "environmental_vector_string" : "string", + "obtain_other_privilege" : true, + "availability_impact" : "complete", + "access_vector" : "network", + "base_severity" : "High", + "confidentiality_impact" : "complete", + "confidentiality_requirement" : "not_defined", + "report_confidence" : "not_defined", + "authentication" : "none", + "base_score" : 10.0, + "obtain_user_privilege" : true, + "obtain_all_privilege" : true, + "collateral_damage_potential" : "not_defined", + "remediation_level" : "not_defined", + "vector_string" : "string", + "integrity_requirement" : "not_defined" + }, + "cvss_v3" : { + "integrity_impact" : "high", + "modified_user_interaction" : "none", + "modified_scope" : "not_defined", + "availability_requirement" : "high", + "user_interaction" : "none", + "modified_integrity_impact" : "not_defined", + "privileges_required" : "high", + "exploitability_score" : 10.0, + "impact_score" : 10.0, + "environmental_severity" : "critical", + "modified_availability_impact" : "not_defined", + "availability_impact" : "high", + "scope" : "changed", + "exploit_code_maturity" : "functional", + "modified_attack_complexity" : "not_defined", + "base_severity" : "critical", + "confidentiality_impact" : "high", + "temporal_severity" : "critical", + "modified_confidentiality_impact" : "not_defined", + "confidentiality_requirement" : "high", + "report_confidence" : "confirmed", + "temporal_score" : 10.0, + "modified_privileges_required" : "not_defined", + "modified_attack_vector" : "not_defined", + "base_score" : 10.0, + "environmental_score" : 10.0, + "remediation_level" : "high", + "vector_string" : "string", + "integrity_requirement" : "high", + "attack_vector" : "adjacent_network", + "attack_complexity" : "high" + } + } + } ], + "coas" : [ { + "description" : "string", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "stage" : "Containment", + "schema_version" : "1.3.18", "revision" : 10, + "efficacy" : "High", + "type" : "coa", + "related_COAs" : [ { + "confidence" : "High", + "source" : "string", + "relationship" : "string", + "COA_id" : "string" + } ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "rows" : [ [ { - "anything" : "anything" - } ] ], - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1124,80 +1148,50 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "asset_mapping_refs" : [ "string" ], - "malwares" : [ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "abstraction_level" : "string", - "labels" : [ "string" ], - "short_description" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", "source_uri" : "string", + "coa_type" : "Diplomatic Actions", "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "description" : "string", - "external_ids" : [ "string" ], - "asset_refs" : [ "string" ], - "asset_mappings" : [ { - "confidence" : "string", - "tlp" : "string", - "asset_ref" : "string", "id" : "string", + "tlp" : "green", + "objective" : [ "string" ], + "cost" : "High", "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "specificity" : "string", - "observable" : { - "value" : "string", - "type" : "string" + "open_c2_coa" : { + "type" : "structured_coa", + "id" : "string", + "action" : { + "type" : "alert" + }, + "target" : { + "type" : "amp_computer_guid", + "specifiers" : "string" + }, + "actuator" : { + "type" : "endpoint", + "specifiers" : [ "string" ] + }, + "modifiers" : { + "response" : "acknowledge", + "method" : [ "acl" ], + "additional_properties" : { + "context" : "string" + }, + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "frequency" : "string", + "duration" : "2016-01-01T01:01:01.000Z", + "source" : "string", + "search" : "cve", + "option" : "string", + "id" : "string", + "location" : "internal", + "delay" : "2016-01-01T01:01:01.000Z", + "destination" : "copy-to" + } }, - "stability" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] + "structured_coa_type" : "openc2", + "impact" : "string" } ] } \ No newline at end of file diff --git a/doc/json/campaign.json b/doc/json/campaign.json index fe04e011..17e03e87 100644 --- a/doc/json/campaign.json +++ b/doc/json/campaign.json @@ -1,28 +1,17 @@ { - "confidence" : "string", - "tlp" : "string", - "campaign_type" : "string", - "activity" : [ { - "date_time" : "2016-01-01T01:01:01.000Z", - "description" : "string" - } ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "status" : "string", + "type" : "campaign", + "campaign_type" : "string", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "names" : [ "string" ], - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "intended_effect" : [ "string" ], - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -30,6 +19,17 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "activity" : [ { + "date_time" : "2016-01-01T01:01:01.000Z", + "description" : "string" + } ], + "source_uri" : "string", + "intended_effect" : [ "Account Takeover" ], + "status" : "Future", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "names" : [ "string" ] } \ No newline at end of file diff --git a/doc/json/casebook.json b/doc/json/casebook.json index e4cdf08b..13f85b97 100644 --- a/doc/json/casebook.json +++ b/doc/json/casebook.json @@ -1,80 +1,38 @@ { - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "tlp" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, "texts" : [ { "type" : "string", "text" : "string" } ], - "short_description" : "string", "bundle" : { - "campaign_refs" : [ "string" ], - "asset_properties" : [ { - "properties" : [ { - "name" : "string", - "value" : "string" - } ], - "tlp" : "string", - "asset_ref" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "asset_mapping_refs" : [ "string" ], + "note_refs" : [ "string" ], + "data_table_refs" : [ "string" ], + "attack_pattern_refs" : [ "string" ], + "sighting_refs" : [ "string" ], + "schema_version" : "1.3.18", + "revision" : 10, + "assets" : [ { + "description" : "string", + "asset_type" : "application", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "schema_version" : "string", + "type" : "asset", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] - } ], - "tlp" : "string", - "incidents" : [ { - "confidence" : "string", - "tlp" : "string", - "techniques" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "categories" : [ "string" ], - "tactics" : [ "string" ], - "assignees" : [ "string" ], - "incident_time" : { - "opened" : "2016-01-01T01:01:01.000Z", - "discovered" : "2016-01-01T01:01:01.000Z", - "reported" : "2016-01-01T01:01:01.000Z", - "remediated" : "2016-01-01T01:01:01.000Z", - "closed" : "2016-01-01T01:01:01.000Z", - "rejected" : "2016-01-01T01:01:01.000Z" - }, - "discovery_method" : "string", - "status" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "promotion_method" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "meta" : { - "keyword" : "string" - }, - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -82,33 +40,27 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], - "scores" : { - "keyword" : 10.0 - } + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } ], - "vulnerability_refs" : [ "string" ], + "weakness_refs" : [ "string" ], + "tool_refs" : [ "string" ], + "target_record_refs" : [ "string" ], + "asset_refs" : [ "string" ], "tools" : [ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "labels" : [ "credential-exploitation" ], + "schema_version" : "1.3.18", "revision" : 10, - "labels" : [ "string" ], + "type" : "tool", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "tool_version" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -116,40 +68,39 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "indicators" : [ { - "test_mechanisms" : [ "string" ], - "indicator_type" : [ "string" ], - "confidence" : "string", - "composite_indicator_expression" : { - "operator" : "string", - "indicator_ids" : [ "string" ] - }, - "tlp" : "string", - "negate" : true, + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tool_version" : "string", + "tlp" : "green", "kill_chain_phases" : [ { "kill_chain_name" : "string", "phase_name" : "string" } ], + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "indicators" : [ { + "description" : "string", "tags" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "producer" : "string", + "schema_version" : "1.3.18", "revision" : 10, + "type" : "indicator", + "test_mechanisms" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "producer" : "string", - "likely_impact" : "string", - "schema_version" : "string", + "composite_indicator_expression" : { + "operator" : "and", + "indicator_ids" : [ "string" ] + }, "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "likely_impact" : "string", + "indicator_type" : [ "Anonymization" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -157,49 +108,162 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "negate" : true, + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", "specification" : { - "type" : "string", + "type" : "Judgement", "judgements" : [ "string" ], "required_judgements" : [ { - "confidence" : "string", + "confidence" : "High", "source" : "string", "relationship" : "string", "judgement_id" : "string" } ] } } ], - "relationship_refs" : [ "string" ], - "sighting_refs" : [ "string" ], - "note_refs" : [ "string" ], - "coa_refs" : [ "string" ], - "campaigns" : [ { - "confidence" : "string", - "tlp" : "string", - "campaign_type" : "string", - "activity" : [ { - "date_time" : "2016-01-01T01:01:01.000Z", + "attack_patterns" : [ { + "description" : "string", + "abstraction_level" : "aggregate", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "attack-pattern", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "x_mitre_platforms" : [ "string" ], + "language" : "string", + "id" : "string", + "tlp" : "green", + "x_mitre_data_sources" : [ "string" ], + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "x_mitre_contributors" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "type" : "bundle", + "weaknesses" : [ { + "description" : "string", + "background_details" : "string", + "paradigms" : [ { + "prevalence" : "Often", + "name" : "string" + } ], + "abstraction_level" : "Base", + "architectures" : [ { + "prevalence" : "Often", + "name" : "string", + "class" : "Embedded" + } ], + "schema_version" : "1.3.18", + "revision" : 10, + "alternate_terms" : [ { + "term" : "string", "description" : "string" } ], + "likelihood" : "High", + "type" : "weakness", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "functional_areas" : [ "Authentication" ], + "source_uri" : "string", + "modes_of_introduction" : [ { + "phase" : "Architecture and Design", + "note" : "string" + } ], + "structure" : "Chain", + "language" : "string", "id" : "string", + "notes" : [ { + "type" : "Applicable Platform", + "note" : "string" + } ], + "common_consequences" : [ { + "scopes" : [ "Access Control" ], + "impacts" : [ "Alter Execution Logic" ], + "likelihood" : "High", + "note" : "string" + } ], + "tlp" : "green", + "detection_methods" : [ { + "method" : "Architecture or Design Review", + "description" : "string", + "effectiveness" : "High", + "effectiveness_notes" : "string" + } ], + "operating_systems" : [ { + "prevalence" : "Often", + "name" : "string", + "version" : "string", + "cpe_id" : "string", + "class" : "Android" + } ], + "affected_resources" : [ "CPU" ], + "languages" : [ { + "prevalence" : "Often", + "name" : "string", + "class" : "Assembly" + } ], "timestamp" : "2016-01-01T01:01:01.000Z", + "potential_mitigations" : [ { + "description" : "string", + "phases" : [ "Architecture and Design" ], + "strategy" : "Attack Surface Reduction", + "effectiveness" : "Defense in Depth", + "effectiveness_notes" : "string" + } ], + "technologies" : [ { + "prevalence" : "Often", + "name" : "string" + } ] + } ], + "source" : "string", + "external_ids" : [ "string" ], + "feedback_refs" : [ "string" ], + "asset_properties" : [ { + "properties" : [ { + "name" : "string", + "value" : "string" + } ], "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "status" : "string", - "short_description" : "string", - "names" : [ "string" ], - "schema_version" : "string", - "title" : "string", + "asset_ref" : "string", + "type" : "asset-properties", "source" : "string", - "type" : "string", - "intended_effect" : [ "string" ], - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -207,24 +271,20 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } ], - "attack_pattern_refs" : [ "string" ], - "judgement_refs" : [ "string" ], + "short_description" : "string", "feedbacks" : [ { - "tlp" : "string", - "entity_id" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "feedback" : -1, + "schema_version" : "1.3.18", "revision" : 10, - "feedback" : 10, - "schema_version" : "string", + "type" : "feedback", "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -232,70 +292,52 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] - } ], - "coas" : [ { - "related_COAs" : [ { - "confidence" : "string", - "source" : "string", - "relationship" : "string", - "COA_id" : "string" - } ], - "tlp" : "string", - "efficacy" : "string", - "structured_coa_type" : "string", + "reason" : "string", + "source_uri" : "string", + "language" : "string", "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "open_c2_coa" : { - "type" : "string", - "id" : "string", - "action" : { - "type" : "string" - }, - "target" : { - "type" : "string", - "specifiers" : "string" - }, - "actuator" : { - "type" : "string", - "specifiers" : [ "string" ] - }, - "modifiers" : { - "destination" : "string", - "method" : [ "string" ], - "option" : "string", - "id" : "string", - "location" : "string", - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "duration" : "2016-01-01T01:01:01.000Z", - "delay" : "2016-01-01T01:01:01.000Z", - "source" : "string", - "response" : "string", - "additional_properties" : { - "context" : "string" - }, - "search" : "string", - "frequency" : "string" - } + "tlp" : "green", + "entity_id" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "judgement_refs" : [ "string" ], + "title" : "string", + "coa_refs" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "verdicts" : [ { + "type" : "verdict", + "disposition" : 1, + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "judgement_id" : "string", + "disposition_name" : "Clean", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + } + } ], + "campaigns" : [ { + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" }, - "cost" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "campaign", + "campaign_type" : "string", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "impact" : "string", - "objective" : [ "string" ], - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -303,128 +345,86 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "coa_type" : "string", - "description" : "string", - "external_ids" : [ "string" ], - "stage" : "string" + "activity" : [ { + "date_time" : "2016-01-01T01:01:01.000Z", + "description" : "string" + } ], + "source_uri" : "string", + "intended_effect" : [ "Account Takeover" ], + "status" : "Future", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "names" : [ "string" ] } ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "weakness_refs" : [ "string" ], - "vulnerabilities" : [ { - "tlp" : "string", - "configurations" : { - "CVE_data_version" : "string", - "nodes" : [ { - "operator" : "string", - "cpe_match" : [ { - "vulnerable" : true, - "cpe23Uri" : "string", - "versionStartIncluding" : "string", - "versionEndIncluding" : "string", - "versionStartExcluding" : "string", - "versionEndExcluding" : "string" - } ], - "children" : [ { - "operator" : "string", - "cpe_match" : [ { - "vulnerable" : true, - "cpe23Uri" : "string", - "versionStartIncluding" : "string", - "versionEndIncluding" : "string", - "versionStartExcluding" : "string", - "versionEndExcluding" : "string" - } ], - "negate" : true - } ], - "negate" : true + "source_uri" : "string", + "actors" : [ { + "description" : "string", + "motivation" : "Ego", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "identity" : { + "description" : "string", + "related_identities" : [ { + "identity" : "string", + "confidence" : "High", + "information_source" : "string", + "relationship" : "string" } ] }, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "sophistication" : "Aspirant", + "schema_version" : "1.3.18", "revision" : 10, + "planning_and_operational_support" : "string", + "type" : "actor", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "impact" : { - "cvss_v2" : { - "report_confidence" : "string", - "exploitability_score" : 10.0, - "availability_impact" : "string", - "access_vector" : "string", - "authentication" : "string", - "impact_score" : 10.0, - "exploitability" : "string", - "obtain_other_privilege" : true, - "availability_requirement" : "string", - "integrity_requirement" : "string", - "collateral_damage_potential" : "string", - "base_score" : 10.0, - "user_interaction_required" : true, - "environmental_vector_string" : "string", - "temporal_vector_string" : "string", - "base_severity" : "string", - "vector_string" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "obtain_all_privilege" : true, - "obtain_user_privilege" : true, - "access_complexity" : "string", - "remediation_level" : "string", - "target_distribution" : "string" - }, - "cvss_v3" : { - "modified_attack_vector" : "string", - "report_confidence" : "string", - "exploitability_score" : 10.0, - "availability_impact" : "string", - "user_interaction" : "string", - "impact_score" : 10.0, - "exploit_code_maturity" : "string", - "availability_requirement" : "string", - "integrity_requirement" : "string", - "modified_availability_impact" : "string", - "temporal_score" : 10.0, - "environmental_severity" : "string", - "modified_privileges_required" : "string", - "base_score" : 10.0, - "environmental_score" : 10.0, - "modified_attack_complexity" : "string", - "scope" : "string", - "modified_integrity_impact" : "string", - "base_severity" : "string", - "vector_string" : "string", - "modified_confidentiality_impact" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "privileges_required" : "string", - "attack_complexity" : "string", - "modified_scope" : "string", - "modified_user_interaction" : "string", - "attack_vector" : "string", - "temporal_severity" : "string", - "remediation_level" : "string" - } - }, - "last_modified_date" : "2016-01-01T01:01:01.000Z", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "published_date" : "2016-01-01T01:01:01.000Z", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], "source_uri" : "string", - "cve" : { - "cve_data_meta" : { - "id" : "string", - "assigner" : "string" - } - }, + "intended_effect" : "Account Takeover", "language" : "string", + "id" : "string", + "tlp" : "green", + "aliases" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "actor_types" : [ "Cyber Espionage Operations" ] + } ], + "indicator_refs" : [ "string" ], + "actor_refs" : [ "string" ], + "language" : "string", + "data_tables" : [ { + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "schema_version" : "1.3.18", + "revision" : 10, + "columns" : [ { + "name" : "string", + "type" : "integer", + "description" : "string", + "required" : true, + "short_description" : "string" + } ], + "type" : "data-table", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -432,36 +432,57 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "rows" : [ [ "anything" ] ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "row_count" : 10, + "timestamp" : "2016-01-01T01:01:01.000Z" } ], - "malware_refs" : [ "string" ], - "data_table_refs" : [ "string" ], - "target_record_refs" : [ "string" ], - "identity_assertions" : [ { - "tlp" : "string", - "assertions" : [ { - "name" : "string", - "value" : "string" + "id" : "string", + "notes" : [ { + "schema_version" : "1.3.18", + "revision" : 10, + "content" : "string", + "note_class" : "keyword", + "type" : "note", + "source" : "string", + "external_ids" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" } ], + "author" : "string", + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "related_entities" : [ { + "entity_type" : "string", + "entity_id" : "string" + } ] + } ], + "identity_assertions" : [ { "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "revision" : 10, "identity" : { "observables" : [ { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } ] }, - "schema_version" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "identity-assertion", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -469,38 +490,32 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] - } ], - "verdict_refs" : [ "string" ], - "short_description" : "string", - "tool_refs" : [ "string" ], - "target_records" : [ { - "tlp" : "string", + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "assertions" : [ { + "name" : "cisco:ctr:ad:host_domain_name", + "value" : "string" + } ] + } ], + "judgements" : [ { + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "schema_version" : "1.3.18", "revision" : 10, - "short_description" : "string", - "targets" : [ { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "os" : "string", - "internal" : true, - "sensor" : "string", - "source_uri" : "string" - } ], - "schema_version" : "string", - "title" : "string", + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "reason_uri" : "string", + "type" : "judgement", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "disposition" : 1, "external_references" : [ { "source_name" : "string", "description" : "string", @@ -508,76 +523,279 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "feedback_refs" : [ "string" ], - "sightings" : [ { - "observables" : [ { - "value" : "string", - "type" : "string" + "reason" : "string", + "source_uri" : "string", + "disposition_name" : "Clean", + "priority" : 10, + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High" + } ], + "malwares" : [ { + "description" : "string", + "labels" : [ "adware" ], + "abstraction_level" : "family", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "malware", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" } ], - "confidence" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "target_records" : [ { + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "target-record", + "source" : "string", + "external_ids" : [ "string" ], + "targets" : [ { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "observed_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "os" : "string", + "internal" : false, + "sensor" : "string", + "source_uri" : "string" + } ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" + } ], + "asset_mappings" : [ { + "asset_type" : "application", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "stability" : "Managed", + "schema_version" : "1.3.18", + "revision" : 10, + "observable" : { + "value" : "1.2.3.4", + "type" : "ip" + }, + "asset_ref" : "string", + "type" : "asset-mapping", + "source" : "string", + "external_ids" : [ "string" ], + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "specificity" : "Low", + "confidence" : "High" + } ], + "relationship_refs" : [ "string" ], + "tlp" : "green", + "incidents" : [ { + "description" : "string", + "assignees" : [ "string" ], + "meta" : { + "keyword" : "string" + }, + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "incident", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "incident_time" : { + "opened" : "2016-01-01T01:01:01.000Z", + "discovered" : "2016-01-01T01:01:01.000Z", + "reported" : "2016-01-01T01:01:01.000Z", + "remediated" : "2016-01-01T01:01:01.000Z", + "closed" : "2016-01-01T01:01:01.000Z", + "rejected" : "2016-01-01T01:01:01.000Z" + }, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "discovery_method" : "Agent Disclosure", + "source_uri" : "string", + "intended_effect" : "Account Takeover", + "categories" : [ "Attrition" ], + "status" : "Closed", + "language" : "string", + "id" : "string", + "promotion_method" : "Automated", + "severity" : "Critical", + "tlp" : "green", + "scores" : { + "asset" : 10.0 + }, + "techniques" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "tactics" : [ "string" ] + } ], + "identity_assertion_refs" : [ "string" ], + "sightings" : [ { + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, "relations" : [ { "origin" : "string", "origin_uri" : "string", - "relation" : "string", + "relation" : "Allocated", "relation_info" : { - "keyword" : { - "anything" : "anything" - } + "keyword" : "anything" }, "source" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" }, "related" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } } ], - "tlp" : "string", - "internal" : true, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "sensor" : "string", - "count" : 10, "sensor_coordinates" : { - "type" : "string", + "type" : "endpoint", "observables" : [ { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } ], "os" : "string" }, + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "type" : "sighting", + "source" : "string", + "external_ids" : [ "string" ], + "targets" : [ { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "observed_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "os" : "string" + } ], + "short_description" : "string", + "title" : "string", + "resolution" : "detected", + "internal" : false, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "count" : 10, + "severity" : "Critical", + "tlp" : "green", "context" : { "http_events" : [ { - "process_id" : 10, "process_guid" : 10, + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "method" : "CONNECT", + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "type" : "HTTPEvent", "host" : "string", + "process_name" : "string", + "process_id" : 10, "process_username" : "string", - "method" : "string", "query" : "string", "encrypted" : true, - "url_port" : 10, + "url_port" : 10 + } ], + "process_create_events" : [ { + "parent_process_name" : "string", + "process_guid" : 10, + "parent_process_guid" : 10, + "process_disposition" : "string", + "parent_process_size" : 10, + "process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "parent_process_disposition" : "string", + "type" : "ProcessCreateEvent", + "parent_process_username" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", "process_name" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - } + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", + "process_username" : "string", + "parent_creation_time" : "2016-01-01T01:01:01.000Z", + "process_args" : "string" } ], "registry_delete_events" : [ { "time" : { @@ -589,86 +807,63 @@ "process_guid" : 10, "process_username" : "string", "registry_key" : "string", - "type" : "string", + "type" : "RegistryDeleteEvent", "registry_value" : "string" } ], - "registry_create_events" : [ { + "file_modify_events" : [ { + "file_name" : "string", + "process_guid" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "process_id" : 10, + "type" : "FileModifyEvent", + "file_path" : "string", "process_name" : "string", - "process_guid" : 10, + "process_id" : 10, "process_username" : "string", - "registry_key" : "string", - "type" : "string" + "failed" : false } ], - "file_modify_events" : [ { - "file_path" : "string", - "process_id" : 10, + "registry_set_events" : [ { "process_guid" : 10, - "process_username" : "string", - "failed" : true, + "registry_data" : "string", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "RegistrySetEvent", + "registry_data_length" : 10, + "registry_value" : "string", + "registry_key" : "string", "process_name" : "string", - "file_name" : "string" - } ], - "netflow_events" : [ { - "process_args" : "string", - "byte_count_in" : 10, - "parent_process_args" : "string", "process_id" : 10, + "process_username" : "string" + } ], + "file_create_events" : [ { + "file_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_path" : "string", - "process_username" : "string", - "byte_count_out" : 10, - "parent_process_account_type" : "string", - "parent_process_hash" : "string", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "parent_process_name" : "string", - "parent_process_account" : "string", - "type" : "string", - "process_name" : "string", - "flow_time" : "2016-01-01T01:01:01.000Z", - "process_account_type" : "string", - "process_account" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - }, - "process_hash" : "string", - "parent_process_path" : "string" - } ], - "file_move_events" : [ { + "type" : "FileCreateEvent", "file_path" : "string", + "process_name" : "string", "process_id" : 10, - "process_guid" : 10, - "new_name" : "string", "process_username" : "string", - "old_name" : "string", + "failed" : false + } ], + "registry_create_events" : [ { "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "process_id" : 10, "process_name" : "string", - "file_name" : "string" + "process_guid" : 10, + "process_username" : "string", + "registry_key" : "string", + "type" : "RegistryCreateEvent" } ], "library_load_events" : [ { "time" : { @@ -679,362 +874,122 @@ "process_name" : "string", "process_guid" : 10, "process_username" : "string", - "type" : "string", + "type" : "LibraryLoadEvent", "dll_library_name" : "string", "dll_library_path" : "string" } ], - "file_create_events" : [ { - "file_path" : "string", - "process_id" : 10, + "file_move_events" : [ { + "file_name" : "string", "process_guid" : 10, - "process_username" : "string", - "failed" : true, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "FileMoveEvent", + "old_name" : "string", + "file_path" : "string", "process_name" : "string", - "file_name" : "string" - } ], - "registry_set_events" : [ { - "registry_value" : "string", "process_id" : 10, - "process_guid" : 10, - "registry_key" : "string", "process_username" : "string", - "registry_data_length" : 10, - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "registry_data" : "string", - "process_name" : "string" + "new_name" : "string" } ], - "process_create_events" : [ { - "process_args" : "string", - "parent_process_args" : "string", - "process_disposition" : "string", - "process_id" : 10, + "file_delete_events" : [ { + "file_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_username" : "string", - "parent_process_username" : "string", - "parent_process_guid" : 10, - "parent_process_hash" : "string", - "parent_creation_time" : "2016-01-01T01:01:01.000Z", - "process_size" : 10, - "parent_process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "parent_process_name" : "string", - "type" : "string", - "parent_process_disposition" : "string", - "process_name" : "string", - "process_hash" : "string" - } ], - "file_delete_events" : [ { + "type" : "FileDeleteEvent", "file_path" : "string", + "process_name" : "string", "process_id" : 10, - "process_guid" : 10, "process_username" : "string", - "failed" : true, - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "process_name" : "string", - "file_name" : "string" + "failed" : false } ], - "registry_rename_events" : [ { + "netflow_events" : [ { + "parent_process_name" : "string", + "byte_count_in" : 10, + "process_guid" : 10, + "process_path" : "string", + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "flow_time" : "2016-01-01T01:01:01.000Z", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "process_id" : 10, + "parent_process_account" : "string", + "type" : "NetflowEvent", + "process_account_type" : "string", + "parent_process_path" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", "process_name" : "string", - "process_guid" : 10, + "process_account" : "string", + "parent_process_account_type" : "string", + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", "process_username" : "string", - "registry_key" : "string", - "type" : "string", - "registry_old_key" : "string" - } ] - }, - "short_description" : "string", - "targets" : [ { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "os" : "string" - } ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "severity" : "string", - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "data" : { - "columns" : [ { - "name" : "string", - "type" : "string", - "description" : "string", - "required" : true, - "short_description" : "string" + "byte_count_out" : 10, + "process_args" : "string" } ], - "rows" : [ [ { - "anything" : "anything" - } ] ], - "row_count" : 10 - }, - "description" : "string", - "external_ids" : [ "string" ], - "resolution" : "string" - } ], - "actor_refs" : [ "string" ], - "actors" : [ { - "confidence" : "string", - "tlp" : "string", - "aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "identity" : { - "description" : "string", - "related_identities" : [ { - "identity" : "string", - "confidence" : "string", - "information_source" : "string", - "relationship" : "string" - } ] - }, - "short_description" : "string", - "sophistication" : "string", - "planning_and_operational_support" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "actor_types" : [ "string" ], - "type" : "string", - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "motivation" : "string", - "description" : "string", - "external_ids" : [ "string" ] - } ], - "indicator_refs" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "judgements" : [ { - "confidence" : "string", - "tlp" : "string", - "priority" : 10, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "disposition" : 10, - "observable" : { - "value" : "string", - "type" : "string" - }, - "disposition_name" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "severity" : "string", - "reason_uri" : "string", - "external_ids" : [ "string" ] - } ], - "type" : "string", - "relationships" : [ { - "tlp" : "string", - "target_ref" : "string", - "relationship_type" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "source_ref" : "string", - "short_description" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "identity_assertion_refs" : [ "string" ], - "weaknesses" : [ { - "detection_methods" : [ { - "method" : "string", - "description" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" - } ], - "background_details" : "string", - "tlp" : "string", - "architectures" : [ { - "prevalence" : "string", - "name" : "string", - "class" : "string" - } ], - "affected_resources" : [ "string" ], - "structure" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "abstraction_level" : "string", - "alternate_terms" : [ { - "term" : "string", - "description" : "string" - } ], - "short_description" : "string", - "languages" : [ { - "prevalence" : "string", - "name" : "string", - "class" : "string" - } ], - "paradigms" : [ { - "prevalence" : "string", - "name" : "string" - } ], - "potential_mitigations" : [ { - "description" : "string", - "phases" : [ "string" ], - "strategy" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" - } ], - "functional_areas" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "common_consequences" : [ { - "scopes" : [ "string" ], - "impacts" : [ "string" ], - "likelihood" : "string", - "note" : "string" - } ], - "operating_systems" : [ { - "prevalence" : "string", - "name" : "string", - "version" : "string", - "cpe_id" : "string", - "class" : "string" - } ], - "likelihood" : "string", - "source_uri" : "string", - "notes" : [ { - "type" : "string", - "note" : "string" - } ], - "technologies" : [ { - "prevalence" : "string", - "name" : "string" - } ], - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "modes_of_introduction" : [ { - "phase" : "string", - "note" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "verdicts" : [ { - "type" : "string", - "disposition" : 10, - "observable" : { - "value" : "string", - "type" : "string" + "registry_rename_events" : [ { + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "process_id" : 10, + "process_name" : "string", + "process_guid" : 10, + "process_username" : "string", + "registry_key" : "string", + "type" : "RegistryRenameEvent", + "registry_old_key" : "string" + } ] }, - "judgement_id" : "string", - "disposition_name" : "string", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - } - } ], - "assets" : [ { - "tlp" : "string", - "id" : "string", "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { + "confidence" : "High", + "observed_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "sensor" : "endpoint", + "data" : { + "columns" : [ { + "name" : "string", + "type" : "integer", + "description" : "string", + "required" : true, + "short_description" : "string" + } ], + "rows" : [ [ "anything" ] ], + "row_count" : 10 + } + } ], + "campaign_refs" : [ "string" ], + "vulnerability_refs" : [ "string" ], + "asset_properties_refs" : [ "string" ], + "relationships" : [ { + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, + "target_ref" : "string", + "type" : "relationship", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1042,58 +997,61 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "asset_properties_refs" : [ "string" ], - "source_uri" : "string", - "notes" : [ { - "tlp" : "string", - "related_entities" : [ { - "entity_type" : "string", - "entity_id" : "string" - } ], - "author" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "note_class" : "keyword", - "content" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", "source_uri" : "string", + "source_ref" : "string", "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] - } ], - "incident_refs" : [ "string" ], - "attack_patterns" : [ { - "tlp" : "string", - "x_mitre_platforms" : [ "string" ], - "x_mitre_data_sources" : [ "string" ], - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "relationship_type" : "attributed-to" + } ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "verdict_refs" : [ "string" ], + "malware_refs" : [ "string" ], + "incident_refs" : [ "string" ], + "vulnerabilities" : [ { + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, - "x_mitre_contributors" : [ "string" ], - "abstraction_level" : "string", + "published_date" : "2016-01-01T01:01:01.000Z", + "cve" : { + "cve_data_meta" : { + "id" : "string", + "assigner" : "string" + } + }, + "configurations" : { + "CVE_data_version" : "string", + "nodes" : [ { + "operator" : "AND", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "string", + "versionStartIncluding" : "string", + "versionEndIncluding" : "string", + "versionStartExcluding" : "string", + "versionEndExcluding" : "string" + } ], + "children" : [ { + "operator" : "AND", + "cpe_match" : [ { + "vulnerable" : true, + "cpe23Uri" : "string", + "versionStartIncluding" : "string", + "versionEndIncluding" : "string", + "versionStartExcluding" : "string", + "versionEndExcluding" : "string" + } ], + "negate" : true + } ], + "negate" : true + } ] + }, + "type" : "vulnerability", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1101,36 +1059,96 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "data_tables" : [ { - "tlp" : "string", - "row_count" : 10, - "columns" : [ { - "name" : "string", - "type" : "string", - "description" : "string", - "required" : true, - "short_description" : "string" - } ], + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", + "last_modified_date" : "2016-01-01T01:01:01.000Z", + "impact" : { + "cvss_v2" : { + "integrity_impact" : "complete", + "target_distribution" : "not_defined", + "availability_requirement" : "not_defined", + "exploitability" : "not_defined", + "access_complexity" : "low", + "temporal_vector_string" : "string", + "exploitability_score" : 10.0, + "impact_score" : 10.0, + "user_interaction_required" : true, + "environmental_vector_string" : "string", + "obtain_other_privilege" : true, + "availability_impact" : "complete", + "access_vector" : "network", + "base_severity" : "High", + "confidentiality_impact" : "complete", + "confidentiality_requirement" : "not_defined", + "report_confidence" : "not_defined", + "authentication" : "none", + "base_score" : 10.0, + "obtain_user_privilege" : true, + "obtain_all_privilege" : true, + "collateral_damage_potential" : "not_defined", + "remediation_level" : "not_defined", + "vector_string" : "string", + "integrity_requirement" : "not_defined" + }, + "cvss_v3" : { + "integrity_impact" : "high", + "modified_user_interaction" : "none", + "modified_scope" : "not_defined", + "availability_requirement" : "high", + "user_interaction" : "none", + "modified_integrity_impact" : "not_defined", + "privileges_required" : "high", + "exploitability_score" : 10.0, + "impact_score" : 10.0, + "environmental_severity" : "critical", + "modified_availability_impact" : "not_defined", + "availability_impact" : "high", + "scope" : "changed", + "exploit_code_maturity" : "functional", + "modified_attack_complexity" : "not_defined", + "base_severity" : "critical", + "confidentiality_impact" : "high", + "temporal_severity" : "critical", + "modified_confidentiality_impact" : "not_defined", + "confidentiality_requirement" : "high", + "report_confidence" : "confirmed", + "temporal_score" : 10.0, + "modified_privileges_required" : "not_defined", + "modified_attack_vector" : "not_defined", + "base_score" : 10.0, + "environmental_score" : 10.0, + "remediation_level" : "high", + "vector_string" : "string", + "integrity_requirement" : "high", + "attack_vector" : "adjacent_network", + "attack_complexity" : "high" + } + } + } ], + "coas" : [ { + "description" : "string", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "stage" : "Containment", + "schema_version" : "1.3.18", "revision" : 10, + "efficacy" : "High", + "type" : "coa", + "related_COAs" : [ { + "confidence" : "High", + "source" : "string", + "relationship" : "string", + "COA_id" : "string" + } ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "rows" : [ [ { - "anything" : "anything" - } ] ], - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1138,89 +1156,62 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "asset_mapping_refs" : [ "string" ], - "malwares" : [ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "abstraction_level" : "string", - "labels" : [ "string" ], - "short_description" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", "source_uri" : "string", + "coa_type" : "Diplomatic Actions", "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] - } ], - "description" : "string", - "external_ids" : [ "string" ], - "asset_refs" : [ "string" ], - "asset_mappings" : [ { - "confidence" : "string", - "tlp" : "string", - "asset_ref" : "string", "id" : "string", + "tlp" : "green", + "objective" : [ "string" ], + "cost" : "High", "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, - "specificity" : "string", - "observable" : { - "value" : "string", - "type" : "string" + "open_c2_coa" : { + "type" : "structured_coa", + "id" : "string", + "action" : { + "type" : "alert" + }, + "target" : { + "type" : "amp_computer_guid", + "specifiers" : "string" + }, + "actuator" : { + "type" : "endpoint", + "specifiers" : [ "string" ] + }, + "modifiers" : { + "response" : "acknowledge", + "method" : [ "acl" ], + "additional_properties" : { + "context" : "string" + }, + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "frequency" : "string", + "duration" : "2016-01-01T01:01:01.000Z", + "source" : "string", + "search" : "cve", + "option" : "string", + "id" : "string", + "location" : "internal", + "delay" : "2016-01-01T01:01:01.000Z", + "destination" : "copy-to" + } }, - "stability" : "string", - "schema_version" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "asset_type" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "external_ids" : [ "string" ] + "structured_coa_type" : "openc2", + "impact" : "string" } ] }, - "schema_version" : "string", - "title" : "string", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "type" : "casebook", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -1228,6 +1219,9 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/coa.json b/doc/json/coa.json index 93dc30a0..adf8ab55 100644 --- a/doc/json/coa.json +++ b/doc/json/coa.json @@ -1,74 +1,74 @@ { + "description" : "string", + "valid_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "stage" : "Containment", + "schema_version" : "1.3.18", + "revision" : 10, + "efficacy" : "High", + "type" : "coa", "related_COAs" : [ { - "confidence" : "string", + "confidence" : "High", "source" : "string", "relationship" : "string", "COA_id" : "string" } ], - "tlp" : "string", - "efficacy" : "string", - "structured_coa_type" : "string", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "coa_type" : "Diplomatic Actions", + "language" : "string", "id" : "string", + "tlp" : "green", + "objective" : [ "string" ], + "cost" : "High", "timestamp" : "2016-01-01T01:01:01.000Z", - "valid_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "revision" : 10, "open_c2_coa" : { - "type" : "string", + "type" : "structured_coa", "id" : "string", "action" : { - "type" : "string" + "type" : "alert" }, "target" : { - "type" : "string", + "type" : "amp_computer_guid", "specifiers" : "string" }, "actuator" : { - "type" : "string", + "type" : "endpoint", "specifiers" : [ "string" ] }, "modifiers" : { - "destination" : "string", - "method" : [ "string" ], - "option" : "string", - "id" : "string", - "location" : "string", + "response" : "acknowledge", + "method" : [ "acl" ], + "additional_properties" : { + "context" : "string" + }, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "frequency" : "string", "duration" : "2016-01-01T01:01:01.000Z", - "delay" : "2016-01-01T01:01:01.000Z", "source" : "string", - "response" : "string", - "additional_properties" : { - "context" : "string" - }, - "search" : "string", - "frequency" : "string" + "search" : "cve", + "option" : "string", + "id" : "string", + "location" : "internal", + "delay" : "2016-01-01T01:01:01.000Z", + "destination" : "copy-to" } }, - "cost" : "string", - "short_description" : "string", - "impact" : "string", - "objective" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "coa_type" : "string", - "description" : "string", - "external_ids" : [ "string" ], - "stage" : "string" + "structured_coa_type" : "openc2", + "impact" : "string" } \ No newline at end of file diff --git a/doc/json/feedback.json b/doc/json/feedback.json index 898670ba..011e4a7a 100644 --- a/doc/json/feedback.json +++ b/doc/json/feedback.json @@ -1,16 +1,10 @@ { - "tlp" : "string", - "entity_id" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "feedback" : -1, + "schema_version" : "1.3.18", "revision" : 10, - "feedback" : 10, - "schema_version" : "string", + "type" : "feedback", "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -18,5 +12,11 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] + "reason" : "string", + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "entity_id" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/incident.json b/doc/json/incident.json index 26e7ef49..e05f0a1b 100644 --- a/doc/json/incident.json +++ b/doc/json/incident.json @@ -1,13 +1,16 @@ { - "confidence" : "string", - "tlp" : "string", - "techniques" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "categories" : [ "string" ], - "tactics" : [ "string" ], + "description" : "string", "assignees" : [ "string" ], + "meta" : { + "keyword" : "string" + }, + "schema_version" : "1.3.18", + "revision" : 10, + "type" : "incident", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", "incident_time" : { "opened" : "2016-01-01T01:01:01.000Z", "discovered" : "2016-01-01T01:01:01.000Z", @@ -16,20 +19,6 @@ "closed" : "2016-01-01T01:01:01.000Z", "rejected" : "2016-01-01T01:01:01.000Z" }, - "discovery_method" : "string", - "status" : "string", - "short_description" : "string", - "promotion_method" : "string", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "meta" : { - "keyword" : "string" - }, - "intended_effect" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -37,10 +26,21 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], + "discovery_method" : "Agent Disclosure", + "source_uri" : "string", + "intended_effect" : "Account Takeover", + "categories" : [ "Attrition" ], + "status" : "Closed", + "language" : "string", + "id" : "string", + "promotion_method" : "Automated", + "severity" : "Critical", + "tlp" : "green", "scores" : { - "keyword" : 10.0 - } + "asset" : 10.0 + }, + "techniques" : [ "string" ], + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", + "tactics" : [ "string" ] } \ No newline at end of file diff --git a/doc/json/indicator.json b/doc/json/indicator.json index eb2bb185..66e021c9 100644 --- a/doc/json/indicator.json +++ b/doc/json/indicator.json @@ -1,34 +1,25 @@ { - "test_mechanisms" : [ "string" ], - "indicator_type" : [ "string" ], - "confidence" : "string", - "composite_indicator_expression" : { - "operator" : "string", - "indicator_ids" : [ "string" ] - }, - "tlp" : "string", - "negate" : true, - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], + "description" : "string", "tags" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "producer" : "string", + "schema_version" : "1.3.18", "revision" : 10, + "type" : "indicator", + "test_mechanisms" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "producer" : "string", - "likely_impact" : "string", - "schema_version" : "string", + "composite_indicator_expression" : { + "operator" : "and", + "indicator_ids" : [ "string" ] + }, "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "likely_impact" : "string", + "indicator_type" : [ "Anonymization" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -36,14 +27,23 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "description" : "string", - "external_ids" : [ "string" ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "negate" : true, + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", "specification" : { - "type" : "string", + "type" : "Judgement", "judgements" : [ "string" ], "required_judgements" : [ { - "confidence" : "string", + "confidence" : "High", "source" : "string", "relationship" : "string", "judgement_id" : "string" diff --git a/doc/json/judgement.json b/doc/json/judgement.json index bd6fd9d0..2c8909e7 100644 --- a/doc/json/judgement.json +++ b/doc/json/judgement.json @@ -1,26 +1,19 @@ { - "confidence" : "string", - "tlp" : "string", - "priority" : 10, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "schema_version" : "1.3.18", "revision" : 10, - "disposition" : 10, "observable" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" }, - "disposition_name" : "string", - "schema_version" : "string", + "reason_uri" : "string", + "type" : "judgement", "source" : "string", - "type" : "string", - "reason" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], + "disposition" : 1, "external_references" : [ { "source_name" : "string", "description" : "string", @@ -28,7 +21,14 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "severity" : "string", - "reason_uri" : "string", - "external_ids" : [ "string" ] + "reason" : "string", + "source_uri" : "string", + "disposition_name" : "Clean", + "priority" : 10, + "language" : "string", + "id" : "string", + "severity" : "Critical", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High" } \ No newline at end of file diff --git a/doc/json/malware.json b/doc/json/malware.json index 4f1517df..089b3a16 100644 --- a/doc/json/malware.json +++ b/doc/json/malware.json @@ -1,22 +1,15 @@ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "labels" : [ "adware" ], + "abstraction_level" : "family", + "schema_version" : "1.3.18", "revision" : 10, - "abstraction_level" : "string", - "labels" : [ "string" ], + "type" : "malware", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -24,6 +17,13 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/note.json b/doc/json/note.json index 81058140..76a6ea6a 100644 --- a/doc/json/note.json +++ b/doc/json/note.json @@ -1,20 +1,11 @@ { - "tlp" : "string", - "related_entities" : [ { - "entity_type" : "string", - "entity_id" : "string" - } ], - "author" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "schema_version" : "1.3.18", "revision" : 10, - "note_class" : "keyword", "content" : "string", - "schema_version" : "string", + "note_class" : "keyword", + "type" : "note", "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", + "external_ids" : [ "string" ], "external_references" : [ { "source_name" : "string", "description" : "string", @@ -22,5 +13,14 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "external_ids" : [ "string" ] + "author" : "string", + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "related_entities" : [ { + "entity_type" : "string", + "entity_id" : "string" + } ] } \ No newline at end of file diff --git a/doc/json/relationship.json b/doc/json/relationship.json index d36d72e9..5b92944c 100644 --- a/doc/json/relationship.json +++ b/doc/json/relationship.json @@ -1,18 +1,13 @@ { - "tlp" : "string", - "target_ref" : "string", - "relationship_type" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, - "source_ref" : "string", + "target_ref" : "string", + "type" : "relationship", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -20,6 +15,11 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "source_ref" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z", + "relationship_type" : "attributed-to" } \ No newline at end of file diff --git a/doc/json/sighting.json b/doc/json/sighting.json index bd2edafe..03bdf8f0 100644 --- a/doc/json/sighting.json +++ b/doc/json/sighting.json @@ -1,69 +1,118 @@ { - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "confidence" : "string", + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, "relations" : [ { "origin" : "string", "origin_uri" : "string", - "relation" : "string", + "relation" : "Allocated", "relation_info" : { - "keyword" : { - "anything" : "anything" - } + "keyword" : "anything" }, "source" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" }, "related" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } } ], - "tlp" : "string", - "internal" : true, - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "sensor" : "string", - "count" : 10, "sensor_coordinates" : { - "type" : "string", + "type" : "endpoint", "observables" : [ { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } ], "os" : "string" }, + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "type" : "sighting", + "source" : "string", + "external_ids" : [ "string" ], + "targets" : [ { + "type" : "endpoint", + "observables" : [ { + "value" : "1.2.3.4", + "type" : "ip" + } ], + "observed_time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "os" : "string" + } ], + "short_description" : "string", + "title" : "string", + "resolution" : "detected", + "internal" : false, + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", + "id" : "string", + "count" : 10, + "severity" : "Critical", + "tlp" : "green", "context" : { "http_events" : [ { - "process_id" : 10, "process_guid" : 10, + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "method" : "CONNECT", + "time" : { + "start_time" : "2016-01-01T01:01:01.000Z", + "end_time" : "2016-01-01T01:01:01.000Z" + }, + "type" : "HTTPEvent", "host" : "string", + "process_name" : "string", + "process_id" : 10, "process_username" : "string", - "method" : "string", "query" : "string", "encrypted" : true, - "url_port" : 10, + "url_port" : 10 + } ], + "process_create_events" : [ { + "parent_process_name" : "string", + "process_guid" : 10, + "parent_process_guid" : 10, + "process_disposition" : "string", + "parent_process_size" : 10, + "process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "parent_process_disposition" : "string", + "type" : "ProcessCreateEvent", + "parent_process_username" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", "process_name" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - } + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", + "process_username" : "string", + "parent_creation_time" : "2016-01-01T01:01:01.000Z", + "process_args" : "string" } ], "registry_delete_events" : [ { "time" : { @@ -75,86 +124,63 @@ "process_guid" : 10, "process_username" : "string", "registry_key" : "string", - "type" : "string", + "type" : "RegistryDeleteEvent", "registry_value" : "string" } ], - "registry_create_events" : [ { + "file_modify_events" : [ { + "file_name" : "string", + "process_guid" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "process_id" : 10, + "type" : "FileModifyEvent", + "file_path" : "string", "process_name" : "string", - "process_guid" : 10, + "process_id" : 10, "process_username" : "string", - "registry_key" : "string", - "type" : "string" + "failed" : false } ], - "file_modify_events" : [ { - "file_path" : "string", - "process_id" : 10, + "registry_set_events" : [ { "process_guid" : 10, - "process_username" : "string", - "failed" : true, + "registry_data" : "string", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "RegistrySetEvent", + "registry_data_length" : 10, + "registry_value" : "string", + "registry_key" : "string", "process_name" : "string", - "file_name" : "string" - } ], - "netflow_events" : [ { - "process_args" : "string", - "byte_count_in" : 10, - "parent_process_args" : "string", "process_id" : 10, + "process_username" : "string" + } ], + "file_create_events" : [ { + "file_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_path" : "string", - "process_username" : "string", - "byte_count_out" : 10, - "parent_process_account_type" : "string", - "parent_process_hash" : "string", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "parent_process_name" : "string", - "parent_process_account" : "string", - "type" : "string", - "process_name" : "string", - "flow_time" : "2016-01-01T01:01:01.000Z", - "process_account_type" : "string", - "process_account" : "string", - "traffic" : { - "protocol" : 10, - "destination_host_name" : "string", - "source_subnet" : "string", - "source_port" : 10, - "destination_ip" : "string", - "direction" : "string", - "destination_subnet" : "string", - "source_ip" : "string", - "destination_port" : 10 - }, - "process_hash" : "string", - "parent_process_path" : "string" - } ], - "file_move_events" : [ { + "type" : "FileCreateEvent", "file_path" : "string", + "process_name" : "string", "process_id" : 10, - "process_guid" : 10, - "new_name" : "string", "process_username" : "string", - "old_name" : "string", + "failed" : false + } ], + "registry_create_events" : [ { "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "process_id" : 10, "process_name" : "string", - "file_name" : "string" + "process_guid" : 10, + "process_username" : "string", + "registry_key" : "string", + "type" : "RegistryCreateEvent" } ], "library_load_events" : [ { "time" : { @@ -165,76 +191,75 @@ "process_name" : "string", "process_guid" : 10, "process_username" : "string", - "type" : "string", + "type" : "LibraryLoadEvent", "dll_library_name" : "string", "dll_library_path" : "string" } ], - "file_create_events" : [ { - "file_path" : "string", - "process_id" : 10, + "file_move_events" : [ { + "file_name" : "string", "process_guid" : 10, - "process_username" : "string", - "failed" : true, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "type" : "FileMoveEvent", + "old_name" : "string", + "file_path" : "string", "process_name" : "string", - "file_name" : "string" - } ], - "registry_set_events" : [ { - "registry_value" : "string", "process_id" : 10, - "process_guid" : 10, - "registry_key" : "string", "process_username" : "string", - "registry_data_length" : 10, - "time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "type" : "string", - "registry_data" : "string", - "process_name" : "string" + "new_name" : "string" } ], - "process_create_events" : [ { - "process_args" : "string", - "parent_process_args" : "string", - "process_disposition" : "string", - "process_id" : 10, + "file_delete_events" : [ { + "file_name" : "string", "process_guid" : 10, - "parent_process_id" : 10, - "process_username" : "string", - "parent_process_username" : "string", - "parent_process_guid" : 10, - "parent_process_hash" : "string", - "parent_creation_time" : "2016-01-01T01:01:01.000Z", - "process_size" : 10, - "parent_process_size" : 10, "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "parent_process_name" : "string", - "type" : "string", - "parent_process_disposition" : "string", - "process_name" : "string", - "process_hash" : "string" - } ], - "file_delete_events" : [ { + "type" : "FileDeleteEvent", "file_path" : "string", + "process_name" : "string", "process_id" : 10, - "process_guid" : 10, "process_username" : "string", - "failed" : true, + "failed" : false + } ], + "netflow_events" : [ { + "parent_process_name" : "string", + "byte_count_in" : 10, + "process_guid" : 10, + "process_path" : "string", + "traffic" : { + "destination_host_name" : "string", + "protocol" : 10, + "source_ip" : "string", + "destination_subnet" : "string", + "destination_ip" : "string", + "source_subnet" : "string", + "destination_port" : 10, + "direction" : "incoming", + "source_port" : 10 + }, + "flow_time" : "2016-01-01T01:01:01.000Z", "time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, - "type" : "string", + "parent_process_account" : "string", + "type" : "NetflowEvent", + "process_account_type" : "string", + "parent_process_path" : "string", + "parent_process_id" : 10, + "parent_process_args" : "string", "process_name" : "string", - "file_name" : "string" + "process_account" : "string", + "parent_process_account_type" : "string", + "process_hash" : "string", + "process_id" : 10, + "parent_process_hash" : "string", + "process_username" : "string", + "byte_count_out" : 10, + "process_args" : "string" } ], "registry_rename_events" : [ { "time" : { @@ -246,55 +271,26 @@ "process_guid" : 10, "process_username" : "string", "registry_key" : "string", - "type" : "string", + "type" : "RegistryRenameEvent", "registry_old_key" : "string" } ] }, - "short_description" : "string", - "targets" : [ { - "type" : "string", - "observables" : [ { - "value" : "string", - "type" : "string" - } ], - "observed_time" : { - "start_time" : "2016-01-01T01:01:01.000Z", - "end_time" : "2016-01-01T01:01:01.000Z" - }, - "os" : "string" - } ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "severity" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z", + "confidence" : "High", "observed_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, + "sensor" : "endpoint", "data" : { "columns" : [ { "name" : "string", - "type" : "string", + "type" : "integer", "description" : "string", "required" : true, "short_description" : "string" } ], - "rows" : [ [ { - "anything" : "anything" - } ] ], + "rows" : [ [ "anything" ] ], "row_count" : 10 - }, - "description" : "string", - "external_ids" : [ "string" ], - "resolution" : "string" + } } \ No newline at end of file diff --git a/doc/json/target_record.json b/doc/json/target_record.json index 4b8c0d4f..d698e338 100644 --- a/doc/json/target_record.json +++ b/doc/json/target_record.json @@ -1,30 +1,27 @@ { - "tlp" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "schema_version" : "1.3.18", "revision" : 10, - "short_description" : "string", + "type" : "target-record", + "source" : "string", + "external_ids" : [ "string" ], "targets" : [ { - "type" : "string", + "type" : "endpoint", "observables" : [ { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" } ], "observed_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" }, "os" : "string", - "internal" : true, + "internal" : false, "sensor" : "string", "source_uri" : "string" } ], - "schema_version" : "string", + "short_description" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -32,6 +29,9 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tlp" : "green", + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/tool.json b/doc/json/tool.json index fcf4d668..81aa589b 100644 --- a/doc/json/tool.json +++ b/doc/json/tool.json @@ -1,22 +1,14 @@ { - "tlp" : "string", - "kill_chain_phases" : [ { - "kill_chain_name" : "string", - "phase_name" : "string" - } ], - "x_mitre_aliases" : [ "string" ], - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "description" : "string", + "labels" : [ "credential-exploitation" ], + "schema_version" : "1.3.18", "revision" : 10, - "labels" : [ "string" ], + "type" : "tool", + "x_mitre_aliases" : [ "string" ], + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "schema_version" : "string", "title" : "string", - "source" : "string", - "type" : "string", - "tool_version" : "string", - "source_uri" : "string", - "language" : "string", "external_references" : [ { "source_name" : "string", "description" : "string", @@ -24,6 +16,14 @@ "hashes" : [ "string" ], "external_id" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "source_uri" : "string", + "language" : "string", + "id" : "string", + "tool_version" : "string", + "tlp" : "green", + "kill_chain_phases" : [ { + "kill_chain_name" : "string", + "phase_name" : "string" + } ], + "timestamp" : "2016-01-01T01:01:01.000Z" } \ No newline at end of file diff --git a/doc/json/verdict.json b/doc/json/verdict.json index a35ab619..1bed4b18 100644 --- a/doc/json/verdict.json +++ b/doc/json/verdict.json @@ -1,12 +1,12 @@ { - "type" : "string", - "disposition" : 10, + "type" : "verdict", + "disposition" : 1, "observable" : { - "value" : "string", - "type" : "string" + "value" : "1.2.3.4", + "type" : "ip" }, "judgement_id" : "string", - "disposition_name" : "string", + "disposition_name" : "Clean", "valid_time" : { "start_time" : "2016-01-01T01:01:01.000Z", "end_time" : "2016-01-01T01:01:01.000Z" diff --git a/doc/json/vulnerability.json b/doc/json/vulnerability.json index 3c41b87a..b038fbf0 100644 --- a/doc/json/vulnerability.json +++ b/doc/json/vulnerability.json @@ -1,9 +1,18 @@ { - "tlp" : "string", + "description" : "string", + "schema_version" : "1.3.18", + "revision" : 10, + "published_date" : "2016-01-01T01:01:01.000Z", + "cve" : { + "cve_data_meta" : { + "id" : "string", + "assigner" : "string" + } + }, "configurations" : { "CVE_data_version" : "string", "nodes" : [ { - "operator" : "string", + "operator" : "AND", "cpe_match" : [ { "vulnerable" : true, "cpe23Uri" : "string", @@ -13,7 +22,7 @@ "versionEndExcluding" : "string" } ], "children" : [ { - "operator" : "string", + "operator" : "AND", "cpe_match" : [ { "vulnerable" : true, "cpe23Uri" : "string", @@ -27,93 +36,84 @@ "negate" : true } ] }, + "type" : "vulnerability", + "source" : "string", + "external_ids" : [ "string" ], + "short_description" : "string", + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" + } ], + "source_uri" : "string", + "language" : "string", "id" : "string", + "tlp" : "green", "timestamp" : "2016-01-01T01:01:01.000Z", - "revision" : 10, - "short_description" : "string", + "last_modified_date" : "2016-01-01T01:01:01.000Z", "impact" : { "cvss_v2" : { - "report_confidence" : "string", + "integrity_impact" : "complete", + "target_distribution" : "not_defined", + "availability_requirement" : "not_defined", + "exploitability" : "not_defined", + "access_complexity" : "low", + "temporal_vector_string" : "string", "exploitability_score" : 10.0, - "availability_impact" : "string", - "access_vector" : "string", - "authentication" : "string", "impact_score" : 10.0, - "exploitability" : "string", - "obtain_other_privilege" : true, - "availability_requirement" : "string", - "integrity_requirement" : "string", - "collateral_damage_potential" : "string", - "base_score" : 10.0, "user_interaction_required" : true, "environmental_vector_string" : "string", - "temporal_vector_string" : "string", - "base_severity" : "string", - "vector_string" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "obtain_all_privilege" : true, + "obtain_other_privilege" : true, + "availability_impact" : "complete", + "access_vector" : "network", + "base_severity" : "High", + "confidentiality_impact" : "complete", + "confidentiality_requirement" : "not_defined", + "report_confidence" : "not_defined", + "authentication" : "none", + "base_score" : 10.0, "obtain_user_privilege" : true, - "access_complexity" : "string", - "remediation_level" : "string", - "target_distribution" : "string" + "obtain_all_privilege" : true, + "collateral_damage_potential" : "not_defined", + "remediation_level" : "not_defined", + "vector_string" : "string", + "integrity_requirement" : "not_defined" }, "cvss_v3" : { - "modified_attack_vector" : "string", - "report_confidence" : "string", + "integrity_impact" : "high", + "modified_user_interaction" : "none", + "modified_scope" : "not_defined", + "availability_requirement" : "high", + "user_interaction" : "none", + "modified_integrity_impact" : "not_defined", + "privileges_required" : "high", "exploitability_score" : 10.0, - "availability_impact" : "string", - "user_interaction" : "string", "impact_score" : 10.0, - "exploit_code_maturity" : "string", - "availability_requirement" : "string", - "integrity_requirement" : "string", - "modified_availability_impact" : "string", + "environmental_severity" : "critical", + "modified_availability_impact" : "not_defined", + "availability_impact" : "high", + "scope" : "changed", + "exploit_code_maturity" : "functional", + "modified_attack_complexity" : "not_defined", + "base_severity" : "critical", + "confidentiality_impact" : "high", + "temporal_severity" : "critical", + "modified_confidentiality_impact" : "not_defined", + "confidentiality_requirement" : "high", + "report_confidence" : "confirmed", "temporal_score" : 10.0, - "environmental_severity" : "string", - "modified_privileges_required" : "string", + "modified_privileges_required" : "not_defined", + "modified_attack_vector" : "not_defined", "base_score" : 10.0, "environmental_score" : 10.0, - "modified_attack_complexity" : "string", - "scope" : "string", - "modified_integrity_impact" : "string", - "base_severity" : "string", + "remediation_level" : "high", "vector_string" : "string", - "modified_confidentiality_impact" : "string", - "confidentiality_requirement" : "string", - "integrity_impact" : "string", - "confidentiality_impact" : "string", - "privileges_required" : "string", - "attack_complexity" : "string", - "modified_scope" : "string", - "modified_user_interaction" : "string", - "attack_vector" : "string", - "temporal_severity" : "string", - "remediation_level" : "string" + "integrity_requirement" : "high", + "attack_vector" : "adjacent_network", + "attack_complexity" : "high" } - }, - "last_modified_date" : "2016-01-01T01:01:01.000Z", - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", - "published_date" : "2016-01-01T01:01:01.000Z", - "source_uri" : "string", - "cve" : { - "cve_data_meta" : { - "id" : "string", - "assigner" : "string" - } - }, - "language" : "string", - "external_references" : [ { - "source_name" : "string", - "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "description" : "string", - "external_ids" : [ "string" ] + } } \ No newline at end of file diff --git a/doc/json/weakness.json b/doc/json/weakness.json index 5275605a..1ae7089a 100644 --- a/doc/json/weakness.json +++ b/doc/json/weakness.json @@ -1,84 +1,84 @@ { - "detection_methods" : [ { - "method" : "string", - "description" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" - } ], + "description" : "string", "background_details" : "string", - "tlp" : "string", + "paradigms" : [ { + "prevalence" : "Often", + "name" : "string" + } ], + "abstraction_level" : "Base", "architectures" : [ { - "prevalence" : "string", + "prevalence" : "Often", "name" : "string", - "class" : "string" + "class" : "Embedded" } ], - "affected_resources" : [ "string" ], - "structure" : "string", - "id" : "string", - "timestamp" : "2016-01-01T01:01:01.000Z", + "schema_version" : "1.3.18", "revision" : 10, - "abstraction_level" : "string", "alternate_terms" : [ { "term" : "string", "description" : "string" } ], + "likelihood" : "High", + "type" : "weakness", + "source" : "string", + "external_ids" : [ "string" ], "short_description" : "string", - "languages" : [ { - "prevalence" : "string", - "name" : "string", - "class" : "string" + "title" : "string", + "external_references" : [ { + "source_name" : "string", + "description" : "string", + "url" : "string", + "hashes" : [ "string" ], + "external_id" : "string" } ], - "paradigms" : [ { - "prevalence" : "string", - "name" : "string" + "functional_areas" : [ "Authentication" ], + "source_uri" : "string", + "modes_of_introduction" : [ { + "phase" : "Architecture and Design", + "note" : "string" } ], - "potential_mitigations" : [ { - "description" : "string", - "phases" : [ "string" ], - "strategy" : "string", - "effectiveness" : "string", - "effectiveness_notes" : "string" + "structure" : "Chain", + "language" : "string", + "id" : "string", + "notes" : [ { + "type" : "Applicable Platform", + "note" : "string" } ], - "functional_areas" : [ "string" ], - "schema_version" : "string", - "title" : "string", - "source" : "string", - "type" : "string", "common_consequences" : [ { - "scopes" : [ "string" ], - "impacts" : [ "string" ], - "likelihood" : "string", + "scopes" : [ "Access Control" ], + "impacts" : [ "Alter Execution Logic" ], + "likelihood" : "High", "note" : "string" } ], + "tlp" : "green", + "detection_methods" : [ { + "method" : "Architecture or Design Review", + "description" : "string", + "effectiveness" : "High", + "effectiveness_notes" : "string" + } ], "operating_systems" : [ { - "prevalence" : "string", + "prevalence" : "Often", "name" : "string", "version" : "string", "cpe_id" : "string", - "class" : "string" + "class" : "Android" } ], - "likelihood" : "string", - "source_uri" : "string", - "notes" : [ { - "type" : "string", - "note" : "string" - } ], - "technologies" : [ { - "prevalence" : "string", - "name" : "string" + "affected_resources" : [ "CPU" ], + "languages" : [ { + "prevalence" : "Often", + "name" : "string", + "class" : "Assembly" } ], - "language" : "string", - "external_references" : [ { - "source_name" : "string", + "timestamp" : "2016-01-01T01:01:01.000Z", + "potential_mitigations" : [ { "description" : "string", - "url" : "string", - "hashes" : [ "string" ], - "external_id" : "string" - } ], - "modes_of_introduction" : [ { - "phase" : "string", - "note" : "string" + "phases" : [ "Architecture and Design" ], + "strategy" : "Attack Surface Reduction", + "effectiveness" : "Defense in Depth", + "effectiveness_notes" : "string" } ], - "description" : "string", - "external_ids" : [ "string" ] + "technologies" : [ { + "prevalence" : "Often", + "name" : "string" + } ] } \ No newline at end of file diff --git a/doc/structures/actor.md b/doc/structures/actor.md index b28fc205..0069cb8a 100644 --- a/doc/structures/actor.md +++ b/doc/structures/actor.md @@ -38,6 +38,7 @@ * This entry's type is sequential (allows zero or more values) + * Default: Cyber Espionage Operations * Allowed Values: * Cyber Espionage Operations * Disgruntled Customer / User @@ -78,6 +79,7 @@ For example, an Actor entity can have high confidence if the organization's secu * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -159,6 +161,7 @@ Represents the desired outcome or impact the threat actor is trying to achieve t * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -205,6 +208,7 @@ The reason or purpose behind the malicious activity attributed to this Actor. By * This entry is optional + * Default: Ego * Allowed Values: * Ego * Financial or Economic @@ -277,6 +281,7 @@ If an attacker shows a high level of sophistication in reconnaissances, social e * This entry is optional + * Default: Aspirant * Allowed Values: * Aspirant * Expert @@ -512,6 +517,7 @@ Specifies the level of confidence in the assertion of the relationship between t * This entry is optional + * Default: High * Allowed Values: * High * Info diff --git a/doc/structures/asset.md b/doc/structures/asset.md index cb3d8ed7..55566e98 100644 --- a/doc/structures/asset.md +++ b/doc/structures/asset.md @@ -32,6 +32,7 @@ Type of the Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data diff --git a/doc/structures/asset_mapping.md b/doc/structures/asset_mapping.md index a1c49a80..905fdbf1 100644 --- a/doc/structures/asset_mapping.md +++ b/doc/structures/asset_mapping.md @@ -44,6 +44,7 @@ Type of the mapped Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data @@ -59,6 +60,7 @@ Level of confidence held in the characterization of this AssetMapping e.g.: is i * This entry is required + * Default: High * Allowed Values: * High * Info @@ -180,6 +182,7 @@ Denotes the level of how many assets potentially could have this same identifier * This entry is required + * Default: Low * Allowed Values: * Low * Medium @@ -193,6 +196,7 @@ Do we manage when it changes, or is it always a time bound assignment? * This entry is required + * Default: Managed * Allowed Values: * Managed * Physical @@ -348,17 +352,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -419,6 +426,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required diff --git a/doc/structures/attack_pattern.md b/doc/structures/attack_pattern.md index 5f76cfa8..1f0a5279 100644 --- a/doc/structures/attack_pattern.md +++ b/doc/structures/attack_pattern.md @@ -36,6 +36,7 @@ The CAPEC abstraction level for patterns describing techniques to attack a syste * *AttackPatternAbstractions* Abstraction levels corresponding to CAPEC data describing attack-pattern objects. + * Default: aggregate * Allowed Values: * aggregate * category diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md index 53f97941..8422a171 100644 --- a/doc/structures/bundle.md +++ b/doc/structures/bundle.md @@ -822,6 +822,7 @@ A URL reference to an external resource. * This entry's type is sequential (allows zero or more values) + * Default: Cyber Espionage Operations * Allowed Values: * Cyber Espionage Operations * Disgruntled Customer / User @@ -862,6 +863,7 @@ For example, an Actor entity can have high confidence if the organization's secu * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -943,6 +945,7 @@ Represents the desired outcome or impact the threat actor is trying to achieve t * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -989,6 +992,7 @@ The reason or purpose behind the malicious activity attributed to this Actor. By * This entry is optional + * Default: Ego * Allowed Values: * Ego * Financial or Economic @@ -1061,6 +1065,7 @@ If an attacker shows a high level of sophistication in reconnaissances, social e * This entry is optional + * Default: Aspirant * Allowed Values: * Aspirant * Expert @@ -1202,6 +1207,7 @@ Specifies the level of confidence in the assertion of the relationship between t * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -1365,6 +1371,7 @@ Type of the Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data @@ -1684,6 +1691,7 @@ Type of the mapped Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data @@ -1699,6 +1707,7 @@ Level of confidence held in the characterization of this AssetMapping e.g.: is i * This entry is required + * Default: High * Allowed Values: * High * Info @@ -1820,6 +1829,7 @@ Denotes the level of how many assets potentially could have this same identifier * This entry is required + * Default: Low * Allowed Values: * Low * Medium @@ -1833,6 +1843,7 @@ Do we manage when it changes, or is it always a time bound assignment? * This entry is required + * Default: Managed * Allowed Values: * Managed * Physical @@ -1894,17 +1905,20 @@ For each asset, we allow for the assertion of time bound properties.This gives u | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -1965,6 +1979,8 @@ For each asset, we allow for the assertion of time bound properties.This gives u ## Property value ∷ String +The value of the observable. + * This entry is required @@ -2407,6 +2423,7 @@ The CAPEC abstraction level for patterns describing techniques to attack a syste * *AttackPatternAbstractions* Abstraction levels corresponding to CAPEC data describing attack-pattern objects. + * Default: aggregate * Allowed Values: * aggregate * category @@ -2845,6 +2862,7 @@ Level of confidence held in the characterization of this Campaign. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -2913,6 +2931,7 @@ Characterizes the intended effect of this cyber threat campaign. * This entry's type is sequential (allows zero or more values) + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -3028,6 +3047,7 @@ Can have one of the following values: * This entry is optional + * Default: Future * Allowed Values: * Future * Historic @@ -3260,6 +3280,7 @@ The type of this COA * This entry is optional + * Default: Diplomatic Actions * Allowed Values: * Diplomatic Actions * Eradication @@ -3290,6 +3311,7 @@ Characterizes the estimated cost for applying this course of action. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -3317,6 +3339,7 @@ Effectiveness of this course of action in achieving its targeted objective. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -3481,6 +3504,7 @@ Specifies what stage in the cyber threat management lifecycle this Course Of Act * This entry is optional + * Default: Containment * Allowed Values: * Containment * Eradication @@ -3670,6 +3694,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: copy-to * Allowed Values: * copy-to * modify-to @@ -3709,6 +3734,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: internal * Allowed Values: * internal * perimeter @@ -3720,6 +3746,7 @@ For example, an entity containing information about a critical vulnerability in * This entry's type is sequential (allows zero or more values) + * Default: acl * Allowed Values: * acl * authenticated @@ -3749,6 +3776,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: acknowledge * Allowed Values: * acknowledge * command-ref @@ -3761,6 +3789,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: cve * Allowed Values: * cve * patch @@ -3859,6 +3888,7 @@ List of additional properties describing the actuator. * This entry is required + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -3932,6 +3962,7 @@ Observable types that can be acted upon. * This entry is required + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -4003,6 +4034,7 @@ Observable types that can be acted upon. * This entry is required + * Default: alert * Allowed Values: * alert * allow @@ -4066,6 +4098,7 @@ Observable types that can be acted upon. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -4251,6 +4284,7 @@ Similar to `external_ids` field with major differences: * This entry is required + * Default: -1 * Allowed Values: * -1 * 0 @@ -4484,6 +4518,7 @@ A set of categories for this incident. * This entry's type is sequential (allows zero or more values) + * Default: Attrition * Allowed Values: * Attrition * Denial of Service @@ -4521,6 +4556,7 @@ It is important to note that the `confidence` field is subjective and can be int * This entry is required + * Default: High * Allowed Values: * High * Info @@ -4548,6 +4584,7 @@ Identifies how the incident was discovered. * This entry is optional + * Default: Agent Disclosure * Allowed Values: * Agent Disclosure * Antivirus @@ -4629,6 +4666,7 @@ Specifies the suspected intended effect of this incident * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -4687,6 +4725,7 @@ Describes method for promoting an Incident, whether manually or automatically. A * This entry is optional + * Default: Automated * Allowed Values: * Automated * Manual @@ -4734,6 +4773,7 @@ It is important to note that the `severity` field is subjective and can be inter * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -4781,6 +4821,7 @@ The `status` field represents the current state of an incident within the incide * This entry is required + * Default: Closed * Allowed Values: * Closed * Closed: Confirmed Threat @@ -4900,6 +4941,7 @@ For example, systems can have the following score types: * This entry is optional + * Default: :asset * Allowed Values: * :asset * :global @@ -5132,6 +5174,7 @@ level of confidence held in the accuracy of this Indicator. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -5200,6 +5243,7 @@ Specifies the type or types for this Indicator. * This entry's type is sequential (allows zero or more values) + * Default: Anonymization * Allowed Values: * Anonymization * C2 @@ -5298,6 +5342,7 @@ CTIM schema version for this entity. * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -5620,6 +5665,7 @@ The time range during which this Indicator is considered valid. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -5719,6 +5765,7 @@ The name of the phase in the kill chain. * This entry is required + * Default: and * Allowed Values: * and * not @@ -5863,6 +5910,7 @@ A URL reference to an external resource. * This entry is required + * Default: High * Allowed Values: * High * Info @@ -5881,6 +5929,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -5895,6 +5944,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -6014,6 +6064,7 @@ CTIM schema version for this entity. * This entry is required + * Default: Critical * Allowed Values: * Critical * High @@ -6129,17 +6180,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -6200,6 +6254,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -6303,6 +6359,7 @@ Malware abstraction level. * *MalwareAbstractions* Malware Abstraction level + * Default: family * Allowed Values: * family * variant @@ -6381,6 +6438,7 @@ The type of malware being described. * *MalwareLabel* Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool. + * Default: adware * Allowed Values: * adware * backdoor @@ -6993,6 +7051,7 @@ For example, if an incident involves an attack on a system in a country where a * This entry is required + * Default: attributed-to * Allowed Values: * attributed-to * based-on @@ -7232,6 +7291,7 @@ A URL reference to an external resource. * This entry is required + * Default: High * Allowed Values: * High * Info @@ -7431,6 +7491,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -7494,6 +7555,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -8262,6 +8324,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is optional + * Default: CONNECT * Allowed Values: * CONNECT * GET @@ -8395,6 +8458,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing @@ -8715,6 +8779,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing @@ -9630,6 +9695,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: Allocated * Allowed Values: * Allocated * Allocated_By @@ -9797,17 +9863,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -9849,6 +9918,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -9867,6 +9937,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -9878,17 +9950,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -9930,6 +10005,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -9948,6 +10024,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -9974,17 +10052,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -10026,6 +10107,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10044,6 +10126,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -10096,6 +10180,7 @@ Time of the observation. If the observation was made over a period of time, than * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -10182,17 +10267,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -10234,6 +10322,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10252,6 +10341,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -10293,6 +10384,7 @@ Time of the observation. If the observation was made over a period of time, than * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -10347,17 +10439,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -10399,6 +10494,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10417,6 +10513,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -10514,6 +10612,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * This entry is required + * Default: integer * Allowed Values: * integer * markdown @@ -10852,6 +10951,7 @@ If not present, the valid time position of the indicator does not have an upper * *AssertionType* An open vocabulary containing well known assertion types + * Default: cisco:ctr:ad:host_domain_name * Allowed Values: * cisco:ctr:ad:host_domain_name * cisco:ctr:ad:host_resolved_dns @@ -10938,17 +11038,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -10990,6 +11093,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -11008,6 +11112,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -11349,6 +11455,7 @@ The OpenC2 Actuator name that best fits the device that is creating this TargetR * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -11435,17 +11542,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -11487,6 +11597,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -11505,6 +11616,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -11672,6 +11785,7 @@ The kind(s) of tool(s) being described. * *ToolLabel* Tool labels describe the categories of tools that can be used to perform attacks. + * Default: credential-exploitation * Allowed Values: * credential-exploitation * denial-of-service @@ -11941,6 +12055,7 @@ A URL reference to an external resource. * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -11957,6 +12072,7 @@ The disposition_name field is optional, but is intended to be shown to a user. * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -12039,17 +12155,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -12091,6 +12210,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -12109,6 +12229,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -12423,6 +12545,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * This entry is required + * Default: integer * Allowed Values: * integer * markdown @@ -12553,6 +12676,7 @@ Refers to the level of abstraction or granularity used to describe the weakness. - Compound: A Compound Weakness describes a weakness that combines two or more Base weaknesses to exploit a system. For example, a "Buffer-Overflow with Format-String Exploit" combines the Base weaknesses of "Buffer-Overflow" and "Format-String Vulnerability". By specifying the abstraction level, cybersec professionals can more easily identify weaknesses that are related and prioritize their response efforts based on the potential impact of the vulnerability. + * Default: Base * Allowed Values: * Base * Class @@ -12571,6 +12695,7 @@ Identifies system resources that can be affected by an exploit of this weakness. * *SystemResource* Defines a resource of a system. + * Default: CPU * Allowed Values: * CPU * File or Directory @@ -12690,6 +12815,7 @@ Identifies the functional area of the software in which the weakness is most lik * *FunctionalArea* Defines the different functional areas of software in which the weakness may appear. + * Default: Authentication * Allowed Values: * Authentication * Authorization @@ -12754,6 +12880,7 @@ Likelihood of exploit. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -12893,6 +13020,7 @@ Defines the structural nature of the weakness. - Composite: A composite weakness might involve multiple vulnerabilities that exist in different layers or components of a system. For example, a composite weakness in a web application might involve both an injection vulnerability and a cross-site scripting vulnerability. An attacker could use these weaknesses in tandem to steal data or take over the system. - Simple: A simple weakness might involve a single vulnerability or exploit that can be used to achieve a specific objective. An example of a simple weakness might be a buffer overflow vulnerability in a software application. If an attacker can exploit this vulnerability, they may be able to execute arbitrary code on the system. + * Default: Chain * Allowed Values: * Chain * Composite @@ -12986,6 +13114,7 @@ The fixed value weakness * *NoteType* Defines the different types of notes that can be associated with a weakness. + * Default: Applicable Platform * Allowed Values: * Applicable Platform * Maintenance @@ -13027,6 +13156,7 @@ Summarizes how effective the mitigation may be in preventing the weakness. * *Effectiveness* Related to how effective a mitigation may be in preventing the weakness. + * Default: Defense in Depth * Allowed Values: * Defense in Depth * High @@ -13054,6 +13184,7 @@ Indicates the development life cycle phase during which this particular mitigati * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -13080,6 +13211,7 @@ A general strategy for protecting a system to which this mitigation contributes. * *MitigationStrategy* Strategy for protecting a system to which a mitigation contributes. + * Default: Attack Surface Reduction * Allowed Values: * Attack Surface Reduction * Compilation or Build Hardening @@ -13128,6 +13260,7 @@ How effective the detection method may be in detecting the associated weakness. * *DetectionEffectiveness* Level of effectiveness that a detection method may have in detecting an associated weakness. + * Default: High * Allowed Values: * High * Limited @@ -13156,6 +13289,7 @@ Identifies the particular detection method being described. * *DetectionMethod* Method used to detect a weakness. + * Default: Architecture or Design Review * Allowed Values: * Architecture or Design Review * Automated Analysis @@ -13197,6 +13331,7 @@ Describes the technical impact that arises if an adversary succeeds in exploitin * This entry's type is sequential (allows zero or more values) + * Default: Alter Execution Logic * Allowed Values: * Alter Execution Logic * Bypass Protection Mechanism @@ -13228,6 +13363,7 @@ How likely the specific consequence is expected to be seen relative to the other * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -13257,6 +13393,7 @@ Identifies the security property that is violated. * *ConsequenceScope* Defines the different areas of software security that can be affected by exploiting a weakness. + * Default: Access Control * Allowed Values: * Access Control * Accountability @@ -13297,6 +13434,7 @@ Identifies the point in the software life cycle at which the weakness may be int * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -13371,6 +13509,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -13406,6 +13545,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -13431,6 +13571,7 @@ Class of architecture * This entry is optional + * Default: Embedded * Allowed Values: * Embedded * Microcomputer @@ -13456,6 +13597,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -13482,6 +13624,7 @@ Defines the different regularities that guide the applicability of platforms. * *OperatingSystemClass* Class of Operating System. + * Default: Android * Allowed Values: * Android * Apple iOS @@ -13517,6 +13660,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -13551,6 +13695,7 @@ Class of language. * *LanguageClass* Class of source code language. + * Default: Assembly * Allowed Values: * Assembly * Compiled @@ -13576,6 +13721,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -13983,6 +14129,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR @@ -14024,6 +14171,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR @@ -14240,6 +14388,7 @@ describes the conditions beyond the attacker's control that must exist in order * *CVSSv3AttackComplexity* Describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: `low` Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. `high` A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack). + * Default: high * Allowed Values: * high * low @@ -14254,6 +14403,7 @@ Reflects the context by which vulnerability exploitation is possible * *CVSSv3AttackVector* This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: `network` A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed `remotely exploitable` and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).`adjacent_network` A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. `local` A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. `physical` A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks. + * Default: adjacent_network * Allowed Values: * adjacent_network * local @@ -14270,6 +14420,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3AvailabilityImpact* This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: `high`: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). `low`: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. `none`: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -14283,6 +14434,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -14306,6 +14458,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: critical * Allowed Values: * critical * high @@ -14322,6 +14475,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3ConfidentialityImpact* Measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: `high`: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. `low`: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. `none`: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component. + * Default: high * Allowed Values: * high * low @@ -14335,6 +14489,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -14356,6 +14511,7 @@ measures the impact to the confidentiality of the information resources managed * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -14372,6 +14528,7 @@ measures the likelihood of the vulnerability being attacked * *CVSSv3ExploitCodeMaturity* This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `high`: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. `functional`: Functional exploit code is available. The code works in most situations where the vulnerability exists. `proof_of_concept`: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. `unproven`: No exploit code is available, or an exploit is theoretical. + * Default: functional * Allowed Values: * functional * high @@ -14405,6 +14562,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3IntegrityImpact* This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: `high`: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. `low`: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.`none`: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -14418,6 +14576,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -14552,6 +14711,7 @@ modified user interaction * *CVSSv3ModifiedUserInteraction* The same values as User Interaction, as well as not_defined (the default) + * Default: none * Allowed Values: * none * not_defined @@ -14567,6 +14727,7 @@ describes the level of privileges an attacker must possess before successfully e * *CVSSv3PrivilegesRequired* This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: `none`: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. `low`: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. `high`: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files. + * Default: high * Allowed Values: * high * low @@ -14582,6 +14743,7 @@ Remediation Level of a vulnerability is an important factor for prioritization * *CVSSv3RemediationLevel* The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `unavailable`: There is either no solution available or it is impossible to apply. `workaround`: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. `temporary_fix`: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.`official_fix`: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score. + * Default: high * Allowed Values: * high * not_defined @@ -14600,6 +14762,7 @@ measures the degree of confidence in the existence of the vulnerability and the * *CVSSv3ReportConfidence* Measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `confirmed`: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. `reasonable`: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. `unknown`: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score. + * Default: confirmed * Allowed Values: * confirmed * reasonable @@ -14615,6 +14778,7 @@ the ability for a vulnerability in one software component to impact resources be * *CVSSv3Scope* An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: `unchanged`: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. `changed`: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different. + * Default: changed * Allowed Values: * changed * unchanged @@ -14638,6 +14802,7 @@ temporal severity * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -14654,6 +14819,7 @@ captures the requirement for a user, other than the attacker, to participate in * *CVSSv3UserInteraction* Captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: `none`: The vulnerable system can be exploited without interaction from any user. `required`: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator. + * Default: none * Allowed Values: * none * required @@ -14786,6 +14952,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: High * Allowed Values: * High * Info diff --git a/doc/structures/campaign.md b/doc/structures/campaign.md index 482f23dc..327218ac 100644 --- a/doc/structures/campaign.md +++ b/doc/structures/campaign.md @@ -62,6 +62,7 @@ Level of confidence held in the characterization of this Campaign. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -130,6 +131,7 @@ Characterizes the intended effect of this cyber threat campaign. * This entry's type is sequential (allows zero or more values) + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -245,6 +247,7 @@ Can have one of the following values: * This entry is optional + * Default: Future * Allowed Values: * Future * Historic diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md index 20bd3b68..8c8b9be8 100644 --- a/doc/structures/casebook.md +++ b/doc/structures/casebook.md @@ -285,17 +285,20 @@ A URL reference to an external resource. | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -356,6 +359,8 @@ A URL reference to an external resource. ## Property value ∷ String +The value of the observable. + * This entry is required @@ -1452,6 +1457,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR @@ -1493,6 +1499,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR @@ -1709,6 +1716,7 @@ describes the conditions beyond the attacker's control that must exist in order * *CVSSv3AttackComplexity* Describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: `low` Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. `high` A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack). + * Default: high * Allowed Values: * high * low @@ -1723,6 +1731,7 @@ Reflects the context by which vulnerability exploitation is possible * *CVSSv3AttackVector* This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: `network` A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed `remotely exploitable` and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).`adjacent_network` A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. `local` A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. `physical` A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks. + * Default: adjacent_network * Allowed Values: * adjacent_network * local @@ -1739,6 +1748,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3AvailabilityImpact* This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: `high`: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). `low`: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. `none`: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -1752,6 +1762,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -1775,6 +1786,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: critical * Allowed Values: * critical * high @@ -1791,6 +1803,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3ConfidentialityImpact* Measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: `high`: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. `low`: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. `none`: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component. + * Default: high * Allowed Values: * high * low @@ -1804,6 +1817,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -1825,6 +1839,7 @@ measures the impact to the confidentiality of the information resources managed * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -1841,6 +1856,7 @@ measures the likelihood of the vulnerability being attacked * *CVSSv3ExploitCodeMaturity* This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `high`: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. `functional`: Functional exploit code is available. The code works in most situations where the vulnerability exists. `proof_of_concept`: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. `unproven`: No exploit code is available, or an exploit is theoretical. + * Default: functional * Allowed Values: * functional * high @@ -1874,6 +1890,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3IntegrityImpact* This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: `high`: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. `low`: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.`none`: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -1887,6 +1904,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -2021,6 +2039,7 @@ modified user interaction * *CVSSv3ModifiedUserInteraction* The same values as User Interaction, as well as not_defined (the default) + * Default: none * Allowed Values: * none * not_defined @@ -2036,6 +2055,7 @@ describes the level of privileges an attacker must possess before successfully e * *CVSSv3PrivilegesRequired* This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: `none`: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. `low`: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. `high`: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files. + * Default: high * Allowed Values: * high * low @@ -2051,6 +2071,7 @@ Remediation Level of a vulnerability is an important factor for prioritization * *CVSSv3RemediationLevel* The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `unavailable`: There is either no solution available or it is impossible to apply. `workaround`: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. `temporary_fix`: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.`official_fix`: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score. + * Default: high * Allowed Values: * high * not_defined @@ -2069,6 +2090,7 @@ measures the degree of confidence in the existence of the vulnerability and the * *CVSSv3ReportConfidence* Measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `confirmed`: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. `reasonable`: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. `unknown`: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score. + * Default: confirmed * Allowed Values: * confirmed * reasonable @@ -2084,6 +2106,7 @@ the ability for a vulnerability in one software component to impact resources be * *CVSSv3Scope* An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: `unchanged`: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. `changed`: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different. + * Default: changed * Allowed Values: * changed * unchanged @@ -2107,6 +2130,7 @@ temporal severity * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -2123,6 +2147,7 @@ captures the requirement for a user, other than the attacker, to participate in * *CVSSv3UserInteraction* Captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: `none`: The vulnerable system can be exploited without interaction from any user. `required`: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator. + * Default: none * Allowed Values: * none * required @@ -2255,6 +2280,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: High * Allowed Values: * High * Info @@ -2635,6 +2661,7 @@ Refers to the level of abstraction or granularity used to describe the weakness. - Compound: A Compound Weakness describes a weakness that combines two or more Base weaknesses to exploit a system. For example, a "Buffer-Overflow with Format-String Exploit" combines the Base weaknesses of "Buffer-Overflow" and "Format-String Vulnerability". By specifying the abstraction level, cybersec professionals can more easily identify weaknesses that are related and prioritize their response efforts based on the potential impact of the vulnerability. + * Default: Base * Allowed Values: * Base * Class @@ -2653,6 +2680,7 @@ Identifies system resources that can be affected by an exploit of this weakness. * *SystemResource* Defines a resource of a system. + * Default: CPU * Allowed Values: * CPU * File or Directory @@ -2772,6 +2800,7 @@ Identifies the functional area of the software in which the weakness is most lik * *FunctionalArea* Defines the different functional areas of software in which the weakness may appear. + * Default: Authentication * Allowed Values: * Authentication * Authorization @@ -2836,6 +2865,7 @@ Likelihood of exploit. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -2975,6 +3005,7 @@ Defines the structural nature of the weakness. - Composite: A composite weakness might involve multiple vulnerabilities that exist in different layers or components of a system. For example, a composite weakness in a web application might involve both an injection vulnerability and a cross-site scripting vulnerability. An attacker could use these weaknesses in tandem to steal data or take over the system. - Simple: A simple weakness might involve a single vulnerability or exploit that can be used to achieve a specific objective. An example of a simple weakness might be a buffer overflow vulnerability in a software application. If an attacker can exploit this vulnerability, they may be able to execute arbitrary code on the system. + * Default: Chain * Allowed Values: * Chain * Composite @@ -3068,6 +3099,7 @@ The fixed value weakness * *NoteType* Defines the different types of notes that can be associated with a weakness. + * Default: Applicable Platform * Allowed Values: * Applicable Platform * Maintenance @@ -3109,6 +3141,7 @@ Summarizes how effective the mitigation may be in preventing the weakness. * *Effectiveness* Related to how effective a mitigation may be in preventing the weakness. + * Default: Defense in Depth * Allowed Values: * Defense in Depth * High @@ -3136,6 +3169,7 @@ Indicates the development life cycle phase during which this particular mitigati * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -3162,6 +3196,7 @@ A general strategy for protecting a system to which this mitigation contributes. * *MitigationStrategy* Strategy for protecting a system to which a mitigation contributes. + * Default: Attack Surface Reduction * Allowed Values: * Attack Surface Reduction * Compilation or Build Hardening @@ -3210,6 +3245,7 @@ How effective the detection method may be in detecting the associated weakness. * *DetectionEffectiveness* Level of effectiveness that a detection method may have in detecting an associated weakness. + * Default: High * Allowed Values: * High * Limited @@ -3238,6 +3274,7 @@ Identifies the particular detection method being described. * *DetectionMethod* Method used to detect a weakness. + * Default: Architecture or Design Review * Allowed Values: * Architecture or Design Review * Automated Analysis @@ -3279,6 +3316,7 @@ Describes the technical impact that arises if an adversary succeeds in exploitin * This entry's type is sequential (allows zero or more values) + * Default: Alter Execution Logic * Allowed Values: * Alter Execution Logic * Bypass Protection Mechanism @@ -3310,6 +3348,7 @@ How likely the specific consequence is expected to be seen relative to the other * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -3339,6 +3378,7 @@ Identifies the security property that is violated. * *ConsequenceScope* Defines the different areas of software security that can be affected by exploiting a weakness. + * Default: Access Control * Allowed Values: * Access Control * Accountability @@ -3379,6 +3419,7 @@ Identifies the point in the software life cycle at which the weakness may be int * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -3453,6 +3494,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -3488,6 +3530,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -3513,6 +3556,7 @@ Class of architecture * This entry is optional + * Default: Embedded * Allowed Values: * Embedded * Microcomputer @@ -3538,6 +3582,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -3564,6 +3609,7 @@ Defines the different regularities that guide the applicability of platforms. * *OperatingSystemClass* Class of Operating System. + * Default: Android * Allowed Values: * Android * Apple iOS @@ -3599,6 +3645,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -3633,6 +3680,7 @@ Class of language. * *LanguageClass* Class of source code language. + * Default: Assembly * Allowed Values: * Assembly * Compiled @@ -3658,6 +3706,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -4037,6 +4086,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * This entry is required + * Default: integer * Allowed Values: * integer * markdown @@ -4131,6 +4181,7 @@ A URL reference to an external resource. * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -4147,6 +4198,7 @@ The disposition_name field is optional, but is intended to be shown to a user. * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -4229,17 +4281,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -4300,6 +4355,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -4405,6 +4462,7 @@ The kind(s) of tool(s) being described. * *ToolLabel* Tool labels describe the categories of tools that can be used to perform attacks. + * Default: credential-exploitation * Allowed Values: * credential-exploitation * denial-of-service @@ -4925,6 +4983,7 @@ The OpenC2 Actuator name that best fits the device that is creating this TargetR * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -5011,17 +5070,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -5082,6 +5144,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -5384,6 +5448,7 @@ If not present, the valid time position of the indicator does not have an upper * *AssertionType* An open vocabulary containing well known assertion types + * Default: cisco:ctr:ad:host_domain_name * Allowed Values: * cisco:ctr:ad:host_domain_name * cisco:ctr:ad:host_resolved_dns @@ -5470,17 +5535,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -5541,6 +5609,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -5650,6 +5720,7 @@ A URL reference to an external resource. * This entry is required + * Default: High * Allowed Values: * High * Info @@ -5849,6 +5920,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -5912,6 +5984,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -6680,6 +6753,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is optional + * Default: CONNECT * Allowed Values: * CONNECT * GET @@ -6813,6 +6887,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing @@ -7133,6 +7208,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing @@ -8048,6 +8124,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: Allocated * Allowed Values: * Allocated * Allocated_By @@ -8215,17 +8292,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -8267,6 +8347,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8285,6 +8366,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -8296,17 +8379,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -8348,6 +8434,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8366,6 +8453,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -8392,17 +8481,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -8444,6 +8536,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8462,6 +8555,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -8514,6 +8609,7 @@ Time of the observation. If the observation was made over a period of time, than * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -8600,17 +8696,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -8652,6 +8751,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8670,6 +8770,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -8711,6 +8813,7 @@ Time of the observation. If the observation was made over a period of time, than * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -8765,17 +8868,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -8817,6 +8923,7 @@ Time of the observation. If the observation was made over a period of time, than * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -8835,6 +8942,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -8932,6 +9041,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * This entry is required + * Default: integer * Allowed Values: * integer * markdown @@ -9128,6 +9238,7 @@ For example, if an incident involves an attack on a system in a country where a * This entry is required + * Default: attributed-to * Allowed Values: * attributed-to * based-on @@ -9634,6 +9745,7 @@ Malware abstraction level. * *MalwareAbstractions* Malware Abstraction level + * Default: family * Allowed Values: * family * variant @@ -9712,6 +9824,7 @@ The type of malware being described. * *MalwareLabel* Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool. + * Default: adware * Allowed Values: * adware * backdoor @@ -10002,6 +10115,7 @@ A URL reference to an external resource. * This entry is required + * Default: High * Allowed Values: * High * Info @@ -10020,6 +10134,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -10034,6 +10149,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -10153,6 +10269,7 @@ CTIM schema version for this entity. * This entry is required + * Default: Critical * Allowed Values: * Critical * High @@ -10268,17 +10385,20 @@ If not present, the valid time position of the indicator does not have an upper | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -10320,6 +10440,7 @@ If not present, the valid time position of the indicator does not have an upper * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -10338,6 +10459,8 @@ If not present, the valid time position of the indicator does not have an upper ## Property value ∷ String +The value of the observable. + * This entry is required @@ -10471,6 +10594,7 @@ level of confidence held in the accuracy of this Indicator. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -10539,6 +10663,7 @@ Specifies the type or types for this Indicator. * This entry's type is sequential (allows zero or more values) + * Default: Anonymization * Allowed Values: * Anonymization * C2 @@ -10637,6 +10762,7 @@ CTIM schema version for this entity. * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -10959,6 +11085,7 @@ The time range during which this Indicator is considered valid. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -11058,6 +11185,7 @@ The name of the phase in the kill chain. * This entry is required + * Default: and * Allowed Values: * and * not @@ -11217,6 +11345,7 @@ A set of categories for this incident. * This entry's type is sequential (allows zero or more values) + * Default: Attrition * Allowed Values: * Attrition * Denial of Service @@ -11254,6 +11383,7 @@ It is important to note that the `confidence` field is subjective and can be int * This entry is required + * Default: High * Allowed Values: * High * Info @@ -11281,6 +11411,7 @@ Identifies how the incident was discovered. * This entry is optional + * Default: Agent Disclosure * Allowed Values: * Agent Disclosure * Antivirus @@ -11362,6 +11493,7 @@ Specifies the suspected intended effect of this incident * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -11420,6 +11552,7 @@ Describes method for promoting an Incident, whether manually or automatically. A * This entry is optional + * Default: Automated * Allowed Values: * Automated * Manual @@ -11467,6 +11600,7 @@ It is important to note that the `severity` field is subjective and can be inter * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -11514,6 +11648,7 @@ The `status` field represents the current state of an incident within the incide * This entry is required + * Default: Closed * Allowed Values: * Closed * Closed: Confirmed Threat @@ -11633,6 +11768,7 @@ For example, systems can have the following score types: * This entry is optional + * Default: :asset * Allowed Values: * :asset * :global @@ -11866,6 +12002,7 @@ Similar to `external_ids` field with major differences: * This entry is required + * Default: -1 * Allowed Values: * -1 * 0 @@ -12081,6 +12218,7 @@ The type of this COA * This entry is optional + * Default: Diplomatic Actions * Allowed Values: * Diplomatic Actions * Eradication @@ -12111,6 +12249,7 @@ Characterizes the estimated cost for applying this course of action. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -12138,6 +12277,7 @@ Effectiveness of this course of action in achieving its targeted objective. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -12302,6 +12442,7 @@ Specifies what stage in the cyber threat management lifecycle this Course Of Act * This entry is optional + * Default: Containment * Allowed Values: * Containment * Eradication @@ -12491,6 +12632,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: copy-to * Allowed Values: * copy-to * modify-to @@ -12530,6 +12672,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: internal * Allowed Values: * internal * perimeter @@ -12541,6 +12684,7 @@ For example, an entity containing information about a critical vulnerability in * This entry's type is sequential (allows zero or more values) + * Default: acl * Allowed Values: * acl * authenticated @@ -12570,6 +12714,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: acknowledge * Allowed Values: * acknowledge * command-ref @@ -12582,6 +12727,7 @@ For example, an entity containing information about a critical vulnerability in * This entry is optional + * Default: cve * Allowed Values: * cve * patch @@ -12680,6 +12826,7 @@ List of additional properties describing the actuator. * This entry is required + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -12753,6 +12900,7 @@ Observable types that can be acted upon. * This entry is required + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -12794,6 +12942,7 @@ Observable types that can be acted upon. * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -12823,6 +12972,7 @@ Observable types that can be acted upon. * This entry is required + * Default: alert * Allowed Values: * alert * allow @@ -12886,6 +13036,7 @@ Observable types that can be acted upon. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -13067,6 +13218,7 @@ Level of confidence held in the characterization of this Campaign. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -13135,6 +13287,7 @@ Characterizes the intended effect of this cyber threat campaign. * This entry's type is sequential (allows zero or more values) + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -13250,6 +13403,7 @@ Can have one of the following values: * This entry is optional + * Default: Future * Allowed Values: * Future * Historic @@ -13478,6 +13632,7 @@ The CAPEC abstraction level for patterns describing techniques to attack a syste * *AttackPatternAbstractions* Abstraction levels corresponding to CAPEC data describing attack-pattern objects. + * Default: aggregate * Allowed Values: * aggregate * category @@ -14204,6 +14359,7 @@ Type of the mapped Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data @@ -14219,6 +14375,7 @@ Level of confidence held in the characterization of this AssetMapping e.g.: is i * This entry is required + * Default: High * Allowed Values: * High * Info @@ -14340,6 +14497,7 @@ Denotes the level of how many assets potentially could have this same identifier * This entry is required + * Default: Low * Allowed Values: * Low * Medium @@ -14353,6 +14511,7 @@ Do we manage when it changes, or is it always a time bound assignment? * This entry is required + * Default: Managed * Allowed Values: * Managed * Physical @@ -14414,17 +14573,20 @@ For each asset, we allow for the assertion of time bound properties.This gives u | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -14466,6 +14628,7 @@ For each asset, we allow for the assertion of time bound properties.This gives u * process_hash * process_name * process_path + * process_uid * process_username * processor_id * registry_key @@ -14484,6 +14647,8 @@ For each asset, we allow for the assertion of time bound properties.This gives u ## Property value ∷ String +The value of the observable. + * This entry is required @@ -14616,6 +14781,7 @@ Type of the Asset: Device, Person, Application, etc. * This entry is required + * Default: application * Allowed Values: * application * data @@ -14929,6 +15095,7 @@ A URL reference to an external resource. * This entry's type is sequential (allows zero or more values) + * Default: Cyber Espionage Operations * Allowed Values: * Cyber Espionage Operations * Disgruntled Customer / User @@ -14969,6 +15136,7 @@ For example, an Actor entity can have high confidence if the organization's secu * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -15050,6 +15218,7 @@ Represents the desired outcome or impact the threat actor is trying to achieve t * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -15096,6 +15265,7 @@ The reason or purpose behind the malicious activity attributed to this Actor. By * This entry is optional + * Default: Ego * Allowed Values: * Ego * Financial or Economic @@ -15168,6 +15338,7 @@ If an attacker shows a high level of sophistication in reconnaissances, social e * This entry is optional + * Default: Aspirant * Allowed Values: * Aspirant * Expert @@ -15309,6 +15480,7 @@ Specifies the level of confidence in the assertion of the relationship between t * This entry is optional + * Default: High * Allowed Values: * High * Info diff --git a/doc/structures/coa.md b/doc/structures/coa.md index 6f21a4e8..3ee5f09e 100644 --- a/doc/structures/coa.md +++ b/doc/structures/coa.md @@ -40,6 +40,7 @@ The type of this COA * This entry is optional + * Default: Diplomatic Actions * Allowed Values: * Diplomatic Actions * Eradication @@ -70,6 +71,7 @@ Characterizes the estimated cost for applying this course of action. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -97,6 +99,7 @@ Effectiveness of this course of action in achieving its targeted objective. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -261,6 +264,7 @@ Specifies what stage in the cyber threat management lifecycle this Course Of Act * This entry is optional + * Default: Containment * Allowed Values: * Containment * Eradication @@ -456,6 +460,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -592,6 +597,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is optional + * Default: copy-to * Allowed Values: * copy-to * modify-to @@ -631,6 +637,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is optional + * Default: internal * Allowed Values: * internal * perimeter @@ -642,6 +649,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry's type is sequential (allows zero or more values) + * Default: acl * Allowed Values: * acl * authenticated @@ -671,6 +679,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is optional + * Default: acknowledge * Allowed Values: * acknowledge * command-ref @@ -683,6 +692,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is optional + * Default: cve * Allowed Values: * cve * patch @@ -781,6 +791,7 @@ List of additional properties describing the actuator. * This entry is required + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -854,6 +865,7 @@ Observable types that can be acted upon. * This entry is required + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -925,6 +937,7 @@ Observable types that can be acted upon. * This entry is required + * Default: alert * Allowed Values: * alert * allow diff --git a/doc/structures/feedback.md b/doc/structures/feedback.md index 9db23bb8..c5714318 100644 --- a/doc/structures/feedback.md +++ b/doc/structures/feedback.md @@ -66,6 +66,7 @@ Similar to `external_ids` field with major differences: * This entry is required + * Default: -1 * Allowed Values: * -1 * 0 diff --git a/doc/structures/incident.md b/doc/structures/incident.md index e221d06c..fdb06659 100644 --- a/doc/structures/incident.md +++ b/doc/structures/incident.md @@ -58,6 +58,7 @@ A set of categories for this incident. * This entry's type is sequential (allows zero or more values) + * Default: Attrition * Allowed Values: * Attrition * Denial of Service @@ -95,6 +96,7 @@ It is important to note that the `confidence` field is subjective and can be int * This entry is required + * Default: High * Allowed Values: * High * Info @@ -122,6 +124,7 @@ Identifies how the incident was discovered. * This entry is optional + * Default: Agent Disclosure * Allowed Values: * Agent Disclosure * Antivirus @@ -203,6 +206,7 @@ Specifies the suspected intended effect of this incident * This entry is optional + * Default: Account Takeover * Allowed Values: * Account Takeover * Advantage @@ -261,6 +265,7 @@ Describes method for promoting an Incident, whether manually or automatically. A * This entry is optional + * Default: Automated * Allowed Values: * Automated * Manual @@ -308,6 +313,7 @@ It is important to note that the `severity` field is subjective and can be inter * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -355,6 +361,7 @@ The `status` field represents the current state of an incident within the incide * This entry is required + * Default: Closed * Allowed Values: * Closed * Closed: Confirmed Threat @@ -632,6 +639,7 @@ For example, systems can have the following score types: * This entry is optional + * Default: :asset * Allowed Values: * :asset * :global diff --git a/doc/structures/indicator.md b/doc/structures/indicator.md index 4ba57ba9..4b56c439 100644 --- a/doc/structures/indicator.md +++ b/doc/structures/indicator.md @@ -65,6 +65,7 @@ level of confidence held in the accuracy of this Indicator. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -133,6 +134,7 @@ Specifies the type or types for this Indicator. * This entry's type is sequential (allows zero or more values) + * Default: Anonymization * Allowed Values: * Anonymization * C2 @@ -231,6 +233,7 @@ CTIM schema version for this entity. * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -502,6 +505,7 @@ If not present, the valid time position of the indicator does not have an upper * This entry is required + * Default: and * Allowed Values: * and * not @@ -607,6 +611,7 @@ The name of the phase in the kill chain. * This entry is optional + * Default: High * Allowed Values: * High * Info diff --git a/doc/structures/judgement.md b/doc/structures/judgement.md index fbc5ba2c..b16ea75a 100644 --- a/doc/structures/judgement.md +++ b/doc/structures/judgement.md @@ -43,6 +43,7 @@ * This entry is required + * Default: High * Allowed Values: * High * Info @@ -61,6 +62,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -75,6 +77,7 @@ Matches :disposition_name as in {1 "Clean", 2 "Malicious", 3 "Suspicious", 4 "Co * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -194,6 +197,7 @@ CTIM schema version for this entity. * This entry is required + * Default: Critical * Allowed Values: * Critical * High @@ -339,17 +343,20 @@ A URL reference to an external resource. | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -391,8 +398,8 @@ A URL reference to an external resource. * process_hash * process_name * process_path - * process_username * process_uid + * process_username * processor_id * registry_key * registry_name @@ -410,6 +417,8 @@ A URL reference to an external resource. ## Property value ∷ String +The value of the observable. + * This entry is required diff --git a/doc/structures/malware.md b/doc/structures/malware.md index 0ede5c48..dd9f4148 100644 --- a/doc/structures/malware.md +++ b/doc/structures/malware.md @@ -35,6 +35,7 @@ Malware abstraction level. * *MalwareAbstractions* Malware Abstraction level + * Default: family * Allowed Values: * family * variant @@ -113,6 +114,7 @@ The type of malware being described. * *MalwareLabel* Malware label is an open vocabulary that represents different types and functions of malware. Malware labels are not mutually exclusive; a malware instance can be both spyware and a screen capture tool. + * Default: adware * Allowed Values: * adware * backdoor diff --git a/doc/structures/relationship.md b/doc/structures/relationship.md index bed681d2..2e8b3755 100644 --- a/doc/structures/relationship.md +++ b/doc/structures/relationship.md @@ -92,6 +92,7 @@ For example, if an incident involves an attack on a system in a country where a * This entry is required + * Default: attributed-to * Allowed Values: * attributed-to * based-on diff --git a/doc/structures/sighting.md b/doc/structures/sighting.md index 8ac0498a..d90d2a84 100644 --- a/doc/structures/sighting.md +++ b/doc/structures/sighting.md @@ -41,6 +41,7 @@ * This entry is required + * Default: High * Allowed Values: * High * Info @@ -240,6 +241,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -303,6 +305,7 @@ The OpenC2 Actuator name that best fits the device that is creating this sightin * This entry is optional + * Default: Critical * Allowed Values: * Critical * High @@ -591,6 +594,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * This entry is required + * Default: integer * Allowed Values: * integer * markdown @@ -636,6 +640,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -690,17 +695,20 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -761,6 +769,8 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` ## Property value ∷ String +The value of the observable. + * This entry is required @@ -813,6 +823,7 @@ If `true`, the row entries for this column cannot contain `nulls`. Defaults to ` * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -899,17 +910,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -970,6 +984,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -981,17 +997,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -1052,6 +1071,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -1102,6 +1123,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: Allocated * Allowed Values: * Allocated * Allocated_By @@ -1269,17 +1291,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -1340,6 +1365,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -1351,17 +1378,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -1422,6 +1452,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required @@ -2108,6 +2140,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is optional + * Default: CONNECT * Allowed Values: * CONNECT * GET @@ -2241,6 +2274,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing @@ -2561,6 +2595,7 @@ Time of the observation. If the observation was made over a period of time, than * This entry is required + * Default: incoming * Allowed Values: * incoming * outgoing diff --git a/doc/structures/target_record.md b/doc/structures/target_record.md index 4306cd10..4e664cab 100644 --- a/doc/structures/target_record.md +++ b/doc/structures/target_record.md @@ -335,6 +335,7 @@ The OpenC2 Actuator name that best fits the device that is creating this TargetR * *Sensor* The sensor/actuator name that best fits a device. + * Default: endpoint * Allowed Values: * endpoint * endpoint.digital-telephone-handset @@ -421,17 +422,20 @@ Time of the observation. If the observation was made over a period of time, than | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -492,6 +496,8 @@ Time of the observation. If the observation was made over a period of time, than ## Property value ∷ String +The value of the observable. + * This entry is required diff --git a/doc/structures/tool.md b/doc/structures/tool.md index 543dc994..da831585 100644 --- a/doc/structures/tool.md +++ b/doc/structures/tool.md @@ -99,6 +99,7 @@ The kind(s) of tool(s) being described. * *ToolLabel* Tool labels describe the categories of tools that can be used to perform attacks. + * Default: credential-exploitation * Allowed Values: * credential-exploitation * denial-of-service diff --git a/doc/structures/verdict.md b/doc/structures/verdict.md index 58adf596..047114d3 100644 --- a/doc/structures/verdict.md +++ b/doc/structures/verdict.md @@ -22,6 +22,7 @@ * *DispositionNumber* Numeric verdict identifiers. + * Default: 1 * Allowed Values: * 1 * 2 @@ -38,6 +39,7 @@ The disposition_name field is optional, but is intended to be shown to a user. * *DispositionName* String verdict identifiers. + * Default: Clean * Allowed Values: * Clean * Common @@ -88,17 +90,20 @@ The disposition_name field is optional, but is intended to be shown to a user. | Property | Type | Description | Required? | | -------- | ---- | ----------- | --------- | -|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString| |✓| -|[value](#propertyvalue-string)|String| |✓| +|[type](#propertytype-observabletypeidentifierstring)|ObservableTypeIdentifierString|The type of observable.|✓| +|[value](#propertyvalue-string)|String|The value of the observable.|✓| ## Property type ∷ ObservableTypeIdentifierString +The type of observable. + * This entry is required * *ObservableTypeIdentifier* Observable type names + * Default: amp_computer_guid * Allowed Values: * amp_computer_guid * certificate_common_name @@ -159,6 +164,8 @@ The disposition_name field is optional, but is intended to be shown to a user. ## Property value ∷ String +The value of the observable. + * This entry is required diff --git a/doc/structures/vulnerability.md b/doc/structures/vulnerability.md index eec442e7..d1a5e547 100644 --- a/doc/structures/vulnerability.md +++ b/doc/structures/vulnerability.md @@ -436,6 +436,7 @@ describes the conditions beyond the attacker's control that must exist in order * *CVSSv3AttackComplexity* Describes the conditions beyond the attacker's control that must exist in order to exploit the vulnerability. As described below, such conditions may require the collection of more information about the target, the presence of certain system configuration settings, or computational exceptions. Importantly, the assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability (such conditions are captured in the User Interaction metric). this metric value is largest for the least complex attacks. The list of possible values are: `low` Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success against the vulnerable component. `high` A successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. For example, a successful attack may depend on an attacker overcoming any of the following conditions: - The attacker must conduct target-specific reconnaissance. For example, on target configuration settings, sequence numbers, shared secrets, etc. - The attacker must prepare the target environment to improve exploit reliability. For example, repeated exploitation to win a race condition, or overcoming advanced exploit mitigation techniques. The attacker must inject herself into the logical network path between the target and the resource requested by the victim in order to read and/or modify network communications (e.g. man in the middle attack). + * Default: high * Allowed Values: * high * low @@ -450,6 +451,7 @@ Reflects the context by which vulnerability exploitation is possible * *CVSSv3AttackVector* This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the Base score) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across the Internet is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater score. The list of possible values is: `network` A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed `remotely exploitable` and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers). An example of a network attack is an attacker causing a denial of service (DoS) by sending a specially crafted TCP packet from across the public Internet (e.g. CVE 2004 0230).`adjacent_network` A vulnerability exploitable with adjacent network access means the vulnerable component is bound to the network stack, however the attack is limited to the same shared physical (e.g. Bluetooth, IEEE 802.11) or logical (e.g. local IP subnet) network, and cannot be performed across an OSI layer 3 boundary (e.g. a router). An example of an Adjacent attack would be an ARP (IPv4) or neighbor discovery (IPv6) flood leading to a denial of service on the local LAN segment. See also CVE 2013 6014. `local` A vulnerability exploitable with Local access means that the vulnerable component is not bound to the network stack, and the attacker's path is via read/write/execute capabilities. In some cases, the attacker may be logged in locally in order to exploit the vulnerability, otherwise, she may rely on User Interaction to execute a malicious file. `physical` A vulnerability exploitable with Physical access requires the attacker to physically touch or manipulate the vulnerable component. Physical interaction may be brief (e.g. evil maid attack) or persistent. An example of such an attack is a cold boot attack which allows an attacker to access to disk encryption keys after gaining physical access to the system, or peripheral attacks such as Firewire/USB Direct Memory Access attacks. + * Default: adjacent_network * Allowed Values: * adjacent_network * local @@ -466,6 +468,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3AvailabilityImpact* This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the impacted component, this metric refers to the loss of availability of the impacted component itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of an impacted component. The list of possible values is presented is: `high`: There is total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). `low`: There is reduced performance or interruptions in resource availability. Even if repeated exploitation of the vulnerability is possible, the attacker does not have the ability to completely deny service to legitimate users. The resources in the impacted component are either partially available all of the time, or fully available only some of the time but overall there is no direct, serious consequence to the impacted component. `none`: There is no impact to availability within the impacted component. This metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -479,6 +482,7 @@ measures the impact to the availability of the impacted component resulting from * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -502,6 +506,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: critical * Allowed Values: * critical * high @@ -518,6 +523,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3ConfidentialityImpact* Measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones. The list of possible values is: `high`: There is total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. `low`: There is some loss of confidentiality. Access to some restricted information is obtained, but the attacker does not have control over what information is obtained, or the amount or kind of loss is constrained. The information disclosure does not cause a direct, serious loss to the impacted component. `none`: There is no loss of confidentiality within the impacted component. This metric value increases with the degree of loss to the impacted component. + * Default: high * Allowed Values: * high * low @@ -531,6 +537,7 @@ measures the impact to the confidentiality of the information resources managed * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -552,6 +559,7 @@ measures the impact to the confidentiality of the information resources managed * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -568,6 +576,7 @@ measures the likelihood of the vulnerability being attacked * *CVSSv3ExploitCodeMaturity* This metric measures the likelihood of the vulnerability being attacked, and is typically based on the current state of exploit techniques, exploit code availability, or active, 'in-the-wild' exploitation. Public availability of easy-to-use exploit code increases the number of potential attackers by including those who are unskilled, thereby increasing the severity of the vulnerability. Initially, real-world exploitation may only be theoretical. Publication of proof-of-concept code, functional exploit code, or sufficient technical details necessary to exploit the vulnerability may follow. Furthermore, the exploit code available may progress from a proof-of-concept demonstration to exploit code that is successful in exploiting the vulnerability consistently. In severe cases, it may be delivered as the payload of a network-based worm or virus or other automated attack tools. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `high`: Functional autonomous code exists, or no exploit is required (manual trigger) and details are widely available. Exploit code works in every situation, or is actively being delivered via an autonomous agent (such as a worm or virus). Network-connected systems are likely to encounter scanning or exploitation attempts. Exploit development has reached the level of reliable, widely-available, easy-to-use automated tools. `functional`: Functional exploit code is available. The code works in most situations where the vulnerability exists. `proof_of_concept`: Proof-of-concept exploit code is available, or an attack demonstration is not practical for most systems. The code or technique is not functional in all situations and may require substantial modification by a skilled attacker. `unproven`: No exploit code is available, or an exploit is theoretical. + * Default: functional * Allowed Values: * functional * high @@ -601,6 +610,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3IntegrityImpact* This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. The list of possible values is: `high`: There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. `low`: Modification of data is possible, but the attacker does not have control over the consequence of a modification, or the amount of modification is constrained. The data modification does not have a direct, serious impact on the impacted component.`none`: There is no loss of integrity within the impacted component.this metric value increases with the consequence to the impacted component. + * Default: high * Allowed Values: * high * low @@ -614,6 +624,7 @@ measures the impact to integrity of a successfully exploited vulnerability * *CVSSv3SecurityRequirements* These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of Confidentiality, Integrity, and Availability. That is, if an IT asset supports a business function for which Availability is most important, the analyst can assign a greater value to Availability relative to Confidentiality and Integrity. Each security requirement has three possible values: Low, Medium, or High. The full effect on the environmental score is determined by the corresponding Modified Base Impact metrics. That is, these metrics modify the environmental score by reweighting the Modified Confidentiality, Integrity, and Availability impact metrics. For example, the Modified Confidentialityimpact (MC) metric has increased weight if the Confidentiality Requirement (CR) is High. Likewise, the Modified Confidentiality impact metric has decreased weight if the Confidentiality Requirement is Low. The Modified Confidentiality impact metric weighting is neutral if the Confidentiality Requirement is Medium. This same process is applied to the Integrity and Availability requirements.Note that the Confidentiality Requirement will not affect the Environmental score if the (Modified Base) confidentiality impact is set to None. Also, increasing the Confidentiality Requirement from Medium to Highwill not change the Environmental score when the (Modified Base) impact metrics are set to High. This is because the modified impact sub score (part of the Modified Base score that calculates impact) is already at a maximum value of 10. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to the equation to skip this metric. `high`: Loss of [Confidentiality / Integrity / Availability] is likely to have a catastrophic adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). `medium`: Loss of [Confidentiality / Integrity / Availability] is likely to have a serious adverse effect on the organization or individuals associated with the organization (e.g., employees, customers).`low`: Loss of [Confidentiality / Integrity / Availability] is likely to have only a limited adverse effect on the organization or individuals associated with the organization (e.g., employees, customers). For brevity, the same table is used for all three metrics. The greater the Security Requirement, the higher the score (recall that Medium is considered the default). + * Default: high * Allowed Values: * high * low @@ -748,6 +759,7 @@ modified user interaction * *CVSSv3ModifiedUserInteraction* The same values as User Interaction, as well as not_defined (the default) + * Default: none * Allowed Values: * none * not_defined @@ -763,6 +775,7 @@ describes the level of privileges an attacker must possess before successfully e * *CVSSv3PrivilegesRequired* This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. This metric is greatest if no privileges are required. The list of possible values is: `none`: The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files to carry out an attack. `low`: The attacker is authorized with (i.e. requires) privileges that provide basic user capabilities that could normally affect only settings and files owned by a user. Alternatively, an attacker with Low privileges may have the ability to cause an impact only to non-sensitive resources. `high`: The attacker is authorized with (i.e. requires) privileges that provide significant (e.g. administrative) control over the vulnerable component that could affect component-wide settings and files. + * Default: high * Allowed Values: * high * low @@ -778,6 +791,7 @@ Remediation Level of a vulnerability is an important factor for prioritization * *CVSSv3RemediationLevel* The Remediation Level of a vulnerability is an important factor for prioritization. The typical vulnerability is unpatched when initially published. Workarounds or hotfixes may offer interim remediation until an official patch or upgrade is issued. Each of these respective stages adjusts the temporal score downwards, reflecting the decreasing urgency as remediation becomes final. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `unavailable`: There is either no solution available or it is impossible to apply. `workaround`: There is an unofficial, non-vendor solution available. In some cases, users of the affected technology will create a patch of their own or provide steps to work around or otherwise mitigate the vulnerability. `temporary_fix`: There is an official but temporary fix available. This includes instances where the vendor issues a temporary hotfix, tool, or workaround.`official_fix`: A complete vendor solution is available. Either the vendor has issued an official patch, or an upgrade is available. The less official and permanent a fix, the higher the vulnerability score. + * Default: high * Allowed Values: * high * not_defined @@ -796,6 +810,7 @@ measures the degree of confidence in the existence of the vulnerability and the * *CVSSv3ReportConfidence* Measures the degree of confidence in the existence of the vulnerability and the credibility of the known technical details. Sometimes only the existence of vulnerabilities are publicized, but without specific details. For example, an impact may be recognized as undesirable, but the root cause may not be known. The vulnerability may later be corroborated by research which suggests where the vulnerability may lie, though the research may not be certain. Finally, a vulnerability may be confirmed through acknowledgement by the author or vendor of the affected technology. The urgency of a vulnerability is higher when a vulnerability is known to exist with certainty. This metric also suggests the level of technical knowledge available to would-be attackers. The list of possible values is: `not_defined`: Assigning this value to the metric will not influence the score. It is a signal to a scoring equation to skip this metric. `confirmed`: Detailed reports exist, or functional reproduction is possible (functional exploits may provide this). Source code is available to independently verify theassertions of the research, or the author or vendor of the affected code has confirmed the presence of the vulnerability. `reasonable`: Significant details are published, but researchers either do not have full confidence in the root cause, or do not have access to source code to fully confirm all of the interactions that may lead to the result. Reasonable confidence exists, however, that the bug is reproducible and at least one impact is able to be verified (proof-of-concept exploits may provide this). An example is a detailed write-up of research into a vulnerability with an explanation (possibly obfuscated or 'left as an exercise to the reader') that gives assurances on how to reproduce the results. `unknown`: There are reports of impacts that indicate a vulnerability is present. The reports indicate that the cause of the vulnerability is unknown, or reports may differ on the cause or impacts of the vulnerability. Reporters are uncertain of the true nature of the vulnerability, and there is little confidence in the validity of the reports or whether a static Base score can be applied given the differences described. An example is a bug report which notes that an intermittent but non-reproducible crash occurs, with evidence of memory corruption suggesting that denial of service, or possible more serious impacts, may result. The more a vulnerability is validated by the vendor or other reputable sources, the higher the score. + * Default: confirmed * Allowed Values: * confirmed * reasonable @@ -811,6 +826,7 @@ the ability for a vulnerability in one software component to impact resources be * *CVSSv3Scope* An important property captured by CVSS v3.0 is the ability for a vulnerability in one software component to impact resources beyond its means, or privileges. This consequence is represented by the metric Authorization Scope, or simply Scope. Formally, Scope refers to the collection of privileges defined by a computing authority (e.g. an application, an operating system, or a sandbox environment) when granting access to computing resources (e.g. files, CPU, memory, etc). These privileges are assigned based on some method of identification and authorization. In some cases, the authorization may be simple or loosely controlled based upon predefined rules or standards. For example, in the case of Ethernet traffic sent to a network switch, the switch accepts traffic that arrives on its ports and is an authority that controls the traffic flow to other switch ports. When the vulnerability of a software component governed by one authorization scope is able to affect resources governed by another authorization scope, a Scope change has occurred. Intuitively, one may think of a scope change as breaking out of a sandbox, and an example would be a vulnerability in a virtual machine that enables an attacker to delete files on the host OS (perhaps even its own VM). In this example, there are two separate authorization authorities: one that defines and enforces privileges for the virtual machine and its users, and one that defines and enforces privileges for the host system within which the virtual machine runs. a scope change would not occur, for example, with a vulnerability in Microsoft Word that allows an attacker to compromise all system files of the host OS, because the same authority enforces privileges of the user's instance of Word, and the host's system files. The Base score is greater when a scope change has occurred. The list of possible values is: `unchanged`: An exploited vulnerability can only affect resources managed by the same authority. In this case the vulnerable component and the impacted component are the same. `changed`: An exploited vulnerability can affect resources beyond the authorization privileges intended by the vulnerable component. In this case the vulnerable component and the impacted component are different. + * Default: changed * Allowed Values: * changed * unchanged @@ -834,6 +850,7 @@ temporal severity * This entry is optional + * Default: critical * Allowed Values: * critical * high @@ -850,6 +867,7 @@ captures the requirement for a user, other than the attacker, to participate in * *CVSSv3UserInteraction* Captures the requirement for a user, other than the attacker, to participate in the successful compromise of the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. This metric value is greatest when no user interaction is required. The list of possible values is: `none`: The vulnerable system can be exploited without interaction from any user. `required`: Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator. + * Default: none * Allowed Values: * none * required @@ -982,6 +1000,7 @@ The base score is a key metric in CVSS, which uses a scoring system to determine * This entry is required + * Default: High * Allowed Values: * High * Info @@ -1278,6 +1297,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR @@ -1319,6 +1339,7 @@ Negates operator when true. * *cpe-node-operator-string* The operator string influences how seqs of cpe matches are related to one another. + * Default: AND * Allowed Values: * AND * OR diff --git a/doc/structures/weakness.md b/doc/structures/weakness.md index d6060125..e0289732 100644 --- a/doc/structures/weakness.md +++ b/doc/structures/weakness.md @@ -58,6 +58,7 @@ Refers to the level of abstraction or granularity used to describe the weakness. - Compound: A Compound Weakness describes a weakness that combines two or more Base weaknesses to exploit a system. For example, a "Buffer-Overflow with Format-String Exploit" combines the Base weaknesses of "Buffer-Overflow" and "Format-String Vulnerability". By specifying the abstraction level, cybersec professionals can more easily identify weaknesses that are related and prioritize their response efforts based on the potential impact of the vulnerability. + * Default: Base * Allowed Values: * Base * Class @@ -76,6 +77,7 @@ Identifies system resources that can be affected by an exploit of this weakness. * *SystemResource* Defines a resource of a system. + * Default: CPU * Allowed Values: * CPU * File or Directory @@ -195,6 +197,7 @@ Identifies the functional area of the software in which the weakness is most lik * *FunctionalArea* Defines the different functional areas of software in which the weakness may appear. + * Default: Authentication * Allowed Values: * Authentication * Authorization @@ -259,6 +262,7 @@ Likelihood of exploit. * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -398,6 +402,7 @@ Defines the structural nature of the weakness. - Composite: A composite weakness might involve multiple vulnerabilities that exist in different layers or components of a system. For example, a composite weakness in a web application might involve both an injection vulnerability and a cross-site scripting vulnerability. An attacker could use these weaknesses in tandem to steal data or take over the system. - Simple: A simple weakness might involve a single vulnerability or exploit that can be used to achieve a specific objective. An example of a simple weakness might be a buffer overflow vulnerability in a software application. If an attacker can exploit this vulnerability, they may be able to execute arbitrary code on the system. + * Default: Chain * Allowed Values: * Chain * Composite @@ -548,6 +553,7 @@ Class of language. * *LanguageClass* Class of source code language. + * Default: Assembly * Allowed Values: * Assembly * Compiled @@ -573,6 +579,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -599,6 +606,7 @@ Defines the different regularities that guide the applicability of platforms. * *OperatingSystemClass* Class of Operating System. + * Default: Android * Allowed Values: * Android * Apple iOS @@ -634,6 +642,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -667,6 +676,7 @@ Class of architecture * This entry is optional + * Default: Embedded * Allowed Values: * Embedded * Microcomputer @@ -692,6 +702,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -727,6 +738,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -762,6 +774,7 @@ Defines the different regularities that guide the applicability of platforms. * *Prevalence* Defines the different regularities that guide the applicability of platforms. + * Default: Often * Allowed Values: * Often * Rarely @@ -827,6 +840,7 @@ Identifies the point in the software life cycle at which the weakness may be int * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -865,6 +879,7 @@ Describes the technical impact that arises if an adversary succeeds in exploitin * This entry's type is sequential (allows zero or more values) + * Default: Alter Execution Logic * Allowed Values: * Alter Execution Logic * Bypass Protection Mechanism @@ -896,6 +911,7 @@ How likely the specific consequence is expected to be seen relative to the other * This entry is optional + * Default: High * Allowed Values: * High * Info @@ -925,6 +941,7 @@ Identifies the security property that is violated. * *ConsequenceScope* Defines the different areas of software security that can be affected by exploiting a weakness. + * Default: Access Control * Allowed Values: * Access Control * Accountability @@ -967,6 +984,7 @@ How effective the detection method may be in detecting the associated weakness. * *DetectionEffectiveness* Level of effectiveness that a detection method may have in detecting an associated weakness. + * Default: High * Allowed Values: * High * Limited @@ -995,6 +1013,7 @@ Identifies the particular detection method being described. * *DetectionMethod* Method used to detect a weakness. + * Default: Architecture or Design Review * Allowed Values: * Architecture or Design Review * Automated Analysis @@ -1047,6 +1066,7 @@ Summarizes how effective the mitigation may be in preventing the weakness. * *Effectiveness* Related to how effective a mitigation may be in preventing the weakness. + * Default: Defense in Depth * Allowed Values: * Defense in Depth * High @@ -1074,6 +1094,7 @@ Indicates the development life cycle phase during which this particular mitigati * *SoftwarePhase* Defines the different regularities that guide the applicability of platforms. + * Default: Architecture and Design * Allowed Values: * Architecture and Design * Build and Compilation @@ -1100,6 +1121,7 @@ A general strategy for protecting a system to which this mitigation contributes. * *MitigationStrategy* Strategy for protecting a system to which a mitigation contributes. + * Default: Attack Surface Reduction * Allowed Values: * Attack Surface Reduction * Compilation or Build Hardening @@ -1141,6 +1163,7 @@ A general strategy for protecting a system to which this mitigation contributes. * *NoteType* Defines the different types of notes that can be associated with a weakness. + * Default: Applicable Platform * Allowed Values: * Applicable Platform * Maintenance diff --git a/project.clj b/project.clj index babfc2c5..ce0333d8 100644 --- a/project.clj +++ b/project.clj @@ -11,7 +11,7 @@ :exclusions [;flanders > threatgrid/clj-momo metosin/schema-tools]] [org.mozilla/rhino "1.7.7.1"] ;threatgrid/flanders > kovacnica/clojure.network.ip - [threatgrid/flanders "1.0.1"] + [threatgrid/flanders "1.0.2-replace-by-SNAPSHOT"] [metosin/ring-swagger "1.0.0"] [org.clojure/test.check "1.1.1"] [com.gfredericks/test.chuck "0.2.13"]