diff --git a/doc/json/actor.json b/doc/json/actor.json
index b2648dad..5315dd6c 100644
--- a/doc/json/actor.json
+++ b/doc/json/actor.json
@@ -1,6 +1,7 @@
{
"confidence" : "string",
"tlp" : "string",
+ "targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -38,5 +39,6 @@
} ],
"motivation" : "string",
"description" : "string",
- "external_ids" : [ "string" ]
+ "external_ids" : [ "string" ],
+ "targeted_countries" : [ "string" ]
}
\ No newline at end of file
diff --git a/doc/json/bundle.json b/doc/json/bundle.json
index 72c49b7f..b7fcfc29 100644
--- a/doc/json/bundle.json
+++ b/doc/json/bundle.json
@@ -802,6 +802,7 @@
"actors" : [ {
"confidence" : "string",
"tlp" : "string",
+ "targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -839,7 +840,8 @@
} ],
"motivation" : "string",
"description" : "string",
- "external_ids" : [ "string" ]
+ "external_ids" : [ "string" ],
+ "targeted_countries" : [ "string" ]
} ],
"indicator_refs" : [ "string" ],
"schema_version" : "string",
diff --git a/doc/json/casebook.json b/doc/json/casebook.json
index e4cdf08b..92c66afb 100644
--- a/doc/json/casebook.json
+++ b/doc/json/casebook.json
@@ -816,6 +816,7 @@
"actors" : [ {
"confidence" : "string",
"tlp" : "string",
+ "targeted_industries" : [ "string" ],
"aliases" : [ "string" ],
"id" : "string",
"timestamp" : "2016-01-01T01:01:01.000Z",
@@ -853,7 +854,8 @@
} ],
"motivation" : "string",
"description" : "string",
- "external_ids" : [ "string" ]
+ "external_ids" : [ "string" ],
+ "targeted_countries" : [ "string" ]
} ],
"indicator_refs" : [ "string" ],
"schema_version" : "string",
diff --git a/doc/structures/actor.md b/doc/structures/actor.md
index b28fc205..bcbb7d5f 100644
--- a/doc/structures/actor.md
+++ b/doc/structures/actor.md
@@ -26,6 +26,8 @@
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
+|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
+|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||
@@ -304,6 +306,28 @@ URI of the source of the intelligence that led to the creation of the entity.
* A URI
+
+## Property targeted_countries ∷ ShortStringString List
+
+A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
+
+## Property targeted_industries ∷ ShortStringString List
+
+A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
## Property timestamp ∷ Inst (Date)
diff --git a/doc/structures/bundle.md b/doc/structures/bundle.md
index 53f97941..822567c4 100644
--- a/doc/structures/bundle.md
+++ b/doc/structures/bundle.md
@@ -810,6 +810,8 @@ A URL reference to an external resource.
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
+|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
+|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||
@@ -1088,6 +1090,28 @@ URI of the source of the intelligence that led to the creation of the entity.
* A URI
+
+## Property targeted_countries ∷ ShortStringString List
+
+A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
+
+## Property targeted_industries ∷ ShortStringString List
+
+A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
## Property timestamp ∷ Inst (Date)
@@ -9849,6 +9873,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -9930,6 +9955,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -10026,6 +10052,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -10234,6 +10261,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -10399,6 +10427,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -10990,6 +11019,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -11487,6 +11517,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -12091,6 +12122,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
diff --git a/doc/structures/casebook.md b/doc/structures/casebook.md
index 20bd3b68..89de5436 100644
--- a/doc/structures/casebook.md
+++ b/doc/structures/casebook.md
@@ -8267,6 +8267,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -8348,6 +8349,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -8444,6 +8446,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -8652,6 +8655,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -8817,6 +8821,7 @@ Time of the observation. If the observation was made over a period of time, than
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -10320,6 +10325,7 @@ If not present, the valid time position of the indicator does not have an upper
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -12794,6 +12800,7 @@ Observable types that can be acted upon.
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -14466,6 +14473,7 @@ For each asset, we allow for the assertion of time bound properties.This gives u
* process_hash
* process_name
* process_path
+ * process_uid
* process_username
* processor_id
* registry_key
@@ -14917,6 +14925,8 @@ A URL reference to an external resource.
|[revision](#propertyrevision-integer)|Integer|A monotonically increasing revision, incremented each time the object is changed.||
|[sophistication](#propertysophistication-sophisticationstring)|SophisticationString|Represents the level of expertise and skill that the threat actor has displayed in their malicious activities. Can help security analysts assess the potential impact of an attacker's TTPs and determine the potential attack surface. For example, a threat actor with a low sophistication level may primarily rely on off-the-shelf malware and attack tools, while an attacker with high sophistication may use custom tools with advanced evasion techniques, zero-day exploits, and sophisticated methods for command and control of their malware. The sophistication level of an attacker can also be inferred based on several factors such as the complexity of attacks, the attacker's knowledge of the targeted organization's systems, and the attacker's ability to remain undetected. If an attacker shows a high level of sophistication in reconnaissances, social engineering, and phishing, then the attacker may have a good knowledge of the targeted organization and its employees. This means that the attacker may be more successful in infiltrating the organization's network and compromising its systems.||
|[source_uri](#propertysource_uri-string)|String|URI of the source of the intelligence that led to the creation of the entity.||
+|[targeted_countries](#propertytargeted_countries-shortstringstringlist)|ShortStringString List|A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.||
+|[targeted_industries](#propertytargeted_industries-shortstringstringlist)|ShortStringString List|A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.||
|[timestamp](#propertytimestamp-instdate)|Inst (Date)|The time this object was created at, or last modified.||
|[tlp](#propertytlp-tlpstring)|TLPString|TLP stands for [Traffic Light Protocol](https://www.us-cert.gov/tlp), which indicates precisely how a resource is intended to be shared, replicated, copied, etc. It is used to indicate the sensitivity of the information contained within the message. This allows recipients to determine the appropriate handling and dissemination of the information based on their clearance level and need-to-know. For example, an entity containing information about a critical vulnerability in a widely-used software might be marked as `red`, indicating that it should only be shared with a small group of highly trusted individuals who need to know in order to take appropriate action. On the other hand, a message containing more general information about security threats might be marked as `amber` or `green`, indicating that it can be shared more broadly within an organization.||
@@ -15195,6 +15205,28 @@ URI of the source of the intelligence that led to the creation of the entity.
* A URI
+
+## Property targeted_countries ∷ ShortStringString List
+
+A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
+
+## Property targeted_industries ∷ ShortStringString List
+
+A list of STIX Industry Sectors that represent the industries this Threat Actor is believed to target.
+
+* This entry is optional
+* This entry's type is sequential (allows zero or more values)
+
+
+ * *ShortString* String with at most 1024 characters.
+
## Property timestamp ∷ Inst (Date)
diff --git a/doc/structures/judgement.md b/doc/structures/judgement.md
index fbc5ba2c..b50c1580 100644
--- a/doc/structures/judgement.md
+++ b/doc/structures/judgement.md
@@ -391,8 +391,8 @@ A URL reference to an external resource.
* process_hash
* process_name
* process_path
- * process_username
* process_uid
+ * process_username
* processor_id
* registry_key
* registry_name
diff --git a/src/ctim/examples/actors.cljc b/src/ctim/examples/actors.cljc
index 77779ade..3626a306 100644
--- a/src/ctim/examples/actors.cljc
+++ b/src/ctim/examples/actors.cljc
@@ -39,7 +39,9 @@
:valid_time {:start_time #inst "2016-02-11T00:40:48.212-00:00"
:end_time #inst "2016-07-11T00:40:48.212-00:00"}
:tlp "green"
- :aliases ["alias 1" "alias 2"]})
+ :aliases ["alias 1" "alias 2"]
+ :targeted_countries ["840"]
+ :targeted_industries ["Goverment", "Defense", "Mining", "Technology"]})
(def actor-minimal
{:id "http://ex.tld/ctia/actor/actor-5023697b-3857-4652-9b53-ccda297f9c3e"
diff --git a/src/ctim/schemas/actor.cljc b/src/ctim/schemas/actor.cljc
index b616cae4..22aab3e8 100644
--- a/src/ctim/schemas/actor.cljc
+++ b/src/ctim/schemas/actor.cljc
@@ -81,7 +81,14 @@
"evidence."))
(f/entry :aliases [c/ShortString]
:description (str "A list of other names that this Threat Actor is "
- "believed to use.")))
+ "believed to use."))
+ (f/entry :targeted_countries [c/ShortString]
+ :description (str "A list of ISO 3166-1 numeric codes that represent the countries this Threat Actor is "
+ "believed to target."))
+ (f/entry :targeted_industries [c/ShortString]
+ :description (str "A list of STIX Industry Sectors that represent the industries this Threat Actor is "
+ "believed to target."))
+ )
;; Not provided: handling
;; Not provided: related_packages (deprecated)
)
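Review bot: `:targeted_countries` is declared as `[c/ShortString]` while its description promises ISO 3166-1 numeric codes, so the schema will accept alpha-2 codes, country names or any string up to the ShortString limit, and every consumer that keys on numeric codes has to re-validate. If the field library offers a pattern- or enum-constrained string type, constraining each element to three digits would make the description true; otherwise the description should say explicitly that the format is not enforced, e.g. append `"Values are not validated against ISO 3166-1; producers should emit three-digit numeric codes."`. The same gap applies to `:targeted_industries`, although an open vocabulary such as the STIX industry sectors is harder to close. Separately, the lone `)` on its own line after the `:targeted_industries` entry is unidiomatic Clojure; it should close the preceding `(f/entry ...)` form on the same line, `"believed to target.")))`.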