diff --git a/git4intel/schemas/phase.json b/git4intel/schemas/phase.json
new file mode 100644
index 0000000..95874ce
--- /dev/null
+++ b/git4intel/schemas/phase.json
@@ -0,0 +1,136 @@
+{
+ "title": "phase",
+ "description": "Mission Control specific structure for security incidents, consisting of multiple phases.",
+ "type": "array",
+ "contains": [
+ {
+ "title": "grouping--phase",
+ "description": "Meta-object that represents a single incident phase",
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "grouping"
+ },
+ "context": {
+ "type": "string",
+ "const": "phase"
+ },
+ "created_by_ref": {
+ "type": "string",
+ "pattern": "^identity--"
+ }
+ }
+ },
+ {
+ "title": "indicator--phase",
+ "description": "Indicator that points to the observed data of the event",
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "indicator"
+ }
+ }
+ },
+ {
+ "title": "attack-pattern--micro",
+ "description": "Micro Attack Pattern that ties indicator to its ",
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "attack-pattern"
+ }
+ }
+ },
+ {
+ "title": "relationship--micro-to-macro",
+ "description": "Relationship linking micro attack pattern and macro library attack pattern (Mitre Att&ck).",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Derived From.",
+ "const": "derived-from"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--indicator-to-micro",
+ "description": "Relationship linking indicator to micro attack pattern.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Derived From.",
+ "const": "indicates"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^indicator--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--ap-to-incident-ap",
+ "description": "Relationship the micro attack pattern to the master incident attack pattern.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Using the related-to field here.",
+ "const": "related-to"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--indicator-to-observed-data",
+ "description": "Relationship to show the sourcing of the indicator from observed data in an event.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Using the related-to field here.",
+ "const": "based-on"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
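Review bot: Under any draft-04 or later validator this schema enforces nothing: `contains` must hold a single schema rather than an array, and `"required": true` inside a property is draft-03 syntax that later drafts ignore, so an empty object satisfies every subschema and any array of objects passes. If this file is what validates incoming incident data before it is stored, declare the dialect with `"$schema"`, express the element check as `"items": { "anyOf": [ ... ] }` (or, if the intent was "the bundle holds at least one of each", an `allOf` of single-schema `contains` clauses), and move `required` onto each object as an array such as `"required": ["relationship_type", "source_ref", "target_ref"]` (`["type"]` for the three non-relationship objects). The last member, `relationship--indicator-to-observed-data`, also looks copy-pasted from the attack-pattern relationships: its description says the indicator is sourced from observed data, yet both refs use `^attack-pattern--`, where `^indicator--` and `^observed-data--` appear intended, and the `relationship_type` descriptions (`"Derived From."` on `indicates`, `"Using the related-to field here."` on `based-on`) no longer match their `const`. The `attack-pattern--micro` description is also cut off at `"ties indicator to its "`. The fence shows the corrected top level and that one subschema; the other six members go alongside it in `anyOf`, unchanged apart from the `required` arrays.
```json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "phase",
  "description": "Mission Control specific structure for security incidents, consisting of multiple phases.",
  "type": "array",
  "items": {
    "anyOf": [
      {
        "title": "relationship--indicator-to-observed-data",
        "description": "Relationship to show the sourcing of the indicator from observed data in an event.",
        "type": "object",
        "required": ["relationship_type", "source_ref", "target_ref"],
        "properties": {
          "relationship_type": { "type": "string", "const": "based-on" },
          "source_ref": { "type": "string", "pattern": "^indicator--" },
          "target_ref": { "type": "string", "pattern": "^observed-data--" }
        }
      }
    ]
  }
}
```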