From b96f832c0feb48b3fbdc8cf9d02abf7f2384573c Mon Sep 17 00:00:00 2001
From: AdamTheAnalyst
Date: Wed, 31 Jul 2019 12:54:05 +0100
Subject: [PATCH 1/3] Added First Pass At Phase Definitions
---
 git4intel/schemas/phase.json | 126 +++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
 create mode 100644 git4intel/schemas/phase.json
diff --git a/git4intel/schemas/phase.json b/git4intel/schemas/phase.json
new file mode 100644
index 0000000..05f7db9
--- /dev/null
+++ b/git4intel/schemas/phase.json
@@ -0,0 +1,126 @@
+{
+ "title": "incident",
+ "description": "Mission Control specific structure for security incidents, consisting of multiple phases.",
+ "type": "array",
+ "contains": [
+ {
+ "title": "grouping--phase",
+ "description": "Meta-object that represents a single incident phase",
+ "type": "object",
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "grouping"
+ },
+ "context": {
+ "type": "string",
+ "const": "phase"
+ },
+ "created_by_ref": {
+ "type": "string",
+ "pattern": "^identity--"
+ }
+ }
+ },
+ {
+ "title": "indicator--phase",
+ "description": "Indicator that points to the observed data of the event",
+ "type": "object",
+ "properties": {}
+ },
+ {
+ "title": "attack-pattern--micro",
+ "description": "Micro Attack Pattern that ties indicator to its ",
+ "type": "object",
+ "properties": {}
+ },
+ {
+ "title": "relationship--micro-to-macro",
+ "description": "Relationship linking micro attack pattern and macro library attack pattern (Mitre Att&ck).",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Derived From.",
+ "const": "derived-from"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--indicator-to-micro",
+ "description": "Relationship linking indicator to micro attack pattern.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Derived From.",
+ "const": "indicates"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^indicator--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--ap-to-incident-ap",
+ "description": "Relationship the micro attack pattern to the master incident attack pattern.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Using the related-to field here.",
+ "const": "related-to"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ },
+ {
+ "title": "relationship--indicator-to-observed-data",
+ "description": "Relationship to show the sourcing of the indicator from observed data in an event.",
+ "type": "object",
+ "properties": {
+ "relationship_type": {
+ "type": "string",
+ "description": "Using the related-to field here.",
+ "const": "based-on"
+ },
+ "source_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ },
+ "target_ref": {
+ "type": "string",
+ "pattern": "^attack-pattern--",
+ "required": true
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
From 9f9ed8111e053df02dbf32c9d11e9aa36894d56a Mon Sep 17 00:00:00 2001
From: AdamTheAnalyst
Date: Wed, 31 Jul 2019 13:10:07 +0100
Subject: [PATCH 2/3] Fixing phase bugs
---
 git4intel/schemas/phase.json | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/git4intel/schemas/phase.json b/git4intel/schemas/phase.json
index 05f7db9..e53075e 100644
--- a/git4intel/schemas/phase.json
+++ b/git4intel/schemas/phase.json
@@ -26,13 +26,23 @@
 "title": "indicator--phase",
 "description": "Indicator that points to the observed data of the event",
 "type": "object",
- "properties": {}
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "indicator"
+ }
+ }
 },
 {
 "title": "attack-pattern--micro",
 "description": "Micro Attack Pattern that ties indicator to its ",
 "type": "object",
- "properties": {}
+ "properties": {
+ "type": {
+ "type": "string",
+ "const": "attack-pattern"
+ }
+ }
 },
 {
 "title": "relationship--micro-to-macro",
From 8f2fc27e447b18bda063c922ee98d5c195a04b30 Mon Sep 17 00:00:00 2001
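Review bot: The `"required": true` placed inside `source_ref` and `target_ref` of every relationship subschema (starting with the `relationship--ap-to-incident-ap` block at the top of this part of the hunk) is the draft-03 boolean form; draft-04 and later validators expect `required` as an array on the enclosing object and will either reject the schema or ignore the keyword, so a relationship with no refs at all currently validates. The top-level `"contains": [ ... ]` has the same problem in a worse form: `contains` takes a single schema, not a list, and even if it were accepted it only asks that at least one element match, so an arbitrary object in the array is never rejected and none of these per-object constraints are actually enforced on incoming data. I would switch to `"items": { "oneOf": [ ... ] }` over the same subschemas, add `"required": ["relationship_type", "source_ref", "target_ref"]` and `"additionalProperties": false` to each relationship entry (and `"required": ["type", "context", "created_by_ref"]` to `grouping--phase`), and declare the dialect with `"$schema": "http://json-schema.org/draft-07/schema#"` so the keyword semantics are unambiguous. Separately, the `relationship--indicator-to-observed-data` entry constrains both refs to `^attack-pattern--` and its `relationship_type` description says "related-to" while the const is `based-on`; given its own description (indicator sourced from observed data), the patterns presumably should be `"pattern": "^indicator--"` and `"pattern": "^observed-data--"` — confirm against the STIX relationship being modelled before changing them.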
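Review bot: The `type` constants added to `indicator--phase` and `attack-pattern--micro` only apply when a `type` key is present; neither subschema has a `required` list or `"additionalProperties": false`, so an empty object `{}` still satisfies both, and an indicator mislabelled as an attack pattern is caught only if the producer happened to emit `type`. Add `"required": ["type"]` beside each new `properties` block, and close the objects with `"additionalProperties": false` once the real property set for each is settled. The `attack-pattern--micro` description visible in the context lines is still truncated at `ties indicator to its `, worth completing while this block is being touched. The enclosing `contains` array starts and ends outside this hunk.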
From: AdamTheAnalyst
Date: Thu, 1 Aug 2019 15:11:58 +0100
Subject: [PATCH 3/3] Added Tweaks - Dont merge this
---
 git4intel/schemas/phase.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/git4intel/schemas/phase.json b/git4intel/schemas/phase.json
index e53075e..95874ce 100644
--- a/git4intel/schemas/phase.json
+++ b/git4intel/schemas/phase.json
@@ -1,5 +1,5 @@
 {
- "title": "incident",
+ "title": "phase",
 "description": "Mission Control specific structure for security incidents, consisting of multiple phases.",
 "type": "array",
 "contains": [