BLUF: Add a new Profile for threat_intelligence that encompasses several existing, and some new, OCSF objects to provide conditional enrichment via cyber threat intelligence, open source intelligence, and/or analyst commentary. Some elements from STIX2.0 will be borrowed.
Today, there is not a dedicated object or profile to capture CTI or OSINT details. The only recourse for users is to use enrichment which is a plain JSON object without any defined schema or constraints. While this is fine for users who have experience with data modeling standardization and governance, it can lead to missing and/or duplicative data and changes to the schema over time.
This new object & profile will try to re-use existing objects within OCSF that can be used to capture details about various digital signatures, URLs, IP addresses, AS, Organizational, and similar information often gleaned from EDRs/EPPs, TIPs, and OSINT tools.
Additionally, some way to capture analyst comments as well as the campaigns and threat actors indicated by IOCs/IOAs can be fulfilled borrowing (directly or indirectly) from STIX2.0 Campaign and Threat Actor.
#### Related Issue:
#988
#### Description of changes:
- Added `osint` object.
- Added `osint` Profile based on `osint` object.
- Added `signatures` object, an array of `signature` objects.
- Added `subdomains` object, an array of `subdomain` used to enumerate DGA-generated domains.
- Added `whois` object.
- Added `contact` and array-typed `contacts` object for use with `whois` object.
- Added `is_self_signed` Boolean attribute to `certificate` object.
Several dozen attributes were added to `dictionary` to support `whois` and `contact`.
---------
Signed-off-by: Jonathan Rau <[email protected]>
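As an added illustration (not code from the OCSF project or this PR), a small Python check of the difference the proposal is about: a free-form `enrichment` dict accepts anything, while an `osint` object assembled from the components listed above (`signatures`, `subdomains`, `whois` with `contacts`, and `certificate.is_self_signed`) can be checked for type and duplicate-free content. The inner attribute names used inside `signature`, `whois` and `contact` here are assumptions for the example.

```python
"""Constructed example: validating an osint-style object instead of free-form enrichment.

The object layout (osint -> signatures[], subdomains[], whois.contacts[],
certificate.is_self_signed) follows the names in the PR description; the inner
attribute names (algorithm, value, registrar, name, email) are assumptions.
"""
from __future__ import annotations
from typing import Any

# Array-typed attributes of the osint object and the type of each element.
OSINT_ARRAYS = {"signatures": dict, "subdomains": str}


def validate_osint(osint: dict[str, Any]) -> list[str]:
    """Return a list of constraint violations; an empty list means the object conforms."""
    errors: list[str] = []
    for key, elem_type in OSINT_ARRAYS.items():
        value = osint.get(key)
        if value is None:
            continue  # attribute is optional
        if not isinstance(value, list):
            errors.append(f"{key}: must be an array")
            continue
        if not all(isinstance(v, elem_type) for v in value):
            errors.append(f"{key}: elements must be {elem_type.__name__}")
        if key == "subdomains" and len(set(value)) != len(value):
            errors.append("subdomains: duplicate entries")  # duplicative data the issue warns about
    whois = osint.get("whois")
    if whois is not None:
        contacts = whois.get("contacts")
        if contacts is not None and not (
            isinstance(contacts, list) and all(isinstance(c, dict) for c in contacts)
        ):
            errors.append("whois.contacts: must be an array of contact objects")
    cert = osint.get("certificate")
    if cert is not None and "is_self_signed" in cert and not isinstance(cert["is_self_signed"], bool):
        errors.append("certificate.is_self_signed: must be a Boolean")
    return errors


# Constructed sample record expressed against the proposed osint object.
GOOD_OSINT = {
    "signatures": [{"algorithm": "sha256", "value": "<hash placeholder>"}],
    "subdomains": ["a.example.test", "b.example.test"],
    "whois": {"registrar": "Example Registrar", "contacts": [{"name": "abuse", "email": "abuse@example.test"}]},
    "certificate": {"is_self_signed": True},
}
```

The same data dropped into a plain `enrichment` object (say `"subdomains": "a.example.test"` or `"is_self_signed": "yes"`) would pass silently, which is the gap the profile closes.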