
Expand OSINT, add threat_intelligence #1255

Closed
wants to merge 15 commits into from

Conversation

jonrau-at-queryai
Contributor

Description of changes:

Since there was not any appetite for STIX in the past, but there have been asks in the Slack channel around more "traditional" elements of cyber threat intelligence (such as reporting on the threat actor, campaign, behaviors, or otherwise), I took another stab at it.

The Threat Intelligence object is purposely light, meant to capture a lot of strings that can be adapted from several platforms. For instance, Crowdstrike Detects from the API provide an array of objects that describe behaviors, and within each of these a behavior, MITRE tactics and techniques (or internal CRWD ones), scenarios, objective, and description are included (https://assets.falcon.crowdstrike.com/support/api/swagger.html#/detects/GetDetectSummaries)

Additionally, other CTI and OSINT tools such as MISP, Shodan Monitor, AlienVault, and Recorded Future provide some other related strings that describe an indicator and its relationships.

This new object is within the overall osint object which is intended to be related to the indicator itself, and not the other way around. I can switch this around instead, but then we would have issues with the profile being swapped out.

  • Adds additional type_id enums to osint: Reg Key, Reg Value, Command Line (these all come from Crowdstrike ioc_type, specifically) but are also present in MDE.
  • Adds related_analytics to osint
  • Several description and formatting changes, as well as fixes for constraints and captions
  • Adds threat_intelligence object with a new objective entry in the dictionary

@mikeradka mikeradka added v1.4.0 or later Changes marked for versions beyond v1.3.0 of OCSF enhancement New feature or request labels Nov 19, 2024
Contributor

@davemcatcisco davemcatcisco left a comment


Can you fix the whitespace issues, and restore pre-existing attributes to their original locations in the file? This would make it much easier to review. Thanks.

@@ -3232,6 +3232,11 @@
"description": "The number of the entity. See specific usage.",
"type": "integer_t"
},
"objective": {
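Review bot: `objective` is too generic a name for an entry in the shared dictionary, where every attribute name is global; a namespaced name such as `threat_objective` states which objective is meant and avoids collisions with future uses of the word. The hunk header reports five added lines but only the opening `"objective": {` is visible here, so also confirm the entry carries the same `caption`, `description` and `type` fields as the neighbouring `num` entry (`"type": "integer_t"`).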
Contributor


Term very general. Suggest: threat_objective

"type_id":{
"caption":"Indicator Type ID",
"description":"The OSINT indicator type ID.",
"requirement":"required",
"requirement":"recommended",
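Review bot: relaxing `type_id` from `"requirement":"required"` to `"requirement":"recommended"` weakens a guarantee existing consumers of the osint object may depend on (a required attribute can be assumed present, a recommended one cannot), so either keep it required or treat the change as a versioned, breaking schema change. As rendered, both `"requirement"` keys sit in the same JSON object; if that is the actual file content rather than a diff artifact, most JSON parsers silently keep the last key, so the duplicate must be removed regardless of which level is chosen.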
Contributor


This is a breaking change. A consumer could previously assume this attribute to be present but, if made optional, it can no longer make that assumption.
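The reviewer's point above can be checked mechanically before a schema PR is merged. The following is an added example, not code from the OCSF project or from this PR: it loads a "before" and "after" object definition in the same attribute/requirement shape the hunks on this page use, rejects JSON objects with duplicate keys (the rendered hunk shows two `requirement` keys in one object), and reports any attribute that was removed or whose requirement level was weakened. The `BEFORE`, `AFTER` and `DUPLICATED` fragments are constructed for illustration and are not the real `osint.json`.

```python
"""Flag breaking requirement changes between two OCSF-style object definitions.

Added example modelled on the osint object shown in this PR; the JSON
fragments below are constructed for illustration, not the real OCSF files.
"""
from __future__ import annotations

import json
from typing import Any

# OCSF attribute requirement levels, strongest first. Weakening a level
# (e.g. required -> recommended) breaks consumers that assumed presence.
LEVELS = {"required": 2, "recommended": 1, "optional": 0}


def _reject_duplicate_keys(pairs: list[tuple[str, Any]]) -> dict[str, Any]:
    """object_pairs_hook: json.loads keeps the last duplicate key silently;
    a schema file should never contain duplicates, so fail loudly instead."""
    out: dict[str, Any] = {}
    for key, val in pairs:
        if key in out:
            raise ValueError(f"duplicate key {key!r} in JSON object")
        out[key] = val
    return out


def has_duplicate_keys(text: str) -> bool:
    """True if any object in the JSON text repeats a key."""
    try:
        json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    except ValueError as exc:
        if "duplicate key" in str(exc):
            return True
        raise  # genuine syntax error: let the caller see it
    return False


def load_attributes(text: str) -> dict[str, dict[str, Any]]:
    """Parse an object definition and return its 'attributes' map."""
    return json.loads(text, object_pairs_hook=_reject_duplicate_keys)["attributes"]


def breaking_changes(before: str, after: str) -> list[str]:
    """Findings for changes that can break an existing consumer:
    an attribute removed, or its requirement level made weaker.
    Additions and strengthening are compatible and are not reported."""
    old, new = load_attributes(before), load_attributes(after)
    findings: list[str] = []
    for name, spec in old.items():
        if name not in new:
            findings.append(f"{name}: removed")
            continue
        old_req = spec.get("requirement", "optional")
        new_req = new[name].get("requirement", "optional")
        if LEVELS.get(new_req, 0) < LEVELS.get(old_req, 0):
            findings.append(f"{name}: {old_req} -> {new_req}")
    return findings


# Constructed 'before' fragment: type_id and value required, tlp optional.
BEFORE = """{
  "caption": "OSINT",
  "attributes": {
    "type_id": {"caption": "Indicator Type ID", "requirement": "required"},
    "value":   {"caption": "Indicator",         "requirement": "required"},
    "tlp":     {"caption": "TLP",               "requirement": "optional"}
  }
}"""

# Constructed 'after' fragment: type_id weakened, related_analytics added.
AFTER = """{
  "caption": "OSINT",
  "attributes": {
    "type_id": {"caption": "Indicator Type ID", "requirement": "recommended"},
    "value":   {"caption": "Indicator",         "requirement": "required"},
    "tlp":     {"caption": "TLP",               "requirement": "optional"},
    "related_analytics": {"caption": "Related Analytics", "requirement": "optional"}
  }
}"""

# Constructed fragment with the duplicate key the rendered hunk appears to show.
DUPLICATED = """{
  "attributes": {
    "type_id": {"requirement": "required", "requirement": "recommended"}
  }
}"""

if __name__ == "__main__":
    print("duplicate keys in DUPLICATED:", has_duplicate_keys(DUPLICATED))
    for finding in breaking_changes(BEFORE, AFTER):
        print("BREAKING:", finding)
```

Run it on the real object file before and after a change to get a list of attributes whose contract weakened; an empty list plus no duplicate keys means the change is additive only.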

"value":{
"caption":"Indicator",
"description":"The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
"requirement":"required"
},
"tlp":{
Contributor


Any reason why these attributes have been moved in the file? It makes it difficult for reviewers to see what has been deleted, which would be a breaking change. Would you be able to re-submit this without the movement of attributes?

"description": "The latest time of a given subject of the threat intelligence analysis was encountered, if known.",
"requirement": "optional"
},
"name": {
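Review bot: the description in the first line of this hunk is ungrammatical ("The latest time of a given subject of the threat intelligence analysis was encountered"); reword it to "The latest time at which the subject of the threat intelligence analysis was encountered, if known." so the rendered schema documentation reads cleanly.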
Contributor


Your editor is inserting tabs. You need to change to spaces.

@jonrau-at-queryai jonrau-at-queryai deleted the osint_additions branch November 25, 2024 19:21