-
Notifications
You must be signed in to change notification settings - Fork 114
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1066 from ocsf/d3fend
Support for MITRE D3FEND, Remediation Category and Classes
- Loading branch information
Showing
14 changed files
with
224 additions
and
21 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { | ||
| "caption": "File Remediation Activity", | ||
| "description": "File Remediation Activity events report on attempts at remediating files. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include File, such as File Removal or Restore File.", | ||
| "extends": "remediation", | ||
| "name": "file_remediation", | ||
| "uid": 2, | ||
| "attributes": { | ||
| "file": { | ||
| "description": "The file that pertains to the remediation event.", | ||
| "group": "primary", | ||
| "requirement": "required" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { | ||
| "caption": "Network Remediation Activity", | ||
| "description": "Network Remediation Activity events report on attempts at remediating computer networks. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Techniques and Sub-techniques will include Network, such as Network Isolation or Network Traffic Filtering.", | ||
| "extends": "remediation", | ||
| "name": "network_remediation", | ||
| "uid": 4, | ||
| "attributes": { | ||
| "connection_info": { | ||
| "description": "The network connection that pertains to the remediation event.", | ||
| "requirement": "required", | ||
| "group": "primary" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| { | ||
| "caption": "Process Remediation Activity", | ||
| "description": "Process Remediation Activity events report on attempts at remediating processes. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>. Sub-techniques will include Process, such as Process Termination or Kernel-based Process Isolation.", | ||
| "extends": "remediation", | ||
| "name": "process_remediation", | ||
| "uid": 3, | ||
| "attributes": { | ||
| "process": { | ||
| "description": "The process that pertains to the remediation event.", | ||
| "group": "primary", | ||
| "requirement": "required" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| { | ||
| "caption": "Remediation Activity", | ||
| "description": "Remediation Activity events report on attempts at remediating a compromised device or computer network. It follows the MITRE countermeasures defined by the D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/'>Matrix</a>.", | ||
| "name": "remediation", | ||
| "category": "remediation", | ||
| "extends": "base_event", | ||
| "uid": 1, | ||
| "profiles": [ | ||
| "host" | ||
| ], | ||
| "attributes": { | ||
| "$include": [ | ||
| "profiles/host.json" | ||
| ], | ||
| "activity_id": { | ||
| "enum": { | ||
| "1": { | ||
| "caption": "Isolate", | ||
| "description": "Creates logical or physical barriers in a system which reduces opportunities for adversaries to create further accesses. Defined by D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/d3f:Isolate/'>d3f:Isolate</a>." | ||
| }, | ||
| "2": { | ||
| "caption": "Evict", | ||
| "description": "Removes an adversary or malicious resource from a device or computer network. Defined by D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/d3f:Evict/'>d3f:Evict</a>." | ||
| }, | ||
| "3": { | ||
| "caption": "Restore", | ||
| "description": "Returns the system to a better state. Defined by D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/d3f:Restore/'>d3f:Restore</a>." | ||
| }, | ||
| "4": { | ||
| "caption": "Harden", | ||
| "description": " Increases the opportunity cost of computer network exploitation. Defined by D3FEND™ <a target='_blank' href='https://d3fend.mitre.org/d3f:Harden/'>d3f:Harden</a>." | ||
| } | ||
| }, | ||
| "description": "Matches the MITRE D3FEND™ Tactic. Note: the Model and Detect Tactics are not supported as remediations by the OCSF Remediation event class." | ||
| }, | ||
| "command_uid": { | ||
| "description": "The unique identifier of the remediation command that pertains to this event.", | ||
| "group": "primary", | ||
| "requirement": "required" | ||
| }, | ||
| "countermeasures": { | ||
| "group": "primary", | ||
| "requirement": "recommended" | ||
| }, | ||
| "remediation": { | ||
| "group": "context", | ||
| "requirement": "optional" | ||
| }, | ||
| "scan": { | ||
| "group": "context", | ||
| "description": "The remediation scan that pertains to this event.", | ||
| "requirement": "optional" | ||
| }, | ||
| "status_id": { | ||
| "enum": { | ||
| "3": { | ||
| "caption": "Does Not Exist", | ||
| "description": "The target of the remediation does not exist." | ||
| }, | ||
| "4": { | ||
| "caption": "Partial", | ||
| "description": "The remediation was partially completed." | ||
| }, | ||
| "5": { | ||
| "caption": "Unsupported", | ||
| "description": "The remediation was not supported." | ||
| }, | ||
| "6": { | ||
| "caption": "Error", | ||
| "description": "There was an error during the remediation process." | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| { | ||
| "caption": "MITRE D3FEND™ Tactic", | ||
| "description": "The MITRE D3FEND™ Tactic object describes the tactic ID and/or name that is associated to an attack, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.", | ||
| "extends": "_entity", | ||
| "name": "d3f_tactic", | ||
| "attributes": { | ||
| "name": { | ||
| "description": "The tactic name that is associated with the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>Isolate</code>.", | ||
| "requirement" : "optional" | ||
| }, | ||
| "src_url": { | ||
| "description": "The versioned permalink of the defensive tactic, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>https://d3fend.mitre.org/tactic/d3f:Isolate/</code>.", | ||
| "requirement" : "optional" | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| { | ||
| "caption": "MITRE DEFEND™ Technique", | ||
| "description": "The MITRE DEFEND™ Technique object describes the leaf defensive technique ID and/or name associated to a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>.", | ||
| "extends": "_entity", | ||
| "name": "d3f_technique", | ||
| "attributes": { | ||
| "name": { | ||
| "description": "The name of the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>IO Port Restriction</code>." | ||
| }, | ||
| "src_url": { | ||
| "description": "The versioned permalink of the defensive technique, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>https://d3fend.mitre.org/technique/d3f:IOPortRestriction/</code>.", | ||
| "requirement" : "optional" | ||
| }, | ||
| "uid": { | ||
| "description": "The unique identifier of the defensive technique, as defined by <a target='_blank' href='https://mitre.mitre.org'>D3FEND<sup>TM</sup> Matrix</a>. For example: <code>D3-IOPR</code>." | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| { | ||
| "caption": "MITRE D3FEND™", | ||
| "name": "d3fend", | ||
| "description": "The <a target='_blank' href='https://d3fend.mitre.org'>MITRE D3FEND™</a> object describes the tactic, technique & sub-technique associated with a countermeasure as defined in <a target='_blank' href='https://https://d3fend.mitre.org/'>DEFEND Matrix<sup>TM</sup></a>.", | ||
| "extends": "object", | ||
| "attributes": { | ||
| "d3f_tactic": { | ||
| "description": "The Tactic object describes the tactic ID and/or name that is associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a>.", | ||
| "requirement": "recommended" | ||
| }, | ||
| "d3f_technique": { | ||
| "description": "The Defend Technique object describes the technique ID and/or name associated with a countermeasure, as defined by <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a>.", | ||
| "requirement": "recommended" | ||
| }, | ||
| "version": { | ||
| "description": "The <a target='_blank' href='https://d3fend.mitre.org'>D3FEND Matrix<sup>TM</sup></a> version.", | ||
| "requirement": "recommended" | ||
| } | ||
| }, | ||
| "constraints": { | ||
| "at_least_one": [ | ||
| "d3f_tactic", | ||
| "d3f_technique" | ||
| ] | ||
| } | ||
| } | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.