
New threat_intelligence Profile #988

Open
jonrau-at-queryai opened this issue Mar 18, 2024 · 0 comments

@jonrau-at-queryai (Contributor)

BLUF: Add a new Profile for threat_intelligence that encompasses several existing, and some new, OCSF objects to provide conditional enrichment via cyber threat intelligence, open source intelligence, and/or analyst commentary. Some elements from STIX2.0 will be borrowed.

Today, there is not a dedicated object or profile to capture CTI or OSINT details. The only recourse for users is to use enrichment which is a plain JSON object without any defined schema or constraints. While this is fine for users who have experience with data modeling standardization and governance, it can lead to missing and/or duplicative data and changes to the schema over time.

This new object & profile will try to re-use existing objects within OCSF that can be used to capture details about various digital signatures, URLs, IP addresses, AS, Organizational, and similar information often gleaned from EDRs/EPPs, TIPs, and OSINT tools.

Additionally, some way to capture analyst comments as well as the campaigns and threat actors indicated by IOCs/IOAs can be fulfilled borrowing (directly or indirectly) from STIX2.0 Campaign and Threat Actor.

mikeradka pushed a commit that referenced this issue May 31, 2024
#### Related Issue:

#988

#### Description of changes:

- Added `osint` object.
- Added `osint` Profile based on `osint` object.
- Added `signatures` object, an array of `signature` objects.
- Added `subdomains` object, an array of `subdomain` used to enumerate DGA-generated domains.
- Added `whois` object.
- Added `contact` and array-typed `contacts` object for use with `whois` object.
- Added `is_self_signed` Boolean attribute to `certificate` object.

Several dozen attributes were added to `dictionary` to support `whois` and `contact`.

---------

Signed-off-by: Jonathan Rau <139361268+jonrau-at-queryai@users.noreply.github.com>
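To make the issue's argument concrete (a free-form `enrichment` blob cannot be checked, a typed `osint` profile can), here is an added example, not code from the OCSF project or this commit, of the kind of structural check such a profile enables. Object names (`osint`, `signatures`, `subdomains`, `whois`, `contacts`, `certificate.is_self_signed`) come from the commit text; the leaf attributes `type`, `value`, `algorithm`, `domain` and `email` are assumed placeholders, not OCSF's real attribute names.

```python
# Added example (not from the OCSF project): a minimal structural check of an
# event's `osint` list, modelling the constraints the commit above describes.
# Leaf attributes `type`, `value`, `algorithm`, `domain`, `email` are ASSUMED
# placeholders, not OCSF's real attribute names.

def validate_osint(entries):
    """Return a list of problems found in a list of `osint` objects; [] means valid."""
    problems, seen = [], set()
    for i, o in enumerate(entries):
        where = f"osint[{i}]"
        if not isinstance(o, dict):
            problems.append(f"{where}: not an object")
            continue
        # `signatures` is an array of `signature` objects (assumed: each names an algorithm)
        for j, s in enumerate(o.get("signatures", [])):
            if not isinstance(s, dict) or not s.get("algorithm"):
                problems.append(f"{where}.signatures[{j}]: signature without algorithm")
        # `subdomains` is an array of `subdomain` objects used to enumerate DGA domains
        for j, d in enumerate(o.get("subdomains", [])):
            if not isinstance(d, dict) or not isinstance(d.get("domain"), str):
                problems.append(f"{where}.subdomains[{j}]: subdomain without domain")
        # `whois` carries a `contacts` array of `contact` objects
        for j, c in enumerate((o.get("whois") or {}).get("contacts", [])):
            if not isinstance(c, dict) or not c.get("email"):
                problems.append(f"{where}.whois.contacts[{j}]: contact without email")
        # `certificate.is_self_signed` is a Boolean attribute
        cert = o.get("certificate") or {}
        if "is_self_signed" in cert and not isinstance(cert["is_self_signed"], bool):
            problems.append(f"{where}.certificate.is_self_signed: not a Boolean")
        # the duplicative-data problem the issue describes: same indicator listed twice
        key = (o.get("type"), o.get("value"))
        if key in seen:
            problems.append(f"{where}: duplicate indicator {key}")
        seen.add(key)
    return problems

# Constructed sample data (not real indicators).
GOOD = [{"type": "domain", "value": "example.test",
         "subdomains": [{"domain": "a1b2c3.example.test"}],
         "whois": {"contacts": [{"email": "abuse@example.test"}]},
         "certificate": {"is_self_signed": True}}]
BAD = [{"type": "hash", "value": "placeholder-hash", "signatures": [{}]},
       {"type": "hash", "value": "placeholder-hash",
        "certificate": {"is_self_signed": "yes"}}]

if __name__ == "__main__":
    print(validate_osint(GOOD))  # []
    print(validate_osint(BAD))   # three problems: empty signature, non-Boolean, duplicate
```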