{
"namespace": "workflow",
"expanded": "workflow to support analysis",
"description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
"version": 13,
"predicates": [
{
"value": "todo",
"expanded": "Todo",
"description": "Todo are the actions to be performed by one or more analyst(s) to apply cognitive methods, evaluation(s), weighting information, to validate hypotheses or complete additional tasks to improve the overall information or data being tagged with a todo."
},
{
"value": "state",
"expanded": "State",
"description": "State are the different states of the information or data being tagged.",
"exclusive": true
}
],
"values": [
{
"predicate": "todo",
"entry": [
{
"value": "expansion",
"expanded": "Expansion needs to be applied to expand the information tagged"
},
{
"value": "review",
"expanded": "Additional review is required to reach a certain level of validation of the information tagged"
},
{
"value": "review-for-privacy",
"expanded": "Additional review is required to ensure privacy of the information tagged"
},
{
"value": "review-before-publication",
"expanded": "Review is required before publishing the information tagged"
},
{
"value": "release-requested",
"expanded": "Release of the information tagged is requested (often after the review process)"
},
{
"value": "review-for-false-positive",
"expanded": "Review the information tagged to limit the number of false-positives and potentially remove any IDS/automation flag to avoid automation of the false-positives"
},
{
"value": "review-the-source-credibility",
"expanded": "Review the source credibility and add the corresponding marking like admiralty-scale on the origin"
},
{
"value": "add-missing-misp-galaxy-cluster-values",
"expanded": "Add potential MISP galaxy cluster values missing about the information tagged"
},
{
"value": "create-missing-misp-galaxy-cluster",
"expanded": "Create missing MISP galaxy cluster about the information tagged"
},
{
"value": "create-missing-misp-galaxy-cluster-relationship",
"expanded": "Create missing MISP galaxy cluster relationships (e.g. relationships between MISP clusters)"
},
{
"value": "create-missing-misp-galaxy",
"expanded": "Create missing MISP galaxy at large about the information tagged (e.g. a new category of malware or activity)"
},
{
"value": "create-missing-relationship",
"expanded": "Create missing relationship about the information tagged (e.g. create new relationship between MISP objects)"
},
{
"value": "add-context",
"expanded": "Add contextual information about the information tagged"
},
{
"value": "add-tagging",
"expanded": "Add adequate tagging and classification about the information tagged"
},
{
"value": "check-passive-dns-for-shared-hosting",
"expanded": "Check Passive DNS (or similar techniques) to review if the information tagged is used within shared hosting"
},
{
"value": "review-classification",
"expanded": "Review the classification of the information tagged to ensure adequate marking of the information before publication"
},
{
"value": "review-the-grammar",
"expanded": "Review the grammar of the information tagged to improve the overall quality"
},
{
"value": "do-not-delete",
"expanded": "Element that should not be deleted (without asking)"
},
{
"value": "add-mitre-attack-cluster",
"expanded": "Describe cyber adversary behavior using MITRE ATT&CK"
},
{
"value": "additional-task",
"expanded": "Used to point to an additional task that cannot be described by the rest of the taxonomy and needs to be done"
},
{
"value": "create-event",
"expanded": "A new MISP event needs to be created from the tag reference"
},
{
"value": "preserve-evidence",
"expanded": "Preserve evidence mentioned in the information tagged"
},
{
"value": "review-relevance",
"expanded": "Review if the event is relevant"
},
{
"value": "review-completeness",
"expanded": "Review if the event is complete"
}
]
},
{
"predicate": "state",
"entry": [
{
"value": "incomplete",
"expanded": "Incomplete means that the information tagged is incomplete and has potential to be completed by other analysts, technical processes or the current analysts performing the analysis."
},
{
"value": "complete",
"expanded": "Complete means that the information tagged has reached a state of completeness with the current capabilities of the analyst."
},
{
"value": "draft",
"expanded": "Draft means the information tagged can be released as a preliminary version or outline."
},
{
"value": "ongoing",
"expanded": "Analyst is currently working on this analysis. To remove when there is no more work to be done by the analyst."
},
{
"value": "rejected",
"expanded": "Analyst rejected the process. The object will not reach a state of completeness."
},
{
"value": "release",
"expanded": "Analyst approved the information to be released. Like a MISP event to be released and published."
}
]
}
]
}