(ns ctim.schemas.indicator
(:require [ctim.schemas.common :as c]
[ctim.schemas.relationship :as rel]
[ctim.schemas.vocabularies :as v]
#?(:clj [flanders.core :as f :refer [def-entity-type
def-enum-type
def-map-type
def-eq]]
:cljs [flanders.core :as f :refer-macros [def-entity-type
def-enum-type
def-map-type
def-eq]])))
;; Fixed-value discriminator for a judgement-based specification. The payload's
;; :type must be exactly "Judgement" for JudgementSpecification to apply (this is
;; the same def-eq idiom the file uses for IndicatorTypeIdentifier below).
(def-eq JudgementSpecificationType "Judgement")
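;; Specification built from Judgements rather than a detection language.
;; All three entries are required: the fixed :type, the list of judgement
;; references that may trigger a match, and :required_judgements (shape defined
;; in ctim.schemas.relationship) which must ALL match. Note the schema only
;; validates shape; it does not check that the referenced judgements exist.
(def-map-type JudgementSpecification
  (f/required-entries
   (f/entry :type JudgementSpecificationType)
   (f/entry :judgements (f/seq-of rel/JudgementReference))
   (f/entry :required_judgements rel/RelatedJudgements))
  ;; Description text corrected: "it's" -> "its", "than" -> "then",
  ;; "matches" -> "matched"; this string is emitted into generated docs.
  :description (str "An indicator based on a list of judgements. If any of the "
                    "Observables in its judgements are encountered, then it may "
                    "be matched against. If there are any required judgements, "
                    "they all must be matched in order for the indicator to be "
                    "considered a match."))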
;; Fixed-value discriminator: a ThreatBrain payload must carry :type "ThreatBrain".
(def-eq ThreatBrainSpecificationType "ThreatBrain")
;; Specification evaluated by ThreatBrain (what that engine does with :query and
;; :variables is not described here).
;; NOTE(review): unlike the Snort/SIOC/OpenIOC siblings this does not wrap its
;; entries in f/required-entries; :query is explicitly optional, while :type and
;; :variables fall back to f/entry's default requiredness - confirm that default
;; is "required" before relying on :type being mandatory.
;; Security note: :query is f/any-str - unbounded, syntax-unchecked text from the
;; submitter. Whatever evaluates it must treat it as untrusted input.
(def-map-type ThreatBrainSpecification
  [(f/entry :type ThreatBrainSpecificationType)
   (f/entry :query f/any-str
            :required? false)
   (f/entry :variables f/any-str-seq)]
  :description "An indicator which runs in threatbrain...")
;; Fixed-value discriminator: a Snort payload must carry :type "Snort".
(def-eq SnortSpecificationType "Snort")
;; Specification carrying a Snort rule as plain text. Both entries are required.
;; Security note: :snort_sig is f/any-str - the schema does not bound its length
;; or validate Snort rule syntax. A consumer that loads it into a sensor should
;; validate/lint it first and treat it as submitter-controlled content.
(def-map-type SnortSpecification
  (f/required-entries
   (f/entry :type SnortSpecificationType)
   (f/entry :snort_sig f/any-str))
  :description "An indicator which runs in snort...")
;; Fixed-value discriminator: a SIOC payload must carry :type "SIOC".
(def-eq SIOCSpecificationType "SIOC")
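;; Specification carrying a SIOC as an opaque string in the :SIOC entry. Both
;; entries are required. The previous description ("runs in snort...") was
;; copy-pasted from SnortSpecification; which engine consumes a SIOC is not
;; stated anywhere in this file, so the text below says only what the schema
;; shows.
;; Security note: :SIOC is f/any-str - unbounded, unvalidated submitter text.
(def-map-type SIOCSpecification
  (f/required-entries
   (f/entry :type SIOCSpecificationType)
   (f/entry :SIOC f/any-str))
  :description "An indicator expressed as a SIOC, carried as an opaque string in the SIOC field.")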
;; Fixed-value discriminator: an OpenIOC payload must carry :type "OpenIOC".
(def-eq OpenIOCSpecificationType "OpenIOC")
;; Specification carrying an OpenIOC document verbatim. Both entries are required.
;; Security note: :open_IOC is f/any-str; per the description it is an XML blob,
;; but this schema does not parse or validate it. Any consumer that does parse it
;; must use a hardened XML parser (external entities and DTD processing disabled,
;; size-bounded) because the content comes straight from the submitter.
(def-map-type OpenIOCSpecification
  (f/required-entries
   (f/entry :type OpenIOCSpecificationType)
   (f/entry :open_IOC f/any-str))
  :description "An indicator which contains an XML blob of an openIOC indicator..")
;; Operator vocabulary for CompositeIndicatorExpression. Only these three
;; lowercase strings validate.
(def-enum-type BooleanOperator
  #{"and" "or" "not"})
;; Boolean combination of other Indicators, mirroring STIX 1.2's
;; CompositeIndicatorExpressionType. Both entries are required; the vector form
;; [rel/IndicatorReference] is presumably flanders' shorthand for a sequence of
;; references (compare the explicit f/seq-of used elsewhere in this file).
;; NOTE(review): the schema does not constrain the list to be non-empty, does not
;; say how "not" applies to more than one id, and does not prevent an Indicator
;; from referencing itself or forming a cycle through other composites - an
;; evaluator must bound recursion rather than assume the data is acyclic.
(def-map-type CompositeIndicatorExpression
  (f/required-entries
   (f/entry :operator BooleanOperator)
   (f/entry :indicator_ids [rel/IndicatorReference]))
  :reference "[CompositeIndicatorExpressionType](http://stixproject.github.io/data-model/1.2/indicator/CompositeIndicatorExpressionType/)")
;; Canonical entity-type string; also used to build IndicatorRef at the bottom
;; of the file.
(def type-identifier "indicator")
;; Equality schema pinning an Indicator's :type entry to "indicator".
(def-eq IndicatorTypeIdentifier type-identifier
  :description "The fixed value \"indicator\"")
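;; Prose description attached to the Indicator entity (surfaces in generated
;; docs). Fixed "Additional," -> "Additionally," in the last paragraph; the
;; content is otherwise unchanged.
(def indicator-desc
  "An indicator is a test, or a collection of judgements that define
criteria for identifying the activity, or presence of malware, or
other unwanted software.
We follow the
[STiX IndicatorType](http://stixproject.github.io/data-model/1.2/indicator/IndicatorType/)
closely, with the exception of not including observables within the
indicator, and preferring a _specification_ object encoded in JSON as
opposed to an opaque _implementation_ block.
Additionally, you will want to either define judgements against
Observables that are linked to this indicator, with the ID in the
_indicators_ field of those Judgements, or you can provide a
_specification_ value.")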
;; Markdown link to the STIX 1.2 IndicatorType this entity follows; used as the
;; Indicator entity's :reference.
(def indicator-desc-link
  "[IndicatorType](http://stixproject.github.io/data-model/1.2/indicator/IndicatorType/)")
;; The Indicator entity. On top of the shared entry groups from
;; ctim.schemas.common it pins :type to "indicator", requires :valid_time and
;; :producer, and optionally carries STIX-style metadata plus a machine-readable
;; :specification whose shape is chosen by the payload's own :type string.
(def-entity-type Indicator
  {:description indicator-desc
   :reference indicator-desc-link}
  c/base-entity-entries
  c/describable-entity-entries
  c/sourcable-object-entries
  (f/required-entries
   (f/entry :type IndicatorTypeIdentifier
            :description (str "The fixed value " type-identifier))
   (f/entry :valid_time c/ValidTime
            :description "The time range during which this Indicator is considered valid.")
   ;; NOTE(review): :producer is mandatory yet undocumented (see :comment), so a
   ;; submitter cannot tell what value is expected here.
   (f/entry :producer c/ShortString
            :comment "TODO - Document what is supposed to be in this field!"))
  (f/optional-entries
   (f/entry :severity v/HighMedLow)
   ;; true asserts the absence of the pattern. The schema does not say how this
   ;; interacts with a composite expression's own "not" operator.
   (f/entry :negate f/any-bool
            :description "specifies the absence of the pattern")
   (f/entry :indicator_type [v/IndicatorType]
            :description "Specifies the type or types for this Indicator")
   (f/entry :tags (f/seq-of c/ShortString)
            :description "Descriptors for this indicator")
   ;; References to other Indicators by id; nothing here prevents cycles.
   (f/entry :composite_indicator_expression CompositeIndicatorExpression)
   (f/entry :likely_impact c/LongString
            :description (str "likely potential impact within the relevant "
                              "context if this Indicator were to occur"))
   (f/entry :confidence v/HighMedLow
            :description (str "level of confidence held in the accuracy of this "
                              "Indicator"))
   (f/entry :kill_chain_phases [c/KillChainPhase]
            :comment "simplified"
            :description "relevant kill chain phases indicated by this Indicator")
   (f/entry :test_mechanisms [c/MedString]
            :comment "simplified"
            :description (str "Test Mechanisms effective at identifying the "
                              "cyber Observables specified in this cyber threat "
                              "Indicator"))
   ;; Dispatch on the payload's :type string. Each branch's schema re-pins :type
   ;; through its own def-eq, so predicate and branch agree by construction. A
   ;; :type matching no predicate presumably fails validation (flanders
   ;; f/conditional behaviour - confirm).
   ;; Security note: the Snort, SIOC, OpenIOC and ThreatBrain payloads are all
   ;; f/any-str - unbounded, syntax-unchecked text supplied by whoever submits
   ;; the Indicator. Schema validation here is shape-only; anything that feeds
   ;; snort_sig to a sensor, parses open_IOC as XML, or evaluates :query must
   ;; treat that text as untrusted input.
   (f/entry :specification (f/conditional
                            #(= "Judgement" (:type %)) JudgementSpecification
                            #(= "ThreatBrain" (:type %)) ThreatBrainSpecification
                            #(= "Snort" (:type %)) SnortSpecification
                            #(= "SIOC" (:type %)) SIOCSpecification
                            #(= "OpenIOC" (:type %)) OpenIOCSpecification)))
  ;; Not provided: handling
  )
;; Submission shape. Reuses every Indicator entry, adds the common "new entity"
;; entries, and relaxes :valid_time and :type to optional so a client may omit
;; them - presumably the store supplies defaults (this relies on a later entry
;; overriding an earlier one with the same key in flanders; confirm). Everything
;; else Indicator requires, including :producer, remains required on submit.
(def-entity-type NewIndicator
  "For submitting a new Indicator"
  (:entries Indicator)
  c/base-new-entity-entries
  (f/optional-entries
   (f/entry :valid_time c/ValidTime)
   (f/entry :type IndicatorTypeIdentifier)))
;; Persisted shape: every Indicator entry plus the store-managed entries from
;; c/base-stored-entity-entries (defined in ctim.schemas.common, not shown here).
(def-entity-type StoredIndicator
  "An indicator as stored in the data store"
  (:entries Indicator)
  c/base-stored-entity-entries)
(defn generalize-indicator
  "Strips off realized fields.

  Returns `indicator` without :id, :type, :created, :modified and :owner -
  presumably the keys a stored indicator gains over a NewIndicator - so the
  remainder can be re-submitted as a new entity. Pure; the argument map is not
  modified. Note that dropping :owner means the re-submitter, not the original
  owner, will be attributed on the copy."
  [indicator]
  (let [realized-keys [:id :type :created :modified :owner]]
    (apply dissoc indicator realized-keys)))
;; Reference schema for pointing at an Indicator by id, built from
;; type-identifier by the shared helper in ctim.schemas.common.
(def IndicatorRef
  (c/ref-for-type type-identifier))