new: [srbcert] New taxonomy for the SRB-CERT

MISP · Nov 15, 2023 · 9f481f4 · 9f481f4
1 parent e8892b6
commit 9f481f4
Show file tree

Hide file tree

Showing 2 changed files with 209 additions and 13 deletions.
diff --git a/MANIFEST.json b/MANIFEST.json
@@ -89,9 +89,9 @@
       "version": 2
     },
     {
-      "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection",
+      "description": "CIRCL Taxonomy - Schemes of Classification in Incident Response and Detection.",
       "name": "circl",
-      "version": 5
+      "version": 6
     },
     {
       "description": "La presente taxonomia es la primera versión disponible para el Centro Nacional de Seguridad Digital del Perú.",
@@ -124,7 +124,7 @@
       "version": 2
     },
     {
-      "description": "The Crowdsec behaviors and classifications taxonomy is the list of taxonomies used in Crowdsec to describe the behaviors and classifications of an IP address. The behaviors are a list of attack categories for which a given IP address was reported, where the classifications describe a list of categories associated to an IP address and, when applicable, a list of false positive categories.",
+      "description": "Crowdsec IP address classifications and behaviors taxonomy.",
       "name": "crowdsec",
       "version": 1
     },
@@ -238,6 +238,11 @@
       "name": "domain-abuse",
       "version": 2
     },
+    {
+      "description": "This taxonomy aims to list doping substances",
+      "name": "doping-substances",
+      "version": 2
+    },
     {
       "description": "A taxonomy based on the superclass and class of drugs. Based on https://www.drugbank.ca/releases/latest",
       "name": "drugs",
@@ -511,7 +516,7 @@
     {
       "description": "MISP workflow taxonomy to support result of workflow execution.",
       "name": "misp-workflow",
-      "version": 2
+      "version": 3
     },
     {
       "description": "MONARC Threats Taxonomy",
@@ -626,7 +631,7 @@
     {
       "description": "Runtime or software packer used to combine compressed or encrypted data with the decompression or decryption code. This code can add additional obfuscations mechanisms including polymorphic-packer or other obfuscation techniques. This taxonomy lists all the known or official packer used for legitimate use or for packing malicious binaries.",
       "name": "runtime-packer",
-      "version": 1
+      "version": 2
     },
     {
       "description": "Flags describing the sample",
@@ -658,6 +663,11 @@
       "name": "social-engineering-attack-vectors",
       "version": 1
     },
+    {
+      "description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
+      "name": "srbcert",
+      "version": 1
+    },
     {
       "description": "A spectrum of state responsibility to more directly tie the goals of attribution to the needs of policymakers.",
       "name": "state-responsibility",
@@ -696,7 +706,7 @@
     {
       "description": "The Traffic Light Protocol (TLP) (v2.0) was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. Information sharing happens from an information source, towards one or more recipients. TLP is a set of four standard labels (a fifth label is included in amber to limit the diffusion) used to indicate the sharing boundaries to be applied by the recipients. Only labels listed in this standard are considered valid by FIRST. This taxonomy includes additional labels for backward compatibility which are no more validated by FIRST SIG.",
       "name": "tlp",
-      "version": 7
+      "version": 9
     },
     {
       "description": "Taxonomy to describe Tor network infrastructure",
@@ -741,14 +751,9 @@
     {
       "description": "Workflow support language is a common language to support intelligence analysts to perform their analysis on data and information.",
       "name": "workflow",
-      "version": 11
-    },
-    {
-      "description": "This taxonomy aims to list doping substances",
-      "name": "doping-substances",
-      "version": 2
+      "version": 12
     }
   ],
   "url": "https://raw.githubusercontent.com/MISP/misp-taxonomies/main/",
-  "version": "20230514"
+  "version": "20231115"
 }
diff --git a/srbcert/machinetag.json b/srbcert/machinetag.json
@@ -0,0 +1,191 @@
+{
+  "namespace": "srbcert",
+  "description": "SRB-CERT Taxonomy - Schemes of Classification in Incident Response and Detection",
+  "version": 1,
+  "predicates": [
+    {
+      "value": "incident-type",
+      "expanded": "Incident Type"
+    },
+    {
+      "value": "incident-criticality-level",
+      "expanded": "Incident Criticality Level"
+    }
+  ],
+  "values": [
+    {
+      "predicate": "incident-type",
+      "entry": [
+        {
+          "value": "virus",
+          "expanded": "Virus"
+        },
+        {
+          "value": "worm",
+          "expanded": "Worm"
+        },
+        {
+          "value": "ransomware",
+          "expanded": "Ransomware"
+        },
+        {
+          "value": "trojan",
+          "expanded": "Trojan"
+        },
+        {
+          "value": "spyware",
+          "expanded": "Spyware"
+        },
+        {
+          "value": "rootkit",
+          "expanded": "Rootkit"
+        },
+        {
+          "value": "malware",
+          "expanded": "Malware"
+        },
+        {
+          "value": "port-scanning",
+          "expanded": "Port scanning"
+        },
+        {
+          "value": "sniffing",
+          "expanded": "Sniffing"
+        },
+        {
+          "value": "social-engineering",
+          "expanded": "Social engineering"
+        },
+        {
+          "value": "data-breaches",
+          "expanded": "Data breaches"
+        },
+        {
+          "value": "other-type-of-information-gathering",
+          "expanded": "Other type of information gathering"
+        },
+        {
+          "value": "phishing",
+          "expanded": "Phishing"
+        },
+        {
+          "value": "unauthorized-use-of-resources",
+          "expanded": "Unauthorized use of resources"
+        },
+        {
+          "value": "fraud",
+          "expanded": "Fraud"
+        },
+        {
+          "value": "exploiting-known-vulnerabilities",
+          "expanded": "Exploiting known vulnerabilities"
+        },
+        {
+          "value": "brute-force",
+          "expanded": "Brute force"
+        },
+        {
+          "value": "other-type-of-intrusion-attempts",
+          "expanded": "Other type of Intrusion Attempts"
+        },
+        {
+          "value": "privilege-account-compromise",
+          "expanded": "Privilege account compromise"
+        },
+        {
+          "value": "unprivileged-account-compromise",
+          "expanded": "Unprivileged account compromise"
+        },
+        {
+          "value": "application-compromise",
+          "expanded": "Application compromise"
+        },
+        {
+          "value": "botnet",
+          "expanded": "Botnet"
+        },
+        {
+          "value": "other-type-of-intrusions",
+          "expanded": "Other type of intrusions"
+        },
+        {
+          "value": "dos",
+          "expanded": "DoS"
+        },
+        {
+          "value": "ddos",
+          "expanded": "DDoS"
+        },
+        {
+          "value": "sabotage",
+          "expanded": "Sabotage"
+        },
+        {
+          "value": "outage",
+          "expanded": "Outage"
+        },
+        {
+          "value": "other-type-of-availability-incident",
+          "expanded": "Other type of Availability incident"
+        },
+        {
+          "value": "unauthorized-access-to-information",
+          "expanded": "Unauthorized access to information"
+        },
+        {
+          "value": "unauthorized-modification-of-information",
+          "expanded": "Unauthorized modification of information"
+        },
+        {
+          "value": "cryptographic-attack",
+          "expanded": "Cryptographic attack"
+        },
+        {
+          "value": "other-type-of-information-content-security-incident",
+          "expanded": "Other type of Information Content Security incident"
+        },
+        {
+          "value": "hardware-errors",
+          "expanded": "Hardware errors"
+        },
+        {
+          "value": "software-errors",
+          "expanded": "Software errors"
+        },
+        {
+          "value": "software-errors",
+          "expanded": "Software errors"
+        },
+        {
+          "value": "hardware-components-theft",
+          "expanded": "hardware-components-theft"
+        },
+        {
+          "value": "other",
+          "expanded": "Other"
+        }
+      ]
+    },
+    {
+      "predicate": "incident-criticality-level",
+      "entry": [
+        {
+          "value": "low",
+          "expanded": "Low"
+        },
+        {
+          "value": "medium",
+          "expanded": "Medium"
+        },
+        {
+          "value": "high",
+          "expanded": "High"
+        },
+        {
+          "value": "very-high",
+          "expanded": "Very High"
+        }
+      ]
+    }
+  ]
+}