diff --git a/CHANGELOG.md b/CHANGELOG.md
index daa5d5ecc..6508e2c39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -80,6 +80,10 @@ Thankyou! -->
 1. Added `os_machine_uuid` as a `uuid_t`. #1268
 1. Added `sbom`, `author`, `related_component`, `relationship`, `relationship_id` and `software_component` to support SBOMs. #1262
 1. Added `related_events_count` as an `int_t`. #1271
+ 1. Added `detection_pattern_type` an `detection_pattern_type_id` as a `string_t` and `int_t` respectively. #1310
+ 1. Added `external_id` as an `string_t`. #1310
+ 1. Added `intrusion_sets` as an array `string_t`. #1310
+ 1. Added `uploaded_time` as an `timestamp_t`. #1310
 * #### Objects
 1. Added `environment_variable` object. #1172, #1288
 1. Added `advisory` object. #1176
@@ -94,6 +98,8 @@ Thankyou! -->
 1. Added `software_component` and `sbom` objects. #1262
 1. Added `drive_type` and `drive_type_id` objects. #1287
 1. Added `cpu_architecture` and `cpu_architecture_id` objects. #1278
+ 1. Added `camapign` object #1310
+ 1. Added `threat_actor` object #1310
 * ### Profiles
 1. Added `incident` profile. #1293
@@ -169,6 +175,7 @@ Thankyou! -->
 1. Added `cpu_architecture` and `cpu_architecture_id` to `device_hw_info` object. #1278
 1. Added `name` to `script` object. #1284
 1. Relax requirement of `fingerprints` in `certificate` object. #1302
+ 1. Added `campaign`, `category`, `created_time`, `creator`, `desc`, `expiration_time`, `external_id`, `labels`, `malware`, `modified_time`, `name`, `detection_pattern`, `detection_pattern_type`, `detection_pattern_type_id`, `intrusion_sets`, `risk_score`, `references`, `uploaded_time`, `severity`, `uid` and `threat_actor` to `osint` object. #1310
 ### Bugfixes
diff --git a/dictionary.json b/dictionary.json
index b702c36ee..097ceb04b 100644
--- a/dictionary.json
+++ b/dictionary.json
@@ -491,6 +491,11 @@
 "type": "string_t",
 "is_array": true
 },
+ "campaign": {
+ "caption": "Campaign",
+ "description": "The campaign object describes details about the campaign that was the source of the activity.",
+ "type": "campaign"
+ },
 "caption": {
 "caption": "Caption",
 "description": "A short description or caption of the device. For example: Scanner 1 or Database Manager.",
@@ -1497,6 +1502,36 @@
 "description": "Specific pattern, algorithm, fingerprint, or model used for detection.",
 "type": "string_t"
 },
+ "detection_pattern_type": {
+ "caption": "Detection Pattern",
+ "description": "Specifies the type of detection pattern used to identify the associated threat indicator. This field identifies whether the pattern is based on behavioral analysis, static indicators, or heuristic methods.",
+ "type": "string_t"
+ },
+ "detection_pattern_type_id": {
+ "caption": "Detection Pattern Type ID",
+ "description": "The normalised identifier of the detection pattern type.",
+ "sibling": "detection_pattern_type",
+ "type": "integer_t",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The type is not mapped."
+ },
+ "1": {
+ "caption": "Behavioral analysis"
+ },
+ "2": {
+ "caption": "Static indicators"
+ },
+ "3": {
+ "caption": "Heuristic methods"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "Any other type of detection pattern type."
+ }
+ }
+ },
 "detection_system": {
 "caption": "Detection System",
 "description": "The name of the type of data security tool or system that the finding, detection, or alert originated from. E.g., Endpoint, Secure Email Gateway, etc.",
@@ -2105,6 +2140,11 @@
 "type": "extension",
 "is_array": true
 },
+ "external_id": {
+ "caption": "External ID",
+ "description": "A unique identifier assigned by an external system for cross-referencing.",
+ "type": "string_t"
+ },
 "factor_type": {
 "caption": "Factor Type",
 "description": "The type of authentication factor used in an authentication attempt.",
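Review bot: The caption of `detection_pattern_type` reads "Detection Pattern", which collides with the existing `detection_pattern` attribute whose context lines open the second hunk; as the sibling of `detection_pattern_type_id` it should be `"caption": "Detection Pattern Type",`. Its description also omits the normalization clause the dictionary uses for sibling pairs (compare `injection_type` later in this diff: "normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source."), so consumers are not told that the string is derived from the `_id` value. Two smaller wording points: `detection_pattern_type_id` says "normalised" where the rest of the dictionary spells "normalized", and the `99` description "Any other type of detection pattern type." doubles the word "type".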
@@ -2513,6 +2553,12 @@
 "description": "The impact of the finding, valid range 0-100.",
 "type": "integer_t"
 },
+ "intrusion_sets": {
+ "caption": "Intrusion Sets",
+ "description": "A grouping of adversarial behaviors and resources believed to be associated with specific threat actors or campaigns. Intrusion sets often encompass multiple campaigns and are used to organize related activities under a common label.",
+ "type": "string_t",
+ "is_array": true
+ },
 "injection_type": {
 "caption": "Injection Type",
 "description": "The process injection method, normalized to the caption of the injection_type_id value. In the case of 'Other', it is defined by the event source.",
@@ -5127,6 +5173,11 @@
 "description": "The tree id is a unique SMB identifier which represents an open connection to a share.",
 "type": "string_t"
 },
+ "threat_actor": {
+ "caption": "Threat Actor",
+ "description": "The Threat Actor object describes the characteristics and metadata of a threat actor.",
+ "type": "threat_actor"
+ },
 "ttl": {
 "caption": "TTL",
 "description": "The time interval that the resource record may be cached. Zero value means that the resource record can only be used for the transaction in progress, and should not be cached.",
@@ -5221,6 +5272,11 @@
 "description": "The size in bytes of an attribute before truncation. See specific usage.",
 "type": "integer_t"
 },
+ "uploaded_time": {
+ "caption": "Uploaded Time",
+ "description": "The timestamp indicating when the associated indicator or intelligence was added to the system or repository.",
+ "type": "timestamp_t"
+ },
 "url": {
 "caption": "URL",
 "description": "The URL object that pertains to the event or object. See specific usage.",
diff --git a/objects/campaign.json b/objects/campaign.json
new file mode 100644
index 000000000..760e31ea7
--- /dev/null
+++ b/objects/campaign.json
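Review bot: `intrusion_sets` is inserted before `injection_type`, which breaks the alphabetical ordering the dictionary keeps ("inj" sorts before "int"); the other entries added in this commit (`campaign`, `external_id`, `threat_actor`, `uploaded_time`) all land in the right place. Moving the entry to just after `injection_type` keeps lookups and future diffs clean. The description is also a definition of what an intrusion set is rather than of the value carried here; since the type is an array of `string_t`, a sentence such as `The names or identifiers of the intrusion sets associated with the indicator.` would tell producers what to put in it.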
@@ -0,0 +1,12 @@
+{
+ "caption": "Campaign",
+ "description": "Campaign represent organized efforts by threat actors to achieve malicious objectives over a period, often characterized by shared tactics, techniques, and procedures (TTPs).",
+ "extends": "object",
+ "name": "campaign",
+ "attributes": {
+ "name": {
+ "description": "The name of a specific campaign associated with a cyber threat.",
+ "requirement": "optional"
+ }
+ }
+ }
diff --git a/objects/osint.json b/objects/osint.json
index c50019fe4..09f28bf33 100644
--- a/objects/osint.json
+++ b/objects/osint.json
@@ -116,6 +116,13 @@
 "requirement":"recommended",
 "type":"string_t"
 },
+ "campaign": {
+ "requirement": "optional"
+ },
+ "category": {
+ "description": "Categorizes the threat indicator based on its functional or operational role.",
+ "requirement": "optional"
+ },
 "confidence_id":{
 "description":"The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
 "requirement":"recommended"
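Review bot: The object description in the new `objects/campaign.json` has a number-agreement error, "Campaign represent organized efforts"; `Campaigns represent organized efforts by threat actors ...` or `A campaign represents ...` reads correctly. The object carries only `name`, so an `osint` entry's campaign can be correlated with a `threat_actor` or an external CTI source by free-text name alone; whether a `uid` or `external_id` attribute belongs here too is worth an explicit decision by the maintainers. Separately, the CHANGELOG entry for this object in the same commit is spelled `camapign`.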
@@ -124,6 +131,40 @@
 "description":"The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.",
 "requirement":"optional"
 },
+ "created_time": {
+ "description": "The timestamp when the indicator was initially created or identified.",
+ "requirement": "optional"
+ },
+ "creator": {
+ "description": "The identifier of the user, system, or organization that contributed the indicator.",
+ "requirement": "optional"
+ },
+ "desc": {
+ "description": "A detailed explanation of the indicator, including its context, purpose, and relevance.",
+ "requirement": "optional"
+ },
+ "expiration_time": {
+ "description": "The expiration date of the indicator, after which it is no longer considered reliable.",
+ "requirement": "optional"
+ },
+ "external_id": {
+ "requirement": "optional"
+ },
+ "labels": {
+ "description": "Tags or keywords associated with the indicator to enhance searchability.",
+ "requirement": "optional"
+ },
+ "malware": {
+ "requirement": "optional"
+ },
+ "modified_time": {
+ "description": "The timestamp of the last modification or update to the indicator.",
+ "requirement": "optional"
+ },
+ "name": {
+ "description": "Specifies the field(s) in logs or datasets where this indicator is expected to match.",
+ "requirement": "optional"
+ },
 "vendor_name":{
 "description":"The vendor name of a tool which generates intelligence or provides indicators.",
 "requirement":"optional"
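Review bot: The description given to `name` in this hunk, "Specifies the field(s) in logs or datasets where this indicator is expected to match.", does not describe a name; it reads like a field-mapping attribute, and a consumer of the schema cannot tell whether to populate the indicator's display name or a log field path. If the intent is the indicator's name, `"description": "The name of the indicator."` is enough; if a target-field attribute is wanted, it should be a separate attribute with its own dictionary entry. The `creator` description speaks of "the identifier of the user, system, or organization", which only fits if the dictionary types `creator` as a string; if it resolves to an object type, the wording should be aligned with that (the dictionary entry is not visible in this diff).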
@@ -137,6 +178,16 @@
 "description":"Analyst commentary or source commentary about an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "detection_pattern":{
+ "description": "The specific detection pattern or signature associated with the indicator.",
+ "requirement": "optional"
+ },
+ "detection_pattern_type": {
+ "requirement": "optional"
+ },
+ "detection_pattern_type_id": {
+ "requirement": "optional"
+ },
 "email":{
 "caption":"Related Email",
 "description":"Any email information pertinent to an indicator or OSINT analysis.",
@@ -147,6 +198,9 @@
 "description":"Any email authentication information pertinent to an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "intrusion_sets": {
+ "requirement": "optional"
+ },
 "kill_chain":{
 "description":"Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
 "requirement":"optional"
@@ -192,6 +246,14 @@
 "description":"Any pertinent file information related to an indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "risk_score":{
+ "description":"A numerical representation of the threat indicator’s risk or confidence level.",
+ "requirement":"optional"
+ },
+ "references": {
+ "description": "Provides a reference to an external source of information related to the CTI being represented. This may include a URL, a document, or some other type of reference that provides additional context or information about the CTI.",
+ "requirement": "optional"
+ },
 "related_analytics": {
 "caption": "Related Analytics",
 "description": "Any analytics related to an indicator or OSINT analysis.",
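Review bot: `detection_pattern_type_id` and `detection_pattern_type` are both `optional` in the first hunk, whereas the sibling pair already in this object marks `confidence_id` as `recommended` and `confidence` as `optional` (context lines of the preceding hunk); `"detection_pattern_type_id": { "requirement": "recommended" }` would match that convention and steer producers toward the normalized integer rather than the free-text string. The `detection_pattern_type` override carries no description, so the generated docs for this object will show only the dictionary text, which in this commit does not mention the `_id` relationship.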
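Review bot: The `risk_score` description in the third hunk contains a typographic apostrophe (U+2019) in "indicator’s", while the rest of the object uses ASCII quotes (for example `'Other'` in the `confidence` description); `indicator's` keeps the file ASCII-clean and avoids mixed quoting in generated docs. `risk_score` and `references` are also described in terms of CTI concepts ("the CTI being represented") rather than the value's shape, and neither states a range or unit; if `risk_score` is numeric in the dictionary, stating its valid range the way the `impact` entry does ("valid range 0-100") would help producers populate it consistently.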
@@ -201,6 +263,13 @@
 "description":"Related reputational analysis from third-party engines and analysts for a given indicator or OSINT analysis.",
 "requirement":"optional"
 },
+ "uploaded_time":{
+ "requirement":"optional"
+ },
+ "severity":{
+ "description":"Represents the severity level of the threat indicator, typically reflecting its potential impact or damage.",
+ "requirement":"optional"
+ },
 "subnet":{
 "caption":"Related Subnet",
 "description":"A CIDR or network block related to an indicator or OSINT analysis.",
@@ -210,6 +279,13 @@
 "caption":"Related Script Data",
 "description":"Any pertinent script information related to an indicator or OSINT analysis.",
 "requirement":"optional"
+ },
+ "uid": {
+ "description": "The unique identifier for the OSINT object.",
+ "requirement": "optional"
+ },
+ "threat_actor":{
+ "requirement":"optional"
 }
 }
 }
\ No newline at end of file
diff --git a/objects/threat_actor.json b/objects/threat_actor.json
new file mode 100644
index 000000000..3e722b4ae
--- /dev/null
+++ b/objects/threat_actor.json
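Review bot: `severity` is added on its own in the first hunk; elsewhere in this schema `severity` is the string sibling of `severity_id`, normalized to the caption of the id value, and the description written here ("Represents the severity level of the threat indicator ...") does not mention that relationship. If `severity_id` is not wanted on `osint`, the description should say the string is free-form as defined by the source; otherwise add `"severity_id": { "requirement": "recommended" }` alongside it, matching how `confidence_id`/`confidence` are handled in this object. The dictionary entry for `severity` is not in this diff, so this is based on how sibling pairs are treated in the visible hunks.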
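Review bot: The second hunk leaves `objects/osint.json` without a trailing newline (the `\ No newline at end of file` marker survives on both sides), which this commit could have fixed while touching the end of the file. `uid` is also appended at the end of the attribute map, apart from the other identifier-style keys added in this commit (`external_id`, `name`); the object is not strictly ordered, but grouping identifiers together makes it easier to scan.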
@@ -0,0 +1,44 @@
+{
+ "caption": "Threat Actor",
+ "description": "Threat actor is responsible for the observed malicious activity.",
+ "extends": "object",
+ "name": "threat_actor",
+ "attributes": {
+ "name": {
+ "description": "The name of the threat actor.",
+ "requirement": "optional"
+ },
+ "type": {
+ "caption": "Threat Actor Type",
+ "description": "The classification of the threat actor based on their motivations, capabilities, or affiliations. Common types include nation-state actors, cybercriminal groups, hacktivists, or insider threats.",
+ "requirement": "optional"
+ },
+ "type_id": {
+ "caption": "Threat Actor Type ID",
+ "description": "The normalized datastore resource type identifier.",
+ "requirement": "recommended",
+ "enum": {
+ "0": {
+ "caption": "Unknown",
+ "description": "The threat actor type is unknown."
+ },
+ "1": {
+ "caption": "Nation-state"
+ },
+ "2": {
+ "caption": "Cybercriminal"
+ },
+ "3": {
+ "caption": "Hacktivists"
+ },
+ "4": {
+ "caption": "Insider"
+ },
+ "99": {
+ "caption": "Other",
+ "description": "The threat actor type is not mapped."
+ }
+ }
+ }
+ }
+ }
\ No newline at end of file
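Review bot: The `type_id` description, "The normalized datastore resource type identifier.", is copied from an unrelated attribute and should read `"description": "The normalized threat actor type identifier.",`. The enum descriptions are also inverted relative to the convention `detection_pattern_type_id` uses in the same commit, where `0` is "The type is not mapped." and `99` covers any other value: here `0` says "unknown" and `99` says "not mapped", so a producer with an unrecognized vendor value has no clear home for it. Two smaller consistency points: `"3": { "caption": "Hacktivists" }` is plural while `Nation-state`, `Cybercriminal` and `Insider` are singular, and the `type` description does not say it is normalized to the caption of `type_id` with 'Other' defined by the event source, as the dictionary's other sibling strings do. The file is also created without a trailing newline.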