Source code for synapse.models.risk

import synapse.lib.module as s_module

[docs]class RiskModule(s_module.CoreModule):
[docs] def getModelDefs(self): modl = { 'types': ( ('risk:vuln', ('guid', {}), { 'doc': 'A unique vulnerability.', }), ('risk:hasvuln', ('guid', {}), { 'doc': 'An instance of a vulnerability present in a target.', }), ('risk:threat', ('guid', {}), { 'doc': 'A threat cluster or subgraph of threat activity.', }), ('risk:attack', ('guid', {}), { 'doc': 'An instance of an actor attacking a target.', }), ('risk:alert:taxonomy', ('taxonomy', {}), { 'doc': 'A taxonomy of alert types.' }), ('risk:alert', ('guid', {}), { 'doc': 'An instance of an alert which indicates the presence of a risk.', }), ('risk:compromise', ('guid', {}), { 'doc': 'An instance of a compromise and its aggregate impact.', }), ('risk:mitigation', ('guid', {}), { 'doc': 'A mitigation for a specific risk:vuln.', }), ('risk:attacktype', ('taxonomy', {}), { 'doc': 'An attack type taxonomy.', 'interfaces': ('taxonomy',), }), ('risk:compromisetype', ('taxonomy', {}), { 'doc': 'A compromise type taxonomy.', 'ex': 'cno.breach', 'interfaces': ('taxonomy',), }), ('risk:tool:software:taxonomy', ('taxonomy', {}), { 'interfaces': ('taxonomy',), }), ('risk:availability', ('taxonomy', {}), { 'interfaces': ('taxonomy',), 'doc': 'A taxonomy of availability status values.', }), ('risk:tool:software', ('guid', {}), { 'doc': 'A software tool used in threat activity.', }), ('risk:alert:verdict:taxonomy', ('taxonomy', {}), { 'doc': 'An assessment of the origin and validity of the alert.'}), ('risk:threat:type:taxonomy', ('taxonomy', {}), { 'doc': 'A taxonomy of threat types.'}), ), 'edges': ( # some explicit examples... (('risk:attack', 'uses', 'ou:technique'), { 'doc': 'The attack used the technique.'}), (('risk:threat', 'uses', 'ou:technique'), { 'doc': 'The threat cluster uses the technique.'}), (('risk:tool:software', 'uses', 'ou:technique'), { 'doc': 'The tool uses the technique.'}), (('risk:attack', 'uses', 'risk:vuln'), { 'doc': 'The attack used the vulnerability.'}), (('risk:threat', 'uses', 'risk:vuln'), { 'doc': 'The threat cluster uses the vulnerability.'}), (('risk:tool:software', 'uses', 'risk:vuln'), { 'doc': 'The tool uses the vulnerability.'}), (('risk:attack', 'targets', 'ou:industry'), { 'doc': 'The attack targeted the industry.'}), (('risk:threat', 'targets', 'ou:industry'), { 'doc': 'The threat cluster targets the industry.'}), (('risk:threat', 'targets', None), { 'doc': 'The threat cluster targeted the target node.'}), (('risk:threat', 'uses', None), { 'doc': 'The threat cluster uses the target node.'}), (('risk:attack', 'targets', None), { 'doc': 'The attack targeted the target node.'}), (('risk:attack', 'uses', None), { 'doc': 'The attack used the target nodes to facilitate the attack.'}), (('risk:tool:software', 'uses', None), { 'doc': 'The tool uses the target node.'}), (('risk:compromise', 'stole', None), { 'doc': 'The target node was stolen or copied as a result of the compromise.'}), ), 'forms': ( ('risk:threat:type:taxonomy', {}, ()), ('risk:threat', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'ex': "apt1 (mandiant)", 'doc': 'The name of the threat cluster.'}), ('type', ('risk:threat:type:taxonomy', {}), { 'doc': 'The type of threat cluster.'}), ('desc', ('str', {}), { 'doc': 'A description of the threat cluster.'}), ('tag', ('syn:tag', {}), { 'doc': 'The tag used to annotate nodes that are members of the cluster.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization who published the threat cluster.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization who published the threat cluster.'}), ('org', ('ou:org', {}), { 'doc': 'The organization that the threat cluster is attributed to.'}), ('org:loc', ('loc', {}), { 'doc': 'The assessed location of the organization that the threat cluster is attributed to.'}), ('org:name', ('ou:name', {}), { 'ex': 'apt1', 'doc': 'The name of the organization that the threat cluster is attributed to.'}), ('org:names', ('array', {'type': 'ou:name', 'sorted': True, 'uniq': True}), { 'doc': 'An array of alternate names for the organization that the threat cluster is attributed to.'}), ('goals', ('array', {'type': 'ou:goal', 'sorted': True, 'uniq': True}), { 'doc': 'The assessed goals of the threat cluster activity.'}), ('sophistication', ('meta:sophistication', {}), { 'doc': 'The assessed sophistication of the threat cluster.'}), ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), ('merged:time', ('time', {}), { 'doc': 'The time that this threat cluster was merged into another.'}), ('merged:isnow', ('risk:threat', {}), { 'doc': 'The threat cluster that this cluster has been merged into.'}), )), ('risk:availability', {}, {}), ('risk:tool:software:taxonomy', {}, ()), ('risk:tool:software', {}, ( ('tag', ('syn:tag', {}), { 'ex': 'rep.mandiant.tabcteng', 'doc': 'The tag used to annotate nodes that are part of the tool subgraph.'}), ('desc', ('str', {}), { 'doc': "A description of the tool's use in threat activity."}), ('type', ('risk:tool:software:taxonomy', {}), { 'doc': 'An analyst specified taxonomy of software tool types.'}), ('availability', ('risk:availability', {}), { 'doc': 'The assessed availability of the tool.'}), ('sophistication', ('meta:sophistication', {}), { 'doc': 'The assessed sophistication of the tool.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization which reported the tool.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization which reported the tool.'}), ('soft', ('it:prod:soft', {}), { 'doc': 'The authoritative software family of the tool.'}), ('soft:name', ('it:prod:softname', {}), { 'doc': 'The reported primary name of the tool.'}), ('soft:names', ('array', {'type': 'it:prod:softname', 'uniq': True, 'sorted': True}), { 'doc': 'An array of reported alterate names for the tool.'}), ('techniques', ('array', {'type': 'ou:technique', 'uniq': True, 'sorted': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), )), ('risk:mitigation', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability that this mitigation addresses.'}), ('name', ('str', {}), { 'doc': 'A brief name for this risk mitigation.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the mitigation approach for the vulnerability.'}), ('software', ('it:prod:softver', {}), { 'doc': 'A software version which implements a fix for the vulnerability.'}), ('hardware', ('it:prod:hardware', {}), { 'doc': 'A hardware version which implements a fix for the vulnerability.'}), )), ('risk:vuln', {}, ( ('name', ('str', {}), { 'doc': 'A user specified name for the vulnerability.'}), ('type', ('str', {}), { 'doc': 'A user specified type for the vulnerability.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the vulnerability.'}), ('mitigated', ('bool', {}), { 'doc': 'Set to true if a mitigation/fix is available for the vulnerability.'}), ('exploited', ('bool', {}), { 'doc': 'Set to true if the vulnerability has been exploited in the wild.'}), ('timeline:discovered', ('time', {"ismin": True}), { 'doc': 'The earliest known discovery time for the vulnerability.'}), ('timeline:published', ('time', {"ismin": True}), { 'doc': 'The earliest known time the vulnerability was published.'}), ('timeline:vendor:notified', ('time', {"ismin": True}), { 'doc': 'The earliest known vendor notification time for the vulnerability.'}), ('timeline:vendor:fixed', ('time', {"ismin": True}), { 'doc': 'The earliest known time the vendor issued a fix for the vulnerability.'}), ('timeline:exploited', ('time', {"ismin": True}), { 'doc': 'The earliest known time when the vulnerability was exploited in the wild.'}), ('cve', ('it:sec:cve', {}), { 'doc': 'The CVE ID of the vulnerability.'}), ('cve:desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'The description of the vulnerability according to the CVE database.'}), ('cve:url', ('inet:url', {}), { 'doc': 'A URL linking this vulnerability to the CVE description.'}), ('cve:references', ('array', {'type': 'inet:url', 'uniq': True, 'sorted': True}), { 'doc': 'An array of documentation URLs provided by the CVE database.'}), ('nist:nvd:source', ('ou:name', {}), { 'doc': 'The name of the organization which reported the vulnerability to NIST.'}), ('nist:nvd:published', ('time', {}), { 'doc': 'The date the vulnerability was first published in the NVD.'}), ('nist:nvd:modified', ('time', {"ismax": True}), { 'doc': 'The date the vulnerability was last modified in the NVD.'}), ('cisa:kev:name', ('str', {}), { 'doc': 'The name of the vulnerability according to the CISA KEV database.'}), ('cisa:kev:desc', ('str', {}), { 'doc': 'The description of the vulnerability according to the CISA KEV database.'}), ('cisa:kev:action', ('str', {}), { 'doc': 'The action to mitigate the vulnerability according to the CISA KEV database.'}), ('cisa:kev:vendor', ('ou:name', {}), { 'doc': 'The vendor name listed in the CISA KEV database.'}), ('cisa:kev:product', ('it:prod:softname', {}), { 'doc': 'The product name listed in the CISA KEV database.'}), ('cisa:kev:added', ('time', {}), { 'doc': 'The date the vulnerability was added to the CISA KEV database.'}), ('cisa:kev:duedate', ('time', {}), { 'doc': 'The date the action is due according to the CISA KEV database.'}), ('cvss:av', ('str', {'enums': 'N,A,V,L'}), { 'doc': 'The CVSS Attack Vector (AV) value.'}), ('cvss:ac', ('str', {'enums': 'L,H'}), { 'disp': {'enums': (('Low', 'L'), ('High', 'H'))}, 'doc': 'The CVSS Attack Complexity (AC) value.'}), ('cvss:pr', ('str', {'enums': 'N,L,H'}), { 'disp': {'enums': ( {'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'}, )}, 'doc': 'The CVSS Privileges Required (PR) value.'}), ('cvss:ui', ('str', {'enums': 'N,R'}), { 'doc': 'The CVSS User Interaction (UI) value.'}), ('cvss:s', ('str', {'enums': 'U,C'}), { 'doc': 'The CVSS Scope (S) value.'}), ('cvss:c', ('str', {'enums': 'N,L,H'}), { 'doc': 'The CVSS Confidentiality Impact (C) value.'}), ('cvss:i', ('str', {'enums': 'N,L,H'}), { 'doc': 'The CVSS Integrity Impact (I) value.'}), ('cvss:a', ('str', {'enums': 'N,L,H'}), { 'doc': 'The CVSS Availability Impact (A) value.'}), ('cvss:e', ('str', {'enums': 'X,U,P,F,H'}), { 'doc': 'The CVSS Exploit Code Maturity (E) value.'}), ('cvss:rl', ('str', {'enums': 'X,O,T,W,U'}), { 'doc': 'The CVSS Remediation Level (RL) value.'}), ('cvss:rc', ('str', {'enums': 'X,U,R,C'}), { 'doc': 'The CVSS Report Confidence (AV) value.'}), ('cvss:mav', ('str', {'enums': 'X,N,A,L,P'}), { 'doc': 'The CVSS Environmental Attack Vector (MAV) value.'}), ('cvss:mac', ('str', {'enums': 'X,L,H'}), { 'doc': 'The CVSS Environmental Attack Complexity (MAC) value.'}), ('cvss:mpr', ('str', {'enums': 'X,N,L,H'}), { 'doc': 'The CVSS Environmental Privileges Required (MPR) value.'}), ('cvss:mui', ('str', {'enums': 'X,N,R'}), { 'doc': 'The CVSS Environmental User Interaction (MUI) value.'}), ('cvss:ms', ('str', {'enums': 'X,U,C'}), { 'doc': 'The CVSS Environmental Scope (MS) value.'}), ('cvss:mc', ('str', {'enums': 'X,N,L,H'}), { 'doc': 'The CVSS Environmental Confidentiality Impact (MC) value.'}), ('cvss:mi', ('str', {'enums': 'X,N,L,H'}), { 'doc': 'The CVSS Environmental Integrity Impact (MI) value.'}), ('cvss:ma', ('str', {'enums': 'X,N,L,H'}), { 'doc': 'The CVSS Environmental Accessibility Impact (MA) value.'}), ('cvss:cr', ('str', {'enums': 'X,L,M,H'}), { 'doc': 'The CVSS Environmental Confidentiality Requirement (CR) value.'}), ('cvss:ir', ('str', {'enums': 'X,L,M,H'}), { 'doc': 'The CVSS Environmental Integrity Requirement (IR) value.'}), ('cvss:ar', ('str', {'enums': 'X,L,M,H'}), { 'doc': 'The CVSS Environmental Availability Requirement (AR) value.'}), ('cvss:score', ('float', {}), { 'doc': 'The Overall CVSS Score value.'}), ('cvss:score:base', ('float', {}), { 'doc': 'The CVSS Base Score value.'}), ('cvss:score:temporal', ('float', {}), { 'doc': 'The CVSS Temporal Score value.'}), ('cvss:score:environmental', ('float', {}), { 'doc': 'The CVSS Environmental Score value.'}), ('cwes', ('array', {'type': 'it:sec:cwe', 'uniq': True, 'sorted': True}), { 'doc': 'An array of MITRE CWE values that apply to the vulnerability.'}), )), ('risk:hasvuln', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability present in the target.' }), ('person', ('ps:person', {}), { 'doc': 'The vulnerable person.', }), ('org', ('ou:org', {}), { 'doc': 'The vulnerable org.', }), ('place', ('geo:place', {}), { 'doc': 'The vulnerable place.', }), ('software', ('it:prod:softver', {}), { 'doc': 'The vulnerable software.', }), ('hardware', ('it:prod:hardware', {}), { 'doc': 'The vulnerable hardware.', }), ('spec', ('mat:spec', {}), { 'doc': 'The vulnerable material specification.', }), ('item', ('mat:item', {}), { 'doc': 'The vulnerable material item.', }), ('host', ('it:host', {}), { 'doc': 'The vulnerable host.' }) )), ('risk:alert:taxonomy', {}, {}), ('risk:alert:verdict:taxonomy', {}, {}), ('risk:alert', {}, ( ('type', ('risk:alert:taxonomy', {}), { 'doc': 'An alert type.'}), ('name', ('str', {}), { 'doc': 'The alert name.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A free-form description / overview of the alert.'}), ('benign', ('bool', {}), { 'doc': 'Set to true if the alert has been confirmed benign. Set to false if malicious.'}), ('priority', ('int', {}), { 'doc': 'A numeric value used to rank alerts by priority.'}), ('verdict', ('risk:alert:verdict:taxonomy', {}), { 'ex': 'benign.false_positive', 'doc': 'Analyst specified verdict taxonomy about why the alert is malicious or benign.'}), ('engine', ('it:prod:softver', {}), { 'doc': 'The software which generated the alert.'}), ('detected', ('time', {}), { 'doc': 'The time the alerted condition was detected.'}), ('vuln', ('risk:vuln', {}), { 'doc': 'The optional vulnerability that the alert indicates.'}), ('attack', ('risk:attack', {}), { 'doc': 'A confirmed attack that this alert indicates.'}), ('url', ('inet:url', {}), { 'doc': 'A URL which documents the alert.'}), ('ext:id', ('str', {}), { 'doc': 'An external identifier for the alert.'}), )), ('risk:compromisetype', {}, ()), ('risk:compromise', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A brief name for the compromise event.', }), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A prose description of the compromise event.', }), ('type', ('risk:compromisetype', {}), { 'ex': 'cno.breach', 'doc': 'The compromise type.', }), ('target', ('ps:contact', {}), { 'doc': 'Contact information of the target.', }), ('attacker', ('ps:contact', {}), { 'doc': 'Contact information of the attacker.', }), ('campaign', ('ou:campaign', {}), { 'doc': 'The campaign that this compromise is part of.', }), ('time', ('time', {}), { 'doc': 'Earliest known evidence of compromise.', }), ('lasttime', ('time', {}), { 'doc': 'Last known evidence of compromise.', }), ('duration', ('duration', {}), { 'doc': 'The duration of the compromise.', }), ('loss:pii', ('int', {}), { 'doc': 'The number of records compromised which contain PII.', }), ('loss:econ', ('econ:price', {}), { 'doc': 'The total economic cost of the compromise.', }), ('loss:life', ('int', {}), { 'doc': 'The total loss of life due to the compromise.', }), ('loss:bytes', ('int', {}), { 'doc': 'An estimate of the volume of data compromised.', }), ('ransom:paid', ('econ:price', {}), { 'doc': 'The value of the ransom paid by the target.', }), ('ransom:price', ('econ:price', {}), { 'doc': 'The value of the ransom demanded by the attacker.', }), ('response:cost', ('econ:price', {}), { 'doc': 'The economic cost of the response and mitigation efforts.', }), ('theft:price', ('econ:price', {}), { 'doc': 'The total value of the theft of assets.', }), ('econ:currency', ('econ:currency', {}), { 'doc': 'The currency type for the econ:price fields.', }), ('severity', ('int', {}), { 'doc': 'An integer based relative severity score for the compromise.'}), # -(stole)> file:bytes ps:contact file:bytes # -(compromised)> geo:place it:account it:host ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'doc': 'A list of techniques employed during the compromise.', }), )), ('risk:attacktype', {}, ()), ('risk:attack', {}, ( ('desc', ('str', {}), { 'doc': 'A description of the attack.', 'disp': {'hint': 'text'}, }), ('type', ('risk:attacktype', {}), { 'ex': 'cno.phishing', 'doc': 'The attack type.', }), ('time', ('time', {}), { 'doc': 'Set if the time of the attack is known.', }), ('success', ('bool', {}), { 'doc': 'Set if the attack was known to have succeeded or not.', }), ('targeted', ('bool', {}), { 'doc': 'Set if the attack was assessed to be targeted or not.', }), ('goal', ('ou:goal', {}), { 'doc': 'The tactical goal of this specific attack.', }), ('campaign', ('ou:campaign', {}), { 'doc': 'Set if the attack was part of a larger campaign.', }), ('compromise', ('risk:compromise', {}), { 'doc': 'A compromise that this attack contributed to.', }), ('severity', ('int', {}), { 'doc': 'An integer based relative severity score for the attack.'}), ('sophistication', ('meta:sophistication', {}), { 'doc': 'The assessed sophistication of the attack.', }), ('prev', ('risk:attack', {}), { 'doc': 'The previous/parent attack in a list or hierarchy.', }), ('actor:org', ('ou:org', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use :attacker to allow entity resolution.', }), ('actor:person', ('ps:person', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use :attacker to allow entity resolution.', }), ('attacker', ('ps:contact', {}), { 'doc': 'Contact information associated with the attacker.', }), ('target', ('ps:contact', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.', }), ('target:org', ('ou:org', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.', }), ('target:host', ('it:host', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.', }), ('target:person', ('ps:person', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.', }), ('target:place', ('geo:place', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.', }), ('via:ipv4', ('inet:ipv4', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('via:ipv6', ('inet:ipv6', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('via:email', ('inet:email', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('via:phone', ('tel:phone', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:vuln', ('risk:vuln', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:url', ('inet:url', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:host', ('it:host', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:email', ('inet:email', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:file', ('file:bytes', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:server', ('inet:server', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('used:software', ('it:prod:softver', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.', }), ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'doc': 'A list of techniques employed during the attack.', }), )), ), } name = 'risk' return ((name, modl), )