import synapse.lib.module as s_module
[docs]class RiskModule(s_module.CoreModule):
[docs] def getModelDefs(self):
modl = {
'types': (
('risk:vuln', ('guid', {}), {
'doc': 'A unique vulnerability.',
}),
('risk:hasvuln', ('guid', {}), {
'doc': 'An instance of a vulnerability present in a target.',
}),
('risk:threat', ('guid', {}), {
'doc': 'A threat cluster or subgraph of threat activity.',
}),
('risk:attack', ('guid', {}), {
'doc': 'An instance of an actor attacking a target.',
}),
('risk:alert:taxonomy', ('taxonomy', {}), {
'doc': 'A taxonomy of alert types.'
}),
('risk:alert', ('guid', {}), {
'doc': 'An instance of an alert which indicates the presence of a risk.',
}),
('risk:compromise', ('guid', {}), {
'doc': 'An instance of a compromise and its aggregate impact.',
}),
('risk:mitigation', ('guid', {}), {
'doc': 'A mitigation for a specific risk:vuln.',
}),
('risk:attacktype', ('taxonomy', {}), {
'doc': 'An attack type taxonomy.',
'interfaces': ('taxonomy',),
}),
('risk:compromisetype', ('taxonomy', {}), {
'doc': 'A compromise type taxonomy.',
'ex': 'cno.breach',
'interfaces': ('taxonomy',),
}),
('risk:tool:taxonomy', ('taxonomy', {}), {
'interfaces': ('taxonomy',),
}),
('risk:tool:software', ('guid', {}), {
'doc': 'A software tool used in threat activity.',
}),
),
'edges': (
(('risk:threat', 'targets', None), {
'doc': 'The threat cluster targeted the target nodes.'}),
(('risk:threat', 'uses', None), {
'doc': 'The threat cluster uses the target nodes.'}),
(('risk:attack', 'targets', None), {
'doc': 'The attack targeted the target nodes.'}),
(('risk:attack', 'uses', None), {
'doc': 'The attack used the target nodes to facilitate the attack.'}),
),
'forms': (
('risk:threat', {}, (
('name', ('str', {'lower': True, 'onespace': True}), {
'ex': "apt1 (mandiant)",
'doc': 'The name of the threat cluster.'}),
('desc', ('str', {}), {
'doc': 'A description of the threat cluster.'}),
('tag', ('syn:tag', {}), {
'doc': 'The tag used to annotate nodes that are members of the cluster.'}),
('reporter', ('ou:org', {}), {
'doc': 'The organization who published the threat cluster.'}),
('reporter:name', ('ou:name', {}), {
'doc': 'The name of the organization who published the threat cluster.'}),
('org', ('ou:org', {}), {
'doc': 'The organization that the threat cluster is attributed to.'}),
('org:loc', ('loc', {}), {
'doc': 'The assessed location of the organization that the threat cluster is attributed to.'}),
('org:name', ('ou:name', {}), {
'ex': 'apt1',
'doc': 'The name of the organization that the threat cluster is attributed to.'}),
('org:names', ('array', {'type': 'ou:name', 'sorted': True, 'uniq': True}), {
'doc': 'An array of alternate names for the organization that the threat cluster is attributed to.'}),
('goals', ('array', {'type': 'ou:goal', 'sorted': True, 'uniq': True}), {
'doc': 'The assessed goals of the threat cluster activity.'}),
('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), {
'doc': 'A list of techniques employed within the threat cluster.'}),
)),
('risk:tool:software', {}, (
('tag', ('syn:tag', {}), {
'ex': 'rep.mandiant.tabcteng',
'doc': 'The tag used to annotate nodes that are part of the tool subgraph.',
}),
('desc', ('str', {}), {
'doc': "A description of the tool's use in threat activity.",
}),
('type', ('risk:tool:taxonomy', {}), {
'doc': 'An analyst specified taxonomy of software tool types.',
}),
('reporter', ('ou:org', {}), {
'doc': 'The organization which reported the tool.',
}),
('reporter:name', ('ou:name', {}), {
'doc': 'The name of the organization which reported the tool.',
}),
('soft', ('it:prod:soft', {}), {
'doc': 'The authoritative software family of the tool.',
}),
('soft:name', ('it:prod:softname', {}), {
'doc': 'The reported primary name of the tool.',
}),
('soft:names', ('array', {'type': 'it:prod:softname'}), {
'doc': 'An array of reported alterate names for the tool.',
}),
('techniques', ('array', {'type': 'ou:technique'}), {
'doc': 'An array of techniques reportedly used by the tool.',
}),
)),
('risk:mitigation', {}, (
('vuln', ('risk:vuln', {}), {
'doc': 'The vulnerability that this mitigation addresses.'}),
('name', ('str', {}), {
'doc': 'A brief name for this risk mitigation.'}),
('desc', ('str', {}), {
'disp': {'hint': 'text'},
'doc': 'A description of the mitigation approach for the vulnerability.'}),
('software', ('it:prod:softver', {}), {
'doc': 'A software version which implements a fix for the vulnerability.'}),
('hardware', ('it:prod:hardware', {}), {
'doc': 'A hardware version which implements a fix for the vulnerability.'}),
)),
('risk:vuln', {}, (
('name', ('str', {}), {
'doc': 'A user specified name for the vulnerability.',
}),
('type', ('str', {}), {
'doc': 'A user specified type for the vulnerability.',
}),
('desc', ('str', {}), {
'doc': 'A description of the vulnerability.',
'disp': {'hint': 'text'},
}),
('cve', ('it:sec:cve', {}), {
'doc': 'The CVE ID of the vulnerability.',
}),
('cvss:av', ('str', {'enums': 'N,A,V,L'}), {
'doc': 'The CVSS Attack Vector (AV) value.',
}),
('cvss:ac', ('str', {'enums': 'L,H'}), {
'doc': 'The CVSS Attack Complexity (AC) value.',
'disp': {'enums': (('Low', 'L'), ('High', 'H'))},
}),
('cvss:pr', ('str', {'enums': 'N,L,H'}), {
'doc': 'The CVSS Privileges Required (PR) value.',
'disp': {'enums': (
{'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'},
{'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'},
{'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'},
)},
}),
('cvss:ui', ('str', {'enums': 'N,R'}), {
'doc': 'The CVSS User Interaction (UI) value.',
}),
('cvss:s', ('str', {'enums': 'U,C'}), {
'doc': 'The CVSS Scope (S) value.',
}),
('cvss:c', ('str', {'enums': 'N,L,H'}), {
'doc': 'The CVSS Confidentiality Impact (C) value.',
}),
('cvss:i', ('str', {'enums': 'N,L,H'}), {
'doc': 'The CVSS Integrity Impact (I) value.',
}),
('cvss:a', ('str', {'enums': 'N,L,H'}), {
'doc': 'The CVSS Availability Impact (A) value.',
}),
('cvss:e', ('str', {'enums': 'X,U,P,F,H'}), {
'doc': 'The CVSS Exploit Code Maturity (E) value.',
}),
('cvss:rl', ('str', {'enums': 'X,O,T,W,U'}), {
'doc': 'The CVSS Remediation Level (RL) value.',
}),
('cvss:rc', ('str', {'enums': 'X,U,R,C'}), {
'doc': 'The CVSS Report Confidence (AV) value.',
}),
('cvss:mav', ('str', {'enums': 'X,N,A,L,P'}), {
'doc': 'The CVSS Environmental Attack Vector (MAV) value.',
}),
('cvss:mac', ('str', {'enums': 'X,L,H'}), {
'doc': 'The CVSS Environmental Attack Complexity (MAC) value.',
}),
('cvss:mpr', ('str', {'enums': 'X,N,L,H'}), {
'doc': 'The CVSS Environmental Privileges Required (MPR) value.',
}),
('cvss:mui', ('str', {'enums': 'X,N,R'}), {
'doc': 'The CVSS Environmental User Interaction (MUI) value.',
}),
('cvss:ms', ('str', {'enums': 'X,U,C'}), {
'doc': 'The CVSS Environmental Scope (MS) value.',
}),
('cvss:mc', ('str', {'enums': 'X,N,L,H'}), {
'doc': 'The CVSS Environmental Confidentiality Impact (MC) value.',
}),
('cvss:mi', ('str', {'enums': 'X,N,L,H'}), {
'doc': 'The CVSS Environmental Integrity Impact (MI) value.',
}),
('cvss:ma', ('str', {'enums': 'X,N,L,H'}), {
'doc': 'The CVSS Environmental Accessibility Impact (MA) value.',
}),
('cvss:cr', ('str', {'enums': 'X,L,M,H'}), {
'doc': 'The CVSS Environmental Confidentiality Requirement (CR) value.',
}),
('cvss:ir', ('str', {'enums': 'X,L,M,H'}), {
'doc': 'The CVSS Environmental Integrity Requirement (IR) value.',
}),
('cvss:ar', ('str', {'enums': 'X,L,M,H'}), {
'doc': 'The CVSS Environmental Availability Requirement (AR) value.',
}),
('cvss:score', ('float', {}), {
'doc': 'The Overall CVSS Score value.',
}),
('cvss:score:base', ('float', {}), {
'doc': 'The CVSS Base Score value.',
}),
('cvss:score:temporal', ('float', {}), {
'doc': 'The CVSS Temporal Score value.',
}),
('cvss:score:environmental', ('float', {}), {
'doc': 'The CVSS Environmental Score value.',
}),
('cwes', ('array', {'type': 'it:sec:cwe', 'uniq': True, 'sorted': True}), {
'doc': 'An array of MITRE CWE values that apply to the vulnerability.',
}),
)),
('risk:hasvuln', {}, (
('vuln', ('risk:vuln', {}), {
'doc': 'The vulnerability present in the target.'
}),
('person', ('ps:person', {}), {
'doc': 'The vulnerable person.',
}),
('org', ('ou:org', {}), {
'doc': 'The vulnerable org.',
}),
('place', ('geo:place', {}), {
'doc': 'The vulnerable place.',
}),
('software', ('it:prod:softver', {}), {
'doc': 'The vulnerable software.',
}),
('hardware', ('it:prod:hardware', {}), {
'doc': 'The vulnerable hardware.',
}),
('spec', ('mat:spec', {}), {
'doc': 'The vulnerable material specification.',
}),
('item', ('mat:item', {}), {
'doc': 'The vulnerable material item.',
}),
('host', ('it:host', {}), {
'doc': 'The vulnerable host.'
})
)),
('risk:alert:taxonomy', {}, {}),
('risk:alert', {}, (
('type', ('risk:alert:taxonomy', {}), {
'doc': 'An alert type.',
}),
('name', ('str', {}), {
'doc': 'The alert name.',
}),
('desc', ('str', {}), {
'disp': {'hint': 'text'},
'doc': 'A free-form description / overview of the alert.',
}),
('detected', ('time', {}), {
'doc': 'The time the alerted condition was detected.',
}),
('vuln', ('risk:vuln', {}), {
'doc': 'The optional vulnerability that the alert indicates.',
}),
('attack', ('risk:attack', {}), {
'doc': 'A confirmed attack that this alert indicates.',
}),
)),
('risk:compromisetype', {}, ()),
('risk:compromise', {}, (
('name', ('str', {'lower': True, 'onespace': True}), {
'doc': 'A brief name for the compromise event.',
}),
('desc', ('str', {}), {
'disp': {'hint': 'text'},
'doc': 'A prose description of the compromise event.',
}),
('type', ('risk:compromisetype', {}), {
'ex': 'cno.breach',
'doc': 'The compromise type.',
}),
('target', ('ps:contact', {}), {
'doc': 'Contact information of the target.',
}),
('attacker', ('ps:contact', {}), {
'doc': 'Contact information of the attacker.',
}),
('campaign', ('ou:campaign', {}), {
'doc': 'The campaign that this compromise is part of.',
}),
('time', ('time', {}), {
'doc': 'Earliest known evidence of compromise.',
}),
('lasttime', ('time', {}), {
'doc': 'Last known evidence of compromise.',
}),
('duration', ('duration', {}), {
'doc': 'The duration of the compromise.',
}),
('loss:pii', ('int', {}), {
'doc': 'The number of records compromised which contain PII.',
}),
('loss:econ', ('econ:price', {}), {
'doc': 'The total economic cost of the compromise.',
}),
('loss:life', ('int', {}), {
'doc': 'The total loss of life due to the compromise.',
}),
('loss:bytes', ('int', {}), {
'doc': 'An estimate of the volume of data compromised.',
}),
('ransom:paid', ('econ:price', {}), {
'doc': 'The value of the ransom paid by the target.',
}),
('ransom:price', ('econ:price', {}), {
'doc': 'The value of the ransom demanded by the attacker.',
}),
('response:cost', ('econ:price', {}), {
'doc': 'The economic cost of the response and mitigation efforts.',
}),
('theft:price', ('econ:price', {}), {
'doc': 'The total value of the theft of assets.',
}),
('econ:currency', ('econ:currency', {}), {
'doc': 'The currency type for the econ:price fields.',
}),
# -(stole)> file:bytes ps:contact file:bytes
# -(compromised)> geo:place it:account it:host
('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), {
'doc': 'A list of techniques employed during the compromise.',
}),
)),
('risk:attacktype', {}, ()),
('risk:attack', {}, (
('desc', ('str', {}), {
'doc': 'A description of the attack.',
'disp': {'hint': 'text'},
}),
('type', ('risk:attacktype', {}), {
'ex': 'cno.phishing',
'doc': 'The attack type.',
}),
('time', ('time', {}), {
'doc': 'Set if the time of the attack is known.',
}),
('success', ('bool', {}), {
'doc': 'Set if the attack was known to have succeeded or not.',
}),
('targeted', ('bool', {}), {
'doc': 'Set if the attack was assessed to be targeted or not.',
}),
('goal', ('ou:goal', {}), {
'doc': 'The tactical goal of this specific attack.',
}),
('campaign', ('ou:campaign', {}), {
'doc': 'Set if the attack was part of a larger campaign.',
}),
('compromise', ('risk:compromise', {}), {
'doc': 'A compromise that this attack contributed to.',
}),
('prev', ('risk:attack', {}), {
'doc': 'The previous/parent attack in a list or hierarchy.',
}),
('actor:org', ('ou:org', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use :attacker to allow entity resolution.',
}),
('actor:person', ('ps:person', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use :attacker to allow entity resolution.',
}),
('attacker', ('ps:contact', {}), {
'doc': 'Contact information associated with the attacker.',
}),
('target', ('ps:contact', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(targets)> light weight edges.',
}),
('target:org', ('ou:org', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(targets)> light weight edges.',
}),
('target:host', ('it:host', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(targets)> light weight edges.',
}),
('target:person', ('ps:person', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(targets)> light weight edges.',
}),
('target:place', ('geo:place', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(targets)> light weight edges.',
}),
('via:ipv4', ('inet:ipv4', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('via:ipv6', ('inet:ipv6', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('via:email', ('inet:email', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('via:phone', ('tel:phone', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:vuln', ('risk:vuln', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:url', ('inet:url', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:host', ('it:host', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:email', ('inet:email', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:file', ('file:bytes', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:server', ('inet:server', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('used:software', ('it:prod:softver', {}), {
'deprecated': True,
'doc': 'Deprecated. Please use -(uses)> light weight edges.',
}),
('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), {
'doc': 'A list of techniques employed during the attack.',
}),
)),
),
}
name = 'risk'
return ((name, modl), )