Source code for synapse.models.risk

import synapse.exc as s_exc

import synapse.lib.chop as s_chop
import synapse.lib.types as s_types
import synapse.lib.module as s_module


[docs] class CvssV2(s_types.Str): def _normPyStr(self, text): try: return s_chop.cvss2_normalize(text), {} except s_exc.BadDataValu as exc: mesg = exc.get('mesg') raise s_exc.BadTypeValu(name=self.name, valu=text, mesg=mesg) from None
[docs] class CvssV3(s_types.Str): def _normPyStr(self, text): try: return s_chop.cvss3x_normalize(text), {} except s_exc.BadDataValu as exc: mesg = exc.get('mesg') raise s_exc.BadTypeValu(name=self.name, valu=text, mesg=mesg) from None
alertstatus = ( (0, 'new'), (10, 'enrichment'), (20, 'todo'), (30, 'analysis'), (40, 'remediation'), (50, 'done'), )
[docs] class RiskModule(s_module.CoreModule):
[docs] def getModelDefs(self): modl = { 'ctors': ( ('cvss:v2', 'synapse.models.risk.CvssV2', {}, { 'doc': 'A CVSS v2 vector string.', 'ex': '(AV:L/AC:L/Au:M/C:P/I:C/A:N)' }), ('cvss:v3', 'synapse.models.risk.CvssV3', {}, { 'doc': 'A CVSS v3.x vector string.', 'ex': 'AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L' }), ), 'types': ( ('risk:vuln', ('guid', {}), { 'doc': 'A unique vulnerability.'}), ('risk:vulnname', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A vulnerability name such as log4j or rowhammer.'}), ('risk:vuln:type:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'A taxonomy of vulnerability types.'}), ('risk:vuln:soft:range', ('guid', {}), { 'doc': 'A contiguous range of software versions which contain a vulnerability.'}), ('risk:hasvuln', ('guid', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use risk:vulnerable.'}), ('risk:vulnerable', ('guid', {}), { 'doc': 'Indicates that a node is susceptible to a vulnerability.'}), ('risk:threat', ('guid', {}), { 'doc': 'A threat cluster or subgraph of threat activity, as reported by a specific organization.', 'display': { 'columns': ( {'type': 'prop', 'opts': {'name': 'org:name'}}, {'type': 'prop', 'opts': {'name': 'org:names'}}, {'type': 'prop', 'opts': {'name': 'reporter:name'}}, {'type': 'prop', 'opts': {'name': 'tag'}}, ), }, }), ('risk:attack', ('guid', {}), { 'doc': 'An instance of an actor attacking a target.', }), ('risk:alert:taxonomy', ('taxonomy', {}), { 'doc': 'A taxonomy of alert types.', 'interfaces': ('meta:taxonomy',), }), ('risk:alert', ('guid', {}), { 'doc': 'An instance of an alert which indicates the presence of a risk.', }), ('risk:compromise', ('guid', {}), { 'doc': 'An instance of a compromise and its aggregate impact.', 'display': { 'columns': ( {'type': 'prop', 'opts': {'name': 'name'}}, {'type': 'prop', 'opts': {'name': 'reporter:name'}}, ), }, }), ('risk:mitigation:type:taxonomy', ('taxonomy', {}), { 'interaces': ('taxonomy',), 'doc': 'A taxonomy of mitigation types.', }), ('risk:mitigation', ('guid', {}), { 'doc': 'A mitigation for a specific risk:vuln.', 'display': { 'columns': ( {'type': 'prop', 'opts': {'name': 'name'}}, {'type': 'prop', 'opts': {'name': 'reporter:name'}}, {'type': 'prop', 'opts': {'name': 'type'}}, {'type': 'prop', 'opts': {'name': 'tag'}}, ), }, }), ('risk:attacktype', ('taxonomy', {}), { 'doc': 'A taxonomy of attack types.', 'interfaces': ('meta:taxonomy',), }), ('risk:compromisetype', ('taxonomy', {}), { 'doc': 'A taxonomy of compromise types.', 'ex': 'cno.breach', 'interfaces': ('meta:taxonomy',), }), ('risk:tool:software:taxonomy', ('taxonomy', {}), { 'doc': 'A taxonomy of software / tool types.', 'interfaces': ('meta:taxonomy',), }), ('risk:availability', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'A taxonomy of availability status values.', }), ('risk:tool:software', ('guid', {}), { 'doc': 'A software tool used in threat activity, as reported by a specific organization.', 'display': { 'columns': ( {'type': 'prop', 'opts': {'name': 'soft:name'}}, {'type': 'prop', 'opts': {'name': 'soft:names'}}, {'type': 'prop', 'opts': {'name': 'reporter:name'}}, {'type': 'prop', 'opts': {'name': 'tag'}}, ), }, }), ('risk:alert:verdict:taxonomy', ('taxonomy', {}), { 'doc': 'A taxonomy of verdicts for the origin and validity of the alert.', 'interfaces': ('meta:taxonomy',), }), ('risk:threat:type:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'A taxonomy of threat types.'}), ('risk:leak', ('guid', {}), { 'doc': 'An event where information was disclosed without permission.'}), ('risk:leak:type:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'A taxonomy of leak event types.'}), ('risk:extortion', ('guid', {}), { 'doc': 'An event where an attacker attempted to extort a victim.'}), ('risk:outage:cause:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'An outage cause taxonomy.'}), ('risk:outage:type:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'An outage type taxonomy.'}), ('risk:outage', ('guid', {}), { 'display': { 'columns': ( {'type': 'prop', 'opts': {'name': 'name'}}, {'type': 'prop', 'opts': {'name': 'type'}}, {'type': 'prop', 'opts': {'name': 'cause'}}, {'type': 'prop', 'opts': {'name': 'period'}}, {'type': 'prop', 'opts': {'name': 'provider:name'}}, {'type': 'prop', 'opts': {'name': 'reporter:name'}}, ), }, 'doc': 'An outage event which affected resource availability.'}), ('risk:extortion:type:taxonomy', ('taxonomy', {}), { 'interfaces': ('meta:taxonomy',), 'doc': 'A taxonomy of extortion event types.'}), ('risk:technique:masquerade', ('guid', {}), { 'doc': 'Represents the assessment that a node is designed to resemble another in order to mislead.'}), ), 'edges': ( # some explicit examples... (('risk:attack', 'uses', 'ou:technique'), { 'doc': 'The attacker used the technique in the attack.'}), (('risk:threat', 'uses', 'ou:technique'), { 'doc': 'The threat cluster uses the technique.'}), (('risk:tool:software', 'uses', 'ou:technique'), { 'doc': 'The tool uses the technique.'}), (('risk:compromise', 'uses', 'ou:technique'), { 'doc': 'The attacker used the technique in the compromise.'}), (('risk:extortion', 'uses', 'ou:technique'), { 'doc': 'The attacker used the technique to extort the victim.'}), (('risk:attack', 'uses', 'risk:vuln'), { 'doc': 'The attack used the vulnerability.'}), (('risk:threat', 'uses', 'risk:vuln'), { 'doc': 'The threat cluster uses the vulnerability.'}), (('risk:tool:software', 'uses', 'risk:vuln'), { 'doc': 'The tool uses the vulnerability.'}), (('ou:technique', 'uses', 'risk:vuln'), { 'doc': 'The technique uses the vulnerability.'}), (('risk:attack', 'targets', 'ou:industry'), { 'doc': 'The attack targeted the industry.'}), (('risk:threat', 'targets', 'ou:industry'), { 'doc': 'The threat cluster targets the industry.'}), (('risk:threat', 'targets', None), { 'doc': 'The threat cluster targeted the target node.'}), (('risk:threat', 'uses', None), { 'doc': 'The threat cluster uses the target node.'}), (('risk:attack', 'targets', None), { 'doc': 'The attack targeted the target node.'}), (('risk:attack', 'uses', None), { 'doc': 'The attack used the target node to facilitate the attack.'}), (('risk:tool:software', 'uses', None), { 'doc': 'The tool uses the target node.'}), (('risk:compromise', 'stole', None), { 'doc': 'The target node was stolen or copied as a result of the compromise.'}), (('risk:mitigation', 'addresses', 'ou:technique'), { 'doc': 'The mitigation addresses the technique.'}), (('risk:mitigation', 'uses', 'meta:rule'), { 'doc': 'The mitigation uses the rule.'}), (('risk:mitigation', 'uses', 'it:app:yara:rule'), { 'doc': 'The mitigation uses the YARA rule.'}), (('risk:mitigation', 'uses', 'it:app:snort:rule'), { 'doc': 'The mitigation uses the Snort rule.'}), (('risk:mitigation', 'uses', 'inet:service:rule'), { 'doc': 'The mitigation uses the service rule.'}), (('risk:mitigation', 'uses', 'it:prod:softver'), { 'doc': 'The mitigation uses the software version.'}), (('risk:mitigation', 'uses', 'it:prod:hardware'), { 'doc': 'The mitigation uses the hardware.'}), (('risk:leak', 'leaked', None), { 'doc': 'The leak included the disclosure of the target node.'}), (('risk:leak', 'enabled', 'risk:leak'), { 'doc': 'The source leak enabled the target leak to occur.'}), (('risk:extortion', 'leveraged', None), { 'doc': 'The extortion event was based on attacker access to the target node.'}), (('meta:event', 'caused', 'risk:outage'), { 'doc': 'The event caused the outage.'}), (('risk:attack', 'caused', 'risk:outage'), { 'doc': 'The attack caused the outage.'}), (('risk:outage', 'impacted', None), { 'doc': 'The outage event impacted the availability of the target node.'}), ), 'forms': ( ('risk:threat:type:taxonomy', {}, ()), ('risk:threat', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'ex': "apt1 (mandiant)", 'doc': 'A brief descriptive name for the threat cluster.'}), ('type', ('risk:threat:type:taxonomy', {}), { 'doc': 'A type for the threat, as a taxonomy entry.'}), ('desc', ('str', {}), { 'doc': 'A description of the threat cluster.'}), ('tag', ('syn:tag', {}), { 'doc': 'The tag used to annotate nodes that are associated with the threat cluster.'}), ('active', ('ival', {}), { 'doc': 'An interval for when the threat cluster is assessed to have been active.'}), ('activity', ('meta:activity', {}), { 'doc': 'The most recently assessed activity level of the threat cluster.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the threat cluster.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the threat cluster.'}), ('reporter:discovered', ('time', {}), { 'doc': 'The time that the reporting organization first discovered the threat cluster.'}), ('reporter:published', ('time', {}), { 'doc': 'The time that the reporting organization first publicly disclosed the threat cluster.'}), ('org', ('ou:org', {}), { 'doc': 'The authoritative organization for the threat cluster.'}), ('org:loc', ('loc', {}), { 'doc': "The reporting organization's assessed location of the threat cluster."}), ('org:name', ('ou:name', {}), { 'ex': 'apt1', 'doc': "The reporting organization's name for the threat cluster."}), ('org:names', ('array', {'type': 'ou:name', 'sorted': True, 'uniq': True}), { 'doc': 'An array of alternate names for the threat cluster, according to the reporting organization.'}), ('country', ('pol:country', {}), { 'doc': "The reporting organization's assessed country of origin of the threat cluster."}), ('country:code', ('pol:iso2', {}), { 'doc': "The 2 digit ISO 3166 country code for the threat cluster's assessed country of origin."}), ('goals', ('array', {'type': 'ou:goal', 'sorted': True, 'uniq': True}), { 'doc': "The reporting organization's assessed goals of the threat cluster."}), ('sophistication', ('meta:sophistication', {}), { 'doc': "The reporting organization's assessed sophistication of the threat cluster."}), ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), ('merged:time', ('time', {}), { 'doc': 'The time that the reporting organization merged this threat cluster into another.'}), ('merged:isnow', ('risk:threat', {}), { 'doc': 'The threat cluster that the reporting organization merged this cluster into.'}), ('mitre:attack:group', ('it:mitre:attack:group', {}), { 'doc': 'A mapping to a MITRE ATT&CK group if applicable.'}), ('ext:id', ('str', {'strip': True}), { 'doc': 'An external identifier for the threat.'}), )), ('risk:availability', {}, {}), ('risk:tool:software:taxonomy', {}, ()), ('risk:tool:software', {}, ( ('tag', ('syn:tag', {}), { 'ex': 'rep.mandiant.tabcteng', 'doc': 'The tag used to annotate nodes that are associated with the tool.'}), ('desc', ('str', {}), { 'doc': 'A description of the tool.'}), ('type', ('risk:tool:software:taxonomy', {}), { 'doc': 'A type for the tool, as a taxonomy entry.'}), ('used', ('ival', {}), { 'doc': 'An interval for when the tool is assessed to have been deployed.'}), ('availability', ('risk:availability', {}), { 'doc': 'The reporting organization\'s assessed availability of the tool.'}), ('sophistication', ('meta:sophistication', {}), { 'doc': 'The reporting organization\'s assessed sophistication of the tool.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the tool.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the tool.'}), ('reporter:discovered', ('time', {}), { 'doc': 'The time that the reporting organization first discovered the tool.'}), ('reporter:published', ('time', {}), { 'doc': 'The time that the reporting organization first publicly disclosed the tool.'}), ('soft', ('it:prod:soft', {}), { 'doc': 'The authoritative software family for the tool.'}), ('soft:name', ('it:prod:softname', {}), { 'doc': 'The reporting organization\'s name for the tool.'}), ('soft:names', ('array', {'type': 'it:prod:softname', 'uniq': True, 'sorted': True}), { 'doc': 'An array of alternate names for the tool, according to the reporting organization.'}), ('techniques', ('array', {'type': 'ou:technique', 'uniq': True, 'sorted': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), ('mitre:attack:software', ('it:mitre:attack:software', {}), { 'doc': 'A mapping to a MITRE ATT&CK software if applicable.'}), ('id', ('str', {'strip': True}), { 'doc': 'An ID for the tool.'}), )), ('risk:mitigation:type:taxonomy', {}, ()), ('risk:mitigation', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability that this mitigation addresses.'}), ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A brief name for this risk mitigation.'}), ('type', ('risk:mitigation:type:taxonomy', {}), { 'doc': 'A taxonomy type entry for the mitigation.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the mitigation approach for the vulnerability.'}), ('software', ('it:prod:softver', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use risk:mitigation -(uses)> it:prod:softver.'}), ('hardware', ('it:prod:hardware', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use risk:mitigation -(uses)> it:prod:hardware.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the mitigation.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the mitigation.'}), ('mitre:attack:mitigation', ('it:mitre:attack:mitigation', {}), { 'doc': 'A mapping to a MITRE ATT&CK mitigation if applicable.'}), ('tag', ('syn:tag', {}), { 'doc': 'The tag used to annotate nodes which have the mitigation in place.'}), )), ('risk:vulnname', {}, ()), ('risk:vuln:type:taxonomy', {}, ()), ('risk:vuln', {}, ( ('name', ('risk:vulnname', {}), { 'doc': 'A user specified name for the vulnerability.'}), ('names', ('array', {'type': 'risk:vulnname', 'sorted': True, 'uniq': True}), { 'doc': 'An array of alternate names for the vulnerability.'}), ('type', ('risk:vuln:type:taxonomy', {}), { 'doc': 'A taxonomy type entry for the vulnerability.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the vulnerability.'}), ('severity', ('meta:severity', {}), { 'doc': 'The severity of the vulnerability.'}), ('priority', ('meta:priority', {}), { 'doc': 'The priority of the vulnerability.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the vulnerability.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the vulnerability.'}), ('mitigated', ('bool', {}), { 'doc': 'Set to true if a mitigation/fix is available for the vulnerability.'}), ('exploited', ('bool', {}), { 'doc': 'Set to true if the vulnerability has been exploited in the wild.'}), ('timeline:discovered', ('time', {"ismin": True}), { 'doc': 'The earliest known discovery time for the vulnerability.'}), ('timeline:published', ('time', {"ismin": True}), { 'doc': 'The earliest known time the vulnerability was published.'}), ('timeline:vendor:notified', ('time', {"ismin": True}), { 'doc': 'The earliest known vendor notification time for the vulnerability.'}), ('timeline:vendor:fixed', ('time', {"ismin": True}), { 'doc': 'The earliest known time the vendor issued a fix for the vulnerability.'}), ('timeline:exploited', ('time', {"ismin": True}), { 'doc': 'The earliest known time when the vulnerability was exploited in the wild.'}), ('id', ('str', {'strip': True}), { 'doc': 'An identifier for the vulnerability.'}), ('cve', ('it:sec:cve', {}), { 'doc': 'The CVE ID of the vulnerability.'}), ('cve:desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'The description of the vulnerability according to the CVE database.'}), ('cve:url', ('inet:url', {}), { 'doc': 'A URL linking this vulnerability to the CVE description.'}), ('cve:references', ('array', {'type': 'inet:url', 'uniq': True, 'sorted': True}), { 'doc': 'An array of documentation URLs provided by the CVE database.'}), ('nist:nvd:source', ('ou:name', {}), { 'doc': 'The name of the organization which reported the vulnerability to NIST.'}), ('nist:nvd:published', ('time', {}), { 'doc': 'The date the vulnerability was first published in the NVD.'}), ('nist:nvd:modified', ('time', {"ismax": True}), { 'doc': 'The date the vulnerability was last modified in the NVD.'}), ('cisa:kev:name', ('str', {}), { 'doc': 'The name of the vulnerability according to the CISA KEV database.'}), ('cisa:kev:desc', ('str', {}), { 'doc': 'The description of the vulnerability according to the CISA KEV database.'}), ('cisa:kev:action', ('str', {}), { 'doc': 'The action to mitigate the vulnerability according to the CISA KEV database.'}), ('cisa:kev:vendor', ('ou:name', {}), { 'doc': 'The vendor name listed in the CISA KEV database.'}), ('cisa:kev:product', ('it:prod:softname', {}), { 'doc': 'The product name listed in the CISA KEV database.'}), ('cisa:kev:added', ('time', {}), { 'doc': 'The date the vulnerability was added to the CISA KEV database.'}), ('cisa:kev:duedate', ('time', {}), { 'doc': 'The date the action is due according to the CISA KEV database.'}), ('cvss:v2', ('cvss:v2', {}), { 'doc': 'The CVSS v2 vector for the vulnerability.'}), ('cvss:v2_0:score', ('float', {}), { 'doc': 'The CVSS v2.0 overall score for the vulnerability.'}), ('cvss:v2_0:score:base', ('float', {}), { 'doc': 'The CVSS v2.0 base score for the vulnerability.'}), ('cvss:v2_0:score:temporal', ('float', {}), { 'doc': 'The CVSS v2.0 temporal score for the vulnerability.'}), ('cvss:v2_0:score:environmental', ('float', {}), { 'doc': 'The CVSS v2.0 environmental score for the vulnerability.'}), ('cvss:v3', ('cvss:v3', {}), { 'doc': 'The CVSS v3 vector for the vulnerability.'}), ('cvss:v3_0:score', ('float', {}), { 'doc': 'The CVSS v3.0 overall score for the vulnerability.'}), ('cvss:v3_0:score:base', ('float', {}), { 'doc': 'The CVSS v3.0 base score for the vulnerability.'}), ('cvss:v3_0:score:temporal', ('float', {}), { 'doc': 'The CVSS v3.0 temporal score for the vulnerability.'}), ('cvss:v3_0:score:environmental', ('float', {}), { 'doc': 'The CVSS v3.0 environmental score for the vulnerability.'}), ('cvss:v3_1:score', ('float', {}), { 'doc': 'The CVSS v3.1 overall score for the vulnerability.'}), ('cvss:v3_1:score:base', ('float', {}), { 'doc': 'The CVSS v3.1 base score for the vulnerability.'}), ('cvss:v3_1:score:temporal', ('float', {}), { 'doc': 'The CVSS v3.1 temporal score for the vulnerability.'}), ('cvss:v3_1:score:environmental', ('float', {}), { 'doc': 'The CVSS v3.1 environmental score for the vulnerability.'}), ('cvss:av', ('str', {'enums': 'N,A,P,L'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ac', ('str', {'enums': 'L,H'}), { 'disp': {'enums': (('Low', 'L'), ('High', 'H'))}, 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:pr', ('str', {'enums': 'N,L,H'}), { 'disp': {'enums': ( {'title': 'None', 'value': 'N', 'doc': 'FIXME privs stuff'}, {'title': 'Low', 'value': 'L', 'doc': 'FIXME privs stuff'}, {'title': 'High', 'value': 'H', 'doc': 'FIXME privs stuff'}, )}, 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ui', ('str', {'enums': 'N,R'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:s', ('str', {'enums': 'U,C'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:c', ('str', {'enums': 'N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:i', ('str', {'enums': 'N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:a', ('str', {'enums': 'N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:e', ('str', {'enums': 'X,U,P,F,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:rl', ('str', {'enums': 'X,O,T,W,U'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:rc', ('str', {'enums': 'X,U,R,C'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mav', ('str', {'enums': 'X,N,A,L,P'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mac', ('str', {'enums': 'X,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mpr', ('str', {'enums': 'X,N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mui', ('str', {'enums': 'X,N,R'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ms', ('str', {'enums': 'X,U,C'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mc', ('str', {'enums': 'X,N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:mi', ('str', {'enums': 'X,N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ma', ('str', {'enums': 'X,N,L,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:cr', ('str', {'enums': 'X,L,M,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ir', ('str', {'enums': 'X,L,M,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:ar', ('str', {'enums': 'X,L,M,H'}), { 'deprecated': True, 'doc': 'Deprecated. Please use :cvss:v3.'}), ('cvss:score', ('float', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use version specific score properties.'}), ('cvss:score:base', ('float', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use version specific score properties.'}), ('cvss:score:temporal', ('float', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use version specific score properties.'}), ('cvss:score:environmental', ('float', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use version specific score properties.'}), ('cwes', ('array', {'type': 'it:sec:cwe', 'uniq': True, 'sorted': True}), { 'doc': 'An array of MITRE CWE values that apply to the vulnerability.'}), )), ('risk:vuln:soft:range', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability present in this software version range.'}), ('version:min', ('it:prod:softver', {}), { 'doc': 'The minimum version which is vulnerable in this range.'}), ('version:max', ('it:prod:softver', {}), { 'doc': 'The maximum version which is vulnerable in this range.'}), )), ('risk:hasvuln', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability present in the target.'}), ('person', ('ps:person', {}), { 'doc': 'The vulnerable person.'}), ('org', ('ou:org', {}), { 'doc': 'The vulnerable org.'}), ('place', ('geo:place', {}), { 'doc': 'The vulnerable place.'}), ('software', ('it:prod:softver', {}), { 'doc': 'The vulnerable software.'}), ('hardware', ('it:prod:hardware', {}), { 'doc': 'The vulnerable hardware.'}), ('spec', ('mat:spec', {}), { 'doc': 'The vulnerable material specification.'}), ('item', ('mat:item', {}), { 'doc': 'The vulnerable material item.'}), ('host', ('it:host', {}), { 'doc': 'The vulnerable host.'}) )), ('risk:vulnerable', {}, ( ('vuln', ('risk:vuln', {}), { 'doc': 'The vulnerability that the node is susceptible to.'}), ('technique', ('ou:technique', {}), { 'doc': 'The technique that the node is susceptible to.'}), ('period', ('ival', {}), { 'doc': 'The time window where the node was vulnerable.'}), ('node', ('ndef', {}), { 'doc': 'The node which is vulnerable.'}), ('mitigated', ('bool', {}), { 'doc': 'Set to true if the vulnerable node has been mitigated.'}), ('mitigations', ('array', {'type': 'risk:mitigation', 'sorted': True, 'uniq': True}), { 'doc': 'The mitigations which were used to address the vulnerable node.'}), )), ('risk:alert:taxonomy', {}, {}), ('risk:alert:verdict:taxonomy', {}, {}), ('risk:alert', {}, ( ('type', ('risk:alert:taxonomy', {}), { 'doc': 'A type for the alert, as a taxonomy entry.'}), ('name', ('str', {}), { 'doc': 'A brief name for the alert.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A free-form description / overview of the alert.'}), ('status', ('int', {'enums': alertstatus}), { 'doc': 'The status of the alert.'}), ('benign', ('bool', {}), { 'doc': 'Set to true if the alert has been confirmed benign. Set to false if malicious.'}), ('priority', ('meta:priority', {}), { 'doc': 'A priority rank for the alert.'}), ('severity', ('meta:severity', {}), { 'doc': 'A severity rank for the alert.'}), ('verdict', ('risk:alert:verdict:taxonomy', {}), { 'ex': 'benign.false_positive', 'doc': 'A verdict about why the alert is malicious or benign, as a taxonomy entry.'}), ('assignee', ('syn:user', {}), { 'doc': 'The Synapse user who is assigned to investigate the alert.'}), ('ext:assignee', ('ps:contact', {}), { 'doc': 'The alert assignee contact information from an external system.'}), ('engine', ('it:prod:softver', {}), { 'doc': 'The software that generated the alert.'}), ('detected', ('time', {}), { 'doc': 'The time the alerted condition was detected.'}), ('vuln', ('risk:vuln', {}), { 'doc': 'The optional vulnerability that the alert indicates.'}), ('attack', ('risk:attack', {}), { 'doc': 'A confirmed attack that this alert indicates.'}), ('url', ('inet:url', {}), { 'doc': 'A URL which documents the alert.'}), ('ext:id', ('str', {}), { 'doc': 'An external identifier for the alert.'}), ('host', ('it:host', {}), { 'doc': 'The host which generated the alert.'}), )), ('risk:compromisetype', {}, ()), ('risk:compromise', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A brief name for the compromise event.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A prose description of the compromise event.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the compromise.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the compromise.'}), ('ext:id', ('str', {}), { 'doc': 'An external unique ID for the compromise.'}), ('url', ('inet:url', {}), { 'doc': 'A URL which documents the compromise.'}), ('type', ('risk:compromisetype', {}), { 'ex': 'cno.breach', 'doc': 'A type for the compromise, as a taxonomy entry.'}), ('vector', ('risk:attack', {}), { 'doc': 'The attack assessed to be the initial compromise vector.'}), ('target', ('ps:contact', {}), { 'doc': 'Contact information representing the target.'}), ('attacker', ('ps:contact', {}), { 'doc': 'Contact information representing the attacker.'}), ('campaign', ('ou:campaign', {}), { 'doc': 'The campaign that this compromise is part of.'}), ('time', ('time', {}), { 'doc': 'Earliest known evidence of compromise.'}), ('lasttime', ('time', {}), { 'doc': 'Last known evidence of compromise.'}), ('duration', ('duration', {}), { 'doc': 'The duration of the compromise.'}), ('detected', ('time', {}), { 'doc': 'The first confirmed detection time of the compromise.'}), ('loss:pii', ('int', {}), { 'doc': 'The number of records compromised which contain PII.'}), ('loss:econ', ('econ:price', {}), { 'doc': 'The total economic cost of the compromise.'}), ('loss:life', ('int', {}), { 'doc': 'The total loss of life due to the compromise.'}), ('loss:bytes', ('int', {}), { 'doc': 'An estimate of the volume of data compromised.'}), ('ransom:paid', ('econ:price', {}), { 'doc': 'The value of the ransom paid by the target.'}), ('ransom:price', ('econ:price', {}), { 'doc': 'The value of the ransom demanded by the attacker.'}), ('response:cost', ('econ:price', {}), { 'doc': 'The economic cost of the response and mitigation efforts.'}), ('theft:price', ('econ:price', {}), { 'doc': 'The total value of the theft of assets.'}), ('econ:currency', ('econ:currency', {}), { 'doc': 'The currency type for the econ:price fields.'}), ('severity', ('meta:severity', {}), { 'doc': 'A severity rank for the compromise.'}), ('goal', ('ou:goal', {}), { 'doc': 'The assessed primary goal of the attacker for the compromise.'}), ('goals', ('array', {'type': 'ou:goal', 'sorted': True, 'uniq': True}), { 'doc': 'An array of assessed attacker goals for the compromise.'}), # -(stole)> file:bytes ps:contact file:bytes # -(compromised)> geo:place it:account it:host ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), )), ('risk:attacktype', {}, ()), ('risk:attack', {}, ( ('desc', ('str', {}), { 'doc': 'A description of the attack.', 'disp': {'hint': 'text'}, }), ('type', ('risk:attacktype', {}), { 'ex': 'cno.phishing', 'doc': 'A type for the attack, as a taxonomy entry.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the attack.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the attack.'}), ('time', ('time', {}), { 'doc': 'Set if the time of the attack is known.'}), ('detected', ('time', {}), { 'doc': 'The first confirmed detection time of the attack.'}), ('success', ('bool', {}), { 'doc': 'Set if the attack was known to have succeeded or not.'}), ('targeted', ('bool', {}), { 'doc': 'Set if the attack was assessed to be targeted or not.'}), ('goal', ('ou:goal', {}), { 'doc': 'The tactical goal of this specific attack.'}), ('campaign', ('ou:campaign', {}), { 'doc': 'Set if the attack was part of a larger campaign.'}), ('compromise', ('risk:compromise', {}), { 'doc': 'A compromise that this attack contributed to.'}), ('severity', ('meta:severity', {}), { 'doc': 'A severity rank for the attack.'}), ('sophistication', ('meta:sophistication', {}), { 'doc': 'The assessed sophistication of the attack.'}), ('prev', ('risk:attack', {}), { 'doc': 'The previous/parent attack in a list or hierarchy.'}), ('actor:org', ('ou:org', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use :attacker to allow entity resolution.'}), ('actor:person', ('ps:person', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use :attacker to allow entity resolution.'}), ('attacker', ('ps:contact', {}), { 'doc': 'Contact information representing the attacker.'}), ('target', ('ps:contact', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.'}), ('target:org', ('ou:org', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.'}), ('target:host', ('it:host', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.'}), ('target:person', ('ps:person', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.'}), ('target:place', ('geo:place', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(targets)> light weight edges.'}), ('via:ipv4', ('inet:ipv4', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('via:ipv6', ('inet:ipv6', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('via:email', ('inet:email', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('via:phone', ('tel:phone', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:vuln', ('risk:vuln', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:url', ('inet:url', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:host', ('it:host', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:email', ('inet:email', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:file', ('file:bytes', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:server', ('inet:server', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('used:software', ('it:prod:softver', {}), { 'deprecated': True, 'doc': 'Deprecated. Please use -(uses)> light weight edges.'}), ('techniques', ('array', {'type': 'ou:technique', 'sorted': True, 'uniq': True}), { 'deprecated': True, 'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}), ('url', ('inet:url', {}), { 'doc': 'A URL which documents the attack.'}), ('ext:id', ('str', {}), { 'doc': 'An external unique ID for the attack.'}), )), ('risk:leak:type:taxonomy', {}, ()), ('risk:leak', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A simple name for the leak event.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the leak event.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the leak event.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the leak event.'}), ('disclosed', ('time', {}), { 'doc': 'The time the leaked information was disclosed.'}), ('owner', ('ps:contact', {}), { 'doc': 'The owner of the leaked information.'}), ('leaker', ('ps:contact', {}), { 'doc': 'The identity which leaked the information.'}), ('recipient', ('ps:contact', {}), { 'doc': 'The identity which received the leaked information.'}), ('type', ('risk:leak:type:taxonomy', {}), { 'doc': 'A type taxonomy for the leak.'}), ('goal', ('ou:goal', {}), { 'doc': 'The goal of the leaker in disclosing the information.'}), ('compromise', ('risk:compromise', {}), { 'doc': 'The compromise which allowed the leaker access to the information.'}), ('extortion', ('risk:extortion', {}), { 'doc': 'The extortion event which used the threat of the leak as leverage.'}), ('public', ('bool', {}), { 'doc': 'Set to true if the leaked information was made publicly available.'}), ('public:url', ('inet:url', {}), { 'doc': 'The URL where the leaked information was made publicly available.'}), ('size:bytes', ('int', {'min': 0}), { 'doc': 'The total size of the leaked data in bytes.'}), ('size:count', ('int', {'min': 0}), { 'doc': 'The number of files included in the leaked data.'}), ('size:percent', ('int', {'min': 0, 'max': 100}), { 'doc': 'The total percent of the data leaked.'}), )), ('risk:outage:type:taxonomy', {}, ()), ('risk:outage:cause:taxonomy', {}, ()), ('risk:outage', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A name for the outage event.'}), ('period', ('ival', {}), { 'doc': 'The time period where the outage impacted availability.'}), ('type', ('risk:outage:type:taxonomy', {}), { 'ex': 'service.power', 'doc': 'The type of outage.'}), ('cause', ('risk:outage:cause:taxonomy', {}), { 'ex': 'nature.earthquake', 'doc': 'The outage cause type.'}), ('attack', ('risk:attack', {}), { 'doc': 'An attack which caused the outage.'}), ('provider', ('ou:org', {}), { 'doc': 'The organization which experienced the outage event.'}), ('provider:name', ('ou:name', {}), { 'doc': 'The name of the organization which experienced the outage event.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the outage event.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the outage event.'}), )), # TODO risk:outage:vitals to track outage stats over time ('risk:extortion:type:taxonomy', {}, ()), ('risk:extortion', {}, ( ('name', ('str', {'lower': True, 'onespace': True}), { 'doc': 'A name for the extortion event.'}), ('desc', ('str', {}), { 'disp': {'hint': 'text'}, 'doc': 'A description of the extortion event.'}), ('reporter', ('ou:org', {}), { 'doc': 'The organization reporting on the extortion event.'}), ('reporter:name', ('ou:name', {}), { 'doc': 'The name of the organization reporting on the extortion event.'}), ('demanded', ('time', {}), { 'doc': 'The time that the attacker made their demands.'}), ('deadline', ('time', {}), { 'doc': 'The time that the demand must be met.'}), ('goal', ('ou:goal', {}), { 'doc': 'The goal of the attacker in extorting the victim.'}), ('type', ('risk:extortion:type:taxonomy', {}), { 'doc': 'A type taxonomy for the extortion event.'}), ('attacker', ('ps:contact', {}), { 'doc': 'The extortion attacker identity.'}), ('target', ('ps:contact', {}), { 'doc': 'The extortion target identity.'}), ('success', ('bool', {}), { 'doc': "Set to true if the victim met the attacker's demands."}), ('enacted', ('bool', {}), { 'doc': 'Set to true if attacker carried out the threat.'}), ('public', ('bool', {}), { 'doc': 'Set to true if the attacker publicly announced the extortion.'}), ('public:url', ('inet:url', {}), { 'doc': 'The URL where the attacker publicly announced the extortion.'}), ('compromise', ('risk:compromise', {}), { 'doc': 'The compromise which allowed the attacker to extort the target.'}), ('demanded:payment:price', ('econ:price', {}), { 'doc': 'The payment price which was demanded.'}), ('demanded:payment:currency', ('econ:currency', {}), { 'doc': 'The currency in which payment was demanded.'}), ('paid:price', ('econ:price', {}), { 'doc': 'The total price paid by the target of the extortion.'}), ('payments', ('array', {'type': 'econ:acct:payment', 'sorted': True, 'uniq': True}), { 'doc': 'Payments made from the target to the attacker.'}), )), ('risk:technique:masquerade', {}, ( ('node', ('ndef', {}), { 'doc': 'The node masquerading as another.'}), ('period', ('ival', {}), { 'doc': 'The time period when the masquerading was active.'}), ('target', ('ndef', {}), { 'doc': 'The being masqueraded as.'}), ('technique', ('ou:technique', {}), { 'doc': 'The specific technique which describes the type of masquerading.'}), )), ), } name = 'risk' return ((name, modl), )