From 6e62b0ab46120d8e100a185889d2060362f9166f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy <a@foo.be>
Date: Sat, 27 Feb 2016 21:07:09 +0100
Subject: [PATCH] Example of galaxy including a cluster which is default type
 where you can add as much element as you want.

The elements are the default values known by MISP but a local
instance can add more or overwrite some elements.
---
 cluster/threat-actor.json                     |  5 ++
 elements/apt-groups.json                      | 25 ++++++
 ...reat-actor-intended-effect-vocabulary.json | 86 +++++++++++++++++++
 3 files changed, 116 insertions(+)
 create mode 100644 cluster/threat-actor.json
 create mode 100644 elements/apt-groups.json
 create mode 100644 elements/threat-actor-intended-effect-vocabulary.json

diff --git a/cluster/threat-actor.json b/cluster/threat-actor.json
new file mode 100644
index 0000000..1964e8c
--- /dev/null
+++ b/cluster/threat-actor.json
@@ -0,0 +1,5 @@
+{
+   "name" : "threat actor",
+   "description": "threat actor cluster",
+   "elementOneOf": ["apt-groups", "threat-actor-intended-effect-vocabulary"]
+}
diff --git a/elements/apt-groups.json b/elements/apt-groups.json
new file mode 100644
index 0000000..cbc2de0
--- /dev/null
+++ b/elements/apt-groups.json
@@ -0,0 +1,25 @@
+{
+  "version" : 1,
+  "description": "Known or estimated adversary groups targeting organizations and employees",
+  "author": "Various",
+  "type": "APT Groups",
+  "groups"  : ["Comment Crew","Sofacy"],
+  "details" : [
+                        {
+                        "group": "Comment Crew",
+                        "description": "PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks",
+                        "refs": ["https://en.wikipedia.org/wiki/PLA_Unit_61398", "http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf"],
+                        "country": "CN",
+                        "synonyms": ["Comment Panda", "PLA Unit 61398", "APT 1", "Advanced Persistent Threat 1", "Byzantine Candor"]
+                        },
+                        {
+                        "group": "Sofacy",
+                        "description": "The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.",
+                        "refs": ["https://en.wikipedia.org/wiki/Sofacy_Group"],
+                        "country": "RU",
+                        "synonyms": ["APT 28", "APT28", "Pawn Storm", "Fancy Bear", "Sednit"]
+                        }
+              ]
+}
+
+
diff --git a/elements/threat-actor-intended-effect-vocabulary.json b/elements/threat-actor-intended-effect-vocabulary.json
new file mode 100644
index 0000000..3ee5bec
--- /dev/null
+++ b/elements/threat-actor-intended-effect-vocabulary.json
@@ -0,0 +1,86 @@
+{
+  "values": [
+    {
+      "value": "Advantage",
+      "description": "The intended effect of the incident was for the attacker to obtain some advantage over the target"
+    },
+    {
+      "value": "Advantage - Economic",
+      "description": "The intended effect of the incident was for the attacker to obtain some economic advantage over the target"
+    },
+    {
+      "value": "Advantage - Military",
+      "description": "The intended effect of the incident was for the attacker to obtain some military advantage over the target"
+    },
+    {
+      "value": "Advantage - Political",
+      "description": "The intended effect of the incident was for the attacker to obtain some political advantage over the target"
+    },
+    {
+      "value": "Theft",
+      "description": "The intended effect of the incident was to perpetrate a non-specific theft"
+    },
+    {
+      "value": "Theft - Intellectual Property",
+      "description": "The intended effect of the incident was to perpetrate a theft of intellectual property"
+    },
+    {
+      "value": "Theft - Credential Theft"
+    },
+    {
+      "value": "Theft - Identity Theft"
+    },
+    {
+      "value": "Theft - Theft of Proprietary Information"
+    },
+    {
+      "value": "Account Takeover"
+    },
+    {
+      "value": "Brand Damage"
+    },
+    {
+      "value": "Competitive Advantage"
+    },
+    {
+      "value": "Degradation of Service"
+    },
+    {
+      "value": "Denial and Deception"
+    },
+    {
+      "value": "Destruction"
+    },
+    {
+      "value": "Disruption"
+    },
+    {
+      "value": "Embarrassment"
+    },
+    {
+      "value": "Exposure"
+    },
+    {
+      "value": "Extortion"
+    },
+    {
+      "value": "Fraud"
+    },
+    {
+      "value": "Harassment"
+    },
+    {
+      "value": "ICS Control"
+    },
+    {
+      "value": "Traffic Diversion"
+    },
+    {
+      "value": "Unauthorized Access"
+    }
+  ],
+  "version" : 1,
+  "description": "The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor",
+  "author": "STIX",
+  "type": "threat-actor-intended-effect-vocabulary"
+}