From a157e33f4469b18014db7f97ceba3a90bc547782 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 31 Oct 2016 11:45:00 +0100 Subject: [PATCH] README updated to reflect the new structure --- README.md | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index d14157f..38293a4 100644 --- a/README.md +++ b/README.md @@ -4,30 +4,34 @@ MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There -are default elements available in MISP galaxy but those can be overwritten, replaced or updated as you wish. +are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. -Existing clusters and elements can be used as-is or as a template. MISP distribution can be applied +Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. -Elements are from existing standards (like STIX, Veris, MISP and so on) or custom ones. +Vocabularies are from existing standards (like STIX, Veris, MISP and so on) or custom ones. The objective is to have a comment set of clusters for organizations starting analysis but that can be expanded to localized information (which is not shared) or additional information (that can be shared). # Available clusters -- [cluster/threat-actor.json](cluster/threat-actor.json) - Threat Actor. MISP +- [clusters/threat-actor.json](clusters/threat-actor.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP +- [clusters/tools.json](clusters/tools.json) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP -# Available Elements +# Available Vocabularies -- [elements/adversary-groups.json](elements/adversary-groups.json) - Adversary groups - Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. MISP -- [elements/certainty-level.json](elements/certainty-level.json) - Certainty level of an associated element or cluster. -- [elements/planning-and-operational-support-vocabulary.json](elements/planning-and-operational-support-vocabulary.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor. -- [elements/threat-actor-motivation-vocabulary.json](elements/threat-actor-motivation-vocabulary.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1 -- [elements/threat-actor-sophistication-vocabulary.json](elements/threat-actor-sophistication-vocabulary.json) - The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor. -- [elements/threat-actor-type-vocabulary.json](elements/threat-actor-type-vocabulary.json) - The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor. -- [elements/threat-actor-intended-effect-vocabulary.json](elements/threat-actor-intended-effect-vocabulary.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1 -- [elements/threat-actor-tools.json](elements/threat-actor-tools.json) - threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries. MISP +## Common + +- [vocabularies/common/certainty-level.json](vocabularies/common/certainty-level.json) - Certainty level of an associated element or cluster. + +## Threat Actor + +- [vocabularies/threat-actor/intended-effect-vocabulary.json](vocabularies/threat-actor/intended-effect.json) - The IntendedEffectVocab is the default STIX vocabulary for expressing the intended effect of a threat actor. STIX 1.2.1 +- [vocabularies/threat-actor/motivation-vocabulary.json](vocabularies/threat-actor/motivation.json) - The MotivationVocab is the default STIX vocabulary for expressing the motivation of a threat actor. STIX 1.2.1 +- [vocabularies/threat-actor/planning-and-operational-support-vocabulary.json](vocabularies/threat-actor/planning-and-operational-support.json) - The PlanningAndOperationalSupportVocab is the default STIX vocabulary for expressing the planning and operational support functions available to a threat actor. +- [vocabularies/threat-actor/sophistication.json](vocabularies/threat-actor/sophistication.json) - The ThreatActorSophisticationVocab enumeration is used to define the default STIX vocabulary for expressing the subjective level of sophistication of a threat actor. +- [vocabularies/threat-actor/type.json](vocabularies/threat-actor/type.json) - The ThreatActorTypeVocab enumeration is used to define the default STIX vocabulary for expressing the subjective type of a threat actor. ## How to contribute?