OSINT

osint

The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.

Attributes

| Caption | Name | Type | Is Array | Default | Description |
|---|---|---|---|---|---|
| Related DNS Answers | answers | DNS Answer | Yes | | Any pertinent DNS answers information related to an indicator or OSINT analysis. |
| MITRE ATT&CK® Details | attacks | MITRE ATT&CK® | Yes | | MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis. |
| Autonomous System | autonomous_system | Autonomous System | | | Any pertinent autonomous system information related to an indicator or OSINT analysis. |
| Analyst Comments | comment | String | | | Analyst commentary or source commentary about an indicator or OSINT analysis. |
| Confidence | confidence | String | | | The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst. |
| Confidence Id | confidence_id | Integer | | | The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious. Enum values: 0 Unknown, 1 Low, 2 Medium, 3 High, 99 Other. |
| Related Email | email | Email | | | Any email information pertinent to an indicator or OSINT analysis. |
| Related Email Authentication | email_auth | Email Authentication | | | Any email authentication information pertinent to an indicator or OSINT analysis. |
| Kill Chain | kill_chain | Kill Chain Phase | Yes | | Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis. |
| Geo Location | location | Geo Location | | | Any pertinent geolocation information related to an indicator or OSINT analysis. |
| Name | name | String | | | The name of the entity. |
| Raw Data | raw_data | JSON | | | The event data as received from the event source. |
| Record ID | record_id | String | | | Unique identifier for the object. |
| Related Digital Signatures | signatures | Digital Signature | Yes | | Any digital signatures or hashes related to an indicator or OSINT analysis. |
| Source URL | src_url | URL String | | | The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise. |
| Related Subdomains | subdomains | String | Yes | | Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis. |
| Traffic Light Protocol | tlp | String | | | The Traffic Light Protocol was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared. Enum values: AMBER (TLP:AMBER), AMBER STRICT (TLP:AMBER+STRICT), CLEAR (TLP:CLEAR), GREEN (TLP:GREEN), RED (TLP:RED). |
| Type | type | String | | | The OSINT indicator type. |
| Indicator Type ID | type_id | Integer | | | The OSINT indicator type ID. Enum values: 0 Unknown, 1 IP Address, 2 Domain, 3 Hostname, 4 Hash, 5 URL, 6 User Agent, 7 Digital Certificate, 8 Email, 9 Email Address, 10 Vulnerability, 99 Other. |
| Unique ID | uid | String | | | The unique identifier of the entity. |
| Unmapped Data | unmapped | Unmapped | Yes | | The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source. |
| Indicator | value | String | | | The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name. |
| Vendor Name | vendor_name | String | | | The vendor name of a tool which generates intelligence or provides indicators. |
| Related Vulnerabilities | vulnerabilities | Vulnerability Details | Yes | | Any vulnerabilities related to an indicator or OSINT analysis. |
| WHOIS | whois | WHOIS | | | Any pertinent WHOIS information related to an indicator or OSINT analysis. |

Context

OSINT

JSON

{
  "caption": "OSINT",
  "name": "osint",
  "description": "The OSINT (Open Source Intelligence) object contains details related to an indicator such as the indicator itself, related indicators, geolocation, registrar information, subdomains, analyst commentary, and other contextual information. This information can be used to further enrich a detection or finding by providing decisioning support to other analysts and engineers.",
  "extends": "_entity",
  "attributes": {
    "type_id": {
      "caption": "Indicator Type ID",
      "description": "The OSINT indicator type ID.",
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The indicator type is ambiguous or there is not a related indicator for the OSINT object."
        },
        "1": {
          "caption": "IP Address",
          "description": "An IPv4 or IPv6 address."
        },
        "2": {
          "caption": "Domain",
          "description": "A full-qualified domain name (FQDN), subdomain, or partial domain."
        },
        "3": {
          "caption": "Hostname",
          "description": "A hostname or computer name."
        },
        "4": {
          "caption": "Hash",
          "description": "Any type of hash e.g., MD5, SHA1, SHA2, BLAKE, BLAKE2, etc. generated from a file, malware sample, request header, or otherwise."
        },
        "5": {
          "caption": "URL",
          "description": "A Uniform Resource Locator (URL) or Uniform Resource Indicator (URI)."
        },
        "6": {
          "caption": "User Agent",
          "description": "A User Agent typically seen in HTTP request headers."
        },
        "7": {
          "caption": "Digital Certificate",
          "description": "The serial number, fingerprint, or full content of an X.509 digital certificate."
        },
        "8": {
          "caption": "Email",
          "description": "The contents of an email or any related information to an email object."
        },
        "9": {
          "caption": "Email Address",
          "description": "An email address."
        },
        "10": {
          "caption": "Vulnerability",
          "description": "A CVE ID, CWE ID, or other identifier for a weakness, exploit, bug, or misconfiguration."
        },
        "99": {
          "caption": "Other",
          "description": "The indicator type is not directly listed."
        }
      },
      "sibling": "type",
      "type": "integer_t"
    },
    "type": {
      "description": "The OSINT indicator type.",
      "requirement": "optional",
      "caption": "Type",
      "type": "string_t"
    },
    "value": {
      "caption": "Indicator",
      "description": "The actual indicator value in scope, e.g., a SHA-256 hash hexdigest or a domain name.",
      "requirement": "required",
      "type": "string_t"
    },
    "tlp": {
      "caption": "Traffic Light Protocol",
      "description": "The <a target='_blank' href='https://www.first.org/tlp/'>Traffic Light Protocol</a> was created to facilitate greater sharing of potentially sensitive information and more effective collaboration. TLP provides a simple and intuitive schema for indicating with whom potentially sensitive information can be shared.",
      "enum": {
        "RED": {
          "caption": "TLP:RED",
          "description": "TLP:RED is for the eyes and ears of individual recipients only, no further disclosure. Sources may use TLP:RED when information cannot be effectively acted upon without significant risk for the privacy, reputation, or operations of the organizations involved. Recipients may therefore not share TLP:RED information with anyone else. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting."
        },
        "AMBER": {
          "caption": "TLP:AMBER",
          "description": "TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
        },
        "AMBER STRICT": {
          "caption": "TLP:AMBER+STRICT",
          "description": "TLP:AMBER is for limited disclosure, recipients can only spread this on a need-to-know basis within their organization and its clients. Note that TLP:AMBER+STRICT restricts sharing to the organization only. Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risk to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may share TLP:AMBER information with members of their own organization and its clients, but only on a need-to-know basis to protect their organization and its clients and prevent further harm. Note: if the source wants to restrict sharing to the organization only, they must specify TLP:AMBER+STRICT."
        },
        "GREEN": {
          "caption": "TLP:GREEN",
          "description": "TLP:GREEN is for limited disclosure, recipients can spread this within their community. Sources may use TLP:GREEN when information is useful to increase awareness within their wider community. Recipients may share TLP:GREEN information with peers and partner organizations within their community, but not via publicly accessible channels. TLP:GREEN information may not be shared outside of the community. Note: when \u201ccommunity\u201d is not defined, assume the cybersecurity/defense community."
        },
        "CLEAR": {
          "caption": "TLP:CLEAR",
          "description": "TLP:CLEAR denotes that recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction."
        }
      },
      "requirement": "recommended",
      "type": "string_t"
    },
    "confidence_id": {
      "description": "The normalized confidence refers to the accuracy of collected information related to the OSINT or how pertinent an indicator or analysis is to a specific event or finding. A low confidence means that the information collected or analysis conducted lacked detail or is not accurate enough to qualify an indicator as fully malicious.",
      "requirement": "recommended",
      "caption": "Confidence Id",
      "type": "integer_t",
      "enum": {
        "0": {
          "caption": "Unknown",
          "description": "The normalized confidence is unknown."
        },
        "1": {
          "caption": "Low"
        },
        "2": {
          "caption": "Medium"
        },
        "3": {
          "caption": "High"
        },
        "99": {
          "caption": "Other",
          "description": "The confidence is not mapped to the defined enum values. See the <code>confidence</code> attribute, which contains a data source specific value."
        }
      }
    },
    "confidence": {
      "description": "The confidence of an indicator being malicious and/or pertinent, normalized to the caption of the confidence_id value. In the case of 'Other', it is defined by the event source or analyst.",
      "requirement": "optional",
      "caption": "Confidence",
      "type": "string_t"
    },
    "vendor_name": {
      "description": "The vendor name of a tool which generates intelligence or provides indicators.",
      "requirement": "optional",
      "caption": "Vendor Name",
      "type": "string_t"
    },
    "src_url": {
      "description": "The source URL of an indicator or OSINT analysis, e.g., a URL back to a TIP, report, or otherwise.",
      "requirement": "optional",
      "caption": "Source URL",
      "type": "url_t"
    },
    "comment": {
      "caption": "Analyst Comments",
      "description": "Analyst commentary or source commentary about an indicator or OSINT analysis.",
      "requirement": "optional",
      "type": "string_t"
    },
    "email": {
      "caption": "Related Email",
      "description": "Any email information pertinent to an indicator or OSINT analysis.",
      "requirement": "optional",
      "type": "email"
    },
    "email_auth": {
      "caption": "Related Email Authentication",
      "description": "Any email authentication information pertinent to an indicator or OSINT analysis.",
      "requirement": "optional",
      "type": "email_auth"
    },
    "kill_chain": {
      "description": "Lockheed Martin Kill Chain Phases pertinent to an indicator or OSINT analysis.",
      "requirement": "optional",
      "caption": "Kill Chain",
      "type": "kill_chain_phase",
      "is_array": true
    },
    "attacks": {
      "description": "MITRE ATT&CK Tactics, Techniques, and/or Procedures (TTPs) pertinent to an indicator or OSINT analysis.",
      "requirement": "optional",
      "caption": "MITRE ATT&CK\u00ae Details",
      "type": "attack",
      "is_array": true
    },
    "vulnerabilities": {
      "caption": "Related Vulnerabilities",
      "description": "Any vulnerabilities related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "type": "vulnerability",
      "is_array": true
    },
    "signatures": {
      "caption": "Related Digital Signatures",
      "description": "Any digital signatures or hashes related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "is_array": true,
      "type": "digital_signature"
    },
    "subdomains": {
      "caption": "Related Subdomains",
      "description": "Any pertinent subdomain information - such as those generated by a Domain Generation Algorithm - related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "is_array": true,
      "type": "string_t"
    },
    "answers": {
      "caption": "Related DNS Answers",
      "description": "Any pertinent DNS answers information related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "type": "dns_answer",
      "is_array": true
    },
    "whois": {
      "description": "Any pertinent WHOIS information related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "caption": "WHOIS",
      "type": "whois"
    },
    "autonomous_system": {
      "description": "Any pertinent autonomous system information related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "caption": "Autonomous System",
      "type": "autonomous_system"
    },
    "location": {
      "description": "Any pertinent geolocation information related to an indicator or OSINT analysis.",
      "requirement": "optional",
      "caption": "Geo Location",
      "type": "location"
    },
    "name": {
      "description": "The name of the entity.",
      "requirement": "recommended",
      "caption": "Name",
      "type": "string_t"
    },
    "uid": {
      "description": "The unique identifier of the entity.",
      "requirement": "recommended",
      "caption": "Unique ID",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  },
  "constraints": {
    "at_least_one": [
      "name",
      "uid"
    ]
  }
}
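As an added example, not OCSF project code, the Python below checks an OSINT object against the rules this schema states: the required attributes, the defined enum values, the type and confidence siblings that must carry the caption of their id (except for 99 'Other', which is source-defined), the is_array attributes, and the at_least_one constraint on name/uid. The attribute names and enum tables come from the schema above; the sample record, its indicator value and its ids are constructed.

```python
# Added example (not OCSF project code): validate an OSINT object against the schema's rules.
from copy import deepcopy
TYPE_ID = {0: "Unknown", 1: "IP Address", 2: "Domain", 3: "Hostname", 4: "Hash",
           5: "URL", 6: "User Agent", 7: "Digital Certificate", 8: "Email",
           9: "Email Address", 10: "Vulnerability", 99: "Other"}
CONFIDENCE_ID = {0: "Unknown", 1: "Low", 2: "Medium", 3: "High", 99: "Other"}
TLP = {"RED": "TLP:RED", "AMBER": "TLP:AMBER", "AMBER STRICT": "TLP:AMBER+STRICT",
       "GREEN": "TLP:GREEN", "CLEAR": "TLP:CLEAR"}
ENUMS = {"type_id": TYPE_ID, "confidence_id": CONFIDENCE_ID, "tlp": TLP}
SIBLINGS = (("type_id", "type", TYPE_ID), ("confidence_id", "confidence", CONFIDENCE_ID))
REQUIRED = ("type_id", "value", "record_id")
AT_LEAST_ONE = ("name", "uid")
ARRAYS = ("kill_chain", "attacks", "vulnerabilities", "signatures",
          "subdomains", "answers", "unmapped")

def _in_enum(value, table):
    # bool is rejected so that True is not silently accepted as enum value 1
    return isinstance(value, (int, str)) and not isinstance(value, bool) and value in table

def validate_osint(obj):
    """Return a list of violations; an empty list means the object conforms."""
    errors = [f"missing required attribute '{k}'" for k in REQUIRED if k not in obj]
    if not any(k in obj for k in AT_LEAST_ONE):
        errors.append("constraint at_least_one: need 'name' or 'uid'")
    for key, table in ENUMS.items():
        if key in obj and not _in_enum(obj[key], table):
            errors.append(f"{key} {obj[key]!r} is not a defined enum value")
    for key in ARRAYS:
        if key in obj and not isinstance(obj[key], list):
            errors.append(f"'{key}' is an array attribute: expected a list")
    for id_key, sib, table in SIBLINGS:  # sibling must carry the enum caption,
        id_val = obj.get(id_key)         # except for 99 'Other' (source-defined)
        if _in_enum(id_val, table) and id_val != 99 and sib in obj and obj[sib] != table[id_val]:
            errors.append(f"'{sib}' {obj[sib]!r} does not match {id_key}={id_val}")
    return errors

def normalize_osint(obj):
    """Copy of obj with 'type'/'confidence' set to the caption of their id
    (left as supplied when the id is 99 'Other' or not a defined value)."""
    out = deepcopy(obj)
    for id_key, sib, table in SIBLINGS:
        id_val = out.get(id_key)
        if _in_enum(id_val, table) and id_val != 99:
            out[sib] = table[id_val]
    return out

SAMPLE = {"record_id": "osint-0001", "uid": "feed:example-1", "type_id": 2,  # constructed
          "value": "example.invalid", "confidence_id": 3, "tlp": "AMBER",     # sample, not
          "subdomains": ["login.example.invalid"]}                            # real intel
```

Running validate_osint on a record before it is written to a data lake catches the common mapping mistakes (a string "2" instead of integer 2, a True for 1, a single subdomain where a list is expected) that otherwise surface only later as silent query misses.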