Posted to commits@spot.apache.org by na...@apache.org on 2017/09/26 22:41:49 UTC

[46/50] [abbrv] incubator-spot git commit: SPOT-233 closes apache/incubator-spot#119

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/97735715/spot-setup/odm/threat_intelligence_context.avsc
----------------------------------------------------------------------
diff --git a/spot-setup/odm/threat_intelligence_context.avsc b/spot-setup/odm/threat_intelligence_context.avsc
new file mode 100644
index 0000000..11a3985
--- /dev/null
+++ b/spot-setup/odm/threat_intelligence_context.avsc
@@ -0,0 +1,62 @@
+{
+	"namespace":"org.apache.spot",
+	"name":"threat_intelligence_context",
+	"type": "record",
+	"fields": [
+        {"name":"ti_source","type":["null","string"],"doc":"TI Provider, Open Source List, Internally Developed, LE Tip, Other", "default": null},
+		{"name":"ti_provider_id", "type":["null","string"],"doc":"Anomali, CrowdStrike, Mandiant, Alienvault OTX, USCERT, etc", "default": null},
+		{"name":"ti_indicator_id", "type":["null","string"],"doc":"Unique IQ from the provider", "default": null},
+		{"name":"ti_indicator_desc", "type":["null","string"],"doc":"Full Text descriptor and links of the Indicator and associated information", "default": null},
+		{"name":"ti_date_added", "type":["null","long"],"doc":"Date first added by the provider", "default": null},
+		{"name":"ti_date_modified", "type":["null","long"],"doc":"Date last updated by the provider.", "default": null},
+		{"name":"ti_risk_impact", "type":["null","string"],"doc":"Likely Targets what function within the organization?", "default": null},
+		{"name":"ti_severity", "type":["null","string"],"doc":"Nation State, Targeted, Advanced, Commodity, Other", "default": null},
+		{"name":"ti_category", "type":["null","string"],"doc":"Ecrime, Hacktivism, Geo Pollitical, Foreign Intelligence Service", "default": null},
+		{"name":"ti_campaign_name", "type":["null","string"],"doc":"Internal Campaign designation", "default": null},
+		{"name":"ti_deployed_location", "type":["null",{"type":"array", "items":"string"}],"doc":"Where this indicator should be matched for applicability (Core, Perimeter, Network, Endpoint, Logs, ALL, etc)", "default": null},
+		{"name":"ti_associated_incidents", "type":["null","string"],"doc":"Known Associated Incident ID's", "default": null},
+		{"name":"ti_adversarial_identification_group", "type":["null","string"],"doc":"Adversary Group designation usually provided by the provider.", "default": null},
+		{"name":"ti_adversarial_identification_tactics", "type":["null","string"],"doc":"Known Adversary Tactics as indicated by the source provider.", "default": null},
+		{"name":"ti_adversarial_identification_reports", "type":["null","string"],"doc":"Linked Adversary reports."},
+		{"name":"ti_phase", "type":["null","string"],"doc":"Discovery, Weaponization, Delivery, C2, Exploitation, Actions on Objectives, etc", "default": null},
+        {"name":"ti_indicator_cve", "type":["null","string"],"doc":"MITRE CVE Link(s)", "default": null},
+		{"name":"ti_indicator_ip4", "type":["null",{"type":"array", "items":"long"}],"doc":"CIDR noted IPv4 Address Indicated by Threat Intelligence", "default": null},
+        {"name":"ti_indicator_ip4_str", "type":["null",{"type":"array", "items":"string"}],"doc":"CIDR noted IPv4 Address Indicated by Threat Intelligence", "default": null},
+		{"name":"ti_indicator_ip6", "type":["null",{"type":"array", "items":"long"}],"doc":"IPv6 Address Indicated by Threat Intelligence", "default": null},
+        {"name":"ti_indicator_ip6_str", "type":["null",{"type":"array", "items":"string"}],"doc":"IPv6 Address Indicated by Threat Intelligence", "default": null},
+		{"name":"ti_indicator_domain", "type":["null","string"],"doc":"Domain Name(s)", "default": null},
+		{"name":"ti_indicator_hostname", "type":["null","string"],"doc":"Host or Subdomain Name(es)", "default": null},
+		{"name":"ti_indicator_email", "type":["null",{"type":"array", "items":"string"}],"doc":"Email addresses associated with Indicator", "default": null},
+		{"name":"ti_indicator_url", "type":["null",{"type":"array", "items":"string"}],"doc":"URL(s) associated with indicatorv", "default": null},
+		{"name":"ti_indicator_uri", "type":["null",{"type":"array", "items":"string"}],"doc":"URI(s) associated with indicator", "default": null},
+		{"name":"ti_indicator_file_hash", "type":["null","string"],"doc":"File Hash Value associated with the indicator.", "default": null},
+		{"name":"ti_indicator_file_path", "type":["null","string"],"doc":"File Path Value associated with the indicator.", "default": null},
+		{"name":"ti_indicator_mutex", "type":["null","string"],"doc":"MUTEX Value associated with the indicator.", "default": null},
+        {"name":"ti_indicator_md5", "type":["null","string"],"doc":"MD5 Hash Sum Value", "default": null},
+		{"name":"ti_indicator_sha1", "type":["null","string"],"doc":"SHA1 Hash Sum Value", "default": null},
+        {"name":"ti_indicator_sha256", "type":["null","string"],"doc":"SHA256 Hash Sum Value", "default": null},
+        {"name":"ti_indicator_device_path", "type":["null","string"],"doc":"Device Path Value associated with the indicator.", "default": null},
+        {"name":"ti_indicator_drive", "type":["null","string"],"doc":"Drive Value associated with the indicator.", "default": null},
+        {"name":"ti_indicator_file_name", "type":["null","string"],"doc":"File Name Value associated with the indicator.", "default": null},
+		{"name":"ti_indicator_file_extension", "type":["null","string"],"doc":"File Extension Value associated with the indicator.", "default": null},
+        {"name":"ti_indicator_file_size", "type":["null","string"],"doc":"File Size Value associated with the indicator.", "default": null},
+        {"name":"ti_indicator_file_created", "type":["null","long"],"doc":"Date File value associated with the indicator was created.", "default": null},
+        {"name":"ti_indicator_file_accessed", "type":["null","long"],"doc":"Date File value associated with the indicator was last accessed.", "default": null},
+        {"name":"ti_indicator_file_changed", "type":["null","long"],"doc":"Date File value associated with the indicator was last changed.", "default": null},
+        {"name":"ti_indicator_file_entropy", "type":["null","string"],"doc":"Calculated entropy value associated with the file indicated.", "default": null},
+        {"name":"ti_indicator_file_attributes", "type":["null",{"type":"array", "items":"string"}],"doc":"Read Only, System, Hidden, Directory, Archive, Device, Temporary, SparseFile, Compressed, Encrypted, Index, Deleted, etc", "default": null},
+        {"name":"ti_indicator_user_name", "type":["null","string"],"doc":"username associated with the indicator.", "default": null},
+        {"name":"ti_indicator_security_id", "type":["null","string"],"doc":"if known securityID associated with the indicator.", "default": null},
+        {"name":"ti_indicator_pe_info", "type":["null",{"type":"array", "items":"string"}],"doc":"Subsystem, BaseAddress, PETImeStamp, Expert, JumpCodes, DetectedAnomalies, DigitalSignatures,VersionInfo, ResourceInfo,Imported Modules", "default": null},
+        {"name":"ti_indicator_pe_type", "type":["null",{"type":"array", "items":"string"}],"doc":"Executable, DLL, Invalid, Unknown, Native, Windows_GUI, OS2, POSIX, EFI, etc", "default": null},
+        {"name":"ti_indicator_strings", "type":["null",{"type":"array", "items":"string"}],"doc":"Any strings associated with the file indicated that might be useful in identification or further indicator development or adversary identification.", "default": null},
+        {"name":"ti_indicator_org", "type":["null","string"],"doc":"Name of the business that owns the IP address associated with the indicator", "default": null},
+        {"name":"ti_indicator_reg_name", "type":["null","string"],"doc":"Name of the person who registered the domain", "default": null},
+        {"name":"ti_indicator_reg_email", "type":["null","string"],"doc":"Email address of the person who registered the domain", "default": null},
+        {"name":"ti_indicator_reg_org", "type":["null","string"],"doc":"Name of the organisation that registered the domain", "default": null},
+        {"name":"ti_indicator_reg_phone", "type":["null","string"],"doc":"Phone number associated with the domain registered", "default": null},
+        {"name":"ti_tags", "type":["null","string"],"doc":"Additional comments/associations from the feed", "default": null},
+        {"name":"ti_threat_type", "type":["null","string"],"doc":"malware, compromised, apt, c2, etc...", "default": null}
+	],
+	"doc": "A view schema for storing Apache Spot Threat Intelligence Context data."
+  }
\ No newline at end of file
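Review bot: The `ti_adversarial_identification_reports` field is the only one in this record without `"default": null`; under Avro schema resolution a reader using this schema cannot consume a writer record that omits the field, so the line should read `{"name":"ti_adversarial_identification_reports", "type":["null","string"],"doc":"Linked Adversary reports.", "default": null}`. Separately, `ti_indicator_ip6` is declared as an array of `long`, but an IPv6 address is 128 bits and does not fit a 64-bit long — if a numeric form is wanted it needs a `"fixed"` of size 16 or `"bytes"`, otherwise `ti_indicator_ip6_str` should be the only representation. The matching `long` array for `ti_indicator_ip4` is documented as "CIDR noted", which a bare integer cannot carry (the prefix length is lost), so its `doc` should state what the numeric form actually holds. Several doc strings also carry typos (`Unique IQ`, `indicatorv`, `Pollitical`, `PETImeStamp`) that will surface verbatim in generated class documentation.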

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/97735715/spot-setup/odm/user_context.avsc
----------------------------------------------------------------------
diff --git a/spot-setup/odm/user_context.avsc b/spot-setup/odm/user_context.avsc
new file mode 100644
index 0000000..9c9f7e5
--- /dev/null
+++ b/spot-setup/odm/user_context.avsc
@@ -0,0 +1,37 @@
+{
+	"namespace":"org.apache.spot",
+	"name":"user_context",
+	"type": "record",
+	"fields": [
+        {"name":"dvc_time","type":["null","long"],"doc":"Timestamp from when the user context information is obtained","default":null},
+		{"name":"user_created", "type":["null","long"],"doc":"Timestamp from when user was created","default":null},
+		{"name":"user_changed", "type":["null","long"],"doc":"Timestamp from when user was updated","default":null},
+		{"name":"user_last_logon", "type":["null","long"],"doc":"Timestamp from when user last logged on","default":null},
+		{"name":"user_logon_count", "type":["null","int"],"doc":"Number of times account has logged on","default":null},
+		{"name":"user_last_reset", "type":["null","long"],"doc":"Timestamp from when user last reset password","default":null},
+		{"name":"user_expiration", "type":["null","long"],"doc":"Date/time when user expires","default":null},
+		{"name":"user_image", "type":["null","binary"],"doc":"Image data for user","default":null},
+		{"name":"user_id", "type":["null","string"],"doc":"Unique user id","default":null},
+		{"name":"user_name", "type":["null","string"],"doc":"Username in event log/alert","default":null},
+		{"name":"user_name_first", "type":["null","string"],"doc":"First name","default":null},
+		{"name":"user_name_middle", "type":["null","string"],"doc":"Middle name","default":null},
+		{"name":"user_name_last", "type":["null","string"],"doc":"Last name","default":null},
+		{"name":"user_name_mgr", "type":["null","string"],"doc":"Manager’s name","default":null},
+		{"name":"user_phone", "type":["null","string"],"doc":"Phone number","default":null},
+		{"name":"user_email", "type":["null","string"],"doc":"Email address","default":null},
+		{"name":"user_code", "type":["null","string"],"doc":"Job code","default":null},
+		{"name":"user_loc", "type":["null","string"],"doc":"Location","default":null},
+		{"name":"user_departm", "type":["null","string"],"doc":"Department","default":null},
+		{"name":"user_dn", "type":["null","string"],"doc":"Distinguished name","default":null},
+		{"name":"user_ou", "type":["null","string"],"doc":"Organizational unit","default":null},
+		{"name":"user_empid", "type":["null","string"],"doc":"Employee ID","default":null},
+		{"name":"user_title", "type":["null","string"],"doc":"Job Title","default":null},
+		{"name":"user_groups", "type":["null",{"type":"array", "items":"string"}],"doc":"Groups to which the user belongs","default":null},
+		{"name":"dvc_type", "type":["null","string"],"doc":"Device type that generated the user context data","default":null},
+		{"name":"dvc_vendor", "type":["null","string"],"doc":"Vendor","default":null},
+		{"name":"user_risk", "type":["null","float"],"doc":"Risk score","default":null},
+		{"name":"dvc_version", "type":["null","string"],"doc":"Version","default":null},
+		{"name":"additional_attrs", "type":["null",{"type":"map","values":["null","string"]}],"default":null,"doc":"Additional attributes of user"}
+	],
+	"doc": "A view schema for storing Apache Spot User Context data."
+  }
\ No newline at end of file
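Review bot: `"binary"` on the `user_image` line is not an Avro type name — the primitive for raw bytes is `"bytes"` — so the schema fails to parse as written; the line should read `{"name":"user_image", "type":["null","bytes"],"doc":"Image data for user","default":null}`. Given that inlined image data can make each record large, a reference (URL or object-store key) may model it better, but that is a design choice rather than a defect. This record also concentrates personal data (names, phone, email, employee ID, manager, DN, group membership), so the record-level `doc` is a good place to state that tables built from it hold PII and need matching access control and retention handling. The epoch timestamps (`dvc_time`, `user_created`, `user_last_logon`, ...) should state their unit (seconds vs milliseconds), which the `long` type alone does not convey.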

http://git-wip-us.apache.org/repos/asf/incubator-spot/blob/97735715/spot-setup/odm/vulnerability_context.avsc
----------------------------------------------------------------------
diff --git a/spot-setup/odm/vulnerability_context.avsc b/spot-setup/odm/vulnerability_context.avsc
new file mode 100644
index 0000000..933b8d1
--- /dev/null
+++ b/spot-setup/odm/vulnerability_context.avsc
@@ -0,0 +1,18 @@
+{
+	"namespace":"org.apache.spot",
+	"name":"vulnerability_context",
+	"type": "record",
+	"fields": [
+        {"name":"vuln_id","type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_title", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_description", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_solution", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_type", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_category", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_severity", "type":["null","string"],"doc":"TBD", "default": null},
+		{"name":"vuln_created", "type":["null","long"],"doc":"TBD", "default": null},
+		{"name":"vuln_updated", "type":["null","long"],"doc":"TBD", "default": null},
+		{"name":"additional_attrs", "type":["null",{"type":"map","values":["null","string"]}],"default":null,"doc":"Additional attributes of vulnerability"}
+	],
+	"doc": "A view schema for storing Apache Spot Vulnerability Context data."
+  }
\ No newline at end of file
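Review bot: Every field-level `doc` in this record is the placeholder `"TBD"`, so the schema gives consumers no contract for what `vuln_id`, `vuln_severity` or `vuln_category` contain — for instance whether `vuln_id` is a CVE identifier or a scanner-local ID, and whether `vuln_severity` is a CVSS band or a vendor label. Each `doc` should be filled in the way the sibling context schemas in this commit are, e.g. `"doc":"Vulnerability identifier as assigned by the source (e.g. CVE-YYYY-NNNN or scanner plugin ID)"` for `vuln_id` and `"doc":"Severity as reported by the source; values are not normalized across sources"` for `vuln_severity`, once those semantics are agreed. `vuln_created` and `vuln_updated` should likewise state the epoch unit (seconds vs milliseconds), which the `long` type alone does not convey.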