Skip to content

3c7/infrastructure-tracking-schema

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
examples
examples
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
requirements.txt
requirements.txt
 
 
schema.yml
schema.yml
 
 
verify.py
verify.py
 
 

Repository files navigation

Infrastructure Tracking Schema

This repository contains a concept for a infrastructure tracking ruleset schema written for Yamale.

Rule based queries

While this repository does not implement software for querying various services, the goal is to have a common rule schema that allows querying a variety of services and chaining those queries together. An example rule could look like this:

title: Example Rule
uuid: 11d0a892-b2eb-4df5-8b04-3a1272da6eed
author: Nils Kuhnert
status: experimental
created: 2020-10-09
classification:
  - type: tlp
    value: white
condition:
  - AND:
    - type: "shodan"
      query: "HTTP/1.1 200 X-Super-Suspicious-Header: Honk!"
    - type: "passivedns"
      query: "regex:^\\w-\\w\\.site$"

Various services and their queries can be implemented in your own tooling in your own way. The key idea is to combine multiple data sources right from the start and to have a (mostly) readable ruleset. The complex example rule shows all currently possible rule keys implemented in the schema.

About

No description or website provided.

Topics

infrastructure tracking osint apt threat-hunting threat-intelligence

Resources

Readme

License

MIT license
Activity

Stars

24 stars

Watchers

2 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages