synapse 2.164.0__py311-none-any.whl → 2.166.0__py311-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of synapse might be problematic. Click here for more details.

Files changed (89) hide show
  1. synapse/axon.py +3 -3
  2. synapse/cmds/cortex.py +1 -6
  3. synapse/common.py +7 -1
  4. synapse/cortex.py +145 -192
  5. synapse/datamodel.py +36 -1
  6. synapse/lib/agenda.py +87 -97
  7. synapse/lib/aha.py +51 -0
  8. synapse/lib/ast.py +22 -23
  9. synapse/lib/base.py +0 -6
  10. synapse/lib/boss.py +3 -0
  11. synapse/lib/cell.py +70 -39
  12. synapse/lib/certdir.py +9 -0
  13. synapse/lib/hiveauth.py +65 -12
  14. synapse/lib/httpapi.py +1 -0
  15. synapse/lib/modelrev.py +121 -33
  16. synapse/lib/modules.py +1 -0
  17. synapse/lib/nexus.py +64 -26
  18. synapse/lib/parser.py +2 -0
  19. synapse/lib/schemas.py +14 -0
  20. synapse/lib/snap.py +50 -4
  21. synapse/lib/storm.lark +4 -3
  22. synapse/lib/storm.py +96 -22
  23. synapse/lib/storm_format.py +1 -0
  24. synapse/lib/stormlib/aha.py +7 -1
  25. synapse/lib/stormlib/auth.py +13 -5
  26. synapse/lib/stormlib/cache.py +202 -0
  27. synapse/lib/stormlib/cortex.py +147 -8
  28. synapse/lib/stormlib/gen.py +53 -6
  29. synapse/lib/stormlib/math.py +1 -1
  30. synapse/lib/stormlib/model.py +11 -1
  31. synapse/lib/stormlib/spooled.py +109 -0
  32. synapse/lib/stormlib/vault.py +1 -1
  33. synapse/lib/stormtypes.py +113 -17
  34. synapse/lib/trigger.py +36 -47
  35. synapse/lib/types.py +29 -2
  36. synapse/lib/version.py +2 -2
  37. synapse/lib/view.py +80 -53
  38. synapse/models/economic.py +174 -5
  39. synapse/models/files.py +2 -0
  40. synapse/models/inet.py +77 -2
  41. synapse/models/infotech.py +12 -12
  42. synapse/models/orgs.py +72 -21
  43. synapse/models/person.py +40 -11
  44. synapse/models/risk.py +78 -24
  45. synapse/models/science.py +102 -0
  46. synapse/telepath.py +117 -35
  47. synapse/tests/test_cortex.py +84 -158
  48. synapse/tests/test_datamodel.py +22 -0
  49. synapse/tests/test_lib_agenda.py +52 -96
  50. synapse/tests/test_lib_aha.py +126 -4
  51. synapse/tests/test_lib_ast.py +412 -6
  52. synapse/tests/test_lib_cell.py +24 -8
  53. synapse/tests/test_lib_certdir.py +32 -0
  54. synapse/tests/test_lib_grammar.py +9 -1
  55. synapse/tests/test_lib_httpapi.py +0 -1
  56. synapse/tests/test_lib_jupyter.py +0 -1
  57. synapse/tests/test_lib_modelrev.py +41 -0
  58. synapse/tests/test_lib_nexus.py +38 -0
  59. synapse/tests/test_lib_storm.py +95 -5
  60. synapse/tests/test_lib_stormlib_cache.py +272 -0
  61. synapse/tests/test_lib_stormlib_cortex.py +71 -0
  62. synapse/tests/test_lib_stormlib_gen.py +37 -2
  63. synapse/tests/test_lib_stormlib_model.py +2 -0
  64. synapse/tests/test_lib_stormlib_spooled.py +190 -0
  65. synapse/tests/test_lib_stormlib_vault.py +12 -3
  66. synapse/tests/test_lib_stormsvc.py +0 -10
  67. synapse/tests/test_lib_stormtypes.py +60 -8
  68. synapse/tests/test_lib_trigger.py +20 -2
  69. synapse/tests/test_lib_types.py +17 -1
  70. synapse/tests/test_model_economic.py +114 -0
  71. synapse/tests/test_model_files.py +2 -0
  72. synapse/tests/test_model_inet.py +73 -1
  73. synapse/tests/test_model_infotech.py +2 -2
  74. synapse/tests/test_model_orgs.py +10 -1
  75. synapse/tests/test_model_risk.py +30 -2
  76. synapse/tests/test_model_science.py +59 -0
  77. synapse/tests/test_model_syn.py +0 -1
  78. synapse/tests/test_telepath.py +30 -7
  79. synapse/tests/test_tools_modrole.py +81 -0
  80. synapse/tests/test_tools_moduser.py +105 -0
  81. synapse/tools/modrole.py +59 -7
  82. synapse/tools/moduser.py +78 -10
  83. {synapse-2.164.0.dist-info → synapse-2.166.0.dist-info}/METADATA +2 -2
  84. {synapse-2.164.0.dist-info → synapse-2.166.0.dist-info}/RECORD +87 -83
  85. {synapse-2.164.0.dist-info → synapse-2.166.0.dist-info}/WHEEL +1 -1
  86. synapse/lib/provenance.py +0 -111
  87. synapse/tests/test_lib_provenance.py +0 -37
  88. {synapse-2.164.0.dist-info → synapse-2.166.0.dist-info}/LICENSE +0 -0
  89. {synapse-2.164.0.dist-info → synapse-2.166.0.dist-info}/top_level.txt +0 -0
synapse/models/inet.py CHANGED
@@ -1304,8 +1304,8 @@ class InetModule(s_module.CoreModule):
1304
1304
  }),
1305
1305
 
1306
1306
  ('inet:ssl:cert', ('comp', {'fields': (('server', 'inet:server'), ('file', 'file:bytes'))}), {
1307
- 'doc': 'An SSL certificate file served by a server.',
1308
- 'ex': '(1.2.3.4:443, guid:d41d8cd98f00b204e9800998ecf8427e)',
1307
+ 'deprecated': True,
1308
+ 'doc': 'Deprecated. Please use inet:tls:servercert or inet:tls:clientcert',
1309
1309
  }),
1310
1310
 
1311
1311
  ('inet:port', ('int', {'min': 0, 'max': 0xffff}), {
@@ -1489,6 +1489,24 @@ class InetModule(s_module.CoreModule):
1489
1489
  ('inet:ssl:jarmsample', ('comp', {'fields': (('server', 'inet:server'), ('jarmhash', 'inet:ssl:jarmhash'))}), {
1490
1490
  'doc': 'A JARM hash sample taken from a server.'}),
1491
1491
 
1492
+ ('inet:tls:handshake', ('guid', {}), {
1493
+ 'doc': 'An instance of a TLS handshake between a server and client.'}),
1494
+
1495
+ ('inet:tls:ja3s:sample', ('comp', {'fields': (('server', 'inet:server'), ('ja3s', 'hash:md5'))}), {
1496
+ 'doc': 'A JA3 sample taken from a server.'}),
1497
+
1498
+ ('inet:tls:ja3:sample', ('comp', {'fields': (('client', 'inet:client'), ('ja3', 'hash:md5'))}), {
1499
+ 'doc': 'A JA3 sample taken from a client.'}),
1500
+
1501
+ ('inet:tls:servercert', ('comp', {'fields': (('server', 'inet:server'), ('cert', 'crypto:x509:cert'))}), {
1502
+ 'doc': 'An x509 certificate sent by a server for TLS.',
1503
+ 'ex': '(1.2.3.4:443, c7437790af01ae1bb2f8f3b684c70bf8)',
1504
+ }),
1505
+
1506
+ ('inet:tls:clientcert', ('comp', {'fields': (('client', 'inet:client'), ('cert', 'crypto:x509:cert'))}), {
1507
+ 'doc': 'An x509 certificate sent by a client for TLS.',
1508
+ 'ex': '(1.2.3.4:443, 3fdf364e081c14997b291852d1f23868)',
1509
+ }),
1492
1510
  ),
1493
1511
 
1494
1512
  'interfaces': (
@@ -1569,6 +1587,9 @@ class InetModule(s_module.CoreModule):
1569
1587
  ('received:from:fqdn', ('inet:fqdn', {}), {
1570
1588
  'doc': 'The sending server FQDN, potentially from the Received: header.'}),
1571
1589
 
1590
+ ('flow', ('inet:flow', {}), {
1591
+ 'doc': 'The inet:flow which delivered the message.'}),
1592
+
1572
1593
  )),
1573
1594
 
1574
1595
  ('inet:email:header', {}, (
@@ -3231,6 +3252,60 @@ class InetModule(s_module.CoreModule):
3231
3252
  'doc': 'The server that was sampled to compute the JARM hash.'}),
3232
3253
  )),
3233
3254
 
3255
+ ('inet:tls:handshake', {}, (
3256
+ ('time', ('time', {}), {
3257
+ 'doc': 'The time the handshake was initiated.'}),
3258
+ ('flow', ('inet:flow', {}), {
3259
+ 'doc': 'The raw inet:flow associated with the handshake.'}),
3260
+ ('server', ('inet:server', {}), {
3261
+ 'doc': 'The TLS server during the handshake.'}),
3262
+ ('server:cert', ('crypto:x509:cert', {}), {
3263
+ 'doc': 'The x509 certificate sent by the server during the handshake.'}),
3264
+ ('server:fingerprint:ja3', ('hash:md5', {}), {
3265
+ 'doc': 'The JA3S finger of the server.'}),
3266
+ ('client', ('inet:client', {}), {
3267
+ 'doc': 'The TLS client during the handshake.'}),
3268
+ ('client:cert', ('crypto:x509:cert', {}), {
3269
+ 'doc': 'The x509 certificate sent by the client during the handshake.'}),
3270
+ ('client:fingerprint:ja3', ('hash:md5', {}), {
3271
+ 'doc': 'The JA3 fingerprint of the client.'}),
3272
+ )),
3273
+
3274
+ ('inet:tls:ja3s:sample', {}, (
3275
+ ('server', ('inet:server', {}), {
3276
+ 'ro': True,
3277
+ 'doc': 'The server that was sampled to produce the JA3S hash.'}),
3278
+ ('ja3s', ('hash:md5', {}), {
3279
+ 'ro': True,
3280
+ 'doc': "The JA3S hash computed from the server's TLS hello packet."})
3281
+ )),
3282
+
3283
+ ('inet:tls:ja3:sample', {}, (
3284
+ ('client', ('inet:client', {}), {
3285
+ 'ro': True,
3286
+ 'doc': 'The client that was sampled to produce the JA3 hash.'}),
3287
+ ('ja3', ('hash:md5', {}), {
3288
+ 'ro': True,
3289
+ 'doc': "The JA3 hash computed from the client's TLS hello packet."})
3290
+ )),
3291
+
3292
+ ('inet:tls:servercert', {}, (
3293
+ ('server', ('inet:server', {}), {
3294
+ 'ro': True,
3295
+ 'doc': 'The server associated with the x509 certificate.'}),
3296
+ ('cert', ('crypto:x509:cert', {}), {
3297
+ 'ro': True,
3298
+ 'doc': 'The x509 certificate sent by the server.'})
3299
+ )),
3300
+
3301
+ ('inet:tls:clientcert', {}, (
3302
+ ('client', ('inet:client', {}), {
3303
+ 'ro': True,
3304
+ 'doc': 'The client associated with the x509 certificate.'}),
3305
+ ('cert', ('crypto:x509:cert', {}), {
3306
+ 'ro': True,
3307
+ 'doc': 'The x509 certificate sent by the client.'})
3308
+ )),
3234
3309
  ),
3235
3310
  }),
3236
3311
  )
synapse/models/infotech.py CHANGED
@@ -381,7 +381,7 @@ class ItModule(s_module.CoreModule):
381
381
  'doc': "A vulnerability scan result for an asset."}),
382
382
 
383
383
  ('it:mitre:attack:status', ('str', {'enums': 'current,deprecated,withdrawn'}), {
384
- 'doc': 'A Mitre ATT&CK element status.',
384
+ 'doc': 'A MITRE ATT&CK element status.',
385
385
  'ex': 'current',
386
386
  }),
387
387
  ('it:mitre:attack:matrix', ('str', {'enums': 'enterprise,mobile,ics'}), {
@@ -389,31 +389,31 @@ class ItModule(s_module.CoreModule):
389
389
  'ex': 'enterprise',
390
390
  }),
391
391
  ('it:mitre:attack:group', ('str', {'regex': r'^G[0-9]{4}$'}), {
392
- 'doc': 'A Mitre ATT&CK Group ID.',
392
+ 'doc': 'A MITRE ATT&CK Group ID.',
393
393
  'ex': 'G0100',
394
394
  }),
395
395
  ('it:mitre:attack:tactic', ('str', {'regex': r'^TA[0-9]{4}$'}), {
396
- 'doc': 'A Mitre ATT&CK Tactic ID.',
396
+ 'doc': 'A MITRE ATT&CK Tactic ID.',
397
397
  'ex': 'TA0040',
398
398
  }),
399
399
  ('it:mitre:attack:technique', ('str', {'regex': r'^T[0-9]{4}(.[0-9]{3})?$'}), {
400
- 'doc': 'A Mitre ATT&CK Technique ID.',
400
+ 'doc': 'A MITRE ATT&CK Technique ID.',
401
401
  'ex': 'T1548',
402
402
  }),
403
403
  ('it:mitre:attack:mitigation', ('str', {'regex': r'^M[0-9]{4}$'}), {
404
- 'doc': 'A Mitre ATT&CK Mitigation ID.',
404
+ 'doc': 'A MITRE ATT&CK Mitigation ID.',
405
405
  'ex': 'M1036',
406
406
  }),
407
407
  ('it:mitre:attack:software', ('str', {'regex': r'^S[0-9]{4}$'}), {
408
- 'doc': 'A Mitre ATT&CK Software ID.',
408
+ 'doc': 'A MITRE ATT&CK Software ID.',
409
409
  'ex': 'S0154',
410
410
  }),
411
411
  ('it:mitre:attack:campaign', ('str', {'regex': r'^C[0-9]{4}$'}), {
412
- 'doc': 'A Mitre ATT&CK Campaign ID.',
412
+ 'doc': 'A MITRE ATT&CK Campaign ID.',
413
413
  'ex': 'C0028',
414
414
  }),
415
415
  ('it:mitre:attack:flow', ('guid', {}), {
416
- 'doc': 'A Mitre ATT&CK Flow diagram.',
416
+ 'doc': 'A MITRE ATT&CK Flow diagram.',
417
417
  }),
418
418
  ('it:dev:str', ('str', {}), {
419
419
  'doc': 'A developer selected string.'
@@ -1183,7 +1183,7 @@ class ItModule(s_module.CoreModule):
1183
1183
  }),
1184
1184
  )),
1185
1185
  ('it:mitre:attack:technique', {}, (
1186
- ('name', ('str', {'strip': True}), {
1186
+ ('name', ('str', {'lower': True, 'onespace': True}), {
1187
1187
  'doc': 'The primary name for the ATT&CK technique.',
1188
1188
  }),
1189
1189
  ('matrix', ('it:mitre:attack:matrix', {}), {
@@ -1251,7 +1251,7 @@ class ItModule(s_module.CoreModule):
1251
1251
  )),
1252
1252
  ('it:mitre:attack:mitigation', {}, (
1253
1253
  # TODO map to an eventual risk:mitigation
1254
- ('name', ('str', {'strip': True}), {
1254
+ ('name', ('str', {'lower': True, 'onespace': True}), {
1255
1255
  'doc': 'The primary name for the ATT&CK mitigation.',
1256
1256
  }),
1257
1257
  ('matrix', ('it:mitre:attack:matrix', {}), {
@@ -1312,9 +1312,9 @@ class ItModule(s_module.CoreModule):
1312
1312
  ('period', ('ival', {}), {
1313
1313
  'doc': 'The time interval when the campaign was active.'}),
1314
1314
  ('created', ('time', {}), {
1315
- 'doc': 'The time that the campaign was created by Mitre.'}),
1315
+ 'doc': 'The time that the campaign was created by MITRE.'}),
1316
1316
  ('updated', ('time', {}), {
1317
- 'doc': 'The time that the campaign was last updated by Mitre.'}),
1317
+ 'doc': 'The time that the campaign was last updated by MITRE.'}),
1318
1318
 
1319
1319
  ('tag', ('syn:tag', {}), {
1320
1320
  'deprecated': True,
synapse/models/orgs.py CHANGED
@@ -24,14 +24,27 @@ class OuModule(s_module.CoreModule):
24
24
  }),
25
25
  ('ou:isic', ('str', {'regex': r'^[A-Z]([0-9]{2}[0-9]{0,2})?$'}), {
26
26
  'doc': 'An International Standard Industrial Classification of All Economic Activities (ISIC) code.',
27
- 'ex': 'C1393',
28
- }),
27
+ 'ex': 'C1393'}),
28
+
29
29
  ('ou:org', ('guid', {}), {
30
30
  'doc': 'A GUID for a human organization such as a company or military unit.',
31
- }),
31
+ 'display': {
32
+ 'columns': (
33
+ {'type': 'prop', 'opts': {'name': 'name'}},
34
+ {'type': 'prop', 'opts': {'name': 'names'}},
35
+ {'type': 'prop', 'opts': {'name': 'country:code'}},
36
+ ),
37
+ }}),
38
+
32
39
  ('ou:team', ('guid', {}), {
33
40
  'doc': 'A GUID for a team within an organization.',
34
- }),
41
+ 'display': {
42
+ 'columns': (
43
+ {'type': 'prop', 'opts': {'name': 'name'}},
44
+ {'type': 'prop', 'opts': {'name': 'org::name'}},
45
+ ),
46
+ }}),
47
+
35
48
  ('ou:orgtype', ('taxonomy', {}), {
36
49
  'doc': 'An org type taxonomy.',
37
50
  'interfaces': ('meta:taxonomy',),
@@ -49,6 +62,11 @@ class OuModule(s_module.CoreModule):
49
62
  }),
50
63
  ('ou:industry', ('guid', {}), {
51
64
  'doc': 'An industry classification type.',
65
+ 'display': {
66
+ 'columns': (
67
+ {'type': 'prop', 'opts': {'name': 'name'}},
68
+ ),
69
+ },
52
70
  }),
53
71
  ('ou:industry:type:taxonomy', ('taxonomy', {}), {
54
72
  'interfaces': ('meta:taxonomy',),
@@ -113,6 +131,12 @@ class OuModule(s_module.CoreModule):
113
131
  }),
114
132
  ('ou:conference', ('guid', {}), {
115
133
  'doc': 'A conference with a name and sponsoring org.',
134
+ 'display': {
135
+ 'columns': (
136
+ {'type': 'prop', 'opts': {'name': 'name'}},
137
+ {'type': 'prop', 'opts': {'name': 'start'}},
138
+ ),
139
+ },
116
140
  }),
117
141
  ('ou:conference:attendee', ('comp', {'fields': (('conference', 'ou:conference'), ('person', 'ps:person'))}), {
118
142
  'deprecated': True,
@@ -133,6 +157,11 @@ class OuModule(s_module.CoreModule):
133
157
  }),
134
158
  ('ou:goal', ('guid', {}), {
135
159
  'doc': 'An assessed or stated goal which may be abstract or org specific.',
160
+ 'display': {
161
+ 'columns': (
162
+ {'type': 'prop', 'opts': {'name': 'name'}},
163
+ ),
164
+ },
136
165
  }),
137
166
  ('ou:goalname', ('str', {'lower': True, 'onespace': True}), {
138
167
  'doc': 'A goal name.',
@@ -154,16 +183,31 @@ class OuModule(s_module.CoreModule):
154
183
 
155
184
  ('ou:campaign', ('guid', {}), {
156
185
  'doc': "Represents an org's activity in pursuit of a goal.",
157
- }),
186
+ 'display': {
187
+ 'columns': (
188
+ {'type': 'prop', 'opts': {'name': 'name'}},
189
+ {'type': 'prop', 'opts': {'name': 'names'}},
190
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
191
+ {'type': 'prop', 'opts': {'name': 'tag'}},
192
+ ),
193
+ }}),
194
+
158
195
  ('ou:conflict', ('guid', {}), {
159
196
  'doc': 'Represents a conflict where two or more campaigns have mutually exclusive goals.',
160
197
  }),
161
198
  ('ou:contribution', ('guid', {}), {
162
- 'doc': 'Represents a specific instance of contributing material support to a campaign.',
163
- }),
199
+ 'doc': 'Represents a specific instance of contributing material support to a campaign.'}),
200
+
164
201
  ('ou:technique', ('guid', {}), {
165
202
  'doc': 'A specific technique used to achieve a goal.',
166
- }),
203
+ 'display': {
204
+ 'columns': (
205
+ {'type': 'prop', 'opts': {'name': 'name'}},
206
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
207
+ {'type': 'prop', 'opts': {'name': 'tag'}},
208
+ ),
209
+ }}),
210
+
167
211
  ('ou:technique:taxonomy', ('taxonomy', {}), {
168
212
  'interfaces': ('meta:taxonomy',),
169
213
  'doc': 'An analyst defined taxonomy to classify techniques in different disciplines.',
@@ -223,6 +267,10 @@ class OuModule(s_module.CoreModule):
223
267
  'doc': 'The contribution includes the specific node.'}),
224
268
  ((None, 'meets', 'ou:requirement'), {
225
269
  'doc': 'The requirement is met by the source node.'}),
270
+ (('ou:org', 'has', None), {
271
+ 'doc': 'The organization is or was in possession of the target node.'}),
272
+ (('ou:org', 'owns', None), {
273
+ 'doc': 'The organization owns or owned the target node.'}),
226
274
  ),
227
275
  'forms': (
228
276
  ('ou:jobtype', {}, ()),
@@ -351,21 +399,24 @@ class OuModule(s_module.CoreModule):
351
399
  }),
352
400
  )),
353
401
  ('ou:id:number', {}, (
402
+
354
403
  ('type', ('ou:id:type', {}), {
355
- 'doc': 'The type of org id', 'ro': True,
356
- }),
404
+ 'doc': 'The type of org id', 'ro': True}),
405
+
357
406
  ('value', ('ou:id:value', {}), {
358
- 'doc': 'The value of org id', 'ro': True,
359
- }),
407
+ 'doc': 'The value of org id', 'ro': True}),
408
+
360
409
  ('status', ('str', {'lower': True, 'strip': True}), {
361
- 'doc': 'A freeform status such as valid, suspended, expired.',
362
- }),
410
+ 'doc': 'A freeform status such as valid, suspended, expired.'}),
411
+
363
412
  ('issued', ('time', {}), {
364
- 'doc': 'The time at which the org issued the ID number.',
365
- }),
413
+ 'doc': 'The time at which the org issued the ID number.'}),
414
+
366
415
  ('expires', ('time', {}), {
367
- 'doc': 'The time at which the ID number expires.',
368
- }),
416
+ 'doc': 'The time at which the ID number expires.'}),
417
+
418
+ ('issuer', ('ps:contact', {}), {
419
+ 'doc': 'The contact information of the office which issued the ID number.'}),
369
420
  )),
370
421
  ('ou:id:update', {}, (
371
422
  ('number', ('ou:id:number', {}), {
@@ -508,7 +559,7 @@ class OuModule(s_module.CoreModule):
508
559
  'doc': 'The tag used to annotate nodes that are associated with the campaign.'}),
509
560
 
510
561
  ('mitre:attack:campaign', ('it:mitre:attack:campaign', {}), {
511
- 'doc': 'A mapping to a Mitre ATT&CK campaign if applicable.'}),
562
+ 'doc': 'A mapping to a MITRE ATT&CK campaign if applicable.'}),
512
563
  )),
513
564
  ('ou:conflict', {}, (
514
565
  ('name', ('str', {'onespace': True}), {
@@ -555,7 +606,7 @@ class OuModule(s_module.CoreModule):
555
606
  ('tag', ('syn:tag', {}), {
556
607
  'doc': 'The tag used to annotate nodes where the technique was employed.'}),
557
608
  ('mitre:attack:technique', ('it:mitre:attack:technique', {}), {
558
- 'doc': 'A mapping to a Mitre ATT&CK technique if applicable.'}),
609
+ 'doc': 'A mapping to a MITRE ATT&CK technique if applicable.'}),
559
610
  ('reporter', ('ou:org', {}), {
560
611
  'doc': 'The organization reporting on the technique.'}),
561
612
  ('reporter:name', ('ou:name', {}), {
@@ -714,7 +765,7 @@ class OuModule(s_module.CoreModule):
714
765
  'doc': 'The name of the industry.'}),
715
766
 
716
767
  ('type', ('ou:industry:type:taxonomy', {}), {
717
- 'doc': 'An taxonomy entry for the industry.'}),
768
+ 'doc': 'A taxonomy entry for the industry.'}),
718
769
 
719
770
  ('names', ('array', {'type': 'ou:industryname', 'uniq': True, 'sorted': True}), {
720
771
  'doc': 'An array of alternative names for the industry.'}),
synapse/models/person.py CHANGED
@@ -39,11 +39,19 @@ class PsModule(s_module.CoreModule):
39
39
  ('ps:persona:has', ('comp', {'fields': (('persona', 'ps:persona'), ('node', 'ndef'))}), {
40
40
  'deprecated': True,
41
41
  'doc': 'A persona owns, controls, or has exclusive use of an object or'
42
- ' resource, potentially during a specific period of time.'
43
- }),
42
+ ' resource, potentially during a specific period of time.'}),
43
+
44
44
  ('ps:contact', ('guid', {}), {
45
45
  'doc': 'A GUID for a contact info record.',
46
- }),
46
+ 'display': {
47
+ 'columns': (
48
+ {'type': 'prop', 'opts': {'name': 'name'}},
49
+ {'type': 'prop', 'opts': {'name': 'type'}},
50
+ {'type': 'prop', 'opts': {'name': 'orgname'}},
51
+ {'type': 'prop', 'opts': {'name': 'email'}},
52
+ ),
53
+ }}),
54
+
47
55
  ('ps:contact:type:taxonomy', ('taxonomy', {}), {
48
56
  'interfaces': ('meta:taxonomy',),
49
57
  'doc': 'A taxonomy of contact types.',
@@ -55,18 +63,39 @@ class PsModule(s_module.CoreModule):
55
63
  'doc': "A GUID representing entry in a contact's work history.",
56
64
  }),
57
65
  ('ps:vitals', ('guid', {}), {
58
- 'doc': 'Statistics and demographic data about a person or contact.',
59
- }),
66
+ 'doc': 'Statistics and demographic data about a person or contact.'}),
67
+
60
68
  ('ps:skill', ('guid', {}), {
61
- 'doc': 'A specific skill which a person or organization may have.'
62
- }),
69
+ 'doc': 'A specific skill which a person or organization may have.',
70
+ 'display': {
71
+ 'columns': (
72
+ {'type': 'prop', 'opts': {'name': 'name'}},
73
+ {'type': 'prop', 'opts': {'name': 'type'}},
74
+ ),
75
+ }}),
76
+
63
77
  ('ps:skill:type:taxonomy', ('taxonomy', {}), {
64
78
  'interfaces': ('meta:taxonomy',),
65
- 'doc': 'A taxonomy of skill types.',
66
- }),
79
+ 'doc': 'A taxonomy of skill types.'}),
80
+
67
81
  ('ps:proficiency', ('guid', {}), {
68
- 'doc': 'The assessment that a given contact possesses a specific skill.'
69
- }),
82
+ 'doc': 'The assessment that a given contact possesses a specific skill.',
83
+ 'display': {
84
+ 'columns': (
85
+ {'type': 'prop', 'opts': {'name': 'contact::name'}},
86
+ {'type': 'prop', 'opts': {'name': 'skill::name'}},
87
+ ),
88
+ }}),
89
+ ),
90
+ 'edges': (
91
+ (('ps:contact', 'has', None), {
92
+ 'doc': 'The contact is or was in possession of the target node.'}),
93
+ (('ps:person', 'has', None), {
94
+ 'doc': 'The person is or was in possession of the target node.'}),
95
+ (('ps:contact', 'owns', None), {
96
+ 'doc': 'The contact owns or owned the target node.'}),
97
+ (('ps:person', 'owns', None), {
98
+ 'doc': 'The person owns or owned the target node.'}),
70
99
  ),
71
100
  'forms': (
72
101
  ('ps:workhist', {}, (
synapse/models/risk.py CHANGED
@@ -60,10 +60,22 @@ class RiskModule(s_module.CoreModule):
60
60
  'doc': 'A contiguous range of software versions which contain a vulnerability.'}),
61
61
 
62
62
  ('risk:hasvuln', ('guid', {}), {
63
- 'doc': 'An instance of a vulnerability present in a target.',
64
- }),
63
+ 'deprecated': True,
64
+ 'doc': 'Deprecated. Please use risk:vulnerable.'}),
65
+
66
+ ('risk:vulnerable', ('guid', {}), {
67
+ 'doc': 'Indicates that a node is susceptible to a vulnerability.'}),
68
+
65
69
  ('risk:threat', ('guid', {}), {
66
70
  'doc': 'A threat cluster or subgraph of threat activity, as reported by a specific organization.',
71
+ 'display': {
72
+ 'columns': (
73
+ {'type': 'prop', 'opts': {'name': 'org:name'}},
74
+ {'type': 'prop', 'opts': {'name': 'org:names'}},
75
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
76
+ {'type': 'prop', 'opts': {'name': 'tag'}},
77
+ ),
78
+ },
67
79
  }),
68
80
  ('risk:attack', ('guid', {}), {
69
81
  'doc': 'An instance of an actor attacking a target.',
@@ -77,9 +89,22 @@ class RiskModule(s_module.CoreModule):
77
89
  }),
78
90
  ('risk:compromise', ('guid', {}), {
79
91
  'doc': 'An instance of a compromise and its aggregate impact.',
92
+ 'display': {
93
+ 'columns': (
94
+ {'type': 'prop', 'opts': {'name': 'name'}},
95
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
96
+ ),
97
+ },
80
98
  }),
81
99
  ('risk:mitigation', ('guid', {}), {
82
100
  'doc': 'A mitigation for a specific risk:vuln.',
101
+ 'display': {
102
+ 'columns': (
103
+ {'type': 'prop', 'opts': {'name': 'name'}},
104
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
105
+ {'type': 'prop', 'opts': {'name': 'tag'}},
106
+ ),
107
+ },
83
108
  }),
84
109
  ('risk:attacktype', ('taxonomy', {}), {
85
110
  'doc': 'A taxonomy of attack types.',
@@ -100,6 +125,14 @@ class RiskModule(s_module.CoreModule):
100
125
  }),
101
126
  ('risk:tool:software', ('guid', {}), {
102
127
  'doc': 'A software tool used in threat activity, as reported by a specific organization.',
128
+ 'display': {
129
+ 'columns': (
130
+ {'type': 'prop', 'opts': {'name': 'soft:name'}},
131
+ {'type': 'prop', 'opts': {'name': 'soft:names'}},
132
+ {'type': 'prop', 'opts': {'name': 'reporter:name'}},
133
+ {'type': 'prop', 'opts': {'name': 'tag'}},
134
+ ),
135
+ },
103
136
  }),
104
137
 
105
138
  ('risk:alert:verdict:taxonomy', ('taxonomy', {}), {
@@ -124,19 +157,22 @@ class RiskModule(s_module.CoreModule):
124
157
  ('risk:extortion:type:taxonomy', ('taxonomy', {}), {
125
158
  'interfaces': ('meta:taxonomy',),
126
159
  'doc': 'A taxonomy of extortion event types.'}),
160
+
127
161
  ('risk:technique:masquerade', ('guid', {}), {
128
162
  'doc': 'Represents the assessment that a node is designed to resemble another in order to mislead.'}),
129
163
  ),
130
164
  'edges': (
131
165
  # some explicit examples...
132
166
  (('risk:attack', 'uses', 'ou:technique'), {
133
- 'doc': 'The attackers used the technique in the attack.'}),
167
+ 'doc': 'The attacker used the technique in the attack.'}),
134
168
  (('risk:threat', 'uses', 'ou:technique'), {
135
169
  'doc': 'The threat cluster uses the technique.'}),
136
170
  (('risk:tool:software', 'uses', 'ou:technique'), {
137
171
  'doc': 'The tool uses the technique.'}),
138
172
  (('risk:compromise', 'uses', 'ou:technique'), {
139
- 'doc': 'The attackers used the technique in the compromise.'}),
173
+ 'doc': 'The attacker used the technique in the compromise.'}),
174
+ (('risk:extortion', 'uses', 'ou:technique'), {
175
+ 'doc': 'The attacker used the technique to extort the victim.'}),
140
176
 
141
177
  (('risk:attack', 'uses', 'risk:vuln'), {
142
178
  'doc': 'The attack used the vulnerability.'}),
@@ -239,6 +275,9 @@ class RiskModule(s_module.CoreModule):
239
275
 
240
276
  ('merged:isnow', ('risk:threat', {}), {
241
277
  'doc': 'The threat cluster that the reporting organization merged this cluster into.'}),
278
+
279
+ ('mitre:attack:group', ('it:mitre:attack:group', {}), {
280
+ 'doc': 'A mapping to a MITRE ATT&CK group if applicable.'}),
242
281
  )),
243
282
  ('risk:availability', {}, {}),
244
283
  ('risk:tool:software:taxonomy', {}, ()),
@@ -288,13 +327,16 @@ class RiskModule(s_module.CoreModule):
288
327
  'deprecated': True,
289
328
  'doc': 'Deprecated for scalability. Please use -(uses)> ou:technique.'}),
290
329
 
330
+ ('mitre:attack:software', ('it:mitre:attack:software', {}), {
331
+ 'doc': 'A mapping to a MITRE ATT&CK software if applicable.'}),
332
+
291
333
  )),
292
334
  ('risk:mitigation', {}, (
293
335
 
294
336
  ('vuln', ('risk:vuln', {}), {
295
337
  'doc': 'The vulnerability that this mitigation addresses.'}),
296
338
 
297
- ('name', ('str', {}), {
339
+ ('name', ('str', {'lower': True, 'onespace': True}), {
298
340
  'doc': 'A brief name for this risk mitigation.'}),
299
341
 
300
342
  ('desc', ('str', {}), {
@@ -313,6 +355,9 @@ class RiskModule(s_module.CoreModule):
313
355
  ('reporter:name', ('ou:name', {}), {
314
356
  'doc': 'The name of the organization reporting on the mitigation.'}),
315
357
 
358
+ ('mitre:attack:mitigation', ('it:mitre:attack:mitigation', {}), {
359
+ 'doc': 'A mapping to a MITRE ATT&CK mitigation if applicable.'}),
360
+
316
361
  ('tag', ('syn:tag', {}), {
317
362
  'doc': 'The tag used to annotate nodes which have the mitigation in place.'}),
318
363
  )),
@@ -580,32 +625,32 @@ class RiskModule(s_module.CoreModule):
580
625
 
581
626
  ('risk:hasvuln', {}, (
582
627
  ('vuln', ('risk:vuln', {}), {
583
- 'doc': 'The vulnerability present in the target.'
584
- }),
628
+ 'doc': 'The vulnerability present in the target.'}),
585
629
  ('person', ('ps:person', {}), {
586
- 'doc': 'The vulnerable person.',
587
- }),
630
+ 'doc': 'The vulnerable person.'}),
588
631
  ('org', ('ou:org', {}), {
589
- 'doc': 'The vulnerable org.',
590
- }),
632
+ 'doc': 'The vulnerable org.'}),
591
633
  ('place', ('geo:place', {}), {
592
- 'doc': 'The vulnerable place.',
593
- }),
634
+ 'doc': 'The vulnerable place.'}),
594
635
  ('software', ('it:prod:softver', {}), {
595
- 'doc': 'The vulnerable software.',
596
- }),
636
+ 'doc': 'The vulnerable software.'}),
597
637
  ('hardware', ('it:prod:hardware', {}), {
598
- 'doc': 'The vulnerable hardware.',
599
- }),
638
+ 'doc': 'The vulnerable hardware.'}),
600
639
  ('spec', ('mat:spec', {}), {
601
- 'doc': 'The vulnerable material specification.',
602
- }),
640
+ 'doc': 'The vulnerable material specification.'}),
603
641
  ('item', ('mat:item', {}), {
604
- 'doc': 'The vulnerable material item.',
605
- }),
642
+ 'doc': 'The vulnerable material item.'}),
606
643
  ('host', ('it:host', {}), {
607
- 'doc': 'The vulnerable host.'
608
- })
644
+ 'doc': 'The vulnerable host.'})
645
+ )),
646
+
647
+ ('risk:vulnerable', {}, (
648
+ ('vuln', ('risk:vuln', {}), {
649
+ 'doc': 'The vulnerability that the node is susceptible to.'}),
650
+ ('period', ('ival', {}), {
651
+ 'doc': 'The time window where the node was vulnerable.'}),
652
+ ('node', ('ndef', {}), {
653
+ 'doc': 'The node which is vulnerable.'}),
609
654
  )),
610
655
 
611
656
  ('risk:alert:taxonomy', {}, {}),
@@ -923,12 +968,18 @@ class RiskModule(s_module.CoreModule):
923
968
  ('compromise', ('risk:compromise', {}), {
924
969
  'doc': 'The compromise which allowed the leaker access to the information.'}),
925
970
 
971
+ ('extortion', ('risk:extortion', {}), {
972
+ 'doc': 'The extortion event which used the threat of the leak as leverage.'}),
973
+
926
974
  ('public', ('bool', {}), {
927
975
  'doc': 'Set to true if the leaked information was made publicly available.'}),
928
976
 
929
977
  ('public:url', ('inet:url', {}), {
930
978
  'doc': 'The URL where the leaked information was made publicly available.'}),
931
979
 
980
+ ('size:bytes', ('int', {'min': 0}), {
981
+ 'doc': 'The approximate uncompressed size of the total data leaked.'}),
982
+
932
983
  )),
933
984
 
934
985
  ('risk:extortion:type:taxonomy', {}, ()),
@@ -950,6 +1001,9 @@ class RiskModule(s_module.CoreModule):
950
1001
  ('demanded', ('time', {}), {
951
1002
  'doc': 'The time that the attacker made their demands.'}),
952
1003
 
1004
+ ('deadline', ('time', {}), {
1005
+ 'doc': 'The time that the demand must be met.'}),
1006
+
953
1007
  ('goal', ('ou:goal', {}), {
954
1008
  'doc': 'The goal of the attacker in extorting the victim.'}),
955
1009
 
@@ -963,7 +1017,7 @@ class RiskModule(s_module.CoreModule):
963
1017
  'doc': 'The extortion target identity.'}),
964
1018
 
965
1019
  ('success', ('bool', {}), {
966
- 'doc': 'Set to true if the victim met the attackers demands.'}),
1020
+ 'doc': "Set to true if the victim met the attacker's demands."}),
967
1021
 
968
1022
  ('enacted', ('bool', {}), {
969
1023
  'doc': 'Set to true if attacker carried out the threat.'}),