Hi,
Thanks for chiming in. I added my assumptions for a mapping below between the quotes:
On 2018-03-12 16:56, Alexandre Dulaunoy wrote:
> adversary:infrastructure-status="unknown" adversary:infrastructure-status="compromised" adversary:infrastructure-status="own-and-operated"
We do not have equivalent fields for this kind of information.
> adversary:infrastructure-action="passive-only" adversary:infrastructure-action="take-down" adversary:infrastructure-action="monitoring-active" adversary:infrastructure-action="pending-law-enforcement-request"
Same here.
> adversary:infrastructure-state="unknown" adversary:infrastructure-state="active" adversary:infrastructure-state="down"
The state would match the field 'status'. We haven't specified values for it yet.
> adversary:infrastructure-type="unknown" adversary:infrastructure-type="proxy"
In the ENISA taxonomies, proxies do not exist, so in intelmq that would be other/proxy (in taxonomy/type notation).
> adversary:infrastructure-type="drop-zone"
'information content security'/dropzone
> adversary:infrastructure-type="exploit-distribution-point"
Taxonomy is 'malicious code', but not sure about the type, probably 'malware configuration' or 'c&c'.
> adversary:infrastructure-type="vpn"
Not seen yet in intelmq, but that would be other/vpn.
> adversary:infrastructure-type="panel" adversary:infrastructure-type="tds"
Also not seen in intelmq yet, but these are probably types below 'malicious code'.
Sebastian
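The mapping discussed in the message above, turned into a small tag-to-field converter as an added example; this is not code from the thread, from MISP or from IntelMQ. It assumes the MISP triple-tag format `namespace:predicate="value"` seen in the quoted tags, the IntelMQ harmonization field names `classification.taxonomy`, `classification.type` and `status`, and encodes exactly the assumptions stated in the reply: values the message leaves undecided (the type for exploit-distribution-point, panel and tds) are left open and reported as notes rather than guessed, and predicates with no IntelMQ equivalent (infrastructure-status, infrastructure-action) produce no field at all.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed MISP triple-tag syntax: namespace:predicate="value"
TAG_RE = re.compile(r'^(?P<ns>[^:]+):(?P<pred>[^=]+)="(?P<val>[^"]*)"$')

# adversary:infrastructure-type value -> (classification.taxonomy, classification.type),
# following the assumptions in the reply. A None type means the thread left it undecided.
INFRA_TYPE_MAP: Dict[str, Tuple[str, Optional[str]]] = {
    "proxy": ("other", "proxy"),
    "drop-zone": ("information content security", "dropzone"),
    "exploit-distribution-point": ("malicious code", None),  # 'malware configuration' or 'c&c'?
    "vpn": ("other", "vpn"),
    "panel": ("malicious code", None),  # undecided
    "tds": ("malicious code", None),    # undecided
}

# Predicates the reply says have no equivalent IntelMQ field.
NO_EQUIVALENT = {"infrastructure-status", "infrastructure-action"}


def parse_tag(tag: str) -> Tuple[str, str, str]:
    """Split a MISP triple tag into (namespace, predicate, value)."""
    m = TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MISP triple tag: {tag!r}")
    return m.group("ns"), m.group("pred"), m.group("val")


def map_tag(tag: str) -> Dict[str, object]:
    """Map one tag to IntelMQ fields; 'note' explains why a tag yields nothing or is incomplete."""
    ns, pred, val = parse_tag(tag)
    fields: Dict[str, str] = {}
    note: Optional[str] = None
    if ns != "adversary":
        note = "namespace not handled"
    elif pred in NO_EQUIVALENT:
        note = "no equivalent IntelMQ field"
    elif pred == "infrastructure-state":
        # Assumption: the state value is passed through unchanged into 'status',
        # since the thread has not fixed the allowed values yet.
        if val == "unknown":
            note = "state unknown, status left unset"
        else:
            fields["status"] = val
    elif pred == "infrastructure-type":
        if val == "unknown":
            note = "type unknown, classification left unset"
        elif val in INFRA_TYPE_MAP:
            taxonomy, typ = INFRA_TYPE_MAP[val]
            fields["classification.taxonomy"] = taxonomy
            if typ is None:
                note = "classification.type undecided"
            else:
                fields["classification.type"] = typ
        else:
            note = "infrastructure-type value not in mapping"
    else:
        note = "predicate not handled"
    return {"fields": fields, "note": note}


def map_event_tags(tags: List[str]) -> Tuple[Dict[str, str], List[str]]:
    """Merge the fields of all tags of one event; conflicting values are reported, not overwritten."""
    merged: Dict[str, str] = {}
    notes: List[str] = []
    for tag in tags:
        result = map_tag(tag)
        for key, value in result["fields"].items():
            if key in merged and merged[key] != value:
                notes.append(f"{tag}: conflicting value for {key} ({merged[key]} vs {value})")
                continue
            merged[key] = value
        if result["note"]:
            notes.append(f"{tag}: {result['note']}")
    return merged, notes


# Constructed sample: tags as they might appear on one MISP event.
SAMPLE_TAGS = [
    'adversary:infrastructure-type="drop-zone"',
    'adversary:infrastructure-state="active"',
    'adversary:infrastructure-status="compromised"',
]

if __name__ == "__main__":
    fields, notes = map_event_tags(SAMPLE_TAGS)
    print(fields)
    for n in notes:
        print("note:", n)
```

Running it on the constructed sample yields `classification.taxonomy` = 'information content security', `classification.type` = 'dropzone' and `status` = 'active', plus a note that the infrastructure-status tag has no IntelMQ equivalent; a panel or tds tag would set only the taxonomy and leave a note that the type is still undecided.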