-
Notifications
You must be signed in to change notification settings - Fork 1
/
protocol_definitions.txt
42 lines (39 loc) · 3.18 KB
/
protocol_definitions.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Graph items:
Items exchanged through the graph app should use the DCES format. It can be found at http://infosecanalytics.blogspot.com/2013/02/it-has-come-time-to-provide-standard.html
Cypher Results:
Cypher results will return a list. The first time of the list will be the column headers of the data returned by the cypher query. The remaining items in the list are the results. Each result is a list of the actual fields requested returned by the cypher.
Example:
query: "START n = node(*) MATCH n-[r]->m RETURN r, ID(n), ID(m);"
results: [["r", "ID(n)", "ID(m)"], [{1:{"weight":1, "color":"blue"}}, 2, 3], [{2...]...]
Note: As a propertie may be a dictionary it's self, be prepared to introspectively parse nodes, edges, and properties.
Client RPC Declarations:
A dictionary containing:
host: <host the client is serving the RPC on>
port: <port number the client is serving the RPC on>
URI: <URI at which the RPC can be reached>
help: <a string, URL, or other location where information on the RPC function, arguements, and return can be found.>
Graph Standard:
-all property names must be lower case
-Nodes must have the following properties:
--"class": May be "actor", "event", "condition", "attribute"
--"cpt": must be a JSON string in the format defined at http://infosecanalytics.blogspot.com/2013/03/conditional-probability-tables-in-json.html
--"start": The time the node is created. Time should be in ISO 8601 combined date and time format (e.g. 2013-03-14T16:57Z)
--"ID": Assigned by database.
-Nodes must have property "label".
-The "label" property of nodes of "class" "event", "condition", or "actor" will contain a string holding a narrative describing the actor, event, or condition
-The "label" property of nodes of "class" "attribute" must contain a JSON formatted string with a single "{'type':'value'}" pair. Type is the type/name of the attribute and value the value.
-Nodes of any class MAY have property "comments" providing additional narrative on the node
-Nodes of any class MAY have property "finish" providing a finish time for the node. Time should be in ISO 8601 combined date and time format (e.g. 2013-03-14T16:57Z)
-Edges must have the following properties:
--"source": the id of the source node
--"target": the id of the target node
--"id": id assigned by the database
--"relationship": value of "influence" if "source" property "class" is "attribute" and "target" property "class" is "event" or "condition"
value of "leads to" if "source" property "class" is "event", "threat", or "condition" and "target" property "class" is "actor", "event", or "condition"
value of "described by" if "source" property "class" is "event", "condition", or "actor" and "target" property "class" is "attribute"
value of "described by" if both "source" and "target" property "class" are "attribute"
--"directed": value of "True"
-Edges may have a property "confidence" with an integer value from 0 to 100 representing the percent confidence
-Edges must be directed
-Nodes and Edges may have additional properties, however they will not be validated and may be ignored by the attack graph.
-Nodes and Edges missing values may still be accepted if the value can be filled in.