HARM: type 'leak' -> 'data-leak' align with RSIT
The type is called data-leak in RSIT, rename here with backwards
compatibility

see #1409
Sebastian Wagner committed Mar 24, 2020
1 parent 1c56722 commit 0315bf6
Showing 10 changed files with 20 additions and 10 deletions.
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -33,6 +33,7 @@ Update allowed classification fields to 2020-01-28 version (#1409, #1476). Old n
- The taxonomy `information content security` has been renamed to `information-content-security`.
- The validation of type `unauthorised-information-access` has been fixed, a bug prevented the use of it.
- The validation of type `unauthorised-information-modification` has been fixed, a bug prevented the use of it.
- The type `leak` has been renamed to `data-leak`.
- The taxonomy `intrusion attempts` has been renamed to `intrusion-attempts`.
- The taxonomy `information gathering` has been rename to `information-gathering`.
- The taxonomy `malicious code` has been renamed to `malicious-code`.
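Review bot: while this hunk touches the same rename list, the unchanged context entry two lines above the added one reads "has been rename to `information-gathering`" and is missing the "d" ("has been renamed to"); a one-word fix in the same commit would keep the CHANGELOG entries consistent.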
4 changes: 4 additions & 0 deletions NEWS.md
Expand Up @@ -19,6 +19,7 @@ A few classification scheme has been updated to better match the [Reference Secu
|-|-|-|-|-|-|-|-|
| abusive content | | abusive-content | |
| information content security | | information-content-security | |
| information content security | leak | information-content-security | data-leak |
| intrusion attempts | | intrusion-attempts | |
| information gathering | | information-gathering | |
| malicious code | | malicious-code | |
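Review bot: the table's separator row `|-|-|-|-|-|-|-|-|` declares eight columns while every data row, including the added `leak` to `data-leak` row, has four cells; the new row is fine, but the separator should be trimmed to `|-|-|-|-|` so the table renders with the intended four columns (old taxonomy, old type, new taxonomy, new type).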
Expand All @@ -44,6 +45,9 @@ UPDATE events
UPDATE events
SET "classification.taxonomy" = 'information content security'
WHERE "classification.taxonomy" = 'information-content-security';
UPDATE events
SET "classification.type" = 'data-leak'
WHERE "classification.type" = 'leak' AND "classification.taxonomy" = 'information-content-security';
UPDATE events
SET "classification.taxonomy" = 'intrusion attempts'
WHERE "classification.taxonomy" = 'intrusion-attempts';
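Review bot: the added UPDATE runs in the opposite direction to its neighbours. The statements directly above and below it map the new hyphenated taxonomy back to the old spaced one (`SET "classification.taxonomy" = 'information content security' WHERE "classification.taxonomy" = 'information-content-security'`), whereas the new statement maps the old type `leak` to the new `data-leak`. Its WHERE clause also combines the old type with the new taxonomy name, a state rows only reach after the taxonomy statement has been applied in the forward direction. Either this block is the rollback script and the added lines should read `SET "classification.type" = 'leak' WHERE "classification.type" = 'data-leak'`, or the neighbouring statements are reversed; please confirm the intended direction so that all statements in this section agree.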
2 changes: 1 addition & 1 deletion docs/Data-Harmonization.md
Expand Up @@ -105,7 +105,7 @@ The taxonomy can be automatically added by the taxonomy expert bot based on the
|information-content-security|unauthorised-information-modification|Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data.|
|information-content-security|data-loss|Loss of data, e.g. caused by harddisk failure or physical theft.|
|information-content-security|dropzone|This IOC refers to place where the compromised machines store the stolen user data. Not in ENISA eCSIRT-II taxonomy.|
|information-content-security|leak|IOCs relating to leaked credentials or personal data. Not in ENISA eCSIRT-II taxonomy.|
|information-content-security|data-leak|Leaked confidential information like credentials or personal data.|
|information gathering|scanner|Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...), port scanning.|
|information-gathering|sniffing|Observing and recording of network traffic (wiretapping).|
|information-gathering|social-engineering|Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.|
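Review bot: the unchanged `scanner` row directly below the replaced line still uses the unhyphenated taxonomy `information gathering`, while the `sniffing` and `social-engineering` rows use `information-gathering`; since this commit aligns names with RSIT and already edits this table, the `scanner` row should be updated to `information-gathering` too. The `social-engineering` description also ends with a sentence about brute-force attacks over an application protocol that does not belong to that type and looks like a copy-paste remnant.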
3 changes: 2 additions & 1 deletion docs/Harmonization-fields.md
Expand Up @@ -165,6 +165,7 @@ These old values are automatically mapped to the new ones:
'infected system' -> 'infected-system'
'malware configuration' -> 'malware-configuration'
'Unauthorised-information-access' -> 'unauthorised-information-access'
'leak' -> 'data-leak'

Allowed values are:
* application-compromise
Expand All @@ -187,7 +188,7 @@ Allowed values are:
* ids-alert
* infected-system
* information-disclosure
* leak
* data-leak
* malware
* malware-configuration
* malware-distribution
2 changes: 1 addition & 1 deletion intelmq/bots/experts/idea/expert.py
Expand Up @@ -46,7 +46,7 @@ class IdeaExpertBot(Bot):
"blacklist": "Other",
"dga domain": "Anomaly.Behaviour",
"proxy": "Vulnerable.Config",
"leak": "Information",
"data-leak": "Information",
"tor": "Other",
"other": "Other",
"unknown": "Other",
2 changes: 1 addition & 1 deletion intelmq/bots/experts/taxonomy/expert.py
Expand Up @@ -29,7 +29,7 @@
"unauthorised-information-modification": "information-content-security",
"data-loss": "information-content-security",
"dropzone": "information-content-security", # not in ENISA eCSIRT-II taxonomy
"leak": "information-content-security", # not in ENISA eCSIRT-II taxonomy
"data-leak": "information-content-security",
"scanner": "information-gathering",
"sniffing": "information-gathering",
"social-engineering": "information-gathering",
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/hibp/parser_callback.py
Expand Up @@ -42,7 +42,7 @@ def parse_line(self, request, report):
pass

event['classification.taxonomy'] = 'information-content-security'
event['classification.type'] = 'leak'
event['classification.type'] = 'data-leak'

for email in sorted(filter(bool, set([request.get('Email')] + request["DomainEmails"]))):
if not email:
2 changes: 1 addition & 1 deletion intelmq/bots/parsers/n6/parser_n6stomp.py
Expand Up @@ -34,7 +34,7 @@
mapping['fraud'] = {"taxonomy": "fraud",
"type": "account numbers", "identifier": "fraud"}
mapping['leak'] = {"taxonomy": "information-content-security",
"type": "leak", "identifier": "leak"}
"type": "data-leak", "identifier": "leak"}
mapping['malurl'] = {"taxonomy": "malicious-code",
"type": "exploit", "identifier": "malurl"}
mapping['malware-action'] = {"taxonomy": "malicious-code",
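Review bot: no test for the n6 parser is updated in this commit, only the HIBP parser tests are among the ten changed files, so nothing here verifies that the `leak` category now yields `classification.type` `data-leak`. Keeping the dictionary key and the `identifier` as `leak` is right, since that is n6's own category name and the identifier is meant to preserve it, but please check the n6 parser test fixtures for an expected `"classification.type": "leak"` and add or adjust an assertion for `data-leak`.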
6 changes: 5 additions & 1 deletion intelmq/lib/harmonization.py
Expand Up @@ -253,6 +253,7 @@ class ClassificationType(String):
'infected system' -> 'infected-system'
'malware configuration' -> 'malware-configuration'
'Unauthorised-information-access' -> 'unauthorised-information-access'
'leak' -> 'data-leak'
Allowed values are:
* """
Expand All @@ -277,7 +278,7 @@ class ClassificationType(String):
'ids-alert',
'infected-system',
'information-disclosure',
'leak',
'data-leak',
'malware',
'malware-configuration',
'malware-distribution',
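Review bot: substituting `'data-leak'` in place of `'leak'` breaks the alphabetical order of the allowed-values list (`'information-disclosure'`, `'data-leak'`, `'malware'`); move the entry up to sit between `'brute-force'`-range values and `'data-loss'`, and apply the same reordering to the copy of this list in `docs/Harmonization-fields.md` touched by this commit, so both stay sorted and easy to diff against the RSIT list.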
Expand Down Expand Up @@ -351,6 +352,9 @@ def sanitize(value: str) -> Optional[str]:
# https://github.com/certtools/intelmq/pull/1476/files
elif value == 'Unauthorised-information-access':
value = 'unauthorised-information-access'
# https://github.com/certtools/intelmq/issues/1409
elif value == 'leak':
value = 'data-leak'
return GenericType().sanitize(value)


6 changes: 3 additions & 3 deletions intelmq/tests/bots/parsers/hibp/test_parser_callback.py
Expand Up @@ -23,7 +23,7 @@
"extra.domain_emails": BREACHREQUEST["DomainEmails"],
"extra.breach": BREACHREQUEST["Breach"],
"classification.taxonomy": "information-content-security",
"classification.type": "leak",
"classification.type": "data-leak",
"classification.identifier": "breach",
"source.account": "test2@example.com",
"source.fqdn": "example.com",
Expand All @@ -43,7 +43,7 @@
"extra.domain_emails": PASTEREQUEST["DomainEmails"],
"extra.paste": PASTEREQUEST["Paste"],
"classification.taxonomy": "information-content-security",
"classification.type": "leak",
"classification.type": "data-leak",
"classification.identifier": "paste",
"source.account": "test2@example.com",
"source.fqdn": "example.com",
Expand All @@ -65,7 +65,7 @@
"extra.domain_emails": BREACHREALREQUEST["DomainEmails"],
"extra.breach": BREACHREALREQUEST["Breach"],
"classification.taxonomy": "information-content-security",
"classification.type": "leak",
"classification.type": "data-leak",
"classification.identifier": "breach",
"source.fqdn": "example.com",
"__type": "Event"
