
SCOR MISP Framing: seed pass, preserve all UUIDs #1220

Merged: adulau merged 2 commits into MISP:main from h4ck32n4u75:scor-tens-phase2 on May 29, 2026

@h4ck32n4u75
Contributor

Scope

Seed the SCOR MISP Framing. Two new galaxies (scor-detection-signatures, scor-resilience-measures) and structural updates to five existing SCOR pairs (scor-about, scor-tens, scor-exposure-domain, scor-incidents, scor-attack-paths). One sidecar reference under doc/.

Per-galaxy outcome:

  • scor-about: descriptor galaxy rewritten as the SCOR MISP Framing overview. 8 value UUIDs preserved.
  • scor-tens: 30-TEN catalog per METEORSTORM Quick Guide section 8, unchanged. All 30 UUIDs preserved.
  • scor-exposure-domain: five values matching METEORSTORM Quick Guide Table 2.2 (Kinetic, Non-kinetic, Electronic Warfare (EW), Cyber Warfare, Other (environmental)). All 5 UUIDs preserved; descriptions refreshed.
  • scor-detection-signatures (new): reference vocabulary for AN-DET values. Seed value carries the full RootA YAML rule in meta.roota with the mandatory PCE/SEG/SVC/AST layer mapping. RootA rule UUID equals cluster value UUID.
  • scor-resilience-measures (new): reference vocabulary for AN-RES values. Seed value lists TRE candidates and is the normalization bridge for cross-framework controls (13 frameworks).
  • scor-incidents: 15 values at seed (11 historical inherited from the prior repo state, all UUIDs preserved; 4 demonstration entries added). Each value carries meta.confidence (1 to 10) and meta.confidence-basis.
  • scor-attack-paths: 8 values at seed (4 historical inherited with UUIDs preserved and content genericized to remove specific-incident attribution; 4 new archetypal paths). Each value carries meta.related-incidents linking back to scor-incidents UUIDs where applicable.

Reference

The SCOR MISP Framing is the rich knowledge companion to the METEORSTORM MISP taxonomy at MISP/misp-taxonomies/tree/main/meteorstorm. Relationship semantics, the detection-signature normative reference, and governance follow the SCOR MISP Framing reference document (Section 8 for relation types: TOE, TDM, TRE, exposure-domain, detected-by, mitigated-by; Section 7.4 for the detection-signature normative reference).

Cluster files ship vocabulary and metadata only. Relationships are built by SCOR Platform Professionals in MISP at investigation time. One structural exception: scor-incidents and scor-attack-paths ship TOE related[] links back to the parent TEN UUIDs in scor-tens, with the TEN form in the relation tags as scor:ten="LAYER-TAG-LABEL". This anchors each value to the template it instantiates without baking analyst judgment into the cluster JSON.

Preflight

All checks passed locally before commit:

  • Schema validation: 14/14 SCOR file pairs pass against schema_clusters.json and schema_galaxies.json.
  • tools/chk_empty_strings: exit 0.
  • tools/update_README_with_index.py: regenerated; README diff is confined to the SCOR section.
  • tools/mkdocs/generator.py: completes without errors against the SCOR content.
  • UUID-drop audit versus upstream/main: 58 existing UUIDs preserved, 8 newly added, 0 destroyed. Reference-galaxy UUIDs are immutable.
  • Galaxy version field incremented on every modified galaxy. New galaxies start at version 1.
  • Cross-reference resolution: every dest-uuid in related[] and every meta.related-incidents UUID resolves to an existing cluster value in the repo.
  • Format normalized with jq --sort-keys; executable bit stripped from all JSON.

Site-refresh request

The following six file pairs were removed from upstream/main in commit 7e0e48c3 (2026-05-16) but still appear in the misp-galaxy.org sidebar because the site's static index has not refreshed: scor-sparta-mitigations, scor-sparta-tactics, scor-sparta-techniques, scor-space-shield-mitigations, scor-space-shield-tactics, scor-space-shield-techniques. Please refresh the site build so the sidebar drops them. The equivalent SPARTA and SPACE-SHIELD content is now carried as cross-framework mappings inside scor-resilience-measures.

Attribution

Stewardship: H4CK32N4U75®, within the SCORP2 community. Contact: william.o.ferguson@hkn.space.

SCOR Incidents and SCOR Attack Paths are reviewed and published by certified SCOR Platform Professionals within the SCORP2 community, under the closed-commit governance described in the SCOR MISP Framing reference document.

@adulau adulau merged commit 8d717b3 into MISP:main May 29, 2026
3 checks passed
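
The UUID-drop audit and cross-reference resolution checks listed under Preflight, sketched as an added example (not the PR's or the MISP project's own tooling). It assumes the usual galaxy cluster layout (`values[]`, `related[].dest-uuid`, `meta`); the function names, sample clusters and placeholder UUIDs are constructed for illustration.

```python
# Added example: UUID-drop audit and cross-reference resolution over MISP galaxy
# cluster JSON. All sample data below is constructed; UUIDs are placeholders.

def index_values(clusters):
    """Map every cluster value UUID to the name of the cluster file it came from."""
    index = {}
    for name, cluster in clusters.items():
        for value in cluster.get("values", []):
            index[value["uuid"]] = name
    return index

def uuid_drop_audit(baseline, candidate):
    """Compare value UUIDs between two repo states; 'destroyed' must stay empty."""
    old, new = set(index_values(baseline)), set(index_values(candidate))
    return {"preserved": old & new, "added": new - old, "destroyed": old - new}

def unresolved_refs(clusters):
    """Return (source_uuid, field, target_uuid) for every dangling reference."""
    known = index_values(clusters)
    dangling = []
    for cluster in clusters.values():
        for value in cluster.get("values", []):
            targets = [("related", r.get("dest-uuid")) for r in value.get("related", [])]
            incidents = value.get("meta", {}).get("related-incidents", [])
            if isinstance(incidents, str):  # meta fields may be a string or a list
                incidents = [incidents]
            targets += [("meta.related-incidents", u) for u in incidents]
            dangling += [(value["uuid"], f, t) for f, t in targets if t not in known]
    return dangling

def sample_uuid(n):  # constructed placeholder UUID, not a real SCOR value
    return f"00000000-0000-4000-8000-{n:012d}"

BASELINE = {  # constructed "upstream/main" state
    "scor-tens": {"values": [{"uuid": sample_uuid(1), "value": "TEN-A"}]},
    "scor-incidents": {"values": [{"uuid": sample_uuid(2), "value": "Incident-A"}]},
}
CANDIDATE = {  # constructed PR state; sample_uuid(9) is deliberately dangling
    "scor-tens": {"values": [{"uuid": sample_uuid(1), "value": "TEN-A"}]},
    "scor-incidents": {"values": [{"uuid": sample_uuid(2), "value": "Incident-A",
        "related": [{"dest-uuid": sample_uuid(1), "type": "TOE"}]}]},
    "scor-attack-paths": {"values": [{"uuid": sample_uuid(3), "value": "Path-A",
        "related": [{"dest-uuid": sample_uuid(1), "type": "TOE"}],
        "meta": {"related-incidents": [sample_uuid(2), sample_uuid(9)]}}]},
}

if __name__ == "__main__":
    print({k: len(v) for k, v in uuid_drop_audit(BASELINE, CANDIDATE).items()})
    for src, field, target in unresolved_refs(CANDIDATE):
        print(f"unresolved {field}: {src} -> {target}")
```
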
@adulau
Member

adulau commented May 29, 2026

Thank you!

@h4ck32n4u75
Contributor Author

Thank you so much, that really means a lot. I am grateful to the CIRCL team for the guidance and for making room for this in MISP; none of it comes together without your stewardship of the platform.

I consider ESA and The Aerospace Corporation key stakeholders in this work, and I have shared a comprehensive guide with both, so we are working from the same picture. My path forward will keep things aligned with them as the seeding work matures and we move toward scaling.

What I am most happy about is that we finally have something that can literally track use cases that were a real gap before: ultra-complex scenarios like the Strait of Hormuz, aerial systems including drones, HAPS, and LAPS, and aquatic operations. Being able to model across all of those environments in one consistent structure is a big step.

Still plenty of work ahead, and I will keep everyone in the loop as it progresses. Thanks again to CIRCL for the collaboration.

@adulau
Member

adulau commented May 30, 2026

TBH, I'm also very impressed by your work and commitment to make the modeling of space-related security threats a reality. We might have more space-related projects soon within CIRCL too.

@h4ck32n4u75
Contributor Author

> TBH, I'm also very impressed by your work and commitment to make the modeling of space-related security threats a reality. We might have more space-related projects soon within CIRCL too.

Hope you had a great weekend, and I will be sharing more information with you in the next few weeks. Really appreciate the positive feedback.
