
Commit ad0624b

refactor: simplify association rules and expand threat intelligence coverage
1 parent fd242a8 commit ad0624b


1 file changed

+191
-135
lines changed


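--- a/threadwinds-ingestion/internal/association/association_rules.go
+++ b/threadwinds-ingestion/internal/association/association_rules.go
@@ -7,149 +7,205 @@ const (
 Aggregation AssociationMode = "aggregation"
 )
 
-type RuleCategory string
-
-const (
-CategoryNetwork RuleCategory = "network"
-CategoryIdentity RuleCategory = "identity"
-)
-
 type AssociationRule struct {
-Name string
-SourceType string
-TargetType string
-Mode AssociationMode
-Category RuleCategory
-Description string
-Enabled bool
-Priority int
+Name string
+SourceType string
+TargetType string
+Mode AssociationMode
+Enabled bool
 }
 
 var DefaultRules = []*AssociationRule{
-// Network Associations
-{
-Name: "ip-to-port",
-SourceType: "ip",
-TargetType: "port",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "IP exposes port",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "port-to-ip",
-SourceType: "port",
-TargetType: "ip",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "Port exposed on IP",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "hostname-to-ip",
-SourceType: "hostname",
-TargetType: "ip",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "Hostname resolves to IP",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "ip-to-hostname",
-SourceType: "ip",
-TargetType: "hostname",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "IP resolves to hostname",
-Enabled: true,
-Priority: 10,
+// Network Infrastructure
+{
+Name: "ip-to-port",
+SourceType: "ip",
+TargetType: "port",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "port-to-service",
+SourceType: "port",
+TargetType: "service",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "domain-to-ip",
+SourceType: "domain",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "ip-to-domain",
+SourceType: "ip",
+TargetType: "domain",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "subdomain-to-domain",
+SourceType: "domain",
+TargetType: "domain",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "url-to-domain",
+SourceType: "url",
+TargetType: "domain",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "url-to-ip",
+SourceType: "url",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
 },
 
-// Identity Associations
-{
-Name: "username-to-ip",
-SourceType: "username",
-TargetType: "ip",
-Mode: Association,
-Category: CategoryIdentity,
-Description: "User accessed from IP",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "ip-to-username",
-SourceType: "ip",
-TargetType: "username",
-Mode: Association,
-Category: CategoryIdentity,
-Description: "IP accessed by user",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "username-to-hostname",
-SourceType: "username",
-TargetType: "hostname",
-Mode: Association,
-Category: CategoryIdentity,
-Description: "User accessed from hostname",
-Enabled: true,
-Priority: 9,
-},
-{
-Name: "hostname-to-username",
-SourceType: "hostname",
-TargetType: "username",
-Mode: Association,
-Category: CategoryIdentity,
-Description: "Hostname accessed by user",
-Enabled: true,
-Priority: 9,
+// Geographic and ASN
+{
+Name: "ip-to-asn",
+SourceType: "ip",
+TargetType: "asn",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "asn-to-organization",
+SourceType: "asn",
+TargetType: "organization",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "domain-to-asn",
+SourceType: "domain",
+TargetType: "asn",
+Mode: Association,
+Enabled: true,
 },
 
-// ASN Associations
-{
-Name: "ip-to-asn",
-SourceType: "ip",
-TargetType: "asn",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "IP belongs to ASN",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "asn-to-ip",
-SourceType: "asn",
-TargetType: "ip",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "ASN contains IP",
-Enabled: true,
-Priority: 10,
-},
-{
-Name: "hostname-to-asn",
-SourceType: "hostname",
-TargetType: "asn",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "Hostname resolves to IP in ASN",
-Enabled: true,
-Priority: 9,
-},
-{
-Name: "asn-to-hostname",
-SourceType: "asn",
-TargetType: "hostname",
-Mode: Association,
-Category: CategoryNetwork,
-Description: "ASN contains hostname",
-Enabled: true,
-Priority: 9,
+// Identity and Access
+{
+Name: "user-to-ip",
+SourceType: "user",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "user-to-hostname",
+SourceType: "user",
+TargetType: "hostname",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "user-to-account",
+SourceType: "user",
+TargetType: "account",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "email-to-user",
+SourceType: "email",
+TargetType: "user",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "email-to-domain",
+SourceType: "email",
+TargetType: "domain",
+Mode: Aggregation,
+Enabled: true,
+},
+
+// Threat Intelligence
+{
+Name: "malware-to-ip",
+SourceType: "malware",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "malware-to-domain",
+SourceType: "malware",
+TargetType: "domain",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "malware-to-url",
+SourceType: "malware",
+TargetType: "url",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "hash-to-malware",
+SourceType: "hash",
+TargetType: "malware",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "ip-to-threat-actor",
+SourceType: "ip",
+TargetType: "threat-actor",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "domain-to-threat-actor",
+SourceType: "domain",
+TargetType: "threat-actor",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "cve-to-exploit",
+SourceType: "cve",
+TargetType: "exploit",
+Mode: Aggregation,
+Enabled: true,
+},
+{
+Name: "vulnerability-to-ip",
+SourceType: "vulnerability",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
+},
+
+// Legacy (backward compatibility)
+{
+Name: "hostname-to-ip",
+SourceType: "hostname",
+TargetType: "ip",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "ip-to-hostname",
+SourceType: "ip",
+TargetType: "hostname",
+Mode: Association,
+Enabled: true,
+},
+{
+Name: "hostname-to-user",
+SourceType: "hostname",
+TargetType: "user",
+Mode: Association,
+Enabled: true,
 },
 }
 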
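Review bot: The new `subdomain-to-domain` rule has `SourceType: "domain"` and `TargetType: "domain"`, so as far as the rule itself is concerned it matches any domain-to-domain pair; unless the matcher (outside this hunk) distinguishes a subdomain from its parent some other way, it cannot express the relation its name promises, and a rule-level `SourceType: "subdomain"` or a note on how the engine resolves it is needed. `ip-to-asn` also changes from `Mode: Association` to `Mode: Aggregation` while keeping its name, which the commit message ("simplify") does not mention; if intentional, a one-line comment on that entry saying why would stop it reading as a typo. Dropping `Description` and `Priority` from `AssociationRule` leaves each rule undocumented and makes evaluation order depend on slice position, so a doc comment on `DefaultRules` stating that rules are applied in declaration order (if that is what the engine does) and a trailing comment per rule carrying the old one-line meaning would preserve what was lost. Removing the exported `RuleCategory` type, its constants and three exported struct fields is an API break for any caller outside this file that reads them.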
