It's occurred to me, while pondering @domwhewell-sage's new secrets-looting module family, that BBOT could benefit a lot from having a discovery_context field on every event. This attribute would be a brief but mandatory description of how the event was discovered. By this I mean any relevant details/circumstances around the event's discovery. For example, a URL event's discovery context might be, "extracted from http body using fulluri regex". For a DNS_NAME it might be "speculated from its DNS parent", or "returned by the /subdomains endpoint of the securitytrails API".
In the graph, this attribute would be attached to the relationship, enriching the discovery chain and making it easier to follow. Also I think having this feature would simplify debugging.
We could automatically flatten this chain and attach it to each event like so:
```json
{
  "type": "DNS_NAME",
  "data": "www-test.evilcorp.com",
  "discovery_chain": "TARGET seeded scan with DNS_NAME evilcorp.com --> shodan_dns discovered DNS_NAME www.evilcorp.com from subdomains API with query: evilcorp.com --> nmap discovered OPEN_TCP_PORT www.evilcorp.com:443 via port scan --> httpx returned HTTP_RESPONSE from https://www.evilcorp.com --> excavate extracted URL_UNVERIFIED https://www-test.evilcorp.com from HTTP body via fulluri regex --> derived DNS_NAME www-test.evilcorp.com from URL"
}
```
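As an added illustration of the proposal (example code, not BBOT's own event implementation), the sketch below models each event with a mandatory `discovery_context` and a `source` link to its parent, then flattens the source chain into the `discovery_chain` string shown above. The `Event` class, `flatten_discovery_chain`, `to_json` and `build_sample_chain` are hypothetical names, and the `evilcorp.com` chain is constructed sample data mirroring the issue's example.

```python
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Event:
    """Minimal stand-in for a BBOT event (hypothetical; not BBOT's own class)."""

    type: str
    data: str
    discovery_context: str  # mandatory: how this event was discovered
    source: Optional["Event"] = None  # parent event in the discovery graph

    def __post_init__(self) -> None:
        # discovery_context is mandatory: refuse events that give no account of their origin
        if not self.discovery_context or not self.discovery_context.strip():
            raise ValueError(f"{self.type} {self.data}: discovery_context is required")

    def chain(self) -> List[str]:
        """Walk source links from this event back to the seed and return the
        discovery contexts in discovery order (seed first)."""
        contexts: List[str] = []
        seen = set()
        node: Optional[Event] = self
        while node is not None:
            if id(node) in seen:  # guard against an accidental cycle in the graph
                raise ValueError("cycle in event source chain")
            seen.add(id(node))
            contexts.append(node.discovery_context)
            node = node.source
        contexts.reverse()
        return contexts


def flatten_discovery_chain(event: Event) -> str:
    """Join the per-event contexts into the single discovery_chain string."""
    return " --> ".join(event.chain())


def to_json(event: Event) -> str:
    """Serialize an event with its flattened chain attached, as the issue proposes."""
    return json.dumps(
        {
            "type": event.type,
            "data": event.data,
            "discovery_chain": flatten_discovery_chain(event),
        },
        indent=2,
    )


def build_sample_chain() -> Event:
    """Constructed sample chain reproducing the issue's example (evilcorp.com is a placeholder)."""
    target = Event("DNS_NAME", "evilcorp.com",
                   "TARGET seeded scan with DNS_NAME evilcorp.com")
    sub = Event("DNS_NAME", "www.evilcorp.com",
                "shodan_dns discovered DNS_NAME www.evilcorp.com from subdomains API with query: evilcorp.com",
                target)
    port = Event("OPEN_TCP_PORT", "www.evilcorp.com:443",
                 "nmap discovered OPEN_TCP_PORT www.evilcorp.com:443 via port scan", sub)
    resp = Event("HTTP_RESPONSE", "https://www.evilcorp.com",
                 "httpx returned HTTP_RESPONSE from https://www.evilcorp.com", port)
    url = Event("URL_UNVERIFIED", "https://www-test.evilcorp.com",
                "excavate extracted URL_UNVERIFIED https://www-test.evilcorp.com from HTTP body via fulluri regex",
                resp)
    return Event("DNS_NAME", "www-test.evilcorp.com",
                 "derived DNS_NAME www-test.evilcorp.com from URL", url)


if __name__ == "__main__":
    print(to_json(build_sample_chain()))
```

Because the context is validated at construction time, a module that emits an event without saying how it found it fails immediately, which is the enforcement the "mandatory" requirement implies; the flattened string is derived on demand, so the per-relationship context remains the single source of truth for the graph.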