{"$schema":"https://domains.younndai.com/schemas/domain.json","domain":"yon.security","version":"1.0","status":"active","state":"active","tier":"official","verified":true,"score":1,"notice":null,"description":"Cybersecurity operations, incident response, threat intelligence, and vulnerability management with STIX/MITRE ATT&CK alignment","defaultMode":"struct","defaultProfile":"audit","defaultFormat":"canon","records":[{"tag":"IOC","fields":[{"name":"rid","type":"string","example":"ioc:2026-0042","required":true,"description":"Record ID"},{"enum":["ip","domain","hash-md5","hash-sha256","url","email","file","registry-key"],"name":"type","type":"string","example":"ip","required":false,"description":"Indicator Type (8 allowed values)"},{"name":"value","type":"string","example":"203.0.113.42","required":false,"description":"Indicator Value"},{"name":"pattern","type":"string","example":"[ipv4-addr:value = '203.0.113.42']","required":false,"description":"Detection Pattern"},{"enum":["stix","sigma","yara","snort","suricata"],"name":"pattern_type","type":"string","example":"stix","required":false,"description":"Pattern Type: stix, sigma, yara, snort, suricata"},{"name":"valid_from","type":"ts","example":"2026-03-01T00:00:00Z","required":false,"description":"Valid From as ISO 8601 timestamp"},{"name":"valid_until","type":"ts","example":"2026-06-01T00:00:00Z","required":false,"description":"Valid Until as ISO 8601 timestamp"},{"name":"confidence","type":"float","range":[0,100],"example":"85.0","required":false,"description":"Confidence (0–100)"},{"name":"first_seen","type":"ts","example":"2026-03-01T14:30:00Z","required":false,"description":"First Seen as ISO 8601 timestamp"},{"enum":["white","green","amber","amber-strict","red"],"name":"tlp","type":"string","example":"amber","required":false,"description":"TLP Level: white, green, amber, amber-strict, red"},{"name":"port","type":"int","range":[1,65535],"example":"443","required":false,"description":"Port 
(1–65535)"},{"enum":["inbound","outbound","internal","lateral"],"name":"direction","type":"string","example":"outbound","required":false,"description":"Direction: inbound, outbound, internal, lateral"}],"description":"Indicator of compromise — STIX 2.1 Indicator aligned, observable artifact with detection pattern and temporal validity"},{"tag":"ASSET","fields":[{"name":"host","type":"string","example":"web-prod-01.corp.local","required":false,"description":"Hostname"},{"enum":["server","workstation","network","storage","cloud","iot","mobile"],"name":"role","type":"string","example":"server","required":false,"description":"Asset Role (7 allowed values)"},{"name":"os","type":"string","example":"Ubuntu 24.04 LTS","required":false,"description":"Operating System"},{"name":"patch_level","type":"ts","example":"2026-03-01","required":false,"description":"Patch Level as ISO 8601 timestamp"},{"enum":["critical","high","medium","low"],"name":"criticality","type":"string","example":"high","required":false,"description":"Criticality: critical, high, medium, low"}],"description":"Asset inventory — network-connected resource with criticality rating and patch posture"},{"tag":"TLINE","fields":[{"name":"ts","type":"ts","example":"2026-03-10T14:32:15Z","required":false,"description":"Event Timestamp as ISO 8601 timestamp"},{"name":"action","type":"string","example":"process_creation","required":false,"description":"Action"},{"name":"actor","type":"string","example":"NT AUTHORITY\\SYSTEM","required":false,"description":"Actor"},{"name":"evidence","type":"string","example":"powershell.exe -enc base64...","required":false,"description":"Evidence"}],"description":"Incident timeline — chronological event during incident response with evidence chain"},{"tag":"CONTAINMENT","fields":[{"enum":["isolate","block-ip","disable-account","quarantine","sinkhole","network-segment"],"name":"action","type":"string","example":"isolate","required":false,"description":"Containment Action (6 allowed 
values)"},{"name":"target","type":"string","example":"web-prod-01","required":false,"description":"Target"},{"enum":["pending","active","completed","failed","rolled-back"],"name":"status","type":"string","example":"active","required":false,"description":"Status: pending, active, completed, failed, rolled-back"},{"name":"automated","type":"bool","example":"true","required":false,"description":"Automated indicator"}],"description":"Containment action — isolation or blocking measures during active incident"},{"tag":"ERADICATION","fields":[{"enum":["malware-removal","credential-reset","patch-apply","reimage","persistence-cleanup","account-disable"],"name":"action","type":"string","example":"malware-removal","required":false,"description":"Eradication Action (6 allowed values)"},{"name":"target","type":"string","example":"web-prod-01","required":false,"description":"Target"},{"enum":["pending","in-progress","completed","verified"],"name":"status","type":"string","example":"completed","required":false,"description":"Status: pending, in-progress, completed, verified"},{"name":"verification","type":"string","example":"EDR clean scan + network baseline restored","required":false,"description":"Verification"}],"description":"Eradication action — removal of threat artifacts and verification of clean state"},{"tag":"SIEM_ALERT","fields":[{"enum":["info","low","medium","high","critical"],"name":"severity","type":"string","example":"high","required":false,"description":"Severity: info, low, medium, high, critical"},{"name":"rule","type":"string","example":"Suspicious PowerShell Execution","required":false,"description":"Detection Rule"},{"name":"source_ip","type":"string","example":"10.0.1.42","required":false,"description":"Source IP"},{"name":"dest_ip","type":"string","example":"203.0.113.42","required":false,"description":"Destination 
IP"},{"enum":["TCP","UDP","ICMP","HTTP","HTTPS","DNS","SSH","SMB","RDP","other"],"name":"protocol","type":"string","example":"TCP","required":false,"description":"Protocol (10 allowed values)"}],"description":"SIEM alert — correlated security event from detection rules"},{"tag":"VULNERABILITY","fields":[{"name":"cve","type":"string","example":"CVE-2026-1234","pattern":"^CVE-\\d{4}-\\d{4,}$","required":false,"description":"CVE ID in CVE-YYYY-NNNN form"},{"name":"cvss","type":"float","unit":"0-10","range":[0,10],"example":"9.1","required":false,"description":"CVSS Score (0–10)"},{"enum":["none","low","medium","high","critical"],"name":"severity","type":"string","example":"critical","required":false,"description":"Severity: none, low, medium, high, critical"},{"name":"affected","type":"string","example":"Apache HTTP Server 2.4.x","required":false,"description":"Affected System"},{"name":"patch_available","type":"bool","example":"true","required":false,"description":"Whether a patch is available"},{"name":"exploited","type":"bool","example":"false","required":false,"description":"Whether the vulnerability is known to be exploited in the wild"}],"description":"Vulnerability record — CVE-referenced finding with CVSS scoring and exploit status"},{"tag":"THREAT","fields":[{"name":"name","type":"string","example":"APT28 (Fancy Bear)","required":false,"description":"Threat Actor Name"},{"enum":["apt","cybercrime","hacktivism","insider","nation-state"],"name":"category","type":"string","example":"apt","required":false,"description":"Category: apt, cybercrime, hacktivism, insider, nation-state"},{"name":"confidence","type":"float","range":[0,100],"example":"85.0","required":false,"description":"Confidence (0–100)"},{"enum":["white","green","amber","amber-strict","red"],"name":"tlp","type":"string","example":"amber","required":false,"description":"TLP Level: white, green, amber, amber-strict, red"},{"name":"source","type":"string","example":"CISA Advisory","required":false,"description":"Intelligence 
Source"},{"name":"ttps","type":"string","example":"T1566.001, T1059.001, T1003.001","required":false,"description":"TTPs (ATT&CK)"},{"name":"actor","type":"string","example":"GRU Unit 26165","required":false,"description":"Actor Attribution"}],"description":"Threat intelligence — STIX ThreatActor aligned, actor profiles and TTP mapping with MITRE ATT&CK and TLP marking"}],"schemaHash":null,"recordCount":8,"totalFieldCount":47,"meta":{"links":[{"url":"https://attack.mitre.org/","type":"standard","label":"MITRE ATT&CK"},{"url":"https://oasis-open.github.io/cti-documentation/","type":"standard","label":"STIX/TAXII"},{"url":"https://cve.mitre.org/","type":"reference","label":"CVE Database"},{"url":"https://www.nist.gov/cyberframework","type":"standard","label":"NIST CSF"},{"url":"https://www.first.org/cvss/calculator/3.1","type":"reference","label":"CVSS Calculator"}],"related":[{"domain":"yon.compliance","reason":"Security audit and compliance reporting","relationship":"regulatory overlap"},{"domain":"yon.devops","reason":"Infrastructure security monitoring","relationship":"often paired"},{"domain":"yon.infrastructure","reason":"Critical infrastructure protection","relationship":"data source"}],"tagline":"Cybersecurity incident response and threat intelligence for AI SOCs","use_cases":[{"id":"soc-operations","tags":["SIEM_ALERT","IOC","TLINE","CONTAINMENT","ERADICATION","ASSET"],"steps":["Ingest @ALERT from SIEM with Sigma rule matching","Correlate @ACCESS_EVENT logs for lateral movement detection","Enrich @THREAT intelligence from STIX/TAXII feeds","Assess @VULNERABILITY exposure in affected systems","Escalate confirmed @INCIDENT with severity and containment plan"],"title":"Security Operations Center (SOC) Pipeline","example":"@ALERT rid=al:1 | rule=\"sigma:lateral_movement\" | severity=\"high\" | source_ip=\"10.0.1.42\" | status=\"investigating\"","tags_used":["ALERT","ACCESS_EVENT","THREAT","VULNERABILITY","INCIDENT"],"description":"Correlate SIEM alerts with 
threat intelligence IOCs, triage incidents, and execute containment/eradication playbooks. Track asset criticality for prioritized response."},{"id":"vulnerability-management","tags":["VULNERABILITY","ASSET","THREAT","IOC"],"steps":["Execute @SCAN across infrastructure and applications","Prioritize @VULNERABILITY by CVSS score and exploit availability","Map @VULNERABILITY to @THREAT actor TTPs (ATT&CK)","Verify @POLICY compliance against CIS/NIST benchmarks","Track remediation via @CREDENTIAL rotation and patching"],"title":"Continuous Vulnerability Management","example":"@VULNERABILITY rid=vln:1 | cve=\"CVE-2026-1234\" | cvss:float=9.1 | status=\"open\" | affected_asset=\"web-server-01\"","tags_used":["SCAN","VULNERABILITY","THREAT","POLICY","CREDENTIAL"],"description":"Scan assets for CVEs, prioritize by CVSS score and exploit availability, and track remediation through patch deployment verification across the network."}],"highlights":["IOC","VULNERABILITY","THREAT"],"tag_context":{"IOC":{"purpose":"Machine-readable threat indicators for automated detection and blocking","when_to_use":"Threat hunting, SOAR playbooks, intelligence sharing, feed ingestion, blocklist generation","related_standards":["STIX 2.1 Indicator","OpenIOC","YARA"]},"ASSET":{"purpose":"Network-connected resource with criticality rating, patch posture, and role assignment","when_to_use":"Asset inventory, attack surface mapping, patch compliance, BIA classification, CMDB synchronization","related_standards":["NIST CSF Identify","ISO 27001 A.8 Asset Mgmt","CIS Controls v8"]},"TLINE":{"purpose":"Chronological event during incident response with evidence chain","when_to_use":"Incident reconstruction, forensic timeline building, evidence correlation, post-mortem analysis, legal discovery","related_standards":["MITRE ATT&CK Navigator","STIX 2.1 Sighting","Diamond Model"]},"THREAT":{"purpose":"Threat actor profiles and TTP mapping with MITRE ATT&CK alignment","when_to_use":"Threat intelligence 
enrichment, attribution, adversary tracking, campaign correlation, red team emulation","related_standards":["MITRE ATT&CK","STIX 2.1 (OASIS)","CVE (MITRE)"]},"SIEM_ALERT":{"purpose":"Correlated security event from detection rules with severity and network context","when_to_use":"Alert triage, SOC workflow, detection rule tuning, false positive tracking, incident escalation","related_standards":["Sigma Rules","OCSF v1.1","CEF (ArcSight)"]},"CONTAINMENT":{"purpose":"Isolation or blocking measures during active incident with automation tracking","when_to_use":"Active incident response, network isolation, account suspension, firewall rule creation, blast radius limitation","related_standards":["NIST SP 800-61r3","SANS IR Steps","ISO 27035-2"]},"ERADICATION":{"purpose":"Removal of threat artifacts with verification of clean state and remediation tracking","when_to_use":"Malware removal, persistence mechanism cleanup, credential reset coordination, clean state verification","related_standards":["NIST SP 800-61r3","MITRE D3FEND","CIS Controls v8"]},"VULNERABILITY":{"purpose":"CVE-referenced vulnerability tracking with patch and exploit status","when_to_use":"Vulnerability management, risk scoring, compliance reporting, patch prioritization, SLA tracking","related_standards":["CVE/NVD","CVSS v4.0","CWE (MITRE)"]}}},"registry":{"domain":{"path":"yon.security","owner":{"url":"https://younndai.com","name":"YounndAI Domains Registry","since":"2026-01-15T00:00:00Z","organization":"YounndAI"},"state":"active","notice":null,"created":"2026-01-15T00:00:00Z","lastUpdated":"2026-03-02T01:19:51.127Z"},"namespace":{"path":"yon","type":"official","owner":{"url":"https://younndai.com","name":"YounndAI Domains Registry","since":"2026-01-15T00:00:00Z","organization":"YounndAI"},"state":"active","notice":null}},"owner":{"url":"https://younndai.com","name":"YounndAI Domains Registry","since":"2026-01-15T00:00:00Z","organization":"YounndAI"}}