misp-objects/objects/shadowserver-malware-url-re.../definition.json

128 lines
4.2 KiB
JSON
Raw Normal View History

{
"attributes": {
"application": {
"description": "Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet. ",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"http",
"https",
"ssh",
"telnet"
],
"ui-priority": 0
},
"asn": {
"description": "ASN where the IP resides",
"misp-attribute": "AS",
"ui-priority": 0
},
"city": {
"description": "City location of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"geo": {
"description": "Country location of the IP",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"host": {
"description": "Any of the capabilities identified for the malware instance or family.",
"misp-attribute": "hostname",
"multiple": true,
"ui-priority": 0
},
"ip": {
"description": "IP of the of the URL",
"misp-attribute": "ip-src",
"multiple": true,
"ui-priority": 0
},
"naics": {
"description": "North American Industry Classification System Code",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"port": {
"description": "Port of the URL",
"misp-attribute": "port",
"multiple": true,
"ui-priority": 0
},
"region": {
"description": "Regional location of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"resource_path": {
"description": "URL resource path extracted from the url",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"sector": {
"description": "Sector of the IP in question",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"severity": {
"description": "Severity of the report",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"critical",
"high",
"medium",
"low",
"info"
],
"ui-priority": 0
},
"sha256": {
"description": "SHA256 of associated (potentially malicious) payload, if downloaded from the URL",
"misp-attribute": "sha256",
"ui-priority": 0
},
"source": {
"description": "Source of information, if public",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"tag": {
"description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"timestamp": {
"description": "Timestamp of when the URL was seen (in the last 24 hours)",
"misp-attribute": "datetime",
"ui-priority": 0
},
"url": {
"description": "URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload",
"misp-attribute": "url",
"multiple": true,
"ui-priority": 0
}
},
"description": "This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, its SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/",
"meta-category": "misc",
"name": "shadowserver-malware-url-report",
"required": [
"url"
],
"uuid": "0211496c-dbcf-465b-a147-3d965da016cc",
"version": 6
}