misp-objects/objects/passive-dns/definition.json

{
  "attributes": {
    "bailiwick": {
      "description": "Best estimate of the apex of the zone where this data is authoritative",
      "disable_correlation": true,
      "misp-attribute": "domain",
      "ui-priority": 0
    },
    "count": {
      "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
      "disable_correlation": true,
      "misp-attribute": "counter",
      "ui-priority": 0
    },
    "origin": {
      "description": "Origin of the Passive DNS response",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "raw_rdata": {
      "description": "Resource records of the queried resource, in hexadecimal. *All* rdata entries at once.",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "rdata": {
      "description": "Resource records of the queried resource. Note that this field is added for *each* rdata entry in the rrset.",
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "rdata_ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource records of the queried resource. Mapped to MISP 'ip' address type. Valid for rrtypes (A, AAAA, A6, ...).",
      "misp-attribute": "ip-src",
      "ui-priority": 1
    },
    "rdata_domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource records of the queried resource. Mapped to MISP 'domain' address type. Valid for rrtypes (CNAME, etc.).",
      "misp-attribute": "domain",
      "ui-priority": 1
    },
    "rrname": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record name of the queried resource.",
      "misp-attribute": "text",
      "ui-priority": 1
    },
    "rrname_domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'domain' type so that we can correlate.",
      "misp-attribute": "domain",
      "ui-priority": 1
    },
    "rrname_ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'ip' type so that we can correlate. Note that this is only valid if 'rrtype' is 'PTR'.",
      "misp-attribute": "ip-src",
      "ui-priority": 1
    },
    "rrtype": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Resource Record type as seen by the passive DNS.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "sane_default": [
        "A",
        "AAAA",
        "CNAME",
        "PTR",
        "SOA",
        "TXT",
        "DNAME",
        "NS",
        "SRV",
        "RP",
        "NAPTR",
        "HINFO",
        "A6"
      ],
      "ui-priority": 1
    },
    "sensor_id": {
      "description": "Sensor information where the record was seen",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "text": {
      "description": "Description of the passive DNS record.",
      "disable_correlation": true,
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "time_first": {
      "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "time_last": {
      "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "zone_time_first": {
      "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "zone_time_last": {
      "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    }
  },
  "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",
  "meta-category": "network",
  "name": "passive-dns",
  "required": [
    "rrtype",
    "rrname",
    "rdata"
  ],
  "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
  "version": 3
}
Passive DNS object added 2016-02-13 18:19:27 +01:00			`{`
JQ all the things 2017-02-13 11:18:42 +01:00			`"attributes": {`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"bailiwick": {`
			`"description": "Best estimate of the apex of the zone where this data is authoritative",`
			`"disable_correlation": true,`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`"misp-attribute": "domain",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 0`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`},`
			`"count": {`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"disable_correlation": true,`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`"misp-attribute": "counter",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 0`
			`},`
			`"origin": {`
			`"description": "Origin of the Passive DNS response",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"ui-priority": 0`
			`},`
add: [passive-dns] Added a raw_rdata object relation 2020-11-13 20:09:46 +01:00			`"raw_rdata": {`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`"description": "Resource records of the queried resource, in hexadecimal. All rdata entries at once.",`
add: [passive-dns] Added a raw_rdata object relation 2020-11-13 20:09:46 +01:00			`"misp-attribute": "text",`
			`"ui-priority": 0`
			`},`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"rdata": {`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`"description": "Resource records of the queried resource. Note that this field is added for each rdata entry in the rrset.",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"misp-attribute": "text",`
			`"ui-priority": 1`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`},`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`"rdata_ip": {`
			`"categories": [`
			`"Network activity",`
			`"External analysis"`
			`],`
			`"description": "Resource records of the queried resource. Mapped to MISP 'ip' address type. Valid for rrtypes (A, AAAA, A6, ...).",`
			`"misp-attribute": "ip-src",`
			`"ui-priority": 1`
			`},`
			`"rdata_domain": {`
			`"categories": [`
			`"Network activity",`
			`"External analysis"`
			`],`
			`"description": "Resource records of the queried resource. Mapped to MISP 'domain' address type. Valid for rrtypes (CNAME, etc.).",`
			`"misp-attribute": "domain",`
			`"ui-priority": 1`
			`},`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`"rrname": {`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Network activity",`
			`"External analysis"`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`],`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"description": "Resource Record name of the queried resource.",`
			`"misp-attribute": "text",`
			`"ui-priority": 1`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`"rrname_domain": {`
			`"categories": [`
			`"Network activity",`
			`"External analysis"`
			`],`
			`"description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'domain' type so that we can correlate.",`
			`"misp-attribute": "domain",`
			`"ui-priority": 1`
			`},`
			`"rrname_ip": {`
			`"categories": [`
			`"Network activity",`
			`"External analysis"`
			`],`
			`"description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'ip' type so that we can correlate. Note that this is only valid if 'rrtype' is 'PTR'.",`
			`"misp-attribute": "ip-src",`
			`"ui-priority": 1`
			`},`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`"rrtype": {`
JQ all the things 2017-02-13 11:18:42 +01:00			`"categories": [`
			`"Network activity",`
			`"External analysis"`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`],`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"description": "Resource Record type as seen by the passive DNS.",`
			`"disable_correlation": true,`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"misp-attribute": "text",`
			`"sane_default": [`
			`"A",`
			`"AAAA",`
			`"CNAME",`
			`"PTR",`
			`"SOA",`
			`"TXT",`
			`"DNAME",`
			`"NS",`
			`"SRV",`
			`"RP",`
			`"NAPTR",`
			`"HINFO",`
			`"A6"`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`],`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 1`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`},`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"sensor_id": {`
			`"description": "Sensor information where the record was seen",`
			`"disable_correlation": true,`
			`"misp-attribute": "text",`
			`"ui-priority": 0`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"text": {`
			`"description": "Description of the passive DNS record.",`
			`"disable_correlation": true,`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`"misp-attribute": "text",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 0`
			`},`
			`"time_first": {`
			`"description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS",`
			`"disable_correlation": true,`
			`"misp-attribute": "datetime",`
			`"ui-priority": 0`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`"time_last": {`
Add descriptions in all the objects 2017-08-29 18:36:46 +02:00			`"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"disable_correlation": true,`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`"misp-attribute": "datetime",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 0`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"zone_time_first": {`
			`"description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import",`
			`"disable_correlation": true,`
fix: Passive DNS records especially on the disabled_correlation fields 2018-01-25 15:07:19 +01:00			`"misp-attribute": "datetime",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"ui-priority": 0`
JQ all the things 2017-02-13 11:18:42 +01:00			`},`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"zone_time_last": {`
			`"description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.",`
			`"disable_correlation": true,`
			`"misp-attribute": "datetime",`
			`"ui-priority": 0`
JQ all the things 2017-02-13 11:18:42 +01:00			`}`
			`},`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`"description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01",`
			`"meta-category": "network",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"name": "passive-dns",`
			`"required": [`
			`"rrtype",`
			`"rrname",`
			`"rdata"`
			`],`
misp-usage-frequency updated 2017-07-03 12:15:50 +02:00			`"uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",`
chg: Sort all the entries in the templates by default 2020-04-26 02:10:02 +02:00			`"version": 3`
As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration. 2021-05-02 15:57:54 +02:00			`}`