MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into process

pull/192/head
Steve Clement 2020-01-14 09:47:45 +09:00
parent e67b937f73 9ce275dcf0
commit 003391bab1
No known key found for this signature in database
GPG Key ID: 69A20F509BE4AEE9
44 changed files with 2287 additions and 110 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
README.md
View File

@ -70,6 +70,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings.
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/attack-pattern](objects/attack-pattern/definition.json) - Attack Pattern object describing a common attack pattern enumeration and classification.
* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
@ -87,10 +88,12 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike.
* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
* [objects/dns-record](objects/dns-record/definition.json) - A DNS record object to describe the associated records for a domain.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/employee](objects/employee/definition.json) - An employee object.
* [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
@ -137,6 +140,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
* [objects/shodan](objects/shodan/definition.json) - A shodan object to describe a shodan report.
* [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
@ -156,8 +160,10 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc).
* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/virustotal-graph](objects/virustotal-graph/definition.json) - VirusTotal graph.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
* [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
* [objects/weakness](objects/weakness/definition.json) - Weakness object as described in a CWE.
* [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
* [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
* [objects/yabin](objects/yabin/definition.json) - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: [yabin](https://github.com/AlienVault-OTX/yabin).

5
objects/annotation/definition.json
View File

@ -30,7 +30,8 @@
"Other",
"Copyright",
"Authors",
"Logo"
"Logo",
"Full Report"
]
},
"format": {
@ -69,7 +70,7 @@
"multiple": true
}
},
"version": 2,
"version": 3,
"description": "An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.",
"meta-category": "misc",
"uuid": "5d8dc046-15a1-4ca3-a09f-ed4ede7c4487",

45
objects/attack-pattern/definition.json Normal file
View File

@ -0,0 +1,45 @@
{
"requiredOneOf": [
"name",
"id"
],
"attributes": {
"id": {
"description": "CAPEC ID.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"name": {
"description": "Name of the attack pattern.",
"ui-priority": 0,
"misp-attribute": "text"
},
"summary": {
"description": "Summary description of the attack pattern.",
"ui-priority": 0,
"misp-attribute": "text"
},
"prerequisites": {
"description": "Prerequisites for the attack pattern to succeed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"solutions": {
"description": "Solutions for the attack pattern to be countered.",
"ui-priority": 0,
"misp-attribute": "text"
},
"related-weakness": {
"description": "Weakness related to the attack pattern.",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "weakness"
}
},
"version": 1,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"uuid": "35928348-56be-4d7f-9752-a80927936351",
"name": "attack-pattern"
}

2
objects/coin-address/definition.json
View File

@ -102,7 +102,7 @@
"recommended": false
}
},
"version": 4,
"version": 5,
"description": "An address used in a cryptocurrency",
"meta-category": "financial",
"uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46",

20
objects/command-line/definition.json Normal file
View File

@ -0,0 +1,20 @@
{
"attributes": {
"value": {
"description": "command code",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"description": {
"description": "description of the command",
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.",
"meta-category": "misc",
"uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
"name": "command-line"
}

37
objects/command/definition.json Normal file
View File

@ -0,0 +1,37 @@
{
"attributes": {
"location": {
"description": "Location of the command functionality",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Bundled",
"Module",
"Libraries",
"Unknown"
]
},
"trigger": {
"description": "How the commands are triggered",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Local",
"Network",
"Unknown"
]
},
"description": {
"description": "Description of the command functionalities",
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.",
"meta-category": "misc",
"uuid": "21ad70d8-d397-11e9-9ea7-43b2d5f6a6e3",
"name": "command"
}

7
objects/cowrie/definition.json
View File

@ -116,9 +116,14 @@
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"hassh": {
"description": "HASSH of the client SSH session following Salesforce algorithm",
"misp-attribute": "hassh-md5",
"ui-priority": 1
}
},
"version": 2,
"version": 3,
"description": "Cowrie honeypot object template",
"meta-category": "network",
"uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",

6
objects/credential/definition.json
View File

@ -25,6 +25,7 @@
"description": "Type of password(s)",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"values_list": [
"password",
"api-key",
@ -36,6 +37,7 @@
"description": "Origin of the credential(s)",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"bruteforce-scanning",
"malware-analysis",
@ -49,6 +51,7 @@
"description": "Format of the password(s)",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"values_list": [
"clear-text",
"hashed",
@ -60,6 +63,7 @@
"description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true,
"values_list": [
"victim-notified",
@ -68,7 +72,7 @@
]
}
},
"version": 3,
"version": 4,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",

161
objects/crypto-material/definition.json Normal file
View File

@ -0,0 +1,161 @@
{
"requiredOneOf": [
"text",
"private",
"p",
"q",
"modulus"
],
"attributes": {
"text": {
"description": "A description of the cryptographic materials.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"rsa-modulus-size": {
"description": "RSA modulus size in bits",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"modulus": {
"description": "Modulus Parameter - in hexadecimal - no 0x, no :",
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"e": {
"description": "RSA public exponent",
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"p": {
"description": "Prime Parameter - P in decimal",
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"q": {
"description": "Prime Parameter - Q in decimal",
"disable_correlation": false,
"ui-priority": 1,
"misp-attribute": "text"
},
"g": {
"description": "Curve Parameter - G in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"y": {
"description": "Curve Parameter - Y in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"x": {
"description": "Curve Parameter - X in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"n": {
"description": "Curve Parameter - N in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"b": {
"description": "Curve Parameter - B in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"curve-length": {
"description": "Length of the Curve in bits",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"Gx": {
"description": "Curve Parameter - Gx in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"Gy": {
"description": "Curve Parameter - Gy in decimal",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"private": {
"description": "Private part of the cryptographic materials in PEM format",
"ui-priority": 1,
"misp-attribute": "text"
},
"type": {
"description": "Type of crytographic materials",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"values_list": [
"RSA",
"DSA",
"ECDSA",
"unknown"
]
},
"ecdsa-type": {
"description": "Curve type of the ECDSA cryptographic materials",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"values_list": [
"Anomalous",
"M-221",
"E-222",
"NIST P-224",
"Curve1174",
"Curve25519",
"BN(2,254)",
"brainpoolP256t1",
"ANSSI FRP256v1",
"NIST P-256",
"secp256k1",
"E-382",
"M-383",
"Curve383187",
"brainpoolP384t1",
"NIST P-384",
"Curve41417",
"Ed448-Goldilocks",
"M-511",
"E-521"
]
},
"origin": {
"description": "Origin of the cryptographic materials",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"mathematical-attack",
"exhaustive-search",
"bruteforce-attack",
"malware-extraction",
"memory-interception",
"network-interception",
"leak",
"unknown"
]
}
},
"version": 3,
"description": "Cryptographic materials such as public or/and private keys.",
"meta-category": "misc",
"uuid": "50677f82-ec9c-4484-bb29-2519cfe56823",
"name": "crypto-material"
}

63
objects/dark-pattern/definition.json Normal file
View File

@ -0,0 +1,63 @@
{
"requiredOneOf": [
"location",
"screenshot"
],
"attributes": {
"location": {
"description": "Location where to find the item",
"ui-priority": 0,
"disable_correlation": true,
"multiple": true,
"misp-attribute": "text"
},
"time": {
"description": "Date and time when first-seen",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"implementer": {
"description": "Who is the vendor / holder of the item",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"user": {
"description": "who are the user of the item",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"comment": {
"description": "textual comment about the item",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"gain": {
"description": "What is the implementer is gaining by deceiving the user",
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"registration",
"personal data",
"money",
"contacts",
"audience"
],
"disable_correlation": true
},
"screenshot": {
"description": "A screencapture or a screengrab of the item at work",
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "attachment"
}
},
"version": 2,
"description": "An Item whose User Interface implements a dark pattern.",
"meta-category": "misc",
"uuid": "05755e29-8f5f-464d-bcff-2b4686472769",
"name": "dark-pattern-item"
}

62
objects/dns-record/definition.json Normal file
View File

@ -0,0 +1,62 @@
{
"required": [
"queried-domain"
],
"requiredOneOf": [
"a-record",
"mx-record",
"ns-record"
],
"attributes": {
"text": {
"description": "A description of the records",
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"queried-domain": {
"description": "Domain name",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
},
"a-record": {
"description": "IP Address sassociated with A Records",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
},
"mx-record": {
"description": "Domain associated with MX Record",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
},
"ns-record": {
"description": "Domain associated with NS Records",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
}
},
"version": 1,
"description": "A set of dns records observed for a specific domain.",
"meta-category": "network",
"uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9",
"name": "dns-record"
}

66
objects/employee/definition.json Normal file
View File

@ -0,0 +1,66 @@
{
"required": [
"email-address"
],
"attributes": {
"text": {
"description": "A description of the person or identity.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"last-name": {
"description": "Last name Employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "last-name"
},
"first-name": {
"description": "First name of Employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "first-name"
},
"email-address": {
"description": "Employee Email Address",
"ui-priority": 0,
"misp-attribute": "target-email"
},
"userid": {
"description": "EMployee user identification",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "target-user"
},
"primary-asset": {
"description": "Asset tag of the primary asset assigned to employee",
"ui-priority": 0,
"misp-attribute": "target-machine"
},
"business-unit": {
"description": "the organizational business unit associated with the employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "target-org"
},
"employee-type": {
"description": "type of employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"Mid-Level Manager",
"Senior Manager",
"Non-Manager",
"Supervisor",
"First-Line Manager",
"Director"
]
}
},
"version": 1,
"description": "An employee and related data points",
"meta-category": "misc",
"uuid": "443b2f15-d7c9-4d3d-bfd2-38f099753e83",
"name": "employee"
}

7
objects/file/definition.json
View File

@ -440,9 +440,14 @@
"Windows-31J",
"windows-874"
]
},
"imphash": {
"description": "Hash (md5) calculated from the import table",
"ui-priority": 0,
"misp-attribute": "imphash"
}
},
"version": 17,
"version": 18,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",

77
objects/impersonation/definition.json Normal file
View File

@ -0,0 +1,77 @@
{
"attributes": {
"type-of-account": {
"description": "Type of the impersonated account",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Twitter",
"Facebook",
"LinkedIn",
"Reddit",
"Google+",
"Instagram",
"Forum",
"Other"
]
},
"account-url": {
"description": "url of the impersonating account",
"ui-priority": 1,
"misp-attribute": "url"
},
"account-name": {
"description": "Name of the impersonating account",
"ui-priority": 1,
"misp-attribute": "text"
},
"impersonated-account-url": {
"description": "url of the impersonated account",
"ui-priority": 1,
"misp-attribute": "link"
},
"impersonated-account-name": {
"description": "Name of the impersonated account",
"ui-priority": 1,
"misp-attribute": "text"
},
"real-name": {
"description": "Real name of the impersonated person or entity",
"ui-priority": 1,
"misp-attribute": "text"
},
"type": {
"description": "Type of the account",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"Person",
"Association",
"Enterprise",
"Other"
]
},
"objective": {
"description": "Objective of the impersonation",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true,
"sane_default": [
"Information stealing",
"Disinformation",
"Distrusting",
"Advertising",
"Parody",
"Other"
]
}
},
"version": 1,
"description": "Represent an impersonating account",
"meta-category": "misc",
"uuid": "01833a92-d2ff-11e9-8016-d3b988153702",
"name": "impersonation"
}

419
objects/intelmq_event/definition.json Normal file
View File

@ -0,0 +1,419 @@
{
"attributes": {
"classification.identifier": {
"description": "The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.",
"misp-attribute": "text",
"ui-priority": 1
},
"classification.taxonomy": {
"description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).",
"misp-attribute": "text",
"ui-priority": 1
},
"classification.type": {
"description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid “type explosion”, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.",
"misp-attribute": "text",
"ui-priority": 1
},
"comment": {
"description": "Free text commentary about the abuse event inserted by an analyst.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.abuse_contact": {
"description": "Abuse contact for destination address. A comma separated list.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.account": {
"description": "An account name or email address, which has been identified to relate to the destination of an abuse event.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.allocated": {
"description": "Allocation date corresponding to BGP prefix.",
"misp-attribute": "datetime",
"ui-priority": 1
},
"destination.as_name": {
"description": "The autonomous system name to which the connection headed.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.asn": {
"description": "The autonomous system number to which the connection headed.",
"misp-attribute": "AS",
"ui-priority": 1
},
"destination.domain_suffix": {
"description": "The suffix of the domain from the public suffix list.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.fqdn": {
"description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.geolocation.cc": {
"description": "Country-Code according to ISO3166-1 alpha-2 for the destination IP.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.geolocation.city": {
"description": "Some geolocation services refer to city-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.geolocation.country": {
"description": "The country name derived from the ISO3166 country code (assigned to cc field).",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.geolocation.latitude": {
"description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
"misp-attribute": "float",
"ui-priority": 1
},
"destination.geolocation.longitude": {
"description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
"misp-attribute": "float",
"ui-priority": 1
},
"destination.geolocation.region": {
"description": "Some geolocation services refer to region-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.geolocation.state": {
"description": "Some geolocation services refer to state-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.ip": {
"description": "The IP which is the target of the observed connections.",
"misp-attribute": "ip-dst",
"ui-priority": 1
},
"destination.local_hostname": {
"description": "Some sources report a internal hostname within a NAT related to the name configured for a compromized system",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.local_ip": {
"description": "Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.",
"misp-attribute": "ip-dst",
"ui-priority": 1
},
"destination.network": {
"description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.",
"misp-attribute": "ip-dst",
"ui-priority": 1
},
"destination.port": {
"description": "The port to which the connection headed.",
"misp-attribute": "counter",
"ui-priority": 1
},
"destination.registry": {
"description": "The IP registry a given ip address is allocated by.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.reverse_dns": {
"description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.",
"misp-attribute": "text",
"ui-priority": 1
},
"destination.tor_node": {
"description": "If the destination IP was a known tor node.",
"misp-attribute": "boolean",
"ui-priority": 1
},
"destination.url": {
"description": "A URL denotes on IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.",
"misp-attribute": "url",
"ui-priority": 1
},
"destination.urlpath": {
"description": "The path portion of an HTTP or related network request.",
"misp-attribute": "text",
"ui-priority": 1
},
"event_description.target": {
"description": "Some sources denominate the target (organization) of a an attack.",
"misp-attribute": "text",
"ui-priority": 1
},
"event_description.text": {
"description": "A free-form textual description of an abuse event.",
"misp-attribute": "text",
"ui-priority": 1
},
"event_description.url": {
"description": "A description URL is a link to a further description of the the abuse event in question.",
"misp-attribute": "url",
"ui-priority": 1
},
"event_hash": {
"description": "Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.",
"misp-attribute": "text",
"ui-priority": 1
},
"extra": {
"description": "All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. **Note**: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.accuracy": {
"description": "A float between 0 and 100 that represents how accurate the data in the feed is",
"misp-attribute": "float",
"ui-priority": 1
},
"feed.code": {
"description": "Code name for the feed, e.g. DFGS, HSDAG etc.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.documentation": {
"description": "A URL or hint where to find the documentation of this feed.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.name": {
"description": "Name for the feed, usually found in collector bot configuration.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.provider": {
"description": "Name for the provider of the feed, usually found in collector bot configuration.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.url": {
"description": "The URL of a given abuse feed, where applicable",
"misp-attribute": "url",
"ui-priority": 1
},
"malware.hash.md5": {
"description": "A string depicting an MD5 checksum for a file, be it a malware sample for example.",
"misp-attribute": "text",
"ui-priority": 1
},
"malware.hash.sha1": {
"description": "A string depicting a SHA1 checksum for a file, be it a malware sample for example.",
"misp-attribute": "text",
"ui-priority": 1
},
"malware.hash.sha256": {
"description": "A string depicting a SHA256 checksum for a file, be it a malware sample for example.",
"misp-attribute": "text",
"ui-priority": 1
},
"malware.name": {
"description": "The malware name in lower case.",
"misp-attribute": "text",
"ui-priority": 1
},
"malware.version": {
"description": "A version string for an identified artifact generation, e.g. a crime-ware kit.",
"misp-attribute": "text",
"ui-priority": 1
},
"misp.attribute_uuid": {
"description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.",
"misp-attribute": "text",
"ui-priority": 1
},
"misp.event_uuid": {
"description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID.",
"misp-attribute": "text",
"ui-priority": 1
},
"output": {
"description": "Event data converted into foreign format, intended to be exported by output plugin.",
"misp-attribute": "text",
"ui-priority": 1
},
"protocol.application": {
"description": "e.g. vnc, ssh, sip, irc, http or smtp.",
"misp-attribute": "text",
"ui-priority": 1
},
"protocol.transport": {
"description": "e.g. tcp, udp, icmp.",
"misp-attribute": "text",
"ui-priority": 1
},
"raw": {
"description": "The original line of the event from encoded in base64.",
"misp-attribute": "text",
"ui-priority": 1
},
"rtir_id": {
"description": "Request Tracker Incident Response ticket id.",
"misp-attribute": "counter",
"ui-priority": 1
},
"screenshot_url": {
"description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.",
"misp-attribute": "url",
"ui-priority": 1
},
"source.abuse_contact": {
"description": "Abuse contact for source address. A comma separated list.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.account": {
"description": "An account name or email address, which has been identified to relate to the source of an abuse event.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.allocated": {
"description": "Allocation date corresponding to BGP prefix.",
"misp-attribute": "datetime",
"ui-priority": 1
},
"source.as_name": {
"description": "The autonomous system name from which the connection originated.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.asn": {
"description": "The autonomous system number from which originated the connection.",
"misp-attribute": "AS",
"ui-priority": 1
},
"source.domain_suffix": {
"description": "The suffix of the domain from the public suffix list.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.fqdn": {
"description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.cc": {
"description": "Country-Code according to ISO3166-1 alpha-2 for the source IP.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.city": {
"description": "Some geolocation services refer to city-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.country": {
"description": "The country name derived from the ISO3166 country code (assigned to cc field).",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.cymru_cc": {
"description": "The country code denoted for the ip by the Team Cymru asn to ip mapping service.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.geoip_cc": {
"description": "MaxMind Country Code (ISO3166-1 alpha-2).",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.latitude": {
"description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
"misp-attribute": "float",
"ui-priority": 1
},
"source.geolocation.longitude": {
"description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.",
"misp-attribute": "float",
"ui-priority": 1
},
"source.geolocation.region": {
"description": "Some geolocation services refer to region-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.geolocation.state": {
"description": "Some geolocation services refer to state-level geolocation.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.ip": {
"description": "The ip observed to initiate the connection",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"source.local_hostname": {
"description": "Some sources report a internal hostname within a NAT related to the name configured for a compromised system",
"misp-attribute": "text",
"ui-priority": 1
},
"source.local_ip": {
"description": "Some sources report a internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"source.network": {
"description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"source.port": {
"description": "The port from which the connection originated.",
"misp-attribute": "counter",
"ui-priority": 1
},
"source.registry": {
"description": "The IP registry a given ip address is allocated by.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.reverse_dns": {
"description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.",
"misp-attribute": "text",
"ui-priority": 1
},
"source.tor_node": {
"description": "If the source IP was a known tor node.",
"misp-attribute": "boolean",
"ui-priority": 1
},
"source.url": {
"description": "A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.",
"misp-attribute": "url",
"ui-priority": 1
},
"source.urlpath": {
"description": "The path portion of an HTTP or related network request.",
"misp-attribute": "text",
"ui-priority": 1
},
"status": {
"description": "Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.",
"misp-attribute": "text",
"ui-priority": 1
},
"time.observation": {
"description": "The time the collector of the local instance processed (observed) the event.",
"misp-attribute": "datetime",
"ui-priority": 1
},
"time.source": {
"description": "The time of occurence of the event as reported the feed (source).",
"misp-attribute": "datetime",
"ui-priority": 1
},
"tlp": {
"description": "Traffic Light Protocol level of the event.",
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "IntelMQ Event",
"meta-category": "network",
"name": "intelmq_event",
"uuid": "491ac7d2-25a1-4078-8246-b04a132d003d",
"version": 3
}

59
objects/intelmq_report/definition.json Normal file
View File

@ -0,0 +1,59 @@
{
"attributes": {
"extra": {
"description": "All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This is data is not automatically propagated to the events.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.accuracy": {
"description": "A float between 0 and 100 that represents how accurate the data in the feed is",
"misp-attribute": "float",
"ui-priority": 1
},
"feed.code": {
"description": "Code name for the feed, e.g. DFGS, HSDAG etc.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.documentation": {
"description": "A URL or hint where to find the documentation of this feed.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.name": {
"description": "Name for the feed, usually found in collector bot configuration.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.provider": {
"description": "Name for the provider of the feed, usually found in collector bot configuration.",
"misp-attribute": "text",
"ui-priority": 1
},
"feed.url": {
"description": "The URL of a given abuse feed, where applicable",
"misp-attribute": "url",
"ui-priority": 1
},
"raw": {
"description": "The original raw and unparsed data encoded in base64.",
"misp-attribute": "text",
"ui-priority": 1
},
"rtir_id": {
"description": "Request Tracker Incident Response ticket id.",
"misp-attribute": "counter",
"ui-priority": 1
},
"time.observation": {
"description": "The time the collector of the local instance processed (observed) the event.",
"misp-attribute": "datetime",
"ui-priority": 1
}
},
"description": "IntelMQ Report",
"meta-category": "network",
"name": "intelmq_report",
"uuid": "c3d34be1-904b-455b-bceb-509418392110",
"version": 3
}

34
objects/microblog/definition.json
View File

@ -9,10 +9,15 @@
"misp-attribute": "text"
},
"url": {
"description": "Original URL location of the microblog post",
"description": "Original URL location of the microblog post (potentially malicious)",
"ui-priority": 1,
"misp-attribute": "url"
},
"link": {
"description": "Original link into the microblog post (Supposed harmless)",
"ui-priority": 1,
"misp-attribute": "link"
},
"type": {
"description": "Type of the microblog post",
"ui-priority": 1,
@ -45,6 +50,17 @@
"ui-priority": 0,
"misp-attribute": "text"
},
"verified-username": {
"description": "Is the username account verified by the operator of the microblog platform",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"values_list": [
"Verified",
"Unverified",
"Unknown"
]
},
"creation-date": {
"description": "Initial creation of the microblog post",
"ui-priority": 0,
@ -55,12 +71,18 @@
"ui-priority": 0,
"misp-attribute": "datetime"
},
"link": {
"embedded-link": {
"description": "Link into the microblog post",
"ui-priority": 0,
"misp-attribute": "url",
"multiple": true
},
"embedded-safe-link": {
"description": "Safe link into the microblog post",
"ui-priority": 0,
"misp-attribute": "link",
"multiple": true
},
"removal-date": {
"description": "When the microblog post was removed",
"ui-priority": 0,
@ -71,9 +93,15 @@
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"hashtag": {
"description": "Hashtag into the microblog post",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 6,
"version": 11,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",

17
objects/netflow/definition.json
View File

@ -3,7 +3,7 @@
"uuid": "bf148c58-3e7e-414e-8de8-5d96379ca77e",
"meta-category": "network",
"description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition",
"version": 1,
"version": 2,
"attributes": {
"ip-dst": {
"misp-attribute": "ip-dst",
@ -70,6 +70,7 @@
"protocol": {
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"values_list": [
"TCP",
"UDP",
@ -133,18 +134,26 @@
"first-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 1,
"description": "First packet seen in this flow"
"description": "First packet seen in this flow",
"disable_correlation": true
},
"last-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "Last packet seen in this flow"
"description": "Last packet seen in this flow",
"disable_correlation": true
},
"community-id": {
"misp-attribute": "community-id",
"ui-priority": 0,
"description": "Community id of the represented flow"
}
},
"requiredOneOf": [
"first-packet-seen",
"ip-src",
"ip-dst",
"dst-port"
"dst-port",
"community-id"
]
}

13
objects/network-connection/definition.json
View File

@ -3,7 +3,7 @@
"uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
"meta-category": "network",
"description": "A local or remote network connection.",
"version": 2,
"version": 3,
"attributes": {
"ip-src": {
"description": "Source IP address of the nework connection.",
@ -86,7 +86,13 @@
"first-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 1,
"description": "Datetime of the first packet seen."
"description": "Datetime of the first packet seen.",
"disable_correlation": true
},
"community-id": {
"misp-attribute": "community-id",
"ui-priority": 1,
"description": "Flow description as a community ID hash value"
}
},
"requiredOneOf": [
@ -94,6 +100,7 @@
"ip-src",
"ip-dst",
"src-port",
"dst-port"
"dst-port",
"community-id"
]
}

10
objects/organization/definition.json
View File

@ -65,11 +65,17 @@
"Target"
],
"disable_correlation": true
},
"VAT": {
"description": "VAT or TAX-ID of the organization",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"version": 3,
"description": "An object which describes an organization.",
"meta-category": "misc",
"uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
"name": "misc"
"name": "organization"
}

2
objects/paste/definition.json
View File

@ -61,7 +61,7 @@
"misp-attribute": "datetime"
}
},
"version": 4,
"version": 5,
"description": "Paste or similar post from a website allowing to share privately or publicly posts.",
"meta-category": "misc",
"uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12",

3
objects/pe/definition.json
View File

@ -1,6 +1,7 @@
{
"requiredOneOf": [
"text",
"type",
"original-filename",
"internal-filename",
"entrypoint-address"
@ -118,7 +119,7 @@
"misp-attribute": "text"
}
},
"version": 3,
"version": 4,
"description": "Object describing a Portable Executable",
"meta-category": "file",
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",

61
objects/process/definition.json
View File

@ -3,16 +3,16 @@
"uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"meta-category": "misc",
"description": "Object describing a system process.",
"version": 6,
"version": 7,
"attributes": {
"creation-time": {
"description": "Local date/time at which the process was created.",
"description": "Local date/time at which the process was created",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"start-time": {
"description": "Local date/time at which the process was started.",
"description": "Local date/time at which the process was started",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
@ -23,19 +23,35 @@
"misp-attribute": "text"
},
"pid": {
"description": "Process ID of the process.",
"description": "Process ID of the process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"pgid": {
"description": "Identifier of the group of processes the process belong to",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"guid": {
"description": "The globally unique identifier of the assigned by the vendor product",
"ui-priority": 1,
"misp-attribute": "text"
},
"parent-pid": {
"description": "Process ID of the parent process.",
"description": "Process ID of the parent process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"parent-guid": {
"description": "The globally unique idenifier of the parent process assigned by the vendor product",
"ui-priority": 1,
"misp-attribute": "text"
},
"child-pid": {
"description": "Process ID of the child(ren) process.",
"description": "Process ID of the child(ren) process",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true,
@ -76,9 +92,9 @@
"disable_correlation": true
},
"port": {
"description": "Port(s) owned by the process.",
"description": "Port(s) owned by the process",
"ui-priority": 1,
"misp-attribute": "src-port",
"misp-attribute": "port",
"multiple": true,
"disable_correlation": true
},
@ -87,6 +103,12 @@
"ui-priority": 1,
"misp-attribute": "text"
},
"args": {
"description": "Arguments of the process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"current-directory": {
"description": "Current working directory of the process",
"ui-priority": 2,
@ -108,6 +130,16 @@
"ui-priority": 1,
"misp-attribute": "filename"
},
"parent-process-name": {
"description": "Process name of the parent",
"ui-priority": 1,
"misp-attribute": "text"
},
"parent-process-path": {
"description": "Parent process path of the parent",
"ui-priority": 1,
"misp-attribute": "text"
},
"user": {
"description": "User context of the process",
"ui-priority": 2,
@ -118,6 +150,19 @@
"description": "Integrity level of the process",
"ui-priority": 2,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"system",
"high",
"medium",
"low",
"untrusted"
]
},
"hidden": {
"description": "Specifies whether the process is hidden",
"ui-priority": 1,
"misp-attribute": "boolean",
"disable_correlation": true
}
},

6
objects/sb-signature/definition.json
View File

@ -8,7 +8,7 @@
"description": "Name of Sandbox software",
"disable_correlation": true,
"categories": [
"Sandbox detection"
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
@ -16,7 +16,7 @@
"signature": {
"description": "Name of detection signature - set the description of the detection signature as a comment",
"categories": [
"Sandbox detection"
"External analysis"
],
"ui-priority": 2,
"misp-attribute": "text",
@ -41,7 +41,7 @@
"misp-attribute": "datetime"
}
},
"version": 1,
"version": 2,
"description": "Sandbox detection signature",
"meta-category": "misc",
"uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",

53
objects/scrippsco2-c13-daily/definition.json Normal file
View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"c13-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"c13-value": {
"description": "C13 value (ppm) - C13 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average C13 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "5f71a99e-4a56-45b5-b7d6-19949d22409a",
"name": "scrippsco2-c13-daily"
}

56
objects/scrippsco2-c13-monthly/definition.json Normal file
View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-c13": {
"description": "Monthly C13 concentrations in micro-mol C13 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-c13-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-c13-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-c13-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average C13 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "812125c7-47de-4503-8bbc-19067d3a1c38",
"name": "scrippsco2-c13-monthly"
}

53
objects/scrippsco2-co2-daily/definition.json Normal file
View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"co2-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"co2-value": {
"description": "CO2 value (ppm) - CO2 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average CO2 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "0779baca-06b9-491e-9ab7-ccc3e1538fd3",
"name": "scrippsco2-co2-daily"
}

56
objects/scrippsco2-co2-monthly/definition.json Normal file
View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-co2": {
"description": "Monthly CO2 concentrations in micro-mol CO2 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-co2-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-co2-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-co2-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average CO2 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "3350fc46-7120-4fb1-b5b3-c931465c9b2a",
"name": "scrippsco2-co2-monthly"
}

53
objects/scrippsco2-o18-daily/definition.json Normal file
View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"o18-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"o18-value": {
"description": "O18 value (ppm) - O18 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average O18 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "8b6878a7-577d-4845-b165-ead6e58bec04",
"name": "scrippsco2-o18-daily"
}

56
objects/scrippsco2-o18-monthly/definition.json Normal file
View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-o18": {
"description": "Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-o18-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-o18-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-o18-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average O18 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "86bd588b-cd0c-486a-8ea0-17fd95312fa0",
"name": "scrippsco2-o18-monthly"
}

13
objects/script/definition.json
View File

@ -1,7 +1,8 @@
{
"requiredOneOf": [
"script",
"filename"
"filename",
"attachment"
],
"attributes": {
"script": {
@ -9,6 +10,11 @@
"ui-priority": 10,
"misp-attribute": "text"
},
"script-as-attachment": {
"description": "Attachment of the script.",
"ui-priority": 10,
"misp-attribute": "attachment"
},
"comment": {
"description": "Comment associated to the script.",
"ui-priority": 1,
@ -32,7 +38,8 @@
"Ruby",
"Winbatch",
"AutoIt",
"PHP"
"PHP",
"Nim"
]
},
"filename": {
@ -56,7 +63,7 @@
]
}
},
"version": 4,
"version": 6,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",

4
objects/shell-commands/definition.json
View File

@ -1,5 +1,5 @@
{
"requiredOneOf": [
"required": [
"shell-command"
],
"attributes": {
@ -54,7 +54,7 @@
]
}
},
"version": 1,
"version": 2,
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
"meta-category": "misc",
"uuid": "fee65efa-eb64-4516-8611-1db76c589f79",

70
objects/shodan-report/definition.json Normal file
View File

@ -0,0 +1,70 @@
{
"required": [
"ip"
],
"requiredOneOf": [
"hostname",
"org",
"port",
"banner"
],
"attributes": {
"text": {
"description": "A description of the report",
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"ip": {
"description": "IP Address Queried",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
},
"hostname": {
"description": "Hostnames found",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
},
"org": {
"description": "Associated Organization",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"port": {
"description": "Listening Port",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "port"
},
"banner": {
"description": "server banner reported",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Shodan Report for a given IP",
"meta-category": "network",
"uuid": "10b03d93-3694-4a79-9cd1-4a273746303a",
"name": "shodan-report"
}

4
objects/timesketch-timeline/definition.json
View File

@ -12,7 +12,7 @@
"timestamp": {
"description": "When the log entry was seen in microseconds since Unix epoch",
"ui-priority": 0,
"misp-attribute": "timestamp-microsec"
"misp-attribute": "text"
},
"timestamp_desc": {
"description": "Text explaining what type of timestamp is it",
@ -25,7 +25,7 @@
"misp-attribute": "datetime"
}
},
"version": 2,
"version": 3,
"description": "A timesketch timeline object based on mandatory field in timesketch to describe a log entry.",
"meta-category": "misc",
"uuid": "06db0221-cbc0-4ffc-ad98-7f34549310f1",

243
objects/translation/definition.json Normal file
View File

@ -0,0 +1,243 @@
{
"requiredOneOf": [
"original-text",
"translated-text",
"original-language",
"translation-language",
"translation-type"
],
"attributes": {
"original-text": {
"description": "Original text",
"ui-priority": 1,
"misp-attribute": "text"
},
"translated-text": {
"description": "Text after translation",
"ui-priority": 1,
"misp-attribute": "text"
},
"original-language": {
"description": "Language of the original text",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"Mandarin (language family)",
"Spanish",
"English",
"Hindi",
"Bengali",
"Portuguese",
"Russian",
"Japanese",
"Western Punjabi",
"Marathi",
"Telugu",
"Wu (language family)",
"Turkish",
"Korean",
"French",
"German",
"Vietnamese",
"Tamil",
"Yue (language family)",
"Urdu",
"Javanese",
"Italian",
"Egyptian Arabic",
"Gujarati",
"Iranian Persian",
"Bhojpuri",
"Min Nan (language family)",
"Hakka",
"Jinyu",
"Hausa",
"Kannada",
"Indonesian (Indonesian Malay)",
"Polish",
"Yoruba",
"Xiang Chinese (language family)",
"Malayalam",
"Odia",
"Maithili",
"Burmese",
"Eastern Punjabi",
"Sunda",
"Sudanese Arabic",
"Algerian Arabic",
"Moroccan Arabic",
"Ukrainian",
"Igbo",
"Northern Uzbek",
"Sindhi",
"North Levantine Arabic",
"Romanian",
"Tagalog",
"Dutch",
"Saʽidi Arabic",
"Gan",
"Amharic",
"Northern Pashto",
"Magahi",
"Thai",
"Saraiki",
"Khmer",
"Chhattisgarhi",
"Somali",
"Malay (Malaysian Malay)",
"Cebuano",
"Nepali",
"Mesopotamian Arabic",
"Assamese",
"Sinhala",
"Northern Kurdish",
"Hejazi Arabic",
"Nigerian Fulfulde",
"South Azerbaijani",
"Greek",
"Chittagonian",
"Kazakh",
"Deccan",
"Hungarian",
"Kinyarwanda",
"Zulu",
"South Levantine Arabic",
"Tunisian Arabic",
"Sanaani Spoken Arabic",
"Min Bei Chinese (language family)",
"Southern Pashto",
"Rundi",
"Czech",
"Taʽizzi-Adeni Arabic",
"Uyghur",
"Min Dong Chinese (language family)",
"Sylheti "
]
},
"translation-language": {
"description": "Language of translation",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"Mandarin (language family)",
"Spanish",
"English",
"Hindi",
"Bengali",
"Portuguese",
"Russian",
"Japanese",
"Western Punjabi",
"Marathi",
"Telugu",
"Wu (language family)",
"Turkish",
"Korean",
"French",
"German",
"Vietnamese",
"Tamil",
"Yue (language family)",
"Urdu",
"Javanese",
"Italian",
"Egyptian Arabic",
"Gujarati",
"Iranian Persian",
"Bhojpuri",
"Min Nan (language family)",
"Hakka",
"Jinyu",
"Hausa",
"Kannada",
"Indonesian (Indonesian Malay)",
"Polish",
"Yoruba",
"Xiang Chinese (language family)",
"Malayalam",
"Odia",
"Maithili",
"Burmese",
"Eastern Punjabi",
"Sunda",
"Sudanese Arabic",
"Algerian Arabic",
"Moroccan Arabic",
"Ukrainian",
"Igbo",
"Northern Uzbek",
"Sindhi",
"North Levantine Arabic",
"Romanian",
"Tagalog",
"Dutch",
"Saʽidi Arabic",
"Gan",
"Amharic",
"Northern Pashto",
"Magahi",
"Thai",
"Saraiki",
"Khmer",
"Chhattisgarhi",
"Somali",
"Malay (Malaysian Malay)",
"Cebuano",
"Nepali",
"Mesopotamian Arabic",
"Assamese",
"Sinhala",
"Northern Kurdish",
"Hejazi Arabic",
"Nigerian Fulfulde",
"South Azerbaijani",
"Greek",
"Chittagonian",
"Kazakh",
"Deccan",
"Hungarian",
"Kinyarwanda",
"Zulu",
"South Levantine Arabic",
"Tunisian Arabic",
"Sanaani Spoken Arabic",
"Min Bei Chinese (language family)",
"Southern Pashto",
"Rundi",
"Czech",
"Taʽizzi-Adeni Arabic",
"Uyghur",
"Min Dong Chinese (language family)",
"Sylheti "
]
},
"translation-service": {
"description": "translation service used for the translation",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"Google Translate",
"Microsoft Translator",
"Babelfish",
"Reverso",
"Dict.cc",
"Linguee",
"unknown"
]
},
"translation-type": {
"description": "type of translation",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"Automated translation",
"Manual translation"
]
}
},
"version": 1,
"description": "Used to keep a text and its translation",
"meta-category": "misc",
"uuid": "a43b54fa-dac9-11e9-9b0d-97296aceae1a",
"name": "translation"
}

7
objects/url/definition.json
View File

@ -90,13 +90,18 @@
"ui-priority": 0,
"misp-attribute": "datetime"
},
"ip": {
"description": "Better type when the host is an IP.",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"host": {
"description": "Full hostname",
"ui-priority": 0,
"misp-attribute": "hostname"
}
},
"version": 7,
"version": 8,
"description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.",
"meta-category": "network",
"uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5",

52
objects/virustotal-graph/definition.json Normal file
View File

@ -0,0 +1,52 @@
{
"required": [
"permalink"
],
"attributes": {
"access": {
"description": "Access to the VirusTotal graph",
"disable_correlation": true,
"categories": [
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text",
"values_list": [
"Private",
"Public"
]
},
"permalink": {
"description": "Permalink Reference to the VirusTotal graph",
"categories": [
"External analysis"
],
"ui-priority": 2,
"misp-attribute": "link"
},
"comment": {
"description": "Comment related to this VirusTotal graph",
"categories": [
"External analysis"
],
"misp-attribute": "text",
"ui-priority": 2,
"multiple": true,
"disable_correlation": true
},
"screenshot": {
"description": "Screenshot of the VirusTotal graph",
"misp-attribute": "attachment",
"disable_correlation": true,
"ui-priority": 1,
"categories": [
"External analysis"
]
}
},
"version": 1,
"description": "VirusTotal graph",
"meta-category": "misc",
"uuid": "9b421055-b1bb-4c33-9ead-7fa3f39e2232",
"name": "virustotal-graph"
}

4
objects/virustotal-report/definition.json
View File

@ -48,14 +48,14 @@
"comment": {
"description": "Comment related to this hash",
"categories": [
"Exernal analysis"
"External analysis"
],
"misp-attribute": "text",
"ui-priority": 2,
"multiple": true
}
},
"version": 2,
"version": 3,
"description": "VirusTotal report",
"meta-category": "misc",
"uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",

52
objects/weakness/definition.json Normal file
View File

@ -0,0 +1,52 @@
{
"requiredOneOf": [
"id",
"name",
"description"
],
"attributes": {
"id": {
"description": "Weakness ID (generally CWE).",
"ui-priority": 0,
"misp-attribute": "text"
},
"description": {
"description": "Description of the weakness.",
"ui-priority": 0,
"misp-attribute": "text"
},
"name": {
"description": "Name of the weakness.",
"ui-priority": 0,
"misp-attribute": "text"
},
"status": {
"description": "Status of the weakness.",
"ui-priority": 0,
"sane_default": [
"Incomplete",
"Deprecated",
"Draft",
"Usable"
],
"disable_correlation": true,
"misp-attribute": "text"
},
"weakness-abs": {
"description": "Abstraction of the weakness.",
"ui-priority": 0,
"sane_default": [
"Class",
"Base",
"Variant"
],
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.",
"meta-category": "vulnerability",
"uuid": "b8713fc0-d7a2-4b27-a182-38ed47966802",
"name": "weakness"
}

34
objects/x509/definition.json
View File

@ -19,18 +19,18 @@
"disable_correlation": true
},
"pubkey-info-size": {
"description": "Length of the public key (in bits)",
"description": "Length of the public key (in bits expressed in decimal: eg. 256 bits)",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"pubkey-info-exponent": {
"description": "Exponent of the public key",
"description": "Exponent of the public key - in decimal",
"ui-priority": 0,
"misp-attribute": "text"
},
"pubkey-info-modulus": {
"description": "Modulus of the public key",
"description": "Modulus of the public key - in Hexadecimal - no 0x, no :",
"ui-priority": 0,
"misp-attribute": "text"
},
@ -108,7 +108,31 @@
"disable_correlation": true
},
"dns_names": {
"description": "DNS names",
"description": "Subject Alternative Name - DNS names",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"email": {
"description": "Subject Alternative Name - emails",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"ip": {
"description": "Subject Alternative Name - IP",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"uri": {
"description": "Subject Alternative Name - URI",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"rid": {
"description": "Subject Alternative Name - RID",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
@ -124,7 +148,7 @@
]
}
},
"version": 9,
"version": 11,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",

37
relationships/definition.json
View File

@ -1,5 +1,5 @@
{
"version": 15,
"version": 17,
"values": [
{
"name": "derived-from",
@ -204,6 +204,13 @@
"stix-2.0"
]
},
{
"name": "mentions",
"description": "This relationship describes that the source object mentions the target object.",
"format": [
"misp"
]
},
{
"name": "mitigates",
"description": "This relationship describes a source object which mitigates the target object.",
@ -243,6 +250,13 @@
"misp"
]
},
{
"name": "is-author-of",
"description": "This relationship describes an object being author by someone.",
"format": [
"misp"
]
},
{
"name": "located",
"description": "This relationship describes the location (of any type) of a specific object.",
@ -257,6 +271,13 @@
"misp"
]
},
{
"name": "includes",
"description": "This relationship describes an object that includes an other object.",
"format": [
"misp"
]
},
{
"name": "analysed-with",
"description": "This relationship describes an object analysed by another object.",
@ -942,6 +963,20 @@
"misp"
]
},
{
"name": "injects-into",
"description": "Represents an object injecting something into something",
"format": [
"misp"
]
},
{
"name": "injected-into",
"description": "Represents an object which is injected something into something",
"format": [
"misp"
]
},
{
"name": "creates",
"description": "Represents an object that creates something.",

306
schema_objects.json
View File

@ -1,108 +1,290 @@
{
"$schema": "http://json-schema.org/schema#",
"title": "Validator for misp-objects",
"id": "https://www.github.com/MISP/misp-objects/schema.json",
"additionalProperties": false,
"defs": {
"attribute": {
"type": "object",
"additionalProperties": false,
"properties": {
"misp-attribute": {
"type": "string"
},
"ui-priority": {
"type": "number"
},
"categories": {
"type": "array",
"uniqueItems": true,
"items": {
"enum": [
"Antivirus detection",
"Artifacts dropped",
"Attribution",
"External analysis",
"Financial fraud",
"Internal reference",
"Network activity",
"Other",
"Payload delivery",
"Payload installation",
"Payload type",
"Persistence mechanism",
"Person",
"Social network",
"Support Tool",
"Targeting data"
],
"type": "string"
}
},
"values_list": {
},
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
"uniqueItems": true
},
"sane_default": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"multiple": {
"type": "boolean"
"description": {
"type": "string"
},
"disable_correlation": {
"type": "boolean"
},
"to_ids": {
"misp-attribute": {
"enum": [
"AS",
"aba-rtn",
"anonymised",
"attachment",
"authentihash",
"bank-account-nr",
"bic",
"bin",
"boolean",
"bro",
"btc",
"campaign-id",
"campaign-name",
"cc-number",
"cdhash",
"comment",
"community-id",
"cookie",
"cortex",
"counter",
"country-of-residence",
"cpe",
"dash",
"date-of-birth",
"datetime",
"dns-soa-email",
"domain",
"domain|ip",
"email-attachment",
"email-body",
"email-dst",
"email-dst-display-name",
"email-header",
"email-message-id",
"email-mime-boundary",
"email-reply-to",
"email-src",
"email-src-display-name",
"email-subject",
"email-thread-index",
"email-x-mailer",
"eppn",
"filename",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"first-name",
"float",
"frequent-flyer-number",
"gender",
"gene",
"github-organisation",
"github-repository",
"github-username",
"hassh-md5",
"hasshserver-md5",
"hex",
"hostname",
"hostname|port",
"http-method",
"iban",
"identity-card-number",
"impfuzzy",
"imphash",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"issue-date-of-the-visa",
"ja3-fingerprint-md5",
"jabber-id",
"kusto-query",
"last-name",
"link",
"mac-address",
"mac-eui-64",
"malware-sample",
"malware-type",
"md5",
"middle-name",
"mime-type",
"mobile-application-id",
"mutex",
"named pipe",
"nationality",
"other",
"passenger-name-record-locator-number",
"passport-country",
"passport-expiration",
"passport-number",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
"payment-details",
"pdb",
"pehash",
"phone-number",
"place-of-birth",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"place-port-of-original-embarkation",
"port",
"primary-residence",
"prtn",
"redress-number",
"regkey",
"regkey|value",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"size-in-bytes",
"snort",
"special-service-request",
"ssdeep",
"stix2-pattern",
"target-email",
"target-external",
"target-location",
"target-machine",
"target-org",
"target-user",
"text",
"threat-actor",
"tlsh",
"travel-details",
"twitter-id",
"uri",
"url",
"user-agent",
"visa-number",
"vulnerability",
"weakness",
"whois-creation-date",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrant-org",
"whois-registrant-phone",
"whois-registrar",
"windows-scheduled-task",
"windows-service-displayname",
"windows-service-name",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"xmr",
"yara",
"zeek"
],
"type": "string"
},
"multiple": {
"type": "boolean"
},
"recommended": {
"type": "boolean"
},
"description": {
"type": "string"
"sane_default": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"to_ids": {
"type": "boolean"
},
"ui-priority": {
"type": "number"
},
"values_list": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
}
},
"required": [
"misp-attribute",
"ui-priority",
"description"
]
],
"type": "object"
}
},
"type": "object",
"additionalProperties": false,
"id": "https://www.github.com/MISP/misp-objects/schema.json",
"properties": {
"attributes": {
"additionalProperties": {
"$ref": "#/defs/attribute",
"type": "object"
},
"type": "object"
},
"description": {
"type": "string"
},
"meta-category": {
"type": "string",
"enum": [
"file",
"network",
"financial",
"misc",
"internal",
"vulnerability"
]
"vulnerability",
"climate"
],
"type": "string"
},
"name": {
"type": "string"
},
"description": {
"type": "string"
"required": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"version": {
"type": "integer"
"requiredOneOf": {
"items": {
"type": "string"
},
"type": "array",
"uniqueItems": true
},
"uuid": {
"type": "string"
},
"attributes": {
"type": "object",
"additionalProperties": {
"type": "object",
"$ref": "#/defs/attribute"
}
},
"requiredOneOf": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
},
"required": {
"type": "array",
"uniqueItems": true,
"items": {
"type": "string"
}
"version": {
"type": "integer"
}
},
"required": [
@ -112,5 +294,7 @@
"meta-category",
"name",
"uuid"
]
],
"title": "Validator for misp-objects",
"type": "object"
}

50
tools/list_of_objects.py Normal file
View File

@ -0,0 +1,50 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
#
# A simple converter of MISP objects to asciidoctor format
# Copyright (C) 2017-2019 Alexandre Dulaunoy
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import json
import argparse
thisDir = os.path.dirname(__file__)
objects = []
pathObjects = os.path.join(thisDir, '../objects')
for f in os.listdir(pathObjects):
objectName = f
objects.append(objectName)
objects.sort()
argParser = argparse.ArgumentParser(description='Generate list of MISP object templates', epilog='Available objects are {0}'.format(objects))
argParser.add_argument('-v', action='store_true', help='Verbose mode')
args = argParser.parse_args()
for mispobject in objects:
fullPathClusters = os.path.join(pathObjects, '{}/{}'.format(mispobject, 'definition.json'))
with open(fullPathClusters) as fp:
c = json.load(fp)
if not c['description'].endswith('.'):
c['description'] = c['description']+"."
v = "- [objects/{}](objects/{}/definition.json) - {}".format(c['name'], c['name'],c['description'])
print(v)

6
validate_all.sh
View File

@ -8,7 +8,7 @@ set -x
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run ./jq_all_the_things.sh before commiting."
echo "ERROR: Please make sure you run ./jq_all_the_things.sh before doing a PR."
exit 1
fi
@ -18,7 +18,7 @@ find -name "*.json" -exec chmod -x "{}" \;
diffs=`git status --porcelain | wc -l`
if ! [ $diffs -eq 0 ]; then
echo "Please make sure you run remove the executable flag on the json files before commiting: find -name "*.json" -exec chmod -x \"{}\" \\;"
echo "ERROR: Please make sure you run remove the executable flag on the json files before doing a PR: find -name "*.json" -exec chmod -x \"{}\" \\;"
exit 1
fi
@ -33,3 +33,5 @@ done
jsonschema -i relationships/definition.json schema_relationships.json
./unique_uuid.py
echo "Success: All is fine, please go ahead.".