From 07b6883c93a2b227835a832e0ad154425a781824 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 25 Jun 2022 11:37:41 +0200
Subject: [PATCH] new: [query] query object to describe search queries on SIEM and other tools
MISP object template designed following requests and especially this twitter thread: https://twitter.com/castello_johnny/status/1540610057263628289 I added a list of sane default based on the ones I have seen being used: "sane_default": [ "event query language (eql)", "keyword query language (kql)", "Query DSL", "Query (Elastic Search)", "Sigma", "Lucene query", "Google search query", "Ariel Query Language (qradar)", "Grep", "Devo LINQ" ], Thanks to Gianni Castaldi and others for ideas. The object can be expanded and improved over the time and the needs to share new queries.
---
 objects/query/definition.json | 51 +++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 objects/query/definition.json
diff --git a/objects/query/definition.json b/objects/query/definition.json
new file mode 100644
index 0000000..45e0e1c
--- /dev/null
+++ b/objects/query/definition.json
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "author": {
+ "description": "Author of the query",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "comment": {
+ "description": "A description of the query rule.",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "format": {
+ "description": "Format of the query.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "event query language (eql)",
+ "keyword query language (kql)",
+ "Query DSL",
+ "Query (Elastic Search)",
+ "Sigma",
+ "Lucene query",
+ "Google search query",
+ "Ariel Query Language (qradar)",
+ "Grep",
+ "Devo LINQ"
+ ],
+ "ui-priority": 0
+ },
+ "query": {
+ "description": "Query rule in the format specified in the format field.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "query-rule-name": {
+ "description": "Query rule name.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "An object describing a query, along with its format.",
+ "meta-category": "misc",
+ "name": "query",
+ "requiredOneOf": [
+ "query"
+ ],
+ "uuid": "006539b3-f68a-4a02-a213-e600762d39b5",
+ "version": 1
+}
\ No newline at end of file
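Review bot: The `sane_default` list under `format` mixes naming styles and overlapping entries — "event query language (eql)" and "Ariel Query Language (qradar)" differ in casing, and "Query DSL", "Query (Elastic Search)" and "Lucene query" all name Elasticsearch-family syntaxes — so a consumer that selects a parser or validator from `format` cannot key on the value reliably; one entry per language with a single casing convention (for example lowercase language name, tool in parentheses) would make the field machine-usable. `query-rule-name` carries no `disable_correlation`, unlike `author` and `format`; generic rule names such as "Failed logon" (constructed example) would correlate unrelated events across instances, so `"disable_correlation": true` there seems warranted unless name correlation is intended. The file also ends without a trailing newline (`\ No newline at end of file`), which the other templates in the repository presumably have.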