diff --git a/README.md b/README.md index c80d2ba..5f0a474 100644 --- a/README.md +++ b/README.md 
@@ -110,8 +110,11 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/android-permission](https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app). - [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. - [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml. +- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/. +- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1). - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification. +- [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. 
Especially useful for red/purple teaming, but can also be used for actual attacks. - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report. - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info. - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature. @@ -125,6 +128,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. +- [objects/cloth](https://github.com/MISP/misp-objects/blob/main/objects/cloth/definition.json) - Describes clothes a natural person wears. - [objects/coin-address](https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json) - An address used in a cryptocurrency. - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands. - [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not. 
@@ -144,9 +148,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/cytomic-orion-file](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json) - Cytomic Orion File Detection. - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection. - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern. -- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy. +- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. -- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. +- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM. - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain. 
- [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time. @@ -156,6 +160,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format. - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information. - [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points. +- [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance. - [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. - [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account. - [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group. 
@@ -168,70 +173,73 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case. - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence. - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document. -- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - . -- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - . -- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - . +- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - An airplane, helicopter or other flying vehicle. +- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - Assessment with meta-data. +- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - A piece of property which can be owned and assigned a monetary value. - [objects/ftm-Associate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Associate/definition.json) - Non-family association between two people. -- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - . -- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - . -- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - . 
-- [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - . +- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - Audio with meta-data. +- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts. +- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - Phone call object template including the call and all associated meta-data. +- [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective. - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). . - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier. -- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - . -- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - . +- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - Court case. +- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - Court Case Party. 
- [objects/ftm-Debt](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/definition.json) - A monetary debt between two parties. -- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - . -- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - . -- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - . +- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - Directorship. +- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - Document. +- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - Documentation. - [objects/ftm-EconomicActivity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-EconomicActivity/definition.json) - A foreign economic activity. -- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - . -- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - . +- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - Email. +- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - Event. - [objects/ftm-Family](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Family/definition.json) - Family relationship between two people. -- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - . -- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - . -- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - . 
-- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - . +- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - Folder. +- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - HyperText. +- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - Image. +- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - Land. - [objects/ftm-LegalEntity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-LegalEntity/definition.json) - A legal entity may be a person or a company. - [objects/ftm-License](https://github.com/MISP/misp-objects/blob/main/objects/ftm-License/definition.json) - A grant of land, rights or property. A type of Contract. -- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - . -- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - . -- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - . -- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - . -- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - . -- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - . -- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - . +- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - Membership. +- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - Message. 
+- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - Organization. +- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - Ownership. +- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - Package. +- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - Page. +- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - Pages. - [objects/ftm-Passport](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Passport/definition.json) - Passport. - [objects/ftm-Payment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Payment/definition.json) - A monetary payment between two parties. - [objects/ftm-Person](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Person/definition.json) - An individual. -- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - . +- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - Plaintext. - [objects/ftm-PublicBody](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PublicBody/definition.json) - A public body, such as a ministry, department or state company. - [objects/ftm-RealEstate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-RealEstate/definition.json) - A piece of land or property. - [objects/ftm-Representation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Representation/definition.json) - A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity. -- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - . +- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - Row. 
- [objects/ftm-Sanction](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Sanction/definition.json) - A sanction designation. - [objects/ftm-Succession](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Succession/definition.json) - Two entities that legally succeed each other. -- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - . +- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - Table. - [objects/ftm-TaxRoll](https://github.com/MISP/misp-objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax declaration of an individual. -- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - . -- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - . -- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - . +- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - Unknown Link. +- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - User Account. +- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - Vehicle. - [objects/ftm-Vessel](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or ship. -- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - . -- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - . +- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video. +- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook. 
+- [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware. - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location. - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. -- [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. +- [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. +- [objects/identity](https://github.com/MISP/misp-objects/blob/main/objects/identity/definition.json) - Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. 
Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5). - [objects/ilr-impact](https://github.com/MISP/misp-objects/blob/main/objects/ilr-impact/definition.json) - Institut Luxembourgeois de Regulation - Impact. - [objects/ilr-notification-incident](https://github.com/MISP/misp-objects/blob/main/objects/ilr-notification-incident/definition.json) - Institut Luxembourgeois de Regulation - Notification d'incident. - [objects/image](https://github.com/MISP/misp-objects/blob/main/objects/image/definition.json) - Object describing an image file. - [objects/impersonation](https://github.com/MISP/misp-objects/blob/main/objects/impersonation/definition.json) - Represent an impersonating account. - [objects/imsi-catcher](https://github.com/MISP/misp-objects/blob/main/objects/imsi-catcher/definition.json) - IMSI Catcher entry object based on the open source IMSI cather. +- [objects/infrastructure](https://github.com/MISP/misp-objects/blob/main/objects/infrastructure/definition.json) - The Infrastructure object represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other objects, the Infrastructure object represents a named group of related data that constitutes the infrastructure. STIX 2.1 - 4.8. - [objects/instant-message](https://github.com/MISP/misp-objects/blob/main/objects/instant-message/definition.json) - Instant Message (IM) object template describing one or more IM message. 
- [objects/instant-message-group](https://github.com/MISP/misp-objects/blob/main/objects/instant-message-group/definition.json) - Instant Message (IM) group object template describing a public or private IM group, channel or conversation. - [objects/intel471-vulnerability-intelligence](https://github.com/MISP/misp-objects/blob/main/objects/intel471-vulnerability-intelligence/definition.json) - Intel 471 vulnerability intelligence object. 
@@ -248,6 +256,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ja3s](https://github.com/MISP/misp-objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSLExtensions. https://github.com/salesforce/ja3. - [objects/jarm](https://github.com/MISP/misp-objects/blob/main/objects/jarm/definition.json) - Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case. - [objects/keybase-account](https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json) - Information related to a keybase account, from API Users Object. +- [objects/language-content](https://github.com/MISP/misp-objects/blob/main/objects/language-content/definition.json) - The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1. - [objects/leaked-document](https://github.com/MISP/misp-objects/blob/main/objects/leaked-document/definition.json) - Object describing a leaked document. - [objects/legal-entity](https://github.com/MISP/misp-objects/blob/main/objects/legal-entity/definition.json) - An object to describe a legal entity. - [objects/lnk](https://github.com/MISP/misp-objects/blob/main/objects/lnk/definition.json) - LNK object describing a Windows LNK binary file (aka Windows shortcut). 
@@ -280,15 +289,19 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable. - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable. - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity. +- [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity. - [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature. - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit. - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone. - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address. +- [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure. - [objects/process](https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json) - Object describing a system process. 
- [objects/publication](https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json) - An object to describe a book, journal, or academic publication. - [objects/python-etvx-event-log](https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json) - Event log object template to share information of the activities conducted on a system. . +- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format. - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml. +- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents. - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account. - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment. - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post. 
@@ -317,6 +330,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report. - [objects/sb-signature](https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json) - Sandbox detection signature. - [objects/scheduled-event](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json) - Event object template describing a gathering of individuals in meatspace. +- [objects/scheduled-task](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-task/definition.json) - Windows scheduled task description. - [objects/scrippsco2-c13-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json) - Daily average C13 concentrations (ppm) derived from flask air samples. - [objects/scrippsco2-c13-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-monthly/definition.json) - Monthly average C13 concentrations (ppm) derived from flask air samples. - [objects/scrippsco2-co2-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-daily/definition.json) - Daily average CO2 concentrations (ppm) derived from flask air samples. 
@@ -324,19 +338,25 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/scrippsco2-o18-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-daily/definition.json) - Daily average O18 concentrations (ppm) derived from flask air samples. - [objects/scrippsco2-o18-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json) - Monthly average O18 concentrations (ppm) derived from flask air samples. - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. -- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense. +- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows. - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP. - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. 
Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply. - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target. +- [objects/sigma](https://github.com/MISP/misp-objects/blob/main/objects/sigma/definition.json) - An object describing a Sigma rule (or a Sigma rule name). - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel. +- [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14. +- [objects/spearphishing-attachment](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-attachment/definition.json) - Spearphishing Attachment. +- [objects/spearphishing-link](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-link/definition.json) - Spearphishing Link. - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object. -- [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. +- [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks. - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file. - [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. 
The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +- [objects/stock](https://github.com/MISP/misp-objects/blob/main/objects/stock/definition.json) - Object to describe stock market. - [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description. - [objects/suricata](https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json) - An object describing one or more Suricata rule(s) along with version and contextual information. - [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +- [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body. - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account. - [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid. - [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report. 
@@ -365,6 +385,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse. - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph. - [objects/virustotal-report](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json) - VirusTotal report. +- [objects/virustotal-submission](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-submission/definition.json) - VirusTotal Submission. - [objects/vulnerability](https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json) - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware. - [objects/weakness](https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json) - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware. - [objects/whois](https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json) - Whois records information for a domain name or an IP address. 
@@ -396,6 +417,15 @@ Every object needs a **uuid** which can be created using **uuidgen -r** on a lin When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is run for validation, pull a request on this project. We usually merge the objects if it fits existing use-cases. +### Best practices when creating MISP object templates + +- Use lower-case name without underscore or special characters (except minus) for the field names +- Add a description in the object template explaining the scope and use-cases of your object templates +- If the object is the mapping of an existing format, add a reference into the description of the object template +- `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s). +- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). +- Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required. + ## MISP objects documentation The MISP objects are documented at the following location in [HTML](https://www.misp-project.org/objects.html) and [PDF](https://www.misp-project.org/objects.pdf). diff --git a/objects/apivoid-email-verification/definition.json b/objects/apivoid-email-verification/definition.json new file mode 100644 index 0000000..7743138 --- /dev/null +++ b/objects/apivoid-email-verification/definition.json 
@@ -0,0 +1,219 @@ +{ + "attributes": { + "china_free_email": { + "description": "True if email is a free China email, i.e 163.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "comment": { + "description": "Field for comments or correlating text", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "dirty_words_domain": { + "description": "True if domain contains dirty/bad words.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dirty_words_username": { + "description": "True if username contains dirty/bad words.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "disposable": { + "description": "True if email is disposable, i.e yopmail.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dmarc_configured": { + "description": "True if domain has DMARC records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dmarc_enforced": { + "description": "True if domain is configured for DMARC and set to an enforcement policy.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "domain": { + "description": "Email domain.", + "disable_correlation": true, + "misp-attribute": "domain", + "to_ids": false, + "ui-priority": 1 + }, + "domain_popular": { + "description": "True if domain is a known popular domain.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "educational_domain": { + "description": "True if domain is an educational domain, i.e .edu", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "email": { + "categories": [ + "Attribution" + ], + "description": "The email address that was queried.", + "misp-attribute": "email", + "to_ids": false, + "ui-priority": 1 + }, + "free_email": { + "description": "True if 
email is a free email, i.e gmail.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "government_domain": { + "description": "True if domain is a government domain, i.e .gov", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_a_records": { + "description": "True if domain has A records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_mx_records": { + "description": "True if domain has MX records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_spf_records": { + "description": "True if domain has SPF records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "is_spoofable": { + "description": "True if domain does not have SPF records or if ~all is not configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "police_domain": { + "description": "True if domain is a police domain (such as *polizei*, *police*, etc).", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "risky_tld": { + "description": "True if domain TLD is risky, i.e .top or .pro.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "role_address": { + "description": "True if email is a role address, i.e admin@website.com", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "russian_free_email": { + "description": "True if email is a free Russian email, i.e mail.ru.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "score": { + "description": "A number between 0 (bad) and 100 (good).", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 1 + }, + "should_block": { + "description": "True if the score is bad (<= 70) and thus it should be 
blocked.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_domain": { + "description": "True if domain is suspicious, i.e known spam or parked.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_email": { + "description": "True if email is considered suspicious.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_username": { + "description": "True if username is suspicious, i.e only numbers.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "username": { + "description": "Username part of the email address (email prefix)", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "valid_format": { + "description": "True if email has a valid format.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "valid_tld": { + "description": "True if domain TLD is valid, i.e .com or .co.uk", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + } + }, + "description": "Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/", + "meta-category": "misc", + "name": "apivoid-email-verification", + "required": [ + "email" + ], + "requiredOneOf": [ + "valid_format", + "username", + "role_address", + "suspicious_username", + "dirty_words_username", + "suspicious_email", + "domain", + "valid_tld", + "disposable", + "has_a_records", + "has_mx_records", + "has_spf_records", + "is_spoofable", + "dmarc_configured", + "dmarc_enforced", + "free_email", + "russian_free_email", + "china_free_email", + "suspicious_domain", + "dirty_words_domain", + "domain_popular", + "risky_tld", + "police_domain", + "government_domain", + "educational_domain", + "should_block", + "score" + ], + "uuid": "289492ab-4b74-49ec-add7-cd9b541f2245", + "version": 1 +} \ No newline at end of file 
diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json new file mode 100644 index 0000000..df2b7c9 --- /dev/null +++ b/objects/artifact/definition.json 
@@ -0,0 +1,45 @@ +{ + "attributes": { + "decryption_key": { + "description": "Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "encryption_algorithm": { + "description": "If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hashes": { + "description": "Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. (should be file with relationships?)", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "mime_type": { + "description": "Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.", + "disable_correlation": true, + "misp-attribute": "mime-type", + "ui-priority": 0 + }, + "payload_bin": { + "description": "Specifies the binary data contained in the artifact as a base64-encoded string.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "url": { + "description": "The value of this property MUST be a valid URL that resolves to the unencoded content.", + "misp-attribute": "url", + "ui-priority": 0 + } + }, + "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. 
from STIX 2.1 (6.1)", + "meta-category": "file", + "name": "artifact", + "requiredOneOf": [ + "payload_bin", + "url" + ], + "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483", + "version": 1 +} \ No newline at end of file diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json new file mode 100644 index 0000000..ec30a13 --- /dev/null +++ b/objects/attack-step/definition.json 
@@ -0,0 +1,83 @@ +{ + "attributes": { + "command-line": { + "description": "Command line used to execute attack step, if any.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "description": { + "description": "Description of the attack step", + "misp-attribute": "text", + "ui-priority": 1 + }, + "detections": { + "description": "Detections by the victim's monitoring capabilities.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "dst-domain": { + "description": "Domain destination of the attack step, if any.", + "disable_correlation": true, + "misp-attribute": "domain", + "ui-priority": 1 + }, + "dst-ip": { + "description": "IP destination of the attack step, if any.", + "disable_correlation": true, + "misp-attribute": "ip-dst", + "ui-priority": 1 + }, + "dst-misc": { + "description": "Other type of source of the attack step, if any. This can be e.g. localhost.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "expected-response": { + "description": "Response or detection expected (in case of purple teaming)", + "misp-attribute": "text", + "ui-priority": 1 + }, + "key-step": { + "description": "Was this attack step object a key step within the context of the incident/event?", + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 1 + }, + "source-domain": { + "description": "Domain source of the attack step, if any.", + "misp-attribute": "domain", + "ui-priority": 1 + }, + "source-ip": { + "description": "IP source of the attack step, if any.", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "source-misc": { + "description": "Other type of source of the attack step, if any. This can be e.g. 
rotating ip from cloud providers such as AWS, or localhost.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "succesful": { + "description": "Was this attack step succesful?", + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 1 + } + }, + "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.", + "meta-category": "misc", + "name": "attack-step", + "requiredOneOf": [ + "description" + ], + "uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74", + "version": 1 +} \ No newline at end of file diff --git a/objects/cloth/definition.json b/objects/cloth/definition.json new file mode 100644 index 0000000..7920091 --- /dev/null +++ b/objects/cloth/definition.json 
@@ -0,0 +1,104 @@ +{ + "attributes": { + "bottom-accessories": { + "description": "Cloth and accessories on the bottom part of the body", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "trousers", + "skirt", + "underpants / panties", + "shorts", + "boxer shorts", + "body stocking", + "sock", + "shoe", + "boot", + "sandal", + "slipper", + "sneaker", + "hiking boot", + "high tops" + ] + }, + "cloth-color": { + "description": "Cloth's colors", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "cloth-picture": { + "description": "Cloth's pictures", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "description": { + "description": "Cloth's Description of a natural person", + "misp-attribute": "text", + "ui-priority": 50 + }, + "head-accessories": { + "description": "Cloth and accessories on the head", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "hat", + "cap", + "bonnet", + "glasses", + "bandeau" + ] + }, + "top-accessories": { + "description": "Cloth and accessories on the top part of the body", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "jacket", + "coat", + "dress", + "shirt", + "top", + "pullover", + "sweatshirt", + "suit", + "tie", + "bow tie", + "lady's suit", + "waistcoat", + "cardigan", + "undershirt", + "t-shirt", + "bra", + "scarf", + "glove" + ] + } + }, + "description": "Describes clothes a natural person wears", + "meta-category": "misc", + "name": "cloth", + "required": [ + "description" + ], + "uuid": "31a49e4f-49bc-4bae-a9c7-c6058180ba6f", + "version": 1 +} \ No newline at end of file diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json index bbffc3d..e43d181 100644 
--- a/objects/ddos/definition.json +++ b/objects/ddos/definition.json @@ -1,5 +1,23 @@ { "attributes": { + "backscatter-threshold": { + "description": "The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "capture-origin": { + "description": "Origin of the (D)DoS evidences", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Direct network capture", + "Logs", + "Indirect network capture (e.g. backscatter)", + "Unknown" + ], + "ui-priority": 0 + }, "domain-dst": { "categories": [ "Network activity", @@ -52,6 +70,7 @@ }, "protocol": { "description": "Protocol used for the attack", + "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0, "values_list": [ 
@@ -78,17 +97,60 @@ "ui-priority": 0 }, "total-bps": { - "description": "Bits per second", + "description": "Bits per second (maximum rate of bits per second measured)", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "total-bytes-sent": { + "description": "Total number of bytes sent by the sources mentioned", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "total-packets-sent": { + "description": "Total number of packets sent by the source mentioned", + "disable_correlation": true, "misp-attribute": "counter", "ui-priority": 0 }, "total-pps": { - "description": "Packets per second", + "description": "Packets per second (maximum rate of packets per second measured)", + "disable_correlation": true, "misp-attribute": "counter", "ui-priority": 0 + }, + "type": { + "description": "Type(s) or Technique(s) of Denial of Service", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "amplification-attack", + "reflected-spoofed-attack", + "slow-read-attack", + "flooding-attack", + "post-attack", + "chargen-amplification", + "dns", + "dns-amplification", + "ip-fragmentation", + "ip-private", + "icmp", + "memcached-amplification", + "ms-sql-rs-amplification", + "ntp-amplification", + "snmp-amplification", + "ssdp-amplification", + "tcp-null", + "tcp-rst", + "tcp-syn", + "udp" + ], + "ui-priority": 0 } }, - "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy", + "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.", "meta-category": "network", "name": "ddos", "requiredOneOf": [ 
@@ -97,5 +159,5 @@ "domain-dst" ], "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d", - "version": 7 + "version": 9 } \ No newline at end of file diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json index 11ee5b5..22a7e00 100644 --- a/objects/diameter-attack/definition.json +++ b/objects/diameter-attack/definition.json @@ -78,12 +78,12 @@ "ui-priority": 0 } }, - "description": "Attack as seen on diameter authentication against a GSM, UMTS or LTE network", + "description": "Attack as seen on the diameter signaling protocol supporting LTE networks.", "meta-category": "network", "name": "diameter-attack", "requiredOneOf": [ "text" ], "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index f34bad2..865f817 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -44,6 +44,7 @@ ], "description": "Associated TCP port with the domain", "misp-attribute": "port", + "multiple": true, "ui-priority": 1 }, "registration-date": { @@ -69,5 +70,5 @@ "hostname" ], "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734", - "version": 10 + "version": 11 } \ No newline at end of file diff --git a/objects/employee/definition.json b/objects/employee/definition.json index 5f68ad3..693b944 100644 --- a/objects/employee/definition.json +++ b/objects/employee/definition.json @@ -26,13 +26,19 @@ ] }, "first-name": { - "description": "First name of Employee", + "description": "Employee's first name", "disable_correlation": true, "misp-attribute": "first-name", "ui-priority": 0 }, + "full-name": { + "description": "Employee's full name", + "disable_correlation": true, + "misp-attribute": "full-name", + "ui-priority": 0 + }, "last-name": { - "description": "Last name Employee", + "description": "Employee's last name", "disable_correlation": true, "misp-attribute": "last-name", "ui-priority": 0 
diff --git a/objects/error-message/definition.json b/objects/error-message/definition.json new file mode 100644 index 0000000..a6f2b0f --- /dev/null +++ b/objects/error-message/definition.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "message": { + "description": "Content of the error message.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "source": { + "description": "Source of the error message.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "misp-stix", + "lief", + "other" + ], + "ui-priority": 0 + } + }, + "description": "An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.", + "meta-category": "misc", + "name": "error-message", + "requiredOneOf": [ + "source", + "message" + ], + "uuid": "40e81601-8205-41af-8e67-33795291a448", + "version": 1 +} \ No newline at end of file diff --git a/objects/exploit/definition.json b/objects/exploit/definition.json new file mode 100644 index 0000000..22ec156 --- /dev/null +++ b/objects/exploit/definition.json 
@@ -0,0 +1,91 @@ +{ + "attributes": { + "0day-today-id": { + "description": "Reference to the 0day.today referencing this exploit.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "accessibility": { + "description": "Accessibility of the exploit.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0, + "values_list": [ + "Unknown", + "Public", + "Limited", + "Paid" + ] + }, + "comment": { + "description": "Comment associated to the exploit.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "credit": { + "description": "Credit(s) for the exploit (such as author, distributor or original source).", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "cve-id": { + "description": "Reference to the CVE value targeted by the exploit.", + "misp-attribute": "vulnerability", + "multiple": true, + "ui-priority": 0 + }, + "exploit": { + "description": "Free text of the exploit.", + "misp-attribute": "text", + "ui-priority": 10 + }, + "exploit-as-attachment": { + "description": "Attachment of the exploit.", + "misp-attribute": "attachment", + "ui-priority": 10 + }, + "exploitdb-id": { + "description": "Reference to the ExploitDB referencing this exploit.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "filename": { + "description": "Filename used for the exploit.", + "disable_correlation": true, + "misp-attribute": "filename", + "multiple": true, + "ui-priority": 8 + }, + "level": { + "description": "Level of the exploit.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0, + "values_list": [ + "Unknown", + "Proof-of-Concept", + "Functional", + "Production-ready" + ] + }, + "reference": { + "description": "Reference to the exploit.", + "disable_correlation": true, + "misp-attribute": "link", + "multiple": true, + "ui-priority": 0 + } + }, + "description": "Exploit object describes a program in binary or source code form used to abuse one or 
more vulnerabilities.", + "meta-category": "misc", + "name": "exploit", + "requiredOneOf": [ + "exploit", + "filename", + "exploit-as-attachment" + ], + "uuid": "611a25d5-d8aa-4dde-b9c8-c084e786ebf3", + "version": 1 +} \ No newline at end of file diff --git a/objects/facebook-group/definition.json b/objects/facebook-group/definition.json index b0a1607..aca232c 100644 --- a/objects/facebook-group/definition.json +++ b/objects/facebook-group/definition.json @@ -63,6 +63,11 @@ "multiple": true, "ui-priority": 0 }, + "id": { + "description": "Unique identified of the group.", + "misp-attribute": "text", + "ui-priority": 1 + }, "link": { "description": "Original link to the group (supposed harmless).", "misp-attribute": "link", @@ -94,5 +99,5 @@ "link" ], "uuid": "165c5507-1cba-4cec-9be4-66e21b590ee6", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/facebook-reaction/definition.json b/objects/facebook-reaction/definition.json new file mode 100644 index 0000000..b805cc9 --- /dev/null +++ b/objects/facebook-reaction/definition.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "link": { + "description": "Link to the user account which did the reaction.", + "misp-attribute": "link", + "ui-priority": 1 + }, + "name": { + "description": "The name of A user account which did the reaction.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "type": { + "description": "Type of reaction.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "like", + "love", + "sad", + "haha", + "wow", + "care" + ], + "ui-priority": 1 + } + }, + "description": "Reaction to facebook posts.", + "meta-category": "misc", + "name": "facebook-reaction", + "requiredOneOf": [ + "name", + "link" + ], + "uuid": "f219f784-38b8-47f4-a676-e32efd7df0c3", + "version": 1 +} \ No newline at end of file diff --git a/objects/ftm-Airplane/definition.json b/objects/ftm-Airplane/definition.json index de14854..275a00b 100644 
--- a/objects/ftm-Airplane/definition.json +++ b/objects/ftm-Airplane/definition.json @@ -239,12 +239,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "An airplane, helicopter or other flying vehicle.", "meta-category": "followthemoney", "name": "ftm-Airplane", "required": [ "name" ], "uuid": "ea720b4a-8849-44a5-a150-eab87b86de2c", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Assessment/definition.json b/objects/ftm-Assessment/definition.json index 7a83564..4f5e763 100644 --- a/objects/ftm-Assessment/definition.json +++ b/objects/ftm-Assessment/definition.json @@ -169,12 +169,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Assessment with meta-data.", "meta-category": "followthemoney", "name": "ftm-Assessment", "required": [ "name" ], "uuid": "25330bcb-d629-4d81-bbb9-51cead65175d", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Asset/definition.json b/objects/ftm-Asset/definition.json index c8bd8d5..3109e20 100644 --- a/objects/ftm-Asset/definition.json +++ b/objects/ftm-Asset/definition.json @@ -183,12 +183,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "A piece of property which can be owned and assigned a monetary value.", "meta-category": "followthemoney", "name": "ftm-Asset", "required": [ "name" ], "uuid": "ece6a00c-2f42-4186-bc96-5254aec002a7", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Audio/definition.json b/objects/ftm-Audio/definition.json index 0421000..c2dd9a5 100644 --- a/objects/ftm-Audio/definition.json +++ b/objects/ftm-Audio/definition.json @@ -358,12 +358,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Audio with meta-data.", "meta-category": "followthemoney", "name": "ftm-Audio", "required": [ "name" ], "uuid": "92acc7f9-cb98-4b60-93c0-06be77843968", - "version": 1 + "version": 2 } \ No newline at end of file 
diff --git a/objects/ftm-BankAccount/definition.json b/objects/ftm-BankAccount/definition.json index aa57343..bdf475b 100644 --- a/objects/ftm-BankAccount/definition.json +++ b/objects/ftm-BankAccount/definition.json @@ -232,12 +232,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.", "meta-category": "followthemoney", "name": "ftm-BankAccount", "required": [ "name" ], "uuid": "c51ed099-a628-46ee-ad8f-ffed866b6b8d", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Call/definition.json b/objects/ftm-Call/definition.json index 2aff940..74249d4 100644 --- a/objects/ftm-Call/definition.json +++ b/objects/ftm-Call/definition.json @@ -113,9 +113,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Phone call object template including the call and all associated meta-data.", "meta-category": "followthemoney", "name": "ftm-Call", "uuid": "4ad4661a-59bb-4171-a47b-18d9e7b6d6d7", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-CourtCase/definition.json b/objects/ftm-CourtCase/definition.json index 07390a8..a911fde 100644 --- a/objects/ftm-CourtCase/definition.json +++ b/objects/ftm-CourtCase/definition.json @@ -204,7 +204,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Court case", "meta-category": "followthemoney", "name": "ftm-CourtCase", "required": [ diff --git a/objects/ftm-CourtCaseParty/definition.json b/objects/ftm-CourtCaseParty/definition.json index 0030a7d..a65e00d 100644 --- a/objects/ftm-CourtCaseParty/definition.json +++ b/objects/ftm-CourtCaseParty/definition.json @@ -106,7 +106,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Court Case Party", "meta-category": "followthemoney", "name": "ftm-CourtCaseParty", "uuid": "9f00c22f-348b-48a9-996b-3ba30de851fe", 
diff --git a/objects/ftm-Directorship/definition.json b/objects/ftm-Directorship/definition.json index b323c7a..3610b21 100644 --- a/objects/ftm-Directorship/definition.json +++ b/objects/ftm-Directorship/definition.json @@ -113,7 +113,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Directorship", "meta-category": "followthemoney", "name": "ftm-Directorship", "uuid": "9d9b0af9-9c8c-42c4-8210-388dc3824239", diff --git a/objects/ftm-Document/definition.json b/objects/ftm-Document/definition.json index 10d2249..857c530 100644 --- a/objects/ftm-Document/definition.json +++ b/objects/ftm-Document/definition.json @@ -344,7 +344,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Document", "meta-category": "followthemoney", "name": "ftm-Document", "required": [ diff --git a/objects/ftm-Documentation/definition.json b/objects/ftm-Documentation/definition.json index 143e2f3..86830b6 100644 --- a/objects/ftm-Documentation/definition.json +++ b/objects/ftm-Documentation/definition.json @@ -106,7 +106,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Documentation", "meta-category": "followthemoney", "name": "ftm-Documentation", "uuid": "a5a0c1dd-4438-4520-875d-1e7cf4bcda7d", diff --git a/objects/ftm-Email/definition.json b/objects/ftm-Email/definition.json index 543d8e6..6c142d1 100644 --- a/objects/ftm-Email/definition.json +++ b/objects/ftm-Email/definition.json @@ -421,7 +421,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Email", "meta-category": "followthemoney", "name": "ftm-Email", "required": [ diff --git a/objects/ftm-Event/definition.json b/objects/ftm-Event/definition.json index 3117613..d77e26f 100644 --- a/objects/ftm-Event/definition.json +++ b/objects/ftm-Event/definition.json @@ -267,7 +267,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Event", "meta-category": "followthemoney", "name": "ftm-Event", "required": [ 
diff --git a/objects/ftm-Folder/definition.json b/objects/ftm-Folder/definition.json index 1a497a2..3c0113c 100644 --- a/objects/ftm-Folder/definition.json +++ b/objects/ftm-Folder/definition.json @@ -344,7 +344,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Folder", "meta-category": "followthemoney", "name": "ftm-Folder", "required": [ diff --git a/objects/ftm-HyperText/definition.json b/objects/ftm-HyperText/definition.json index 9548c78..7539e52 100644 --- a/objects/ftm-HyperText/definition.json +++ b/objects/ftm-HyperText/definition.json @@ -358,7 +358,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "HyperText", "meta-category": "followthemoney", "name": "ftm-HyperText", "required": [ diff --git a/objects/ftm-Image/definition.json b/objects/ftm-Image/definition.json index 38cdc9f..c1bbc72 100644 --- a/objects/ftm-Image/definition.json +++ b/objects/ftm-Image/definition.json @@ -351,7 +351,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Image", "meta-category": "followthemoney", "name": "ftm-Image", "required": [ diff --git a/objects/ftm-Land/definition.json b/objects/ftm-Land/definition.json index 2270464..26e087a 100644 --- a/objects/ftm-Land/definition.json +++ b/objects/ftm-Land/definition.json @@ -267,7 +267,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Land", "meta-category": "followthemoney", "name": "ftm-Land", "required": [ diff --git a/objects/ftm-Membership/definition.json b/objects/ftm-Membership/definition.json index 96c180a..855ede9 100644 --- a/objects/ftm-Membership/definition.json +++ b/objects/ftm-Membership/definition.json @@ -106,9 +106,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Membership", "meta-category": "followthemoney", "name": "ftm-Membership", "uuid": "42dbbf3a-8c60-483c-a395-44aaaefc77d1", - "version": 1 + "version": 2 } \ No newline at end of file 
diff --git a/objects/ftm-Message/definition.json b/objects/ftm-Message/definition.json index a0ab88b..988e6d0 100644 --- a/objects/ftm-Message/definition.json +++ b/objects/ftm-Message/definition.json @@ -407,7 +407,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Message", "meta-category": "followthemoney", "name": "ftm-Message", "required": [ diff --git a/objects/ftm-Organization/definition.json b/objects/ftm-Organization/definition.json index 9d4558f..2869e69 100644 --- a/objects/ftm-Organization/definition.json +++ b/objects/ftm-Organization/definition.json @@ -316,7 +316,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Organization", "meta-category": "followthemoney", "name": "ftm-Organization", "required": [ diff --git a/objects/ftm-Ownership/definition.json b/objects/ftm-Ownership/definition.json index 5c9d760..0c73599 100644 --- a/objects/ftm-Ownership/definition.json +++ b/objects/ftm-Ownership/definition.json @@ -155,9 +155,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Ownership", "meta-category": "followthemoney", "name": "ftm-Ownership", "uuid": "2a09b445-c638-40e1-8f52-b95c9156f4d8", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Package/definition.json b/objects/ftm-Package/definition.json index 5bc88c3..dd4ed63 100644 --- a/objects/ftm-Package/definition.json +++ b/objects/ftm-Package/definition.json @@ -344,12 +344,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Package", "meta-category": "followthemoney", "name": "ftm-Package", "required": [ "name" ], "uuid": "f9f13fd9-797c-4e2e-aa17-0ca4a0a60f5c", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Page/definition.json b/objects/ftm-Page/definition.json index c8babad..609fda4 100644 --- a/objects/ftm-Page/definition.json +++ b/objects/ftm-Page/definition.json 
@@ -29,9 +29,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Page", "meta-category": "followthemoney", "name": "ftm-Page", "uuid": "2d9d7605-5105-445e-9ee8-9e39ad34c5c9", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Pages/definition.json b/objects/ftm-Pages/definition.json index 8f2eeee..e139c23 100644 --- a/objects/ftm-Pages/definition.json +++ b/objects/ftm-Pages/definition.json @@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Pages", "meta-category": "followthemoney", "name": "ftm-Pages", "required": [ "name" ], "uuid": "8e567eab-d893-4a38-9dd9-73442f15ede7", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-PlainText/definition.json b/objects/ftm-PlainText/definition.json index b87fa12..dfc0f0b 100644 --- a/objects/ftm-PlainText/definition.json +++ b/objects/ftm-PlainText/definition.json @@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Plaintext", "meta-category": "followthemoney", "name": "ftm-PlainText", "required": [ "name" ], "uuid": "8f260d94-c712-4fdd-a463-6b2487f8a80d", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Row/definition.json b/objects/ftm-Row/definition.json index b290e55..2895849 100644 --- a/objects/ftm-Row/definition.json +++ b/objects/ftm-Row/definition.json @@ -22,9 +22,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Row", "meta-category": "followthemoney", "name": "ftm-Row", "uuid": "282c0f7c-be66-41be-a709-b35032016829", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Table/definition.json b/objects/ftm-Table/definition.json index a859e23..540e53a 100644 --- a/objects/ftm-Table/definition.json +++ b/objects/ftm-Table/definition.json 
@@ -365,12 +365,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Table", "meta-category": "followthemoney", "name": "ftm-Table", "required": [ "name" ], "uuid": "5ac61342-9fa9-4f07-a578-261709633358", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-UnknownLink/definition.json b/objects/ftm-UnknownLink/definition.json index 28bdaf2..e951e77 100644 --- a/objects/ftm-UnknownLink/definition.json +++ b/objects/ftm-UnknownLink/definition.json @@ -106,9 +106,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Unknown Link", "meta-category": "followthemoney", "name": "ftm-UnknownLink", "uuid": "16a29891-df0f-42f7-b466-8b4b718acbfa", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-UserAccount/definition.json b/objects/ftm-UserAccount/definition.json index fd839db..a8e6c79 100644 --- a/objects/ftm-UserAccount/definition.json +++ b/objects/ftm-UserAccount/definition.json @@ -190,12 +190,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "User Account", "meta-category": "followthemoney", "name": "ftm-UserAccount", "required": [ "name" ], "uuid": "094943f5-41c5-4fad-9d61-60d82bce49b1", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Vehicle/definition.json b/objects/ftm-Vehicle/definition.json index 6a5f0c6..284f4a5 100644 --- a/objects/ftm-Vehicle/definition.json +++ b/objects/ftm-Vehicle/definition.json @@ -218,12 +218,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Vehicle", "meta-category": "followthemoney", "name": "ftm-Vehicle", "required": [ "name" ], "uuid": "82378b01-aad3-416b-b678-7af7140f6629", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Video/definition.json b/objects/ftm-Video/definition.json index ac49f27..6dd30a2 100644 --- a/objects/ftm-Video/definition.json +++ b/objects/ftm-Video/definition.json 
@@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Video", "meta-category": "followthemoney", "name": "ftm-Video", "required": [ "name" ], "uuid": "af4821a6-712f-49d7-8297-92eb8c3b75f1", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Workbook/definition.json b/objects/ftm-Workbook/definition.json index 932164c..1cda212 100644 --- a/objects/ftm-Workbook/definition.json +++ b/objects/ftm-Workbook/definition.json @@ -344,12 +344,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Workbook", "meta-category": "followthemoney", "name": "ftm-Workbook", "required": [ "name" ], "uuid": "ebedfb2a-c666-4870-9b77-baedb1c34dac", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/game-cheat/definition.json b/objects/game-cheat/definition.json new file mode 100644 index 0000000..bc7dd77 --- /dev/null +++ b/objects/game-cheat/definition.json 
@@ -0,0 +1,117 @@ +{ + "attributes": { + "affected-game": { + "description": "Name of the game that is targeted by the cheatware.", + "misp-attribute": "text", + "ui-priority": 7 + }, + "cheat-name": { + "description": "Known name of the game cheat, if given.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 12 + }, + "cheat-screenshot": { + "description": "Screenshot of the cheat at work.", + "misp-attribute": "attachment", + "ui-priority": 9 + }, + "cheat-type": { + "description": "Select a type of cheat.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 11, + "values_list": [ + "Aimbot", + "Artificial lag", + "Auto farmer", + "DDoS", + "Disconnecting", + "Exploit", + "Fly", + "Force field", + "Full brightness", + "Ghosting", + "God mode", + "Invicibility", + "Macros", + "No clip", + "No fog", + "RapidFire", + "Scripting", + "Show Hitboxes", + "Wallhack", + "Others" + ] + }, + "cheat-version": { + "description": "Any information about the cheatware version.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 8 + }, + "compilation-date": { + "description": "Compilation date of the game cheat, if known.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 5 + }, + "creator": { + "description": "Individual and/or Group and/or Organization that created the cheat.", + "misp-attribute": "threat-actor", + "ui-priority": 1 + }, + "ig-cheat-behaviour": { + "description": "Describe the in-game behaviour of the cheat (e.g. You selected 'Aim Bot', here you can add details like 'Activate by pressing F7, Deactivate by pressing F8. 
Not detected be Easy Anti-Cheat.')", + "disable_correlation": true, + "misp-attribute": "comment", + "ui-priority": 10 + }, + "implementation": { + "description": "How cheatware is implemented", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4, + "values_list": [ + "Game code modification", + "In-memory data manipulation", + "System software modification", + "Packet interception and manipulation" + ] + }, + "implementation-details": { + "description": "Additionnal informations about the implementation of the cheatware. (e.g. Requires to swap a dll file.)", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 3 + }, + "operating-system": { + "description": "Operating system required and its version.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "pricing": { + "description": "Cheatware price, 0 if free.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 6 + }, + "webpage": { + "description": "Place where the cheat is promoted. Website, Forum, Download page, ...", + "misp-attribute": "url", + "ui-priority": 0 + } + }, + "description": "Describes a game cheat or a cheatware.", + "meta-category": "misc", + "name": "game-cheat", + "required": [ + "affected-game", + "cheat-type" + ], + "uuid": "ab31f87b-f8ac-4dfc-b610-359302b4e86b", + "version": 9 +} \ No newline at end of file diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json index 36af16e..667a466 100644 --- a/objects/gtp-attack/definition.json +++ b/objects/gtp-attack/definition.json 
@@ -88,12 +88,12 @@ "ui-priority": 0 } }, - "description": "GTP attack object as seen on a GSM, UMTS or LTE network", + "description": "GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.", "meta-category": "network", "name": "gtp-attack", "requiredOneOf": [ "text" ], "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", - "version": 3 + "version": 4 } \ No newline at end of file diff --git a/objects/identity/definition.json b/objects/identity/definition.json new file mode 100644 index 0000000..4a08de0 --- /dev/null +++ b/objects/identity/definition.json 
@@ -0,0 +1,90 @@ +{ + "attributes": { + "contact_information": { + "description": "The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification.", + "misp-attribute": "text", + "ui-priority": 18 + }, + "description": { + "description": "A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 10 + }, + "identity_class": { + "description": "The type of entity that this Identity describes, e.g., an individual or organization.", + "misp-attribute": "text", + "sane_default": [ + "individual", + "group", + "system", + "organization", + "class", + "unknown" + ], + "ui-priority": 16 + }, + "name": { + "description": "The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "roles": { + "description": "The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer).", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 15 + }, + "sectors": { + "description": "Description of the organization", + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "agriculture", + "aerospace", + "automotive", + "chemical", + "commercial", + "communication", + "construction", + "defense", + "education", + "energy", + "entertainment", + "financial-services", + "government", + "government emergency-services", + "government government-local", + "government-national", + "government-public-services", + "government-regional", + "healthcare", + "hospitality-leasure", + "infrastructure", + "infrastructure dams", + "infrastructure nuclear", + "infrastructure water", + "insurance", + 
"manufacturing", + "mining", + "non-profit", + "pharmaceuticals", + "retail", + "technology", + "telecommunication", + "transportation", + "utilities" + ], + "ui-priority": 17 + } + }, + "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", + "meta-category": "misc", + "name": "identity", + "requiredOneOf": [ + "name" + ], + "uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", + "version": 1 +} \ No newline at end of file diff --git a/objects/infrastructure/definition.json b/objects/infrastructure/definition.json new file mode 100644 index 0000000..bb981d6 --- /dev/null +++ b/objects/infrastructure/definition.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "alias": { + "description": "Alternative names used to identify this Infrastructure.", + "misp-attribute": "text", + "ui-priority": 7 + }, + "description": { + "description": "A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics.", + "misp-attribute": "text", + "ui-priority": 9 + }, + "infrastructure_type": { + "description": "The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "amplification", + "anonymization", + "botnet", + "command-and-control", + "exfiltration", + "hosting-malware", + "hosting-target-lists", + "phishing", + "reconnaissance", + "staging", + "unknown" + ], + "ui-priority": 8 + }, + "kill_chain_phases": { + "description": "The list of Kill Chain Phases for which this Infrastructure is used.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "(1) Reconnaissance", + "(2) Weaponization", + "(3) Deliver", + "(4) Exploitation", + "(5) Installation", + "(6) Command and Control", + "(7) Actions on objectives" + ], + "ui-priority": 6 + }, + "name": { + "description": "A name or characterizing text used to identify the Infrastructure.", + "misp-attribute": "text", + "ui-priority": 10 + } + }, + "description": "The Infrastructure object represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). 
While elements of an attack can be represented by other objects, the Infrastructure object represents a named group of related data that constitutes the infrastructure. STIX 2.1 - 4.8", + "meta-category": "misc", + "name": "infrastructure", + "requiredOneOf": [ + "name" + ], + "uuid": "39d64bd7-1264-4b2e-bdd1-31d1c4b38e6c", + "version": 1 +} \ No newline at end of file diff --git a/objects/instant-message-group/definition.json b/objects/instant-message-group/definition.json index b5174dc..3f20a20 100644 --- a/objects/instant-message-group/definition.json +++ b/objects/instant-message-group/definition.json @@ -15,6 +15,7 @@ "BlackBerry Messenger", "TeamSpeak", "TorChat", + "Tox", "RetroShare", "Slack" ], @@ -76,5 +77,5 @@ "attachment" ], "uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json index 5936290..0c54e8f 100644 --- a/objects/instant-message/definition.json +++ b/objects/instant-message/definition.json @@ -14,8 +14,15 @@ "BlackBerry Messenger", "TeamSpeak", "TorChat", + "Tox", "RetroShare", - "Slack" + "Slack", + "Wire", + "Threema", + "Discord", + "Mumble", + "Jabber", + "Twitter" ], "ui-priority": 1 }, @@ -105,8 +112,10 @@ "name": "instant-message", "requiredOneOf": [ "body", - "from-user" + "from-user", + "from-number", + "from-name" ], "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc", - "version": 1 + "version": 3 } \ No newline at end of file diff --git a/objects/intrusion-set/definition.json b/objects/intrusion-set/definition.json new file mode 100644 index 0000000..3e94273 --- /dev/null +++ b/objects/intrusion-set/definition.json 
@@ -0,0 +1,86 @@ +{ + "attributes": { + "aliases": { + "description": "Alternative names used to identify this Intrusion Set.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "description": { + "description": "A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "goals": { + "description": "The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "name": { + "description": "A name used to identify this Intrusion Set.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "primary-motivation": { + "description": "The primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve). For example, an Intrusion Set with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.", + "coercion - Being forced to act on someone else's behalf. Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. 
Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.", + "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.", + "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.", + "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.", + "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.", + "personal-gain - The desire to improve one’s own financial status. Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. 
While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.", + "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.", + "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.", + "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims." + ], + "ui-priority": 1 + }, + "resource_level": { + "description": "This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. ", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "individual - Resources limited to the average individual; Threat Actor acts independently.", + "club - Members interact on a social and volunteer basis, often with little personal interest in the specific target. 
An example might be a core group of unrelated activists who regularly exchange tips on a particular blog. Group persists long term.", + "contest - A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced 'operations' to achieve a specific goal, such as the original 'OpIsrael' call for volunteers to disrupt all of Israel's Internet functions for a day.", + "team - A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography.", + "organization - Larger and better resourced than a team; typically, a company or crime syndicate. Usually operates in multiple geographic areas and persists long term.", + "government - Controls public assets and functions within a jurisdiction; very well resourced and persists long term." + ], + "ui-priority": 1 + }, + "secondary-motivation": { + "description": "The secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.", + "coercion - Being forced to act on someone else's behalf. 
Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.", + "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.", + "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.", + "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.", + "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.", + "personal-gain - The desire to improve one’s own financial status. 
Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.", + "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.", + "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.", + "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims." + ], + "ui-priority": 1 + } + }, + "description": "A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. 
New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.", + "meta-category": "misc", + "name": "intrusion-set", + "requiredOneOf": [ + "description", + "name" + ], + "uuid": "bfe96eae-e37a-4ecf-8012-1cdb478571a5", + "version": 1 +} \ No newline at end of file diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index 67c8ce7..c200f0c 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -1,5 +1,26 @@ { "attributes": { + "AS": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Autonomous system", + "disable_correlation": true, + "misp-attribute": "AS", + "multiple": true, + "ui-priority": 0 + }, + "country-code": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Country Code", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "domain": { "categories": [ "Network activity", 
@@ -73,12 +94,23 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "protocol": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Protocol", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "src-port": { "categories": [ "Network activity", "External analysis" ], "description": "Source port", + "disable_correlation": true, "misp-attribute": "port", "multiple": true, "ui-priority": 0 @@ -103,5 +135,5 @@ "ip-dst" ], "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", - "version": 8 + "version": 9 } \ No newline at end of file diff --git a/objects/language-content/definition.json b/objects/language-content/definition.json new file mode 100644 index 0000000..f3208de --- /dev/null +++ b/objects/language-content/definition.json 
@@ -0,0 +1,258 @@ +{ + "attributes": { + "content": { + "description": "The contents property contains the actual Language Content (translation).", + "misp-attribute": "text", + "ui-priority": 10 + }, + "language": { + "description": "RFC 5646 language codes for which language content is being provided.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "af", + "af-ZA", + "ar", + "ar-AE", + "ar-BH", + "ar-DZ", + "ar-EG", + "ar-IQ", + "ar-JO", + "ar-KW", + "ar-LB", + "ar-LY", + "ar-MA", + "ar-OM", + "ar-QA", + "ar-SA", + "ar-SY", + "ar-TN", + "ar-YE", + "az", + "az-AZ", + "az-Cyrl-AZ", + "be", + "be-BY", + "bg", + "bg-BG", + "bs-BA", + "ca", + "ca-ES", + "cs", + "cs-CZ", + "cy", + "cy-GB", + "da", + "da-DK", + "de", + "de-AT", + "de-CH", + "de-DE", + "de-LI", + "de-LU", + "dv", + "dv-MV", + "el", + "el-GR", + "en", + "en-AU", + "en-BZ", + "en-CA", + "en-CB", + "en-GB", + "en-IE", + "en-JM", + "en-NZ", + "en-PH", + "en-TT", + "en-US", + "en-ZA", + "en-ZW", + "eo", + "es", + "es-AR", + "es-BO", + "es-CL", + "es-CO", + "es-CR", + "es-DO", + "es-EC", + "es-ES", + "es-GT", + "es-HN", + "es-MX", + "es-NI", + "es-PA", + "es-PE", + "es-PR", + "es-PY", + "es-SV", + "es-UY", + "es-VE", + "et", + "et-EE", + "eu", + "eu-ES", + "fa", + "fa-IR", + "fi", + "fi-FI", + "fo", + "fo-FO", + "fr", + "fr-BE", + "fr-CA", + "fr-CH", + "fr-FR", + "fr-LU", + "fr-MC", + "gl", + "gl-ES", + "gu", + "gu-IN", + "he", + "he-IL", + "hi", + "hi-IN", + "hr", + "hr-BA", + "hr-HR", + "hu", + "hu-HU", + "hy", + "hy-AM", + "id", + "id-ID", + "is", + "is-IS", + "it", + "it-CH", + "it-IT", + "ja", + "ja-JP", + "ka", + "ka-GE", + "kk", + "kk-KZ", + "kn", + "kn-IN", + "ko", + "ko-KR", + "kok", + "kok-IN", + "ky", + "ky-KG", + "lt", + "lt-LT", + "lv", + "lv-LV", + "mi", + "mi-NZ", + "mk", + "mk-MK", + "mn", + "mn-MN", + "mr", + "mr-IN", + "ms", + "ms-BN", + "ms-MY", + "mt", + "mt-MT", + "nb", + "nb-NO", + "nl", + "nl-BE", + "nl-NL", + "nn-NO", + "ns", + "ns-ZA", + "pa", + 
"pa-IN", + "pl", + "pl-PL", + "ps", + "ps-AR", + "pt", + "pt-BR", + "pt-PT", + "qu", + "qu-BO", + "qu-EC", + "qu-PE", + "ro", + "ro-RO", + "ru", + "ru-RU", + "sa", + "sa-IN", + "se", + "se-FI", + "se-NO", + "se-SE", + "sk", + "sk-SK", + "sl", + "sl-SI", + "sq", + "sq-AL", + "sr-BA", + "sr-Cyrl-BA", + "sr-SP", + "sr-Cyrl-SP", + "sv", + "sv-FI", + "sv-SE", + "sw", + "sw-KE", + "syr", + "syr-SY", + "ta", + "ta-IN", + "te", + "te-IN", + "th", + "th-TH", + "tl", + "tl-PH", + "tn", + "tn-ZA", + "tr", + "tr-TR", + "tt", + "tt-RU", + "ts", + "uk", + "uk-UA", + "ur", + "ur-PK", + "uz", + "uz-UZ", + "uz-Cyrl-UZ", + "vi", + "vi-VN", + "xh", + "xh-ZA", + "zh", + "zh-CN", + "zh-HK", + "zh-MO", + "zh-SG", + "zh-TW", + "zu", + "zu-ZA" + ], + "ui-priority": 5 + } + }, + "description": "The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1", + "meta-category": "misc", + "name": "language-content", + "required": [ + "content", + "language" + ], + "uuid": "dff53cb1-d98d-4898-b4d2-85bd8b44929c", + "version": 1 +} \ No newline at end of file diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index 16efe53..9d30c5a 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json @@ -5,6 +5,11 @@ "misp-attribute": "community-id", "ui-priority": 1 }, + "count": { + "description": "Number of similar network connections seen", + "misp-attribute": "counter", + "ui-priority": 1 + }, "dst-port": { "categories": [ "Network activity", @@ -102,5 +107,5 @@ "community-id" ], "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", - "version": 3 + "version": 4 } \ No newline at end of file 
diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 31c7834..cdffce0 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -20,7 +20,7 @@ }, "date-of-inception": { "description": "Date of inception of the organization", - "misp-attribute": "date-of-birth", + "misp-attribute": "datetime", "ui-priority": 0 }, "description": { @@ -52,6 +52,11 @@ "multiple": true, "ui-priority": 10 }, + "registration-number": { + "description": "Registration number of the organization", + "misp-attribute": "text", + "ui-priority": 15 + }, "role": { "description": "The role of the organization.", "disable_correlation": true, @@ -86,5 +91,5 @@ "alias" ], "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", - "version": 5 + "version": 6 } \ No newline at end of file diff --git a/objects/paloalto-threat-event/definition.json b/objects/paloalto-threat-event/definition.json index 81ab487..795a7f5 100644 --- a/objects/paloalto-threat-event/definition.json +++ b/objects/paloalto-threat-event/definition.json @@ -87,5 +87,5 @@ "meta-category": "network", "name": "paloalto-threat-event", "uuid": "e6fa7a87-1173-43d6-86c2-b4d02af5fc74", - "version": 5 + "version": 6 } \ No newline at end of file diff --git a/objects/passive-ssh/definition.json b/objects/passive-ssh/definition.json index b4f90fd..1d00539 100644 --- a/objects/passive-ssh/definition.json +++ b/objects/passive-ssh/definition.json @@ -1,5 +1,15 @@ { "attributes": { + "banner": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "SSH banner", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, "base64": { "description": "Base64 representation of the ssh-key", "disable_correlation": true, @@ -20,6 +30,11 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "hassh": { + "description": "Hassh fingerprint", + "misp-attribute": "hassh-md5", + "ui-priority": 1 + }, "host": { "categories": [ "Network activity", 
@@ -35,6 +50,11 @@ "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 + }, + "port": { + "description": "Port of the connection", + "misp-attribute": "port", + "ui-priority": 1 } }, "description": "Passive-ssh object as described on passive-ssh services from circl.lu - https://github.com/D4-project/passive-ssh", @@ -43,8 +63,9 @@ "requiredOneOf": [ "host", "base64", - "fingerprint" + "fingerprint", + "hassh" ], "uuid": "ec350cdf-2311-4df5-972a-a4342a2c0065", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/person/definition.json b/objects/person/definition.json index 1f71dea..59acb70 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -70,11 +70,44 @@ "Unknown" ] }, + "handle": { + "description": "Handle used by the user in application.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 11 + }, "identity-card-number": { "description": "The identity card number of a natural person.", "misp-attribute": "identity-card-number", "ui-priority": 0 }, + "instant-messaging-used": { + "description": "The IM application used by this person.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "WhatsApp", + "Google Hangouts", + "Facebook Messenger", + "Telegram", + "Signal", + "WeChat", + "BlackBerry Messenger", + "TeamSpeak", + "TorChat", + "Tox", + "RetroShare", + "Slack", + "Wire", + "Threema", + "Discord", + "Mumble", + "Jabber", + "Twitter" + ], + "ui-priority": 10 + }, "last-name": { "description": "Last name of a natural person.", "misp-attribute": "last-name", @@ -212,8 +245,9 @@ "first-name", "last-name", "full-name", - "alias" + "alias", + "handle" ], "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", - "version": 14 + "version": 18 } \ No newline at end of file diff --git a/objects/personification/definition.json b/objects/personification/definition.json new file mode 100644 index 0000000..2eea901 --- /dev/null 
+++ b/objects/personification/definition.json 
@@ -0,0 +1,236 @@ +{ + "attributes": { + "age-range": { + "description": "Age range that the person appears to be", + "misp-attribute": "float", + "ui-priority": 0 + }, + "beard": { + "description": "Description of the characteristics of someones beard.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Beardless", + "Stubble Short", + "Stuble Medium", + "Stuble Long", + "Full Beard", + "French Fork", + "Ducktail", + "Goatee", + "Imperial", + "Van Dyke", + "Anchor", + "Balbo", + "Mutton Chops", + "Verdi", + "Garibaldi", + "Dutch", + "Winter Beard", + "Mustache", + "Unknown" + ] + }, + "birthmark": { + "description": "Position(s) of birthmarks.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Head", + "Arms", + "Back", + "Torso", + "Legs", + "Foot", + "Backside", + "Unknown" + ] + }, + "body-type": { + "description": "Body type of a person.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0, + "values_list": [ + "Slim", + "Tone", + "Muscular", + "Stocky", + "Large", + "Unknown" + ] + }, + "color-of-eyes": { + "description": "Description of a person’s colour of eyes.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Amber", + "Blue", + "Brown", + "Gray", + "Green", + "Hazel", + "Red", + "Unknown" + ] + }, + "hair-characteristics": { + "description": "Description of the characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Straight", + "Wavy", + "Curly", + "Coily", + "Unknown" + ] + }, + "hair-color": { + "description": "Description of a person’s colour of hair.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Black", + "Brown", + "Auburn", + "Red", + "Blond", + "Gray", + "White", + "Blue", + "Pink", + "Green", + "Violet", + "Unknown" + ] + }, + "haircut": { + "description": "Description of the 
characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Crew Cut", + "Shaved", + "Bald", + "Long", + "Spiky", + "Dreadlocks", + "Cornrow", + "Bob", + "Layered", + "Flat-top", + "Chignon", + "Bun", + "French Twist", + "Medium", + "Braid", + "Pigtails", + "Ponytail", + "Unknown" + ] + }, + "height": { + "description": "Height of a person in cm.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + }, + "other-facial-features": { + "description": "Description of other facial features such as nose, cheeks, lips etc...", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "portrait": { + "description": "Portrait of the person.", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 10 + }, + "shape-of-eyes": { + "description": "Description of a person’s eye shape.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Monolids", + "Hooded", + "Upturned", + "Downturned", + "Round", + "Almond", + "Unknown" + ] + }, + "shoe-size": { + "description": "Shoe size of a person.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "US", + "UK", + "EU", + "Asia", + "CM", + "Inches" + ] + }, + "skin-charateristics": { + "description": "Traits or features of a person's skin", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Normal", + "Irritated", + "Dry", + "Oily", + "Scaly", + "Red spots", + "Skin moles" + ] + }, + "skin-complexion": { + "description": "Skin tone and complexion of a person. Type I: Extremely fair skin, always burns, never tans. Type II: Fair skin, always burns, sometimes tans.Dry: Medium skin, sometimes burns, always tans.Type IV: Olive skin, rarely burns, always tans. Type V: Moderately pigmented brown skin, never burns, always tans. Type VI: Markedly pigmented black skin, never burns, always tans. 
", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Type I", + "Type II", + "Type III", + "Type IV", + "Type V", + "Type VI", + "Unknown" + ] + }, + "weight": { + "description": "Weight of a person in Kg.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + } + }, + "description": "An object which describes a person or an identity", + "meta-category": "misc", + "name": "personification", + "requiredOneOf": [ + "beard", + "portrait", + "body-type", + "hair-color", + "age-range" + ], + "uuid": "102a8696-420b-486d-806d-70a34d2f4e54", + "version": 2 +} \ No newline at end of file diff --git a/objects/query/definition.json b/objects/query/definition.json new file mode 100644 index 0000000..a1c9c6a --- /dev/null +++ b/objects/query/definition.json 
@@ -0,0 +1,53 @@ +{ + "attributes": { + "author": { + "description": "Author of the query", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "comment": { + "description": "A description of the query rule.", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "format": { + "description": "Format of the query.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "event query language (eql)", + "keyword query language (kql)", + "Kusto Query Language", + "Query DSL", + "Query (Elastic Search)", + "Search Processing Language - SPL (Splunk)", + "Sigma", + "Lucene query", + "Google search query", + "Ariel Query Language (qradar)", + "Grep", + "Devo LINQ" + ], + "ui-priority": 0 + }, + "query": { + "description": "Query rule in the format specified in the format field.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "query-rule-name": { + "description": "Query rule name.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "An object describing a query, along with its format.", + "meta-category": "misc", + "name": "query", + "requiredOneOf": [ + "query" + ], + "uuid": "006539b3-f68a-4a02-a213-e600762d39b5", + "version": 3 +} \ No newline at end of file diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json new file mode 100644 index 0000000..2d89d3d --- /dev/null +++ b/objects/ransom-negotiation/definition.json 
@@ -0,0 +1,153 @@ +{ + "attributes": { + "Remarks": { + "description": "Remarks", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 860 + }, + "annual_revenue_EUR": { + "description": "Annual revenue of the targeted organisation in EUR", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 920 + }, + "chatsite": { + "description": "Chatsite where the negotiations take place", + "disable_correlation": true, + "misp-attribute": "url", + "to_ids": false, + "ui-priority": 835 + }, + "chatsite_id_private": { + "description": "Second, private, chat ID given by actor", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 833 + }, + "chatsite_id_public": { + "description": "Initial chat ID given by actor", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 834 + }, + "currency": { + "description": "The currency of the initial demand. Often USD or BTC.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 960 + }, + "data_leaked": { + "description": "Was data leaked in this incident?", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 890 + }, + "data_stolen": { + "description": "Was data exfiltrated in this incident?", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 900 + }, + "discount": { + "description": "Discount after negotiations", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 970 + }, + "email_address": { + "description": "Contact address, if any", + "disable_correlation": false, + "misp-attribute": "text", + "ui-priority": 870 + }, + "final_ransom": { + "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 980 + }, + "initial_ransom": { + 
"description": "Initial ransom demand in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 900 + }, + "negotiations_screenshot": { + "description": "Screenshot of the negotiations", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 840 + }, + "negotiations_transcript": { + "description": "Transcript of the negotiations", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 850 + }, + "pay_for_deletion": { + "description": "Does the target need/want to pay for data deletion", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 906 + }, + "pay_for_encryptor": { + "description": "Does the target need/want to pay for the decryptor", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 908 + }, + "percentage_of_revenue": { + "description": "Percentage of the annual revenue that the ransom demand amounts to", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 910 + }, + "time": { + "description": "Date and time of transaction", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 940 + }, + "url_leaksite": { + "description": "URL of the leaksite", + "disable_correlation": false, + "misp-attribute": "url", + "ui-priority": 880 + }, + "value_EUR": { + "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 950 + }, + "wallet-address": { + "description": "A cryptocoin wallet address", + "disable_correlation": false, + "misp-attribute": "btc", + "ui-priority": 930 + } + }, + "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", + "meta-category": 
"financial", + "name": "ransom-negotiation", + "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06", + "version": 2 +} \ No newline at end of file diff --git a/objects/report/definition.json b/objects/report/definition.json index 0c8aba6..466fd92 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -36,14 +36,46 @@ "disable_correlation": true, "misp-attribute": "text", "sane_default": [ - "Report", "Alert", + "Artwork", + "Attachment", + "Audio", + "Bill", + "Blog", + "Book", + "Case", + "Conference", + "Dictionary", + "Document", + "Email", + "Encyclopedia", + "Film", + "Forum", + "Hearing", "Incident", + "Instant", + "Interview", + "Journal", + "Letter", + "Magazine", + "Manuscript", + "Map", + "Newspaper", + "Note", + "Online", "Operation", - "Press Article", - "Press Release", - "Online Article", - "Blog post" + "Patent", + "Podcast", + "Presentation", + "Press", + "Radio", + "Report", + "Software", + "Statute", + "Thesis", + "TV", + "Video", + "Webpage" ], "ui-priority": 100 } @@ -56,5 +88,5 @@ "link" ], "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", - "version": 5 + "version": 7 } \ No newline at end of file diff --git a/objects/scheduled-task/definition.json b/objects/scheduled-task/definition.json new file mode 100644 index 0000000..07ead8f --- /dev/null +++ b/objects/scheduled-task/definition.json 
@@ -0,0 +1,112 @@ +{ + "attributes": { + "Start-time": { + "description": "Time when the task is triggered", + "disable_correlation": true, + "misp-attribute": "datetime", + "multiple": true, + "ui-priority": 1 + }, + "author": { + "categories": [ + "Other" + ], + "description": "Who created the task", + "misp-attribute": "text", + "ui-priority": 1 + }, + "description": { + "categories": [ + "Other" + ], + "description": "Description of the task ", + "misp-attribute": "text", + "ui-priority": 1 + }, + "highest-privileges": { + "description": "Should the task run with the highest privileges", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "location": { + "categories": [ + "Other" + ], + "description": "Location (Path including filename) of the scheduled task on the computer", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "name": { + "categories": [ + "Other" + ], + "description": "Name of the scheduled task", + "misp-attribute": "text", + "ui-priority": 1 + }, + "password-stored": { + "description": "Should the password be stored (Only if log on is not mandatory)", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "repeat": { + "categories": [ + "Other" + ], + "description": "condition to repeat the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "run-when-user-logged-on-only": { + "description": "Should the task run if the user is logged on only", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "running-account": { + "categories": [ + "Other" + ], + "description": "User account used when running the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "trigger": { + "categories": [ + "Other" + ], + "description": "when should the task being triggered", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": 
true, + "sane_default": [ + "On a schedule", + "At log on", + "At startup", + "On idle", + "On an event", + "At task creation/modification", + "On connection to user session", + "On disconnect from user session", + "On workstation lock", + "On workstation unlock" + ], + "ui-priority": 0 + } + }, + "description": "Windows scheduled task description", + "meta-category": "misc", + "name": "scheduled-task", + "requiredOneOf": [ + "name", + "description", + "location" + ], + "uuid": "076f9362-23f7-4326-b370-a98e47531a44", + "version": 1 +} \ No newline at end of file diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json index c62b171..7752ef5 100644 --- a/objects/security-playbook/definition.json +++ b/objects/security-playbook/definition.json 
@@ -1,145 +1,127 @@ { "attributes": { - "created": { - "categories": [ - "Other" - ], - "description": "The time at which the playbook was originally created.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "creator": { - "categories": [ - "Other" - ], - "description": "The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, "description": { - "categories": [ - "Other" - ], - "description": "More details, context, and possibly an explanation about what this playbook does and tries to accomplish.", + "description": "An explanation, details, and more context about what this playbook does and tries to accomplish.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, - "id": { - "categories": [ - "Other" - ], - "description": "A value that uniquely identifies the playbook.", - "disable_correlation": false, - "misp-attribute": "text", - "ui-priority": 1 - }, - "impact": { - "categories": [ - "Other" - ], - "description": "An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. 
For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 1 - }, - "label": { - "categories": [ - "Other" - ], - "description": "An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to).", + "labels": { + "description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 1 }, - "modified": { - "categories": [ - "Other" - ], - "description": "The time that this particular version of the playbook was last modified.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, "organization-type": { - "categories": [ - "Other" - ], - "description": "Type of an organization, that the playbook is intended for. This can be an industry sector.", + "description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 1 - }, - "playbook": { - "categories": [ - "Payload delivery" - ], - "description": "The whole playbook in its native format (e.g., CACAO JSON). 
Producers and consumers of playbooks use this property to share and retrieve playbooks.", - "misp-attribute": "attachment", + "multiple": true, "ui-priority": 1 }, "playbook-abstraction": { - "categories": [ - "Other" - ], - "description": "Identifies the level of completeness of the playbook.", + "description": "The playbook’s level of abstraction (with regards to consumption).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1, "values_list": [ - "guideline", - "playbook template", - "playbook", - "partial workflow", - "full workflow", - "fully scripted" + "template", + "executable" ] }, + "playbook-base64": { + "description": "The entire playbook file/document encoded in base64.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-creation-time": { + "description": "The date and time at which the playbook was originally created.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "playbook-creator": { + "description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-file": { + "description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).", + "misp-attribute": "attachment", + "ui-priority": 1 + }, + "playbook-id": { + "description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.", + "disable_correlation": false, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-impact": { + "description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. 
For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-modification-time": { + "description": "The date and time at which the playbook was last modified.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "playbook-priority": { + "description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-severity": { + "description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "playbook-standard": { - "categories": [ - "Other" - ], - "description": "Identification of the playbook standard.", + "description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, "playbook-type": { - "categories": [ - "Other" - ], - "description": "The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation).", + "description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. 
Another option is to use MISP tags, taxonomies, and galaxies.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, "ui-priority": 1, "values_list": [ - "notification playbook", - "detection playbook", - "investigation playbook", - "prevention playbook", - "mitigation playbook", - "remediation playbook", - "attack playbook" + "notification", + "detection", + "investigation", + "prevention", + "mitigation", + "remediation", + "analysis", + "containment", + "eradication", + "recovery", + "attack" ] }, - "priority": { - "categories": [ - "Other" - ], - "description": "An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.", + "playbook-valid-from": { + "description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.", "disable_correlation": true, - "misp-attribute": "counter", + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "playbook-valid-until": { + "description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.", + "disable_correlation": true, + "misp-attribute": "datetime", "ui-priority": 1 }, "revoked": { - "categories": [ - "Other" - ], - "description": "A boolean that identifies if the playbook creator deems that this playbook is no longer valid.", + "description": "A boolean that identifies if the playbook is no longer valid (revoked).", "disable_correlation": true, "misp-attribute": "boolean", "sane_default": [ 
@@ -147,43 +129,15 @@ "False" ], "ui-priority": 1 - }, - "severity": { - "categories": [ - "Other" - ], - "description": "A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 1 - }, - "valid-from": { - "categories": [ - "Other" - ], - "description": "The time from which the playbook is considered valid and the steps that it contains can be executed.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "valid-until": { - "categories": [ - "Other" - ], - "description": "The time at which this playbook should no longer be considered a valid playbook to be executed.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 } }, - "description": "An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.", + "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", "meta-category": "misc", "name": "security-playbook", - "required": [ - "playbook", - "playbook-standard", - "playbook-type" + "requiredOneOf": [ + "playbook-file", + "playbook-base64" ], "uuid": "48894c92-447b-4abe-b093-360c4d823e9d", - "version": 2 + "version": 3 } \ No newline at end of file diff --git a/objects/sigma/definition.json b/objects/sigma/definition.json new file mode 100644 index 0000000..d106942 --- /dev/null +++ b/objects/sigma/definition.json 
@@ -0,0 +1,47 @@ +{ + "attributes": { + "comment": { + "description": "A description of the Sigma rule.", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "context": { + "description": "Context where the Sigma rule can be applied", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "all", + "disk", + "memory", + "network", + "dns" + ], + "ui-priority": 0 + }, + "reference": { + "description": "Reference/origin of the Sigma rule.", + "misp-attribute": "link", + "ui-priority": 0 + }, + "sigma": { + "description": "Sigma rule.", + "misp-attribute": "sigma", + "ui-priority": 0 + }, + "sigma-rule-name": { + "description": "Sigma rule name.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "An object describing a Sigma rule (or a Sigma rule name).", + "meta-category": "misc", + "name": "sigma", + "requiredOneOf": [ + "sigma", + "sigma-rule-name" + ], + "uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec", + "version": 1 +} \ No newline at end of file diff --git a/objects/software/definition.json b/objects/software/definition.json new file mode 100644 index 0000000..2d2275e --- /dev/null +++ b/objects/software/definition.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "cpe": { + "description": "Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary [NVD] . While the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present.", + "misp-attribute": "cpe", + "multiple": true, + "ui-priority": 9 + }, + "language": { + "description": "Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to [RFC5646].", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "name": { + "description": "Specifies the name of the software.", + "misp-attribute": "text", + "ui-priority": 10 + }, + "swid": { + "description": "Specifies the Software Identification (SWID) Tags [SWID] entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 9 + }, + "vendor": { + "description": "Specifies the name of the vendor of the software.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4 + }, + "version": { + "description": "Specifies the version of the software.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4 + } + }, + "description": "The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14", + "meta-category": "misc", + "name": "software", + "requiredOneOf": [ + "name" + ], + "uuid": "b1b5dc0e-73fe-443c-8d9d-0e208de3951e", + "version": 1 +} \ No newline at end of file 
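Review bot: the `name` attribute in objects/software/definition.json correlates while `vendor` and `version` carry `"disable_correlation": true`; a bare product name is shared by thousands of events and will correlate everything that mentions it, so either add `"disable_correlation": true` to `name` as well or leave correlation to `cpe` and `swid`, which are specific enough to be useful. Minor: the `cpe` description has a stray space before the period in `[NVD] .`, and the `swid` description says `tagId` "SHOULD be used as a proxy identifier" but the attribute is free `text`, so state that the value is expected to be the tagId.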
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json new file mode 100644 index 0000000..9bb6a33 --- /dev/null +++ b/objects/spearphishing-attachment/definition.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "artifact-dropped-md5": { + "description": "The MD5 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "md5", + "multiple": true, + "ui-priority": 1 + }, + "artifact-dropped-name": { + "description": "Name of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "filename", + "multiple": true, + "ui-priority": 0 + }, + "artifact-dropped-sha1": { + "description": "The SHA1 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "sha1", + "multiple": true, + "ui-priority": 1 + }, + "artifact-dropped-sha256": { + "description": "The SHA256 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "sha256", + "multiple": true, + "ui-priority": 1 + }, + "attachment-md5": { + "description": "The MD5 of the file that was attached to the e-mail itself.", + "misp-attribute": "md5", + "multiple": true, + "ui-priority": 1 + }, + "attachment-name": { + "description": "The name of the file that was attached to the e-mail itself.", + "misp-attribute": "filename", + "ui-priority": 0 + }, + "attachment-sha1": { + "description": "The SHA1 of the file that was attached to the e-mail itself.", + "misp-attribute": "sha1", + "multiple": true, + "ui-priority": 1 + }, + "attachment-sha256": { + "description": "The SHA256 of the file that was attached to the e-mail itself.", + "misp-attribute": "sha256", + "multiple": true, + "ui-priority": 1 + }, + "c2-domain": { + "description": "Command and control domain detected during analysis.", + "misp-attribute": "domain", + "multiple": true, + "ui-priority": 1 + }, + "c2-ip": { + "description": "Command and control IP address detected during analysis.", + "misp-attribute": "ip-dst", + "multiple": true, + "ui-priority": 1 + }, + "c2-url": { + "description": "Command and control URL detected during 
analysis.", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 1 + }, + "date": { + "description": "Date and time the e-mail was sent.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "email-sender": { + "description": "The source address from which the e-mail was sent.", + "misp-attribute": "email-src", + "multiple": true, + "ui-priority": 1 + }, + "malicious-url": { + "description": "Malicious URL that downloaded additional malware.", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 1 + }, + "research-links": { + "description": "A link to an external analysis (VirusTotal, urlscan, etc.).", + "misp-attribute": "link", + "multiple": true, + "ui-priority": 0 + }, + "sender-ip": { + "description": "The source IP from which the e-mail was sent.", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 1 + }, + "subject": { + "description": "The subject line of the e-mail.", + "misp-attribute": "email-subject", + "multiple": true, + "ui-priority": 1 + }, + "supporting-evidence": { + "description": "Description of the spearphish e-mail.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Spearphishing Attachment", + "meta-category": "network", + "name": "spearphishing-attachment", + "required": [ + "email-sender", + "subject" + ], + "requiredOneOf": [ + "attachment-md5", + "attachment-sha1", + "attachment-sha256" + ], + "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a", + "version": 20220825 +} \ No newline at end of file diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json new file mode 100644 index 0000000..7e81d4b --- /dev/null +++ b/objects/spearphishing-link/definition.json 
@@ -0,0 +1,61 @@ +{ + "attributes": { + "date": { + "description": "Date and time e-mail was sent.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "email-sender": { + "description": "The source address from which the e-mail was sent.", + "misp-attribute": "email-src", + "multiple": true, + "ui-priority": 1 + }, + "embedded-link": { + "description": "The malicious URL in the e-mail body.", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 1 + }, + "redirect-url": { + "description": "The redirect URL, if any, from the malicious embedded link.", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 0 + }, + "research-links": { + "description": "A link to an external analysis (VirusTotal, urlscan, etc.).", + "misp-attribute": "link", + "multiple": true, + "ui-priority": 0 + }, + "sender-ip": { + "description": "The source IP from which the e-mail was sent.", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 1 + }, + "subject": { + "description": "The subject line of the e-mail.", + "misp-attribute": "email-subject", + "multiple": true, + "ui-priority": 1 + }, + "supporting-evidence": { + "description": "Description of the spearphish e-mail.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Spearphishing Link", + "meta-category": "network", + "name": "spearphishing-link", + "required": [ + "email-sender", + "subject", + "embedded-link" + ], + "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2", + "version": 20220825 +} \ No newline at end of file diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index fc9be03..0cf62da 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json 
@@ -46,6 +46,53 @@ "description": "MAP application context in OID format.", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "4.0.0.1.0.1. - networkLocUp", + "4.0.0.1.0.2. - locationCancel", + "4.0.0.1.0.3. - roamingNbEnquiry", + "4.0.0.1.0.22. - subscriberDataModificationNotification", + "4.0.0.1.0.6. - callControlTransfer", + "4.0.0.1.0.16. - subscriberDataMngt", + "4.0.0.1.0.46. - vcsgLocationUpdate", + "4.0.0.1.0.15. - interVlrInfoRetrieval", + "4.0.0.1.0.18. - networkFunctionalSs", + "4.0.0.1.0.39. - authenticationFailureReport", + "4.0.0.1.0.44. - resourceMngt", + "4.0.0.1.0.41. - shortMsgMT_VGCS_Relay", + "4.0.0.1.0.5. - locInfoRetrieval", + "4.0.0.1.0.32. - gprsLocationUpdate", + "4.0.0.1.0.33. - gprsLocationInfoRetrieval", + "4.0.0.1.0.34. - failureReport", + "4.0.0.1.0.35. - gprsNotify", + "4.0.0.1.0.11. - handoverControl", + "4.0.0.1.0.12. - sIWFSAllocation", + "4.0.0.1.0.47. - vcsgLocationCancel", + "4.0.0.1.0.10. - reset", + "4.0.0.1.0.31. - groupCallControl", + "4.0.0.1.0.13. - equipmentMngt", + "4.0.0.1.0.25. - shortMsgMT_Relay", + "4.0.0.1.0.20. - shortMsgGateway", + "4.0.0.1.0.21. - shortMsgMO_Relay", + "4.0.0.1.0.24. - mwdMngt", + "4.0.0.1.0.23. - shortMsgAlert", + "4.0.0.1.0.17. - tracing", + "4.0.0.1.0.14. - infoRetrieval", + "4.0.0.1.0.26. - imsiRetrieval", + "4.0.0.1.0.19. - networkUnstructuredSs", + "4.0.0.1.0.43. - anyTimeInfoHandling", + "4.0.0.1.0.4. - istAlerting", + "4.0.0.1.0.27. - msPurging", + "4.0.0.1.0.28. - subscriberInfoEnquiry", + "4.0.0.1.0.29. - anyTimeEnquiry", + "4.0.0.1.0.36. - ss_InvocationNotification", + "4.0.0.1.0.7. - reporting", + "4.0.0.1.0.8. - callCompletion", + "4.0.0.1.0.38. - locationSvcEnquiry", + "4.0.0.1.0.45. - groupCallInfoRetrieval", + "4.0.0.1.0.37. - locationSvcGateway", + "4.0.0.1.0.9. - ServiceTermination", + "4.0.0.1.0.42. - mm_EventReporting" + ], "ui-priority": 0 }, "MapGmlc": { 
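Review bot: the new `sane_default` values for the MAP application context are composite strings ("4.0.0.1.0.1. - networkLocUp") while the description above them still says "MAP application context in OID format", so a value picked from the list no longer matches what the description promises; either store the plain OID and put the name in the comment, or change the description to state the "oid - name" layout. The trailing dot after every OID looks like a truncated arc (a version suffix is missing) and should be checked against what the logging source actually emits, and the list would be easier to maintain sorted by arc number rather than the current order (1, 2, 3, 22, 6, 16, 46, ...).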
@@ -79,6 +126,90 @@ "description": "MAP operation codes - Decimal value between 0-99.", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "updateLocation - 2", + "cancelLocation - 3", + "provideRoamingNumber - 4", + "noteSubscriberDataModified - 5", + "resumeCallHandling - 6", + "insertSubscriberData - 7", + "deleteSubscriberData - 8", + "sendParameters - 9", + "registerSS - 10", + "eraseSS - 11", + "activateSS - 12", + "deactivateSS - 13", + "interrogateSS - 14", + "authenticationFailureReport - 15", + "registerPassword - 17", + "getPassword - 18", + "processUnstructuredSS_Data - 19", + "releaseResources - 20", + "mt_ForwardSM_VGCS - 21", + "sendRoutingInfo - 22", + "updateGprsLocation - 23", + "sendRoutingInfoForGprs - 24", + "failureReport - 25", + "noteMsPresentForGprs - 26", + "performHandover - 28", + "sendEndSignal - 29", + "performSubsequentHandover - 30", + "provideSIWFSNumber - 31", + "siwfs_SignallingModify - 32", + "processAccessSignalling - 33", + "forwardAccessSignalling - 34", + "noteInternalHandover - 35", + "cancelVcsgLocation - 36", + "reset_ - 37", + "forwardCheckSsIndication - 38", + "prepareGroupCall - 39", + "sendGroupCallEndSignal - 40", + "processGroupCallSignalling - 41", + "forwardGroupCallSignalling - 42", + "checkIMEI - 43", + "mt_forwardSM - 44", + "sendRoutingInfoForSM - 45", + "mo_forwardSM - 46", + "forwardSM - 46", + "reportSmDeliveryStatus - 47", + "noteSubscriberPresent - 48", + "alertServiceCentreWithoutResult - 49", + "activateTraceMode - 50", + "deactivateTraceMode - 51", + "traceSubscriberActivity - 52", + "updateVcsgLocation - 53", + "beginSubscriberActivity - 54", + "sendIdentification - 55", + "sendAuthenticationInfo - 56", + "restoreData - 57", + "sendIMSI - 58", + "processUnstructuredSS_Request - 59", + "unstructuredSS_Request - 60", + "unstructuredSS_Notify - 61", + "anyTimeSubscriptionInterrogation - 62", + "informServiceCentre - 63", + "alertServiceCentre - 64", + "anyTimeModification - 65", 
+ "readyForSM - 66", + "purgeMS - 67", + "prepareHandover - 68", + "prepareSubsequentHandover - 69", + "provideSubscriberInfo - 70", + "anyTimeInterrogation - 71", + "ss_Invocation_Notification - 72", + "setReportingState - 73", + "statusReport - 74", + "remoteUserFree - 75", + "registerCC_Entry - 76", + "eraseCC_Entry - 77", + "provideSubscriberLocation - 83", + "sendGroupCallInfo - 84", + "sendRoutingInfoForLCS - 85", + "subscriberLocationReport - 86", + "istAlert - 87", + "istCommand - 88", + "NoteMM_Event - 89" + ], "ui-priority": 0 }, "MapSmsTP-DCS": { @@ -145,6 +276,27 @@ "SccpCdGT": { "description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.", "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "SccpCdGT-Country": { + "description": "Country in which SCCP CDGT is registered.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCdGT-CountryISO2": { + "description": "Code ISO 3166-1 alpha-2 from which the SCCP CDGT is allocated.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCdGT-OperatorName": { + "description": "Operator Name under which the SCCP CDGT is registered.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCdGT-TADIG": { + "description": "TADIG under which the SCCP CDGT is registered.", + "misp-attribute": "text", "ui-priority": 0 }, "SccpCdPC": { 
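Review bot: in the MAP opcode `sane_default` list the value layout is "name - code" whereas the application-context list earlier in the same file uses "oid - name", and the description still reads "MAP operation codes - Decimal value between 0-99" although the listed values are no longer bare decimals; pick one layout for both lists and update the description. Two entries share code 46 ("mo_forwardSM - 46" and "forwardSM - 46"); if `forwardSM` is the legacy MAP v1/v2 name of the same operation, say so or drop one of them, otherwise an analyst selecting either produces two different strings for one opcode. Also "reset_ - 37" carries a trailing underscore and "NoteMM_Event - 89" is the only capitalised entry.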
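Review bot: `SccpCdGT` becomes `"multiple": true` in the @@ -145 hunk while the four new `SccpCdGT-*` attributes (Country, CountryISO2, OperatorName, TADIG) are single-valued, so when an object carries several called-party GTs there is no way to say which GT the country, operator and TADIG describe; either keep `SccpCdGT` single, make the derived attributes `multiple` as well, or document that they refer to the first GT. The `SccpCdGT-CountryISO2` description ("Code ISO 3166-1 alpha-2 from which the SCCP CDGT is allocated") reads awkwardly; "ISO 3166-1 alpha-2 code of the country the SCCP CdGT is allocated in" is clearer, and the TADIG attribute should expand the acronym (the GSMA TADIG operator code) for analysts who do not work with roaming data.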
@@ -164,6 +316,26 @@ "multiple": true, "ui-priority": 0 }, + "SccpCgGT-Country": { + "description": "Country in which SCCP CGGT is registered.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCgGT-CountryISO2": { + "description": "Allocated Code ISO 3166-1 alpha-2 for the SCCP CGGT.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCgGT-OperatorName": { + "description": "Operator Name under which the SCCP CGGT is registered.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "SccpCgGT-TADIG": { + "description": "TADIG under which the SCCP CGGT is registered.", + "misp-attribute": "text", + "ui-priority": 0 + }, "SccpCgPC": { "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.", "misp-attribute": "text", @@ -190,12 +362,12 @@ "ui-priority": 0 } }, - "description": "SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.", + "description": "SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks.", "meta-category": "network", "name": "ss7-attack", "requiredOneOf": [ "text" ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", - "version": 3 + "version": 5 } \ No newline at end of file diff --git a/objects/stock/definition.json b/objects/stock/definition.json new file mode 100644 index 0000000..3105813 --- /dev/null +++ b/objects/stock/definition.json 
@@ -0,0 +1,325 @@ +{ + "attributes": { + "bloomberg-exchange-code": { + "description": "Bloomberg Exchange Code", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "AB", + "AF", + "AO", + "AT", + "AV", + "BB", + "BC", + "BD", + "BI", + "BQ", + "BS", + "CC", + "CF", + "CG", + "CK", + "CS", + "CT", + "CV", + "CX", + "CY", + "DB", + "DC", + "DH", + "DU", + "EB", + "EC", + "FH", + "FP", + "GA", + "GB", + "GD", + "GF", + "GH", + "GI", + "GM", + "GS", + "GY", + "HB", + "HK", + "IB", + "ID", + "IJ", + "IM", + "IS", + "IT", + "IX", + "JR", + "JT", + "KK", + "KN", + "KP", + "KQ", + "LI", + "LN", + "LX", + "MC", + "MK", + "MM", + "MT", + "NA", + "NG", + "NL", + "NO", + "NS", + "NZ", + "OM", + "PE", + "PK", + "PL", + "PM", + "PO", + "PW", + "QD", + "QF", + "QT", + "RE", + "RF", + "RX", + "SE", + "SJ", + "SL", + "SM", + "SP", + "SS", + "SV", + "SY", + "TB", + "TG", + "TI", + "TQ", + "TT", + "UA", + "UF", + "UN", + "UP", + "UQ", + "UR", + "UV", + "UW", + "VH", + "VM", + "VX", + "XB", + "ZA" + ], + "ui-priority": 10 + }, + "country": { + "description": "Country", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "currency": { + "description": "Currency", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "exchange": { + "description": "Exchange where the stock is traded (Google code)", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "AMS", + "ASX", + "ATH", + "BAK", + "BATS", + "BDP", + "BIT", + "BME", + "BMV", + "BOM", + "BVMF", + "CAI", + "CPH", + "DFM", + "EBR", + "ELI", + "EPA", + "ETR", + "FRA", + "HEL", + "HKG", + "IRE", + "IST", + "JAK", + "JNB", + "KAR", + "KOSDAQ", + "KRX", + "KUL", + "LON", + "MCX", + "NASDAQ", + "NSE", + "NYSE", + "NYSEAMERICAN", + "NYSEARCA", + "NZE", + "OTCMKTS", + "PRG", + "PSE", + "SGX", + "SHA", + "SHE", + "STO", + "SWX", + "TLV", + "TPE", + "TSE", + "TYO", + "VIE", + "VTX", + "WSE" + ], + 
"ui-priority": 0 + }, + "high-price": { + "description": "Highest price seen", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "iso-mic": { + "description": "ISO MIC", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "ARCX", + "BATE", + "BATS", + "BOAT", + "BVMF", + "CHIX", + "DIFX", + "DSMD", + "HSTC", + "MISX", + "MTAA", + "NEOE", + "NOTC", + "OOTC", + "ROCO", + "TOMX", + "TRQX", + "XADS", + "XAMM", + "XAMS", + "XASE", + "XASX", + "XATH", + "XBAH", + "XBER", + "XBKK", + "XBOG", + "XBOM", + "XBRU", + "XBRV", + "XBSE", + "XBUD", + "XBUE", + "XCAI", + "XCAS", + "XCNQ", + "XCOL", + "XCSE", + "XCYS", + "XDFM", + "XDHA", + "XDSE", + "XDUB", + "XDUS", + "XEQT", + "XETR", + "XFRA", + "XHAM", + "XHAN", + "XHEL", + "XHKG", + "XICE", + "XIDX", + "XIST", + "XJSE", + "XKAR", + "XKLS", + "XKOS", + "XKRX", + "XKUW", + "XLIM", + "XLIS", + "XLJU", + "XLON", + "XLUX", + "XMAD", + "XMEX", + "XMUN", + "XMUS", + "XNAI", + "XNCM", + "XNEC", + "XNGM", + "XNGS", + "XNMS", + "XNSA", + "XNSE", + "XNYS", + "XNZE", + "XOSL", + "XPAR", + "XPHS", + "XPOS", + "XPRA", + "XQTX", + "XSAU", + "XSES", + "XSGO", + "XSHE", + "XSHG", + "XSTC", + "XSTO", + "XSTU", + "XSWX", + "XTAE", + "XTAI", + "XTKS", + "XTSE", + "XTSX", + "XVTX", + "XWAR", + "XWBO", + "XZAG" + ], + "ui-priority": 10 + }, + "low-price": { + "description": "Lowest price seen", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 10 + }, + "symbol": { + "description": "Symbol of the stock", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Object to describe stock market", + "meta-category": "misc", + "name": "stock", + "requiredOneOf": [ + "symbol" + ], + "uuid": "dd3e00b2-977e-4cf4-9d12-0b009a00a721", + "version": 1 +} \ No newline at end of file diff --git a/objects/tattoo/definition.json b/objects/tattoo/definition.json new file mode 100644 index 0000000..0e1cb16 --- /dev/null +++ b/objects/tattoo/definition.json 
@@ -0,0 +1,108 @@ +{ + "attributes": { + "tattoo-body-part": { + "description": "Describe the body part where the tattoo is located.", + "misp-attribute": "text", + "ui-priority": 4, + "values_list": [ + "head", + "forehead", + "face", + "ear", + "eye", + "mouth/lips", + "neck", + "shoulder", + "chest", + "elbow", + "arm", + "forearm", + "hand", + "finger", + "thigh", + "knee", + "calf", + "heel", + "foot", + "toe" + ] + }, + "tattoo-color": { + "description": "Colors of the tattoo", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "tattoo-description": { + "description": "Description of the tattoo,its composition.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "tattoo-picture": { + "description": "Picture of the tattoo", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "tattoo-size": { + "description": "Size of the tattoo", + "misp-attribute": "text", + "multiple": false, + "ui-priority": 0, + "values_list": [ + "tiny", + "small", + "medium", + "large" + ] + }, + "tattoo-style": { + "description": "Style of the tattoo", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "traditional", + "realism", + "watercolor", + "tribal", + "new school", + "japanese", + "blackwork", + "lettering", + "dotwork", + "abstract", + "celtic", + "geometric", + "mandala", + "minimalist", + "neo-traditional", + "portrait", + "sketch" + ] + } + }, + "description": "Describes tattoos on a natural person's body", + "meta-category": "misc", + "name": "tattoo", + "required": [ + "tattoo-body-part" + ], + "uuid": "747976fc-d637-4730-8b64-93f7f2814506", + "version": 1 +} \ No newline at end of file 
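Review bot: the `tattoo-description` description reads "Description of the tattoo,its composition." with a missing space after the comma. `"multiple": false` on `tattoo-size` is the default and can be dropped. The `tattoo-body-part` `values_list` has no entry for the back, abdomen/torso, wrist, ankle or buttocks, all common tattoo locations, and since `values_list` is a closed list (unlike `sane_default`) an analyst cannot enter a value outside it; either add those entries or switch the attribute to `sane_default`.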
diff --git a/objects/telegram-bot/definition.json b/objects/telegram-bot/definition.json new file mode 100644 index 0000000..8369061 --- /dev/null +++ b/objects/telegram-bot/definition.json @@ -0,0 +1,42 @@ +{ + "attributes": { + "chat-id": { + "description": "Telegram chat id", + "misp-attribute": "text", + "ui-priority": 1 + }, + "comment": { + "description": "Phone associated with the telegram user", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "name": { + "description": "Telegram bot name", + "misp-attribute": "text", + "ui-priority": 1 + }, + "token": { + "description": "Telegram Token", + "misp-attribute": "text", + "ui-priority": 1 + }, + "username": { + "description": "Telegram bot username, must end with \"bot\"", + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "description": "Information related to a telegram bot", + "meta-category": "misc", + "name": "telegram-bot", + "requiredOneOf": [ + "token", + "chat-id", + "name", + "username", + "comment" + ], + "uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46", + "version": 2 +} \ No newline at end of file diff --git a/objects/virustotal-submission/definition.json b/objects/virustotal-submission/definition.json new file mode 100644 index 0000000..9ec9566 --- /dev/null +++ b/objects/virustotal-submission/definition.json 
@@ -0,0 +1,77 @@ +{ + "attributes": { + "city": { + "categories": [ + "Other" + ], + "description": "The city a file was uploaded from.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 0 + }, + "country": { + "categories": [ + "Other" + ], + "description": "The country a file was uploaded from.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 1 + }, + "date": { + "categories": [ + "Other" + ], + "description": "The upload date.", + "disable_correlation": true, + "misp-attribute": "datetime", + "to_ids": false, + "ui-priority": 0 + }, + "filename": { + "categories": [ + "Payload delivery" + ], + "description": "The filename used to submit a file.", + "disable_correlation": false, + "misp-attribute": "filename", + "to_ids": false, + "ui-priority": 0 + }, + "interface": { + "categories": [ + "Other" + ], + "description": "The interface used to upload a file.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 0, + "values_list": [ + "web", + "api", + "email" + ] + }, + "submitter-id": { + "categories": [ + "Other" + ], + "description": "Submitter ID, given as source_key via the VT API.", + "disable_correlation": false, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 1 + } + }, + "description": "VirusTotal Submission", + "meta-category": "misc", + "name": "virustotal-submission", + "required": [ + "submitter-id" + ], + "uuid": "473d289b-f1d4-4f02-a4fe-3b69f534ed45", + "version": 1 +} \ No newline at end of file diff --git a/objects/yara/definition.json b/objects/yara/definition.json index be27fac..fff3231 100644 --- a/objects/yara/definition.json +++ b/objects/yara/definition.json 
@@ -17,6 +17,11 @@ ], "ui-priority": 0 }, + "reference": { + "description": "Reference or origin of the YARA rule.", + "misp-attribute": "link", + "ui-priority": 0 + }, "version": { "description": "Version of the YARA rule depending where the yara rule is known to work as expected.", "disable_correlation": true, @@ -45,5 +50,5 @@ "yara-rule-name" ], "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", - "version": 5 + "version": 6 } \ No newline at end of file diff --git a/relationships/definition.json b/relationships/definition.json index cea81cb..6634c8c 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -455,11 +455,42 @@ { "description": "This relationship describes an object which is used by another object.", "format": [ - "cert-eu" + "cert-eu", + "stix-2.1" ], "name": "used-by", "opposite": "uses" }, + { + "description": "This relationship describes an object which hosts another object.", + "format": [ + "stix-2.1" + ], + "name": "hosts", + "opposite": "hosted-by" + }, + { + "description": "This relatiobship describes an object hosted by another object.", + "format": [ + "stix-2.1" + ], + "name": "hosted-by", + "opposite": "hosts" + }, + { + "description": "This relationship describes an object which consists of one or more object(s).", + "format": [ + "stix-2.1" + ], + "name": "consists" + }, + { + "description": "This relationship describes an object which delivers to one or more object(s).", + "format": [ + "stix-2.1" + ], + "name": "delivers" + }, { "description": "This relationship describes an object which is affiliated with another object.", "format": [ 
@@ -1235,7 +1266,93 @@ "misp" ], "name": "drives" + }, + { + "description": "The referenced source object is a friend of the target object.", + "format": [ + "foaf" + ], + "name": "friend-of" + }, + { + "description": "The referenced source object is an acquaintance of the target object.", + "format": [ + "foaf" + ], + "name": "acquaintance-of" + }, + { + "description": "The referenced source object is a sibling of the target object.", + "format": [ + "foaf" + ], + "name": "sibling-of" + }, + { + "description": "The referenced source object is a grandchild of the target object.", + "format": [ + "foaf" + ], + "name": "grandchild-of" + }, + { + "description": "The referenced source object is a spouse of the target object.", + "format": [ + "foaf" + ], + "name": "spouse-of" + }, + { + "description": "The referenced source object is an ennemy of the target object.", + "format": [ + "foaf" + ], + "name": "ennemy-of" + }, + { + "description": "The referenced source object is an antagonist of the target object.", + "format": [ + "foaf" + ], + "name": "antagonist-of" + }, + { + "description": "The referenced source object is an ambivalent of the target object.", + "format": [ + "foaf" + ], + "name": "ambivalient-of" + }, + { + "description": "The referenced source object is a translation of the target object.", + "format": [ + "misp" + ], + "name": "is-a-translation-of" + }, + { + "description": "The referenced source object has met with the target object.", + "format": [ + "misp" + ], + "name": "has-met" + }, + { + "description": "The referenced source object submitted the referenced target object (to an online anti virus scanner).", + "format": [ + "misp" + ], + "name": "submitted", + "opposite": "submitted-by" + }, + { + "description": "The referenced source object was submitted (to an online anti virus scanner) by the referenced target object.", + "format": [ + "misp" + ], + "name": "submitted-by", + "opposite": "submitted" } ], - "version": 28 + "version": 34 } \ No 
newline at end of file diff --git a/tools/updated.sh b/tools/updated.sh index 27106fe..acc0c56 100644 --- a/tools/updated.sh +++ b/tools/updated.sh @@ -2,5 +2,5 @@ python3 adoc_objects.py >a.txt mv a.txt objects.txt asciidoctor-pdf -a allow-uri-read objects.txt asciidoctor -a allow-uri-read objects.txt -cp objects.html ../../misp-website/ -cp objects.pdf ../../misp-website/ +cp objects.html ../../misp-website-new/static +cp objects.pdf ../../misp-website-new/static
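Review bot: objects/security-playbook/definition.json: `priority` and `severity` are removed outright and `required` is replaced by `requiredOneOf: ["playbook-file", "playbook-base64"]`, but neither `playbook-file` nor `playbook-base64` is defined in any visible hunk, so please confirm they exist earlier in the file, otherwise the object can never validate. Removing attributes and renaming every entry of the `values_list` (e.g. "detection playbook" to "detection") in a bump from version 2 to 3 means existing objects carrying `priority`, `severity`, `valid-from`, `valid-until` or the old type strings no longer match the template; if that is intended, say so in the description or a changelog. Minor: the `playbook-valid-until` description says "the date and time from which the playbook should no longer be considered..."; the old wording "at which" was correct.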
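Review bot: objects/sigma/definition.json: `comment` lacks `"disable_correlation": true`, so free-text descriptions of rules will correlate across events on identical wording, which is noise; `context` already disables correlation and `comment` should do the same. If `sigma-rule-name` is meant to correlate (the same rule observed in several events), say so in its description.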
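Review bot: objects/spearphishing-attachment/definition.json: `date` ("Date and time the e-mail was sent") is typed `"misp-attribute": "text"` while `virustotal-submission` in this same patch uses `"datetime"` for its upload date; use `datetime` here too so the value can be filtered and sorted. `attachment-name` is single-valued while `attachment-md5`, `attachment-sha1` and `attachment-sha256` are `"multiple": true`; if several attachments are expected the name needs `multiple` as well, and if only one is expected the hashes should not be. `"version": 20220825` is a date, whereas every other object in this patch uses a small integer; keep the integer scheme, and replace the one-word description "Spearphishing Attachment" with a sentence saying what the object models (an e-mail carrying a malicious attachment, the artefacts it dropped and the C2 observed during analysis).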
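Review bot: objects/spearphishing-link/definition.json: same three points as the attachment object: `date` should be `datetime` rather than `text`, `"version": 20220825` breaks the integer versioning used elsewhere in this patch, and the description "Spearphishing Link" should describe the object. Both `embedded-link` and `redirect-url` are `"multiple": true` `url` attributes, so with several of each the pairing between a link and its redirect is lost; either state in the description that entries are listed in matching order or model each link/redirect pair as its own object.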
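Review bot: objects/ss7-attack/definition.json, hunks at @@ -164 and @@ -190: the single-vs-multiple mismatch already present for `SccpCdGT` applies to the new `SccpCgGT-*` attributes too (the context line above them shows `SccpCgGT` is `"multiple": true`), and the `SccpCgGT-CountryISO2` description is worded differently from its `SccpCdGT` twin ("Allocated Code ISO 3166-1 alpha-2 for..." vs "Code ISO 3166-1 alpha-2 from which..."); align the two. The unchanged context line `"SccpCgPC": { "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number."` is wrong, a point code is a signalling node address, not a phone number, and since the file is being touched anyway it is worth fixing in the same change. The version jumps from 3 to 5; if 4 was never released, bump to 4.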
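Review bot: objects/stock/definition.json: the `ui-priority` values look inverted: `symbol`, the only attribute in `requiredOneOf`, and `exchange` sit at 0 while `bloomberg-exchange-code`, `iso-mic` and `low-price` are at 10 and `high-price` at 0; the identifying fields should carry the highest priority and the two price fields the same one. `high-price` and `low-price` are free `text`; use the numeric `float` attribute type if it is available in the target MISP version, otherwise state the expected format in the description, and spell out that `iso-mic` is the ISO 10383 Market Identifier Code. The description "Object to describe stock market" should say it describes one listed stock (symbol plus exchange, price range and currency).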
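Review bot: objects/telegram-bot/definition.json: the `comment` attribute is described as "Phone associated with the telegram user", which is neither a comment nor a bot property and looks copied from another template; fix the description and remove `comment` from `requiredOneOf`, because as written an object containing only a free-text comment and no token, chat id, name or username satisfies the template. `token` is the bot's API credential, so the description should say so rather than just "Telegram Token", and `username` is stated to "end with \"bot\"" without that being enforced anywhere. The file is new but starts at `"version": 2`.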
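Review bot: objects/virustotal-submission/definition.json: the description "VirusTotal Submission" should say what the object records (who uploaded a sample to VirusTotal, from where and through which interface), especially since the `submitted`/`submitted-by` relationships added in relationships/definition.json exist to link it to the file object. `"disable_correlation": false` on `filename` and `submitter-id` is the default and can be dropped, and this is the only new object in the patch that sets `categories` on every attribute; either do it everywhere or nowhere.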
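Review bot: relationships/definition.json, hunk at @@ -455: "This relatiobship describes an object hosted by another object." has a typo (relationship). `consists` and `delivers` are tagged `stix-2.1` but carry no `opposite`, unlike `hosts`/`hosted-by` directly above them, and the STIX 2.1 relationship name is `consists-of` (Infrastructure consists-of Infrastructure or Observed Data), so `consists` will not map cleanly on STIX export; rename it to `consists-of` and add opposites (for example `part-of`, `delivered-by`) if they belong in the vocabulary.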
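Review bot: relationships/definition.json, hunk at @@ -1235: two relationship names are misspelled and, once published, become part of the shared vocabulary and are painful to rename: `ennemy-of` should be `enemy-of` and `ambivalient-of` should be `ambivalent-of` (its description "is an ambivalent of the target object" also needs rewording, e.g. "is ambivalent towards the target object"). `friend-of`, `sibling-of` and `spouse-of` are symmetric and can declare themselves as their own `opposite`, and `grandchild-of` has no `grandparent-of` counterpart. These terms come from the RELATIONSHIP vocabulary (purl.org/vocab/relationship) rather than FOAF itself, which only defines `knows`, so check that `foaf` is the right `format` label. The version moves from 28 to 34 in one patch; if the intermediate numbers were never released, a single increment is less confusing.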
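Review bot: tools/updated.sh: the two `cp` lines now point at `../../misp-website-new/static`, a hard-coded relative path to a sibling checkout, and the script has no `set -e`, so if that directory is absent the asciidoctor steps still run and the copy failures go unnoticed. Add `set -e` at the top and a guard such as `[ -d ../../misp-website-new/static ] || exit 1`, or take the target directory from an argument.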