From aa00bd384c001459e8242e6a895b86a2b895a63f Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Tue, 11 Jan 2022 09:43:03 +0100
Subject: [PATCH 001/112] Add MAP application context list, without version
---
 objects/ss7-attack/definition.json | 63 +++++++++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index fc9be03..95756d4 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -46,6 +46,67 @@ "description": "MAP application context in OID format.", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "4.0.0.1.0.1. - networkLocUp ", + "4.0.0.1.0.2. - locationCancel ", + "4.0.0.1.0.3. - roamingNbEnquiry ", + "4.0.0.1.0.22. - subscriberDataModificationNotification ", + "4.0.0.1.0.6. - callControlTransfer ", + "4.0.0.1.0.16. - subscriberDataMngt ", + "4.0.0.1.0.32. - gprsLocationUpdate ", + "4.0.0.1.0.46. - vcsgLocationUpdate ", + "4.0.0.1.0.1. - networkLocUp_v1 ", + "4.0.0.1.0.14. - infoRetrieval_v1 ", + "4.0.0.1.0.15. - interVlrInfoRetrieval_v1 ", + "4.0.0.1.0.18. - networkFunctionalSs ", + "4.0.0.1.0.39. - authenticationFailureReport_v3 ", + "4.0.0.1.0.18. - networkFunctionalSs_v1 ", + "4.0.0.1.0.44. - resourceMngt ", + "4.0.0.1.0.41. - shortMsgMT_VGCS_Relay ", + "4.0.0.1.0.5. - locInfoRetrieval ", + "4.0.0.1.0.32. - gprsLocationUpdate_v3 ", + "4.0.0.1.0.33. - gprsLocationInfoRetrieval_v3_v4 ", + "4.0.0.1.0.34. - failureReport_v3 ", + "4.0.0.1.0.35. - gprsNotify ", + "4.0.0.1.0.11. - handoverControl_v1 ", + "4.0.0.1.0.11. - handoverControl ", + "4.0.0.1.0.12. - sIWFSAllocation ", + "4.0.0.1.0.47. - vcsgLocationCancel ", + "4.0.0.1.0.10. - reset ", + "4.0.0.1.0.31. - groupCallControl ", + "4.0.0.1.0.13. - equipmentMngt ", + "4.0.0.1.0.25. - shortMsgMT_Relay ", + "4.0.0.1.0.20. - shortMsgGateway ", + "4.0.0.1.0.21. - shortMsgMO_Relay ", + "4.0.0.1.0.24. - mwdMngt_v1 ", + "4.0.0.1.0.23. - shortMsgAlert_v1 ", + "4.0.0.1.0.17. - tracing ", + "4.0.0.1.0.18. - networkFunctionalSs_V1 ", + "4.0.0.1.0.15. - interVlrInfoRetrievalV2_V3 ", + "4.0.0.1.0.14. - infoRetrieval_v2_v3 ", + "4.0.0.1.0.1. - networkLocUp_v2 ", + "4.0.0.1.0.26. - imsiRetrieval_v2 ", + "4.0.0.1.0.19. - networkUnstructuredSsv2 ", + "4.0.0.1.0.19. - networkUnstructuredSs ", + "4.0.0.1.0.43. - anyTimeInfoHandling ", + "4.0.0.1.0.23. - shortMsgAlert_v2 ", + "4.0.0.1.0.24. - mwdMngt_v2_v3 ", + "4.0.0.1.0.4. - istAlerting_v2_v3 ", + "4.0.0.1.0.27. 
- msPurging_v3 ", + "4.0.0.1.0.11. - handoverControl_v2_v3 ", + "4.0.0.1.0.28. - subscriberInfoEnquiry ", + "4.0.0.1.0.29. - anyTimeEnquiryv3 ", + "4.0.0.1.0.36. - ss_InvocationNotification ", + "4.0.0.1.0.7. - reporting ", + "4.0.0.1.0.8. - callCompletion ", + "4.0.0.1.0.38. - locationSvcEnquiryv3 ", + "4.0.0.1.0.45. - groupCallInfoRetrieval ", + "4.0.0.1.0.37. - locationSvcGateway_v3 ", + "4.0.0.1.0.38. - locationSvcEnquiry ", + "4.0.0.1.0.4. - istAlerting_v3 ", + "4.0.0.1.0.9. - ServiceTermination ", + "4.0.0.1.0.42. - mm_EventReporting " + ], "ui-priority": 0 }, "MapGmlc": { @@ -198,4 +259,4 @@ ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", "version": 3 -} \ No newline at end of file +} From e7622d92b38d1b26a30aeef55e4c1af8ae3621d8 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Tue, 11 Jan 2022 09:49:30 +0100 Subject: [PATCH 002/112] Add list of MAP Opcodes (text + number) --- objects/ss7-attack/definition.json | 83 ++++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index 95756d4..a2f43cd 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json 
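Review bot: The new sane_default entries are not values in the "OID format" that the description on the hunk's first context line promises: each string packs an OID prefix, a separator and a context name (`"4.0.0.1.0.1. - networkLocUp "`), with a trailing space and a dangling final dot, so whatever a user picks is stored verbatim as that whole string rather than as an application-context OID. The same shape is kept by the rewritten list in patch 004, and the opcode list in patch 002 does the same with `name - number` strings under a description that says the value is a decimal. Either the description should state the stored form, e.g. `"MAP application context, stored as '<OID prefix> - <context name>'."`, or the name should be dropped from the value. The prefixes also seem to omit the leading itu-t(0) arc of the MAP application-context OIDs; worth confirming against 3GPP TS 29.002 before anything matches on these strings.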
@@ -140,6 +140,89 @@ "description": "MAP operation codes - Decimal value between 0-99.", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "updateLocation - 2", + "cancelLocation - 3", + "provideRoamingNumber - 4", + "noteSubscriberDataModified - 5", + "resumeCallHandling - 6", + "insertSubscriberData - 7", + "deleteSubscriberData - 8", + "sendParameters - 9", + "registerSS - 10", + "eraseSS - 11", + "activateSS - 12", + "deactivateSS - 13", + "interrogateSS - 14", + "authenticationFailureReport - 15", + "registerPassword - 17", + "getPassword - 18", + "processUnstructuredSS_Data - 19", + "releaseResources - 20", + "mt_ForwardSM_VGCS - 21", + "sendRoutingInfo - 22", + "updateGprsLocation - 23", + "sendRoutingInfoForGprs - 24", + "failureReport - 25", + "noteMsPresentForGprs - 26", + "performHandover - 28", + "sendEndSignal - 29", + "performSubsequentHandover - 30", + "provideSIWFSNumber - 31", + "siwfs_SignallingModify - 32", + "processAccessSignalling - 33", + "forwardAccessSignalling - 34", + "noteInternalHandover - 35", + "cancelVcsgLocation - 36", + "reset_ - 37", + "forwardCheckSsIndication - 38", + "prepareGroupCall - 39", + "sendGroupCallEndSignal - 40", + "processGroupCallSignalling - 41", + "forwardGroupCallSignalling - 42", + "checkIMEI - 43", + "mt_forwardSM - 44", + "sendRoutingInfoForSM - 45", + "mo_forwardSM - 46", + "reportSmDeliveryStatus - 47", + "noteSubscriberPresent - 48", + "alertServiceCentreWithoutResult - 49", + "activateTraceMode - 50", + "deactivateTraceMode - 51", + "traceSubscriberActivity - 52", + "updateVcsgLocation - 53", + "beginSubscriberActivity - 54", + "sendIdentification - 55", + "sendAuthenticationInfo - 56", + "restoreData - 57", + "sendIMSI - 58", + "processUnstructuredSS_Request - 59", + "unstructuredSS_Request - 60", + "unstructuredSS_Notify - 61", + "anyTimeSubscriptionInterrogation - 62", + "informServiceCentre - 63", + "alertServiceCentre - 64", + "anyTimeModification - 65", + "readyForSM - 
66", + "purgeMS - 67", + "prepareHandover - 68", + "prepareSubsequentHandover - 69", + "provideSubscriberInfo - 70", + "anyTimeInterrogation - 71", + "ss_Invocation_Notification - 72", + "setReportingState - 73", + "statusReport - 74", + "remoteUserFree - 75", + "registerCC_Entry - 76", + "eraseCC_Entry - 77", + "provideSubscriberLocation - 83", + "sendGroupCallInfo - 84", + "sendRoutingInfoForLCS - 85", + "subscriberLocationReport - 86", + "istAlert - 87", + "istCommand - 88", + "NoteMM_Event - 89" + ], "ui-priority": 0 }, "MapSmsTP-DCS": { From b2638ebae314e2b1de4d508b22b29f8d70ebc693 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 16 Jan 2022 16:39:06 +0100 Subject: [PATCH 003/112] chg: [instan-message-*] add Tox as potential chat application Ref: https://wiki.tox.chat --- objects/instant-message-group/definition.json | 3 ++- objects/instant-message/definition.json | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/objects/instant-message-group/definition.json b/objects/instant-message-group/definition.json index b5174dc..3f20a20 100644 --- a/objects/instant-message-group/definition.json +++ b/objects/instant-message-group/definition.json @@ -15,6 +15,7 @@ "BlackBerry Messenger", "TeamSpeak", "TorChat", + "Tox", "RetroShare", "Slack" ], @@ -76,5 +77,5 @@ "attachment" ], "uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json index 5936290..7f57491 100644 --- a/objects/instant-message/definition.json +++ b/objects/instant-message/definition.json @@ -14,6 +14,7 @@ "BlackBerry Messenger", "TeamSpeak", "TorChat", + "Tox", "RetroShare", "Slack" ], @@ -108,5 +109,5 @@ "from-user" ], "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc", - "version": 1 + "version": 2 } \ No newline at end of file From 41d52f67b98bd2aa68c1a0a7803f358994e97c9f Mon Sep 17 00:00:00 2001 
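Review bot: `"reset_ - 37"` carries a trailing underscore that is not part of the MAP operation name, and `"NoteMM_Event - 89"` is the only entry starting with a capital letter; both look like artefacts of whatever tool the list was exported from, and since sane_default strings are stored verbatim as attribute values they should be normalised to `"reset - 37"` and `"noteMM_Event - 89"` to match the rest of the list. The remaining entries consistently use lowerCamelCase with `_` standing in for the hyphen of the ASN.1 names, which is fine as long as that convention is kept.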
From: Alexandre De Oliveira
Date: Wed, 19 Jan 2022 18:05:40 +0100
Subject: [PATCH 004/112] Cleanup ApplicationContext List + Removed versions Versions are managed via the MAP Version field
---
 objects/ss7-attack/definition.json | 105 +++++++++++++----------------
 1 file changed, 46 insertions(+), 59 deletions(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index a2f43cd..8ada671 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -47,65 +47,52 @@ "disable_correlation": true, "misp-attribute": "text", "sane_default": [ - "4.0.0.1.0.1. - networkLocUp ", - "4.0.0.1.0.2. - locationCancel ", - "4.0.0.1.0.3. - roamingNbEnquiry ", - "4.0.0.1.0.22. - subscriberDataModificationNotification ", - "4.0.0.1.0.6. - callControlTransfer ", - "4.0.0.1.0.16. - subscriberDataMngt ", - "4.0.0.1.0.32. - gprsLocationUpdate ", - "4.0.0.1.0.46. - vcsgLocationUpdate ", - "4.0.0.1.0.1. - networkLocUp_v1 ", - "4.0.0.1.0.14. - infoRetrieval_v1 ", - "4.0.0.1.0.15. - interVlrInfoRetrieval_v1 ", - "4.0.0.1.0.18. - networkFunctionalSs ", - "4.0.0.1.0.39. - authenticationFailureReport_v3 ", - "4.0.0.1.0.18. - networkFunctionalSs_v1 ", - "4.0.0.1.0.44. - resourceMngt ", - "4.0.0.1.0.41. - shortMsgMT_VGCS_Relay ", - "4.0.0.1.0.5. - locInfoRetrieval ", - "4.0.0.1.0.32. - gprsLocationUpdate_v3 ", - "4.0.0.1.0.33. - gprsLocationInfoRetrieval_v3_v4 ", - "4.0.0.1.0.34. - failureReport_v3 ", - "4.0.0.1.0.35. - gprsNotify ", - "4.0.0.1.0.11. - handoverControl_v1 ", - "4.0.0.1.0.11. - handoverControl ", - "4.0.0.1.0.12. - sIWFSAllocation ", - "4.0.0.1.0.47. - vcsgLocationCancel ", - "4.0.0.1.0.10. - reset ", - "4.0.0.1.0.31. - groupCallControl ", - "4.0.0.1.0.13. - equipmentMngt ", - "4.0.0.1.0.25. - shortMsgMT_Relay ", - "4.0.0.1.0.20. - shortMsgGateway ", - "4.0.0.1.0.21. - shortMsgMO_Relay ", - "4.0.0.1.0.24. - mwdMngt_v1 ", - "4.0.0.1.0.23. - shortMsgAlert_v1 ", - "4.0.0.1.0.17. - tracing ", - "4.0.0.1.0.18. - networkFunctionalSs_V1 ", - "4.0.0.1.0.15. - interVlrInfoRetrievalV2_V3 ", - "4.0.0.1.0.14. - infoRetrieval_v2_v3 ", - "4.0.0.1.0.1. - networkLocUp_v2 ", - "4.0.0.1.0.26. - imsiRetrieval_v2 ", - "4.0.0.1.0.19. - networkUnstructuredSsv2 ", - "4.0.0.1.0.19. - networkUnstructuredSs ", - "4.0.0.1.0.43. - anyTimeInfoHandling ", - "4.0.0.1.0.23. - shortMsgAlert_v2 ", - "4.0.0.1.0.24. - mwdMngt_v2_v3 ", - "4.0.0.1.0.4. - istAlerting_v2_v3 ", - "4.0.0.1.0.27. - msPurging_v3 ", - "4.0.0.1.0.11. 
- handoverControl_v2_v3 ", - "4.0.0.1.0.28. - subscriberInfoEnquiry ", - "4.0.0.1.0.29. - anyTimeEnquiryv3 ", - "4.0.0.1.0.36. - ss_InvocationNotification ", - "4.0.0.1.0.7. - reporting ", - "4.0.0.1.0.8. - callCompletion ", - "4.0.0.1.0.38. - locationSvcEnquiryv3 ", - "4.0.0.1.0.45. - groupCallInfoRetrieval ", - "4.0.0.1.0.37. - locationSvcGateway_v3 ", - "4.0.0.1.0.38. - locationSvcEnquiry ", - "4.0.0.1.0.4. - istAlerting_v3 ", - "4.0.0.1.0.9. - ServiceTermination ", - "4.0.0.1.0.42. - mm_EventReporting " + "4.0.0.1.0.1. - networkLocUp", + "4.0.0.1.0.2. - locationCancel", + "4.0.0.1.0.3. - roamingNbEnquiry", + "4.0.0.1.0.22. - subscriberDataModificationNotification", + "4.0.0.1.0.6. - callControlTransfer", + "4.0.0.1.0.16. - subscriberDataMngt", + "4.0.0.1.0.32. - gprsLocationUpdate", + "4.0.0.1.0.46. - vcsgLocationUpdate", + "4.0.0.1.0.15. - interVlrInfoRetrieval", + "4.0.0.1.0.18. - networkFunctionalSs", + "4.0.0.1.0.39. - authenticationFailureReport", + "4.0.0.1.0.44. - resourceMngt", + "4.0.0.1.0.41. - shortMsgMT_VGCS_Relay", + "4.0.0.1.0.5. - locInfoRetrieval", + "4.0.0.1.0.32. - gprsLocationUpdate", + "4.0.0.1.0.33. - gprsLocationInfoRetrieval", + "4.0.0.1.0.34. - failureReport", + "4.0.0.1.0.35. - gprsNotify", + "4.0.0.1.0.11. - handoverControl", + "4.0.0.1.0.12. - sIWFSAllocation", + "4.0.0.1.0.47. - vcsgLocationCancel", + "4.0.0.1.0.10. - reset", + "4.0.0.1.0.31. - groupCallControl", + "4.0.0.1.0.13. - equipmentMngt", + "4.0.0.1.0.25. - shortMsgMT_Relay", + "4.0.0.1.0.20. - shortMsgGateway", + "4.0.0.1.0.21. - shortMsgMO_Relay", + "4.0.0.1.0.24. - mwdMngt", + "4.0.0.1.0.23. - shortMsgAlert", + "4.0.0.1.0.17. - tracing", + "4.0.0.1.0.14. - infoRetrieval", + "4.0.0.1.0.26. - imsiRetrieval", + "4.0.0.1.0.19. - networkUnstructuredSs", + "4.0.0.1.0.43. - anyTimeInfoHandling", + "4.0.0.1.0.4. - istAlerting", + "4.0.0.1.0.27. - msPurging", + "4.0.0.1.0.28. - subscriberInfoEnquiry", + "4.0.0.1.0.29. - anyTimeEnquiry", + "4.0.0.1.0.36. 
- ss_InvocationNotification", + "4.0.0.1.0.7. - reporting", + "4.0.0.1.0.8. - callCompletion", + "4.0.0.1.0.38. - locationSvcEnquiry", + "4.0.0.1.0.45. - groupCallInfoRetrieval", + "4.0.0.1.0.37. - locationSvcGateway", + "4.0.0.1.0.9. - ServiceTermination", + "4.0.0.1.0.42. - mm_EventReporting" ], "ui-priority": 0 }, From 430df1cf4818214c794dd1712650467a7c4f2f1c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 31 Jan 2022 07:45:38 +0100 Subject: [PATCH 005/112] new: [identity] from STIX 2.1 - 4.5 - new object template Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). Ref: 4.5 Identity --- objects/identity/definition.json | 90 ++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 objects/identity/definition.json diff --git a/objects/identity/definition.json b/objects/identity/definition.json new file mode 100644 index 0000000..4a08de0 --- /dev/null +++ b/objects/identity/definition.json 
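Review bot: The version arc is dropped from every entry in the rewritten list, but the attribute's description (`"MAP application context in OID format."`, visible as context in the patch 001 hunk, just above this hunk's start) is not updated to say so, and nothing tells the user where the version now lives. The commit message says versions are managed via the MAP Version field; put that in the description, e.g. `"MAP application context in OID format, without the trailing version arc (the version is carried by the MAP Version attribute)."`, so the dangling dot at the end of each value is explained in the UI rather than only in git history.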
@@ -0,0 +1,90 @@ +{ + "attributes": { + "contact_information": { + "description": "The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification.", + "misp-attribute": "text", + "ui-priority": 18 + }, + "description": { + "description": "A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 10 + }, + "identity_class": { + "description": "The type of entity that this Identity describes, e.g., an individual or organization.", + "misp-attribute": "text", + "sane_default": [ + "individual", + "group", + "system", + "organization", + "class", + "unknown" + ], + "ui-priority": 16 + }, + "name": { + "description": "The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "roles": { + "description": "The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer).", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 15 + }, + "sectors": { + "description": "Description of the organization", + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "agriculture", + "aerospace", + "automotive", + "chemical", + "commercial", + "communication", + "construction", + "defense", + "education", + "energy", + "entertainment", + "financial-services", + "government", + "government emergency-services", + "government government-local", + "government-national", + "government-public-services", + "government-regional", + "healthcare", + "hospitality-leasure", + "infrastructure", + "infrastructure dams", + "infrastructure nuclear", + "infrastructure water", + "insurance", + 
"manufacturing", + "mining", + "non-profit", + "pharmaceuticals", + "retail", + "technology", + "telecommunication", + "transportation", + "utilities" + ], + "ui-priority": 17 + } + }, + "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)", + "meta-category": "misc", + "name": "identity", + "requiredOneOf": [ + "name" + ], + "uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990", + "version": 1 +} \ No newline at end of file From 8cd68cdfd60e9097910d655d3a3839561c1f60b2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 1 Feb 2022 16:25:24 +0100 Subject: [PATCH 006/112] new: [artifact] The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. ref: STIX 2.1 - 6.1 Open point: relationships for the related hashes --- objects/artifact/definition.json | 45 ++++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 objects/artifact/definition.json diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json new file mode 100644 index 0000000..df2b7c9 --- /dev/null +++ b/objects/artifact/definition.json 
@@ -0,0 +1,45 @@ +{ + "attributes": { + "decryption_key": { + "description": "Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "encryption_algorithm": { + "description": "If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hashes": { + "description": "Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. (should be file with relationships?)", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "mime_type": { + "description": "Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.", + "disable_correlation": true, + "misp-attribute": "mime-type", + "ui-priority": 0 + }, + "payload_bin": { + "description": "Specifies the binary data contained in the artifact as a base64-encoded string.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "url": { + "description": "The value of this property MUST be a valid URL that resolves to the unencoded content.", + "misp-attribute": "url", + "ui-priority": 0 + } + }, + "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. 
from STIX 2.1 (6.1)", + "meta-category": "file", + "name": "artifact", + "requiredOneOf": [ + "payload_bin", + "url" + ], + "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483", + "version": 1 +} \ No newline at end of file From f1fea67b5886f4f4f8d14b7ea9f3116de5bfc2e9 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Tue, 1 Feb 2022 17:26:22 +0100 Subject: [PATCH 007/112] Add FowardSM for "old" SMS --- objects/ss7-attack/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index 8ada671..a2b4bd0 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -171,6 +171,7 @@ "mt_forwardSM - 44", "sendRoutingInfoForSM - 45", "mo_forwardSM - 46", + "forwardSM - 46", "reportSmDeliveryStatus - 47", "noteSubscriberPresent - 48", "alertServiceCentreWithoutResult - 49", From 30949fbeb56ec47490b85b56cca839a3d91aa7b6 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Thu, 3 Feb 2022 10:09:05 +0100 Subject: [PATCH 008/112] Update descriptions for SS7, Diameter & GTP objects --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c80d2ba..84a820e 100644 --- a/README.md +++ b/README.md 
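Review bot: The `hashes` description ships an internal open question, `(should be file with relationships?)`, that will be rendered to every user of the template; the commit message already records the open point, so the parenthetical should be dropped from the description. Separately, `hashes` is typed `"misp-attribute": "text"`, so values entered there will not correlate with the `md5`/`sha1`/`sha256` attributes of file objects; if correlation is the goal, hash-typed attributes or the relationship the commit message mentions would be needed. The `payload_bin` attribute is likewise a free `text` value holding base64 data; the `attachment` type used elsewhere in this repository (see the instant-message-group hunk in patch 003) may be a better fit, though that is a design choice to confirm.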
@@ -146,7 +146,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern. - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. -- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. +- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM. - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain. - [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time. 
@@ -224,7 +224,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. -- [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. +- [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. - [objects/ilr-impact](https://github.com/MISP/misp-objects/blob/main/objects/ilr-impact/definition.json) - Institut Luxembourgeois de Regulation - Impact. 
@@ -331,7 +331,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target. - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel. - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object. -- [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. +- [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks. - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file. - [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. - [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description. From df81204b24db106b9c032c9164de3ee347b9dc88 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Thu, 3 Feb 2022 10:42:35 +0100 Subject: [PATCH 009/112] Modification avec the jq_all_the_things.sh --- objects/ss7-attack/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index a2b4bd0..c9c14ac 100644 
--- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -46,7 +46,7 @@ "description": "MAP application context in OID format.", "disable_correlation": true, "misp-attribute": "text", - "sane_default": [ + "sane_default": [ "4.0.0.1.0.1. - networkLocUp", "4.0.0.1.0.2. - locationCancel", "4.0.0.1.0.3. - roamingNbEnquiry", @@ -330,4 +330,4 @@ ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", "version": 3 -} +} \ No newline at end of file From c5d084b93063b1114ff38440ee4a1910ad008ec9 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Thu, 3 Feb 2022 12:54:09 +0100 Subject: [PATCH 010/112] Remove a duplicated gprsLocationUpdate --- objects/ss7-attack/definition.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index c9c14ac..c7d4a0e 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -53,7 +53,6 @@ "4.0.0.1.0.22. - subscriberDataModificationNotification", "4.0.0.1.0.6. - callControlTransfer", "4.0.0.1.0.16. - subscriberDataMngt", - "4.0.0.1.0.32. - gprsLocationUpdate", "4.0.0.1.0.46. - vcsgLocationUpdate", "4.0.0.1.0.15. - interVlrInfoRetrieval", "4.0.0.1.0.18. - networkFunctionalSs", @@ -330,4 +329,4 @@ ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", "version": 3 -} \ No newline at end of file +} From 6859121d166a5ddb7bdbb75e96a026113ba22033 Mon Sep 17 00:00:00 2001 From: Alexandre De Oliveira Date: Thu, 3 Feb 2022 12:58:56 +0100 Subject: [PATCH 011/112] Modification after running ./jq_all_the_things.sh --- objects/ss7-attack/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index c7d4a0e..2bad2c8 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json 
@@ -329,4 +329,4 @@ ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", "version": 3 -} +} \ No newline at end of file From 1d32596600e7326c5b64a2998f177bff5d20e996 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Feb 2022 17:43:28 +0100 Subject: [PATCH 012/112] chg: [ss7/gtp/diameter] used description updated in the README --- objects/diameter-attack/definition.json | 6 +++--- objects/gtp-attack/definition.json | 6 +++--- objects/ss7-attack/definition.json | 6 +++--- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json index 11ee5b5..29826e9 100644 --- a/objects/diameter-attack/definition.json +++ b/objects/diameter-attack/definition.json @@ -78,12 +78,12 @@ "ui-priority": 0 } }, - "description": "Attack as seen on diameter authentication against a GSM, UMTS or LTE network", + "description": "Attack as seen on the diameter signaling protocol supporting LTE networks.", "meta-category": "network", "name": "diameter-attack", "requiredOneOf": [ "text" ], "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12", - "version": 1 -} \ No newline at end of file + "version": 2 +} diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json index 36af16e..081da4c 100644 --- a/objects/gtp-attack/definition.json +++ b/objects/gtp-attack/definition.json @@ -88,12 +88,12 @@ "ui-priority": 0 } }, - "description": "GTP attack object as seen on a GSM, UMTS or LTE network", + "description": "GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.", "meta-category": "network", "name": "gtp-attack", "requiredOneOf": [ "text" ], "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", - "version": 3 -} \ No newline at end of file + "version": 4 +} diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index 2bad2c8..dc630ee 100644 --- a/objects/ss7-attack/definition.json 
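Review bot: The new gtp-attack description reads `"GTP attack object as attack as seen on the GTP signaling protocol …"`; "as attack as seen" is a garbled phrase carried over from the README change in patch 008. Suggest `"GTP attack object as seen on the GTP signaling protocol supporting GPRS/LTE networks."` here and the same fix in the README line, since the two copies are maintained by hand and already needed a second commit to be brought into line. The diameter-attack and ss7-attack descriptions in this commit read fine.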
+++ b/objects/ss7-attack/definition.json @@ -321,12 +321,12 @@ "ui-priority": 0 } }, - "description": "SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.", + "description": "SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks.", "meta-category": "network", "name": "ss7-attack", "requiredOneOf": [ "text" ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", - "version": 3 -} \ No newline at end of file + "version": 4 +} From 30c53a61ebd0615891a607aa326eced1bb42eb0c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Feb 2022 17:44:17 +0100 Subject: [PATCH 013/112] fix: [JSON] updated --- objects/diameter-attack/definition.json | 2 +- objects/gtp-attack/definition.json | 2 +- objects/ss7-attack/definition.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json index 29826e9..22a7e00 100644 --- a/objects/diameter-attack/definition.json +++ b/objects/diameter-attack/definition.json @@ -86,4 +86,4 @@ ], "uuid": "a3fdce4c-8e21-4acc-ab8e-9976e9165a12", "version": 2 -} +} \ No newline at end of file diff --git a/objects/gtp-attack/definition.json b/objects/gtp-attack/definition.json index 081da4c..667a466 100644 --- a/objects/gtp-attack/definition.json +++ b/objects/gtp-attack/definition.json @@ -96,4 +96,4 @@ ], "uuid": "6b3c48d2-0ca6-4608-9c36-455105439145", "version": 4 -} +} \ No newline at end of file diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index dc630ee..f4d2045 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -329,4 +329,4 @@ ], "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782", "version": 4 -} +} \ No newline at end of file From fdc6140182fed2f41ba64f843c7865982fdee3df Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 3 Feb 2022 18:36:33 +0100 Subject: [PATCH 014/112] new: [relationships] FOAF relationship added ref: A module for defining relationships in FOAF (ref. Eric Vitiello Jr.) --- relationships/definition.json | 58 ++++++++++++++++++++++++++++++++++- 1 file changed, 57 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index cea81cb..49b4f93 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1235,7 +1235,63 @@ "misp" ], "name": "drives" + }, + { + "description": "The referenced source object is a friend of the target object.", + "format": [ + "foaf" + ], + "name": "friend-of" + }, + { + "description": "The referenced source object is an acquaintance of the target object.", + "format": [ + "foaf" + ], + "name": "acquaintance-of" + }, + { + "description": "The referenced source object is a sibling of the target object.", + "format": [ + "foaf" + ], + "name": "sibling-of" + }, + { + "description": "The referenced source object is a grandchild of the target object.", + "format": [ + "foaf" + ], + "name": "grandchild-of" + }, + { + "description": "The referenced source object is a spouse of the target object.", + "format": [ + "foaf" + ], + "name": "spouse-of" + }, + { + "description": "The referenced source object is an ennemy of the target object.", + "format": [ + "foaf" + ], + "name": "ennemy-of" + }, + { + "description": "The referenced source object is an antagonist of the target object.", + "format": [ + "foaf" + ], + "name": "antagonist-of" + }, + { + "description": "The referenced source object is an ambivalent of the target object.", + "format": [ + "foaf" + ], + "name": "ambivalient-of" } ], - "version": 28 + "version": 29 } \ No newline at end of file From d6dbeaa57468dc3c46e7cce6e3ac591f67158dae Mon Sep 17 00:00:00 2001 
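Review bot: Two of the new relationship names are misspelt, and a relationship name is an identifier that other instances will have stored once this is released, so renaming later is costly: `"name": "ennemy-of"` (and its description) should be `enemy-of`, and `"name": "ambivalient-of"` disagrees with its own description, which says "ambivalent"; the FOAF relationship module these are taken from uses `enemyOf` and `ambivalentOf`. The description `"is an ambivalent of the target object"` also reads oddly; `"The referenced source object is ambivalent towards the target object."` is closer to the FOAF meaning. The other six entries look consistent with the existing `"The referenced source object is … of the target object."` pattern.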
From: Alexandre Dulaunoy Date: Fri, 4 Feb 2022 08:47:56 +0100 Subject: [PATCH 015/112] chg: [person] add the ability to set the instant-messaging apps used by the person --- objects/person/definition.json | 27 ++++++++++++++++++++++++++- 1 file changed, 26 insertions(+), 1 deletion(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 1f71dea..4944afe 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -75,6 +75,31 @@ "misp-attribute": "identity-card-number", "ui-priority": 0 }, + "instant-messaging-used": { + "description": "The IM application used by this person.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": "true", + "sane_default": [ + "WhatsApp", + "Google Hangouts", + "Facebook Messenger", + "Telegram", + "Signal", + "WeChat", + "BlackBerry Messenger", + "TeamSpeak", + "TorChat", + "Tox", + "RetroShare", + "Slack", + "Wire", + "Threema", + "Discord", + "Mumble" + ], + "ui-priority": 10 + }, "last-name": { "description": "Last name of a natural person.", "misp-attribute": "last-name", @@ -215,5 +240,5 @@ "alias" ], "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", - "version": 14 + "version": 16 } \ No newline at end of file From b67cda2d512069346bfc169c89e17955a7cfe665 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 4 Feb 2022 08:49:32 +0100 Subject: [PATCH 016/112] chg: [instant-messaging] add new sane default --- objects/instant-message/definition.json | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json index 7f57491..ae643f0 100644 --- a/objects/instant-message/definition.json +++ b/objects/instant-message/definition.json @@ -16,7 +16,11 @@ "TorChat", "Tox", "RetroShare", - "Slack" + "Slack", + "Wire", + "Threema", + "Discord", + "Mumble" ], "ui-priority": 1 }, 
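Review bot: The four new messengers (`"Wire"`, `"Threema"`, `"Discord"`, `"Mumble"`) are added here to instant-message and, in patch 015, to person, but as far as this page shows the identical list in objects/instant-message-group (updated alongside instant-message in patch 003) is not touched, so the three hand-maintained copies now disagree. The list has no shared source, so either update instant-message-group in the same commit or add a check to the repository's jq-based formatting pass that the three sane_default lists are identical, so they cannot drift again unnoticed.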
@@ -109,5 +113,5 @@
 "from-user"
 ],
 "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
- "version": 2
-}
\ No newline at end of file
+ "version": 3
+}
From dfc090f19e0a1b2293fe80dd7c2bcee23e807cc4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 4 Feb 2022 08:50:36 +0100
Subject: [PATCH 017/112] chg: [person] typo fixed
---
 objects/person/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 4944afe..ab1c473 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -79,7 +79,7 @@
 "description": "The IM application used by this person.",
 "disable_correlation": true,
 "misp-attribute": "text",
- "multiple": "true",
+ "multiple": true,
 "sane_default": [
 "WhatsApp",
 "Google Hangouts",
@@ -241,4 +241,4 @@
 ],
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
 "version": 16
-}
\ No newline at end of file
+}
From a6d51a91b9cc45ac3062492b5e602f68392d63d6 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 4 Feb 2022 08:52:33 +0100
Subject: [PATCH 018/112] chg: [objects] jq all the things
---
 objects/instant-message/definition.json | 2 +-
 objects/person/definition.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
index ae643f0..97ab449 100644
--- a/objects/instant-message/definition.json
+++ b/objects/instant-message/definition.json
@@ -114,4 +114,4 @@
 ],
 "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
 "version": 3
-}
+}
\ No newline at end of file
diff --git a/objects/person/definition.json b/objects/person/definition.json
index ab1c473..8217f29 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -241,4 +241,4 @@
 ],
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
 "version": 16
-}
+}
\ No newline at end of file
From 1ee36b442685ff2eaf1f18c203c2ec662203c1d8 Mon Sep 17 00:00:00 2001
From: Jeroen Pinoy Date: Mon, 7 Feb 2022 17:54:31 +0100 Subject: [PATCH 019/112] new: Add apivoid email verification API result object --- README.md | 1 + .../definition.json | 219 ++++++++++++++++++ 2 files changed, 220 insertions(+) create mode 100644 objects/apivoid-email-verification/definition.json diff --git a/README.md b/README.md index 84a820e..705b313 100644 --- a/README.md +++ b/README.md 
@@ -110,6 +110,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/android-permission](https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app). - [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. - [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml. +- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/ - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification. - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report. diff --git a/objects/apivoid-email-verification/definition.json b/objects/apivoid-email-verification/definition.json new file mode 100644 index 0000000..7743138 --- /dev/null +++ b/objects/apivoid-email-verification/definition.json 
@@ -0,0 +1,219 @@ +{ + "attributes": { + "china_free_email": { + "description": "True if email is a free China email, i.e 163.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "comment": { + "description": "Field for comments or correlating text", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "dirty_words_domain": { + "description": "True if domain contains dirty/bad words.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dirty_words_username": { + "description": "True if username contains dirty/bad words.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "disposable": { + "description": "True if email is disposable, i.e yopmail.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dmarc_configured": { + "description": "True if domain has DMARC records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "dmarc_enforced": { + "description": "True if domain is configured for DMARC and set to an enforcement policy.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "domain": { + "description": "Email domain.", + "disable_correlation": true, + "misp-attribute": "domain", + "to_ids": false, + "ui-priority": 1 + }, + "domain_popular": { + "description": "True if domain is a known popular domain.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "educational_domain": { + "description": "True if domain is an educational domain, i.e .edu", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "email": { + "categories": [ + "Attribution" + ], + "description": "The email address that was queried.", + "misp-attribute": "email", + "to_ids": false, + "ui-priority": 1 + }, + "free_email": { + "description": "True if 
email is a free email, i.e gmail.com.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "government_domain": { + "description": "True if domain is a government domain, i.e .gov", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_a_records": { + "description": "True if domain has A records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_mx_records": { + "description": "True if domain has MX records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "has_spf_records": { + "description": "True if domain has SPF records configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "is_spoofable": { + "description": "True if domain does not have SPF records or if ~all is not configured.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "police_domain": { + "description": "True if domain is a police domain (such as *polizei*, *police*, etc).", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "risky_tld": { + "description": "True if domain TLD is risky, i.e .top or .pro.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "role_address": { + "description": "True if email is a role address, i.e admin@website.com", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "russian_free_email": { + "description": "True if email is a free Russian email, i.e mail.ru.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "score": { + "description": "A number between 0 (bad) and 100 (good).", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 1 + }, + "should_block": { + "description": "True if the score is bad (<= 70) and thus it should be 
blocked.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_domain": { + "description": "True if domain is suspicious, i.e known spam or parked.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_email": { + "description": "True if email is considered suspicious.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "suspicious_username": { + "description": "True if username is suspicious, i.e only numbers.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "username": { + "description": "Username part of the email address (email prefix)", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "valid_format": { + "description": "True if email has a valid format.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + }, + "valid_tld": { + "description": "True if domain TLD is valid, i.e .com or .co.uk", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 1 + } + }, + "description": "Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/", + "meta-category": "misc", + "name": "apivoid-email-verification", + "required": [ + "email" + ], + "requiredOneOf": [ + "valid_format", + "username", + "role_address", + "suspicious_username", + "dirty_words_username", + "suspicious_email", + "domain", + "valid_tld", + "disposable", + "has_a_records", + "has_mx_records", + "has_spf_records", + "is_spoofable", + "dmarc_configured", + "dmarc_enforced", + "free_email", + "russian_free_email", + "china_free_email", + "suspicious_domain", + "dirty_words_domain", + "domain_popular", + "risky_tld", + "police_domain", + "government_domain", + "educational_domain", + "should_block", + "score" + ], + "uuid": "289492ab-4b74-49ec-add7-cd9b541f2245", + "version": 1 +} \ No newline at end of file 
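Review bot: The attribute descriptions use "i.e" where an example is meant — `"True if email is disposable, i.e yopmail.com."`, `"True if email is a free email, i.e gmail.com."`, `"True if domain TLD is risky, i.e .top or .pro."` and the other `i.e` entries — which reads as if those were the only matching values; "e.g." states the intent. `domain` is marked `"disable_correlation": true` while `email` is left correlating; if the intent is that the queried address correlates across events but its (often free-mail) domain does not, a short note in the `domain` description would make that deliberate rather than accidental. The two descriptions that end without a period (`educational_domain`, `government_domain`, `role_address`, `valid_tld`) also differ from the rest of the file's style.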
From 2ca2606252eba34f41f08b4ed743612499c7d0f0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 14 Feb 2022 11:06:53 +0100 Subject: [PATCH 020/112] new: [software] software template object added based 6.14 (STIX 2.1) --- README.md | 8 ++++-- objects/software/definition.json | 48 ++++++++++++++++++++++++++++++++ tools/updated.sh | 4 +-- 3 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 objects/software/definition.json diff --git a/README.md b/README.md index 705b313..eb06ee0 100644 --- a/README.md +++ b/README.md 
@@ -110,7 +110,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/android-permission](https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app). - [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. - [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml. -- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/ +- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/. +- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1). - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. 
- [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification. - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report. @@ -176,7 +177,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - . - [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - . - [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - . -- [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - . +- [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective. - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). . - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier. 
@@ -228,6 +229,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. +- [objects/identity](https://github.com/MISP/misp-objects/blob/main/objects/identity/definition.json) - Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5). - [objects/ilr-impact](https://github.com/MISP/misp-objects/blob/main/objects/ilr-impact/definition.json) - Institut Luxembourgeois de Regulation - Impact. - [objects/ilr-notification-incident](https://github.com/MISP/misp-objects/blob/main/objects/ilr-notification-incident/definition.json) - Institut Luxembourgeois de Regulation - Notification d'incident. - [objects/image](https://github.com/MISP/misp-objects/blob/main/objects/image/definition.json) - Object describing an image file. 
@@ -286,6 +288,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit. - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone. - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address. +- [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure. - [objects/process](https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json) - Object describing a system process. - [objects/publication](https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json) - An object to describe a book, journal, or academic publication. - [objects/python-etvx-event-log](https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json) - Event log object template to share information of the activities conducted on a system. . 
@@ -331,6 +334,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply. - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target. - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel. +- [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14. - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object. - [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks. - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file. diff --git a/objects/software/definition.json b/objects/software/definition.json new file mode 100644 index 0000000..2d2275e --- /dev/null +++ b/objects/software/definition.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "cpe": { + "description": "Specifies the Common Platform Enumeration (CPE) entry for the software, if available. The value for this property MUST be a CPE v2.3 entry from the official NVD CPE Dictionary [NVD] . While the CPE dictionary does not contain entries for all software, whenever it does contain an identifier for a given instance of software, this property SHOULD be present.", + "misp-attribute": "cpe", + "multiple": true, + "ui-priority": 9 + }, + "language": { + "description": "Specifies the languages supported by the software. The value of each list member MUST be a language code conformant to [RFC5646].", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "name": { + "description": "Specifies the name of the software.", + "misp-attribute": "text", + "ui-priority": 10 + }, + "swid": { + "description": "Specifies the Software Identification (SWID) Tags [SWID] entry for the software, if available. The tag attribute, tagId, a globally unique identifier, SHOULD be used as a proxy identifier of the tagged product.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 9 + }, + "vendor": { + "description": "Specifies the name of the vendor of the software.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4 + }, + "version": { + "description": "Specifies the version of the software.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4 + } + }, + "description": "The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14", + "meta-category": "misc", + "name": "software", + "requiredOneOf": [ + "name" + ], + "uuid": "b1b5dc0e-73fe-443c-8d9d-0e208de3951e", + "version": 1 +} \ No newline at end of file diff --git a/tools/updated.sh b/tools/updated.sh index 27106fe..acc0c56 100644 --- a/tools/updated.sh +++ b/tools/updated.sh 
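Review bot: `name` on the new software object has no `"disable_correlation": true`, unlike `vendor` and `version` in the same hunk, so a plain product name will correlate across every event that carries the same software entry; if that correlation is not wanted, add `"disable_correlation": true,` under `name`, leaving `cpe` as the structured identifier that correlates. The `cpe` description has a stray space before the period in `[NVD] .`. The `language` description states each value MUST be an RFC 5646 code, but nothing in the template constrains it (no `sane_default`), so the MUST is advisory only; either is acceptable, but the description should not promise more than the template enforces.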
@@ -2,5 +2,5 @@ python3 adoc_objects.py >a.txt
 mv a.txt objects.txt
 asciidoctor-pdf -a allow-uri-read objects.txt
 asciidoctor -a allow-uri-read objects.txt
-cp objects.html ../../misp-website/
-cp objects.pdf ../../misp-website/
+cp objects.html ../../misp-website-new/static
+cp objects.pdf ../../misp-website-new/static
From 7dffebe9b659f9e0e1c6df966a7912755031bd1c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 14 Feb 2022 11:30:09 +0100
Subject: [PATCH 021/112] new: [infrastructure] infrastructure object added (STIX 2.1 - 4.8)
---
 README.md | 1 +
 objects/infrastructure/definition.json | 62 ++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
 create mode 100644 objects/infrastructure/definition.json
diff --git a/README.md b/README.md
index eb06ee0..a31ffbf 100644
--- a/README.md
+++ b/README.md
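Review bot: The tools/updated.sh change is unrelated to the commit subject (a software template object) and hardcodes the publishing destination twice; a separate commit, with the path held once in a variable such as `DEST=../../misp-website-new/static` used by both `cp` lines, would keep that detail out of a template commit and in one place. The script's first line is outside the hunk, so whether it runs under `set -e` cannot be seen here; as shown, a failed `cp objects.html` does not stop the following `cp objects.pdf`.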
@@ -235,6 +235,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/image](https://github.com/MISP/misp-objects/blob/main/objects/image/definition.json) - Object describing an image file. - [objects/impersonation](https://github.com/MISP/misp-objects/blob/main/objects/impersonation/definition.json) - Represent an impersonating account. - [objects/imsi-catcher](https://github.com/MISP/misp-objects/blob/main/objects/imsi-catcher/definition.json) - IMSI Catcher entry object based on the open source IMSI cather. +- [objects/infrastructure](https://github.com/MISP/misp-objects/blob/main/objects/infrastructure/definition.json) - The Infrastructure object represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other objects, the Infrastructure object represents a named group of related data that constitutes the infrastructure. STIX 2.1 - 4.8. - [objects/instant-message](https://github.com/MISP/misp-objects/blob/main/objects/instant-message/definition.json) - Instant Message (IM) object template describing one or more IM message. - [objects/instant-message-group](https://github.com/MISP/misp-objects/blob/main/objects/instant-message-group/definition.json) - Instant Message (IM) group object template describing a public or private IM group, channel or conversation. - [objects/intel471-vulnerability-intelligence](https://github.com/MISP/misp-objects/blob/main/objects/intel471-vulnerability-intelligence/definition.json) - Intel 471 vulnerability intelligence object. diff --git a/objects/infrastructure/definition.json b/objects/infrastructure/definition.json new file mode 100644 index 0000000..bb981d6 --- /dev/null 
+++ b/objects/infrastructure/definition.json 
@@ -0,0 +1,62 @@ +{ + "attributes": { + "alias": { + "description": "Alternative names used to identify this Infrastructure.", + "misp-attribute": "text", + "ui-priority": 7 + }, + "description": { + "description": "A description that provides more details and context about the Infrastructure, potentially including its purpose, how it is being used, how it relates to other intelligence activities captured in related objects, and its key characteristics.", + "misp-attribute": "text", + "ui-priority": 9 + }, + "infrastructure_type": { + "description": "The type of infrastructure being described. The values for this property SHOULD come from the infrastructure-type-ov open vocabulary.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "amplification", + "anonymization", + "botnet", + "command-and-control", + "exfiltration", + "hosting-malware", + "hosting-target-lists", + "phishing", + "reconnaissance", + "staging", + "unknown" + ], + "ui-priority": 8 + }, + "kill_chain_phases": { + "description": "The list of Kill Chain Phases for which this Infrastructure is used.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "(1) Reconnaissance", + "(2) Weaponization", + "(3) Deliver", + "(4) Exploitation", + "(5) Installation", + "(6) Command and Control", + "(7) Actions on objectives" + ], + "ui-priority": 6 + }, + "name": { + "description": "A name or characterizing text used to identify the Infrastructure.", + "misp-attribute": "text", + "ui-priority": 10 + } + }, + "description": "The Infrastructure object represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). 
While elements of an attack can be represented by other objects, the Infrastructure object represents a named group of related data that constitutes the infrastructure. STIX 2.1 - 4.8", + "meta-category": "misc", + "name": "infrastructure", + "requiredOneOf": [ + "name" + ], + "uuid": "39d64bd7-1264-4b2e-bdd1-31d1c4b38e6c", + "version": 1 +} \ No newline at end of file From 6225b2c376d343cc4664960f9ad70cada5de78fa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 14 Feb 2022 11:38:30 +0100 Subject: [PATCH 022/112] chg: [relationships] updated for stix 2.1 --- relationships/definition.json | 29 ++++++++++++++++++++++++++--- 1 file changed, 26 insertions(+), 3 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index 49b4f93..2edca1a 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -455,11 +455,34 @@ { "description": "This relationship describes an object which is used by another object.", "format": [ - "cert-eu" + "cert-eu", + "stix-2.1" ], "name": "used-by", "opposite": "uses" }, + { + "description": "This relationship describes an object which hosts another object.", + "format": [ + "stix-2.1" + ], + "name": "hosts", + "opposite": "hosted-by" + }, + { + "description": "This relationship describes an object which consists of one or more object(s).", + "format": [ + "stix-2.1" + ], + "name": "consists" + }, + { + "description": "This relationship describes an object which delivers to one or more object(s).", + "format": [ + "stix-2.1" + ], + "name": "delivers" + }, { "description": "This relationship describes an object which is affiliated with another object.", "format": [ @@ -1293,5 +1316,5 @@ "name": "ambivalient-of" } ], - "version": 29 -} \ No newline at end of file + "version": 30 +} From 2001eb35c29241e8f0f17c4fbbbc554f899142ae Mon Sep 17 00:00:00 2001 
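Review bot: `kill_chain_phases` is described as "The list of Kill Chain Phases for which this Infrastructure is used" but carries no `"multiple": true`, so only one phase can be recorded per object; the same applies to `alias` ("Alternative names"). Add `"multiple": true,` to both, as `infrastructure_type` in the same hunk already does. The phase value `"(3) Deliver"` is the only one not spelled as in the Lockheed Martin kill chain ("Delivery"), which matters because `sane_default` values are matched as strings by consumers. The object `description` ends without a period while the README entry added for the same text ends with one, so the two copies already differ.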
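Review bot: `"opposite": "hosted-by"` on the new `hosts` entry refers to a relationship that this commit does not define anywhere in relationships/definition.json, so tooling that resolves `opposite` to an entry will fail for it (the following commit in this series adds the missing entry). `consists` does not match the STIX 2.1 relationship type the description paraphrases, which is spelled `consists-of`; `"name": "consists-of"` keeps the name aligned with the format it is tagged with. `consists` and `delivers` also define no `opposite`, unlike the `used-by`/`uses` pair above them in the same hunk.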
From: Alexandre Dulaunoy Date: Mon, 14 Feb 2022 11:43:37 +0100 Subject: [PATCH 023/112] chg: [relationships] fix --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 2edca1a..101e862 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1317,4 +1317,4 @@ } ], "version": 30 -} +} \ No newline at end of file From ed01e38ec29d5bd9b449ba98c98edb6a4de348ce Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 14 Feb 2022 11:51:13 +0100 Subject: [PATCH 024/112] chg: [relationships] fixed `hosted-by` opposite --- relationships/definition.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 101e862..c6d0b2d 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -469,6 +469,14 @@ "name": "hosts", "opposite": "hosted-by" }, + { + "description": "This relatiobship describes an object hosted by another object.", + "format": [ + "stix-2.1" + ], + "name": "hosted-by", + "opposite": "hosts" + }, { "description": "This relationship describes an object which consists of one or more object(s).", "format": [ @@ -1316,5 +1324,5 @@ "name": "ambivalient-of" } ], - "version": 30 + "version": 31 } \ No newline at end of file From 363f90f789449c5248ed5cb79b035caec51e8b69 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 15 Feb 2022 07:21:58 +0100 Subject: [PATCH 025/112] new: [language-content] New object template language-content based on 7.1 (STIX 2.1) --- README.md | 1 + objects/language-content/definition.json | 258 +++++++++++++++++++++++ relationships/definition.json | 9 +- 3 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 objects/language-content/definition.json diff --git a/README.md b/README.md index a31ffbf..f14ff55 100644 --- a/README.md +++ b/README.md 
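Review bot: `"description": "This relatiobship describes an object hosted by another object."` contains a typo, "relatiobship", in a string MISP shows to analysts when they pick a relationship. It should read `This relationship describes an object hosted by another object.`, matching the wording of the `hosts` entry above it.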
@@ -252,6 +252,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ja3s](https://github.com/MISP/misp-objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSLExtensions. https://github.com/salesforce/ja3. - [objects/jarm](https://github.com/MISP/misp-objects/blob/main/objects/jarm/definition.json) - Jarm object to describe an TLS/SSL implementation used for malicious or legitimate use-case. - [objects/keybase-account](https://github.com/MISP/misp-objects/blob/main/objects/keybase-account/definition.json) - Information related to a keybase account, from API Users Object. +- [objects/language-content](https://github.com/MISP/misp-objects/blob/main/objects/language-content/definition.json) - The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1. - [objects/leaked-document](https://github.com/MISP/misp-objects/blob/main/objects/leaked-document/definition.json) - Object describing a leaked document. - [objects/legal-entity](https://github.com/MISP/misp-objects/blob/main/objects/legal-entity/definition.json) - An object to describe a legal entity. - [objects/lnk](https://github.com/MISP/misp-objects/blob/main/objects/lnk/definition.json) - LNK object describing a Windows LNK binary file (aka Windows shortcut). diff --git a/objects/language-content/definition.json b/objects/language-content/definition.json new file mode 100644 index 0000000..f3208de --- /dev/null +++ b/objects/language-content/definition.json 
@@ -0,0 +1,258 @@ +{ + "attributes": { + "content": { + "description": "The contents property contains the actual Language Content (translation).", + "misp-attribute": "text", + "ui-priority": 10 + }, + "language": { + "description": "RFC 5646 language codes for which language content is being provided.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "af", + "af-ZA", + "ar", + "ar-AE", + "ar-BH", + "ar-DZ", + "ar-EG", + "ar-IQ", + "ar-JO", + "ar-KW", + "ar-LB", + "ar-LY", + "ar-MA", + "ar-OM", + "ar-QA", + "ar-SA", + "ar-SY", + "ar-TN", + "ar-YE", + "az", + "az-AZ", + "az-Cyrl-AZ", + "be", + "be-BY", + "bg", + "bg-BG", + "bs-BA", + "ca", + "ca-ES", + "cs", + "cs-CZ", + "cy", + "cy-GB", + "da", + "da-DK", + "de", + "de-AT", + "de-CH", + "de-DE", + "de-LI", + "de-LU", + "dv", + "dv-MV", + "el", + "el-GR", + "en", + "en-AU", + "en-BZ", + "en-CA", + "en-CB", + "en-GB", + "en-IE", + "en-JM", + "en-NZ", + "en-PH", + "en-TT", + "en-US", + "en-ZA", + "en-ZW", + "eo", + "es", + "es-AR", + "es-BO", + "es-CL", + "es-CO", + "es-CR", + "es-DO", + "es-EC", + "es-ES", + "es-GT", + "es-HN", + "es-MX", + "es-NI", + "es-PA", + "es-PE", + "es-PR", + "es-PY", + "es-SV", + "es-UY", + "es-VE", + "et", + "et-EE", + "eu", + "eu-ES", + "fa", + "fa-IR", + "fi", + "fi-FI", + "fo", + "fo-FO", + "fr", + "fr-BE", + "fr-CA", + "fr-CH", + "fr-FR", + "fr-LU", + "fr-MC", + "gl", + "gl-ES", + "gu", + "gu-IN", + "he", + "he-IL", + "hi", + "hi-IN", + "hr", + "hr-BA", + "hr-HR", + "hu", + "hu-HU", + "hy", + "hy-AM", + "id", + "id-ID", + "is", + "is-IS", + "it", + "it-CH", + "it-IT", + "ja", + "ja-JP", + "ka", + "ka-GE", + "kk", + "kk-KZ", + "kn", + "kn-IN", + "ko", + "ko-KR", + "kok", + "kok-IN", + "ky", + "ky-KG", + "lt", + "lt-LT", + "lv", + "lv-LV", + "mi", + "mi-NZ", + "mk", + "mk-MK", + "mn", + "mn-MN", + "mr", + "mr-IN", + "ms", + "ms-BN", + "ms-MY", + "mt", + "mt-MT", + "nb", + "nb-NO", + "nl", + "nl-BE", + "nl-NL", + "nn-NO", + "ns", + "ns-ZA", + "pa", + 
"pa-IN", + "pl", + "pl-PL", + "ps", + "ps-AR", + "pt", + "pt-BR", + "pt-PT", + "qu", + "qu-BO", + "qu-EC", + "qu-PE", + "ro", + "ro-RO", + "ru", + "ru-RU", + "sa", + "sa-IN", + "se", + "se-FI", + "se-NO", + "se-SE", + "sk", + "sk-SK", + "sl", + "sl-SI", + "sq", + "sq-AL", + "sr-BA", + "sr-Cyrl-BA", + "sr-SP", + "sr-Cyrl-SP", + "sv", + "sv-FI", + "sv-SE", + "sw", + "sw-KE", + "syr", + "syr-SY", + "ta", + "ta-IN", + "te", + "te-IN", + "th", + "th-TH", + "tl", + "tl-PH", + "tn", + "tn-ZA", + "tr", + "tr-TR", + "tt", + "tt-RU", + "ts", + "uk", + "uk-UA", + "ur", + "ur-PK", + "uz", + "uz-UZ", + "uz-Cyrl-UZ", + "vi", + "vi-VN", + "xh", + "xh-ZA", + "zh", + "zh-CN", + "zh-HK", + "zh-MO", + "zh-SG", + "zh-TW", + "zu", + "zu-ZA" + ], + "ui-priority": 5 + } + }, + "description": "The Language Content object represents text content for objects represented in languages other than that of the original object. Language content may be a translation of the original object by a third-party, a first-source translation by the original publisher, or additional official language content provided at the time of creation. STIX 2.1 ref 7.1", + "meta-category": "misc", + "name": "language-content", + "required": [ + "content", + "language" + ], + "uuid": "dff53cb1-d98d-4898-b4d2-85bd8b44929c", + "version": 1 +} \ No newline at end of file diff --git a/relationships/definition.json b/relationships/definition.json index c6d0b2d..5863018 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1322,7 +1322,14 @@ "foaf" ], "name": "ambivalient-of" + }, + { + "description": "The referenced source object is a translation of the target object.", + "format": [ + "misp" + ], + "name": "is-a-translation-of" } ], - "version": 31 + "version": 32 } \ No newline at end of file From b741142e2ca4515060e08738df0fecab8f931cca Mon Sep 17 00:00:00 2001 
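Review bot: Several `sane_default` entries of the `language` attribute are not valid RFC 5646 tags even though the description promises RFC 5646: `en-CB`, `sr-SP` and `sr-Cyrl-SP` use region subtags that do not exist in ISO 3166-1 (Serbia is `RS`), and `ns`/`ns-ZA` is not an ISO 639 code (Northern Sotho is `nso`). The list looks like it was copied from a legacy Windows culture table rather than the IANA language-subtag registry; because these values are offered as defaults, analysts will store tags that STIX 2.1 consumers validating `lang` may reject. Separately, `content` holds free translation text with correlation left enabled, which is likely to correlate unrelated events on common phrases; `"disable_correlation": true`, as already set on `language`, would avoid that noise.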
From: Alexandre Dulaunoy
Date: Thu, 17 Feb 2022 07:38:35 +0100
Subject: [PATCH 026/112] chg: [ddos] Updated DDoS object template to include more details and clarification
- Clarify that the field of pps/bps are peak values;
- New fields for total number of packets or bytes;
- Type of DDoS added in the object;
- How the capture of the DDoS evidences were collected;
---
 objects/ddos/definition.json | 64 +++++++++++++++++++++++++++++---
 1 file changed, 60 insertions(+), 4 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index bbffc3d..1944d61 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -1,5 +1,17 @@
 {
 "attributes": {
+ "capture-origin": {
+ "description": "Origin of the (D)DoS evidences",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Direct network capture",
+ "Logs",
+ "Indirect network capture (e.g. backscatter)",
+ "Unknown"
+ ],
+ "ui-priority": 0
+ },
 "domain-dst": {
 "categories": [
 "Network activity",
@@ -52,6 +64,7 @@
 },
 "protocol": {
 "description": "Protocol used for the attack",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0,
 "values_list": [
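Review bot: The `capture-origin` description reads `"Origin of the (D)DoS evidences"`; "evidence" is uncountable, and the field is really about how the observations were collected, so `"description": "Origin of the (D)DoS evidence (how the observations were collected)",` tells the analyst what the value distinguishes. The `Logs` default does not say whose logs (victim host, upstream provider, sensor); a hint in the description would help a consumer judge how much to trust the rate figures reported elsewhere in the object.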
@@ -78,17 +91,60 @@
 "ui-priority": 0
 },
 "total-bps": {
- "description": "Bits per second",
+ "description": "Bits per second (maximum rate of bits per second measured)",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "total-bytes-sent": {
+ "description": "Total number of bytes sent by the sources mentioned",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "total-packets-sent": {
+ "description": "Total number of packets sent by the source mentioned",
+ "disable_correlation": true,
 "misp-attribute": "counter",
 "ui-priority": 0
 },
 "total-pps": {
- "description": "Packets per second",
+ "description": "Packets per second (maximum rate of packets per second measured)",
+ "disable_correlation": true,
 "misp-attribute": "counter",
 "ui-priority": 0
+ },
+ "type": {
+ "description": "Type(s) or Technique(s) of Denial of Service",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "amplification-attack",
+ "reflected-spoofed-attack",
+ "slow-read-attack",
+ "flooding-attack",
+ "post-attack",
+ "chargen-amplification",
+ "dns",
+ "dns-amplification",
+ "ip-fragmentation",
+ "ip-private",
+ "icmp",
+ "memcached-amplification",
+ "ms-sql-rs-amplification",
+ "ntp-amplification",
+ "snmp-amplification",
+ "ssdp-amplification",
+ "tcp-null",
+ "tcp-rst",
+ "tcp-syn",
+ "udp"
+ ],
+ "ui-priority": 0
 }
 },
- "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy",
+ "description": "DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.",
 "meta-category": "network",
 "name": "ddos",
 "requiredOneOf": [
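Review bot: The `type` `sane_default` list mixes attack techniques (`amplification-attack`, `slow-read-attack`) with bare protocol names (`dns`, `udp`, `icmp`, `tcp-syn`), so a consumer cannot tell whether `dns` means a DNS query flood or the separately listed `dns-amplification`, and `post-attack` is ambiguous between an HTTP POST flood and a post-incident phase. Naming the protocol entries by technique (`dns-flood`, `udp-flood`, `http-post-flood`) or stating in the description that a bare protocol name denotes a volumetric flood of that protocol would make the field usable for filtering and statistics. The descriptions of `total-bytes-sent` ("sources mentioned") and `total-packets-sent` ("source mentioned") should also use the same number, since both count traffic from the same set of sources.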
@@ -97,5 +153,5 @@
 "domain-dst"
 ],
 "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
- "version": 7
+ "version": 8
 }
\ No newline at end of file
From ae2814bb990515ffaa52caac54798b6a47c55786 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Feb 2022 16:47:08 +0100
Subject: [PATCH 027/112] new: [error-message] new template to create error-message from MISP processing scripts
---
 objects/error-message/definition.json | 29 +++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 objects/error-message/definition.json
diff --git a/objects/error-message/definition.json b/objects/error-message/definition.json
new file mode 100644
index 0000000..a6f2b0f
--- /dev/null
+++ b/objects/error-message/definition.json
@@ -0,0 +1,29 @@
+{
+ "attributes": {
+ "message": {
+ "description": "Content of the error message.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "source": {
+ "description": "Source of the error message.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "misp-stix",
+ "lief",
+ "other"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.",
+ "meta-category": "misc",
+ "name": "error-message",
+ "requiredOneOf": [
+ "source",
+ "message"
+ ],
+ "uuid": "40e81601-8205-41af-8e67-33795291a448",
+ "version": 1
+}
\ No newline at end of file
From e0d30596f65abf41f519f9f46702c9fcfeb6b2cf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 9 Mar 2022 10:48:47 +0100
Subject: [PATCH 028/112] chg: [ddos] The minimum amount of backscatter received in 5 minutes / day added in the object as backscatter-threshold.
---
 objects/ddos/definition.json | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 1944d61..ee007f7 100644
--- a/objects/ddos/definition.json
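Review bot: `requiredOneOf` allows an `error-message` object to be created with a `source` but no `message`, which leaves the object without the one value it exists to carry; `message` belongs under `"required"`, with `source` optional. `message` also leaves correlation enabled, so the same generic error string emitted by an import script in many events will correlate those unrelated events across the instance; `"disable_correlation": true`, as already set on `source`, avoids that. Since the text comes from processing scripts, the description could also warn that it may echo fragments of the processed input (file names, parser output), which matters when events are shared with other organisations.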
+++ b/objects/ddos/definition.json
@@ -1,5 +1,11 @@
 {
 "attributes": {
+ "backscatter-threshold": {
+ "description": "The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
 "capture-origin": {
 "description": "Origin of the (D)DoS evidences",
 "disable_correlation": true,
@@ -153,5 +159,5 @@
 "domain-dst"
 ],
 "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
- "version": 8
-}
\ No newline at end of file
+ "version": 9
+}
From 6405b3f114a9ccca4208f0fc87625c7b1a5bff6b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 9 Mar 2022 11:06:19 +0100
Subject: [PATCH 029/112] chg: [ddos] because newline
---
 objects/ddos/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index ee007f7..e43d181 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -160,4 +160,4 @@
 ],
 "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
 "version": 9
-}
+}
\ No newline at end of file
From d4cad4db4621cff7d7f0d5d77194860940eca130 Mon Sep 17 00:00:00 2001
From: mhpcchaves <56161402+mhpcchaves@users.noreply.github.com>
Date: Thu, 10 Mar 2022 09:34:52 -0300
Subject: [PATCH 030/112] Include protocol, AS, and country code
Include protocol, AS and country code to add more context to the tuple.
---
 objects/ip-port/definition.json | 36 +++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index 67c8ce7..7e5d2a1 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
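Review bot: The `backscatter-threshold` description leaves both the unit and the window ambiguous: "minimum amount of backscatter received in 5 minutes / day" does not say whether the counter holds packets, flows or bytes, nor whether a stored value refers to the 5-minute or the daily window, so two events carrying `100` cannot be compared. State both in the description, for example `"description": "Minimum number of backscatter packets observed per measurement window (specify whether 5 minutes or 1 day) before the activity is reported as a (D)DoS; only used when capture-origin is an indirect capture such as backscatter."`, or split the attribute per window if both are in use. The unit "packets" is a guess from the surrounding `total-packets-sent` field and should be confirmed by the author.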
@@ -79,10 +79,42 @@
 "External analysis"
 ],
 "description": "Source port",
+ "disable_correlation": true,
 "misp-attribute": "port",
 "multiple": true,
 "ui-priority": 0
 },
+ "protocol": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Protocol",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "AS": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Autonomous system",
+ "disable_correlation": true,
+ "misp-attribute": "AS",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "country-code": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Country Code",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "text": {
 "description": "Description of the tuple",
 "disable_correlation": true,
@@ -103,5 +135,5 @@
 "ip-dst"
 ],
 "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
- "version": 8
-}
\ No newline at end of file
+ "version": 9
+}
From a3bec8e748c652fa89ab8d43dd8ab1dc97b56ba9 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 11 Mar 2022 10:21:09 +0100
Subject: [PATCH 031/112] fix: [ip-port] jq all the things
---
 objects/ip-port/definition.json | 64 ++++++++++++++++----------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json
index 7e5d2a1..c200f0c 100644
--- a/objects/ip-port/definition.json
+++ b/objects/ip-port/definition.json
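Review bot: The new `AS` attribute key is upper-case while every other key of this object (`src-port`, `protocol`, `country-code`, `text`) is lower-case kebab; `misp-attribute` must stay `"AS"` because that is the MISP type name, but the key could be `"asn"` for consistency, and the jq sort in the next commit already shows the side effect by moving it ahead of `country-code`. `country-code` is described only as `"Country Code"` with no format, so `US`, `USA` and `United States` will all be stored; `"description": "Country code (ISO 3166-1 alpha-2)"` would match the explicit format used by the ss7-attack template later in this series. `protocol` is free text with neither `sane_default` nor `values_list`, so `TCP`, `tcp` and `6` will coexist; a `sane_default` of the common protocol names would keep values comparable across events.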
@@ -1,5 +1,26 @@ { "attributes": { + "AS": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Autonomous system", + "disable_correlation": true, + "misp-attribute": "AS", + "multiple": true, + "ui-priority": 0 + }, + "country-code": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Country Code", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "domain": { "categories": [ "Network activity", @@ -73,6 +94,16 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "protocol": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Protocol", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "src-port": { "categories": [ "Network activity", @@ -84,37 +115,6 @@ "multiple": true, "ui-priority": 0 }, - "protocol": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Protocol", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "AS": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Autonomous system", - "disable_correlation": true, - "misp-attribute": "AS", - "multiple": true, - "ui-priority": 0 - }, - "country-code": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Country Code", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, "text": { "description": "Description of the tuple", "disable_correlation": true, @@ -136,4 +136,4 @@ ], "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "version": 9 -} +} \ No newline at end of file From 5eea5eae1498fd948ae9261331b35bdc1e1ea97f Mon Sep 17 00:00:00 2001 
From: enes
Date: Mon, 14 Mar 2022 16:07:09 +0100
Subject: [PATCH 032/112] Add game-cheat Object
---
 objects/game-cheat/definition.json | 113 +++++++++++++++++++++++++++++
 1 file changed, 113 insertions(+)
 create mode 100644 objects/game-cheat/definition.json
diff --git a/objects/game-cheat/definition.json b/objects/game-cheat/definition.json
new file mode 100644
index 0000000..391fe87
--- /dev/null
+++ b/objects/game-cheat/definition.json
@@ -0,0 +1,113 @@ +{ + "attributes": { + "affected-game": { + "description": "Name of the game that is targeted by the cheatware.", + "misp-attribute": "text", + "ui-priority": 7 + }, + "cheat-name": { + "description": "Known name of the game cheat, if given.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 12 + }, + "cheat-screenshot": { + "description": "Screenshot of the cheat at work.", + "misp-attribute": "attachment", + "ui-priority": 9 + }, + "cheat-type": { + "description": "Select the type of cheat.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 11, + "values_list": [ + "Aim bot", + "Auto farmer", + "Boosting", + "DDoS", + "Disconnecting", + "Exploit", + "Fly", + "Force field", + "Ghosting", + "God mode", + "Invicibility", + "Macros", + "RapidFire", + "Scripting", + "Wallhack", + "Win trading", + "Others" + ] + }, + "cheat-version": { + "description": "Any information about the cheatware version.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 8 + }, + "compilation-date": { + "description": "Compilation date of the game cheat, if known.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 5 + }, + "creator": { + "description": "Individual and/or Group and/or Organization that created the cheat.", + "misp-attribute": "threat-actor", + "ui-priority": 1 + }, + "ig-cheat-behaviour": { + "description": "Describe the in-game behaviour of the cheat (e.g. You selected 'Aim Bot', here you can add details like 'Activate by pressing F7, Deactivate by pressing F8. 
Not detected be Easy Anti-Cheat.'", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 10 + }, + "implementation": { + "description": "How cheatware is implemented", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 4, + "values_list": [ + "Game code modification", + "In-memory data manipulation", + "System software modification", + "Packet interception and manipulation" + ] + }, + "implementation-details": { + "description": "Additionnal informations about the implementation of the cheatware. (e.g. Requires to swap a dll file.)", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 3 + }, + "operating-system": { + "description": "Operating system required and its version.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "pricing": { + "description": "Cheatware price, 0 if free.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 6 + }, + "webpage": { + "description": "Place where the cheat is promoted. Website, Forum, Download page, ...", + "misp-attribute": "url", + "ui-priority": 0 + } + }, + "description": "Describes a game cheat or a cheatware.", + "meta-category": "misc", + "name": "game-cheat", + "required": [ + "affected-game", + "cheat-type" + ], + "uuid": "ab31f87b-f8ac-4dfc-b610-359302b4e86b", + "version": 7 +} \ No newline at end of file From 3c7ee6214e1ad29fbeb24f9418e23f28d65f3cc5 Mon Sep 17 00:00:00 2001 From: enes-usta Date: Tue, 15 Mar 2022 03:37:26 +0100 Subject: [PATCH 033/112] added cheat types and minor changes --- objects/game-cheat/definition.json | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/objects/game-cheat/definition.json b/objects/game-cheat/definition.json index 391fe87..bc7dd77 100644 --- a/objects/game-cheat/definition.json +++ b/objects/game-cheat/definition.json 
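Review bot: `Invicibility` in the `cheat-type` `values_list` is misspelled (`Invincibility`); `values_list` entries are the strings actually stored as attribute values, so correcting it after release leaves older events with the wrong value, and the follow-up hunk in commit 033 still carries the typo. The `implementation-details` description has `Additionnal informations` (`Additional information`) and `ig-cheat-behaviour` has `Not detected be` (`Not detected by`). A brand-new template also starts at `"version": 7` whereas the other new templates in this series (`language-content`, `error-message`) start at 1, which looks like a leftover from local iterations.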
@@ -17,27 +17,30 @@
 "ui-priority": 9
 },
 "cheat-type": {
- "description": "Select the type of cheat.",
+ "description": "Select a type of cheat.",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 11,
 "values_list": [
- "Aim bot",
+ "Aimbot",
+ "Artificial lag",
 "Auto farmer",
- "Boosting",
 "DDoS",
 "Disconnecting",
 "Exploit",
 "Fly",
 "Force field",
+ "Full brightness",
 "Ghosting",
 "God mode",
 "Invicibility",
 "Macros",
+ "No clip",
+ "No fog",
 "RapidFire",
 "Scripting",
+ "Show Hitboxes",
 "Wallhack",
- "Win trading",
 "Others"
 ]
 },
@@ -59,9 +62,9 @@
 "ui-priority": 1
 },
 "ig-cheat-behaviour": {
- "description": "Describe the in-game behaviour of the cheat (e.g. You selected 'Aim Bot', here you can add details like 'Activate by pressing F7, Deactivate by pressing F8. Not detected be Easy Anti-Cheat.'",
+ "description": "Describe the in-game behaviour of the cheat (e.g. You selected 'Aim Bot', here you can add details like 'Activate by pressing F7, Deactivate by pressing F8. Not detected be Easy Anti-Cheat.')",
 "disable_correlation": true,
- "misp-attribute": "text",
+ "misp-attribute": "comment",
 "ui-priority": 10
 },
 "implementation": {
@@ -93,6 +96,7 @@
 "description": "Cheatware price, 0 if free.",
 "disable_correlation": true,
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 6
 },
 "webpage": {
@@ -109,5 +113,5 @@
 "cheat-type"
 ],
 "uuid": "ab31f87b-f8ac-4dfc-b610-359302b4e86b",
- "version": 7
+ "version": 9
 }
\ No newline at end of file
From 9515ae332e45d9ac306eaaaa802b605c1090cf5c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Mar 2022 09:14:39 +0100
Subject: [PATCH 034/112] chg: [instant-message] Jabber and Twitter added + updated required fields
---
 objects/instant-message/definition.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
index 97ab449..0c54e8f 100644
--- a/objects/instant-message/definition.json
+++ b/objects/instant-message/definition.json
@@ -20,7 +20,9 @@
 "Wire",
 "Threema",
 "Discord",
- "Mumble"
+ "Mumble",
+ "Jabber",
+ "Twitter"
 ],
 "ui-priority": 1
 },
@@ -110,7 +112,9 @@
 "name": "instant-message",
 "requiredOneOf": [
 "body",
- "from-user"
+ "from-user",
+ "from-number",
+ "from-name"
 ],
 "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
 "version": 3
From cc2587d73387529538166a485be375592657c205 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Mar 2022 15:14:32 +0100
Subject: [PATCH 035/112] chg: [person] handle added as requested by @gallypette
---
 objects/person/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 8217f29..0141548 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -70,6 +70,12 @@
 "Unknown"
 ]
 },
+ "handle": {
+ "description": "Handle used by the user in application.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 11
+ },
 "identity-card-number": {
 "description": "The identity card number of a natural person.",
 "misp-attribute": "identity-card-number",
@@ -237,8 +243,9 @@
 "first-name",
 "last-name",
 "full-name",
- "alias"
+ "alias",
+ "handle"
 ],
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
- "version": 16
+ "version": 17
 }
\ No newline at end of file
From 5bfe1f2d6600acbf2b57b48343490c7cc310042c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 17 Mar 2022 15:56:16 +0100
Subject: [PATCH 036/112] chg: [person] add new potential direct message chat application
---
 objects/person/definition.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index 0141548..59acb70 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -102,7 +102,9 @@
 "Wire",
 "Threema",
 "Discord",
- "Mumble"
+ "Mumble",
+ "Jabber",
+ "Twitter"
 ],
 "ui-priority": 10
 },
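Review bot: The instant-message template changes its content (two new list values and `from-number`/`from-name` added to `requiredOneOf`) but `"version": 3` is left as context in the second hunk; MISP decides whether to refresh an installed object template by comparing versions, so instances already carrying version 3 will keep the old required-field logic and reject or accept objects differently from a fresh install. Bump to `"version": 4` in the same commit, as the person template edits in commits 035 and 036 do.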
@@ -247,5 +249,5 @@
 "handle"
 ],
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
- "version": 17
+ "version": 18
 }
\ No newline at end of file
From da1d90ab8a0c4bf25346868bb19889ce0bd76d72 Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 18 Mar 2022 12:08:13 +0100
Subject: [PATCH 037/112] Add fields related to GT
---
 objects/ss7-attack/definition.json | 44 +++++++++++++++++++++++++++++-
 1 file changed, 43 insertions(+), 1 deletion(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index f4d2045..4c0c7b3 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -278,6 +278,26 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "SccpCdGT-Country": {
+ "description": "Country in which SCCP CDGT is registered.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SccpCdGT-CountryISO2": {
+ "description": "Code ISO 3166-1 alpha-2 from which the SCCP CDGT is allocated.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SccpCdGT-OperatorName": {
+ "description": "Operator Name under which the SCCP CDGT is registered.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SccpCdGT-TADIG": {
+ "description": "TADIG under which the SCCP CDGT is registered.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "SccpCdPC": {
 "description": "Signaling Connection Control Part (SCCP) CdPC - Phone number.",
 "misp-attribute": "text",
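Review bot: Four attributes are added here and four more in the next hunk, yet `"version": 4` stays untouched in the commit's last hunk and through commits 038–040, so installed ss7-attack templates will never be refreshed with the new `SccpCdGT-*`/`SccpCgGT-*` fields; the version needs to be bumped in the same change. The two ISO-code descriptions are also phrased differently (`Code ISO 3166-1 alpha-2 from which the SCCP CDGT is allocated.` here versus `Allocated Code ISO 3166-1 alpha-2 for the SCCP CGGT.` in the next hunk); one wording such as `"description": "ISO 3166-1 alpha-2 code of the country to which the SCCP CdGT is allocated."` for both keeps the pair parallel and greppable. The enclosing `attributes` object starts and ends outside this hunk.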
@@ -295,6 +315,28 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "SccpCgGT-Country": {
+ "description": "Country in which SCCP CGGT is registered.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "SccpCgGT-CountryISO2": {
+ "description": "Allocated Code ISO 3166-1 alpha-2 for the SCCP CGGT.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SccpCgGT-OperatorName": {
+ "description": "Operator Name under which the SCCP CGGT is registered.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "SccpCgGT-TADIG": {
+ "description": "TADIG under which the SCCP CGGT is registered.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "SccpCgPC": {
 "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.",
 "misp-attribute": "text",
@@ -329,4 +371,4 @@
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
 "version": 4
-}
\ No newline at end of file
+}
From df2b900c75bc9e0f53d8a98b818e6c4aaab8848f Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 18 Mar 2022 12:12:04 +0100
Subject: [PATCH 038/112] Run the ./jq_all_the_things.sh
---
 objects/ss7-attack/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index 4c0c7b3..de71cb9 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -371,4 +371,4 @@
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
 "version": 4
-}
+}
\ No newline at end of file
From e2da981c9451333b44ee388c22c91be3aa1a853d Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 18 Mar 2022 12:15:58 +0100
Subject: [PATCH 039/112] Update definition.json
---
 objects/ss7-attack/definition.json | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index de71cb9..efbf4a8 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -276,6 +276,7 @@
 "SccpCdGT": {
 "description": "Signaling Connection Control Part (SCCP) CdGT - Phone number.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 0
 },
 "SccpCdGT-Country": {
@@ -318,7 +319,6 @@
 "SccpCgGT-Country": {
 "description": "Country in which SCCP CGGT is registered.",
 "misp-attribute": "text",
- "multiple": true,
 "ui-priority": 0
 },
 "SccpCgGT-CountryISO2": {
@@ -334,7 +334,6 @@
 "SccpCgGT-TADIG": {
 "description": "TADIG under which the SCCP CGGT is registered.",
 "misp-attribute": "text",
- "multiple": true,
 "ui-priority": 0
 },
 "SccpCgPC": {
@@ -371,4 +370,4 @@
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
 "version": 4
-}
\ No newline at end of file
+}
From e54cfa0e4c066555da8e18637273a80d901b258f Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Fri, 18 Mar 2022 12:17:41 +0100
Subject: [PATCH 040/112] modified by ./jq_all_the_things.sh
---
 objects/ss7-attack/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index efbf4a8..a01fadf 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -370,4 +370,4 @@
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
 "version": 4
-}
+}
\ No newline at end of file
From b6c6de5632bb412b559532205db3e78ff8cc9977 Mon Sep 17 00:00:00 2001
From: 0wlyW00d
Date: Sat, 19 Mar 2022 11:56:48 +0100
Subject: [PATCH 041/112] Add tattoo object definition
---
 objects/tattoo/definition.json | 108 +++++++++++++++++++++++++++++
 1 file changed, 108 insertions(+)
 create mode 100644 objects/tattoo/definition.json
diff --git a/objects/tattoo/definition.json b/objects/tattoo/definition.json
new file mode 100644
index 0000000..2cc41df
--- /dev/null
+++ b/objects/tattoo/definition.json
@@ -0,0 +1,108 @@ +{ + "attributes": { + "tattoo-body-part": { + "description": "Describe the body part where the tattoo is located.", + "misp-attribute": "text", + "ui-priority": 4, + "values_list": [ + "head", + "forehead", + "face", + "ear", + "eye", + "mouth/lips", + "neck", + "shoulder", + "chest", + "elbow", + "arm", + "forearm", + "hand", + "finger", + "thigh", + "knee", + "calf", + "heel", + "foot", + "toe" + ] + }, + "tattoo-description": { + "description": "Description of the tattoo, what's its composition ?", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "tattoo-style": { + "description": "Select the style of the tattoo", + "multiple": true, + "misp-attribute": "text", + "ui-priority": 1, + "values_list": [ + "traditional", + "realism", + "watercolor", + "tribal", + "new school", + "japanese", + "blackwork", + "lettering", + "dotwork", + "abstract", + "celtic", + "geometric", + "mandala", + "minimalist", + "neo-traditional", + "portrait", + "sketch" + ] + }, + "tattoo-color": { + "description": "Select the colors of the tattoo", + "multiple": true, + "misp-attribute": "text", + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "tattoo-picture": { + "description": "Picture of the tattoo", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "tattoo-size": { + "description": "Size of the tattoo", + "misp-attribute": "text", + "multiple": false, + "ui-priority": 0, + "values_list": [ + "tiny", + "small", + "medium", + "large" + ] + } + }, + "description": "Describes a tattoo on the body of a natural person", + "meta-category": "misc", + "name": "tattoo", + "required": [ + "tattoo-body-part" + ], + "uuid": "344111fb-79a3-421d-8d59-cc2b054b0478", + "version": 1 + } \ No newline at end of file From d82287d35f361df2d54167d33afb21f1a7239492 Mon Sep 17 00:00:00 2001 
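Review bot: `tattoo-body-part` is the only required attribute yet it uses a closed `values_list` that omits common locations (back, abdomen, wrist, ankle, hip, buttocks), so an analyst documenting such a tattoo cannot create the object at all; a `sane_default` (suggestions plus free text) or a wider list would avoid that dead end. `"multiple": false` on `tattoo-size` appears to be the default and can be dropped, and the closing `}` seems indented relative to the opening `{`, which the repository's `jq_all_the_things.sh` pass will rewrite anyway. The tattoo-description field is free text with `disable_correlation` set, which is the right choice for narrative content; the picture attribute is left correlatable, which is fine for attachment hashes.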
From: 0wlyW00d Date: Sun, 20 Mar 2022 17:13:31 +0100 Subject: [PATCH 042/112] Add news objects to MISP Creation of new objects to better describe a natural person Add Cloth Object Add Tattoo object Add Personification Object --- objects/cloth/definition.json | 104 +++++++++++ objects/personification/definition.json | 235 ++++++++++++++++++++++++ objects/tattoo/definition.json | 8 +- 3 files changed, 343 insertions(+), 4 deletions(-) create mode 100644 objects/cloth/definition.json create mode 100644 objects/personification/definition.json diff --git a/objects/cloth/definition.json b/objects/cloth/definition.json new file mode 100644 index 0000000..1d81192 --- /dev/null +++ b/objects/cloth/definition.json
@@ -0,0 +1,104 @@ +{ + "attributes": { + "description": { + "description": "Cloth's Description of a natural person", + "misp-attribute": "text", + "ui-priority": 50 + }, + "head-accessories": { + "description": "Cloth and accessories on the head", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "hat", + "cap", + "bonnet", + "glasses", + "bandeau" + ] + }, + "top-accessories": { + "description": "Cloth and accessories on the top part of the body", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "jacket", + "coat", + "dress", + "shirt", + "top", + "pullover", + "sweatshirt", + "suit", + "tie", + "bow tie", + "lady's suit", + "waistcoat", + "cardigan", + "undershirt", + "t-shirt", + "bra", + "scarf", + "glove" + ] + }, + "bottom-accessories": { + "description": "Cloth and accessories on the bottom part of the body", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "trousers", + "skirt", + "underpants / panties", + "shorts", + "boxer shorts", + "body stocking", + "sock", + "shoe", + "boot", + "sandal", + "slipper", + "sneaker", + "hiking boot", + "high tops" + ] + }, + "cloth-color": { + "description": "Cloth's colors", + "multiple": true, + "misp-attribute": "text", + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "cloth-picture": { + "description": "Cloth's pictures", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + } + }, + "description": "Describes clothes a natural person wears", + "meta-category": "misc", + "name": "cloth", + "required": [ + "description" + ], + "uuid": "d0f6c949-a47f-4be5-bc39-45033268bd89", + "version": 1 +} \ No newline at end of file 
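Review bot: The attribute named `description` reuses the name of the object-level `description` key, which is valid JSON but reads confusingly in the template and in exports where the object's description and the attribute both appear; `cloth-description` would match the `cloth-color`/`cloth-picture` naming already used here. All three accessory lists are closed `values_list`s that omit items an analyst is likely to need (mask, helmet, belt, watch, hoodie), so as with the tattoo template a `sane_default` would be more usable than a hard restriction. `underpants / panties` with internal spaces and a slash is awkward as a stored value; one term per entry keeps values easy to match.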
diff --git a/objects/personification/definition.json b/objects/personification/definition.json
new file mode 100644
index 0000000..0f50c0e
--- /dev/null
+++ b/objects/personification/definition.json
@@ -0,0 +1,235 @@ +{ + "attributes": { + "portrait": { + "description": "Portrait of the person.", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 10 + }, + "age-range": { + "description": "Age range that the person appears to be", + "misp-attribute": "int", + "ui-priority": 0 + }, + "weight": { + "description": "Weight of a person in Kg.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + }, + "height": { + "description": "Height of a person in cm.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + }, + "body-type": { + "description": "Body type of a person.", + "disable_correlation": true, + "misp-attribute": "body-type", + "ui-priority": 0, + "values_list": [ + "Slim", + "Tone", + "Muscular", + "Stocky", + "Large", + "Unknown" + ] + }, + "shoe-size": { + "description": "Shoe size of a person.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "US", + "UK", + "EU", + "Asia", + "CM", + "Inches" + ] + }, + "color-of-eyes": { + "description": "Description of a person’s colour of eyes.", + "misp-attribute": "color", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Amber", + "Blue", + "Brown", + "Gray", + "Green", + "Hazel", + "Red", + "Unknown" + ] + }, + "shape-of-eyes": { + "description": "Description of a person’s eye shape.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Monolids", + "Hooded", + "Upturned", + "Downturned", + "Round", + "Almond", + "Unknown" + ] + }, + "skin-complexion": { + "description": "Skin tone and complexion of a person. Type I: Extremely fair skin, always burns, never tans. Type II: Fair skin, always burns, sometimes tans.Dry: Medium skin, sometimes burns, always tans.Type IV: Olive skin, rarely burns, always tans. Type V: Moderately pigmented brown skin, never burns, always tans. Type VI: Markedly pigmented black skin, never burns, always tans. 
", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Type I", + "Type II", + "Type III", + "Type IV", + "Type V", + "Type VI", + "Unknown" + ] + }, + "skin-charateristics": { + "description": "Traits or features of a person's skin", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Normal", + "Irritated", + "Dry", + "Oily", + "Scaly", + "Red spots", + "Skin moles" + ] + }, + "other-facial-features": { + "description": "Description of other facial features such as nose, cheeks, lips etc...", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "hair-color": { + "description": "Description of a person’s colour of hair.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Black", + "Brown", + "Auburn", + "Red", + "Blond", + "Gray", + "White", + "Blue", + "Pink", + "Green", + "Violet", + "Unknown" + ] + }, + "hair-characteristics": { + "description": "Description of the characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Straight", + "Wavy", + "Curly", + "Coily", + "Unknown" + ] + }, + "haircut": { + "description": "Description of the characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Crew Cut", + "Shaved", + "Bald", + "Long", + "Spiky", + "Dreadlocks", + "Cornrow", + "Bob", + "Layered", + "Flat-top", + "Chignon", + "Bun", + "French Twist", + "Medium", + "Braid", + "Pigtails", + "Ponytail", + "Unknown" + ] + }, + "beard": { + "description": "Description of the characteristics of someones beard.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Beardless", + "Stubble Short", + "Stuble Medium", + "Stuble Long", + "Full Beard", + "French Fork", + "Ducktail", + "Goatee", + "Imperial", + "Van Dyke", + "Anchor", + "Balbo", + "Mutton Chops", 
+ "Verdi",
+ "Garibaldi",
+ "Dutch",
+ "Winter Beard",
+ "Mustache",
+ "Unknown"
+ ]
+ },
+ "birthmark": {
+ "description": "Position(s) of birthmarks.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10,
+ "values_list": [
+ "Head",
+ "Arms",
+ "Back",
+ "Torso",
+ "Legs",
+ "Foot",
+ "Backside",
+ "Unknown"
+ ]
+ }
+ },
+ "description": "An object which describes a person or an identity",
+ "meta-category": "misc",
+ "name": "personification",
+ "requiredOneOf": [
+ "first-name",
+ "last-name",
+ "full-name",
+ "alias"
+ ],
+ "uuid": "4a2bdac3-e7bb-4a47-ba5f-35df63216885",
+ "version": 2
+}
\ No newline at end of file
diff --git a/objects/tattoo/definition.json b/objects/tattoo/definition.json
index 2cc41df..9db3bbb 100644
--- a/objects/tattoo/definition.json
+++ b/objects/tattoo/definition.json
@@ -28,13 +28,13 @@
 ]
 },
 "tattoo-description": {
- "description": "Description of the tattoo, what's its composition ?",
+ "description": "Description of the tattoo,its composition.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
 "tattoo-style": {
- "description": "Select the style of the tattoo",
+ "description": "Style of the tattoo",
 "multiple": true,
 "misp-attribute": "text",
 "ui-priority": 1,
@@ -59,7 +59,7 @@
 ]
 },
 "tattoo-color": {
- "description": "Select the colors of the tattoo",
+ "description": "Colors of the tattoo",
 "multiple": true,
 "misp-attribute": "text",
 "ui-priority": 1,
@@ -97,7 +97,7 @@
 ]
 }
 },
- "description": "Describes a tattoo on the body of a natural person",
+ "description": "Describes tattoos on a natural person's body",
 "meta-category": "misc",
 "name": "tattoo",
 "required": [
From 3dd5c938fe400c5ad5b6d46b67db11ce3f9db648 Mon Sep 17 00:00:00 2001
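Review bot: `shoe-size` declares `"misp-attribute": "float"` but its `values_list` offers unit names (`"US"`, `"UK"`, `"EU"`, …), so a user picking from the list submits a non-numeric value into a float attribute; either drop the list and state the expected unit in the description, or make the attribute `text` and carry the unit separately. The object_relation `skin-charateristics` is misspelled, and since object_relation names are part of the template contract it is cheapest to fix before this template is published. In `skin-complexion` the description reads `Dry:` where the sequence Type I, Type II, … calls for `Type III:`, and the string ends with a trailing space followed by what appears to be a non-printing line-separator character before the closing quote (the line visibly breaks there) — both should go. `haircut` reuses the `hair-characteristics` description verbatim, and `Stuble` in the `beard` list should be `Stubble`.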
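Review bot: The new `tattoo-description` text `"Description of the tattoo,its composition."` lost the space after the comma; `"Description of the tattoo, its composition."` reads correctly. The other wording changes in this file are fine as they stand.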
From: 0wlyW00d
Date: Mon, 21 Mar 2022 10:01:37 +0000
Subject: [PATCH 043/112] Objects add
---
 objects/cloth/definition.json | 2 +-
 objects/personification/definition.json | 8 ++++----
 objects/tattoo/definition.json | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/objects/cloth/definition.json b/objects/cloth/definition.json
index 1d81192..7d64002 100644
--- a/objects/cloth/definition.json
+++ b/objects/cloth/definition.json
@@ -99,6 +99,6 @@
 "required": [
 "description"
 ],
- "uuid": "d0f6c949-a47f-4be5-bc39-45033268bd89",
+ "uuid": "31a49e4f-49bc-4bae-a9c7-c6058180ba6f",
 "version": 1
 }
\ No newline at end of file
diff --git a/objects/personification/definition.json b/objects/personification/definition.json
index 0f50c0e..411c631 100644
--- a/objects/personification/definition.json
+++ b/objects/personification/definition.json
@@ -8,7 +8,7 @@
 },
 "age-range": {
 "description": "Age range that the person appears to be",
- "misp-attribute": "int",
+ "misp-attribute": "float",
 "ui-priority": 0
 },
 "weight": {
@@ -26,7 +26,7 @@
 "body-type": {
 "description": "Body type of a person.",
 "disable_correlation": true,
- "misp-attribute": "body-type",
+ "misp-attribute": "text",
 "ui-priority": 0,
 "values_list": [
 "Slim",
@@ -53,7 +53,7 @@
 },
 "color-of-eyes": {
 "description": "Description of a person’s colour of eyes.",
- "misp-attribute": "color",
+ "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 10,
 "values_list": [
@@ -230,6 +230,6 @@
 "full-name",
 "alias"
 ],
- "uuid": "4a2bdac3-e7bb-4a47-ba5f-35df63216885",
+ "uuid": "102a8696-420b-486d-806d-70a34d2f4e54",
 "version": 2
 }
\ No newline at end of file
diff --git a/objects/tattoo/definition.json b/objects/tattoo/definition.json
index 9db3bbb..69dc09e 100644
--- a/objects/tattoo/definition.json
+++ b/objects/tattoo/definition.json
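Review bot: The template `uuid` is replaced while `version` stays at 1; the personification hunk in this commit and the tattoo hunk that follows do the same at their `uuid` lines. A MISP object template is identified by its uuid, so an instance that already loaded the previous uuid would presumably treat this as a new, unrelated template rather than an update, and objects created against the old uuid would stay attached to it. If the earlier uuids were never published this is harmless; otherwise bump `version` and record the identifier change in the commit message so downstream users can reconcile.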
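Review bot: `age-range` moves from `int` to `float`, but a single number still cannot express a range, and a fractional age is not what the object_relation name promises. If the intent is a bracket such as `20-30`, `"misp-attribute": "text"` with the expected format spelled out in the description fits better; if it is an estimated single age, rename the relation or document in the description that it holds one value.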
@@ -103,6 +103,6 @@
 "required": [
 "tattoo-body-part"
 ],
- "uuid": "344111fb-79a3-421d-8d59-cc2b054b0478",
+ "uuid": "747976fc-d637-4730-8b64-93f7f2814506",
 "version": 1
 }
\ No newline at end of file
From c44272a0696f95d56e26d45c2de373d1a7d85a50 Mon Sep 17 00:00:00 2001
From: 0wlyW00d
Date: Mon, 21 Mar 2022 10:08:36 +0000
Subject: [PATCH 044/112] test
---
 objects/cloth/definition.json | 206 +++++------
 objects/personification/definition.json | 468 ++++++++++++------------
 objects/tattoo/definition.json | 216 +++++------
 3 files changed, 445 insertions(+), 445 deletions(-)
diff --git a/objects/cloth/definition.json b/objects/cloth/definition.json
index 7d64002..7920091 100644
--- a/objects/cloth/definition.json
+++ b/objects/cloth/definition.json
@@ -1,104 +1,104 @@ -{ - "attributes": { - "description": { - "description": "Cloth's Description of a natural person", - "misp-attribute": "text", - "ui-priority": 50 - }, - "head-accessories": { - "description": "Cloth and accessories on the head", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "hat", - "cap", - "bonnet", - "glasses", - "bandeau" - ] - }, - "top-accessories": { - "description": "Cloth and accessories on the top part of the body", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "jacket", - "coat", - "dress", - "shirt", - "top", - "pullover", - "sweatshirt", - "suit", - "tie", - "bow tie", - "lady's suit", - "waistcoat", - "cardigan", - "undershirt", - "t-shirt", - "bra", - "scarf", - "glove" - ] - }, - "bottom-accessories": { - "description": "Cloth and accessories on the bottom part of the body", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "trousers", - "skirt", - "underpants / panties", - "shorts", - "boxer shorts", - "body stocking", - "sock", - "shoe", - "boot", - "sandal", - "slipper", - "sneaker", - "hiking boot", - "high tops" - ] - }, - "cloth-color": { - "description": "Cloth's colors", - "multiple": true, - "misp-attribute": "text", - "ui-priority": 1, - "values_list": [ - "black", - "white", - "red", - "green", - "blue", - "cyan", - "orange", - "violet", - "pink", - "yellow", - "brown", - "grey" - ] - }, - "cloth-picture": { - "description": "Cloth's pictures", - "misp-attribute": "attachment", - "multiple": true, - "ui-priority": 0 - } - }, - "description": "Describes clothes a natural person wears", - "meta-category": "misc", - "name": "cloth", - "required": [ - "description" - ], - "uuid": "31a49e4f-49bc-4bae-a9c7-c6058180ba6f", - "version": 1 +{ + "attributes": { + "bottom-accessories": { + "description": "Cloth and accessories on the bottom part of the body", + "misp-attribute": "text", + "multiple": 
true, + "ui-priority": 10, + "values_list": [ + "trousers", + "skirt", + "underpants / panties", + "shorts", + "boxer shorts", + "body stocking", + "sock", + "shoe", + "boot", + "sandal", + "slipper", + "sneaker", + "hiking boot", + "high tops" + ] + }, + "cloth-color": { + "description": "Cloth's colors", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "cloth-picture": { + "description": "Cloth's pictures", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "description": { + "description": "Cloth's Description of a natural person", + "misp-attribute": "text", + "ui-priority": 50 + }, + "head-accessories": { + "description": "Cloth and accessories on the head", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "hat", + "cap", + "bonnet", + "glasses", + "bandeau" + ] + }, + "top-accessories": { + "description": "Cloth and accessories on the top part of the body", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "jacket", + "coat", + "dress", + "shirt", + "top", + "pullover", + "sweatshirt", + "suit", + "tie", + "bow tie", + "lady's suit", + "waistcoat", + "cardigan", + "undershirt", + "t-shirt", + "bra", + "scarf", + "glove" + ] + } + }, + "description": "Describes clothes a natural person wears", + "meta-category": "misc", + "name": "cloth", + "required": [ + "description" + ], + "uuid": "31a49e4f-49bc-4bae-a9c7-c6058180ba6f", + "version": 1 } \ No newline at end of file diff --git a/objects/personification/definition.json b/objects/personification/definition.json index 411c631..70a269c 100644 --- a/objects/personification/definition.json +++ b/objects/personification/definition.json 
@@ -1,235 +1,235 @@ -{ - "attributes": { - "portrait": { - "description": "Portrait of the person.", - "misp-attribute": "attachment", - "multiple": true, - "ui-priority": 10 - }, - "age-range": { - "description": "Age range that the person appears to be", - "misp-attribute": "float", - "ui-priority": 0 - }, - "weight": { - "description": "Weight of a person in Kg.", - "misp-attribute": "float", - "multiple": true, - "ui-priority": 10 - }, - "height": { - "description": "Height of a person in cm.", - "misp-attribute": "float", - "multiple": true, - "ui-priority": 10 - }, - "body-type": { - "description": "Body type of a person.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0, - "values_list": [ - "Slim", - "Tone", - "Muscular", - "Stocky", - "Large", - "Unknown" - ] - }, - "shoe-size": { - "description": "Shoe size of a person.", - "misp-attribute": "float", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "US", - "UK", - "EU", - "Asia", - "CM", - "Inches" - ] - }, - "color-of-eyes": { - "description": "Description of a person’s colour of eyes.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Amber", - "Blue", - "Brown", - "Gray", - "Green", - "Hazel", - "Red", - "Unknown" - ] - }, - "shape-of-eyes": { - "description": "Description of a person’s eye shape.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Monolids", - "Hooded", - "Upturned", - "Downturned", - "Round", - "Almond", - "Unknown" - ] - }, - "skin-complexion": { - "description": "Skin tone and complexion of a person. Type I: Extremely fair skin, always burns, never tans. Type II: Fair skin, always burns, sometimes tans.Dry: Medium skin, sometimes burns, always tans.Type IV: Olive skin, rarely burns, always tans. Type V: Moderately pigmented brown skin, never burns, always tans. Type VI: Markedly pigmented black skin, never burns, always tans. 
", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Type I", - "Type II", - "Type III", - "Type IV", - "Type V", - "Type VI", - "Unknown" - ] - }, - "skin-charateristics": { - "description": "Traits or features of a person's skin", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Normal", - "Irritated", - "Dry", - "Oily", - "Scaly", - "Red spots", - "Skin moles" - ] - }, - "other-facial-features": { - "description": "Description of other facial features such as nose, cheeks, lips etc...", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10 - }, - "hair-color": { - "description": "Description of a person’s colour of hair.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Black", - "Brown", - "Auburn", - "Red", - "Blond", - "Gray", - "White", - "Blue", - "Pink", - "Green", - "Violet", - "Unknown" - ] - }, - "hair-characteristics": { - "description": "Description of the characteristics of someones hairs.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Straight", - "Wavy", - "Curly", - "Coily", - "Unknown" - ] - }, - "haircut": { - "description": "Description of the characteristics of someones hairs.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Crew Cut", - "Shaved", - "Bald", - "Long", - "Spiky", - "Dreadlocks", - "Cornrow", - "Bob", - "Layered", - "Flat-top", - "Chignon", - "Bun", - "French Twist", - "Medium", - "Braid", - "Pigtails", - "Ponytail", - "Unknown" - ] - }, - "beard": { - "description": "Description of the characteristics of someones beard.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Beardless", - "Stubble Short", - "Stuble Medium", - "Stuble Long", - "Full Beard", - "French Fork", - "Ducktail", - "Goatee", - "Imperial", - "Van Dyke", - "Anchor", - "Balbo", - "Mutton Chops", 
- "Verdi", - "Garibaldi", - "Dutch", - "Winter Beard", - "Mustache", - "Unknown" - ] - }, - "birthmark": { - "description": "Position(s) of birthmarks.", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10, - "values_list": [ - "Head", - "Arms", - "Back", - "Torso", - "Legs", - "Foot", - "Backside", - "Unknown" - ] - } - }, - "description": "An object which describes a person or an identity", - "meta-category": "misc", - "name": "personification", - "requiredOneOf": [ - "first-name", - "last-name", - "full-name", - "alias" - ], - "uuid": "102a8696-420b-486d-806d-70a34d2f4e54", - "version": 2 +{ + "attributes": { + "age-range": { + "description": "Age range that the person appears to be", + "misp-attribute": "float", + "ui-priority": 0 + }, + "beard": { + "description": "Description of the characteristics of someones beard.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Beardless", + "Stubble Short", + "Stuble Medium", + "Stuble Long", + "Full Beard", + "French Fork", + "Ducktail", + "Goatee", + "Imperial", + "Van Dyke", + "Anchor", + "Balbo", + "Mutton Chops", + "Verdi", + "Garibaldi", + "Dutch", + "Winter Beard", + "Mustache", + "Unknown" + ] + }, + "birthmark": { + "description": "Position(s) of birthmarks.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Head", + "Arms", + "Back", + "Torso", + "Legs", + "Foot", + "Backside", + "Unknown" + ] + }, + "body-type": { + "description": "Body type of a person.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0, + "values_list": [ + "Slim", + "Tone", + "Muscular", + "Stocky", + "Large", + "Unknown" + ] + }, + "color-of-eyes": { + "description": "Description of a person’s colour of eyes.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Amber", + "Blue", + "Brown", + "Gray", + "Green", + "Hazel", + "Red", + "Unknown" + ] + }, + 
"hair-characteristics": { + "description": "Description of the characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Straight", + "Wavy", + "Curly", + "Coily", + "Unknown" + ] + }, + "hair-color": { + "description": "Description of a person’s colour of hair.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Black", + "Brown", + "Auburn", + "Red", + "Blond", + "Gray", + "White", + "Blue", + "Pink", + "Green", + "Violet", + "Unknown" + ] + }, + "haircut": { + "description": "Description of the characteristics of someones hairs.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Crew Cut", + "Shaved", + "Bald", + "Long", + "Spiky", + "Dreadlocks", + "Cornrow", + "Bob", + "Layered", + "Flat-top", + "Chignon", + "Bun", + "French Twist", + "Medium", + "Braid", + "Pigtails", + "Ponytail", + "Unknown" + ] + }, + "height": { + "description": "Height of a person in cm.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + }, + "other-facial-features": { + "description": "Description of other facial features such as nose, cheeks, lips etc...", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "portrait": { + "description": "Portrait of the person.", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 10 + }, + "shape-of-eyes": { + "description": "Description of a person’s eye shape.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Monolids", + "Hooded", + "Upturned", + "Downturned", + "Round", + "Almond", + "Unknown" + ] + }, + "shoe-size": { + "description": "Shoe size of a person.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "US", + "UK", + "EU", + "Asia", + "CM", + "Inches" + ] + }, + "skin-charateristics": { + "description": "Traits or features of a person's 
skin", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Normal", + "Irritated", + "Dry", + "Oily", + "Scaly", + "Red spots", + "Skin moles" + ] + }, + "skin-complexion": { + "description": "Skin tone and complexion of a person. Type I: Extremely fair skin, always burns, never tans. Type II: Fair skin, always burns, sometimes tans.Dry: Medium skin, sometimes burns, always tans.Type IV: Olive skin, rarely burns, always tans. Type V: Moderately pigmented brown skin, never burns, always tans. Type VI: Markedly pigmented black skin, never burns, always tans. ", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10, + "values_list": [ + "Type I", + "Type II", + "Type III", + "Type IV", + "Type V", + "Type VI", + "Unknown" + ] + }, + "weight": { + "description": "Weight of a person in Kg.", + "misp-attribute": "float", + "multiple": true, + "ui-priority": 10 + } + }, + "description": "An object which describes a person or an identity", + "meta-category": "misc", + "name": "personification", + "requiredOneOf": [ + "first-name", + "last-name", + "full-name", + "alias" + ], + "uuid": "102a8696-420b-486d-806d-70a34d2f4e54", + "version": 2 } \ No newline at end of file diff --git a/objects/tattoo/definition.json b/objects/tattoo/definition.json index 69dc09e..0e1cb16 100644 --- a/objects/tattoo/definition.json +++ b/objects/tattoo/definition.json 
@@ -1,108 +1,108 @@ -{ - "attributes": { - "tattoo-body-part": { - "description": "Describe the body part where the tattoo is located.", - "misp-attribute": "text", - "ui-priority": 4, - "values_list": [ - "head", - "forehead", - "face", - "ear", - "eye", - "mouth/lips", - "neck", - "shoulder", - "chest", - "elbow", - "arm", - "forearm", - "hand", - "finger", - "thigh", - "knee", - "calf", - "heel", - "foot", - "toe" - ] - }, - "tattoo-description": { - "description": "Description of the tattoo,its composition.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "tattoo-style": { - "description": "Style of the tattoo", - "multiple": true, - "misp-attribute": "text", - "ui-priority": 1, - "values_list": [ - "traditional", - "realism", - "watercolor", - "tribal", - "new school", - "japanese", - "blackwork", - "lettering", - "dotwork", - "abstract", - "celtic", - "geometric", - "mandala", - "minimalist", - "neo-traditional", - "portrait", - "sketch" - ] - }, - "tattoo-color": { - "description": "Colors of the tattoo", - "multiple": true, - "misp-attribute": "text", - "ui-priority": 1, - "values_list": [ - "black", - "white", - "red", - "green", - "blue", - "cyan", - "orange", - "violet", - "pink", - "yellow", - "brown", - "grey" - ] - }, - "tattoo-picture": { - "description": "Picture of the tattoo", - "misp-attribute": "attachment", - "multiple": true, - "ui-priority": 0 - }, - "tattoo-size": { - "description": "Size of the tattoo", - "misp-attribute": "text", - "multiple": false, - "ui-priority": 0, - "values_list": [ - "tiny", - "small", - "medium", - "large" - ] - } - }, - "description": "Describes tattoos on a natural person's body", - "meta-category": "misc", - "name": "tattoo", - "required": [ - "tattoo-body-part" - ], - "uuid": "747976fc-d637-4730-8b64-93f7f2814506", - "version": 1 - } \ No newline at end of file +{ + "attributes": { + "tattoo-body-part": { + "description": "Describe the body part where the tattoo is 
located.", + "misp-attribute": "text", + "ui-priority": 4, + "values_list": [ + "head", + "forehead", + "face", + "ear", + "eye", + "mouth/lips", + "neck", + "shoulder", + "chest", + "elbow", + "arm", + "forearm", + "hand", + "finger", + "thigh", + "knee", + "calf", + "heel", + "foot", + "toe" + ] + }, + "tattoo-color": { + "description": "Colors of the tattoo", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "black", + "white", + "red", + "green", + "blue", + "cyan", + "orange", + "violet", + "pink", + "yellow", + "brown", + "grey" + ] + }, + "tattoo-description": { + "description": "Description of the tattoo,its composition.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "tattoo-picture": { + "description": "Picture of the tattoo", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "tattoo-size": { + "description": "Size of the tattoo", + "misp-attribute": "text", + "multiple": false, + "ui-priority": 0, + "values_list": [ + "tiny", + "small", + "medium", + "large" + ] + }, + "tattoo-style": { + "description": "Style of the tattoo", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ + "traditional", + "realism", + "watercolor", + "tribal", + "new school", + "japanese", + "blackwork", + "lettering", + "dotwork", + "abstract", + "celtic", + "geometric", + "mandala", + "minimalist", + "neo-traditional", + "portrait", + "sketch" + ] + } + }, + "description": "Describes tattoos on a natural person's body", + "meta-category": "misc", + "name": "tattoo", + "required": [ + "tattoo-body-part" + ], + "uuid": "747976fc-d637-4730-8b64-93f7f2814506", + "version": 1 +} \ No newline at end of file From a98ac163fb35a16d8640330df2887c77fab3b012 Mon Sep 17 00:00:00 2001 
From: Alexandre De Oliveira
Date: Mon, 21 Mar 2022 15:02:48 +0100
Subject: [PATCH 045/112] Update object version to v5
---
 objects/ss7-attack/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index a01fadf..c9514eb 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -369,5 +369,5 @@
 "text"
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
- "version": 4
-}
\ No newline at end of file
+ "version": 5
+}
From 2a7d2de50863f90202bdca5d624c9ea46426d354 Mon Sep 17 00:00:00 2001
From: Alexandre De Oliveira
Date: Mon, 21 Mar 2022 15:04:26 +0100
Subject: [PATCH 046/112] modified by ./jq_all_the_things.sh
---
 objects/ss7-attack/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json
index c9514eb..0cf62da 100644
--- a/objects/ss7-attack/definition.json
+++ b/objects/ss7-attack/definition.json
@@ -370,4 +370,4 @@
 ],
 "uuid": "f3493d8b-a7ab-48d0-a775-046c4d64d782",
 "version": 5
-}
+}
\ No newline at end of file
From f1086328a1683d3e7e9a924e69c7f3d629ebfb80 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 24 Mar 2022 15:42:35 +0100
Subject: [PATCH 047/112] chg: [personification] fixed
---
 objects/personification/definition.json | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/objects/personification/definition.json b/objects/personification/definition.json
index 70a269c..2eea901 100644
--- a/objects/personification/definition.json
+++ b/objects/personification/definition.json
@@ -225,10 +225,11 @@
 "meta-category": "misc",
 "name": "personification",
 "requiredOneOf": [
- "first-name",
- "last-name",
- "full-name",
- "alias"
+ "beard",
+ "portrait",
+ "body-type",
+ "hair-color",
+ "age-range"
 ],
 "uuid": "102a8696-420b-486d-806d-70a34d2f4e54",
 "version": 2
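Review bot: `requiredOneOf` is rewritten but `"version": 2` two lines below is left unchanged. MISP only replaces an already-loaded template when the incoming version is higher, so instances that picked up version 2 of `personification` would keep the old `requiredOneOf` list, which named attributes this template does not define. Bump it to `"version": 3` in the same commit.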
From 60d2fc447fd5f8725b72d8260b78d1499f2b1dac Mon Sep 17 00:00:00 2001 From: chrisr3d Date: Thu, 31 Mar 2022 19:58:52 +0200 Subject: [PATCH 048/112] add: [employee] Added a `full-name` object_relation for cases when we are not sure which name is the first and the last --- objects/employee/definition.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/objects/employee/definition.json b/objects/employee/definition.json index 5f68ad3..693b944 100644 --- a/objects/employee/definition.json +++ b/objects/employee/definition.json @@ -26,13 +26,19 @@ ] }, "first-name": { - "description": "First name of Employee", + "description": "Employee's first name", "disable_correlation": true, "misp-attribute": "first-name", "ui-priority": 0 }, + "full-name": { + "description": "Employee's full name", + "disable_correlation": true, + "misp-attribute": "full-name", + "ui-priority": 0 + }, "last-name": { - "description": "Last name Employee", + "description": "Employee's last name", "disable_correlation": true, "misp-attribute": "last-name", "ui-priority": 0 From 46a4b67c357fcd4243d1d1b9cc7da7b2222a00cd Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 4 Apr 2022 14:07:55 +0200 Subject: [PATCH 049/112] chg: [organization] add registry number and format for date of registration --- objects/organization/definition.json | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 31c7834..37295ef 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -20,7 +20,7 @@ }, "date-of-inception": { "description": "Date of inception of the organization", - "misp-attribute": "date-of-birth", + "misp-attribute": "datetime", "ui-priority": 0 }, "description": { 
@@ -52,6 +52,11 @@
 "multiple": true,
 "ui-priority": 10
 },
+ "registration-number": {
+ "description": "Registration number of the organization",
+ "misp-attribute": "text",
+ "ui-priority": "15"
+ },
 "role": {
 "description": "The role of the organization.",
 "disable_correlation": true,
@@ -86,5 +91,5 @@
 "alias"
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
From a3c3484c92b07ba9df75496a444b6bf62a295b4f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Apr 2022 14:27:58 +0200
Subject: [PATCH 050/112] chg: [relationship] "has-met" added
---
 relationships/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 5863018..656c7a2 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1329,7 +1329,14 @@
 "misp"
 ],
 "name": "is-a-translation-of"
+ },
+ {
+ "description": "The referenced source object has met with the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "has-met"
 }
 ],
- "version": 32
-}
\ No newline at end of file
+ "version": 33
+}
From 4f0e518368f5a6e3fe891c5d94badc555547b7bc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Apr 2022 14:32:44 +0200
Subject: [PATCH 051/112] chg: [relationships] NL fix
---
 relationships/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 656c7a2..9eadce3 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1339,4 +1339,4 @@
 }
 ],
 "version": 33
-}
+}
\ No newline at end of file
From 783ae64fa00a6a460833c3b28a54b8aceb827036 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Apr 2022 14:46:22 +0200
Subject: [PATCH 052/112] chg: [organization] typo fixed
---
 objects/organization/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
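Review bot: `has-met` is added without an `"opposite"` entry, while relationships in this file that have a reverse direction carry one (the `uploaded`/`uploaded-by` pair added later in this series does). Meeting is symmetric, so if the format allows a relationship to name itself, `"opposite": "has-met"` keeps reverse lookups consistent with the rest of the catalogue; if it does not, stating in the description that the relation is symmetric tells consumers what to do with the reverse edge.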
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index 37295ef..ef863fd 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -55,7 +55,7 @@
 "registration-number": {
 "description": "Registration number of the organization",
 "misp-attribute": "text",
- "ui-priority": "15"
+ "ui-priority": 15
 },
 "role": {
 "description": "The role of the organization.",
@@ -92,4 +92,4 @@
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
 "version": 6
-}
\ No newline at end of file
+}
From ea23d591851856098fe8a7333823f5ebeda545d4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 4 Apr 2022 14:49:44 +0200
Subject: [PATCH 053/112] chg: [organization] NL fixed
---
 objects/organization/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index ef863fd..cdffce0 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -92,4 +92,4 @@
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
 "version": 6
-}
+}
\ No newline at end of file
From dcb44bcc5a77a709603ee03698a3db2c156ef009 Mon Sep 17 00:00:00 2001
From: 3c7
Date: Tue, 26 Apr 2022 14:02:43 +0200
Subject: [PATCH 054/112] Added VirusTotal Submission object and uploaded/uploaded-by relation
---
 objects/virustotal-submitter/definition.json | 77 ++++++++++++++++++++
 relationships/definition.json | 18 ++++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 objects/virustotal-submitter/definition.json
diff --git a/objects/virustotal-submitter/definition.json b/objects/virustotal-submitter/definition.json
new file mode 100644
index 0000000..14271f6
--- /dev/null
+++ b/objects/virustotal-submitter/definition.json
@@ -0,0 +1,77 @@ +{ + "attributes": { + "city": { + "categories": [ + "Other" + ], + "description": "The city a file was uploaded from.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 0 + }, + "country": { + "categories": [ + "Other" + ], + "description": "The country a file was uploaded from.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 1 + }, + "date": { + "categories": [ + "Other" + ], + "description": "The upload date.", + "disable_correlation": true, + "misp-attribute": "datetime", + "to_ids": false, + "ui-priority": 0 + }, + "filename": { + "categories": [ + "Payload Delivery" + ], + "description": "The filename used to submit a file.", + "disable_correlation": false, + "misp-attribute": "filename", + "to_ids": false, + "ui-priority": 0 + }, + "interface": { + "categories": [ + "Other" + ], + "description": "The interface used to upload a file.", + "disable_correlation": true, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 0, + "values-list": [ + "web", + "api", + "email" + ] + }, + "submitter-id": { + "categories": [ + "Other" + ], + "description": "Submitter ID, given as source_key via the VT API.", + "disable_correlation": false, + "misp-attribute": "text", + "to_ids": false, + "ui-priority": 1 + } + }, + "description": "VirusTotal Submission", + "meta-category": "misc", + "name": "virustotal-submission", + "required": [ + "submitter-id" + ], + "uuid": "473d289b-f1d4-4f02-a4fe-3b69f534ed45", + "version": 1 +} \ No newline at end of file diff --git a/relationships/definition.json b/relationships/definition.json index 9eadce3..f9b695e 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
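Review bot: `filename` keeps correlation enabled (`"disable_correlation": false`), and VirusTotal submission names are frequently generic or hash-like (the same `sample.exe` or `invoice.doc` is submitted by countless unrelated parties), so this attribute will link unrelated events on the filename alone; set `"disable_correlation": true` on it, or document why correlating on it is wanted. `city`, `country` and `submitter-id` describe the uploader rather than the file, and the uploader can be the victim organisation, so the template description should warn that these values can identify a submitter and that the event's distribution level should be chosen with that in mind, e.g. `"VirusTotal submission metadata. Note: city, country and submitter-id describe the submitter (often the victim) and may be identifying; share with an appropriate distribution level."`. The `date` attribute's description `"The upload date."` could also say it is the submission timestamp as reported by VirusTotal, since the type is `datetime` rather than a bare date.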
@@ -1336,7 +1336,23 @@ "misp" ], "name": "has-met" + }, + { + "description": "The referenced source object uploaded the referenced target object.", + "format": [ + "misp" + ], + "name": "uploaded", + "opposite": "uploaded-by" + }, + { + "description": "The referenced source object was uploaded by the referenced target object.", + "format": [ + "misp" + ], + "name": "uploaded-by", + "opposite": "uploaded" } ], - "version": 33 + "version": 34 } \ No newline at end of file From e57ab0f52239471feb0b7382d3a09a39ce286eec Mon Sep 17 00:00:00 2001 From: 3c7 Date: Tue, 26 Apr 2022 14:07:20 +0200 Subject: [PATCH 055/112] uploaded -> submitted; otherwise possible semantic collision with "uploads" relationship --- .../definition.json | 0 relationships/definition.json | 12 ++++++------ 2 files changed, 6 insertions(+), 6 deletions(-) rename objects/{virustotal-submitter => virustotal-submission}/definition.json (100%) diff --git a/objects/virustotal-submitter/definition.json b/objects/virustotal-submission/definition.json similarity index 100% rename from objects/virustotal-submitter/definition.json rename to objects/virustotal-submission/definition.json diff --git a/relationships/definition.json b/relationships/definition.json index f9b695e..6634c8c 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
@@ -1338,20 +1338,20 @@ "name": "has-met" }, { - "description": "The referenced source object uploaded the referenced target object.", + "description": "The referenced source object submitted the referenced target object (to an online anti virus scanner).", "format": [ "misp" ], - "name": "uploaded", - "opposite": "uploaded-by" + "name": "submitted", + "opposite": "submitted-by" }, { - "description": "The referenced source object was uploaded by the referenced target object.", + "description": "The referenced source object was submitted (to an online anti virus scanner) by the referenced target object.", "format": [ "misp" ], - "name": "uploaded-by", - "opposite": "uploaded" + "name": "submitted-by", + "opposite": "submitted" } ], "version": 34 From 314d72f948b6451edad1ff8afe8627695aa33bc0 Mon Sep 17 00:00:00 2001 From: 3c7 Date: Tue, 26 Apr 2022 15:05:05 +0200 Subject: [PATCH 056/112] Fixes wrong category and typo in value list --- objects/virustotal-submission/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/virustotal-submission/definition.json b/objects/virustotal-submission/definition.json index 14271f6..9ec9566 100644 --- a/objects/virustotal-submission/definition.json +++ b/objects/virustotal-submission/definition.json @@ -32,7 +32,7 @@ }, "filename": { "categories": [ - "Payload Delivery" + "Payload delivery" ], "description": "The filename used to submit a file.", "disable_correlation": false, @@ -49,7 +49,7 @@ "misp-attribute": "text", "to_ids": false, "ui-priority": 0, - "values-list": [ + "values_list": [ "web", "api", "email" From 384397423222e8161ff07c87531ac5b55b86b3c9 Mon Sep 17 00:00:00 2001 From: 3c7 Date: Tue, 26 Apr 2022 15:08:14 +0200 Subject: [PATCH 057/112] Added new object to README --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index f14ff55..a774b0a 100644 --- a/README.md +++ b/README.md 
@@ -372,6 +372,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse. - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph. - [objects/virustotal-report](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json) - VirusTotal report. +- [objects/virustotal-submission](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-submission/definition.json) - VirusTotal Submission. - [objects/vulnerability](https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json) - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware. - [objects/weakness](https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json) - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware. - [objects/whois](https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json) - Whois records information for a domain name or an IP address. From 25c318c3b32b773d8a9fc27730b6b11999cbd725 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Wed, 4 May 2022 16:49:17 +0200 Subject: [PATCH 058/112] Initial commit --- objects/ransom-negotiation/definition.json | 41 ++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 objects/ransom-negotiation/definition.json diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json new file mode 100644 index 0000000..999fc86 --- /dev/null +++ b/objects/ransom-negotiation/definition.json 
@@ -0,0 +1,41 @@ +{ + "attributes": { + "BTC_received": { + "description": "Value of received BTC", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "BTC_sent": { + "description": "Value of sent BTC", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "balance_BTC": { + "description": "Value in BTC at date/time displayed in field 'time'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "time": { + "description": "Date and time of lookup/conversion", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "wallet-address": { + "description": "A Bitcoin wallet address", + "misp-attribute": "btc", + "ui-priority": 0 + } + }, + "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", + "meta-category": "financial", + "name": "ransom-negotiation", + "requiredOneOf": [ + "wallet-address" + ], + "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06", + "version": 1 +} \ No newline at end of file From 38d22a425ffa65af0af48ba2b3abcd035981f988 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Thu, 5 May 2022 15:18:22 +0200 Subject: [PATCH 059/112] v1 of ransom-negotiation object --- objects/ransom-negotiation/definition.json | 99 +++++++++++++++++----- 1 file changed, 77 insertions(+), 22 deletions(-) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index 999fc86..da70dab 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json 
@@ -1,33 +1,88 @@ { "attributes": { - "BTC_received": { - "description": "Value of received BTC", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 0 - }, - "BTC_sent": { - "description": "Value of sent BTC", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 0 - }, - "balance_BTC": { - "description": "Value in BTC at date/time displayed in field 'time'", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 0 + "wallet-address": { + "description": "A cryptocoin wallet address", + "disable_correlation": false, + "misp-attribute": "btc", + "ui-priority": 6 }, "time": { - "description": "Date and time of lookup/conversion", + "description": "Date and time of transaction", "disable_correlation": true, "misp-attribute": "datetime", + "ui-priority": 5 + }, + "initial_ransom": { + "description": "Initial ransom demand in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", "ui-priority": 0 }, - "wallet-address": { - "description": "A Bitcoin wallet address", - "misp-attribute": "btc", - "ui-priority": 0 + "final_ransom":{ + "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 1 + }, + "currency":{ + "description": "The currency of the initial demand. 
Often USD or BTC.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 3 + }, + "value_EUR": { + "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 4 + }, + "annual_revenue_EUR": { + "description": "Annual revenue of the targeted organisation in EUR", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 7 + }, + "data_stolen": { + "description": "Was data exfiltrated in this incident?", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 9 + }, + "data_lekaed": { + "description": "Was data leaked in this incident?", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 10 + }, + "url_leaksite": { + "description": "URL of the leaksite", + "disable_correlation": false, + "misp-attribute": "url", + "ui-priority": 11 + }, + "email_address": { + "description": "Contact address, if any", + "disable_correlation": false, + "misp-attribute": "float", + "ui-priority": 12 + }, + "Remarks": { + "description": "Remarks", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 13 + }, + "percentage_of_revenue": { + "description": "Percentage of the annual revenue that the ransom demand amounts to", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 8 + }, + "discount": { + "description": "Discount after negotiations", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 2 } }, "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", From 1c2513caf23128b80325c61cc86def324a2bb9e9 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Thu, 5 May 2022 15:38:19 +0200 Subject: [PATCH 060/112] Fixed email attribute type, fixed typo --- objects/ransom-negotiation/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
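Review bot: `email_address` is declared with `"misp-attribute": "float"`, which will reject every real value; it should be an email type (`"misp-attribute": "email"`) so that it validates and correlates with other email attributes instead of being stored as free text. `wallet-address` is described as "A cryptocoin wallet address" but typed `btc`, and MISP validates `btc` values against Bitcoin address formats, so the Monero addresses common in ransom demands would be refused; either narrow the description to Bitcoin or add a second attribute of type `xmr`. `currency` is free text, so `USD`, `usd` and `$` will never match across events — give it a `sane_default` of ISO 4217 codes plus `BTC`/`XMR`. Attribute names also mix styles (`wallet-address`, `Remarks`, `value_EUR`, and the misspelt `data_lekaed`); pick snake_case throughout before the template is released, since names are part of the object's interface. The enclosing `attributes` object continues past the end of this hunk.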
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index da70dab..c2ec80e 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json @@ -48,7 +48,7 @@ "misp-attribute": "boolean", "ui-priority": 9 }, - "data_lekaed": { + "data_leaked": { "description": "Was data leaked in this incident?", "disable_correlation": true, "misp-attribute": "boolean", @@ -63,7 +63,7 @@ "email_address": { "description": "Contact address, if any", "disable_correlation": false, - "misp-attribute": "float", + "misp-attribute": "text", "ui-priority": 12 }, "Remarks": { From 6ec02ff6d8eb49832dd55591b130dc151b3fcb02 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Thu, 5 May 2022 15:48:31 +0200 Subject: [PATCH 061/112] Added transcript and screenshot fields --- objects/ransom-negotiation/definition.json | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index c2ec80e..432f0f4 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json @@ -78,6 +78,18 @@ "misp-attribute": "float", "ui-priority": 8 }, + "negotiations_transcript": { + "description": "Transcript of the negotiations", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 14 + }, + "negotiations_screenshot": { + "description": "Screenshot of the negotiations", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 15 + }, "discount": { "description": "Discount after negotiations", "disable_correlation": true, @@ -92,5 +104,5 @@ "wallet-address" ], "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06", - "version": 1 + "version": 1.1 } \ No newline at end of file From 33458100e4682c45f5946ec7961d82397cf696c2 Mon Sep 17 00:00:00 2001 
From: matthijsvp Date: Thu, 5 May 2022 15:54:37 +0200 Subject: [PATCH 062/112] Fixed ui order, fixed screenshot type --- objects/ransom-negotiation/definition.json | 34 +++++++++++----------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index 432f0f4..bed3f2b 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json 
@@ -4,97 +4,97 @@ "description": "A cryptocoin wallet address", "disable_correlation": false, "misp-attribute": "btc", - "ui-priority": 6 + "ui-priority": 9 }, "time": { "description": "Date and time of transaction", "disable_correlation": true, "misp-attribute": "datetime", - "ui-priority": 5 + "ui-priority": 10 }, "initial_ransom": { "description": "Initial ransom demand in the currency as displayed in field 'currency'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 0 + "ui-priority": 15 }, "final_ransom":{ "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 1 + "ui-priority": 14 }, "currency":{ "description": "The currency of the initial demand. Often USD or BTC.", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 3 + "ui-priority": 12 }, "value_EUR": { "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 4 + "ui-priority": 11 }, "annual_revenue_EUR": { "description": "Annual revenue of the targeted organisation in EUR", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 7 + "ui-priority": 8 }, "data_stolen": { "description": "Was data exfiltrated in this incident?", "disable_correlation": true, "misp-attribute": "boolean", - "ui-priority": 9 + "ui-priority": 6 }, "data_leaked": { "description": "Was data leaked in this incident?", "disable_correlation": true, "misp-attribute": "boolean", - "ui-priority": 10 + "ui-priority": 5 }, "url_leaksite": { "description": "URL of the leaksite", "disable_correlation": false, "misp-attribute": "url", - "ui-priority": 11 + "ui-priority": 4 }, "email_address": { "description": "Contact address, if any", "disable_correlation": false, "misp-attribute": "text", - "ui-priority": 12 + 
"ui-priority": 3 }, "Remarks": { "description": "Remarks", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 13 + "ui-priority": 2 }, "percentage_of_revenue": { "description": "Percentage of the annual revenue that the ransom demand amounts to", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 8 + "ui-priority": 7 }, "negotiations_transcript": { "description": "Transcript of the negotiations", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 14 + "ui-priority": 1 }, "negotiations_screenshot": { "description": "Screenshot of the negotiations", "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 15 + "misp-attribute": "attachment", + "ui-priority": 0 }, "discount": { "description": "Discount after negotiations", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 2 + "ui-priority": 13 } }, "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", From de7792373ce037ff110de6d3768db197e1ac9ffb Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 5 May 2022 20:38:53 +0200 Subject: [PATCH 063/112] add: [passive-ssh] Added `banner` & `hassh` attributes --- objects/passive-ssh/definition.json | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/objects/passive-ssh/definition.json b/objects/passive-ssh/definition.json index b4f90fd..e48f159 100644 --- a/objects/passive-ssh/definition.json +++ b/objects/passive-ssh/definition.json @@ -1,5 +1,15 @@ { "attributes": { + "banner": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "SSH banner", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, "base64": { "description": "Base64 representation of the ssh-key", "disable_correlation": true, 
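Review bot: The new `banner` attribute carries no `disable_correlation`, so it correlates by default, and SSH banners such as `SSH-2.0-OpenSSH_7.4` are shared by enormous numbers of unrelated hosts; every passive-ssh object would then correlate with every other one that saw the same banner, which is exactly the kind of correlating noise the paloalto-threat-event bump later in this series is cleaning up. Add `"disable_correlation": true,` to `banner`, as the existing `base64` attribute in the context below already does. The description `"SSH banner"` should also say which side's identification string is meant (`"SSH identification/banner string as observed by passive-ssh"`) so client and server banners don't end up mixed in one field.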
@@ -20,6 +30,11 @@
 "misp-attribute": "datetime",
 "ui-priority": 0
 },
+ "hassh": {
+ "description": "Hassh fingerprint",
+ "misp-attribute": "hassh-md5",
+ "ui-priority": 1
+ },
 "host": {
 "categories": [
 "Network activity",
@@ -43,8 +58,9 @@
 "requiredOneOf": [
 "host",
 "base64",
- "fingerprint"
+ "fingerprint",
+ "hassh"
 ],
 "uuid": "ec350cdf-2311-4df5-972a-a4342a2c0065",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 7480c515335f21f25bb2ec005a6d63c577a00933 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 6 May 2022 13:25:31 +0200 Subject: [PATCH 064/112] Added need/want for decryptor and data deletion --- objects/ransom-negotiation/definition.json | 52 +++++++++++++++------- 1 file changed, 36 insertions(+), 16 deletions(-)
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index bed3f2b..621dd9d 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
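Review bot: `hassh` is typed `hassh-md5`, which is the fingerprint of a client's key-exchange proposal, while the other attributes of this template (`host`, `port`, the key `fingerprint` and `base64`) appear to describe the SSH server that was observed; if the value is the server's fingerprint, the matching MISP type is `hasshserver-md5`, and filing server fingerprints under `hassh-md5` will make them correlate with the wrong population. If passive-ssh really does export a client HASSH here, say so in the description (`"HASSH fingerprint of the client key-exchange proposal"`), otherwise switch the type and write `"HASSH server fingerprint (hasshServer) of the observed SSH service"`. Adding `hassh` to `requiredOneOf` and bumping `version` to 2 are both fine.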
@@ -4,97 +4,117 @@ "description": "A cryptocoin wallet address", "disable_correlation": false, "misp-attribute": "btc", - "ui-priority": 9 + "ui-priority": 930 }, "time": { "description": "Date and time of transaction", "disable_correlation": true, "misp-attribute": "datetime", - "ui-priority": 10 + "ui-priority": 940 }, "initial_ransom": { "description": "Initial ransom demand in the currency as displayed in field 'currency'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 15 + "ui-priority": 900 }, "final_ransom":{ "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 14 + "ui-priority": 980 }, "currency":{ "description": "The currency of the initial demand. Often USD or BTC.", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 12 + "ui-priority": 960 }, "value_EUR": { "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 11 + "ui-priority": 950 }, "annual_revenue_EUR": { "description": "Annual revenue of the targeted organisation in EUR", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 8 + "ui-priority": 920 }, "data_stolen": { "description": "Was data exfiltrated in this incident?", "disable_correlation": true, "misp-attribute": "boolean", - "ui-priority": 6 + "ui-priority": 900 }, "data_leaked": { "description": "Was data leaked in this incident?", "disable_correlation": true, "misp-attribute": "boolean", - "ui-priority": 5 + "ui-priority": 890 }, "url_leaksite": { "description": "URL of the leaksite", "disable_correlation": false, "misp-attribute": "url", - "ui-priority": 4 + "ui-priority": 880 }, "email_address": { "description": "Contact address, if any", "disable_correlation": false, "misp-attribute": "text", - 
"ui-priority": 3 + "ui-priority": 870 }, "Remarks": { "description": "Remarks", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 2 + "ui-priority": 860 }, "percentage_of_revenue": { "description": "Percentage of the annual revenue that the ransom demand amounts to", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 7 + "ui-priority": 910 + }, + "pay_for_encryptor": { + "description": "Does the target needs/wants to pay for the decryptor", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 908, + "sane_default": [ + "True", + "False" + ], + }, + "pay_for_deletion": { + "description": "Does the target needs/wants to pay for data deletion", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 906, + "sane_default": [ + "True", + "False" + ], }, "negotiations_transcript": { "description": "Transcript of the negotiations", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 1 + "ui-priority": 850 }, "negotiations_screenshot": { "description": "Screenshot of the negotiations", "disable_correlation": true, "misp-attribute": "attachment", - "ui-priority": 0 + "ui-priority": 840 }, "discount": { "description": "Discount after negotiations", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 13 + "ui-priority": 970 } }, "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", From dcf34a680fa6fa399ecaf469222079bffe52ca1e Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 6 May 2022 13:38:11 +0200 Subject: [PATCH 065/112] bumped version number, fixed stray typo --- objects/ransom-negotiation/definition.json | 156 ++++++++++----------- 1 file changed, 78 insertions(+), 78 deletions(-) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index 621dd9d..4447b18 100644 --- a/objects/ransom-negotiation/definition.json 
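Review bot: Both new `sane_default` arrays close with `],` immediately followed by `},`, leaving a trailing comma before the closing brace (`+ ], + },`) that strict JSON parsers, including PHP's `json_decode`, reject, so the template will not load until the comma after `]` is dropped. The attribute is named `pay_for_encryptor` while its description (and what victims actually pay for) is the decryptor; rename it to `pay_for_decryptor` now, before the template is released, because attribute names are part of the object's interface. I would also confirm that the `sane_default` values `"True"`/`"False"` are what MISP's `boolean` attribute type accepts on input — if the instance normalises booleans to `0`/`1`, these defaults will fail validation when selected. The renumbering of every other attribute's `ui-priority` in this hunk is cosmetic.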
+++ b/objects/ransom-negotiation/definition.json @@ -1,40 +1,10 @@ { "attributes": { - "wallet-address": { - "description": "A cryptocoin wallet address", - "disable_correlation": false, - "misp-attribute": "btc", - "ui-priority": 930 - }, - "time": { - "description": "Date and time of transaction", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 940 - }, - "initial_ransom": { - "description": "Initial ransom demand in the currency as displayed in field 'currency'", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 900 - }, - "final_ransom":{ - "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 980 - }, - "currency":{ - "description": "The currency of the initial demand. Often USD or BTC.", + "Remarks": { + "description": "Remarks", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 960 - }, - "value_EUR": { - "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 950 + "ui-priority": 860 }, "annual_revenue_EUR": { "description": "Annual revenue of the targeted organisation in EUR", @@ -42,11 +12,11 @@ "misp-attribute": "float", "ui-priority": 920 }, - "data_stolen": { - "description": "Was data exfiltrated in this incident?", + "currency": { + "description": "The currency of the initial demand. Often USD or BTC.", "disable_correlation": true, - "misp-attribute": "boolean", - "ui-priority": 900 + "misp-attribute": "text", + "ui-priority": 960 }, "data_leaked": { "description": "Was data leaked in this incident?", 
@@ -54,11 +24,17 @@ "misp-attribute": "boolean", "ui-priority": 890 }, - "url_leaksite": { - "description": "URL of the leaksite", - "disable_correlation": false, - "misp-attribute": "url", - "ui-priority": 880 + "data_stolen": { + "description": "Was data exfiltrated in this incident?", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 900 + }, + "discount": { + "description": "Discount after negotiations", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 970 }, "email_address": { "description": "Contact address, if any", 
@@ -66,11 +42,49 @@ "misp-attribute": "text", "ui-priority": 870 }, - "Remarks": { - "description": "Remarks", + "final_ransom": { + "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 980 + }, + "initial_ransom": { + "description": "Initial ransom demand in the currency as displayed in field 'currency'", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 900 + }, + "negotiations_screenshot": { + "description": "Screenshot of the negotiations", + "disable_correlation": true, + "misp-attribute": "attachment", + "ui-priority": 840 + }, + "negotiations_transcript": { + "description": "Transcript of the negotiations", "disable_correlation": true, "misp-attribute": "text", - "ui-priority": 860 + "ui-priority": 850 + }, + "pay_for_deletion": { + "description": "Does the target needs/wants to pay for data deletion", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 906 + }, + "pay_for_encryptor": { + "description": "Does the target needs/wants to pay for the decryptor", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 908 }, "percentage_of_revenue": { "description": "Percentage of the annual revenue that the ransom demand amounts to", 
@@ -78,43 +92,29 @@ "misp-attribute": "float", "ui-priority": 910 }, - "pay_for_encryptor": { - "description": "Does the target needs/wants to pay for the decryptor", + "time": { + "description": "Date and time of transaction", "disable_correlation": true, - "misp-attribute": "boolean", - "ui-priority": 908, - "sane_default": [ - "True", - "False" - ], + "misp-attribute": "datetime", + "ui-priority": 940 }, - "pay_for_deletion": { - "description": "Does the target needs/wants to pay for data deletion", - "disable_correlation": true, - "misp-attribute": "boolean", - "ui-priority": 906, - "sane_default": [ - "True", - "False" - ], + "url_leaksite": { + "description": "URL of the leaksite", + "disable_correlation": false, + "misp-attribute": "url", + "ui-priority": 880 }, - "negotiations_transcript": { - "description": "Transcript of the negotiations", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 850 - }, - "negotiations_screenshot": { - "description": "Screenshot of the negotiations", - "disable_correlation": true, - "misp-attribute": "attachment", - "ui-priority": 840 - }, - "discount": { - "description": "Discount after negotiations", + "value_EUR": { + "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'", "disable_correlation": true, "misp-attribute": "float", - "ui-priority": 970 + "ui-priority": 950 + }, + "wallet-address": { + "description": "A cryptocoin wallet address", + "disable_correlation": false, + "misp-attribute": "btc", + "ui-priority": 930 } }, "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", @@ -124,5 +124,5 @@ "wallet-address" ], "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06", - "version": 1.1 + "version": 1.2 } \ No newline at end of file From d04d453f475e33f51962ad50437e38bc77749be3 Mon Sep 17 00:00:00 2001 
From: matthijsvp Date: Fri, 6 May 2022 13:48:12 +0200 Subject: [PATCH 066/112] Added sane defaults to all booleans --- objects/ransom-negotiation/definition.json | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index 4447b18..1c7ab68 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json @@ -22,12 +22,20 @@ "description": "Was data leaked in this incident?", "disable_correlation": true, "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], "ui-priority": 890 }, "data_stolen": { "description": "Was data exfiltrated in this incident?", "disable_correlation": true, "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], "ui-priority": 900 }, "discount": { From bb686f24d4e29c5b2e1cc5713fd6a3a358cb3ebf Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 6 May 2022 13:50:34 +0200 Subject: [PATCH 067/112] Removed required field --- objects/ransom-negotiation/definition.json | 3 --- 1 file changed, 3 deletions(-) diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json index 1c7ab68..971c2e8 100644 --- a/objects/ransom-negotiation/definition.json +++ b/objects/ransom-negotiation/definition.json @@ -128,9 +128,6 @@ "description": "An object to describe ransom negotiations, as seen in ransomware incidents.", "meta-category": "financial", "name": "ransom-negotiation", - "requiredOneOf": [ - "wallet-address" - ], "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06", "version": 1.2 } \ No newline at end of file From 3f90f655082c65e735db228b32255f47386d3815 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 6 May 2022 14:09:50 +0200 Subject: [PATCH 068/112] Fixed spelling mistakes --- objects/ransom-negotiation/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
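Review bot: Removing `requiredOneOf` leaves the template with neither `required` nor `requiredOneOf`, so a ransom-negotiation object can be created with none of its attributes set; keep a `requiredOneOf` that lists the attributes that make the object meaningful (`"requiredOneOf": ["wallet-address", "initial_ransom", "final_ransom"]`) rather than dropping the constraint altogether. The context lines also show the template `uuid` in upper case (`FB72F951-DE2E-...`) whereas every other template in this series uses lower-case uuids (`f750e12b-…`, `473d289b-…`, `ec350cdf-…`); normalise it to lower case so that string comparisons against instance-side uuids do not miss.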
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index 971c2e8..62143cf 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
@@ -75,7 +75,7 @@
 "ui-priority": 850
 },
 "pay_for_deletion": {
- "description": "Does the target needs/wants to pay for data deletion",
+ "description": "Does the target need/want to pay for data deletion",
 "disable_correlation": true,
 "misp-attribute": "boolean",
 "sane_default": [
@@ -85,7 +85,7 @@
 "ui-priority": 906
 },
 "pay_for_encryptor": {
- "description": "Does the target needs/wants to pay for the decryptor",
+ "description": "Does the target need/want to pay for the decryptor",
 "disable_correlation": true,
 "misp-attribute": "boolean",
 "sane_default": [
From f762d5b2a4dc8efeb23596b33c572606fe66c9f3 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Fri, 6 May 2022 17:01:13 +0200 Subject: [PATCH 069/112] add: [passive-ssh] Added `port` attribute --- objects/passive-ssh/definition.json | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/objects/passive-ssh/definition.json b/objects/passive-ssh/definition.json
index e48f159..1d00539 100644
--- a/objects/passive-ssh/definition.json
+++ b/objects/passive-ssh/definition.json
@@ -50,6 +50,11 @@
 "disable_correlation": true,
 "misp-attribute": "datetime",
 "ui-priority": 0
+ },
+ "port": {
+ "description": "Port of the connection",
+ "misp-attribute": "port",
+ "ui-priority": 1
 }
 },
 "description": "Passive-ssh object as described on passive-ssh services from circl.lu - https://github.com/D4-project/passive-ssh",
From 109f78336b28016c4eb5898ebd81713cddc1b5fd Mon Sep 17 00:00:00 2001 From: Matthijs van P Date: Sat, 7 May 2022 06:47:40 +0200 Subject: [PATCH 070/112] Changed version to int. --- objects/ransom-negotiation/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
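Review bot: The new `port` attribute has no `disable_correlation`, and since almost every SSH service observed listens on 22, correlating on this value links essentially every passive-ssh object to every other one; add `"disable_correlation": true,` to it, as the datetime attribute in the context lines directly above already does. The description `"Port of the connection"` should state which side's port is meant, because only the listening port is meaningful here: `"TCP port the SSH service was observed listening on"`, assuming that is what passive-ssh records. The template's `version` (set to 2 in the earlier hassh commit) is not bumped in this hunk, so unless both commits ship together, instances that already fetched version 2 will not pick up `port`.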
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index 62143cf..655fc85 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
@@ -129,5 +129,5 @@
 "meta-category": "financial",
 "name": "ransom-negotiation",
 "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06",
- "version": 1.2
-}
\ No newline at end of file
+ "version": 1
+}
From b8456cf80b6521e991faed44174682c9a476971a Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Sat, 7 May 2022 08:00:38 +0200
Subject: [PATCH 071/112] Ran validation
---
 objects/ransom-negotiation/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index 655fc85..a92925c 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
@@ -130,4 +130,4 @@
 "name": "ransom-negotiation",
 "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06",
 "version": 1
-}
+}
\ No newline at end of file
From a5184c6746f27560d73c02cf15f88da56b3f0758 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Wed, 11 May 2022 13:16:36 +0200
Subject: [PATCH 072/112] chg: [paloalto-threat-event] version bump
For instances that ingested it before the disable_correlation changes, they didn't take and ended up pushing a lot of correlating noise. This should resolve it for the future.
---
 objects/paloalto-threat-event/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/paloalto-threat-event/definition.json b/objects/paloalto-threat-event/definition.json
index 81ab487..17814c7 100644
--- a/objects/paloalto-threat-event/definition.json
+++ b/objects/paloalto-threat-event/definition.json
@@ -87,5 +87,5 @@
 "meta-category": "network",
 "name": "paloalto-threat-event",
 "uuid": "e6fa7a87-1173-43d6-86c2-b4d02af5fc74",
- "version": 5
-}
\ No newline at end of file
+ "version": 6
+}
From 7c7d1fbe9829126628e07330318e8aa78cac3af0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 11 May 2022 15:38:24 +0200
Subject: [PATCH 073/112] chg: [paloalto-threat-event] Hungary access to the git repository has been sanctioned
---
 objects/paloalto-threat-event/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/paloalto-threat-event/definition.json b/objects/paloalto-threat-event/definition.json
index 17814c7..795a7f5 100644
--- a/objects/paloalto-threat-event/definition.json
+++ b/objects/paloalto-threat-event/definition.json
@@ -88,4 +88,4 @@
 "name": "paloalto-threat-event",
 "uuid": "e6fa7a87-1173-43d6-86c2-b4d02af5fc74",
 "version": 6
-}
+}
\ No newline at end of file
From 0c54a39d376febd9c185a69b3d377a80505a42e2 Mon Sep 17 00:00:00 2001
From: Vasileios Mavroeidis <29202434+Vasileios-Mavroeidis@users.noreply.github.com>
Date: Wed, 18 May 2022 13:56:59 +0200
Subject: [PATCH 074/112] Update definition.json
The PR updates the security playbook object with improved semantics based on feedback we have received. The updated template has "one-to-one" mapping with the available STIX 2.1 ad-hoc extension for the COA SDO available here: https://github.com/fovea-research/stix2.1-coa-playbook-extension This research (updated version 3) was partially supported by the research projects CyberHunt (Grant No. 303585 - funded by the Research Council of Norway) and JCOP (Grant No. INEA/CEF/ICT/A2020/2373266 - funded by the European Health and Digital Executive Agency through the Connected Europe Facility program).
---
 objects/security-playbook/definition.json | 311 ++++++++++------------
 1 file changed, 134 insertions(+), 177 deletions(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index c62b171..d3be4e0 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -1,189 +1,146 @@ { - "attributes": { - "created": { - "categories": [ - "Other" - ], - "description": "The time at which the playbook was originally created.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 + "attributes":{ + "description":{ + "description":"An explanation, details, and more context about what this playbook does and tries to accomplish.", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 }, - "creator": { - "categories": [ - "Other" - ], - "description": "The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 + "playbook-id":{ + "description":"A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.", + "disable_correlation":false, + "misp-attribute":"text", + "ui-priority":1 }, - "description": { - "categories": [ - "Other" - ], - "description": "More details, context, and possibly an explanation about what this playbook does and tries to accomplish.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, - "id": { - "categories": [ - "Other" - ], - "description": "A value that uniquely identifies the playbook.", - "disable_correlation": false, - "misp-attribute": "text", - "ui-priority": 1 - }, - "impact": { - "categories": [ - "Other" - ], - "description": "An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. 
For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 1 - }, - "label": { - "categories": [ - "Other" - ], - "description": "An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to).", - "disable_correlation": true, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 1 - }, - "modified": { - "categories": [ - "Other" - ], - "description": "The time that this particular version of the playbook was last modified.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "organization-type": { - "categories": [ - "Other" - ], - "description": "Type of an organization, that the playbook is intended for. This can be an industry sector.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, - "playbook": { - "categories": [ - "Payload delivery" - ], - "description": "The whole playbook in its native format (e.g., CACAO JSON). 
Producers and consumers of playbooks use this property to share and retrieve playbooks.", - "misp-attribute": "attachment", - "ui-priority": 1 - }, - "playbook-abstraction": { - "categories": [ - "Other" - ], - "description": "Identifies the level of completeness of the playbook.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1, - "values_list": [ - "guideline", - "playbook template", - "playbook", - "partial workflow", - "full workflow", - "fully scripted" - ] - }, - "playbook-standard": { - "categories": [ - "Other" - ], - "description": "Identification of the playbook standard.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, - "playbook-type": { - "categories": [ - "Other" - ], - "description": "The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation).", - "disable_correlation": true, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 1, - "values_list": [ - "notification playbook", - "detection playbook", - "investigation playbook", - "prevention playbook", - "mitigation playbook", - "remediation playbook", - "attack playbook" - ] - }, - "priority": { - "categories": [ - "Other" - ], - "description": "An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. 
Values range from 1, the highest priority, to a value of 100, the lowest.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 1 - }, - "revoked": { - "categories": [ - "Other" - ], - "description": "A boolean that identifies if the playbook creator deems that this playbook is no longer valid.", - "disable_correlation": true, - "misp-attribute": "boolean", - "sane_default": [ + "revoked":{ + "description":"A boolean that identifies if the playbook is no longer valid (revoked).", + "disable_correlation":true, + "misp-attribute":"boolean", + "sane_default":[ "True", "False" ], - "ui-priority": 1 + "ui-priority":1 }, - "severity": { - "categories": [ - "Other" - ], - "description": "A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 1 + "playbook-type":{ + "description":"The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation":true, + "misp-attribute":"text", + "multiple":true, + "ui-priority":1, + "values_list":[ + "notification", + "detection", + "investigation", + "prevention", + "mitigation", + "remediation", + "analysis", + "containment", + "eradication", + "recovery", + "attack" + ] }, - "valid-from": { - "categories": [ - "Other" - ], - "description": "The time from which the playbook is considered valid and the steps that it contains can be executed.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 + "organization-type":{ + "description":"The type of organization that the playbook is intended for. 
This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation":true, + "misp-attribute":"text", + "multiple":true, + "ui-priority":1 }, - "valid-until": { - "categories": [ - "Other" - ], - "description": "The time at which this playbook should no longer be considered a valid playbook to be executed.", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 + "labels":{ + "description":"Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation":true, + "misp-attribute":"text", + "multiple":true, + "ui-priority":1 + }, + "playbook-standard":{ + "description":"The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 + }, + "playbook-abstraction":{ + "description":"The playbook’s level of abstraction (with regards to consumption).", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1, + "values_list":[ + "template", + "executable" + ] + }, + "playbook-creator":{ + "description":"The entity that created the playbook. It can be a natural person or an organization. 
It may be represented using a unique identifier that identifies the creator.", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 + }, + "playbook-creation-time":{ + "description":"The date and time at which the playbook was originally created.", + "disable_correlation":true, + "misp-attribute":"datetime", + "ui-priority":1 + }, + "playbook-modification-time":{ + "description":"The date and time at which the playbook was last modified.", + "disable_correlation":true, + "misp-attribute":"datetime", + "ui-priority":1 + }, + "playbook-impact":{ + "description":"From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 + }, + "playbook-priority":{ + "description":"From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 + }, + "playbook-severity":{ + "description":"From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. 
Severity values range from 1, the lowest severity, to a value of 100, the highest.", + "disable_correlation":true, + "misp-attribute":"text", + "ui-priority":1 + }, + "playbook-valid-from":{ + "description":"The date and time from which the playbook is considered valid and the steps that it contains can be executed.", + "disable_correlation":true, + "misp-attribute":"datetime", + "ui-priority":1 + }, + "playbook-valid-until":{ + "description":"The date and time from which the playbook should no longer be considered a valid playbook to be executed.", + "disable_correlation":true, + "misp-attribute":"datetime", + "ui-priority":1 + }, + "playbook-file":{ + "description":"The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).", + "misp-attribute":"attachment", + "ui-priority":1 + }, + "playbook-base64":{ + "description":"The entire playbook file/document encoded in base64.", + "misp-attribute":"text", + "ui-priority":1 } }, - "description": "An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.", - "meta-category": "misc", - "name": "security-playbook", - "required": [ - "playbook", - "playbook-standard", - "playbook-type" + "description":"The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", + "meta-category":"misc", + "name":"security-playbook", + "required":[ + "playbook-id" ], - "uuid": "48894c92-447b-4abe-b093-360c4d823e9d", - "version": 2 -} \ No newline at end of file + "requiredOneOf":[ + "playbook-file", + "playbook-base64" + ], + "uuid":"48894c92-447b-4abe-b093-360c4d823e9d", + "version":3 +} From ccd239bf6472a2572b110dea3a867fe883c96eaa Mon Sep 17 00:00:00 2001 
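Review bot: `playbook-impact`, `playbook-priority` and `playbook-severity` are changed from `counter` to `text` while their descriptions still define them as values from 0 to 100, so the attribute type no longer enforces what the text promises and a consumer cannot range-check or order them without parsing free text. Either keep `"misp-attribute": "counter"` for the three or state in each description why free text is intended. `playbook-base64` carries an entire encoded playbook as a `text` attribute and, unlike most attributes in this hunk, sets no `disable_correlation`; a large blob that is unique per playbook is unlikely to ever match anything, so `"disable_correlation": true,` belongs on it as well, and the same consideration applies to `playbook-file`.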
From: Alexandre Dulaunoy
Date: Wed, 18 May 2022 22:00:41 +0200
Subject: [PATCH 075/112] chg: [security-playbook] jq all the things
---
 objects/security-playbook/definition.json | 240 +++++++++++-----------
 1 file changed, 120 insertions(+), 120 deletions(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index d3be4e0..4175874 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -1,34 +1,100 @@ { - "attributes":{ - "description":{ - "description":"An explanation, details, and more context about what this playbook does and tries to accomplish.", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 + "attributes": { + "description": { + "description": "An explanation, details, and more context about what this playbook does and tries to accomplish.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 }, - "playbook-id":{ - "description":"A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.", - "disable_correlation":false, - "misp-attribute":"text", - "ui-priority":1 + "labels": { + "description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 }, - "revoked":{ - "description":"A boolean that identifies if the playbook is no longer valid (revoked).", - "disable_correlation":true, - "misp-attribute":"boolean", - "sane_default":[ - "True", - "False" - ], - "ui-priority":1 + "organization-type": { + "description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 }, - "playbook-type":{ - "description":"The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. 
Another option is to use MISP tags, taxonomies, and galaxies.", - "disable_correlation":true, - "misp-attribute":"text", - "multiple":true, - "ui-priority":1, - "values_list":[ + "playbook-abstraction": { + "description": "The playbook’s level of abstraction (with regards to consumption).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1, + "values_list": [ + "template", + "executable" + ] + }, + "playbook-base64": { + "description": "The entire playbook file/document encoded in base64.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-creation-time": { + "description": "The date and time at which the playbook was originally created.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "playbook-creator": { + "description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-file": { + "description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).", + "misp-attribute": "attachment", + "ui-priority": 1 + }, + "playbook-id": { + "description": "A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.", + "disable_correlation": false, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-impact": { + "description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. 
In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-modification-time": { + "description": "The date and time at which the playbook was last modified.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "playbook-priority": { + "description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-severity": { + "description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-standard": { + "description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "playbook-type": { + "description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1, + "values_list": [ "notification", "detection", "investigation", 
@@ -42,105 +108,39 @@ "attack" ] }, - "organization-type":{ - "description":"The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.", - "disable_correlation":true, - "misp-attribute":"text", - "multiple":true, - "ui-priority":1 + "playbook-valid-from": { + "description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 }, - "labels":{ - "description":"Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.", - "disable_correlation":true, - "misp-attribute":"text", - "multiple":true, - "ui-priority":1 + "playbook-valid-until": { + "description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 }, - "playbook-standard":{ - "description":"The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 - }, - "playbook-abstraction":{ - "description":"The playbook’s level of abstraction (with regards to consumption).", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1, - "values_list":[ - "template", - "executable" - ] - }, - "playbook-creator":{ - "description":"The entity that created the playbook. It can be a natural person or an organization. 
It may be represented using a unique identifier that identifies the creator.", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 - }, - "playbook-creation-time":{ - "description":"The date and time at which the playbook was originally created.", - "disable_correlation":true, - "misp-attribute":"datetime", - "ui-priority":1 - }, - "playbook-modification-time":{ - "description":"The date and time at which the playbook was last modified.", - "disable_correlation":true, - "misp-attribute":"datetime", - "ui-priority":1 - }, - "playbook-impact":{ - "description":"From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 - }, - "playbook-priority":{ - "description":"From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 - }, - "playbook-severity":{ - "description":"From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. 
Severity values range from 1, the lowest severity, to a value of 100, the highest.", - "disable_correlation":true, - "misp-attribute":"text", - "ui-priority":1 - }, - "playbook-valid-from":{ - "description":"The date and time from which the playbook is considered valid and the steps that it contains can be executed.", - "disable_correlation":true, - "misp-attribute":"datetime", - "ui-priority":1 - }, - "playbook-valid-until":{ - "description":"The date and time from which the playbook should no longer be considered a valid playbook to be executed.", - "disable_correlation":true, - "misp-attribute":"datetime", - "ui-priority":1 - }, - "playbook-file":{ - "description":"The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).", - "misp-attribute":"attachment", - "ui-priority":1 - }, - "playbook-base64":{ - "description":"The entire playbook file/document encoded in base64.", - "misp-attribute":"text", - "ui-priority":1 + "revoked": { + "description": "A boolean that identifies if the playbook is no longer valid (revoked).", + "disable_correlation": true, + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], + "ui-priority": 1 } }, - "description":"The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", - "meta-category":"misc", - "name":"security-playbook", - "required":[ + "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.", + "meta-category": "misc", + "name": "security-playbook", + "required": [ "playbook-id" ], - "requiredOneOf":[ + "requiredOneOf": [ "playbook-file", "playbook-base64" ], - "uuid":"48894c92-447b-4abe-b093-360c4d823e9d", - "version":3 -} + "uuid": "48894c92-447b-4abe-b093-360c4d823e9d", + "version": 3 +} \ No newline at end of file 
From dac6d57e79988c55591b6e4ed16b3a110fdea05a Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Fri, 20 May 2022 15:50:31 +0200
Subject: [PATCH 076/112] Added some field from feedback
---
 objects/ransom-negotiation/definition.json | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index a92925c..6a0cd23 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
@@ -65,6 +65,7 @@
 "negotiations_screenshot": {
 "description": "Screenshot of the negotiations",
 "disable_correlation": true,
+ "multiple": true,
 "misp-attribute": "attachment",
 "ui-priority": 840
 },
@@ -74,6 +75,25 @@
 "misp-attribute": "text",
 "ui-priority": 850
 },
+ "chatsite": {
+ "description": "Chatsite where the negotiations take place",
+ "disable_correlation": true,
+ "to_ids": false,
+ "misp-attribute": "url",
+ "ui-priority": 835
+ },
+ "chatsite_id_public": {
+ "description": "Initial chat ID given by actor",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 834
+ },
+ "chatsite_id_private": {
+ "description": "Second, private, chat ID given by actor",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 833
+ },
 "pay_for_deletion": {
 "description": "Does the target need/want to pay for data deletion",
 "disable_correlation": true,
@@ -129,5 +149,5 @@
 "meta-category": "financial",
 "name": "ransom-negotiation",
 "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From f04caaa2c107f8dfdb26b4c17ea9ea4926504346 Mon Sep 17 00:00:00 2001
From: matthijsvp
Date: Fri, 20 May 2022 15:53:29 +0200
Subject: [PATCH 077/112] Added fields
---
 objects/ransom-negotiation/definition.json | 40 +++++++++++-----------
 1 file changed, 20 insertions(+), 20 deletions(-)
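Review bot: In the second hunk, `chatsite_id_private` is described only as `Second, private, chat ID given by actor`, and nothing in the definition marks it, `chatsite_id_public` or the `chatsite` URL as sensitive victim data; presumably the URL together with the private ID is what lets a party re-enter the victim's negotiation thread, so an object shared at the usual event distribution would hand that access to every receiving organisation. The description should carry that caveat, e.g. `"description": "Second, private, chat ID given by actor. Sensitive: treat as access to the negotiation chat and restrict distribution"`, with a similar sentence on `chatsite`. Setting `"to_ids": false` on the URL is the right call so the portal is never exported as a detection indicator; the two ID attributes lack the flag, and unless `text` attributes are already non-IDS by default in this schema, `"to_ids": false,` should be added to them as well.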
diff --git a/objects/ransom-negotiation/definition.json b/objects/ransom-negotiation/definition.json
index 6a0cd23..2d89d3d 100644
--- a/objects/ransom-negotiation/definition.json
+++ b/objects/ransom-negotiation/definition.json
@@ -12,6 +12,25 @@
 "misp-attribute": "float",
 "ui-priority": 920
 },
+ "chatsite": {
+ "description": "Chatsite where the negotiations take place",
+ "disable_correlation": true,
+ "misp-attribute": "url",
+ "to_ids": false,
+ "ui-priority": 835
+ },
+ "chatsite_id_private": {
+ "description": "Second, private, chat ID given by actor",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 833
+ },
+ "chatsite_id_public": {
+ "description": "Initial chat ID given by actor",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 834
+ },
 "currency": {
 "description": "The currency of the initial demand. Often USD or BTC.",
 "disable_correlation": true,
@@ -65,8 +84,8 @@
 "negotiations_screenshot": {
 "description": "Screenshot of the negotiations",
 "disable_correlation": true,
- "multiple": true,
 "misp-attribute": "attachment",
+ "multiple": true,
 "ui-priority": 840
 },
 "negotiations_transcript": {
@@ -75,25 +94,6 @@
 "misp-attribute": "text",
 "ui-priority": 850
 },
- "chatsite": {
- "description": "Chatsite where the negotiations take place",
- "disable_correlation": true,
- "to_ids": false,
- "misp-attribute": "url",
- "ui-priority": 835
- },
- "chatsite_id_public": {
- "description": "Initial chat ID given by actor",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 834
- },
- "chatsite_id_private": {
- "description": "Second, private, chat ID given by actor",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 833
- },
 "pay_for_deletion": {
 "description": "Does the target need/want to pay for data deletion",
 "disable_correlation": true,
From c62a113fecb2c04a386a23ab5a1163eb1e249c68 Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 20 May 2022 11:49:15 -0500
Subject: [PATCH 078/112] add new objects for spearphishing-link and spearphishing-attachment intel
---
 .../spearphishing-attachment/definition.json | 103 ++++++++++++++++++
 objects/spearphishing-link/definition.json | 49 +++++++++
 2 files changed, 152 insertions(+)
 create mode 100644 objects/spearphishing-attachment/definition.json
 create mode 100644 objects/spearphishing-link/definition.json
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json
new file mode 100644
index 0000000..85f909e
--- /dev/null
+++ b/objects/spearphishing-attachment/definition.json
@@ -0,0 +1,103 @@ +{ + "attributes": { + "artifact-dropped-md5": { + "description": "The MD5 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "md5", + "ui-priority": 1 + }, + "artifact-dropped-name": { + "description": "Name of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "filename", + "ui-priority": 0 + }, + "artifact-dropped-sha1": { + "description": "The SHA1 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "sha1", + "ui-priority": 1 + }, + "artifact-dropped-sha256": { + "description": "The SHA256 of an additional file that was either extracted from or downloaded by the attachment.", + "misp-attribute": "sha256", + "ui-priority": 1 + }, + "attachment-md5": { + "description": "The MD5 of the file that was attached to the e-mail itself.", + "misp-attribute": "md5", + "ui-priority": 1 + }, + "attachment-name": { + "description": "The name of the file that was attached to the e-mail itself.", + "misp-attribute": "filename", + "ui-priority": 0 + }, + "attachment-sha1": { + "description": "The SHA1 of the file that was attached to the e-mail itself.", + "misp-attribute": "sha1", + "ui-priority": 1 + }, + "attachment-sha256": { + "description": "The SHA256 of the file that was attached to the e-mail itself.", + "misp-attribute": "sha256", + "ui-priority": 1 + }, + "c2-domain": { + "description": "Command and control domain detected during analysis.", + "misp-attribute": "domain", + "ui-priority": 1 + }, + "c2-ip": { + "description": "Command and control IP address detected during analysis.", + "misp-attribute": "ip-dst", + "ui-priority": 1 + }, + "c2-url": { + "description": "Command and control URL detected during analysis.", + "misp-attribute": "url", + "ui-priority": 1 + }, + "email-sender": { + "description": "The source address from which the e-mail was sent.", + "misp-attribute": 
"email-src", + "ui-priority": 1 + }, + "malicious-url": { + "description": "Malicious URL that downloaded additional malware.", + "misp-attribute": "url", + "ui-priority": 1 + }, + "research-links": { + "description": "A link to an external analysis (VirusTotal, urlscan, etc.).", + "misp-attribute": "link", + "ui-priority": 0 + }, + "sender-ip": { + "description": "The source IP from which the e-mail was sent.", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "subject": { + "description": "The subject line of the e-mail.", + "misp-attribute": "email-subject", + "ui-priority": 1 + }, + "supporting-evidence": { + "description": "Description of the spearphish e-mail.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Spearphishing Attachment", + "meta-category": "network", + "name": "spearphishing-attachment", + "required": [ + "email-sender", + "subject" + ], + "requiredOneOf": [ + "attachment-md5", + "attachment-sha1", + "attachment-sha256" + ], + "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a", + "version": 20220520 +} \ No newline at end of file diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json new file mode 100644 index 0000000..89d65e3 --- /dev/null +++ b/objects/spearphishing-link/definition.json 
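Review bot: None of the artifact-dropped-*, attachment-*, c2-* or malicious-url attributes carry `"multiple": true`, so an attachment that drops several files or contacts several C2 hosts cannot be described in one object, and with more than one dropped artifact nothing pairs an `artifact-dropped-name` with its hashes. Either delegate dropped artifacts to linked `file` objects or at least add `"multiple": true,` to the `c2-domain`, `c2-ip`, `c2-url` and `malicious-url` entries. The free-text `supporting-evidence` and `research-links` attributes lack `"disable_correlation": true,` (compare `author` in the query object later in this series), so a shared VirusTotal link or boilerplate description will correlate events that have nothing in common. Since `email-sender` is required and, as far as I recall, `email-src` defaults to `to_ids` in MISP, its description should warn that the sender address is attacker-controlled and frequently spoofed before it is exported to an IDS.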
@@ -0,0 +1,49 @@
+{
+ "attributes": {
+ "email-sender": {
+ "description": "The source address from which the e-mail was sent.",
+ "misp-attribute": "email-src",
+ "ui-priority": 1
+ },
+ "embedded-link": {
+ "description": "The malicious URL in the e-mail body.",
+ "misp-attribute": "url",
+ "ui-priority": 1
+ },
+ "redirect-url": {
+ "description": "The redirect URL, if any, from the malicious embedded link.",
+ "misp-attribute": "url",
+ "ui-priority": 0
+ },
+ "research-links": {
+ "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ },
+ "sender-ip": {
+ "description": "The source IP from which the e-mail was sent.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "subject": {
+ "description": "The subject line of the e-mail.",
+ "misp-attribute": "email-subject",
+ "ui-priority": 1
+ },
+ "supporting-evidence": {
+ "description": "Description of the spearphish e-mail.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "Spearphishing Link",
+ "meta-category": "network",
+ "name": "spearphishing-link",
+ "required": [
+ "email-sender",
+ "subject",
+ "embedded-link"
+ ],
+ "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
+ "version": 20220520
+}
\ No newline at end of file
From 1c3aff42c500fc110a4000086beeba135ef28873 Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 20 May 2022 14:20:37 -0500
Subject: [PATCH 079/112] added date for tracking when e-mail was sent
---
 objects/spearphishing-attachment/definition.json | 8 +++++++-
 objects/spearphishing-link/definition.json | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json
index 85f909e..6557974 100644
--- a/objects/spearphishing-attachment/definition.json
+++ b/objects/spearphishing-attachment/definition.json
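Review bot: `redirect-url` is described as "the redirect URL, if any" but is single-valued, while a phishing link normally passes through a chain of redirectors; add `"multiple": true,` and describe it as the redirect chain in order, otherwise only one hop can be recorded. `embedded-link` could take the same flag, since one lure often carries the same destination under several anchors with different tracking parameters, and `required` still holds with it. `research-links` and `supporting-evidence` should carry `"disable_correlation": true,` so that a shared urlscan report or a boilerplate description does not correlate unrelated events. The spearphishing-attachment object created in the previous hunk has the same gaps, so whatever is chosen should be applied to both.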
@@ -55,6 +55,12 @@
 "misp-attribute": "url",
 "ui-priority": 1
 },
+ "date": {
+ "description": "Date and time the e-mail was sent.",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
 "email-sender": {
 "description": "The source address from which the e-mail was sent.",
 "misp-attribute": "email-src",
@@ -100,4 +106,4 @@
 ],
 "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
 "version": 20220520
-}
\ No newline at end of file
+}
diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json
index 89d65e3..5ea5977 100644
--- a/objects/spearphishing-link/definition.json
+++ b/objects/spearphishing-link/definition.json
@@ -1,5 +1,11 @@
 {
 "attributes": {
+ "date": {
+ "description": "Date and time e-mail was sent.",
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "ui-priority": 0
+ },
 "email-sender": {
 "description": "The source address from which the e-mail was sent.",
 "misp-attribute": "email-src",
@@ -46,4 +52,4 @@
 ],
 "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
 "version": 20220520
-}
\ No newline at end of file
+}
From 2b19a8099e5dd74fa1f1c66457bf90b68bcb0a5b Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 20 May 2022 14:24:40 -0500
Subject: [PATCH 080/112] formatting after jq_all_the_things
---
 objects/spearphishing-attachment/definition.json | 4 ++--
 objects/spearphishing-link/definition.json | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json
index 6557974..c438049 100644
--- a/objects/spearphishing-attachment/definition.json
+++ b/objects/spearphishing-attachment/definition.json
@@ -57,8 +57,8 @@
 },
 "date": {
 "description": "Date and time the e-mail was sent.",
- "misp-attribute": "text",
 "disable_correlation": true,
+ "misp-attribute": "text",
 "ui-priority": 0
 },
 "email-sender": {
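Review bot: The new `date` attribute stores a timestamp as `"misp-attribute": "text"`, which admits any free-form string with no timezone and nothing a consumer can sort or compare; MISP has a `datetime` attribute type for this, so `"misp-attribute": "datetime",` with a description such as `"Date and time the e-mail was sent (with timezone), taken from the Date header or the first Received header"` keeps the value machine-comparable across sharing partners. The same applies to the identical `date` block added to spearphishing-link further down in this group of hunks. The `Date:` header is attacker-controlled, so the description should say which timestamp is meant, otherwise two analysts will record different values for the same mail. `"disable_correlation": true` on it is right either way.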
@@ -106,4 +106,4 @@
 ],
 "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
 "version": 20220520
-}
+}
\ No newline at end of file
diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json
index 5ea5977..43c6053 100644
--- a/objects/spearphishing-link/definition.json
+++ b/objects/spearphishing-link/definition.json
@@ -2,8 +2,8 @@
 "attributes": {
 "date": {
 "description": "Date and time e-mail was sent.",
- "misp-attribute": "text",
 "disable_correlation": true,
+ "misp-attribute": "text",
 "ui-priority": 0
 },
 "email-sender": {
@@ -52,4 +52,4 @@
 ],
 "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
 "version": 20220520
-}
+}
\ No newline at end of file
From b99a0e939d87fba3c5c93e4a7ff8a2ec1ebb43cb Mon Sep 17 00:00:00 2001
From: iglocska
Date: Mon, 30 May 2022 18:07:25 +0200
Subject: [PATCH 081/112] chg: [domain-ip] added the multiple flag back to ports
- as discussed with @righel, if we allow multiple IPs we should also allow multiple ports
- we might revise this in the future if it causes issues, however, then we should also restrict the use of multiple IP addresses
---
 objects/domain-ip/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index f34bad2..865f817 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -44,6 +44,7 @@
 ],
 "description": "Associated TCP port with the domain",
 "misp-attribute": "port",
+ "multiple": true,
 "ui-priority": 1
 },
 "registration-date": {
@@ -69,5 +70,5 @@
 "hostname"
 ],
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
- "version": 10
+ "version": 11
 }
\ No newline at end of file
From cbfff75588519f1e090dfc2fe6dcbb748eec174f Mon Sep 17 00:00:00 2001
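Review bot: With `"multiple": true` on both the IP and the port, nothing in the object records which port belongs to which IP, and the commit message itself says the pairing may need revisiting; the `port` description should say so now so that consumers do not infer a cross-product of every IP with every port. Something like `"description": "Associated TCP port(s) with the domain; when several IPs and ports are listed, no pairing between them is implied",` on the context line above the added flag would do. The beginning of the `port` attribute (its `categories` list) lies outside the hunk. The version bump in the second hunk is correct.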
From: Alexandre Dulaunoy
Date: Fri, 17 Jun 2022 10:05:09 +0200
Subject: [PATCH 082/112] chg: [network-connection] add a counter following discussion with @chrisr3d
---
 objects/network-connection/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 16efe53..9d30c5a 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -5,6 +5,11 @@
 "misp-attribute": "community-id",
 "ui-priority": 1
 },
+ "count": {
+ "description": "Number of similar network connections seen",
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -102,5 +107,5 @@
 "community-id"
 ],
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
- "version": 3
+ "version": 4
 }
\ No newline at end of file
From 8215066c961e80cc15d8709336b2760d4c2b19c1 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 18 Jun 2022 16:10:41 +0200
Subject: [PATCH 083/112] chg: [report] add Zotero item types in addition to the default type
---
 objects/report/definition.json | 44 +++++++++++++++++++++++++++++-----
 1 file changed, 38 insertions(+), 6 deletions(-)
diff --git a/objects/report/definition.json b/objects/report/definition.json
index 0c8aba6..466fd92 100644
--- a/objects/report/definition.json
+++ b/objects/report/definition.json
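Review bot: "Number of similar network connections seen" leaves "similar" undefined — same 5-tuple, same community-id, same src/dst pair only — and says nothing about the observation window, so two producers will fill `count` with numbers that cannot be compared. Pin the aggregation key in the description, e.g. `"description": "Number of connections matching this object's src/dst/port/protocol tuple observed during the reported period",`, and name the time-window attribute the count is relative to if the object has one (the remaining attributes are outside this hunk, so I cannot check). As far as I recall `counter` is a non-correlating type in MISP, so no `disable_correlation` flag is needed here.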
@@ -36,14 +36,46 @@ "disable_correlation": true, "misp-attribute": "text", "sane_default": [ - "Report", "Alert", + "Artwork", + "Attachment", + "Audio", + "Bill", + "Blog", + "Book", + "Case", + "Conference", + "Dictionary", + "Document", + "Email", + "Encyclopedia", + "Film", + "Forum", + "Hearing", "Incident", + "Instant", + "Interview", + "Journal", + "Letter", + "Magazine", + "Manuscript", + "Map", + "Newspaper", + "Note", + "Online", "Operation", - "Press Article", - "Press Release", - "Online Article", - "Blog post" + "Patent", + "Podcast", + "Presentation", + "Press", + "Radio", + "Report", + "Software", + "Statute", + "Thesis", + "TV", + "Video", + "Webpage" ], "ui-priority": 100 } @@ -56,5 +88,5 @@ "link" ], "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", - "version": 5 + "version": 7 } \ No newline at end of file From 421f5f9cccbd9927abed9cade10601fa8ed00b80 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 18 Jun 2022 16:55:13 +0200 Subject: [PATCH 084/112] new: [stock] a first version of a stock market object to describe stock in MISP --- objects/stock/definition.json | 325 ++++++++++++++++++++++++++++++++++ 1 file changed, 325 insertions(+) create mode 100644 objects/stock/definition.json diff --git a/objects/stock/definition.json b/objects/stock/definition.json new file mode 100644 index 0000000..6668e25 --- /dev/null +++ b/objects/stock/definition.json 
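Review bot: Several entries in the new `sane_default` list are multi-word names cut to their first word — "Instant", "Online", "Press", "Journal", "Magazine", "Newspaper", "Conference" — which lose their meaning ("Instant Message", "Journal Article", "Conference Paper") and silently replace the previously listed "Press Article", "Press Release", "Online Article" and "Blog post", so reports already carrying those strings no longer match any default value. Restore the full names, e.g. `"Journal Article",`, `"Press Article",`, `"Press Release",`, `"Online Article",`, `"Blog Post",`, in place of the truncated entries. The version also jumps from 5 to 7 in the second hunk; harmless if 6 was never published, but worth a check.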
@@ -0,0 +1,325 @@ +{ + "attributes": { + "bloomberg-exchange-code": { + "description": "Bloomberg Exchange Code", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "AB", + "AF", + "AO", + "AT", + "AV", + "BB", + "BC", + "BD", + "BI", + "BQ", + "BS", + "CC", + "CF", + "CG", + "CK", + "CS", + "CT", + "CV", + "CX", + "CY", + "DB", + "DC", + "DH", + "DU", + "EB", + "EC", + "FH", + "FP", + "GA", + "GB", + "GD", + "GF", + "GH", + "GI", + "GM", + "GS", + "GY", + "HB", + "HK", + "IB", + "ID", + "IJ", + "IM", + "IS", + "IT", + "IX", + "JR", + "JT", + "KK", + "KN", + "KP", + "KQ", + "LI", + "LN", + "LX", + "MC", + "MK", + "MM", + "MT", + "NA", + "NG", + "NL", + "NO", + "NS", + "NZ", + "OM", + "PE", + "PK", + "PL", + "PM", + "PO", + "PW", + "QD", + "QF", + "QT", + "RE", + "RF", + "RX", + "SE", + "SJ", + "SL", + "SM", + "SP", + "SS", + "SV", + "SY", + "TB", + "TG", + "TI", + "TQ", + "TT", + "UA", + "UF", + "UN", + "UP", + "UQ", + "UR", + "UV", + "UW", + "VH", + "VM", + "VX", + "XB", + "ZA" + ], + "ui-priority": 10 + }, + "country": { + "description": "Country", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "currency": { + "description": "Currency", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "exchange": { + "description": "Exchange where the stock is traded (Google code)", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "AMS", + "ASX", + "ATH", + "BAK", + "BATS", + "BDP", + "BIT", + "BME", + "BMV", + "BOM", + "BVMF", + "CAI", + "CPH", + "DFM", + "EBR", + "ELI", + "EPA", + "ETR", + "FRA", + "HEL", + "HKG", + "IRE", + "IST", + "JAK", + "JNB", + "KAR", + "KOSDAQ", + "KRX", + "KUL", + "LON", + "MCX", + "NASDAQ", + "NSE", + "NYSE", + "NYSEAMERICAN", + "NYSEARCA", + "NZE", + "OTCMKTS", + "PRG", + "PSE", + "SGX", + "SHA", + "SHE", + "STO", + "SWX", + "TLV", + "TPE", + "TSE", + "TYO", + "VIE", + "VTX", + "WSE" + ], + 
"ui-priority": 0 + }, + "high-price": { + "description": "Highest price seen", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "iso-mic": { + "description": "ISO MIC", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "ARCX", + "BATE", + "BATS", + "BOAT", + "BVMF", + "CHIX", + "DIFX", + "DSMD", + "HSTC", + "MISX", + "MTAA", + "NEOE", + "NOTC", + "OOTC", + "ROCO", + "TOMX", + "TRQX", + "XADS", + "XAMM", + "XAMS", + "XASE", + "XASX", + "XATH", + "XBAH", + "XBER", + "XBKK", + "XBOG", + "XBOM", + "XBRU", + "XBRV", + "XBSE", + "XBUD", + "XBUE", + "XCAI", + "XCAS", + "XCNQ", + "XCOL", + "XCSE", + "XCYS", + "XDFM", + "XDHA", + "XDSE", + "XDUB", + "XDUS", + "XEQT", + "XETR", + "XFRA", + "XHAM", + "XHAN", + "XHEL", + "XHKG", + "XICE", + "XIDX", + "XIST", + "XJSE", + "XKAR", + "XKLS", + "XKOS", + "XKRX", + "XKUW", + "XLIM", + "XLIS", + "XLJU", + "XLON", + "XLUX", + "XMAD", + "XMEX", + "XMUN", + "XMUS", + "XNAI", + "XNCM", + "XNEC", + "XNGM", + "XNGS", + "XNMS", + "XNSA", + "XNSE", + "XNYS", + "XNZE", + "XOSL", + "XPAR", + "XPHS", + "XPOS", + "XPRA", + "XQTX", + "XSAU", + "XSES", + "XSGO", + "XSHE", + "XSHG", + "XSTC", + "XSTO", + "XSTU", + "XSWX", + "XTAE", + "XTAI", + "XTKS", + "XTSE", + "XTSX", + "XVTX", + "XWAR", + "XWBO", + "XZAG" + ], + "ui-priority": 10 + }, + "low-price": { + "description": "Lowest price seen", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 10 + }, + "symbol": { + "description": "Symbol of the stock", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Object to describe stock market", + "meta-category": "misc", + "name": "stock", + "requiredOneOf": [ + "symbol" + ], + "uuid": "9f5c1a68-2021-4faa-b409-61c899c86466", + "version": 1 +} \ No newline at end of file From 7ea63899dfa7ec2c7948f08593485dfffc75d10b Mon Sep 17 00:00:00 2001 
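Review bot: `high-price` and `low-price` are typed `"misp-attribute": "text"`, so they hold arbitrary strings that cannot be range-searched or compared; ransom-negotiation earlier in this series already uses a `float` attribute, and `"misp-attribute": "float",` fits here as well, with the unit given by `currency`. `exchange` is `"multiple": true` while `iso-mic` and `bloomberg-exchange-code` are not, although all three identify the same venue(s); make them consistent or keep a single venue attribute. `symbol` on its own is ambiguous because the same ticker exists on several exchanges, so its description should state whether the venue-qualified form is expected or whether it is to be read together with `exchange`/`iso-mic`. The three code lists are hand-copied free-text defaults that will drift from the upstream registries, so naming the source of the MIC list in the `iso-mic` description would help whoever maintains it.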
From: Alexandre Dulaunoy Date: Sat, 18 Jun 2022 16:58:49 +0200 Subject: [PATCH 085/112] chg: [stock] UUID fixed --- objects/stock/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/stock/definition.json b/objects/stock/definition.json index 6668e25..984fbe2 100644 --- a/objects/stock/definition.json +++ b/objects/stock/definition.json @@ -320,6 +320,6 @@ "requiredOneOf": [ "symbol" ], - "uuid": "9f5c1a68-2021-4faa-b409-61c899c86466", + "uuid": "dd3e00b2-977e-4cf4-9d12-0b009a00a721", "version": 1 -} \ No newline at end of file +} From 8fd41924dda8875a75f10f659a6ffe1951e9933b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 18 Jun 2022 17:00:13 +0200 Subject: [PATCH 086/112] chg: [stock] newline fixed --- objects/stock/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/stock/definition.json b/objects/stock/definition.json index 984fbe2..3105813 100644 --- a/objects/stock/definition.json +++ b/objects/stock/definition.json @@ -322,4 +322,4 @@ ], "uuid": "dd3e00b2-977e-4cf4-9d12-0b009a00a721", "version": 1 -} +} \ No newline at end of file From 4badc17a84a17aee057f5e4f23f89d9eebda9395 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 18 Jun 2022 20:57:14 +0200 Subject: [PATCH 087/112] chg: [doc] list of objects updated --- README.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a774b0a..50d58a6 100644 --- a/README.md +++ b/README.md 
@@ -127,6 +127,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. +- [objects/cloth](https://github.com/MISP/misp-objects/blob/main/objects/cloth/definition.json) - Describes clothes a natural person wears. - [objects/coin-address](https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json) - An address used in a cryptocurrency. - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands. - [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not. 
@@ -146,7 +147,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/cytomic-orion-file](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json) - Cytomic Orion File Detection. - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection. - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern. -- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy. +- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM. 
@@ -158,6 +159,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format. - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information. - [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points. +- [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance. - [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. - [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account. - [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group. 
@@ -222,6 +224,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ftm-Vessel](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or ship. - [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - . - [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - . +- [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware. - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location. - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. 
@@ -285,6 +288,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable. - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable. - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity. +- [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity. - [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature. - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit. 
@@ -295,6 +299,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/publication](https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json) - An object to describe a book, journal, or academic publication. - [objects/python-etvx-event-log](https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json) - Event log object template to share information of the activities conducted on a system. . - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml. +- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents. - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account. - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment. - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post. 
@@ -330,20 +335,24 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/scrippsco2-o18-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-daily/definition.json) - Daily average O18 concentrations (ppm) derived from flask air samples. - [objects/scrippsco2-o18-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json) - Monthly average O18 concentrations (ppm) derived from flask air samples. - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. -- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense. +- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows. - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP. - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. 
Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply. - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target. - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel. - [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14. +- [objects/spearphishing-attachment](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-attachment/definition.json) - Spearphishing Attachment. +- [objects/spearphishing-link](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-link/definition.json) - Spearphishing Link. - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object. - [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks. - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file. - [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +- [objects/stock](https://github.com/MISP/misp-objects/blob/main/objects/stock/definition.json) - Object to describe stock market. 
- [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description. - [objects/suricata](https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json) - An object describing one or more Suricata rule(s) along with version and contextual information. - [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +- [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body. - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account. - [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid. - [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report. From 07b6883c93a2b227835a832e0ad154425a781824 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Sat, 25 Jun 2022 11:37:41 +0200 Subject: [PATCH 088/112] new: [query] query object to describe search queries on SIEM and other tools MISP object template designed following requests and especially this twitter thread: https://twitter.com/castello_johnny/status/1540610057263628289 I added a list of sane default based on the ones I have seen being used: "sane_default": [ "event query language (eql)", "keyword query language (kql)", "Query DSL", "Query (Elastic Search)", "Sigma", "Lucene query", "Google search query", "Ariel Query Language (qradar)", "Grep", "Devo LINQ" ], Thanks to Gianni Castaldi and others for ideas. The object can be expanded and improved over the time and the needs to share new queries. --- objects/query/definition.json | 51 +++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 objects/query/definition.json diff --git a/objects/query/definition.json b/objects/query/definition.json new file mode 100644 index 0000000..45e0e1c --- /dev/null +++ b/objects/query/definition.json 
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "author": {
+ "description": "Author of the query",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "comment": {
+ "description": "A description of the query rule.",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "format": {
+ "description": "Format of the query.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "event query language (eql)",
+ "keyword query language (kql)",
+ "Query DSL",
+ "Query (Elastic Search)",
+ "Sigma",
+ "Lucene query",
+ "Google search query",
+ "Ariel Query Language (qradar)",
+ "Grep",
+ "Devo LINQ"
+ ],
+ "ui-priority": 0
+ },
+ "query": {
+ "description": "Query rule in the format specified in the format field.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "query-rule-name": {
+ "description": "Query rule name.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "An object describing a query, along with its format.",
+ "meta-category": "misc",
+ "name": "query",
+ "requiredOneOf": [
+ "query"
+ ],
+ "uuid": "006539b3-f68a-4a02-a213-e600762d39b5",
+ "version": 1
+}
\ No newline at end of file
From fd58bdd7b7dc505c28e195477280602f986da7e3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sat, 25 Jun 2022 11:56:15 +0200
Subject: [PATCH 089/112] chg: [query] add missing SPL language (Splunk) format
Thanks to https://twitter.com/nbareil/status/1540633706959863813 @nbareil
---
 objects/query/definition.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/objects/query/definition.json b/objects/query/definition.json
index 45e0e1c..bf257f7 100644
--- a/objects/query/definition.json
+++ b/objects/query/definition.json
@@ -20,6 +20,7 @@
 "keyword query language (kql)",
 "Query DSL",
 "Query (Elastic Search)",
+ "Search Processing Language - SPL (Splunk)",
 "Sigma",
 "Lucene query",
 "Google search query",
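Review bot: The `format` defaults mix conventions — lowercase with the abbreviation in parentheses for "event query language (eql)" and "keyword query language (kql)", capitalised product names elsewhere, "Query DSL" and "Query (Elastic Search)" near-duplicates — and because `format` is free `text`, every variant an analyst types becomes a distinct value that cannot be searched together; one pattern such as `"Event Query Language - EQL (Elastic)",`, `"Keyword Query Language - KQL (Kibana)",`, `"Ariel Query Language - AQL (IBM QRadar)",` would make the list self-describing. `query-rule-name` lacks the `"disable_correlation": true,` that `author` has, so generic names like "suspicious powershell" will correlate unrelated events. A shared `query` is content the consumer will run in its SIEM, and some of these languages (SPL, for one) have commands with side effects, so the `query` description should say the text is shared as-is and must be reviewed before execution. There is also no attribute for the product version the query was validated against, which matters for dialects that change between releases.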
@@ -47,5 +48,5 @@ "query" ], "uuid": "006539b3-f68a-4a02-a213-e600762d39b5", - "version": 1 + "version": 2 } \ No newline at end of file From 91e1c8bdcd0dfd093b767be5b708f8657d2df046 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 25 Jun 2022 19:20:13 +0200 Subject: [PATCH 090/112] chg: [query] add Kusto Query Language (KQL) Ref: https://twitter.com/castello_johnny/status/1540732973753847808 --- objects/query/definition.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/objects/query/definition.json b/objects/query/definition.json index bf257f7..a1c9c6a 100644 --- a/objects/query/definition.json +++ b/objects/query/definition.json @@ -18,6 +18,7 @@ "sane_default": [ "event query language (eql)", "keyword query language (kql)", + "Kusto Query Language", "Query DSL", "Query (Elastic Search)", "Search Processing Language - SPL (Splunk)", @@ -48,5 +49,5 @@ "query" ], "uuid": "006539b3-f68a-4a02-a213-e600762d39b5", - "version": 2 + "version": 3 } \ No newline at end of file From 9b0a9cd9eb0b82e56f87430296136ab018c2d289 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 30 Jun 2022 17:12:25 +0200 Subject: [PATCH 091/112] chg: [ftm-Call] fixed missing description --- objects/ftm-Call/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/ftm-Call/definition.json b/objects/ftm-Call/definition.json index 2aff940..74249d4 100644 --- a/objects/ftm-Call/definition.json +++ b/objects/ftm-Call/definition.json @@ -113,9 +113,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Phone call object template including the call and all associated meta-data.", "meta-category": "followthemoney", "name": "ftm-Call", "uuid": "4ad4661a-59bb-4171-a47b-18d9e7b6d6d7", - "version": 1 + "version": 2 } \ No newline at end of file From 85dd164dbb52382eecf70a5a313a9859fc41bd04 Mon Sep 17 00:00:00 2001 
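Review bot: `"Kusto Query Language"` is inserted two lines below `"keyword query language (kql)"`, which already claims the KQL acronym, so the `format` defaults now hold two languages a sharer would both call "KQL"; assuming the existing entry refers to Kibana's query language, the two syntaxes are not interchangeable and a rule tagged with the wrong one will not run at the receiving end. I would make the vendor part of both names, e.g. `"Kusto Query Language - KQL (Azure)"` and `"Kibana Query Language (KQL)"` — worth confirming which language the original entry was meant to be. Applying the pattern already used for `"Search Processing Language - SPL (Splunk)"` to every entry would keep the list self-explanatory.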
From: Alexandre Dulaunoy Date: Thu, 30 Jun 2022 17:19:33 +0200 Subject: [PATCH 092/112] fix: [ftm] missing description fix #363 --- objects/ftm-Airplane/definition.json | 4 ++-- objects/ftm-Assessment/definition.json | 4 ++-- objects/ftm-Asset/definition.json | 4 ++-- objects/ftm-Audio/definition.json | 4 ++-- objects/ftm-BankAccount/definition.json | 4 ++-- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/objects/ftm-Airplane/definition.json b/objects/ftm-Airplane/definition.json index de14854..275a00b 100644 --- a/objects/ftm-Airplane/definition.json +++ b/objects/ftm-Airplane/definition.json @@ -239,12 +239,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "An airplane, helicopter or other flying vehicle.", "meta-category": "followthemoney", "name": "ftm-Airplane", "required": [ "name" ], "uuid": "ea720b4a-8849-44a5-a150-eab87b86de2c", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Assessment/definition.json b/objects/ftm-Assessment/definition.json index 7a83564..4f5e763 100644 --- a/objects/ftm-Assessment/definition.json +++ b/objects/ftm-Assessment/definition.json @@ -169,12 +169,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Assessment with meta-data.", "meta-category": "followthemoney", "name": "ftm-Assessment", "required": [ "name" ], "uuid": "25330bcb-d629-4d81-bbb9-51cead65175d", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Asset/definition.json b/objects/ftm-Asset/definition.json index c8bd8d5..3109e20 100644 --- a/objects/ftm-Asset/definition.json +++ b/objects/ftm-Asset/definition.json @@ -183,12 +183,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "A piece of property which can be owned and assigned a monetary value.", "meta-category": "followthemoney", "name": "ftm-Asset", "required": [ "name" ], "uuid": "ece6a00c-2f42-4186-bc96-5254aec002a7", - "version": 1 + "version": 2 } \ No newline at end of file 
diff --git a/objects/ftm-Audio/definition.json b/objects/ftm-Audio/definition.json index 0421000..c2dd9a5 100644 --- a/objects/ftm-Audio/definition.json +++ b/objects/ftm-Audio/definition.json @@ -358,12 +358,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Audio with meta-data.", "meta-category": "followthemoney", "name": "ftm-Audio", "required": [ "name" ], "uuid": "92acc7f9-cb98-4b60-93c0-06be77843968", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-BankAccount/definition.json b/objects/ftm-BankAccount/definition.json index aa57343..bdf475b 100644 --- a/objects/ftm-BankAccount/definition.json +++ b/objects/ftm-BankAccount/definition.json @@ -232,12 +232,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.", "meta-category": "followthemoney", "name": "ftm-BankAccount", "required": [ "name" ], "uuid": "c51ed099-a628-46ee-ad8f-ffed866b6b8d", - "version": 1 + "version": 2 } \ No newline at end of file From db5033f385d4010fd2edcd9061dc65bea3ea355d Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 30 Jun 2022 17:43:44 +0200 Subject: [PATCH 093/112] fix: [ftm-*] Fixing missing description - #363 --- objects/ftm-CourtCase/definition.json | 2 +- objects/ftm-CourtCaseParty/definition.json | 2 +- objects/ftm-Directorship/definition.json | 2 +- objects/ftm-Document/definition.json | 2 +- objects/ftm-Documentation/definition.json | 2 +- objects/ftm-Email/definition.json | 2 +- objects/ftm-Event/definition.json | 2 +- objects/ftm-Folder/definition.json | 2 +- objects/ftm-HyperText/definition.json | 2 +- objects/ftm-Image/definition.json | 2 +- objects/ftm-Land/definition.json | 2 +- objects/ftm-Membership/definition.json | 4 ++-- objects/ftm-Message/definition.json | 2 +- objects/ftm-Organization/definition.json | 2 +- objects/ftm-Ownership/definition.json | 4 ++-- objects/ftm-Package/definition.json | 4 ++-- objects/ftm-Page/definition.json | 4 ++-- objects/ftm-Pages/definition.json | 4 ++-- objects/ftm-PlainText/definition.json | 4 ++-- objects/ftm-Row/definition.json | 4 ++-- objects/ftm-Table/definition.json | 4 ++-- objects/ftm-UnknownLink/definition.json | 4 ++-- objects/ftm-UserAccount/definition.json | 4 ++-- objects/ftm-Vehicle/definition.json | 4 ++-- objects/ftm-Video/definition.json | 4 ++-- objects/ftm-Workbook/definition.json | 4 ++-- 26 files changed, 39 insertions(+), 39 deletions(-) diff --git a/objects/ftm-CourtCase/definition.json b/objects/ftm-CourtCase/definition.json index 07390a8..a911fde 100644 --- a/objects/ftm-CourtCase/definition.json +++ b/objects/ftm-CourtCase/definition.json @@ -204,7 +204,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Court case", "meta-category": "followthemoney", "name": "ftm-CourtCase", "required": [ diff --git a/objects/ftm-CourtCaseParty/definition.json b/objects/ftm-CourtCaseParty/definition.json index 0030a7d..a65e00d 100644 --- a/objects/ftm-CourtCaseParty/definition.json +++ b/objects/ftm-CourtCaseParty/definition.json 
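Review bot: The `ftm-CourtCase` hunk replaces `"description": ""` but leaves `version` untouched (the diffstat lists it as `2 +-`, one line swapped), unlike `ftm-Membership`, `ftm-Ownership` and the later files in this commit that also carry `- "version": 1` / `+ "version": 2`. MISP instances typically decide whether to refresh an object template by comparing its version, so an edited template with an unchanged version is likely to be skipped on update — hedged, since the loader is not visible here. The same applies to every other `2 +-` file in this diffstat (CourtCaseParty through Organization); adding `"version": 2` to each would make the commit consistent with itself. Separately, descriptions such as `"Court case"` only restate the template name; a sentence on scope, as `ftm-BankAccount` received in the previous commit, would be more useful to sharers.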
@@ -106,7 +106,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Court Case Party", "meta-category": "followthemoney", "name": "ftm-CourtCaseParty", "uuid": "9f00c22f-348b-48a9-996b-3ba30de851fe", diff --git a/objects/ftm-Directorship/definition.json b/objects/ftm-Directorship/definition.json index b323c7a..3610b21 100644 --- a/objects/ftm-Directorship/definition.json +++ b/objects/ftm-Directorship/definition.json @@ -113,7 +113,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Directorship", "meta-category": "followthemoney", "name": "ftm-Directorship", "uuid": "9d9b0af9-9c8c-42c4-8210-388dc3824239", diff --git a/objects/ftm-Document/definition.json b/objects/ftm-Document/definition.json index 10d2249..857c530 100644 --- a/objects/ftm-Document/definition.json +++ b/objects/ftm-Document/definition.json @@ -344,7 +344,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Document", "meta-category": "followthemoney", "name": "ftm-Document", "required": [ diff --git a/objects/ftm-Documentation/definition.json b/objects/ftm-Documentation/definition.json index 143e2f3..86830b6 100644 --- a/objects/ftm-Documentation/definition.json +++ b/objects/ftm-Documentation/definition.json @@ -106,7 +106,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Documentation", "meta-category": "followthemoney", "name": "ftm-Documentation", "uuid": "a5a0c1dd-4438-4520-875d-1e7cf4bcda7d", diff --git a/objects/ftm-Email/definition.json b/objects/ftm-Email/definition.json index 543d8e6..6c142d1 100644 --- a/objects/ftm-Email/definition.json +++ b/objects/ftm-Email/definition.json @@ -421,7 +421,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Email", "meta-category": "followthemoney", "name": "ftm-Email", "required": [ diff --git a/objects/ftm-Event/definition.json b/objects/ftm-Event/definition.json index 3117613..d77e26f 100644 --- a/objects/ftm-Event/definition.json +++ b/objects/ftm-Event/definition.json 
@@ -267,7 +267,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Event", "meta-category": "followthemoney", "name": "ftm-Event", "required": [ diff --git a/objects/ftm-Folder/definition.json b/objects/ftm-Folder/definition.json index 1a497a2..3c0113c 100644 --- a/objects/ftm-Folder/definition.json +++ b/objects/ftm-Folder/definition.json @@ -344,7 +344,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Folder", "meta-category": "followthemoney", "name": "ftm-Folder", "required": [ diff --git a/objects/ftm-HyperText/definition.json b/objects/ftm-HyperText/definition.json index 9548c78..7539e52 100644 --- a/objects/ftm-HyperText/definition.json +++ b/objects/ftm-HyperText/definition.json @@ -358,7 +358,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "HyperText", "meta-category": "followthemoney", "name": "ftm-HyperText", "required": [ diff --git a/objects/ftm-Image/definition.json b/objects/ftm-Image/definition.json index 38cdc9f..c1bbc72 100644 --- a/objects/ftm-Image/definition.json +++ b/objects/ftm-Image/definition.json @@ -351,7 +351,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Image", "meta-category": "followthemoney", "name": "ftm-Image", "required": [ diff --git a/objects/ftm-Land/definition.json b/objects/ftm-Land/definition.json index 2270464..26e087a 100644 --- a/objects/ftm-Land/definition.json +++ b/objects/ftm-Land/definition.json @@ -267,7 +267,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Land", "meta-category": "followthemoney", "name": "ftm-Land", "required": [ diff --git a/objects/ftm-Membership/definition.json b/objects/ftm-Membership/definition.json index 96c180a..855ede9 100644 --- a/objects/ftm-Membership/definition.json +++ b/objects/ftm-Membership/definition.json 
@@ -106,9 +106,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Membership", "meta-category": "followthemoney", "name": "ftm-Membership", "uuid": "42dbbf3a-8c60-483c-a395-44aaaefc77d1", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Message/definition.json b/objects/ftm-Message/definition.json index a0ab88b..988e6d0 100644 --- a/objects/ftm-Message/definition.json +++ b/objects/ftm-Message/definition.json @@ -407,7 +407,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Message", "meta-category": "followthemoney", "name": "ftm-Message", "required": [ diff --git a/objects/ftm-Organization/definition.json b/objects/ftm-Organization/definition.json index 9d4558f..2869e69 100644 --- a/objects/ftm-Organization/definition.json +++ b/objects/ftm-Organization/definition.json @@ -316,7 +316,7 @@ "ui-priority": 0 } }, - "description": "", + "description": "Organization", "meta-category": "followthemoney", "name": "ftm-Organization", "required": [ diff --git a/objects/ftm-Ownership/definition.json b/objects/ftm-Ownership/definition.json index 5c9d760..0c73599 100644 --- a/objects/ftm-Ownership/definition.json +++ b/objects/ftm-Ownership/definition.json @@ -155,9 +155,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Ownership", "meta-category": "followthemoney", "name": "ftm-Ownership", "uuid": "2a09b445-c638-40e1-8f52-b95c9156f4d8", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Package/definition.json b/objects/ftm-Package/definition.json index 5bc88c3..dd4ed63 100644 --- a/objects/ftm-Package/definition.json +++ b/objects/ftm-Package/definition.json @@ -344,12 +344,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Package", "meta-category": "followthemoney", "name": "ftm-Package", "required": [ "name" ], "uuid": "f9f13fd9-797c-4e2e-aa17-0ca4a0a60f5c", - "version": 1 + "version": 2 } \ No newline at end of file 
diff --git a/objects/ftm-Page/definition.json b/objects/ftm-Page/definition.json index c8babad..609fda4 100644 --- a/objects/ftm-Page/definition.json +++ b/objects/ftm-Page/definition.json @@ -29,9 +29,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Page", "meta-category": "followthemoney", "name": "ftm-Page", "uuid": "2d9d7605-5105-445e-9ee8-9e39ad34c5c9", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Pages/definition.json b/objects/ftm-Pages/definition.json index 8f2eeee..e139c23 100644 --- a/objects/ftm-Pages/definition.json +++ b/objects/ftm-Pages/definition.json @@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Pages", "meta-category": "followthemoney", "name": "ftm-Pages", "required": [ "name" ], "uuid": "8e567eab-d893-4a38-9dd9-73442f15ede7", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-PlainText/definition.json b/objects/ftm-PlainText/definition.json index b87fa12..dfc0f0b 100644 --- a/objects/ftm-PlainText/definition.json +++ b/objects/ftm-PlainText/definition.json @@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Plaintext", "meta-category": "followthemoney", "name": "ftm-PlainText", "required": [ "name" ], "uuid": "8f260d94-c712-4fdd-a463-6b2487f8a80d", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Row/definition.json b/objects/ftm-Row/definition.json index b290e55..2895849 100644 --- a/objects/ftm-Row/definition.json +++ b/objects/ftm-Row/definition.json @@ -22,9 +22,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Row", "meta-category": "followthemoney", "name": "ftm-Row", "uuid": "282c0f7c-be66-41be-a709-b35032016829", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Table/definition.json b/objects/ftm-Table/definition.json index a859e23..540e53a 100644 --- a/objects/ftm-Table/definition.json 
+++ b/objects/ftm-Table/definition.json @@ -365,12 +365,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Table", "meta-category": "followthemoney", "name": "ftm-Table", "required": [ "name" ], "uuid": "5ac61342-9fa9-4f07-a578-261709633358", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-UnknownLink/definition.json b/objects/ftm-UnknownLink/definition.json index 28bdaf2..e951e77 100644 --- a/objects/ftm-UnknownLink/definition.json +++ b/objects/ftm-UnknownLink/definition.json @@ -106,9 +106,9 @@ "ui-priority": 0 } }, - "description": "", + "description": "Unknown Link", "meta-category": "followthemoney", "name": "ftm-UnknownLink", "uuid": "16a29891-df0f-42f7-b466-8b4b718acbfa", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-UserAccount/definition.json b/objects/ftm-UserAccount/definition.json index fd839db..a8e6c79 100644 --- a/objects/ftm-UserAccount/definition.json +++ b/objects/ftm-UserAccount/definition.json @@ -190,12 +190,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "User Account", "meta-category": "followthemoney", "name": "ftm-UserAccount", "required": [ "name" ], "uuid": "094943f5-41c5-4fad-9d61-60d82bce49b1", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Vehicle/definition.json b/objects/ftm-Vehicle/definition.json index 6a5f0c6..284f4a5 100644 --- a/objects/ftm-Vehicle/definition.json +++ b/objects/ftm-Vehicle/definition.json @@ -218,12 +218,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Vehicle", "meta-category": "followthemoney", "name": "ftm-Vehicle", "required": [ "name" ], "uuid": "82378b01-aad3-416b-b678-7af7140f6629", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Video/definition.json b/objects/ftm-Video/definition.json index ac49f27..6dd30a2 100644 --- a/objects/ftm-Video/definition.json +++ b/objects/ftm-Video/definition.json 
@@ -351,12 +351,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Video", "meta-category": "followthemoney", "name": "ftm-Video", "required": [ "name" ], "uuid": "af4821a6-712f-49d7-8297-92eb8c3b75f1", - "version": 1 + "version": 2 } \ No newline at end of file diff --git a/objects/ftm-Workbook/definition.json b/objects/ftm-Workbook/definition.json index 932164c..1cda212 100644 --- a/objects/ftm-Workbook/definition.json +++ b/objects/ftm-Workbook/definition.json @@ -344,12 +344,12 @@ "ui-priority": 0 } }, - "description": "", + "description": "Workbook", "meta-category": "followthemoney", "name": "ftm-Workbook", "required": [ "name" ], "uuid": "ebedfb2a-c666-4870-9b77-baedb1c34dac", - "version": 1 + "version": 2 } \ No newline at end of file From 593d80abd1f0f840be6f0317f454144d8938151d Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 1 Jul 2022 16:43:22 +0200 Subject: [PATCH 094/112] initial commit --- objects/attack-step/definition.json | 83 +++++++++++++++++++++++++++++ 1 file changed, 83 insertions(+) create mode 100644 objects/attack-step/definition.json diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json new file mode 100644 index 0000000..b0f5573 --- /dev/null +++ b/objects/attack-step/definition.json 
@@ -0,0 +1,83 @@
+{
+ "attributes": {
+ "source-ip": {
+ "description": "IP source of the attack step, if any.",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "source-domain": {
+ "description": "Domain source of the attack step, if any.",
+ "misp-attribute": "domain",
+ "ui-priority": 1
+ },
+ "source-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "dst-ip": {
+ "description": "IP destination of the attack step, if any.",
+ "misp-attribute": "ip-dst",
+ "disable-correlation": true,
+ "ui-priority": 1
+ },
+ "dst-domain": {
+ "description": "Domain destination of the attack step, if any.",
+ "misp-attribute": "domain",
+ "disable-correlation": true,
+ "ui-priority": 1
+ },
+ "dst-misc": {
+ "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description of the attack step",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "command-line": {
+ "description": "Command line used to execute attack step, if any.",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "succesful": {
+ "description": "Was this attack step succesful?",
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
+ "ui-priority": 1
+ },
+ "key-step": {
+ "description": "Was this attack step object a key step within the context of the incident/event?",
+ "misp-attribute": "boolean",
+ "sane_default": [
+ "True",
+ "False"
+ ],
+ "ui-priority": 1
+ },
+ "detections": {
+ "description": "Detections by the victim's monitoring capabilities.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "expected-response": {
+ "description": "Response or detection expected (in case of purple teaming)",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
+ "meta-category": "misc",
+ "name": "attack-step",
+ "requiredOneOf": [
+ "description"
+ ],
+ "uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
+ "version": 1
+}
\ No newline at end of file
From 896fb727358366b949dfa74b9321d979c6e53e62 Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 1 Jul 2022 16:47:23 +0200 Subject: [PATCH 095/112] Merge from master --- objects/attack-step/definition.json | 88 ++++++++++++++--------------- 1 file changed, 44 insertions(+), 44 deletions(-)
diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
index b0f5573..0c63e05 100644
--- a/objects/attack-step/definition.json
+++ b/objects/attack-step/definition.json
@@ -1,35 +1,9 @@
 {
 "attributes": {
- "source-ip": {
- "description": "IP source of the attack step, if any.",
- "misp-attribute": "ip-src",
- "ui-priority": 1
- },
- "source-domain": {
- "description": "Domain source of the attack step, if any.",
- "misp-attribute": "domain",
- "ui-priority": 1
- },
- "source-misc": {
- "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
- "misp-attribute": "text",
- "ui-priority": 1
- },
- "dst-ip": {
- "description": "IP destination of the attack step, if any.",
- "misp-attribute": "ip-dst",
- "disable-correlation": true,
- "ui-priority": 1
- },
- "dst-domain": {
- "description": "Domain destination of the attack step, if any.",
- "misp-attribute": "domain",
- "disable-correlation": true,
- "ui-priority": 1
- },
- "dst-misc": {
- "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "command-line": {
+ "description": "Command line used to execute attack step, if any.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 1
 },
 "description": {
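Review bot: The attribute key `"succesful"` (and its description `Was this attack step succesful?`) is misspelled; attribute names are the template's interface once it is published and cannot be renamed without orphaning existing objects, so it should become `"successful"` before this ships — the follow-up commits in this series only reorder keys and fix `disable-correlation`, they do not touch it. The `dst-misc` description reads `Other type of source of the attack step` where it should say destination, a copy-paste leftover from `source-misc`. The `uuid` `F86CD6C4-B89D-454A-95C1-165D456D8A74` is upper-case while every other template in this series uses lower-case UUIDs; if any consumer compares template UUIDs as plain strings the two forms will not match, so lower-casing it is the safe choice.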
@@ -37,19 +11,31 @@ "misp-attribute": "text", "ui-priority": 1 }, - "command-line": { - "description": "Command line used to execute attack step, if any.", - "multiple": true, + "detections": { + "description": "Detections by the victim's monitoring capabilities.", "misp-attribute": "text", "ui-priority": 1 }, - "succesful": { - "description": "Was this attack step succesful?", - "misp-attribute": "boolean", - "sane_default": [ - "True", - "False" - ], + "dst-domain": { + "description": "Domain destination of the attack step, if any.", + "disable-correlation": true, + "misp-attribute": "domain", + "ui-priority": 1 + }, + "dst-ip": { + "description": "IP destination of the attack step, if any.", + "disable-correlation": true, + "misp-attribute": "ip-dst", + "ui-priority": 1 + }, + "dst-misc": { + "description": "Other type of source of the attack step, if any. This can be e.g. localhost.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "expected-response": { + "description": "Response or detection expected (in case of purple teaming)", + "misp-attribute": "text", "ui-priority": 1 }, "key-step": { 
@@ -61,14 +47,28 @@ ], "ui-priority": 1 }, - "detections": { - "description": "Detections by the victim's monitoring capabilities.", + "source-domain": { + "description": "Domain source of the attack step, if any.", + "misp-attribute": "domain", + "ui-priority": 1 + }, + "source-ip": { + "description": "IP source of the attack step, if any.", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "source-misc": { + "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.", "misp-attribute": "text", "ui-priority": 1 }, - "expected-response": { - "description": "Response or detection expected (in case of purple teaming)", - "misp-attribute": "text", + "succesful": { + "description": "Was this attack step succesful?", + "misp-attribute": "boolean", + "sane_default": [ + "True", + "False" + ], "ui-priority": 1 } }, From 8e024f48636c6091585895df47d7cc1f1a73013f Mon Sep 17 00:00:00 2001 From: matthijsvp Date: Fri, 1 Jul 2022 16:59:03 +0200 Subject: [PATCH 096/112] chg: Fixed typo in disable_correlation --- objects/attack-step/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json index 0c63e05..ec30a13 100644 --- a/objects/attack-step/definition.json +++ b/objects/attack-step/definition.json @@ -18,13 +18,13 @@ }, "dst-domain": { "description": "Domain destination of the attack step, if any.", - "disable-correlation": true, + "disable_correlation": true, "misp-attribute": "domain", "ui-priority": 1 }, "dst-ip": { "description": "IP destination of the attack step, if any.", - "disable-correlation": true, + "disable_correlation": true, "misp-attribute": "ip-dst", "ui-priority": 1 }, From 73c246244830c6eb84b47ed49494f14ac1227699 Mon Sep 17 00:00:00 2001 
From: Delta-Sierra Date: Thu, 7 Jul 2022 15:17:34 +0200 Subject: [PATCH 097/112] Windows Scheduled Task Object - First draft --- objects/scheduled-task/definition.json | 103 +++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 objects/scheduled-task/definition.json diff --git a/objects/scheduled-task/definition.json b/objects/scheduled-task/definition.json new file mode 100644 index 0000000..724cf24 --- /dev/null +++ b/objects/scheduled-task/definition.json 
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "Start-time": {
+ "description": "Time when the task is triggered",
+ "misp-attribute": "datetime",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "author": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Who created the task",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "description": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Description of the task ",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "highest-privileges": {
+ "description": "Should the task run with the highest privileges",
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "location": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Location (Path) of the scheduled task on the computer",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "name": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Name of the scheduled task",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "password-stored": {
+ "description": "Should the password be stored (Only if log on is not mandatory)",
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "repeat": {
+ "categories": [
+ "Other"
+ ],
+ "description": "condition to repeat the task",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "run-when-user-logged-on-only": {
+ "description": "Should the task run if the user is logged on only",
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "running-account": {
+ "categories": [
+ "Other"
+ ],
+ "description": "User account used when running the task",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "trigger": {
+ "categories": [
+ "Other"
+ ],
+ "description": "when should the task being triggered",
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "On a schedule",
+ "At log on",
+ "At startup",
+ "On idle",
+ "On an event",
+ "At task creation/modification",
+ "On connection to user session",
+ "On disconnect from user session",
+ "On workstation lock",
+ "On workstation unlock"
+ ],
+ "ui-priority": 0
+ }
+ },
+ "description": "Windows scheduled task description",
+ "meta-category": "misc",
+ "name": "scheduled-task",
+ "requiredOneOf": [
+ "name",
+ "description"
+ ],
+ "uuid": "076f9362-23f7-4326-b370-a98e47531a44",
+ "version": 1
+}
\ No newline at end of file
From 50f61a03beb9aac4256a82348b5cb2f4ed6d1932 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 8 Jul 2022 15:03:27 +0200 Subject: [PATCH 098/112] chg: [scheduled-task] disable_correlation + clarification --- objects/scheduled-task/definition.json | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/objects/scheduled-task/definition.json b/objects/scheduled-task/definition.json
index 724cf24..07ead8f 100644
--- a/objects/scheduled-task/definition.json
+++ b/objects/scheduled-task/definition.json
@@ -2,6 +2,7 @@
 "attributes": {
 "Start-time": {
 "description": "Time when the task is triggered",
+ "disable_correlation": true,
 "misp-attribute": "datetime",
 "multiple": true,
 "ui-priority": 1
@@ -24,6 +25,7 @@
 },
 "highest-privileges": {
 "description": "Should the task run with the highest privileges",
+ "disable_correlation": true,
 "misp-attribute": "boolean",
 "ui-priority": 0
 },
@@ -31,7 +33,8 @@
 "categories": [
 "Other"
 ],
- "description": "Location (Path) of the scheduled task on the computer",
+ "description": "Location (Path including filename) of the scheduled task on the computer",
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 1
 },
@@ -45,6 +48,7 @@
 },
 "password-stored": {
 "description": "Should the password be stored (Only if log on is not mandatory)",
+ "disable_correlation": true,
 "misp-attribute": "boolean",
 "ui-priority": 0
 },
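Review bot: The attribute key `"Start-time"` is the only capitalised field name in this template (and in the templates in this series), and the README best practice added later in the series asks for lower-case names; keys become the template's interface on first release, so `"start-time"` should be fixed now rather than after objects exist. From a detection and forensics angle the template records who runs the task, when and with what privileges, but has no attribute for what the task executes — the action's program and arguments are the usual pivot when hunting scheduled-task persistence — so an `"action"` (or `"command-line"`) text attribute with `"multiple": true` would be worth adding. `requiredOneOf` also accepts `"description"` alone, which lets an object be created with neither a name nor a path; keeping `name` and `location` as the required alternatives would be tighter. Minor: the description string `"Description of the task "` carries a trailing space.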
@@ -53,11 +57,13 @@ "Other" ], "description": "condition to repeat the task", + "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "run-when-user-logged-on-only": { "description": "Should the task run if the user is logged on only", + "disable_correlation": true, "misp-attribute": "boolean", "ui-priority": 0 }, @@ -66,6 +72,7 @@ "Other" ], "description": "User account used when running the task", + "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, @@ -74,6 +81,7 @@ "Other" ], "description": "when should the task being triggered", + "disable_correlation": true, "misp-attribute": "text", "multiple": true, "sane_default": [ @@ -96,7 +104,8 @@ "name": "scheduled-task", "requiredOneOf": [ "name", - "description" + "description", + "location" ], "uuid": "076f9362-23f7-4326-b370-a98e47531a44", "version": 1 From ec00217098c20cdbb801fed3a785b0e80649cbc1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 28 Jul 2022 18:50:16 +0200 Subject: [PATCH 099/112] Best practices when creating MISP object templates --- README.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/README.md b/README.md index 50d58a6..9a0ebf6 100644 --- a/README.md +++ b/README.md 
@@ -413,6 +413,15 @@ Every object needs a **uuid** which can be created using **uuidgen -r** on a lin When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is run for validation, pull a request on this project. We usually merge the objects if it fits existing use-cases. +### Best practices when creating MISP object templates + +- Use lower-case name without underscore or special characters (except minus) for the field names +- Add a description in the object template explaining the scope and use-cases of your object templates +- If the object is the mapping of an existing format, add a reference into the description of the object template +- `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s). +- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). +- Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required. + ## MISP objects documentation The MISP objects are documented at the following location in [HTML](https://www.misp-project.org/objects.html) and [PDF](https://www.misp-project.org/objects.pdf). From 734d85337d22470ed3e77c154c8305149b23fa53 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 3 Aug 2022 11:44:37 +0200 Subject: [PATCH 100/112] new: [sigma] a sigma attribute exists in MISP but the object was missing to add some additional meta information. --- objects/sigma/definition.json | 47 +++++++++++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 objects/sigma/definition.json diff --git a/objects/sigma/definition.json b/objects/sigma/definition.json new file mode 100644 index 0000000..d106942 --- /dev/null +++ b/objects/sigma/definition.json 
@@ -0,0 +1,47 @@
+{
+ "attributes": {
+ "comment": {
+ "description": "A description of the Sigma rule.",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "context": {
+ "description": "Context where the Sigma rule can be applied",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "all",
+ "disk",
+ "memory",
+ "network",
+ "dns"
+ ],
+ "ui-priority": 0
+ },
+ "reference": {
+ "description": "Reference/origin of the Sigma rule.",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ },
+ "sigma": {
+ "description": "Sigma rule.",
+ "misp-attribute": "sigma",
+ "ui-priority": 0
+ },
+ "sigma-rule-name": {
+ "description": "Sigma rule name.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "An object describing a Sigma rule (or a Sigma rule name).",
+ "meta-category": "misc",
+ "name": "sigma",
+ "requiredOneOf": [
+ "sigma",
+ "sigma-rule-name"
+ ],
+ "uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
+ "version": 1
+}
\ No newline at end of file
From 9b9c8389616b516a2d5cbe41a4407b2e9d7f24d3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 3 Aug 2022 11:46:30 +0200
Subject: [PATCH 101/112] fix: [yara] add a reference link to the YARA object template
---
 objects/yara/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
index be27fac..fff3231 100644
--- a/objects/yara/definition.json
+++ b/objects/yara/definition.json
@@ -17,6 +17,11 @@
 ],
 "ui-priority": 0
 },
+ "reference": {
+ "description": "Reference or origin of the YARA rule.",
+ "misp-attribute": "link",
+ "ui-priority": 0
+ },
 "version": {
 "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
 "disable_correlation": true,
@@ -45,5 +50,5 @@
 "yara-rule-name"
 ],
 "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
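Review bot: `reference` in the new sigma template is a single-value `link` attribute, but a Sigma rule carries a `references` list, so `"multiple": true` is needed on it to record more than one origin without creating several objects; the `reference` attribute added to the yara template in the next patch (hunk `@@ -17,6 +17,11 @@`) has the same gap. The `context` attribute already sets `"multiple": true`, so this would also be consistent within the template. Elsewhere the sigma template follows the shape of the repository's other rule templates.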
From 66a9b8eee70ce3ac7ff5f2225cd7f78fe4630143 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 3 Aug 2022 11:48:05 +0200
Subject: [PATCH 102/112] chg: [doc] list of MISP object template updated
---
 README.md | 68 +++++++++++++++++++++++++++++--------------------------
 1 file changed, 36 insertions(+), 32 deletions(-)
diff --git a/README.md b/README.md
index 9a0ebf6..5f0a474 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1).
 - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
+- [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
 - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
 - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info.
 - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature.
@@ -172,58 +173,58 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
 - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
 - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
-- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - .
-- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - .
-- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - .
+- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - An airplane, helicopter or other flying vehicle.
+- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - Assessment with meta-data.
+- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - A piece of property which can be owned and assigned a monetary value.
 - [objects/ftm-Associate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Associate/definition.json) - Non-family association between two people.
-- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - .
-- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - .
-- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - .
+- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - Audio with meta-data.
+- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.
+- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - Phone call object template including the call and all associated meta-data.
 - [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective.
 - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). .
 - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier.
-- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - .
-- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - .
+- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - Court case.
+- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - Court Case Party.
 - [objects/ftm-Debt](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/definition.json) - A monetary debt between two parties.
-- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - .
-- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - .
-- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - .
+- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - Directorship.
+- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - Document.
+- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - Documentation.
 - [objects/ftm-EconomicActivity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-EconomicActivity/definition.json) - A foreign economic activity.
-- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - .
-- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - .
+- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - Email.
+- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - Event.
 - [objects/ftm-Family](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Family/definition.json) - Family relationship between two people.
-- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - .
-- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - .
-- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - .
-- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - .
+- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - Folder.
+- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - HyperText.
+- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - Image.
+- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - Land.
 - [objects/ftm-LegalEntity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-LegalEntity/definition.json) - A legal entity may be a person or a company.
 - [objects/ftm-License](https://github.com/MISP/misp-objects/blob/main/objects/ftm-License/definition.json) - A grant of land, rights or property. A type of Contract.
-- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - .
-- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - .
-- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - .
-- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - .
-- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - .
-- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - .
-- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - .
+- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - Membership.
+- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - Message.
+- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - Organization.
+- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - Ownership.
+- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - Package.
+- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - Page.
+- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - Pages.
 - [objects/ftm-Passport](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Passport/definition.json) - Passport.
 - [objects/ftm-Payment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Payment/definition.json) - A monetary payment between two parties.
 - [objects/ftm-Person](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Person/definition.json) - An individual.
-- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - .
+- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - Plaintext.
 - [objects/ftm-PublicBody](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PublicBody/definition.json) - A public body, such as a ministry, department or state company.
 - [objects/ftm-RealEstate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-RealEstate/definition.json) - A piece of land or property.
 - [objects/ftm-Representation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Representation/definition.json) - A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.
-- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - .
+- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - Row.
 - [objects/ftm-Sanction](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Sanction/definition.json) - A sanction designation.
 - [objects/ftm-Succession](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Succession/definition.json) - Two entities that legally succeed each other.
-- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - .
+- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - Table.
 - [objects/ftm-TaxRoll](https://github.com/MISP/misp-objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax declaration of an individual.
-- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - .
-- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - .
-- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - .
+- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - Unknown Link.
+- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - User Account.
+- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - Vehicle.
 - [objects/ftm-Vessel](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or ship.
-- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - .
-- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - .
+- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
+- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
 - [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
 - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
@@ -298,6 +299,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/process](https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json) - Object describing a system process.
 - [objects/publication](https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json) - An object to describe a book, journal, or academic publication.
 - [objects/python-etvx-event-log](https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json) - Event log object template to share information of the activities conducted on a system. .
+- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
 - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
 - [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
 - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
@@ -328,6 +330,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report.
 - [objects/sb-signature](https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json) - Sandbox detection signature.
 - [objects/scheduled-event](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json) - Event object template describing a gathering of individuals in meatspace.
+- [objects/scheduled-task](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-task/definition.json) - Windows scheduled task description.
 - [objects/scrippsco2-c13-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json) - Daily average C13 concentrations (ppm) derived from flask air samples.
 - [objects/scrippsco2-c13-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-monthly/definition.json) - Monthly average C13 concentrations (ppm) derived from flask air samples.
 - [objects/scrippsco2-co2-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-daily/definition.json) - Daily average CO2 concentrations (ppm) derived from flask air samples.
@@ -340,6 +343,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
 - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target.
+- [objects/sigma](https://github.com/MISP/misp-objects/blob/main/objects/sigma/definition.json) - An object describing a Sigma rule (or a Sigma rule name).
 - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel.
 - [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14.
 - [objects/spearphishing-attachment](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-attachment/definition.json) - Spearphishing Attachment.
From 2771e2681f814f25f774ecb655112267ddbfe6d3 Mon Sep 17 00:00:00 2001
From: Vasileios Mavroeidis <29202434+Vasileios-Mavroeidis@users.noreply.github.com>
Date: Wed, 24 Aug 2022 18:44:11 +0200
Subject: [PATCH 103/112] Update definition.json
Found the issue and updated the playbook-id attribute. It is not required anymore. We should not dictate producers generating this property since it can be used to correlate playbooks. The use case is: If we have a cacao playbook attached then we could have the UUIDV4 extracted from the "attachment" and put at the MISP security-playbook object attribute "playbook-id". Correlation is enabled if another security playbook object follows the same process while attaching the same CACAO playbook. If the attached playbook is a png then there is no way to associate it again with another security playbook object that has the same png as an attachment as we cannot know that. That would be possible only if the attachment had a machine-readable identifier. Another use case is to generate a hash and attach it to a property, but let's leave that for the future and if it is never needed or appears as a use case. Long story short the pull request improves the semantics of the object and correlations of different security playbook objects :)
---
 objects/security-playbook/definition.json | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index 4175874..15dc375 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -53,7 +53,7 @@
 "ui-priority": 1
 },
 "playbook-id": {
- "description": "A value that uniquely identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value). If not, the producer MAY generate a unique identifier for the playbook.",
+ "description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.",
 "disable_correlation": false,
 "misp-attribute": "text",
 "ui-priority": 1
@@ -134,13 +134,10 @@
 "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
 "meta-category": "misc",
 "name": "security-playbook",
- "required": [
- "playbook-id"
- ],
 "requiredOneOf": [
 "playbook-file",
 "playbook-base64"
 ],
 "uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
 "version": 3
-}
\ No newline at end of file
+}
From ec351176f94b1e4b2af6e23f7b901e6cafaea575 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Aug 2022 10:17:48 +0200
Subject: [PATCH 104/112] chg: [security-playbook] JSON fixed
---
 objects/security-playbook/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/security-playbook/definition.json b/objects/security-playbook/definition.json
index 15dc375..7752ef5 100644
--- a/objects/security-playbook/definition.json
+++ b/objects/security-playbook/definition.json
@@ -140,4 +140,4 @@
 ],
 "uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
 "version": 3
-}
+}
\ No newline at end of file
From 26c2767228d9a0ea11b40fcae5dc6ebc269f2641 Mon Sep 17 00:00:00 2001
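Review bot: The rewritten `playbook-id` description hedges uniqueness with a parenthesis, which leaves the contract unclear for a field that keeps `"disable_correlation": false` and is now optional; two objects that copy a non-unique value will still correlate, so the text should say which identifier producers are expected to copy, e.g. `"A value that identifies the playbook. If the playbook embeds its own identifier (for example a CACAO playbook id), playbook-id SHOULD reuse that value so that objects referring to the same playbook correlate; otherwise omit the attribute."`. Dropping `required` without bumping `version` (still `3` in the second hunk) may also leave instances that already loaded version 3 with the old, stricter template. Separately, the `+}` line in the second hunk adds a trailing newline that the following patch (104) immediately reverts; running `jq_all_the_things.sh` before committing keeps the file in the repository's no-trailing-newline form.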
From: goodlandsecurity
Date: Thu, 25 Aug 2022 15:56:36 -0500
Subject: [PATCH 105/112] allow multiple of certain types. bump version
---
 .../spearphishing-attachment/definition.json | 19 +++++++++++++++++--
 objects/spearphishing-link/definition.json | 10 ++++++++--
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json
index c438049..5dd791b 100644
--- a/objects/spearphishing-attachment/definition.json
+++ b/objects/spearphishing-attachment/definition.json
@@ -3,26 +3,31 @@
 "artifact-dropped-md5": {
 "description": "The MD5 of an additional file that was either extracted from or downloaded by the attachment.",
 "misp-attribute": "md5",
+ "multiple": true,
 "ui-priority": 1
 },
 "artifact-dropped-name": {
 "description": "Name of an additional file that was either extracted from or downloaded by the attachment.",
 "misp-attribute": "filename",
+ "multiple": true,
 "ui-priority": 0
 },
 "artifact-dropped-sha1": {
 "description": "The SHA1 of an additional file that was either extracted from or downloaded by the attachment.",
 "misp-attribute": "sha1",
+ "multiple": true,
 "ui-priority": 1
 },
 "artifact-dropped-sha256": {
 "description": "The SHA256 of an additional file that was either extracted from or downloaded by the attachment.",
 "misp-attribute": "sha256",
+ "multiple": true,
 "ui-priority": 1
 },
 "attachment-md5": {
 "description": "The MD5 of the file that was attached to the e-mail itself.",
 "misp-attribute": "md5",
+ "multiple": true,
 "ui-priority": 1
 },
 "attachment-name": {
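Review bot: Marking `attachment-md5` here, and `attachment-sha1`/`attachment-sha256` in the `@@ -33,26 +38,31 @@` hunk that follows, as `"multiple": true` breaks the pairing between digests: once one object holds two MD5s and two SHA256s a consumer cannot tell which MD5 and which SHA256 describe the same file, and the descriptions still speak of "the file that was attached" in the singular. The `artifact-dropped-*` hashes in this hunk have the same problem. If several attachments per e-mail are the goal, one `file` object per attachment linked to this object by a relationship keeps each digest set together; if the intent is only to tolerate several values, the descriptions should say "attached file(s)". `"multiple": true` on `subject`, `email-sender` and `sender-ip` in the `@@ -64,26` hunk, and the same fields in spearphishing-link, likewise blur what a single object represents.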
@@ -33,26 +38,31 @@
 "attachment-sha1": {
 "description": "The SHA1 of the file that was attached to the e-mail itself.",
 "misp-attribute": "sha1",
+ "multiple": true,
 "ui-priority": 1
 },
 "attachment-sha256": {
 "description": "The SHA256 of the file that was attached to the e-mail itself.",
 "misp-attribute": "sha256",
+ "multiple": true,
 "ui-priority": 1
 },
 "c2-domain": {
 "description": "Command and control domain detected during analysis.",
 "misp-attribute": "domain",
+ "multiple": true,
 "ui-priority": 1
 },
 "c2-ip": {
 "description": "Command and control IP address detected during analysis.",
 "misp-attribute": "ip-dst",
+ "multiple": true,
 "ui-priority": 1
 },
 "c2-url": {
 "description": "Command and control URL detected during analysis.",
 "misp-attribute": "url",
+ "multiple": true,
 "ui-priority": 1
 },
 "date": {
@@ -64,26 +74,31 @@
 "email-sender": {
 "description": "The source address from which the e-mail was sent.",
 "misp-attribute": "email-src",
+ "multiple": true,
 "ui-priority": 1
 },
 "malicious-url": {
 "description": "Malicious URL that downloaded additional malware.",
 "misp-attribute": "url",
+ "multiple": true,
 "ui-priority": 1
 },
 "research-links": {
 "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
 "misp-attribute": "link",
+ "multiple": true,
 "ui-priority": 0
 },
 "sender-ip": {
 "description": "The source IP from which the e-mail was sent.",
 "misp-attribute": "ip-src",
+ "multiple": true,
 "ui-priority": 1
 },
 "subject": {
 "description": "The subject line of the e-mail.",
 "misp-attribute": "email-subject",
+ "multiple": true,
 "ui-priority": 1
 },
 "supporting-evidence": {
@@ -105,5 +120,5 @@
 "attachment-sha256"
 ],
 "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
- "version": 20220520
-}
\ No newline at end of file
+ "version": 20220825
+}
diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json
index 43c6053..4a3420c 100644
--- a/objects/spearphishing-link/definition.json
+++ b/objects/spearphishing-link/definition.json
@@ -9,31 +9,37 @@
 "email-sender": {
 "description": "The source address from which the e-mail was sent.",
 "misp-attribute": "email-src",
+ "multiple": true,
 "ui-priority": 1
 },
 "embedded-link": {
 "description": "The malicious URL in the e-mail body.",
 "misp-attribute": "url",
+ "multiple": true,
 "ui-priority": 1
 },
 "redirect-url": {
 "description": "The redirect URL, if any, from the malicious embedded link.",
 "misp-attribute": "url",
+ "multiple": true,
 "ui-priority": 0
 },
 "research-links": {
 "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
 "misp-attribute": "link",
+ "multiple": true,
 "ui-priority": 0
 },
 "sender-ip": {
 "description": "The source IP from which the e-mail was sent.",
 "misp-attribute": "ip-src",
+ "multiple": true,
 "ui-priority": 1
 },
 "subject": {
 "description": "The subject line of the e-mail.",
 "misp-attribute": "email-subject",
+ "multiple": true,
 "ui-priority": 1
 },
 "supporting-evidence": {
@@ -51,5 +57,5 @@
 "embedded-link"
 ],
 "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
- "version": 20220520
-}
\ No newline at end of file
+ "version": 20220825
+}
From b258786935f722dd876afdff8e4c96f95c32607b Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Thu, 25 Aug 2022 16:03:59 -0500
Subject: [PATCH 106/112] jq_all_the_things
---
 objects/spearphishing-attachment/definition.json | 2 +-
 objects/spearphishing-link/definition.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/spearphishing-attachment/definition.json b/objects/spearphishing-attachment/definition.json
index 5dd791b..9bb6a33 100644
--- a/objects/spearphishing-attachment/definition.json
+++ b/objects/spearphishing-attachment/definition.json
@@ -121,4 +121,4 @@
 ],
 "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
 "version": 20220825
-}
+}
\ No newline at end of file
diff --git a/objects/spearphishing-link/definition.json b/objects/spearphishing-link/definition.json
index 4a3420c..7e81d4b 100644
--- a/objects/spearphishing-link/definition.json
+++ b/objects/spearphishing-link/definition.json
@@ -58,4 +58,4 @@
 ],
 "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
 "version": 20220825
-}
+}
\ No newline at end of file
From fc51889b42547b8e3bcac3298c46b0de4511863a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 9 Sep 2022 07:21:59 +0200
Subject: [PATCH 107/112] new: [facebook-reaction] new object to link reaction with facebook posts or alike
---
 objects/facebook-reaction/definition.json | 37 +++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 objects/facebook-reaction/definition.json
diff --git a/objects/facebook-reaction/definition.json b/objects/facebook-reaction/definition.json
new file mode 100644
index 0000000..b805cc9
--- /dev/null
+++ b/objects/facebook-reaction/definition.json
@@ -0,0 +1,37 @@
+{
+ "attributes": {
+ "link": {
+ "description": "Link to the user account which did the reaction.",
+ "misp-attribute": "link",
+ "ui-priority": 1
+ },
+ "name": {
+ "description": "The name of A user account which did the reaction.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "type": {
+ "description": "Type of reaction.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "like",
+ "love",
+ "sad",
+ "haha",
+ "wow",
+ "care"
+ ],
+ "ui-priority": 1
+ }
+ },
+ "description": "Reaction to facebook posts.",
+ "meta-category": "misc",
+ "name": "facebook-reaction",
+ "requiredOneOf": [
+ "name",
+ "link"
+ ],
+ "uuid": "f219f784-38b8-47f4-a676-e32efd7df0c3",
+ "version": 1
+}
\ No newline at end of file
From fa26cdf15eee2824ebf30fe68ced56c9c1836c05 Mon Sep 17 00:00:00 2001
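Review bot: The `type` sane_default list in the new facebook-reaction template omits `angry`, which belongs to the same Facebook reaction set as like, love, care, haha, wow and sad; add `"angry"` to the list so analysts are not forced to free-type it (and so spellings stay uniform across events). The `name` description has a stray capital: `"The name of the user account which did the reaction."`. Leaving correlation enabled on `name` and `link` looks intentional, since the same account reacting across posts is what this object is meant to surface.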
From: Alexandre Dulaunoy
Date: Fri, 9 Sep 2022 07:24:05 +0200
Subject: [PATCH 108/112] fix: [facebook-group] add an optional ID reference to the facebook id
---
 objects/facebook-group/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/facebook-group/definition.json b/objects/facebook-group/definition.json
index b0a1607..aca232c 100644
--- a/objects/facebook-group/definition.json
+++ b/objects/facebook-group/definition.json
@@ -63,6 +63,11 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "id": {
+ "description": "Unique identified of the group.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "link": {
 "description": "Original link to the group (supposed harmless).",
 "misp-attribute": "link",
@@ -94,5 +99,5 @@
 "link"
 ],
 "uuid": "165c5507-1cba-4cec-9be4-66e21b590ee6",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 35df5bad01e46ee7522c263d9ae8d1b8aff43329 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Sep 2022 07:40:11 +0200
Subject: [PATCH 109/112] new: [exploit] Exploit object template to describe code or program used to exploit specific vulnerabilities. The objet can be linked to `vulnerability` objects but also device, iot, firmware or alike.
---
 objects/exploit/definition.json | 91 +++++++++++++++++++++++++++++++++
 1 file changed, 91 insertions(+)
 create mode 100644 objects/exploit/definition.json
diff --git a/objects/exploit/definition.json b/objects/exploit/definition.json
new file mode 100644
index 0000000..22ec156
--- /dev/null
+++ b/objects/exploit/definition.json
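Review bot: The new `id` attribute's description reads `"Unique identified of the group."`; it should be `"Unique identifier of the group."`, and saying which identifier is meant (the numeric Facebook group id versus a vanity name) would make the field usable for correlation. Since `id` is a plain `text` attribute with correlation left enabled, a short numeric value may correlate with unrelated `text` attributes holding the same digits elsewhere in an instance; if that is not intended, `"disable_correlation": true` is the usual fix in this repository. The version bump to 2 is correctly included.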
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "0day-today-id": {
+ "description": "Reference to the 0day.today referencing this exploit.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "accessibility": {
+ "description": "Accessibility of the exploit.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "Unknown",
+ "Public",
+ "Limited",
+ "Paid"
+ ]
+ },
+ "comment": {
+ "description": "Comment associated to the exploit.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "credit": {
+ "description": "Credit(s) for the exploit (such as author, distributor or original source).",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "cve-id": {
+ "description": "Reference to the CVE value targeted by the exploit.",
+ "misp-attribute": "vulnerability",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "exploit": {
+ "description": "Free text of the exploit.",
+ "misp-attribute": "text",
+ "ui-priority": 10
+ },
+ "exploit-as-attachment": {
+ "description": "Attachment of the exploit.",
+ "misp-attribute": "attachment",
+ "ui-priority": 10
+ },
+ "exploitdb-id": {
+ "description": "Reference to the ExploitDB referencing this exploit.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "filename": {
+ "description": "Filename used for the exploit.",
+ "disable_correlation": true,
+ "misp-attribute": "filename",
+ "multiple": true,
+ "ui-priority": 8
+ },
+ "level": {
+ "description": "Level of the exploit.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "Unknown",
+ "Proof-of-Concept",
+ "Functional",
+ "Production-ready"
+ ]
+ },
+ "reference": {
+ "description": "Reference to the exploit.",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 0
+ }
+ },
+ "description": "Exploit object describes a program in binary or source code form used to abuse one or
more vulnerabilities.",
+ "meta-category": "misc",
+ "name": "exploit",
+ "requiredOneOf": [
+ "exploit",
+ "filename",
+ "exploit-as-attachment"
+ ],
+ "uuid": "611a25d5-d8aa-4dde-b9c8-c084e786ebf3",
+ "version": 1
+}
\ No newline at end of file
From 06df3688900a24a43e101d39919d7a2c29d351ca Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 29 Sep 2022 07:32:52 +0200
Subject: [PATCH 110/112] new: [intrusion-set] based on the STIX 2.1 definition TODO - "Open Vocabularies" - value versus description.
---
 objects/intrusion-set/definition.json | 86 +++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 objects/intrusion-set/definition.json
diff --git a/objects/intrusion-set/definition.json b/objects/intrusion-set/definition.json
new file mode 100644
index 0000000..3e94273
--- /dev/null
+++ b/objects/intrusion-set/definition.json
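Review bot: `exploit-as-attachment` uses the `attachment` type, so exploit binaries or scripts shared through this object are stored and downloaded as plain files; MISP's `malware-sample` type keeps such content in a password-protected archive, which is the safer default for executable material that analysts pull onto their workstations. If `attachment` is kept on purpose (e.g. for source text only), the description should say so, for example `"Attachment of the exploit (raw file; prefer malware-sample for executable content)."`. Separately, `accessibility` and `level` use `values_list` while the other new templates in this series use `sane_default`; as far as I know `values_list` is the closed-list variant, which suits these enums, but a short mention in the two descriptions would stop contributors from expecting free-text values there.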
@@ -0,0 +1,86 @@
+{
+ "attributes": {
+ "aliases": {
+ "description": "Alternative names used to identify this Intrusion Set.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "goals": {
+ "description": "The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer. Another example: to gain information about latest merger and IPO information from ACME Bank.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "name": {
+ "description": "A name used to identify this Intrusion Set.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "primary-motivation": {
+ "description": "The primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve). For example, an Intrusion Set with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.",
+ "coercion - Being forced to act on someone else's behalf. Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit.
Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.",
+ "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.",
+ "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.",
+ "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.",
+ "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.",
+ "personal-gain - The desire to improve one’s own financial status. Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft.
While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.",
+ "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.",
+ "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.",
+ "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims."
+ ],
+ "ui-priority": 1
+ },
+ "resource_level": {
+ "description": "This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. ",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "individual - Resources limited to the average individual; Threat Actor acts independently.",
+ "club - Members interact on a social and volunteer basis, often with little personal interest in the specific target.
An example might be a core group of unrelated activists who regularly exchange tips on a particular blog. Group persists long term.",
+ "contest - A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced 'operations' to achieve a specific goal, such as the original 'OpIsrael' call for volunteers to disrupt all of Israel's Internet functions for a day.",
+ "team - A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography.",
+ "organization - Larger and better resourced than a team; typically, a company or crime syndicate. Usually operates in multiple geographic areas and persists long term.",
+ "government - Controls public assets and functions within a jurisdiction; very well resourced and persists long term."
+ ],
+ "ui-priority": 1
+ },
+ "secondary-motivation": {
+ "description": "The secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.",
+ "coercion - Being forced to act on someone else's behalf.
Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.",
+ "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.",
+ "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.",
+ "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.",
+ "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.",
+ "personal-gain - The desire to improve one’s own financial status.
Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.",
+ "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.",
+ "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.",
+ "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims."
+ ],
+ "ui-priority": 1
+ }
+ },
+ "description": "A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor.
New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.",
+ "meta-category": "misc",
+ "name": "intrusion-set",
+ "requiredOneOf": [
+ "description",
+ "name"
+ ],
+ "uuid": "bfe96eae-e37a-4ecf-8012-1cdb478571a5",
+ "version": 1
+}
\ No newline at end of file
From 82c699cc5f139e7d991b5c76099c0cde88dbf806 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 13 Oct 2022 10:32:58 +0200
Subject: [PATCH 111/112] new: [telegram-bot] new object to describe Telegram bots
---
 objects/telegram-bot/definition.json | 36 ++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 objects/telegram-bot/definition.json
diff --git a/objects/telegram-bot/definition.json b/objects/telegram-bot/definition.json
new file mode 100644
index 0000000..47d6518
--- /dev/null
+++ b/objects/telegram-bot/definition.json
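Review bot: `secondary-motivation` is documented as a list (its description ends with `"The position in the list has no significance."`) but does not set `"multiple": true`, so only one value can be attached per object; `aliases` and `goals` in the same file do set it, and the STIX 2.1 property this mirrors, `secondary_motivations`, is a list. Add `"multiple": true,` alongside `"misp-attribute": "text",` in that attribute. `resource_level` is the only key in the template spelled with an underscore (compare `primary-motivation`, `secondary-motivation`); attribute keys become part of the template's interface once published, so it is worth renaming it to `resource-level` before version 1 ships. Minor wording: the object description opens with `"A object template"` (should be `"An object template"`), and the `resource_level` description ends with a trailing space inside the string.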
@@ -0,0 +1,36 @@
+{
+ "attributes": {
+ "chat-id": {
+ "description": "Telegram chat id",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "comment": {
+ "description": "Phone associated with the telegram user",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "name": {
+ "description": "Telegram bot name",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "token": {
+ "description": "Telegram Token",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Information related to a telegram bot",
+ "meta-category": "misc",
+ "name": "telegram-bot",
+ "requiredOneOf": [
+ "token",
+ "chat-id",
+ "name",
+ "comment"
+ ],
+ "uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
+ "version": 1
+}
\ No newline at end of file
From e7b9a8e7cf9f15394e5b1865a3100ec1a0f7f7bc Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Thu, 13 Oct 2022 13:45:52 +0200
Subject: [PATCH 112/112] add username field in telegram-bot object
---
 objects/telegram-bot/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/telegram-bot/definition.json b/objects/telegram-bot/definition.json
index 47d6518..8369061 100644
--- a/objects/telegram-bot/definition.json
+++ b/objects/telegram-bot/definition.json
@@ -20,6 +20,11 @@
 "description": "Telegram Token",
 "misp-attribute": "text",
 "ui-priority": 1
+ },
+ "username": {
+ "description": "Telegram bot username, must end with \"bot\"",
+ "misp-attribute": "text",
+ "ui-priority": 1
 }
 },
 "description": "Information related to a telegram bot",
@@ -29,8 +34,9 @@
 "token",
 "chat-id",
 "name",
+ "username",
 "comment"
 ],
 "uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
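Review bot: The `comment` attribute's description reads `"Phone associated with the telegram user"`, which looks copied from another template and does not describe a free-text comment field; something like `"Comment or additional context about the bot"` matches the key and its `disable_correlation` setting. `token` is described only as `"Telegram Token"`; a bot token is a live Bot API credential, so the description should say what it is and that it must be handled as a secret, e.g. `"Telegram Bot API token used by the bot (treat as a credential)"`, which also explains why correlation stays enabled for it. The follow-up commit that adds `username` leaves both descriptions as they are.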