Merge branch 'main' of github.com:MISP/misp-objects

2024-04-02 21:18:22 +02:00 · 2024-04-02 21:18:22 +02:00 · 1118a0492b
parent 3ac509965f b023d0a3de
commit 1118a0492b
11 changed files with 152 additions and 14 deletions
--- a/objects/command-line/definition.json
+++ b/objects/command-line/definition.json
@ -1,20 +1,35 @@
 {
  "attributes": {
+    "command_line": {
+      "description": "command code line",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
    "description": {
      "description": "description of the command",
      "misp-attribute": "text",
      "ui-priority": 1
    },
-    "value": {
-      "description": "command code",
+    "software": {
+      "description": "type of shell (bash/sh,powershell,cmd.exe)",
      "misp-attribute": "text",
-      "multiple": true,
+      "sane_default": [
+        "Shell",
+        "Bash",
+        "zsh",
+        "Powershell",
+        "cmd.exe"
+      ],
      "ui-priority": 1
    }
  },
  "description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.",
  "meta-category": "misc",
  "name": "command-line",
+  "required": [
+    "command_line"
+  ],
  "uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf",
-  "version": 1
+  "version": 2
 }
--- a/objects/crowdsec-ip-context/definition.json
+++ b/objects/crowdsec-ip-context/definition.json
@ -7,7 +7,7 @@
      ],
      "description": "Autonomous system name",
      "disable_correlation": true,
-      "misp-attribute": "AS",
+      "misp-attribute": "text",
      "multiple": true,
      "ui-priority": 0
    },
--- a/objects/cs-beacon-config/definition.json
+++ b/objects/cs-beacon-config/definition.json
@ -104,7 +104,7 @@
  "description": "Cobalt Strike Beacon Config",
  "meta-category": "file",
  "name": "cs-beacon-config",
-  "required": [
+  "requiredOneOf": [
    "jar-md5",
    "md5",
    "sha1",
@ -112,5 +112,5 @@
    "watermark"
  ],
  "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
-  "version": 3
+  "version": 4
 }
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@ -156,8 +156,9 @@
  "requiredOneOf": [
    "ip-dst",
    "ip-src",
-    "domain-dst"
+    "domain-dst",
+    "type"
  ],
  "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d",
-  "version": 9
+  "version": 10
 }
--- a/objects/exploit/definition.json
+++ b/objects/exploit/definition.json
@ -82,6 +82,11 @@
      "multiple": true,
      "ui-priority": 0
    },
+    "software": {
+      "description": "Software impacted",
+      "misp-attribute": "text",
+      "ui-priority": 10
+    },
    "title": {
      "description": "Title of the exploit.",
      "misp-attribute": "text",
--- a/objects/intelmq_event/definition.json
+++ b/objects/intelmq_event/definition.json
@ -405,11 +405,13 @@
    },
    "time.observation": {
      "description": "The time the collector of the local instance processed (observed) the event.",
+      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 1
    },
    "time.source": {
      "description": "The time of occurence of the event as reported the feed (source).",
+      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 1
    },
--- a/objects/intelmq_report/definition.json
+++ b/objects/intelmq_report/definition.json
@ -47,6 +47,7 @@
    },
    "time.observation": {
      "description": "The time the collector of the local instance processed (observed) the event.",
+      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 1
    }
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@ -79,7 +79,8 @@
        "Source",
        "Originator",
        "Informant",
-        "Emitter"
+        "Emitter",
+        "Impersonated"
      ]
    },
    "sector": {
@ -138,5 +139,5 @@
    "alias"
  ],
  "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
-  "version": 6
+  "version": 7
 }
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@ -223,7 +223,8 @@
        "Source",
        "Originator",
        "Informant",
-        "Emitter"
+        "Emitter",
+        "Impersonated"
      ]
    },
    "social-security-number": {
@ -255,5 +256,5 @@
    "handle"
  ],
  "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
-  "version": 19
+  "version": 20
 }
--- a/objects/stairwell/definition.json
+++ b/objects/stairwell/definition.json
@ -0,0 +1,89 @@
+{
+  "attributes": {
+    "entropy": {
+      "description": "Measure of the information contained in a object as opposed to the portion of the object that is determined (or predictable)",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 1
+    },
+    "environment": {
+      "description": "Stairwell environments that this object has been seen within",
+      "misp-attribute": "comment",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "imphash": {
+      "description": "The Mandiant import hash (imphash) of the object",
+      "misp-attribute": "imphash",
+      "ui-priority": 0
+    },
+    "magic": {
+      "description": "Magic number as determined by yara rule based identification",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "malEval-probability": {
+      "description": "Confidence that the label applies on the object",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "malEval-severity": {
+      "description": "Severity of malware detected",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "md5": {
+      "description": "The md5 hash signature of an object",
+      "misp-attribute": "md5",
+      "ui-priority": 1
+    },
+    "mime-type": {
+      "description": "MIME type as determined by yara rule based identification",
+      "disable_correlation": true,
+      "misp-attribute": "mime-type",
+      "ui-priority": 0
+    },
+    "sha1": {
+      "description": "The sha1 hash signature of an object",
+      "misp-attribute": "sha1",
+      "ui-priority": 1
+    },
+    "sha256": {
+      "description": "The sha256 hash signature of an object",
+      "misp-attribute": "sha256",
+      "ui-priority": 1
+    },
+    "size-in-bytes": {
+      "description": "The size of the file in bytes",
+      "disable_correlation": true,
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "stairwell-first-seen": {
+      "description": "The timestamp at which an object was first observed by Stairwell",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "tlsh": {
+      "description": "The TLSH of the object",
+      "misp-attribute": "tlsh",
+      "ui-priority": 0
+    },
+    "yara-rule-match": {
+      "description": "Stairwell yara rule resource names which have matched on this object",
+      "misp-attribute": "comment",
+      "multiple": true,
+      "ui-priority": 0
+    }
+  },
+  "description": "Stairwell leverages automated analysis, YARA rule libraries, shared malware feeds, privately run AV verdicts, static & dynamic analysis, malware unpacking, and variant discovery.",
+  "meta-category": "file",
+  "name": "stairwell",
+  "requiredOneOf": [
+    "md5",
+    "sha1",
+    "sha256"
+  ],
+  "uuid": "113d31ab-6eea-46df-976c-e955c369acd2",
+  "version": 1
+}
--- a/relationships/definition.json
+++ b/relationships/definition.json
@ -1725,7 +1725,30 @@
        "stix-2.1"
      ],
      "name": "sample-of"
+    },
+    {
+      "description": "This relationship describes an object which is allied with another object.",
+      "format": [
+        "misp"
+      ],
+      "name": "is-allied-with "
+    },
+    {
+      "description": "The source object acquires the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "acquires",
+      "opposite": "is-acquired-by"
+    },
+    {
+      "description": "The source object is acquired by the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "is-acquired-by",
+      "opposite": "acquires"
    }
  ],
-  "version": 40
+  "version": 41
 }