MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'MISP:main' into main

pull/422/head
Karen Yousefi 2024-06-22 13:27:34 -07:00 committed by GitHub
parent 21775dbecc e3288ef6e5
commit 16d8bf7af8
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
41 changed files with 1167 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@ -135,6 +135,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
- [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
- [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
- [objects/cert-pl-phishing](https://github.com/MISP/misp-objects/blob/main/objects/cert-pl-phishing/definition.json) - cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash.
- [objects/cloth](https://github.com/MISP/misp-objects/blob/main/objects/cloth/definition.json) - Describes clothes a natural person wears.
- [objects/coin-address](https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json) - An address used in a cryptocurrency.
- [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
@ -161,6 +162,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection.
- [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
- [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
- [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
- [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
@ -190,6 +192,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
- [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
- [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
- [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
- [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
- [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
@ -246,6 +249,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
- [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
- [objects/Generalizing Persuasion Framework](https://github.com/MISP/misp-objects/blob/main/objects/Generalizing Persuasion Framework/definition.json) - By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman).
- [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
- [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
- [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
@ -301,6 +305,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/network-connection](https://github.com/MISP/misp-objects/blob/main/objects/network-connection/definition.json) - A local or remote network connection.
- [objects/network-profile](https://github.com/MISP/misp-objects/blob/main/objects/network-profile/definition.json) - Elements that can be used to profile, pivot or identify a network infrastructure, including domains, ip and urls.
- [objects/network-socket](https://github.com/MISP/misp-objects/blob/main/objects/network-socket/definition.json) - Network socket object describes a local or remote network connections based on the socket data structure.
- [objects/network-traffic](https://github.com/MISP/misp-objects/blob/main/objects/network-traffic/definition.json) - Generic network traffic that originates from a source and is addressed to a destination.
- [objects/news-agency](https://github.com/MISP/misp-objects/blob/main/objects/news-agency/definition.json) - News agencies compile news and disseminate news in bulk.
- [objects/news-media](https://github.com/MISP/misp-objects/blob/main/objects/news-media/definition.json) - News media are forms of mass media delivering news to the general public.
- [objects/open-data-security](https://github.com/MISP/misp-objects/blob/main/objects/open-data-security/definition.json) - An object describing an open dataset available and described under the open data security model. ref. https://github.com/CIRCL/open-data-security.
@ -316,6 +321,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/paste](https://github.com/MISP/misp-objects/blob/main/objects/paste/definition.json) - Paste or similar post from a website allowing to share privately or publicly posts.
- [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata.
- [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable.
- [objects/pe-optional-header](https://github.com/MISP/misp-objects/blob/main/objects/pe-optional-header/definition.json) - Object describing a Portable Executable Optional Header.
- [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable.
- [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks.
- [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity.
@ -324,6 +330,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
- [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit.
- [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone.
- [objects/phone-number](https://github.com/MISP/misp-objects/blob/main/objects/phone-number/definition.json) - Phone number based on the E.164 international public telecommunication numbering plan.
- [objects/physical-impact](https://github.com/MISP/misp-objects/blob/main/objects/physical-impact/definition.json) - Physical Impact object as described in STIX 2.1 Incident object extension.
- [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address.
- [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure.
@ -333,7 +340,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
- [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
- [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
- [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
- [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
@ -390,6 +397,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object.
- [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks.
- [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file.
- [objects/stairwell](https://github.com/MISP/misp-objects/blob/main/objects/stairwell/definition.json) - Stairwell leverages automated analysis, YARA rule libraries, shared malware feeds, privately run AV verdicts, static & dynamic analysis, malware unpacking, and variant discovery.
- [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
- [objects/stock](https://github.com/MISP/misp-objects/blob/main/objects/stock/definition.json) - Object to describe stock market.
- [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description.
@ -470,7 +478,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is
- Add a description in the object template explaining the scope and use-cases of your object templates
- If the object is the mapping of an existing format, add a reference into the description of the object template
- `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
- Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
## MISP objects documentation
@ -498,11 +506,12 @@ The MISP objects (JSON files) are dual-licensed under:
or
~~~~
Copyright (c) 2016-2023 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2016-2023 Andras Iklody
Copyright (c) 2016-2023 Raphael Vinot
Copyright (c) 2016-2023 Various contributors to MISP Project
Copyright (c) 2016-2024 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2016-2024 Andras Iklody
Copyright (c) 2016-2024 Raphael Vinot
Copyright (c) 2016-2024 Christian Studer
Copyright (c) 2016-2024 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
@ -532,9 +541,9 @@ If a specific author of a taxonomy wants to license it under a different license
~~~~
Copyright (C) 2016-2023 Andras Iklody
Copyright (C) 2016-2023 Alexandre Dulaunoy
Copyright (C) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2016-2024 Andras Iklody
Copyright (C) 2016-2024 Alexandre Dulaunoy
Copyright (C) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by

2
objects/abuseipdb/definition.json
View File

@ -2,7 +2,7 @@
"attributes": {
"abuse-confidence-score": {
"description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"is-malicious": {

42
objects/cert-pl-phishing/definition.json Normal file
View File

@ -0,0 +1,42 @@
{
"attributes": {
"favicon-mmh3": {
"description": "Favicon of the phishing url in Murmurhash3 format (base64).",
"misp-attribute": "text",
"ui-priority": 0
},
"html-structure": {
"description": "HTML tags defining the structure of the HTML page.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"phash-dct-base64": {
"description": "pHash (DCT hash) - as described in https://github.com/thorn-oss/perception.",
"misp-attribute": "text",
"ui-priority": 0
},
"truncated-hash-html-structure": {
"description": "Truncated hash value of the html-structure.",
"misp-attribute": "text",
"ui-priority": 0
},
"url": {
"description": "Full URL of the phishing object.",
"misp-attribute": "url",
"ui-priority": 1
}
},
"description": "cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash",
"meta-category": "network",
"name": "cert-pl-phishing",
"requiredOneOf": [
"url",
"phash-dct-base64",
"html-structure",
"truncated-hash-html-structure",
"favicon-mmh3"
],
"uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
"version": 1
}

6
objects/concordia-mtmf-intrusion-set/definition.json
View File

@ -10,14 +10,14 @@
"CMTMF_ATCKID": {
"description": "Identifier of the Attack",
"disable_correlation": false,
"misp-attribute": "counter",
"misp-attribute": "integer",
"recommended": true,
"ui-priority": 1
},
"FeedbackLoop": {
"description": "Feedback Loop Sequence",
"disable_correlation": false,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"PhName": {
@ -30,7 +30,7 @@
"PhSequence": {
"description": "Phase Sequence",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"recommended": true,
"ui-priority": 0
},

4
objects/covid19-csse-daily-report/definition.json
View File

@ -21,7 +21,7 @@
"county": {
"description": "US County (US Only)",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"death": {
@ -33,7 +33,7 @@
"fips": {
"description": "Federal Information Processing Standard county code (US Only)",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"latitude": {

91
objects/cs-beacon-config/definition.json
View File

@ -1,11 +1,43 @@
{
"attributes": {
"architecture": {
"description": "Hardware architecture of the sample",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"asn": {
"description": "Originating ASN for the CS Beacon Config",
"disable_correlation": true,
"misp-attribute": "AS",
"ui-priority": 0
},
"beacon-host": {
"description": "Beacon host IP",
"misp-attribute": "ip-dst",
"ui-priority": 0
},
"beacon-type": {
"description": "Beacon type used",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"binary-md5": {
"description": "MD5 of the binary delivered",
"misp-attribute": "md5",
"ui-priority": 0
},
"binary-sha1": {
"description": "SHA1 of the binary delivered",
"misp-attribute": "sha1",
"ui-priority": 0
},
"binary-sha256": {
"description": "SHA256 of the binary delivered",
"misp-attribute": "sha256",
"ui-priority": 0
},
"c2": {
"categories": [
"Network activity"
@ -21,12 +53,67 @@
"misp-attribute": "text",
"ui-priority": 0
},
"config-md5": {
"description": "MD5 of the configuration",
"misp-attribute": "md5",
"ui-priority": 0
},
"config-sha1": {
"description": "SHA1 of the configuration",
"misp-attribute": "sha1",
"ui-priority": 0
},
"config-sha256": {
"description": "SHA256 of the configuration",
"misp-attribute": "sha256",
"ui-priority": 0
},
"content-length": {
"description": "Content length of the payload",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"content-type": {
"description": "Content/type received",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"encoded-data": {
"description": "Encoded payload data in Base64 as file attachment",
"misp-attribute": "attachment",
"ui-priority": 0
},
"encoded-length": {
"description": "Length of the encoded data",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"geo": {
"description": "Country location of the CS Beacon Config",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"http": {
"description": "HTTP protocol used",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"http-code": {
"description": "HTTP return code",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"http-url": {
"description": "HTTP url path of the beacon",
"misp-attribute": "text",
"ui-priority": 0
},
"ip": {
"description": "IP of the C2",
"misp-attribute": "ip-dst",
@ -55,7 +142,7 @@
"ui-priority": 1
},
"naics": {
"description": "North American Industry Classification System Code",
"description": "North American Industry Classification System Code (NAICS)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
@ -112,5 +199,5 @@
"watermark"
],
"uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
"version": 4
"version": 7
}

51
objects/ddos-claim/definition.json Normal file
View File

@ -0,0 +1,51 @@
{
"attributes": {
"claim-validity": {
"description": "Validity of the claim. Valid means, a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Unknown",
"Valid",
"Invalid"
],
"ui-priority": 0
},
"proof": {
"description": "The claim in text format.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"proof-screenshot": {
"description": "Screenshot of the claim.",
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 0
},
"reference": {
"description": "Reference to the DDoS claim.",
"disable_correlation": true,
"misp-attribute": "link",
"multiple": true,
"ui-priority": 0
},
"target": {
"description": "Target of the DDoS claim.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "DDoS-claim object describes a current claim of DDoS activity.",
"meta-category": "network",
"name": "ddos-claim",
"requiredOneOf": [
"target",
"proof",
"reference"
],
"uuid": "2722ac76-1f1f-43b7-bc68-ba5465ec5c04",
"version": 2
}

8
objects/ddos/definition.json
View File

@ -3,7 +3,7 @@
"backscatter-threshold": {
"description": "The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"capture-origin": {
@ -99,13 +99,13 @@
"total-bps": {
"description": "Bits per second (maximum rate of bits per second measured)",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"total-bytes-sent": {
"description": "Total number of bytes sent by the sources mentioned",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"total-packets-sent": {
@ -117,7 +117,7 @@
"total-pps": {
"description": "Packets per second (maximum rate of packets per second measured)",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"type": {

2
objects/diamond/definition.json
View File

@ -31,7 +31,7 @@
},
"EventID": {
"description": "Id of the event",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"Infrastructure": {

8
objects/flowintel-cm-case/definition.json
View File

@ -42,6 +42,12 @@
"misp-attribute": "datetime",
"ui-priority": 0
},
"notes": {
"description": "Notes of the case",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"origin-url": {
"description": "Origin of the case",
"disable_correlation": true,
@ -86,5 +92,5 @@
"meta-category": "misc",
"name": "flowintel-cm-case",
"uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
"version": 2
"version": 3
}

35
objects/flowintel-cm-task-note/definition.json Normal file
View File

@ -0,0 +1,35 @@
{
"attributes": {
"note": {
"description": "Notes of the task",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"note-uuid": {
"description": "UUID of the note",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 2
},
"origin-url": {
"description": "Origin of the task",
"disable_correlation": true,
"misp-attribute": "url",
"to_ids": false,
"ui-priority": 1
},
"task-uuid": {
"description": "UUID of the parent task",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 2
}
},
"description": "A task's note as defined by flowintel-cm.",
"meta-category": "misc",
"name": "flowintel-cm-task-note",
"uuid": "2c6f6aba-48b6-482f-a810-81934d29be9a",
"version": 1
}

8
objects/flowintel-cm-task/definition.json
View File

@ -37,12 +37,6 @@
"misp-attribute": "datetime",
"ui-priority": 0
},
"notes": {
"description": "Notes of the task",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"origin-url": {
"description": "Origin of the task",
"disable_correlation": true,
@ -88,5 +82,5 @@
"meta-category": "misc",
"name": "flowintel-cm-task",
"uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
"version": 3
"version": 4
}

151
objects/generalizing-persuasion-framework/definition.json Normal file
View File

@ -0,0 +1,151 @@
{
"attributes": {
"actors_receiver": {
"description": "Assessments across weighted dimensions. Effort, motivation, prior attitudes",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 20
},
"actors_speaker_motivation": {
"description": "Motivations in crafting messages",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 11
},
"actors_speaker_type": {
"description": "Types (e.g., elites, media, opinion leaders, friends/family).",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"Politician",
"Government Official",
"Law Enforcement",
"Media",
"Religious Leader",
"CEO/Executive",
"Community Leader",
"Teacher/Professor",
"Coache/Mentor",
"Expert in a specific field",
"Celebrity",
"Athlete",
"Social Media Personality",
"Trendsetter",
"Salesperson",
"Marketeer",
"Friend/Family",
"Lobbyist",
"Advocacy Group",
"Professional Association",
"Leaked document",
"Whistle-blower",
"Online forum",
"Algorithm"
],
"ui-priority": 10
},
"outcomes_attitude": {
"description": "General evaluation of an object (where the 'object' is broadly construed).",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 60
},
"outcomes_behavior": {
"description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 70
},
"outcomes_emotion": {
"description": "Can inform conscious evaluations or override them.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 80
},
"outcomes_identity": {
"description": "A dimension of evaluation. Often activated when threatened.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 90
},
"settings_competition_observers": {
"description": "Number of observers.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 102
},
"settings_competition_receivers": {
"description": "Number of receivers.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 101
},
"settings_competition_speakers": {
"description": "Number of speakers.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 100
},
"settings_culture": {
"description": "Shapes understandings of topics. Alters salience of different values.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 140
},
"settings_process": {
"description": "Threatening settings. Political (conflictual) settings versus deliberative settings",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 130
},
"settings_space": {
"description": "Attitude or behavioral change in one setting may not generalize to other settings.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 110
},
"settings_time": {
"description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 120
},
"treatments_medium": {
"description": "Alters frames, processing goals, and/or effort. Interactions with other persuasion variables.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 50
},
"treatments_message_content": {
"description": "Argument strength (and inadequacy). Framing and evaluations. Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 40
},
"treatments_topic": {
"description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 30
}
},
"description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman)",
"meta-category": "misc",
"name": "Generalizing Persuasion Framework",
"uuid": "dc6cdc5f-17d7-4d7b-95fe-86478990c910",
"version": 1
}

2
objects/imsi-catcher/definition.json
View File

@ -56,7 +56,7 @@
"seq": {
"description": "A sequence number for the collection",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"text": {

3
objects/instant-message/definition.json
View File

@ -22,7 +22,8 @@
"Discord",
"Mumble",
"Jabber",
"Twitter"
"Twitter",
"Mattermost"
],
"ui-priority": 1
},

6
objects/intelmq_event/definition.json
View File

@ -112,7 +112,7 @@
},
"destination.port": {
"description": "The port to which the connection headed.",
"misp-attribute": "counter",
"misp-attribute": "port",
"ui-priority": 1
},
"destination.registry": {
@ -256,7 +256,7 @@
},
"rtir_id": {
"description": "Request Tracker Incident Response ticket id.",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 1
},
"screenshot_url": {
@ -366,7 +366,7 @@
},
"source.port": {
"description": "The port from which the connection originated.",
"misp-attribute": "counter",
"misp-attribute": "port",
"ui-priority": 1
},
"source.registry": {

2
objects/intelmq_report/definition.json
View File

@ -42,7 +42,7 @@
},
"rtir_id": {
"description": "Request Tracker Incident Response ticket id.",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 1
},
"time.observation": {

2
objects/mactime-timeline-analysis/definition.json
View File

@ -39,7 +39,7 @@
"file_size": {
"description": "Determines the file size in bytes",
"disable_correlation": true,
"misp-attribute": "text",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
}
},

6
objects/netflow/definition.json
View File

@ -3,7 +3,7 @@
"byte-count": {
"description": "Bytes counted in this flow",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"community-id": {
@ -73,7 +73,7 @@
"ip-protocol-number": {
"description": "IP protocol number of this flow",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"misp-attribute": "integer",
"ui-priority": 0
},
"ip-src": {
@ -88,7 +88,7 @@
"ip_version": {
"description": "IP version of this flow",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"last-packet-seen": {

6
objects/network-connection/definition.json
View File

@ -13,7 +13,7 @@
"dst-bytes-count": {
"description": "Number of bytes sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"dst-packets-count": {
@ -116,7 +116,7 @@
"src-bytes-count": {
"description": "Number of bytes sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"src-packets-count": {
@ -147,5 +147,5 @@
"community-id"
],
"uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
"version": 6
"version": 7
}

4
objects/network-socket/definition.json
View File

@ -109,7 +109,7 @@
"dst-bytes-count": {
"description": "Number of bytes sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"dst-packets-count": {
@ -215,7 +215,7 @@
"src-bytes-count": {
"description": "Number of bytes sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"src-packets-count": {

108
objects/network-traffic/definition.json Normal file
View File

@ -0,0 +1,108 @@
{
"attributes": {
"dst_bytes_count": {
"description": "Number of bytes sent from the destination to the source",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"dst_hostname": {
"description": "Destination hostname of the network traffic",
"misp-attribute": "hostname",
"ui-priority": 1
},
"dst_ip": {
"description": "Destination IP address of the network traffic",
"misp-attribute": "ip-dst",
"ui-priority": 1
},
"dst_mac": {
"description": "Destination MAC address of the network traffic",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"dst_packets": {
"description": "Number of packets sent from the destination to the source",
"misp-attribute": "counter",
"ui-priority": 0
},
"dst_port": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Destination port of the nework connection",
"misp-attribute": "port",
"ui-priority": 1
},
"end_time": {
"description": "Time the network traffic ended",
"misp-attribute": "datetime",
"ui-priority": 0
},
"is_active": {
"description": "Indicates whether the network traffic is still ongoing. Must be False if the end_time attribute is present",
"misp-attribute": "boolean",
"ui-priority": 0
},
"protocol": {
"description": "Protocol observed in the network traffic",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"src_bytes_count": {
"description": "Number of bytes sent from the source to the destination",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"src_hostname": {
"description": "Destination hostname of the network traffic",
"misp-attribute": "hostname",
"ui-priority": 1
},
"src_ip": {
"description": "Source IP address of the network traffic",
"misp-attribute": "ip-dst",
"ui-priority": 1
},
"src_mac": {
"description": "Source MAC address of the network traffic",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"src_packets": {
"description": "Number of packets sent from the source to the destination",
"misp-attribute": "counter",
"ui-priority": 0
},
"src_port": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Source port of the nework connection",
"misp-attribute": "port",
"ui-priority": 1
},
"start_time": {
"description": "Time the network traffic started",
"misp-attribute": "datetime",
"ui-priority": 0
}
},
"description": "Generic network traffic that originates from a source and is addressed to a destination.",
"meta-category": "network",
"name": "network-traffic",
"requiredOneOf": [
"dst_hostname",
"dst_ip",
"dst_mac",
"dst_port",
"src_hostname",
"src_ip",
"src_mac",
"src_port"
],
"uuid": "16290b18-9af5-4a43-b195-75fe1eef0c35",
"version": 1
}

6
objects/news-media/definition.json
View File

@ -88,6 +88,8 @@
"Pressure Group",
"Staging",
"Trade Site",
"Governmental Communication",
"Alert",
"Other"
]
},
@ -117,6 +119,8 @@
"Radio (Online)",
"Podcast",
"Alternative Media",
"Governmental",
"News agency",
"Other"
],
"ui-priority": 1
@ -146,5 +150,5 @@
"attachment"
],
"uuid": "691463c5-5302-4847-9bec-4c56ccfec677",
"version": 2
"version": 3
}

9
objects/organization/definition.json
View File

@ -45,6 +45,12 @@
"multiple": true,
"ui-priority": 10
},
"misp-uuid": {
"description": "MISP UUID of the organization",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 97
},
"name": {
"description": "Name of the organization",
"disable_correlation": false,
@ -117,6 +123,7 @@
"mining",
"non-profit",
"pharmaceuticals",
"private",
"retail",
"technology",
"telecommunication",
@ -139,5 +146,5 @@
"alias"
],
"uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
"version": 7
"version": 9
}

4
objects/paloalto-threat-event/definition.json
View File

@ -15,7 +15,7 @@
"dport": {
"description": "The port to which the connection headed.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "port",
"ui-priority": 1
},
"dst": {
@ -38,7 +38,7 @@
"sport": {
"description": "The port from which the connection originated.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "port",
"ui-priority": 1
},
"src": {

217
objects/pe-optional-header/definition.json Normal file
View File

@ -0,0 +1,217 @@
{
"attributes": {
"address_of_entrypoint": {
"description": "The address of the entry point relative to the image base when the executable file is loaded into memory",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 1
},
"base_of_code": {
"description": "Address relative to the imagebase where the binary's code starts",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"base_of_data": {
"description": "Address relative to the imagebase where the binary's data starts",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"checksum": {
"description": "The image file checksum",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"dll_characteristics": {
"description": "Some characteristics of the underlying binary",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"APPCONTAINER",
"DYNAMIC_BASE",
"FORCE_INTEGRITY",
"GUARD_CF",
"HIGH_ENTROPY_VA",
"NO_BIND",
"NO_ISOLATION",
"NO_SEH",
"NX_COMPAT",
"TERMINAL_SERVER_AWARE",
"WDM_DRIVER"
],
"ui-priority": 0
},
"dll_characteristics_hex": {
"description": "The DLL characteristics in a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"file_alignment": {
"description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"image_base": {
"description": "The preferred base address when mapping the binary in memory",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"loader_flags": {
"description": "According to the PE specifications, this value is reserved and should be 0",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"magic": {
"description": "Magic value (PE_TYPE) that identifies a PE32 from a PE64",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"major_image_version": {
"description": "The major version number of the image",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major_linker_version": {
"description": "The linker major version number",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major_os_version": {
"description": "The major version number of the required operating system",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"major_subsystem_version": {
"description": "The major version number of the subsystem",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor_image_version": {
"description": "The minor version number of the image",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor_linker_version": {
"description": "The linker minor version number",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor_os_version": {
"description": "The minor version number of the required operating system",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"minor_subsystem_version": {
"description": "The minor version number of the subsystem",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"number_of_rva_and_size": {
"description": "The number of DataDirectory that follow this header",
"disable_correlation": true,
"misp-attribute": "integer",
"ui-priority": 0
},
"section_alignment": {
"description": "The alignment (in bytes) of sections when they are loaded into memory. It must be greater than or equal to file_alignment and the default is the page size for the architecture",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_code": {
"description": "The size of the code .text section or the sum of all the sections that contain code",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_headers": {
"description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_heap_commit": {
"description": "The size of the local heap space to commit",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_heap_reserve": {
"description": "The size of the local heap space to reserve",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_image": {
"description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_initialised_data": {
"description": "The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_stack_commit": {
"description": "The size of the stack to commit",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_stack_reserve": {
"description": "The size of the stack to reserve",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"size_of_uninitialised_data": {
"description": "The size of the uninitialized data which are usually located in the .bss section. If the uninitialized data are split across multiple sections, it is the sum of the sections",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"subsystem": {
"description": "Target subsystem",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"EFI_APPLICATION",
"EFI_BOOT_SERVICE_DRIVER",
"EFI_ROM",
"EFI_RUNTIME_DRIVER",
"NATIVE",
"NATIVE_WINDOWS",
"OS2_CUI",
"POSIX_CUI",
"UNKNOWN",
"WINDOWS_BOOT_APPLICATION",
"WINDOWS_CE_GUI",
"WINDOWS_CUI",
"WINDOWS_GUI",
"XBOX"
],
"ui-priority": 0
},
"win32_version_value": {
"description": "Specifies the reserved win32 version value (must be zero)",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
}
},
"description": "Object describing a Portable Executable Optional Header",
"meta-category": "file",
"name": "pe-optional-header",
"requiredOneOf": [
"address_of_entrypoint"
],
"uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
"version": 1
}

79
objects/pe/definition.json
View File

@ -5,6 +5,36 @@
"misp-attribute": "authentihash",
"ui-priority": 1
},
"characteristics": {
"description": "The characteristics that indicate the attributes of the file",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"AGGRESSIVE_WS_TRIM",
"BYTES_REVERSED_HI",
"BYTES_REVERSED_LO",
"DEBUG_STRIPPED",
"DLL",
"EXECUTABLE_IMAGE",
"LARGE_ADDRESS_AWARE",
"LINE_NUMS_STRIPPED",
"LOCAL_SYMS_STRIPPED",
"NEED_32BIT_MACHINE",
"NET_RUN_FROM_SWAP",
"RELOCS_STRIPPED",
"REMOVABLE_RUN_FROM_SWAP",
"SYSTEM",
"UP_SYSTEM_ONLY"
],
"ui-priority": 0
},
"characteristics_hex": {
"description": "The characteristics in a single hex value",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"company-name": {
"description": "CompanyName in the resources",
"disable_correlation": true,
@ -68,6 +98,42 @@
"misp-attribute": "text",
"ui-priority": 0
},
"machine-type": {
"description": "Type of machine",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"AM33",
"AMD64",
"ARM",
"ARM64",
"ARMNT",
"EBC",
"I386",
"IA64",
"M32R",
"MIPS16",
"MIPSFPU",
"MIPSFPU16",
"POWERPC",
"POWERPCFP",
"R4000",
"SH3",
"SH3DSP",
"SH4",
"SH5",
"THUMB",
"UNKNOWN",
"WCEMIPSV2"
],
"ui-priority": 0
},
"number-of-symbols": {
"description": "Number of entries in the symbol table",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"number-sections": {
"description": "Number of sections",
"disable_correlation": true,
@ -85,6 +151,12 @@
"misp-attribute": "pehash",
"ui-priority": 0
},
"pointer-to-symbol-table": {
"description": "The file offset of the COFF symbol table.",
"disable_correlation": true,
"misp-attribute": "hex",
"ui-priority": 0
},
"product-name": {
"description": "ProductName in the resources",
"disable_correlation": true,
@ -103,6 +175,11 @@
"multiple": true,
"ui-priority": 0
},
"size-of-optional-header": {
"description": "Size of the optional header and the data directories which follow this header",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"text": {
"description": "Free text value to attach to the PE",
"disable_correlation": true,
@ -136,5 +213,5 @@
"impfuzzy"
],
"uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",
"version": 7
"version": 9
}

60
objects/phone-number/definition.json Normal file
View File

@ -0,0 +1,60 @@
{
"attributes": {
"country-code": {
"description": "Country code in text format (e.g., US)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": false,
"to_ids": false,
"ui-priority": 1
},
"country-code-numeric": {
"description": "Country code as per the E.164 numbering plan (e.g., +1)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": false,
"to_ids": false,
"ui-priority": 1
},
"national-destination-code": {
"description": "National destination code as per the E.164 numbering plan (e.g., 415)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": false,
"to_ids": false,
"ui-priority": 0
},
"phone-number": {
"description": "Phone number in E.164 format (e.g., +14155552671)",
"disable_correlation": false,
"misp-attribute": "phone-number",
"multiple": false,
"to_ids": false,
"ui-priority": 3
},
"subscriber-number": {
"description": "Subscriber number as per the E.164 numbering plan (e.g., 5552671)",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": false,
"to_ids": false,
"ui-priority": 0
},
"text": {
"description": "Description or additional information about the phone number.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": false,
"to_ids": false,
"ui-priority": 2
}
},
"description": "Phone number based on the E.164 international public telecommunication numbering plan",
"meta-category": "mobile",
"name": "phone-number",
"required": [
"phone-number"
],
"uuid": "c4b5a67c-63d2-11ec-90d6-0242ac120003",
"version": 1
}

6
objects/probabilistic-data-structure/definition.json
View File

@ -21,13 +21,13 @@
"total-bits": {
"description": "The number of bits used by this probabilistic data structure.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 1
},
"total-capacity": {
"description": "The total capacity of the total set represented in this probabilistic data structure.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 1
},
"type": {
@ -59,7 +59,7 @@
"used-capacity": {
"description": "The used capacity (and cardinality) of the set represented in this probabilistic data structure.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 1
},
"vendor-implementation-ref": {

6
objects/r2graphity/definition.json
View File

@ -3,13 +3,13 @@
"callback-average": {
"description": "Average size of a callback",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"callback-largest": {
"description": "Largest callback",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"callbacks": {
@ -105,7 +105,7 @@
"shortest-path-to-create-thread": {
"description": "Shortest path to the first time the binary calls CreateThread",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"text": {

73
objects/ransomware-group-post/definition.json
View File

@ -1,7 +1,26 @@
{
"attributes": {
"actor-geo-stats-30d": {
"description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"actor-total-stats-30d": {
"description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"date": {
"description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"date-published": {
"description": "Initial published date of the post on the ransomware group blog.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
@ -10,25 +29,73 @@
"misp-attribute": "text",
"ui-priority": 1
},
"entity-name": {
"description": "Entity name of the victim referenced in the post of the ransomware group.",
"misp-attribute": "text",
"ui-priority": 1
},
"geo": {
"description": "Geographic (main) location of the victim referenced in the post of the ransomware group.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"leak-site-url": {
"description": "Link to the post.",
"misp-attribute": "link",
"ui-priority": 1
},
"link": {
"description": "Original URL location of the post.",
"misp-attribute": "link",
"ui-priority": 1
},
"ransomware-group": {
"description": "Ransomware group where the post is mentioned.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"sector": {
"description": "Sector (main) of the victim referenced in the post of the ransomware group.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"severity": {
"description": "Severity of the post mentioned.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"critical",
"high",
"medium",
"low",
"info"
],
"ui-priority": 1
},
"title": {
"description": "Title of blog post.",
"misp-attribute": "text",
"ui-priority": 1
},
"website": {
"description": "Website of the victim referenced in the post of the ransomware group.",
"misp-attribute": "link",
"ui-priority": 1
}
},
"description": "Ransomware group post as monitored by ransomlook.io",
"description": "Ransomware group post as monitored by ransomlook.io or others",
"meta-category": "misc",
"name": "ransomware-group-post",
"requiredOneOf": [
"title",
"description",
"link"
"link",
"website",
"leak-site-url"
],
"uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
"version": 1
"version": 4
}

17
objects/registry-key/definition.json
View File

@ -2,7 +2,8 @@
"attributes": {
"data": {
"categories": [
"Persistence mechanism"
"Persistence mechanism",
"Artifacts dropped"
],
"description": "Data stored in the registry key",
"misp-attribute": "text",
@ -10,7 +11,8 @@
},
"data-type": {
"categories": [
"Persistence mechanism"
"Persistence mechanism",
"Artifacts dropped"
],
"description": "Registry value type",
"disable_correlation": true,
@ -35,7 +37,8 @@
},
"hive": {
"categories": [
"Persistence mechanism"
"Persistence mechanism",
"Artifacts dropped"
],
"description": "Hive used to store the registry key (file on disk)",
"disable_correlation": true,
@ -44,7 +47,8 @@
},
"key": {
"categories": [
"Persistence mechanism"
"Persistence mechanism",
"Artifacts dropped"
],
"description": "Full key path",
"misp-attribute": "regkey",
@ -60,7 +64,8 @@
},
"name": {
"categories": [
"Persistence mechanism"
"Persistence mechanism",
"Artifacts dropped"
],
"description": "Name of the registry key",
"misp-attribute": "text",
@ -98,5 +103,5 @@
"data"
],
"uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
"version": 4
"version": 5
}

12
objects/research-scanner/definition.json
View File

@ -43,6 +43,16 @@
"multiple": true,
"ui-priority": 1
},
"scanning_host": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Scanning host used by project",
"misp-attribute": "hostname",
"multiple": true,
"ui-priority": 1
},
"scanning_ip": {
"categories": [
"Network activity",
@ -76,5 +86,5 @@
"scanning_ip"
],
"uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
"version": 20190102
"version": 20240527
}

2
objects/scrippsco2-c13-daily/definition.json
View File

@ -9,7 +9,7 @@
"flag": {
"description": "Flag (see taxonomy for details).",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"number-flask": {

2
objects/scrippsco2-co2-daily/definition.json
View File

@ -9,7 +9,7 @@
"flag": {
"description": "Flag (see taxonomy for details).",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"number-flask": {

2
objects/scrippsco2-o18-daily/definition.json
View File

@ -3,7 +3,7 @@
"flag": {
"description": "Flag (see taxonomy for details).",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"number-flask": {

4
objects/sigmf-expanded-recording/definition.json
View File

@ -99,7 +99,7 @@
"offset": {
"description": "The index number of the first sample in the Dataset. If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"recorder": {
@ -123,7 +123,7 @@
"trailing_bytes": {
"description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.",
"disable_correlation": true,
"misp-attribute": "counter",
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"version": {

10
objects/submarine/definition.json
View File

@ -36,7 +36,7 @@
},
"complement": {
"description": "Crew size",
"misp-attribute": "counter",
"misp-attribute": "integer",
"recommended": false,
"ui-priority": 0
},
@ -46,8 +46,8 @@
"ui-priority": 1
},
"displacement": {
"description": "Displacement in tonns",
"misp-attribute": "counter",
"description": "Displacement in tonnes",
"misp-attribute": "integer",
"recommended": true,
"ui-priority": 0
},
@ -64,12 +64,12 @@
},
"in_service_from": {
"description": "The year the submarine entered service",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"in_service_until": {
"description": "The year the submarine left service",
"misp-attribute": "counter",
"misp-attribute": "integer",
"ui-priority": 0
},
"length": {

160
relationships/definition.json
View File

@ -13,13 +13,45 @@
"name": "derived-from"
},
{
"description": "This relationship describes an object which executes another object",
"description": "This relationship describes an object which executes another object.",
"format": [
"misp"
],
"name": "executes",
"opposite": "executed-by"
},
{
"description": "This relationship describes an object which shares another object.",
"format": [
"misp"
],
"name": "shares",
"opposite": "shared-by"
},
{
"description": "This relationship describes an object which was shared by another object.",
"format": [
"misp"
],
"name": "shared-by",
"opposite": "shares"
},
{
"description": "This relationship describes an object which publishes another object.",
"format": [
"misp"
],
"name": "publishes",
"opposite": "published-by"
},
{
"description": "This relationship describes an object which was published by another object.",
"format": [
"misp"
],
"name": "published-by",
"opposite": "publishes"
},
{
"description": "The referenced source and target objects are semantically duplicates of each other.",
"format": [
@ -850,9 +882,19 @@
{
"description": "Represents the semantic link of a communication initiating an event.",
"format": [
"alfred"
"alfred",
"misp"
],
"name": "initiates"
"name": "initiates",
"opposite": "initiated-by"
},
{
"description": "The source object initiated the target object.",
"format": [
"misp"
],
"name": "initiated-by",
"opposite": "initiates"
},
{
"description": "Represents the semantic link between a FILE and FILE_BINARY.",
@ -1748,7 +1790,117 @@
],
"name": "is-acquired-by",
"opposite": "acquires"
},
{
"description": "The source object supports the target object.",
"format": [
"misp"
],
"name": "supports",
"opposite": "supported-by"
},
{
"description": "The source object is supported by the target object.",
"format": [
"misp"
],
"name": "supported-by",
"opposite": "supports"
},
{
"description": "The source object sponsors the target object.",
"format": [
"misp"
],
"name": "sponsors",
"opposite": "sponsored-by"
},
{
"description": "The source object is sponsored by the target object.",
"format": [
"misp"
],
"name": "sponsored-by",
"opposite": "sponsors"
},
{
"description": "The source object operates from the target object.",
"format": [
"misp"
],
"name": "operates-from"
},
{
"description": "The source object deploys the target object.",
"format": [
"misp"
],
"name": "deploys",
"opposite": "is-deployed-by"
},
{
"description": "The source object is deployed by the target object.",
"format": [
"misp"
],
"name": "is-deployed-by",
"opposite": "deploys"
},
{
"description": "The source object interacts with the target object.",
"format": [
"misp"
],
"name": "interacts-with"
},
{
"description": "The source object injects the target object.",
"format": [
"misp"
],
"name": "injects",
"opposite": "is-injected-by"
},
{
"description": "The source object is injected by the target object.",
"format": [
"misp"
],
"name": "is-injected-by",
"opposite": "injects"
},
{
"description": "The source object interviews the target object.",
"format": [
"misp"
],
"name": "interviews",
"opposite": "is-interviewed-by"
},
{
"description": "The source object is interviewed by the target object.",
"format": [
"misp"
],
"name": "is-interviewed-by",
"opposite": "interviews"
},
{
"description": "The source object summarizes the target object.",
"format": [
"misp"
],
"name": "summarizes",
"opposite": "summarized-by"
},
{
"description": "The source object is summarized by the target object.",
"format": [
"misp"
],
"name": "summarized-by",
"opposite": "summarizes"
}
],
"version": 41
"version": 49
}

1
schema_objects.json
View File

@ -127,6 +127,7 @@
"identity-card-number",
"impfuzzy",
"imphash",
"integer",
"ip-dst",
"ip-dst|port",
"ip-src",

4
tools/updated.sh
View File

@ -2,5 +2,5 @@ python3 adoc_objects.py >a.txt
mv a.txt objects.txt
asciidoctor-pdf -a allow-uri-read objects.txt
asciidoctor -a allow-uri-read objects.txt
cp objects.html ../../misp-website-new/static
cp objects.pdf ../../misp-website-new/static
cp objects.html ../../misp-website/static
cp objects.pdf ../../misp-website/static