From 1d97cbbd2dc056ec25c0d667847c137808ace4ef Mon Sep 17 00:00:00 2001
From: Michael Kerscher
Date: Wed, 7 Dec 2016 16:06:52 +0100
Subject: [PATCH 1/2] email object added
---
 objects/email/definition.json | 86 +++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 objects/email/definition.json
diff --git a/objects/email/definition.json b/objects/email/definition.json
new file mode 100644
index 0000000..aa3ad87
--- /dev/null
+++ b/objects/email/definition.json
@@ -0,0 +1,86 @@
+{
+ "name": "email",
+ "meta-category": "email",
+ "description": "Email object describing an email with meta-information",
+ "version": 1,
+ "attributes" :
+ {
+ "from": {
+ "misp-attribute": "email-src",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"]
+ },
+ "from-display-name": {
+ "misp-attribute": "email-src-display-name",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"]
+ },
+ "to": {
+ "misp-attribute": "email-dst",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"],
+ "multiple": true
+ },
+ "to-display-name": {
+ "misp-attribute": "email-dst-display-name",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"],
+ "multiple": true
+ },
+ "subject": {
+ "misp-attribute": "email-subject",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"]
+ },
+ "attachment": {
+ "misp-attribute": "email-attachment",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"],
+ "multiple": true
+ },
+ "message-id": {
+ "misp-attribute": "email-message-id",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"]
+ },
+ "reply-to": {
+ "misp-attribute": "email-reply-to",
+ "misp-usage-frequency": 1,
+ "categories": ["Payload delivery"]
+ },
+ "send-date": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "categories": ["Other"]
+ },
+ "url": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"],
+ "multiple": true
+ },
+ "mime-boundary": {
+ "misp-attribute": "email-mime-boundary",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"]
+ },
+ "thread-index": {
+ "misp-attribute": "email-thread-index",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"]
+ },
+ "header": {
+ "misp-attribute": "email-header",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"],
+ "multiple": true
+ },
+ "x-mailer": {
+ "misp-attribute": "email-xmailer",
+ "misp-usage-frequency": 0,
+ "categories": ["Payload delivery"]
+ }
+
+ },
+ "requiredOneOf": ["email-src", "email-src-display-name", "email-dst", "email-dst-display-name", "email-subject", "email-attachment", "email-message-id", "email-reply-to", "send-date", "url", "email-mime-boundary", "email-thread-index", "email-header", "x-mailer"]
+}
From 30512f69af184282d8009325ada9e193e91d0949 Mon Sep 17 00:00:00 2001
From: Michael Kerscher
Date: Wed, 7 Dec 2016 16:39:31 +0100
Subject: [PATCH 2/2] registry key object added
---
 objects/registry-key/definition.json | 40 ++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 objects/registry-key/definition.json
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
new file mode 100644
index 0000000..2739f35
--- /dev/null
+++ b/objects/registry-key/definition.json
@@ -0,0 +1,40 @@
+{
+ "name": "registry-key",
+ "meta-category": "file",
+ "description": "Registry key object describing a Windows registry key with value and last-modified timestamp",
+ "version": 1,
+ "attributes" :
+ {
+ "hive": {
+ "misp-attribute": "reg-hive",
+ "misp-usage-frequency": 1,
+ "categories": ["Persistence mechanism"]
+ },
+ "key": {
+ "misp-attribute": "reg-key",
+ "misp-usage-frequency": 1,
+ "categories": ["Persistence mechanism"]
+ },
+ "name": {
+ "misp-attribute": "reg-name",
+ "misp-usage-frequency": 1,
+ "categories": ["Persistence mechanism"]
+ },
+ "data": {
+ "misp-attribute": "reg-data",
+ "misp-usage-frequency": 1,
+ "categories": ["Persistence mechanism"]
+ },
+ "data-type": {
+ "misp-attribute": "reg-datatype",
+ "misp-usage-frequency": 0,
+ "categories": ["Persistence mechanism"]
+ },
+ "last-modified": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "categories": ["Other"]
+ }
+ },
+ "required": ["key", "name"]
+}
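Review bot: The `requiredOneOf` list that closes objects/email/definition.json mixes two identifier spaces: most entries are `misp-attribute` type names (`email-src`, `email-dst`, `email-header`), while `send-date` and `x-mailer` are keys of the `attributes` object (`url` happens to be both). A consumer that matches the list against attribute keys will never find `email-src`, and one that matches against types will never find `send-date` or `x-mailer`, so the constraint cannot be enforced consistently. Using the keys throughout, `"requiredOneOf": ["from", "from-display-name", "to", "to-display-name", "subject", ...]`, would also agree with how `required` is written in objects/registry-key/definition.json in patch 2/2. Because the list names every attribute, an object holding only a `mime-boundary` or a `thread-index` passes validation; if the template is meant to guarantee a useful indicator, the list should be narrowed to the fields that identify a message.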
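Review bot: In objects/registry-key/definition.json, `"required": ["key", "name"]` makes the value name mandatory, so a sighting where only the key path is known, or where the key's unnamed default value is the artefact, cannot be recorded with this template; `"required": ["key"]` would accept those while still anchoring every object to a key. None of the attributes carries a description, and `data-type` in particular needs one stating the expected vocabulary (presumably the REG_* type names) so that different producers emit comparable values. `last-modified` likewise gives no hint about timezone, which matters when the timestamp is correlated with other host evidence. Every attribute except `last-modified` is limited to `Persistence mechanism`; if registry artefacts from other analysis contexts are meant to use this object, the `categories` arrays need the extra entries.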