Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch

pull/393/head
Christian Studer 2023-05-24 16:20:27 +02:00
commit 37e43490c0
15 changed files with 1285 additions and 14 deletions

View File

@ -105,7 +105,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
## Existing MISP objects
- [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
- [objects/ai-chat-prompt](https://github.com/MISP/misp-objects/blob/main/objects/ai-chat-prompt/definition.json) - Object describing an AI prompt such as ChatGPT.
- [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework.
- [objects/ais](https://github.com/MISP/misp-objects/blob/main/objects/ais/definition.json) - Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.
- [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings.
- [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app.
- [objects/android-permission](https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
@ -125,7 +127,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/blog](https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json) - Blog post like Medium or WordPress.
- [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil.
- [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transaction.
- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.
- [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
- [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
- [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
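Review bot: the btc-transaction entry in this hunk's context still reads "Best to be used with bitcoin-wallet", naming an object that does not exist in this list, while the btc-wallet line directly below it is being corrected from "bitcoin-transaction" to "btc-transaction object". Fix both in the same pass, e.g. `- [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with btc-wallet object.`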
@ -152,6 +154,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
- [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
- [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
- [objects/directory](https://github.com/MISP/misp-objects/blob/main/objects/directory/definition.json) - Directory object describing a directory with meta-information.
- [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM.
- [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
- [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time.
@ -233,6 +236,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
- [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
- [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance.
- [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information.
- [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.
- [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.
- [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header.
@ -307,12 +311,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
- [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
- [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
- [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
- [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
- [objects/reddit-subreddit](https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json) - Public or private subreddit.
- [objects/regexp](https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
- [objects/registry-key](https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json) - Registry key object describing a Windows registry key with value and last-modified timestamp.
- [objects/registry-key-value](https://github.com/MISP/misp-objects/blob/main/objects/registry-key-value/definition.json) - Registry key value object describing a Windows registry key value, with its data, data type and name values. To be used when a registry key has multiple values.
- [objects/regripper-NTUser](https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json) - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.
- [objects/regripper-sam-hive-single-user](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json) - Regripper Object template designed to present user profile details extracted from the SAM hive.
- [objects/regripper-sam-hive-user-group](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json) - Regripper Object template designed to present group profile details extracted from the SAM hive.
@ -330,6 +336,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/regripper-system-hive-services-drivers](https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-services-drivers/definition.json) - Regripper Object template designed to gather information regarding the services/drivers from the system-hive.
- [objects/report](https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json) - Metadata used to generate an executive level report.
- [objects/research-scanner](https://github.com/MISP/misp-objects/blob/main/objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects).
- [objects/risk-assessment-report](https://github.com/MISP/misp-objects/blob/main/objects/risk-assessment-report/definition.json) - Risk assessment report object which includes the assessment report from a risk assessment platform such as MONARC.
- [objects/rogue-dns](https://github.com/MISP/misp-objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS as defined by CERT.br.
- [objects/rtir](https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
- [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report.
@ -376,6 +383,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/tracking-id](https://github.com/MISP/misp-objects/blob/main/objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
- [objects/transaction](https://github.com/MISP/misp-objects/blob/main/objects/transaction/definition.json) - An object to describe a financial transaction.
- [objects/translation](https://github.com/MISP/misp-objects/blob/main/objects/translation/definition.json) - Used to keep a text and its translation.
- [objects/transport-ticket](https://github.com/MISP/misp-objects/blob/main/objects/transport-ticket/definition.json) - A transport ticket.
- [objects/trustar_report](https://github.com/MISP/misp-objects/blob/main/objects/trustar_report/definition.json) - TruStar Report.
- [objects/tsk-chats](https://github.com/MISP/misp-objects/blob/main/objects/tsk-chats/definition.json) - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.
- [objects/tsk-web-bookmark](https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-bookmark/definition.json) - An Object Template to add evidential bookmarks identified during a digital forensic investigation.
@ -460,11 +468,11 @@ The MISP objects (JSON files) are dual-licensed under:
or
~~~~
Copyright (c) 2016-2021 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2016-2021 Andras Iklody
Copyright (c) 2016-2021 Raphael Vinot
Copyright (c) 2016-2021 Various contributors to MISP Project
Copyright (c) 2016-2023 Alexandre Dulaunoy - a@foo.be
Copyright (c) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg
Copyright (c) 2016-2023 Andras Iklody
Copyright (c) 2016-2023 Raphael Vinot
Copyright (c) 2016-2023 Various contributors to MISP Project
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
@ -494,9 +502,9 @@ If a specific author of a taxonomy wants to license it under a different license
~~~~
Copyright (C) 2016-2021 Andras Iklody
Copyright (C) 2016-2021 Alexandre Dulaunoy
Copyright (C) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2016-2023 Andras Iklody
Copyright (C) 2016-2023 Alexandre Dulaunoy
Copyright (C) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by

View File

@ -0,0 +1,82 @@
{
"attributes": {
"act-as": {
"description": "Act as a specific person.",
"misp-attribute": "text",
"sane_default": [
"Security Analysts",
"Incident Responder",
"IT Expert",
"Cyber Security Specialists",
"Technical Writer"
],
"ui-priority": 5
},
"comment": {
"description": "Comment associated to the AI chat prompt.",
"misp-attribute": "text",
"ui-priority": 1
},
"model": {
"description": "AI chatbot model used for the prompt.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"GPT 3.5",
"GPT 4.0",
"GPT 3.0",
"DALL-E",
"Whisper",
"Embeddings",
"Moderation",
"Codex",
"BioGPT",
"LLaMA",
"GPT4ALL",
"Bing AI",
"Google Bard AI"
],
"ui-priority": 3
},
"prompt": {
"description": "Prompt text used for a specific AI chat.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 2
},
"result": {
"description": "Result",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 4,
"values_list": [
"Unknown",
"Harmless",
"Correct",
"Dangerous",
"Incorrect"
]
},
"role": {
"description": "Role as defined in OpenAI or similar API.",
"misp-attribute": "text",
"sane_default": [
"system",
"user",
"assistant"
],
"ui-priority": 7
}
},
"description": "Object describing an AI prompt such as ChatGPT.",
"meta-category": "misc",
"name": "ai-chat-prompt",
"requiredOneOf": [
"prompt"
],
"uuid": "a78f4156-0bb7-405c-aa25-ba16a73f68e4",
"version": 2
}
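Review bot: the `result` attribute's description is just "Result" (`"description": "Result"`), which tells an analyst nothing about what is being recorded, and its `values_list` mixes two independent axes, correctness (Correct/Incorrect) and harm (Harmless/Dangerous), so an output that is both incorrect and dangerous needs two values of one attribute. Suggest a description such as "Assessment of the output returned by the model for this prompt" and either splitting into `result-correctness` and `result-harm` or stating in the description that several values are expected (the attribute already carries `"multiple": true`).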

objects/ais/definition.json Normal file
View File

@ -0,0 +1,135 @@
{
"attributes": {
"ETA": {
"description": "Estimated time of arrival at destination",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"IMO-number": {
"description": "IMO ship identification number: a seven digit number that remains unchanged upon transfer of the ship's registration to another country",
"misp-attribute": "text",
"ui-priority": 90
},
"MMSI": {
"description": "Vessel Maritime Maritime Mobile Service Identity (MMSI): a unique nine digit identification number.",
"misp-attribute": "text",
"ui-priority": 99
},
"call-sign": {
"description": "International radio call-sign, up to 7 characters.",
"misp-attribute": "text",
"ui-priority": 97
},
"course-over-ground": {
"description": "The course of the vessel, relative to true north to 0.1 degree",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 78
},
"destination": {
"description": "Destination of the vessel in max 20 characters",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"dimension-a": {
"description": "Distance in meters from Forward Perpendicular (FP)",
"misp-attribute": "float",
"ui-priority": 24
},
"dimension-b": {
"description": "Distance in meters from After Perpendicular (AP)",
"misp-attribute": "float",
"ui-priority": 23
},
"dimension-c": {
"description": "Distance in meters inboard from port side",
"misp-attribute": "float",
"ui-priority": 22
},
"dimension-d": {
"description": "Distance in meters inboard from starboard side",
"misp-attribute": "float",
"ui-priority": 21
},
"draught": {
"description": "Draught of ship. 0.1-25.5 meters",
"misp-attribute": "float",
"ui-priority": 20
},
"first-seen": {
"description": "When the location was seen for the first time.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 87
},
"last-seen": {
"description": "When the location was seen for the last time.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 86
},
"latitude": {
"description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 89
},
"longitude": {
"description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 88
},
"name": {
"description": "20 characters to represent the name of the vessel",
"misp-attribute": "text",
"ui-priority": 98
},
"navigational-status": {
"description": "1. at anchor, 2. under command, 3. Restricted Manoeuvrability, etc.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 80
},
"rate-of-turn": {
"description": "right or left, from 0 to 720 degrees per minute",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 75
},
"speed-over-ground": {
"description": "0.1 knot resolution from 0 to 102 knots",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 79
},
"true-heading": {
"description": "The true heading of the vessel. 0 to 359 degrees",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 77
},
"true-heading-at-own-position": {
"description": "The true heading at own position of the vessel. 0 to 359 degrees",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 76
},
"type-of-ship": {
"description": "Type of ship/cargo",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 91
}
},
"description": "Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.",
"meta-category": "marine",
"name": "ais",
"requiredOneOf": [
"MMSI"
],
"uuid": "ef90551a-ff34-472c-9fba-c272c4435baa",
"version": 3
}
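Review bot: `navigational-status` is typed `"misp-attribute": "float"` although its description lists enumerated codes ("1. at anchor, 2. under command, 3. Restricted Manoeuvrability, etc."); a status code is not a floating-point quantity, so use `text` with a `sane_default` list of the codes, the pattern `act-as` uses in the ai-chat-prompt template above. Conversely `rate-of-turn` is described as "from 0 to 720 degrees per minute" but typed `text`, while the other numeric fields (`speed-over-ground`, `true-heading`, `course-over-ground`) are `float`. The `MMSI` description also repeats a word: "Vessel Maritime Maritime Mobile Service Identity".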

View File

@ -0,0 +1,149 @@
{
"attributes": {
"as-name": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Autonomous system name",
"disable_correlation": true,
"misp-attribute": "AS",
"multiple": true,
"ui-priority": 0
},
"as-num": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Autonomous system number",
"disable_correlation": true,
"misp-attribute": "AS",
"multiple": true,
"ui-priority": 0
},
"attack-details": {
"description": "Triggered scenarios",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"background-noise": {
"description": "Background noise",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"behaviors": {
"description": "Attack categories",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"city": {
"description": "City of origin",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"country": {
"description": "Country of origin",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"country-code": {
"description": "Country Code",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"dst-port": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Destination port",
"disable_correlation": true,
"misp-attribute": "port",
"multiple": true,
"ui-priority": 1
},
"ip": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IP Address",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"ip-range": {
"categories": [
"Network activity",
"External analysis"
],
"description": "destination IP address",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"ip-range-score": {
"categories": [
"Network activity",
"External analysis"
],
"description": "destination IP address",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"latitude": {
"description": "Latitude of origin",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"longitude": {
"description": "Longitude of origin",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
},
"reverse-dns": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Reverse DNS name",
"misp-attribute": "hostname",
"ui-priority": 1
},
"scores": {
"description": "Scores",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"target-countries": {
"description": "Target countries (top 10)",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"trust": {
"description": "Trust level",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 1
}
},
"description": "CrowdSec Threat Intelligence - IP CTI search",
"meta-category": "network",
"name": "crowdsec-ip-context",
"requiredOneOf": [
"ip"
],
"uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
"version": 2
}
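Review bot: the descriptions of `ip-range` and `ip-range-score` are both the copy-pasted "destination IP address", which is wrong for both: the object's `ip` is an `ip-src` ("IP Address"), so the range is the source range that address belongs to, and `ip-range-score` is a `float`, i.e. a score, not an address. Suggest "IP range the address belongs to" and "Score of the IP range", capitalised like the other descriptions. `attack-details` ("Triggered scenarios") and `behaviors` ("Attack categories") would also be clearer if the description named the CrowdSec concept the attribute name refers to.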

View File

@ -0,0 +1,73 @@
{
"attributes": {
"c2": {
"categories": [
"Network activity"
],
"description": "The C2 sample communicates with",
"misp-attribute": "url",
"multiple": true,
"ui-priority": 1
},
"jar-md5": {
"categories": [
"External analysis"
],
"description": "MD5 of adversary cobaltstrike.jar file",
"misp-attribute": "md5",
"ui-priority": 0
},
"md5": {
"categories": [
"Payload delivery"
],
"description": "MD5 of sample containing the Cobalt Strike shellcode",
"misp-attribute": "md5",
"ui-priority": 1
},
"sha1": {
"categories": [
"Payload delivery"
],
"description": "SHA1 of sample containing the Cobalt Strike shellcode",
"misp-attribute": "sha1",
"ui-priority": 1
},
"sha256": {
"categories": [
"Payload delivery"
],
"description": "SHA256 of sample containing the Cobalt Strike shellcode",
"misp-attribute": "sha256",
"ui-priority": 1
},
"vt-sha256": {
"categories": [
"External analysis"
],
"description": "SHA256 of sample uploaded to VirusTotal",
"misp-attribute": "sha256",
"ui-priority": 0
},
"watermark": {
"categories": [
"Other"
],
"description": "The watermark of sample",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Cobalt Strike Beacon Config",
"meta-category": "file",
"name": "cs-beacon-config",
"required": [
"jar-md5",
"md5",
"sha1",
"sha256",
"watermark"
],
"uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
"version": 1
}
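Review bot: the `required` list makes all five of `jar-md5`, `md5`, `sha1`, `sha256` and `watermark` mandatory, so a beacon config extracted from a sample cannot be recorded unless the MD5 of the adversary's `cobaltstrike.jar` is also known, which the sample alone does not give; the other templates in this commit use `requiredOneOf`. Suggest `requiredOneOf` over the sample hashes (`md5`, `sha1`, `sha256`) and leaving `jar-md5` and `watermark` optional. The `c2` description "The C2 sample communicates with" also reads as truncated; "C2 server the sample communicates with" is clearer.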

View File

@ -0,0 +1,299 @@
{
"attributes": {
"access-time": {
"description": "The last time the directory was accessed",
"misp-attribute": "datetime",
"ui-priority": 0
},
"creation-time": {
"description": "Creation time of the directory",
"misp-attribute": "datetime",
"ui-priority": 0
},
"modification-time": {
"description": "Modification time of the directory",
"misp-attribute": "datetime",
"ui-priority": 0
},
"path": {
"description": "Path of the directory, complete or partial",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"path-encoding": {
"description": "Encoding format of the directory",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Adobe-Standard-Encoding",
"Adobe-Symbol-Encoding",
"Amiga-1251",
"ANSI_X3.110-1983",
"ASMO_449",
"Big5",
"Big5-HKSCS",
"BOCU-1",
"BRF",
"BS_4730",
"BS_viewdata",
"CESU-8",
"CP50220",
"CP51932",
"CSA_Z243.4-1985-1",
"CSA_Z243.4-1985-2",
"CSA_Z243.4-1985-gr",
"CSN_369103",
"DEC-MCS",
"DIN_66003",
"dk-us",
"DS_2089",
"EBCDIC-AT-DE",
"EBCDIC-AT-DE-A",
"EBCDIC-CA-FR",
"EBCDIC-DK-NO",
"EBCDIC-DK-NO-A",
"EBCDIC-ES",
"EBCDIC-ES-A",
"EBCDIC-ES-S",
"EBCDIC-FI-SE",
"EBCDIC-FI-SE-A",
"EBCDIC-FR",
"EBCDIC-IT",
"EBCDIC-PT",
"EBCDIC-UK",
"EBCDIC-US",
"ECMA-cyrillic",
"ES",
"ES2",
"EUC-KR",
"Extended_UNIX_Code_Fixed_Width_for_Japanese",
"Extended_UNIX_Code_Packed_Format_for_Japanese",
"GB18030",
"GB_1988-80",
"GB2312",
"GB_2312-80",
"GBK",
"GOST_19768-74",
"greek7",
"greek7-old",
"greek-ccitt",
"HP-DeskTop",
"HP-Legal",
"HP-Math8",
"HP-Pi-font",
"hp-roman8",
"HZ-GB-2312",
"IBM00858",
"IBM00924",
"IBM01140",
"IBM01141",
"IBM01142",
"IBM01143",
"IBM01144",
"IBM01145",
"IBM01146",
"IBM01147",
"IBM01148",
"IBM01149",
"IBM037",
"IBM038",
"IBM1026",
"IBM1047",
"IBM273",
"IBM274",
"IBM275",
"IBM277",
"IBM278",
"IBM280",
"IBM281",
"IBM284",
"IBM285",
"IBM290",
"IBM297",
"IBM420",
"IBM423",
"IBM424",
"IBM437",
"IBM500",
"IBM775",
"IBM850",
"IBM851",
"IBM852",
"IBM855",
"IBM857",
"IBM860",
"IBM861",
"IBM862",
"IBM863",
"IBM864",
"IBM865",
"IBM866",
"IBM868",
"IBM869",
"IBM870",
"IBM871",
"IBM880",
"IBM891",
"IBM903",
"IBM904",
"IBM905",
"IBM918",
"IBM-Symbols",
"IBM-Thai",
"IEC_P27-1",
"INIS",
"INIS-8",
"INIS-cyrillic",
"INVARIANT",
"ISO_10367-box",
"ISO-10646-J-1",
"ISO-10646-UCS-2",
"ISO-10646-UCS-4",
"ISO-10646-UCS-Basic",
"ISO-10646-Unicode-Latin1",
"ISO-10646-UTF-1",
"ISO-11548-1",
"ISO-2022-CN",
"ISO-2022-CN-EXT",
"ISO-2022-JP",
"ISO-2022-JP-2",
"ISO-2022-KR",
"ISO_2033-1983",
"ISO_5427",
"ISO_5427:1981",
"ISO_5428:1980",
"ISO_646.basic:1983",
"ISO_646.irv:1983",
"ISO_6937-2-25",
"ISO_6937-2-add",
"ISO-8859-10",
"ISO_8859-1:1987",
"ISO-8859-13",
"ISO-8859-14",
"ISO-8859-15",
"ISO-8859-16",
"ISO-8859-1-Windows-3.0-Latin-1",
"ISO-8859-1-Windows-3.1-Latin-1",
"ISO_8859-2:1987",
"ISO-8859-2-Windows-Latin-2",
"ISO_8859-3:1988",
"ISO_8859-4:1988",
"ISO_8859-5:1988",
"ISO_8859-6:1987",
"ISO_8859-6-E",
"ISO_8859-6-I",
"ISO_8859-7:1987",
"ISO_8859-8:1988",
"ISO_8859-8-E",
"ISO_8859-8-I",
"ISO_8859-9:1989",
"ISO-8859-9-Windows-Latin-5",
"ISO_8859-supp",
"iso-ir-90",
"ISO-Unicode-IBM-1261",
"ISO-Unicode-IBM-1264",
"ISO-Unicode-IBM-1265",
"ISO-Unicode-IBM-1268",
"ISO-Unicode-IBM-1276",
"IT",
"JIS_C6220-1969-jp",
"JIS_C6220-1969-ro",
"JIS_C6226-1978",
"JIS_C6226-1983",
"JIS_C6229-1984-a",
"JIS_C6229-1984-b",
"JIS_C6229-1984-b-add",
"JIS_C6229-1984-hand",
"JIS_C6229-1984-hand-add",
"JIS_C6229-1984-kana",
"JIS_Encoding",
"JIS_X0201",
"JIS_X0212-1990",
"JUS_I.B1.002",
"JUS_I.B1.003-mac",
"JUS_I.B1.003-serb",
"KOI7-switched",
"KOI8-R",
"KOI8-U",
"KS_C_5601-1987",
"KSC5636",
"KZ-1048",
"latin-greek",
"Latin-greek-1",
"latin-lap",
"macintosh",
"Microsoft-Publishing",
"MNEM",
"MNEMONIC",
"MSZ_7795.3",
"Name",
"NATS-DANO",
"NATS-DANO-ADD",
"NATS-SEFI",
"NATS-SEFI-ADD",
"NC_NC00-10:81",
"NF_Z_62-010",
"NF_Z_62-010_(1973)",
"NS_4551-1",
"NS_4551-2",
"OSD_EBCDIC_DF03_IRV",
"OSD_EBCDIC_DF04_1",
"OSD_EBCDIC_DF04_15",
"PC8-Danish-Norwegian",
"PC8-Turkish",
"PT",
"PT2",
"PTCP154",
"SCSU",
"SEN_850200_B",
"SEN_850200_C",
"Shift_JIS",
"T.101-G2",
"T.61-7bit",
"T.61-8bit",
"TIS-620",
"TSCII",
"UNICODE-1-1",
"UNICODE-1-1-UTF-7",
"UNKNOWN-8BIT",
"US-ASCII",
"us-dk",
"UTF-16",
"UTF-16BE",
"UTF-16LE",
"UTF-32",
"UTF-32BE",
"UTF-32LE",
"UTF-7",
"UTF-8",
"Ventura-International",
"Ventura-Math",
"Ventura-US",
"videotex-suppl",
"VIQR",
"VISCII",
"windows-1250",
"windows-1251",
"windows-1252",
"windows-1253",
"windows-1254",
"windows-1255",
"windows-1256",
"windows-1257",
"windows-1258",
"Windows-31J",
"windows-874"
],
"ui-priority": 0
}
},
"description": "Directory object describing a directory with meta-information",
"meta-category": "file",
"name": "directory",
"requiredOneOf": [
"path"
],
"uuid": "23ac6a02-1017-4ea6-a4df-148ed563988d",
"version": 1
}
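Review bot: the `path-encoding` `sane_default` list contains the entry "Name" (between "MSZ_7795.3" and "NATS-DANO"), which is not a charset but appears to be the column header of the IANA character-set registry the list was pasted from; remove it. The description "Encoding format of the directory" should say what is encoded, i.e. the path: "Character encoding of the directory path". The list ordering is also mixed (case-insensitive alphabetical, yet `windows-*` after `VISCII`), so sorting it once would make later additions easier to review.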

View File

@ -1,5 +1,10 @@
{
"attributes": {
"access-time": {
"description": "The last time the file was accessed",
"misp-attribute": "datetime",
"ui-priority": 0
},
"attachment": {
"description": "A non-malicious file.",
"misp-attribute": "attachment",
@ -21,6 +26,11 @@
"misp-attribute": "datetime",
"ui-priority": 0
},
"creation-time": {
"description": "Creation time of the file",
"misp-attribute": "datetime",
"ui-priority": 0
},
"entropy": {
"description": "Entropy of the whole file",
"disable_correlation": true,
@ -334,6 +344,11 @@
"misp-attribute": "mime-type",
"ui-priority": 0
},
"modification-time": {
"description": "Last time the file was modified",
"misp-attribute": "datetime",
"ui-priority": 0
},
"path": {
"description": "Path of the filename complete or partial",
"disable_correlation": true,
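Review bot: none of the three hunks in this file bumps the template `version` field, whereas the equivalent attribute additions to network-connection and network-socket in this same commit do (4 to 6 and 3 to 4); MISP only replaces an installed object template when the incoming version is higher, so `access-time`, `creation-time` and `modification-time` will not show up on existing instances until the version is bumped. The three descriptions also use three different phrasings ("The last time the file was accessed", "Creation time of the file", "Last time the file was modified"); align them with the `directory` template added in this commit, which carries the same three attributes.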

View File

@ -0,0 +1,71 @@
{
"attributes": {
"actor": {
"description": "GreyNoise Actor",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"classification": {
"description": "GreyNoise Classification",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"first-seen": {
"description": "First Seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 2
},
"ip-src": {
"description": "Source IP address of the network connection.",
"misp-attribute": "ip-src",
"ui-priority": 1
},
"last-seen": {
"description": "Last Seen",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"link": {
"description": "GreyNoise Visualizer Link",
"disable_correlation": true,
"misp-attribute": "link",
"ui-priority": 2
},
"noise": {
"description": "GreyNoise Internet Scanning Flag",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"provider": {
"description": "GreyNoise Service Provider",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"riot": {
"description": "GreyNoise Common Business Service Flag",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"trust-level": {
"description": "GreyNoise RIOT Trust Level",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "GreyNoise IP Information",
"meta-category": "network",
"name": "greynoise-ip",
"requiredOneOf": [
"ip-src"
],
"uuid": "6B14A94A-46E4-4B82-B24D-0DBF8E8B3FD9",
"version": 1
}
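Review bot: the `uuid` is written in upper case ("6B14A94A-46E4-4B82-B24D-0DBF8E8B3FD9") whereas every other template in this commit uses lower-case UUIDs; normalise it to lower case so tooling that compares UUIDs as strings does not treat it as a different template. `noise` and `riot` are described as flags ("GreyNoise Internet Scanning Flag", "GreyNoise Common Business Service Flag") but typed `text`; MISP's `boolean` attribute type fits better. The `first-seen`/`last-seen` descriptions ("First Seen", "Last Seen") merely repeat the attribute names; say what was seen, e.g. "First time GreyNoise observed this IP scanning".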

View File

@ -10,6 +10,18 @@
"misp-attribute": "counter",
"ui-priority": 1
},
"dst-bytes-count": {
"description": "Number of bytes sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"dst-packets-count": {
"description": "Number of packets sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"dst-port": {
"categories": [
"Network activity",
@ -53,6 +65,12 @@
"misp-attribute": "ip-src",
"ui-priority": 1
},
"last-packet-seen": {
"description": "Datetime of the last packet seen.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"layer3-protocol": {
"description": "Layer 3 protocol of the network connection.",
"disable_correlation": true,
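Review bot: `first-packet-seen` is missing here: only `last-packet-seen` is added to network-connection, while network-socket in this same commit gains both `first-packet-seen` and `last-packet-seen`; without the first timestamp the connection's duration cannot be recorded. Suggest adding `first-packet-seen` with the same definition ("Datetime of the first packet seen.", `datetime`, `disable_correlation: true`) so the two templates stay symmetric.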
@ -85,6 +103,28 @@
],
"ui-priority": 0
},
"mac-dst": {
"description": "Destination MAC address of the network connection.",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"mac-src": {
"description": "Source MAC address of the network connection.",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"src-bytes-count": {
"description": "Number of bytes sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"src-packets-count": {
"description": "Number of packets sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"src-port": {
"categories": [
"Network activity",
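Review bot: the direction encoded in `src-bytes-count`/`src-packets-count` is the opposite of what the names suggest: they are described as "sent from the destination to the source", i.e. bytes received by the source, while `dst-bytes-count` counts bytes "sent from the source to the destination". Analysts mapping flow data will read `src-bytes` as bytes the source sent (the way Zeek's `orig_bytes`/`resp_bytes` are defined); either rename to something direction-explicit (`bytes-to-src`/`bytes-to-dst`) or spell the meaning out in the description, e.g. "Number of bytes received by the source (sent from the destination to the source)." The same applies to the identical attributes added to network-socket below.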
@ -107,5 +147,5 @@
"community-id"
],
"uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
"version": 4
"version": 6
}

View File

@ -106,6 +106,18 @@
],
"ui-priority": 1
},
"dst-bytes-count": {
"description": "Number of bytes sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"dst-packets-count": {
"description": "Number of packets sent from the source to the destination.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"dst-port": {
"categories": [
"Network activity",
@ -120,6 +132,12 @@
"misp-attribute": "filename",
"ui-priority": 1
},
"first-packet-seen": {
"description": "Datetime of the first packet seen.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"hostname-dst": {
"description": "Destination hostname of the network socket connection.",
"misp-attribute": "hostname",
@ -148,6 +166,22 @@
"misp-attribute": "ip-src",
"ui-priority": 1
},
"last-packet-seen": {
"description": "Datetime of the last packet seen.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"mac-dst": {
"description": "Destination MAC address as it is included in the packets sent",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"mac-src": {
"description": "Source (local) MAC address as it is included in the packets sent",
"misp-attribute": "mac-address",
"ui-priority": 1
},
"option": {
"description": "Option on the socket connection.",
"misp-attribute": "text",
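Review bot: the two MAC address descriptions lack the trailing period used by the other descriptions in this object ("Datetime of the last packet seen."), and their wording ("Source (local) MAC address as it is included in the packets sent") differs from the network-connection object's "Source MAC address of the network connection." for the same attribute. Align both; "(local)" in particular assumes the socket was observed on the source host, which is not the case for a capture taken elsewhere on the path, so either drop it or state it as the intended meaning.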
@ -157,6 +191,7 @@
"protocol": {
"description": "Protocol used by the network socket.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0,
"values_list": [
"TCP",
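Review bot: "multiple": true on "protocol" allows several entries from the "values_list" on a single socket object. If the intent is to express layered protocols (a transport protocol plus an application protocol), the description "Protocol used by the network socket." should say so; if a socket is expected to carry exactly one protocol, drop the flag, since multiple values make the attribute ambiguous for anyone filtering on it.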
@ -177,6 +212,18 @@
],
"ui-priority": 1
},
"src-bytes-count": {
"description": "Number of bytes sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"src-packets-count": {
"description": "Number of packets sent from the destination to the source.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"src-port": {
"categories": [
"Network activity",
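Review bot: same directional concern as the "dst-*" counters earlier in this file: "src-bytes-count" described as "sent from the destination to the source" means "src-*" counts what the source received. State that convention in the description rather than leaving it to the reader, and use the exact same sentence as the network-connection object's "src-bytes-count" so the two objects stay interchangeable.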
@ -207,5 +254,5 @@
"dst-port"
],
"uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2",
"version": 3
"version": 4
}

View File

@ -0,0 +1,53 @@
{
"attributes": {
"data": {
"categories": [
"Persistence mechanism"
],
"description": "Data stored in the registry key value",
"misp-attribute": "text",
"ui-priority": 1
},
"data-type": {
"categories": [
"Persistence mechanism"
],
"description": "Registry key value type",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"REG_NONE",
"REG_SZ",
"REG_EXPAND_SZ",
"REG_BINARY",
"REG_DWORD",
"REG_DWORD_LITTLE_ENDIAN",
"REG_DWORD_BIG_ENDIAN",
"REG_LINK",
"REG_MULTI_SZ",
"REG_RESOURCE_LIST",
"REG_FULL_RESOURCE_DESCRIPTOR",
"REG_RESOURCE_REQUIREMENTS_LIST",
"REG_QWORD",
"REG_QWORD_LITTLE_ENDIAN"
],
"ui-priority": 0
},
"name": {
"categories": [
"Persistence mechanism"
],
"description": "Name of the registry key value",
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "Registry key value object describing a Windows registry key value, with its data, data type and name values. To be used when a registry key has multiple values.",
"meta-category": "file",
"name": "registry-key-value",
"requiredOneOf": [
"data"
],
"uuid": "4626a273-72c1-48d3-8595-ff48ea2277f7",
"version": 1
}
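Review bot: "requiredOneOf": ["data"] allows an object that has data but no "name", yet the name is what identifies a value under a key; the unnamed default value is the only case where the name is legitimately absent. Consider "requiredOneOf": ["name", "data"], or make "name" required and note in its description that an empty string denotes the default value. The object description says it is "To be used when a registry key has multiple values" but does not say how it is attached to the object representing the key; add a sentence on the expected object reference so values do not end up orphaned. Minor: the three attribute descriptions lack the trailing period used in the other objects in this commit.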

View File

@ -0,0 +1,55 @@
{
"attributes": {
"case-number": {
"categories": [
"Internal reference",
"Other"
],
"description": "Case number",
"misp-attribute": "text",
"ui-priority": 1
},
"link": {
"description": "Link to the report mentioned",
"misp-attribute": "link",
"multiple": true,
"ui-priority": 100
},
"report-file": {
"description": "Attachment(s) that is related to the report in human readable format (PDF)",
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 99
},
"summary": {
"categories": [
"Other",
"Internal reference"
],
"description": "Free text summary of the risk assessment report",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 100
},
"type": {
"description": "Source of the risk assessment report",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"MONARC",
"Serima"
],
"ui-priority": 100
}
},
"description": "Risk assessment report object which includes the assessment report from a risk assessment platform such as MONARC",
"meta-category": "misc",
"name": "risk-assessment-report",
"requiredOneOf": [
"summary",
"link",
"report-file"
],
"uuid": "72989321-6866-40c6-a9b5-4c5869ec2a76",
"version": 1
}
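Review bot: the "type" attribute is described as "Source of the risk assessment report" and its sane_default lists platforms ("MONARC", "Serima"), so the name does not match the meaning; either rename it (for example to "platform") or reword the description. Grammar in "report-file": "Attachment(s) that is related to the report" should read "Attachment(s) related to the report". The category lists for "case-number" and "summary" contain the same two entries in a different order; pick one order for both.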

View File

@ -0,0 +1,228 @@
{
"attributes": {
"description": {
"description": "Description of the scanning performed in this scan-result",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"scan-end": {
"description": "End of scanning activity",
"disable_correlation": true,
"misp-attribute": "datetime",
"multiple": true,
"ui-priority": 0
},
"scan-result": {
"description": "The scan-result as a file (in machine-readable or human-readable format). The file is always consider non-malicious.",
"misp-attribute": "attachment",
"ui-priority": 1
},
"scan-result-format": {
"description": "Format used for the scan-result.",
"misp-attribute": "text",
"ui-priority": 1,
"values_list": [
"free-text output",
"XML",
"JSON",
"CSV",
"HTML",
"PDF",
"Unknown"
]
},
"scan-result-tool": {
"description": "Tool used which generated the scan-result.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"AWS Prowler Scan",
"AWS Scout2 Scan",
"AWS Security Finding Format (ASFF) Scan",
"AWS Security Hub Scan",
"Acunetix Scan",
"Acunetix360 Scan",
"Anchore Engine Scan",
"Anchore Enterprise Policy Check",
"Anchore Grype",
"AnchoreCTL Policies Report",
"AnchoreCTL Vuln Report",
"AppSpider Scan",
"Aqua Scan",
"Arachni Scan",
"AuditJS Scan",
"Azure Security Center Recommendations Scan",
"Bandit Scan",
"BlackDuck API",
"Blackduck Component Risk",
"Blackduck Hub Scan",
"Brakeman Scan",
"BugCrowd Scan",
"Bugcrowd API Import",
"Bundler-Audit Scan",
"Burp Enterprise Scan",
"Burp GraphQL API",
"Burp REST API",
"Burp Scan",
"CargoAudit Scan",
"Checkmarx OSA",
"Checkmarx Scan",
"Checkmarx Scan detailed",
"Checkov Scan",
"Clair Klar Scan",
"Clair Scan",
"Cloudsploit Scan",
"Cobalt.io API Import",
"Cobalt.io Scan",
"Codechecker Report native",
"Contrast Scan",
"Coverity API",
"Crashtest Security JSON File",
"Crashtest Security XML File",
"CredScan Scan",
"CycloneDX Scan",
"DSOP Scan",
"DawnScanner Scan",
"Dependency Check Scan",
"Dependency Track Finding Packaging Format (FPF) Export",
"Detect-secrets Scan",
"Dockle Scan",
"DrHeader JSON Importer",
"ESLint Scan",
"Edgescan Scan",
"Fortify Scan",
"Generic Findings Import",
"Ggshield Scan",
"GitLab API Fuzzing Report Scan",
"GitLab Container Scan",
"GitLab DAST Report",
"GitLab Dependency Scanning Report",
"GitLab SAST Report",
"GitLab Secret Detection Report",
"Github Vulnerability Scan",
"Gitleaks Scan",
"Gosec Scanner",
"HackerOne Cases",
"Hadolint Dockerfile check",
"Harbor Vulnerability Scan",
"Horusec Scan",
"HuskyCI Report",
"Hydra Scan",
"IBM AppScan DAST",
"Immuniweb Scan",
"IntSights Report",
"JFrog Xray API Summary Artifact Scan",
"JFrog Xray Scan",
"JFrog Xray Unified Scan",
"KICS Scan",
"Kiuwan Scan",
"Meterian Scan",
"Microfocus Webinspect Scan",
"MobSF Scan",
"Mobsfscan Scan",
"Mozilla Observatory Scan",
"NPM Audit Scan",
"Nessus Scan",
"Nessus WAS Scan",
"Netsparker Scan",
"NeuVector (REST)",
"NeuVector (compliance)",
"Nexpose Scan",
"Nikto Scan",
"Nmap Scan",
"Node Security Platform Scan",
"Nuclei Scan",
"ORT evaluated model Importer",
"OpenVAS CSV",
"Openscap Vulnerability Scan",
"OssIndex Devaudit SCA Scan Importer",
"Outpost24 Scan",
"PHP Security Audit v2",
"PHP Symfony Security Check",
"PMD Scan",
"PWN SAST",
"Qualys Infrastructure Scan (WebGUI XML)",
"Qualys Scan",
"Qualys Webapp Scan",
"Retire.js Scan",
"Risk Recon API Importer",
"Rubocop Scan",
"Rusty Hog Scan",
"SARIF",
"SKF Scan",
"SSL Labs Scan",
"SSLyze Scan (JSON)",
"Scantist Scan",
"Scout Suite Scan",
"Semgrep JSON Report",
"Snyk Scan",
"Solar Appscreener Scan",
"SonarQube API Import",
"SonarQube Scan",
"SonarQube Scan detailed",
"Sonatype Application Scan",
"SpotBugs Scan",
"Sslscan",
"Sslyze Scan",
"StackHawk HawkScan",
"TFSec Scan",
"Talisman Scan",
"Terrascan Scan",
"Testssl Scan",
"Trivy Operator Scan",
"Trivy Scan",
"Trufflehog Scan",
"Trufflehog3 Scan",
"Trustwave Fusion API Scan",
"Trustwave Scan (CSV)",
"Twistlock Image Scan",
"VCG Scan",
"Veracode Scan",
"Veracode SourceClear Scan",
"Vulners",
"WFuzz JSON report",
"Wapiti Scan",
"Wazuh",
"Whispers Scan",
"WhiteHat Sentinel",
"Whitesource Scan",
"Wpscan",
"Xanitizer Scan",
"Yarn Audit Scan",
"ZAP Scan",
"docker-bench-security Scan",
"kube-bench Scan",
"pip-audit Scan"
],
"ui-priority": 0
},
"scan-start": {
"description": "Start of scanning activity",
"disable_correlation": true,
"misp-attribute": "datetime",
"multiple": true,
"ui-priority": 1
},
"scan-type": {
"description": "Type of scanning in the scan-result.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0,
"values_list": [
"Network",
"System",
"Unknown"
]
}
},
"description": "Scan result object to add meta-data and the output of the scan result by itself.",
"meta-category": "network",
"name": "scan-result",
"required": [
"scan-result"
],
"uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
"version": 2
}
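Review bot: typo in the "scan-result" description: "The file is always consider non-malicious." should be "considered". "scan-start" and "scan-end" both carry "multiple": true, but one scan result has one start and one end; either drop the flag or explain in the descriptions what several values mean, and their ui-priority values differ (1 vs 0) for no apparent reason. The "scan-result-tool" sane_default mixes tool names with importer or report names ("Generic Findings Import", "ORT evaluated model Importer", "Risk Recon API Importer") and lists the same tool under two spellings ("SSLyze Scan (JSON)" / "Sslyze Scan"); state in the description where the list comes from so it can be kept consistent. The meta-category is "network" while "scan-type" allows "System"; "misc" may fit better. The object description "Scan result object to add meta-data and the output of the scan result by itself." is hard to parse; suggest "Scan result object holding the scan output together with metadata about the scan."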

View File

@ -1267,6 +1267,13 @@
],
"name": "drives"
},
{
"description": "The referenced source object is a rewrite specified in the target object. The rewrite can be for a computer program text but also any rewrite of a text.",
"format": [
"misp"
],
"name": "rewrite"
},
{
"description": "The referenced source object is a friend of the target object.",
"format": [
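Review bot: "The referenced source object is a rewrite specified in the target object." does not follow the "is a ... of the target object" pattern of the neighbouring entries ("The referenced source object is a friend of the target object.") and leaves the direction unclear: is the source the rewritten version or the original? Suggest "The referenced source object is a rewrite of the target object." and keep the second sentence explaining that it covers program text as well as any other text.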
@ -1303,11 +1310,11 @@
"name": "spouse-of"
},
{
"description": "The referenced source object is an ennemy of the target object.",
"description": "The referenced source object is an enemy of the target object.",
"format": [
"foaf"
],
"name": "ennemy-of"
"name": "enemy-of"
},
{
"description": "The referenced source object is an antagonist of the target object.",
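Review bot: renaming an existing relationship ("ennemy-of" to "enemy-of") is a breaking change for instances that already store references with the old name, and the version bump alone does not migrate them. Either keep "ennemy-of" as a deprecated entry next to the corrected one or document the rename and a migration step so existing references do not become unknown relationship types.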
@ -1374,6 +1381,13 @@
],
"name": "is-not-targeted-by"
},
{
"description": "This relationship describes that the source object provides services described in the target object.",
"format": [
"misp"
],
"name": "serves"
},
{
"description": "The source object considers the target object as a friend. Is not necessarily symmetric.",
"format": [
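Review bot: the "serves" description ("This relationship describes that the source object provides services described in the target object.") uses a different sentence pattern from the surrounding entries ("The referenced source object is ... of the target object."); rephrase as "The referenced source object provides the services described in the target object." If the inverse (target is served by source) is needed, add the counterpart in the same change so the pair stays in sync.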
@ -1501,5 +1515,5 @@
"name": "Me"
}
],
"version": 35
"version": 37
}

View File

@ -43,6 +43,7 @@
"anonymised",
"attachment",
"authentihash",
"azure-application-id",
"bank-account-nr",
"bic",
"bin",
@ -280,6 +281,7 @@
"file",
"network",
"financial",
"marine",
"misc",
"mobile",
"internal",