From 892b7ee70fb0bac53aea5e4f3dc59d212221ac2e Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Mon, 20 Feb 2023 19:31:59 +0100 Subject: [PATCH 01/40] add: [file] Added creation, modification & access time attributes --- objects/file/definition.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/objects/file/definition.json b/objects/file/definition.json index 8524380..2f1c53d 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -1,5 +1,10 @@ { "attributes": { + "access-time": { + "description": "The last time the file was accessed", + "misp-attribute": "datetime", + "ui-priority": 0 + }, "attachment": { "description": "A non-malicious file.", "misp-attribute": "attachment", @@ -21,6 +26,11 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "creation-time": { + "description": "Creation time of the file", + "misp-attribute": "datetime", + "ui-priority": 0 + }, "entropy": { "description": "Entropy of the whole file", "disable_correlation": true, @@ -334,6 +344,11 @@ "misp-attribute": "mime-type", "ui-priority": 0 }, + "modification-time": { + "description": "Last time the file was modified", + "misp-attribute": "datetime", + "ui-priority": 0 + }, "path": { "description": "Path of the filename complete or partial", "disable_correlation": true, From 0c7eb831d82ef24f8cc65b955f1c70b23fdeecd9 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Sat, 25 Feb 2023 18:05:42 +0800 Subject: [PATCH 02/40] chg: [AIS] Addition of AIS maritime ship identification and tracking --- README.md | 6 +- objects/ais/definition.json | 135 ++++++++++++++++++++++++++++++++++++ schema_objects.json | 1 + 3 files changed, 140 insertions(+), 2 deletions(-) create mode 100644 objects/ais/definition.json diff --git a/README.md b/README.md index 150b9b4..94f0675 100644 --- a/README.md +++ b/README.md 
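Review bot: The `file` template's `version` is not bumped in this commit — the diffstat shows 15 insertions and no deletions — so MISP instances that compare template versions on update will presumably keep the old attribute set without `access-time`, `creation-time` and `modification-time`; later commits in this series do bump it (e.g. `network-connection` 4 → 5 in PATCH 10). The three timestamps are also left correlating: two unrelated files sharing an access time is noise rather than a link, so `"disable_correlation": true` on each, as `entropy` in the context and `last-packet-seen` in PATCH 11 do, seems the safer default. The enclosing `attributes` object of the template starts before and ends after these hunks.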
@@ -106,6 +106,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering. - [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework. +- [objects/ais](https://github.com/MISP/misp-objects/blob/main/objects/ais/definition.json) - Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships. - [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings. - [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app. - [objects/android-permission](https://github.com/MISP/misp-objects/blob/main/objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app). 
@@ -125,7 +126,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/blog](https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json) - Blog post like Medium or WordPress. - [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil. - [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet. -- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transaction. +- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with btc-transaction object. - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. 
@@ -185,7 +186,6 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - Phone call object template including the call and all associated meta-data. - [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective. - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). -. - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier. - [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - Court case. - [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - Court Case Party. 
@@ -307,6 +307,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format. - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml. - [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents. +- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io. - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account. - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment. - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post. 
@@ -376,6 +377,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/tracking-id](https://github.com/MISP/misp-objects/blob/main/objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. - [objects/transaction](https://github.com/MISP/misp-objects/blob/main/objects/transaction/definition.json) - An object to describe a financial transaction. - [objects/translation](https://github.com/MISP/misp-objects/blob/main/objects/translation/definition.json) - Used to keep a text and its translation. +- [objects/transport-ticket](https://github.com/MISP/misp-objects/blob/main/objects/transport-ticket/definition.json) - A transport ticket. - [objects/trustar_report](https://github.com/MISP/misp-objects/blob/main/objects/trustar_report/definition.json) - TruStar Report. - [objects/tsk-chats](https://github.com/MISP/misp-objects/blob/main/objects/tsk-chats/definition.json) - An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation. - [objects/tsk-web-bookmark](https://github.com/MISP/misp-objects/blob/main/objects/tsk-web-bookmark/definition.json) - An Object Template to add evidential bookmarks identified during a digital forensic investigation. diff --git a/objects/ais/definition.json b/objects/ais/definition.json new file mode 100644 index 0000000..da7e1f0 --- /dev/null +++ b/objects/ais/definition.json 
@@ -0,0 +1,135 @@ +{ + "attributes": { + "ETA": { + "description": "Estimated time of arrival at destination", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "IMO-number": { + "description": "IMO ship identification number: a seven digit number that remains unchanged upon transfer of the ship's registration to another country", + "misp-attribute": "text", + "ui-priority": 90 + }, + "MMSI": { + "description": "Vessel Maritime Maritime Mobile Service Identity (MMSI): a unique nine digit identification number.", + "misp-attribute": "text", + "ui-priority": 99 + }, + "call-sign": { + "description": "International radio call-sign, up to 7 characters.", + "misp-attribute": "text", + "ui-priority": 97 + }, + "course-over-ground": { + "description": "The course of the vessel, relative to true north to 0.1 degree", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 78 + }, + "destination": { + "description": "Destination of the vessel in max 20 characters", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "dimension-a": { + "description": "Distance in meters from Forward Perpendicular (FP)", + "misp-attribute": "float", + "ui-priority": 24 + }, + "dimension-b": { + "description": "Distance in meters from After Perpendicular (AP)", + "misp-attribute": "float", + "ui-priority": 23 + }, + "dimension-c": { + "description": "Distance in meters inboard from port side", + "misp-attribute": "float", + "ui-priority": 22 + }, + "dimension-d": { + "description": "Distance in meters inboard from starboard side", + "misp-attribute": "float", + "ui-priority": 21 + }, + "draught": { + "description": "Draught of ship. 
0.1-25.5 meters", + "misp-attribute": "float", + "ui-priority": 20 + }, + "first-seen": { + "description": "When the location was seen for the first time.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 87 + }, + "last-seen": { + "description": "When the location was seen for the last time.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 86 + }, + "latitude": { + "description": "The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 89 + }, + "longitude": { + "description": "The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 88 + }, + "name": { + "description": "20 characters to represent the name of the vessel", + "misp-attribute": "text", + "ui-priority": 98 + }, + "navigational-status": { + "description": "1. at anchor, 2. under command, 3. Restricted Manoeuvrability, etc.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 80 + }, + "rate-of-turn": { + "description": "right or left, from 0 to 720 degrees per minute", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 75 + }, + "speed-over-ground": { + "description": "0.1 knot resolution from 0 to 102 knots", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 79 + }, + "true-heading": { + "description": "The true heading of the vessel. 0 to 359 degrees", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 77 + }, + "true-heading-at-own-position": { + "description": "The true heading at own position of the vessel. 
0 to 359 degrees", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 76 + }, + "type-of-ship": { + "description": "Type of ship/cargo", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 91 + } + }, + "description": "Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.", + "meta-category": "marine", + "name": "AIS", + "requiredOneOf": [ + "mmsi" + ], + "uuid": "ef90551a-ff34-472c-9fba-c272c4435baa", + "version": 1 +} \ No newline at end of file diff --git a/schema_objects.json b/schema_objects.json index 9f57a44..2f8ed91 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -280,6 +280,7 @@ "file", "network", "financial", + "marine", "misc", "mobile", "internal", From 128e24168058265875b01f37c04f4a3f8718619f Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Sat, 25 Feb 2023 20:26:44 +0800 Subject: [PATCH 03/40] chg: [schema] updated attribute types --- schema_objects.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema_objects.json b/schema_objects.json index 2f8ed91..5a66390 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -43,6 +43,7 @@ "anonymised", "attachment", "authentihash", + "azure-application-id", "bank-account-nr", "bic", "bin", From 79bf12de68ad779f3420979a30780458dcd1e386 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Mon, 27 Feb 2023 10:56:31 +0100 Subject: [PATCH 04/40] add: [directory] New object template for directories --- objects/directory/definition.json | 299 ++++++++++++++++++++++++++++++ 1 file changed, 299 insertions(+) create mode 100644 objects/directory/definition.json diff --git a/objects/directory/definition.json b/objects/directory/definition.json new file mode 100644 index 0000000..3c7458c --- /dev/null +++ b/objects/directory/definition.json 
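Review bot: `navigational-status` is typed `float` although its description enumerates discrete states (`1. at anchor, 2. under command, 3. Restricted Manoeuvrability, etc.`); a float neither validates the value nor tells an analyst what it means, so `"misp-attribute": "text"` with a `sane_default` of the status names (or a `values_list`) would fit better, and the description's code 2 is worth double-checking, since in the AIS status table it is normally *not under command*. `rate-of-turn` is the opposite mismatch: a numeric quantity (`0 to 720 degrees per minute`) typed `text` while `course-over-ground`, `speed-over-ground` and `true-heading` are `float`. The `MMSI` description also repeats a word: `"description": "Vessel Maritime Mobile Service Identity (MMSI): a unique nine digit identification number."`.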
@@ -0,0 +1,299 @@ +{ + "attributes": { + "access-time": { + "description": "The last time the directory was accessed", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "creation-time": { + "description": "Creation time of the directory", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "modification-time": { + "description": "Modification time of the directory", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "path": { + "description": "Path of the directory, complete or partial", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "path-encoding": { + "description": "Encoding format of the directory", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Adobe-Standard-Encoding", + "Adobe-Symbol-Encoding", + "Amiga-1251", + "ANSI_X3.110-1983", + "ASMO_449", + "Big5", + "Big5-HKSCS", + "BOCU-1", + "BRF", + "BS_4730", + "BS_viewdata", + "CESU-8", + "CP50220", + "CP51932", + "CSA_Z243.4-1985-1", + "CSA_Z243.4-1985-2", + "CSA_Z243.4-1985-gr", + "CSN_369103", + "DEC-MCS", + "DIN_66003", + "dk-us", + "DS_2089", + "EBCDIC-AT-DE", + "EBCDIC-AT-DE-A", + "EBCDIC-CA-FR", + "EBCDIC-DK-NO", + "EBCDIC-DK-NO-A", + "EBCDIC-ES", + "EBCDIC-ES-A", + "EBCDIC-ES-S", + "EBCDIC-FI-SE", + "EBCDIC-FI-SE-A", + "EBCDIC-FR", + "EBCDIC-IT", + "EBCDIC-PT", + "EBCDIC-UK", + "EBCDIC-US", + "ECMA-cyrillic", + "ES", + "ES2", + "EUC-KR", + "Extended_UNIX_Code_Fixed_Width_for_Japanese", + "Extended_UNIX_Code_Packed_Format_for_Japanese", + "GB18030", + "GB_1988-80", + "GB2312", + "GB_2312-80", + "GBK", + "GOST_19768-74", + "greek7", + "greek7-old", + "greek-ccitt", + "HP-DeskTop", + "HP-Legal", + "HP-Math8", + "HP-Pi-font", + "hp-roman8", + "HZ-GB-2312", + "IBM00858", + "IBM00924", + "IBM01140", + "IBM01141", + "IBM01142", + "IBM01143", + "IBM01144", + "IBM01145", + "IBM01146", + "IBM01147", + "IBM01148", + "IBM01149", + "IBM037", + "IBM038", + "IBM1026", + "IBM1047", + "IBM273", + "IBM274", + "IBM275", + 
"IBM277", + "IBM278", + "IBM280", + "IBM281", + "IBM284", + "IBM285", + "IBM290", + "IBM297", + "IBM420", + "IBM423", + "IBM424", + "IBM437", + "IBM500", + "IBM775", + "IBM850", + "IBM851", + "IBM852", + "IBM855", + "IBM857", + "IBM860", + "IBM861", + "IBM862", + "IBM863", + "IBM864", + "IBM865", + "IBM866", + "IBM868", + "IBM869", + "IBM870", + "IBM871", + "IBM880", + "IBM891", + "IBM903", + "IBM904", + "IBM905", + "IBM918", + "IBM-Symbols", + "IBM-Thai", + "IEC_P27-1", + "INIS", + "INIS-8", + "INIS-cyrillic", + "INVARIANT", + "ISO_10367-box", + "ISO-10646-J-1", + "ISO-10646-UCS-2", + "ISO-10646-UCS-4", + "ISO-10646-UCS-Basic", + "ISO-10646-Unicode-Latin1", + "ISO-10646-UTF-1", + "ISO-11548-1", + "ISO-2022-CN", + "ISO-2022-CN-EXT", + "ISO-2022-JP", + "ISO-2022-JP-2", + "ISO-2022-KR", + "ISO_2033-1983", + "ISO_5427", + "ISO_5427:1981", + "ISO_5428:1980", + "ISO_646.basic:1983", + "ISO_646.irv:1983", + "ISO_6937-2-25", + "ISO_6937-2-add", + "ISO-8859-10", + "ISO_8859-1:1987", + "ISO-8859-13", + "ISO-8859-14", + "ISO-8859-15", + "ISO-8859-16", + "ISO-8859-1-Windows-3.0-Latin-1", + "ISO-8859-1-Windows-3.1-Latin-1", + "ISO_8859-2:1987", + "ISO-8859-2-Windows-Latin-2", + "ISO_8859-3:1988", + "ISO_8859-4:1988", + "ISO_8859-5:1988", + "ISO_8859-6:1987", + "ISO_8859-6-E", + "ISO_8859-6-I", + "ISO_8859-7:1987", + "ISO_8859-8:1988", + "ISO_8859-8-E", + "ISO_8859-8-I", + "ISO_8859-9:1989", + "ISO-8859-9-Windows-Latin-5", + "ISO_8859-supp", + "iso-ir-90", + "ISO-Unicode-IBM-1261", + "ISO-Unicode-IBM-1264", + "ISO-Unicode-IBM-1265", + "ISO-Unicode-IBM-1268", + "ISO-Unicode-IBM-1276", + "IT", + "JIS_C6220-1969-jp", + "JIS_C6220-1969-ro", + "JIS_C6226-1978", + "JIS_C6226-1983", + "JIS_C6229-1984-a", + "JIS_C6229-1984-b", + "JIS_C6229-1984-b-add", + "JIS_C6229-1984-hand", + "JIS_C6229-1984-hand-add", + "JIS_C6229-1984-kana", + "JIS_Encoding", + "JIS_X0201", + "JIS_X0212-1990", + "JUS_I.B1.002", + "JUS_I.B1.003-mac", + "JUS_I.B1.003-serb", + "KOI7-switched", + "KOI8-R", + "KOI8-U", 
+ "KS_C_5601-1987", + "KSC5636", + "KZ-1048", + "latin-greek", + "Latin-greek-1", + "latin-lap", + "macintosh", + "Microsoft-Publishing", + "MNEM", + "MNEMONIC", + "MSZ_7795.3", + "Name", + "NATS-DANO", + "NATS-DANO-ADD", + "NATS-SEFI", + "NATS-SEFI-ADD", + "NC_NC00-10:81", + "NF_Z_62-010", + "NF_Z_62-010_(1973)", + "NS_4551-1", + "NS_4551-2", + "OSD_EBCDIC_DF03_IRV", + "OSD_EBCDIC_DF04_1", + "OSD_EBCDIC_DF04_15", + "PC8-Danish-Norwegian", + "PC8-Turkish", + "PT", + "PT2", + "PTCP154", + "SCSU", + "SEN_850200_B", + "SEN_850200_C", + "Shift_JIS", + "T.101-G2", + "T.61-7bit", + "T.61-8bit", + "TIS-620", + "TSCII", + "UNICODE-1-1", + "UNICODE-1-1-UTF-7", + "UNKNOWN-8BIT", + "US-ASCII", + "us-dk", + "UTF-16", + "UTF-16BE", + "UTF-16LE", + "UTF-32", + "UTF-32BE", + "UTF-32LE", + "UTF-7", + "UTF-8", + "Ventura-International", + "Ventura-Math", + "Ventura-US", + "videotex-suppl", + "VIQR", + "VISCII", + "windows-1250", + "windows-1251", + "windows-1252", + "windows-1253", + "windows-1254", + "windows-1255", + "windows-1256", + "windows-1257", + "windows-1258", + "Windows-31J", + "windows-874" + ], + "ui-priority": 0 + } + }, + "description": "Directory object describing a directory with meta-information", + "meta-category": "file", + "name": "directory", + "requiredOneOf": [ + "path" + ], + "uuid": "23ac6a02-1017-4ea6-a4df-148ed563988d", + "version": 1 +} \ No newline at end of file From 58cd60aad83ff7406587256ef44d05ab94973681 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Mon, 27 Feb 2023 11:00:18 +0100 Subject: [PATCH 05/40] add: [readme] Added the `directory` object in the list of available templates --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 94f0675..c3617cc 100644 --- a/README.md +++ b/README.md 
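Review bot: The `sane_default` list of `path-encoding` contains the entry `"Name"`, which is not a charset and looks like the header cell of the IANA character-set table the list was copied from; it should be dropped before the list is used to populate a selector. The attribute's description, `Encoding format of the directory`, also names the wrong thing — it is the encoding of the path string — e.g. `"description": "Encoding format of the directory path"`. If the same list was lifted into the `file` template's `path-encoding` (not visible here), the stray entry would need the same fix there.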
@@ -153,6 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. +- [objects/directory](https://github.com/MISP/misp-objects/blob/main/objects/directory/definition.json) - Directory object describing a directory with meta-information. - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM. - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain. - [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time. From ba801678466a0e7675ce36089d0a2e85fdc9f6b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Tue, 28 Feb 2023 13:10:31 +0100 Subject: [PATCH 06/40] chg: rename AIS -> ais to match the directory name. --- objects/ais/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/ais/definition.json b/objects/ais/definition.json index da7e1f0..8771fc3 100644 --- a/objects/ais/definition.json +++ b/objects/ais/definition.json 
@@ -126,10 +126,10 @@
 },
 "description": "Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.",
 "meta-category": "marine",
- "name": "AIS",
+ "name": "ais",
 "requiredOneOf": [
 "mmsi"
 ],
 "uuid": "ef90551a-ff34-472c-9fba-c272c4435baa",
- "version": 1
-}
\ No newline at end of file
+ "version": 2
+}
From 38cfc975b52c21ab7117cf92108578be1afd2325 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 28 Feb 2023 13:14:13 +0100
Subject: [PATCH 07/40] fix: [ais] invalid ref name in requirements
---
 objects/ais/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/ais/definition.json b/objects/ais/definition.json
index 8771fc3..fd1c76a 100644
--- a/objects/ais/definition.json
+++ b/objects/ais/definition.json
@@ -128,8 +128,8 @@
 "meta-category": "marine",
 "name": "ais",
 "requiredOneOf": [
- "mmsi"
+ "MMSI"
 ],
 "uuid": "ef90551a-ff34-472c-9fba-c272c4435baa",
- "version": 2
+ "version": 3
 }
From f5792098846e757711b7b008e0f856962a65c7c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Wed, 1 Mar 2023 15:13:39 +0100
Subject: [PATCH 08/40] fix: forgot to jq all the things.
---
 objects/ais/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ais/definition.json b/objects/ais/definition.json
index fd1c76a..e77746f 100644
--- a/objects/ais/definition.json
+++ b/objects/ais/definition.json
@@ -132,4 +132,4 @@
 ],
 "uuid": "ef90551a-ff34-472c-9fba-c272c4435baa",
 "version": 3
-}
+}
\ No newline at end of file
From 4b5faf196b1218f4cd118de17b2b1e072eb6e6f0 Mon Sep 17 00:00:00 2001
From: Christian Studer Date: Wed, 1 Mar 2023 20:50:30 +0100 Subject: [PATCH 09/40] add: [registry-key-value] New template to describe registry key values - The `registry-key` object template includes already the `data`, `data-type` & `name` fields of a registry key value, but there is a limitation in the case of multiple registry key values - In order to describe multiple registry key values, instead of adding a simple `multiple` field to the related and above mentioned fields, it is better to use the `registry-key-value` template so we know which data, data type and name values are related to a given registry key value - It is then possible to have a reference between the registry key object and the related values --- README.md | 1 + objects/registry-key-value/definition.json | 53 ++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 objects/registry-key-value/definition.json diff --git a/README.md b/README.md index c3617cc..6f53d34 100644 --- a/README.md +++ b/README.md 
@@ -315,6 +315,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/reddit-subreddit](https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json) - Public or private subreddit. - [objects/regexp](https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. - [objects/registry-key](https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json) - Registry key object describing a Windows registry key with value and last-modified timestamp. +- [objects/registry-key-value](https://github.com/MISP/misp-objects/blob/main/objects/registry-key-value/definition.json) - Registry key value object describing a Windows registry key value with its data, data type and name, to be used when a registry key has multiple values - [objects/regripper-NTUser](https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json) - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive. - [objects/regripper-sam-hive-single-user](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json) - Regripper Object template designed to present user profile details extracted from the SAM hive. - [objects/regripper-sam-hive-user-group](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json) - Regripper Object template designed to present group profile details extracted from the SAM hive. diff --git a/objects/registry-key-value/definition.json b/objects/registry-key-value/definition.json new file mode 100644 index 0000000..daf1f05 --- /dev/null +++ b/objects/registry-key-value/definition.json 
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "data": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Data stored in the registry key value",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "data-type": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Registry key value type",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "REG_NONE",
+ "REG_SZ",
+ "REG_EXPAND_SZ",
+ "REG_BINARY",
+ "REG_DWORD",
+ "REG_DWORD_LITTLE_ENDIAN",
+ "REG_DWORD_BIG_ENDIAN",
+ "REG_LINK",
+ "REG_MULTI_SZ",
+ "REG_RESOURCE_LIST",
+ "REG_FULL_RESOURCE_DESCRIPTOR",
+ "REG_RESOURCE_REQUIREMENTS_LIST",
+ "REG_QWORD",
+ "REG_QWORD_LITTLE_ENDIAN"
+ ],
+ "ui-priority": 0
+ },
+ "name": {
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "description": "Name of the registry key value",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Registry key value object describing a Windows registry key value, with its data, data type and name values. To be used when a registry key has multiple values.",
+ "meta-category": "file",
+ "name": "registry-key-value",
+ "requiredOneOf": [
+ "data"
+ ],
+ "uuid": "4626a273-72c1-48d3-8595-ff48ea2277f7",
+ "version": 1
+}
\ No newline at end of file
From 9c51feb43bec79ca740c82a045096a3684903719 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Fri, 3 Mar 2023 14:55:09 +0100
Subject: [PATCH 10/40] add: [network-connection] Added MAC address attributes
---
 objects/network-connection/definition.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 9d30c5a..d2ef25a 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
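Review bot: `requiredOneOf` lists only `data`, so a registry value that has a `name` and a `data-type` but empty or absent data — a `REG_NONE` value or an empty `REG_SZ`, both common in persistence artefacts — cannot be created at all, even though `name` is the field that identifies a value inside its key; `"requiredOneOf": ["data", "name"]` would allow either. `data` is also left correlating while `data-type` has `"disable_correlation": true`; registry data is often a short generic string (a path, `1`, `0`) that correlates spuriously across events, so this deserves an explicit decision either way.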
@@ -85,6 +85,16 @@
 ],
 "ui-priority": 0
 },
+ "mac-dst": {
+ "description": "Destination MAC address of the network connection.",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
+ "mac-src": {
+ "description": "Source MAC address of the network connection.",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
 "src-port": {
 "categories": [
 "Network activity",
@@ -107,5 +117,5 @@
 "community-id"
 ],
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
From 0e9ae98b492bc036753811759c89b9026cc819a2 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Mon, 6 Mar 2023 12:02:24 +0100
Subject: [PATCH 11/40] add: [network-connection] Added a `last-packet-seen` attribute
---
 objects/network-connection/definition.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index d2ef25a..22735ed 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -53,6 +53,12 @@
 "misp-attribute": "ip-src",
 "ui-priority": 1
 },
+ "last-packet-seen": {
+ "description": "Datetime of the last packet seen.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
 "layer3-protocol": {
 "description": "Layer 3 protocol of the network connection.",
 "disable_correlation": true,
From 57beac3bc70a99686562b53f4a682f8a2044c1b7 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 7 Mar 2023 16:45:51 +0100
Subject: [PATCH 12/40] add: [network-connection] Added bytes & packets count object relations for both the source and destination
---
 objects/network-connection/definition.json | 26 +++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 22735ed..8f7e474 100644
--- a/objects/network-connection/definition.json
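Review bot: `last-packet-seen` is added to `network-connection` without a `first-packet-seen` counterpart, whereas PATCH 13 adds both to `network-socket`; unless the template already has one outside the hunk (it is not visible here), the start of a connection cannot be recorded symmetrically. The commit also leaves `version` untouched (6 insertions, no deletions) right after PATCH 10 bumped it from 4 to 5 for `mac-src`/`mac-dst`; if the series is not squashed, the intermediate template changes its attribute set at an unchanged version. The template's `attributes` object extends beyond both hunks.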
+++ b/objects/network-connection/definition.json
@@ -10,6 +10,18 @@
 "misp-attribute": "counter",
 "ui-priority": 1
 },
+ "dst-byte-count": {
+ "description": "Number of bytes sent from the source to the destination.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "dst-packet-count": {
+ "description": "Number of packets sent from the source to the destination.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -101,6 +113,18 @@
 "misp-attribute": "mac-address",
 "ui-priority": 1
 },
+ "src-byte-count": {
+ "description": "Number of bytes sent from the destination to the source.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "src-packet-count": {
+ "description": "Number of packets sent from the destination to the source.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
 "src-port": {
 "categories": [
 "Network activity",
@@ -123,5 +147,5 @@
 "community-id"
 ],
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
From 1651281d0b1ffbb93b30b1b39b1c198e1f642ef5 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 7 Mar 2023 16:48:00 +0100
Subject: [PATCH 13/40] add: [network-socket] Added the first & last packet seen object relation and made the protocol attribute multiple
---
 objects/network-socket/definition.json | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
index dd3ee2c..73ef807 100644
--- a/objects/network-socket/definition.json
+++ b/objects/network-socket/definition.json
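Review bot: The new counters read against their names: `dst-byte-count` is documented as `Number of bytes sent from the source to the destination` and `src-byte-count` as bytes sent `from the destination to the source`, so `dst-*` means *received by the destination* while `src-*` means *received by the source*. That convention is workable but is not what the key names suggest, so state it explicitly, e.g. `"description": "Number of bytes received by the destination (sent by the source)."` and the mirror image for the `src-*` pair; the `network-socket` copies added in PATCH 14 carry the same wording and should be aligned together. `version` is bumped to 6 here, which also covers PATCH 11's `last-packet-seen`.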
@@ -120,6 +120,12 @@
 "misp-attribute": "filename",
 "ui-priority": 1
 },
+ "first-packet-seen": {
+ "description": "Datetime of the first packet seen.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
 "hostname-dst": {
 "description": "Destination hostname of the network socket connection.",
 "misp-attribute": "hostname",
@@ -148,6 +154,12 @@
 "misp-attribute": "ip-src",
 "ui-priority": 1
 },
+ "last-packet-seen": {
+ "description": "Datetime of the last packet seen.",
+ "disable_correlatioin": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
 "option": {
 "description": "Option on the socket connection.",
 "misp-attribute": "text",
@@ -157,6 +169,7 @@
 "protocol": {
 "description": "Protocol used by the network socket.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 0,
 "values_list": [
 "TCP",
From d71cdf367dfc54eda6df7f3d631f86b7d6e54cd7 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Tue, 7 Mar 2023 16:49:06 +0100
Subject: [PATCH 14/40] add: [network-socket] Added bytes & packets count object relations for both the source and destination
---
 objects/network-socket/definition.json | 26 +++++++++++++++++++++++++-
 1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
index 73ef807..0e460f1 100644
--- a/objects/network-socket/definition.json
+++ b/objects/network-socket/definition.json
@@ -106,6 +106,18 @@
 ],
 "ui-priority": 1
 },
+ "dst-byte-count": {
+ "description": "Number of bytes sent from the source to the destination.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "dst-packet-count": {
+ "description": "Number of packets sent from the source to the destination.",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -190,6 +202,18 @@ ], "ui-priority": 1 }, + "src-byte-count": { + "description": "Number of bytes sent from the destination to the source.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "src-packet-count": { + "description": "Number of packets sent from the destination to the source.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, "src-port": { "categories": [ "Network activity", @@ -220,5 +244,5 @@ "dst-port" ], "uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2", - "version": 3 + "version": 4 } \ No newline at end of file From 1cab455a56296b3855e037a85e83572661d258a6 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 7 Mar 2023 16:54:30 +0100 Subject: [PATCH 15/40] fix: [network-socket] Typo --- objects/network-socket/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json index 0e460f1..ab9c97f 100644 --- a/objects/network-socket/definition.json +++ b/objects/network-socket/definition.json @@ -168,7 +168,7 @@ }, "last-packet-seen": { "description": "Datetime of the last packet seen.", - "disable_correlatioin": true, + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, From 437808339e196c22479fecfc0482d5560d6928bb Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 7 Mar 2023 23:19:08 +0100 Subject: [PATCH 16/40] fix: [network-connection, network-socket] Packets count is better with an S --- objects/network-connection/definition.json | 4 ++-- objects/network-socket/definition.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index 8f7e474..0e1ae44 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json 
@@ -16,7 +16,7 @@ "misp-attribute": "counter", "ui-priority": 0 }, - "dst-packet-count": { + "dst-packets-count": { "description": "Number of packets sent from the source to the destination.", "disable_correlation": true, "misp-attribute": "counter", @@ -119,7 +119,7 @@ "misp-attribute": "counter", "ui-priority": 0 }, - "src-packet-count": { + "src-packets-count": { "description": "Number of packets sent from the destination to the source.", "disable_correlation": true, "misp-attribute": "counter", diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json index ab9c97f..e47536e 100644 --- a/objects/network-socket/definition.json +++ b/objects/network-socket/definition.json @@ -112,7 +112,7 @@ "misp-attribute": "counter", "ui-priority": 0 }, - "dst-packet-count": { + "dst-packets-count": { "description": "Number of packets sent from the source to the destination.", "disable_correlation": true, "misp-attribute": "counter", @@ -208,7 +208,7 @@ "misp-attribute": "counter", "ui-priority": 0 }, - "src-packet-count": { + "src-packets-count": { "description": "Number of packets sent from the destination to the source.", "disable_correlation": true, "misp-attribute": "counter", From 1da4760dcc99502a2dd5da02cba212b42068fcb8 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 7 Mar 2023 23:26:51 +0100 Subject: [PATCH 17/40] fix: [network-connection, network-socket] Bytes count if also better with an S --- objects/network-connection/definition.json | 4 ++-- objects/network-socket/definition.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index 0e1ae44..75a6567 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json 
@@ -10,7 +10,7 @@ "misp-attribute": "counter", "ui-priority": 1 }, - "dst-byte-count": { + "dst-bytes-count": { "description": "Number of bytes sent from the source to the destination.", "disable_correlation": true, "misp-attribute": "counter", @@ -113,7 +113,7 @@ "misp-attribute": "mac-address", "ui-priority": 1 }, - "src-byte-count": { + "src-bytes-count": { "description": "Number of bytes sent from the destination to the source.", "disable_correlation": true, "misp-attribute": "counter", diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json index e47536e..57056ac 100644 --- a/objects/network-socket/definition.json +++ b/objects/network-socket/definition.json @@ -106,7 +106,7 @@ ], "ui-priority": 1 }, - "dst-byte-count": { + "dst-bytes-count": { "description": "Number of bytes sent from the source to the destination.", "disable_correlation": true, "misp-attribute": "counter", @@ -202,7 +202,7 @@ ], "ui-priority": 1 }, - "src-byte-count": { + "src-bytes-count": { "description": "Number of bytes sent from the destination to the source.", "disable_correlation": true, "misp-attribute": "counter", From 9b74873fe57181e91608fca28075d78b57a4f420 Mon Sep 17 00:00:00 2001 From: Brad Chiappetta Date: Fri, 10 Mar 2023 09:16:49 -0500 Subject: [PATCH 18/40] add greynoise-ip object --- objects/greynoise-ip/definition.json | 71 ++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 objects/greynoise-ip/definition.json diff --git a/objects/greynoise-ip/definition.json b/objects/greynoise-ip/definition.json new file mode 100644 index 0000000..5c9b2b2 --- /dev/null +++ b/objects/greynoise-ip/definition.json 
@@ -0,0 +1,71 @@ +{ + "attributes": { + "ip-src": { + "description": "Source IP address of the network connection.", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "classification": { + "description": "GreyNoise Classification", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "trust-level": { + "description": "GreyNoise RIOT Trust Level", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "actor": { + "description": "GreyNoise Actor", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "provider": { + "description": "GreyNoise Service Provider", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "first-seen": { + "description": "First Seen", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 2 + }, + "last-seen": { + "description": "Last Seen", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "link": { + "description": "GreyNoise Visualizer Link", + "disable_correlation": true, + "misp-attribute": "link", + "ui-priority": 2 + }, + "noise": { + "description": "GreyNoise Internet Scanning Flag", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "riot": { + "description": "GreyNoise Common Business Service Flag", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "description": "GreyNoise IP Information", + "meta-category": "network", + "name": "greynoise-ip", + "requiredOneOf": [ + "ip-src" + ], + "uuid": "6B14A94A-46E4-4B82-B24D-0DBF8E8B3FD9", + "version": 1 +} \ No newline at end of file From b49c6824bae7d454e7665a4d2c1127327f67c63b Mon Sep 17 00:00:00 2001 
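Review bot: `noise` and `riot` are described as flags but typed `text`, so stored values will drift between `true`, `True` and `1` across integrations; MISP has a `boolean` attribute type, and `"misp-attribute": "boolean"` on both would pin them. The `ip-src` description "Source IP address of the network connection." is copied from network-connection and does not describe a lookup object; `"description": "IP address looked up in GreyNoise"` fits better. The `uuid` is upper-case while every other template visible in this series uses lower-case UUIDs; a lower-case form avoids surprises in case-sensitive comparisons (presumably harmless, but worth verifying against how the template loader matches UUIDs). If `classification` has a closed vocabulary on the GreyNoise side, a `values_list` would keep it consistent between instances.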
From: Alexandre Dulaunoy Date: Fri, 10 Mar 2023 15:34:32 +0100 Subject: [PATCH 19/40] chg: [greynoise-intelligence] JSON fixed --- objects/greynoise-ip/definition.json | 38 ++++++++++++++-------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/objects/greynoise-ip/definition.json b/objects/greynoise-ip/definition.json index 5c9b2b2..54a9b8a 100644 --- a/objects/greynoise-ip/definition.json +++ b/objects/greynoise-ip/definition.json @@ -1,30 +1,13 @@ { "attributes": { - "ip-src": { - "description": "Source IP address of the network connection.", - "misp-attribute": "ip-src", - "ui-priority": 1 - }, - "classification": { - "description": "GreyNoise Classification", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, - "trust-level": { - "description": "GreyNoise RIOT Trust Level", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, "actor": { "description": "GreyNoise Actor", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 }, - "provider": { - "description": "GreyNoise Service Provider", + "classification": { + "description": "GreyNoise Classification", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 @@ -35,6 +18,11 @@ "misp-attribute": "datetime", "ui-priority": 2 }, + "ip-src": { + "description": "Source IP address of the network connection.", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, "last-seen": { "description": "Last Seen", "disable_correlation": true, 
@@ -53,11 +41,23 @@ "misp-attribute": "text", "ui-priority": 1 }, + "provider": { + "description": "GreyNoise Service Provider", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "riot": { "description": "GreyNoise Common Business Service Flag", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1 + }, + "trust-level": { + "description": "GreyNoise RIOT Trust Level", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 } }, "description": "GreyNoise IP Information", From 402d7ad649e654c1bd45f669136733e732b4c80b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 10 Mar 2023 15:40:48 +0100 Subject: [PATCH 20/40] chg: [doc] updated --- README.md | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 6f53d34..07ff0b5 100644 --- a/README.md +++ b/README.md 
@@ -187,6 +187,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - Phone call object template including the call and all associated meta-data. - [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective. - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). +. - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier. - [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - Court case. - [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - Court Case Party. 
@@ -234,6 +235,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. +- [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information. - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. 
@@ -315,7 +317,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/reddit-subreddit](https://github.com/MISP/misp-objects/blob/main/objects/reddit-subreddit/definition.json) - Public or private subreddit. - [objects/regexp](https://github.com/MISP/misp-objects/blob/main/objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. - [objects/registry-key](https://github.com/MISP/misp-objects/blob/main/objects/registry-key/definition.json) - Registry key object describing a Windows registry key with value and last-modified timestamp. -- [objects/registry-key-value](https://github.com/MISP/misp-objects/blob/main/objects/registry-key-value/definition.json) - Registry key value object describing a Windows registry key value with its data, data type and name, to be used when a registry key has multiple values +- [objects/registry-key-value](https://github.com/MISP/misp-objects/blob/main/objects/registry-key-value/definition.json) - Registry key value object describing a Windows registry key value, with its data, data type and name values. To be used when a registry key has multiple values. - [objects/regripper-NTUser](https://github.com/MISP/misp-objects/blob/main/objects/regripper-NTUser/definition.json) - Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive. - [objects/regripper-sam-hive-single-user](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-single-user/definition.json) - Regripper Object template designed to present user profile details extracted from the SAM hive. 
- [objects/regripper-sam-hive-user-group](https://github.com/MISP/misp-objects/blob/main/objects/regripper-sam-hive-user-group/definition.json) - Regripper Object template designed to present group profile details extracted from the SAM hive. @@ -464,11 +466,11 @@ The MISP objects (JSON files) are dual-licensed under: or ~~~~ - Copyright (c) 2016-2021 Alexandre Dulaunoy - a@foo.be - Copyright (c) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg - Copyright (c) 2016-2021 Andras Iklody - Copyright (c) 2016-2021 Raphael Vinot - Copyright (c) 2016-2021 Various contributors to MISP Project + Copyright (c) 2016-2023 Alexandre Dulaunoy - a@foo.be + Copyright (c) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg + Copyright (c) 2016-2023 Andras Iklody + Copyright (c) 2016-2023 Raphael Vinot + Copyright (c) 2016-2023 Various contributors to MISP Project Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -498,9 +500,9 @@ If a specific author of a taxonomy wants to license it under a different license ~~~~ -Copyright (C) 2016-2021 Andras Iklody -Copyright (C) 2016-2021 Alexandre Dulaunoy -Copyright (C) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2023 Andras Iklody +Copyright (C) 2016-2023 Alexandre Dulaunoy +Copyright (C) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by From 9e4afdfb7a8971867baabd1819fc749a62d93fc4 Mon Sep 17 00:00:00 2001 
From: Christian Studer Date: Fri, 31 Mar 2023 11:30:33 +0200 Subject: [PATCH 21/40] add: [network-socket] Added MAC address attributes - Even though they are not exactly part of the socket fields, it could be interesting to have them to have the information about them like they are described within the packets that are sent using the socket --- objects/network-socket/definition.json | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json index 57056ac..bae4f7e 100644 --- a/objects/network-socket/definition.json +++ b/objects/network-socket/definition.json @@ -172,6 +172,16 @@ "misp-attribute": "datetime", "ui-priority": 1 }, + "mac-dst": { + "description": "Destination MAC address as it is included in the packets sent", + "misp-attribute": "mac-address", + "ui-priority": 1 + }, + "mac-src": { + "description": "Source (local) MAC address as it is included in the packets sent", + "misp-attribute": "mac-address", + "ui-priority": 1 + }, "option": { "description": "Option on the socket connection.", "misp-attribute": "text", From 27df249584dae977cc8222aa445b37eced0311bb Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Apr 2023 07:56:32 +0200 Subject: [PATCH 22/40] chg: [relationships] `rewrite` relationship type added Ref: https://github.com/MISP/misp-galaxy/pull/833 Following an idea from @jloehel - a new relationship has been added --- relationships/definition.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index 8f83332..a21d920 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
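Review bot: The template `version` is not bumped in this commit — the diffstat shows 10 insertions and no changed line — so it stays at the value set earlier in this series, and as far as template updates are driven by the version number, instances that already loaded that version will not pick up `mac-dst`/`mac-src`. Suggest bumping `"version"` in the same commit. The `version` field and the enclosing `attributes` object sit outside this hunk.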
@@ -1267,6 +1267,13 @@ ], "name": "drives" }, + { + "description": "The referenced source object is a rewrite specified in the target object. The rewrite can be for a computer program text but also any rewrite of a text.", + "format": [ + "misp" + ], + "name": "rewrite" + }, { "description": "The referenced source object is a friend of the target object.", "format": [ @@ -1501,5 +1508,5 @@ "name": "Me" } ], - "version": 35 -} \ No newline at end of file + "version": 36 +} From 059b669d9a8304f197740eace9d2f26e9dcde680 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 4 Apr 2023 07:58:18 +0200 Subject: [PATCH 23/40] chg: [relationships] fix newline --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index a21d920..024f458 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1509,4 +1509,4 @@ } ], "version": 36 -} +} \ No newline at end of file From e1327d02bb3354a50a59e73c4719583cd3d592ff Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 13 Apr 2023 10:41:39 +0200 Subject: [PATCH 24/40] new: [risk-assessment-report] New object template Risk assessment report To be used to share risk assessment report from risk assessment platform such as [MONARC](https://github.com/monarc-project/). This extension is done in the scope of the [NISDUC project](https://www.nisduc.eu/). TODO: Maybe add a field for machine-readable version of the report --- .../risk-assessment-report/definition.json | 55 +++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 objects/risk-assessment-report/definition.json diff --git a/objects/risk-assessment-report/definition.json b/objects/risk-assessment-report/definition.json new file mode 100644 index 0000000..0210fce --- /dev/null +++ b/objects/risk-assessment-report/definition.json 
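Review bot: The description "The referenced source object is a rewrite specified in the target object." is hard to parse — "specified in" suggests the target contains a specification rather than being the original; `"description": "The referenced source object is a rewrite of the target object. The rewrite can be of a computer program text but also of any other text."` states the direction plainly. If other entries in this list declare an `opposite` relationship (not visible in this hunk), a matching `rewritten-by` may be worth adding for symmetry.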
@@ -0,0 +1,55 @@ +{ + "attributes": { + "case-number": { + "categories": [ + "Internal reference", + "Other" + ], + "description": "Case number", + "misp-attribute": "text", + "ui-priority": 1 + }, + "link": { + "description": "Link to the report mentioned", + "misp-attribute": "link", + "multiple": true, + "ui-priority": 100 + }, + "report-file": { + "description": "Attachment(s) that is related to the report in human readable format (PDF)", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 99 + }, + "summary": { + "categories": [ + "Other", + "Internal reference" + ], + "description": "Free text summary of the risk assessment report", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 100 + }, + "type": { + "description": "Source of the risk assessment report", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "MONARC", + "Serima" + ], + "ui-priority": 100 + } + }, + "description": "Risk assessment report object which includes the assessment report from a risk assessment platform such as MONARC", + "meta-category": "misc", + "name": "risk-assessment-report", + "requiredOneOf": [ + "summary", + "link", + "report-file" + ], + "uuid": "72989321-6866-40c6-a9b5-4c5869ec2a76", + "version": 1 +} \ No newline at end of file From b81698ae108fed6e58f27de03e327d5ed4785b51 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 15 Apr 2023 16:31:22 +0200 Subject: [PATCH 25/40] new: [ai-chat-prompt] new object template for AI chat prompt such as ChatGPT Following a discussion with @aaronkaplan in Vienna, this object is a first version to describe an AI chat prompt. The template can describe the model used, the actual quality of results and also what's the actor context. Reference #388 --- objects/ai-chat-prompt/definition.json | 62 ++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 objects/ai-chat-prompt/definition.json 
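Review bot: `case-number` has correlation enabled, yet case numbers are organisation-local short identifiers, so two unrelated organisations sharing reports numbered `2023-001` would be correlated with each other; `"disable_correlation": true` on `case-number` avoids that noise. The `type` relation is described as "Source of the risk assessment report" while its name says type — pick one, e.g. `"description": "Risk assessment platform or tool the report was produced with"`. The commit message leaves a machine-readable report field as TODO; since `report-file` is already `attachment` + `multiple`, a separate relation whose description names the format would be the least ambiguous follow-up.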
diff --git a/objects/ai-chat-prompt/definition.json b/objects/ai-chat-prompt/definition.json new file mode 100644 index 0000000..308a63f --- /dev/null +++ b/objects/ai-chat-prompt/definition.json @@ -0,0 +1,62 @@ +{ + "attributes": { + "act-as": { + "description": "Act as a specific person.", + "misp-attribute": "text", + "sane_default": [ + "Security Analysts", + "Incident Responder", + "IT Expert", + "Cyber Security Specialists", + "Technical Writer" + ] + }, + "comment": { + "description": "Comment associated to the AI chat prompt.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "model": { + "description": "AI chatbot model used for the prompt.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "ChatGPT", + "BioGPT", + "LLaMA", + "GPT4ALL", + "Bing AI", + "Google Bard AI" + ] + }, + "prompt": { + "description": "Prompt text used for a specific AI chat.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true + }, + "result": { + "description": "Result", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0, + "values_list": [ + "Unknown", + "Harmless", + "Correct", + "Dangerous", + "Incorrect" + ] + } + }, + "description": "Object describing an AI prompt such as ChatGPT.", + "meta-category": "misc", + "name": "ai-chat-prompt", + "requiredOneOf": [ + "prompt" + ], + "uuid": "a78f4156-0bb7-405c-aa25-ba16a73f68e4", + "version": 1 +} \ No newline at end of file From 302697e045a64f198fdabe791d7c5ca76b5a9bf1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 15 Apr 2023 16:38:13 +0200 Subject: [PATCH 26/40] chg: [ai-chat-prompt] ui-priority fixed --- objects/ai-chat-prompt/definition.json | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/objects/ai-chat-prompt/definition.json b/objects/ai-chat-prompt/definition.json index 308a63f..f3a27a6 100644 --- a/objects/ai-chat-prompt/definition.json 
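Review bot: `result` is described only as "Result", while its `values_list` mixes two independent axes — harmfulness (Harmless/Dangerous) and correctness (Correct/Incorrect) — and is `multiple: true`, so nothing tells the analyst whether to pick one value or one per axis; `"description": "Analyst assessment of the model output for this prompt: harmfulness and/or correctness."` makes the intended use clear, and two separate relations would avoid contradictory combinations. The `act-as` defaults mix plural and singular ("Security Analysts", "Incident Responder"); consistent singular forms keep stored values comparable. Since `prompt` can hold adversarial text (jailbreak or injection payloads), a note in its description that the value is raw, untrusted input would help tooling that renders or re-uses it.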
+++ b/objects/ai-chat-prompt/definition.json @@ -9,7 +9,8 @@ "IT Expert", "Cyber Security Specialists", "Technical Writer" - ] + ], + "ui-priority": 5 }, "comment": { "description": "Comment associated to the AI chat prompt.", @@ -28,20 +29,22 @@ "GPT4ALL", "Bing AI", "Google Bard AI" - ] + ], + "ui-priority": 3 }, "prompt": { "description": "Prompt text used for a specific AI chat.", "disable_correlation": true, "misp-attribute": "text", - "multiple": true + "multiple": true, + "ui-priority": 2 }, "result": { "description": "Result", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 0, + "ui-priority": 4, "values_list": [ "Unknown", "Harmless", From fd12a1bcd76efac002c53e5a28e4e3ae4afb2ce7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 16 Apr 2023 10:50:30 +0200 Subject: [PATCH 27/40] fix: [ai-chat-prompt] improved ai-chat-prompt template --- objects/ai-chat-prompt/definition.json | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) diff --git a/objects/ai-chat-prompt/definition.json b/objects/ai-chat-prompt/definition.json index f3a27a6..3c048e7 100644 --- a/objects/ai-chat-prompt/definition.json +++ b/objects/ai-chat-prompt/definition.json @@ -23,7 +23,14 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ - "ChatGPT", + "GPT 3.5", + "GPT 4.0", + "GPT 3.0", + "DALL-E", + "Whisper", + "Embeddings", + "Moderation", + "Codex", "BioGPT", "LLaMA", "GPT4ALL", @@ -52,6 +59,16 @@ "Dangerous", "Incorrect" ] + }, + "role": { + "description": "Role as defined in OpenAI or similar API.", + "misp-attribute": "text", + "sane_default": [ + "system", + "user", + "assistant" + ], + "ui-priority": 7 } }, "description": "Object describing an AI prompt such as ChatGPT.", @@ -61,5 +78,5 @@ "prompt" ], "uuid": "a78f4156-0bb7-405c-aa25-ba16a73f68e4", - "version": 1 + "version": 2 } \ No newline at end of file From 45bb7539a0067e23b709d082c18dcba56c34bfce Mon Sep 17 00:00:00 2001 
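Review bot: `role` is single-valued whereas `prompt` is `multiple: true`, so an object holding a system prompt and several user turns cannot record which role each prompt belongs to; either make `role` `"multiple": true` with a description stating that its order follows the prompts, or document that one object represents one message. The `model` defaults now include non-chat endpoints (DALL-E, Whisper, Embeddings, Moderation) next to chat models, which no longer matches "AI chatbot model used for the prompt"; `"description": "Model or API endpoint used for the prompt."` would match the list. The enclosing `attributes` object starts and ends outside these hunks.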
From: Alexandre Dulaunoy Date: Sun, 16 Apr 2023 17:33:33 +0200 Subject: [PATCH 28/40] chg: [doc] misp object template list updated --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 07ff0b5..437d6b7 100644 --- a/README.md +++ b/README.md @@ -105,6 +105,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID ## Existing MISP objects - [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering. +- [objects/ai-chat-prompt](https://github.com/MISP/misp-objects/blob/main/objects/ai-chat-prompt/definition.json) - Object describing an AI prompt such as ChatGPT. - [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework. - [objects/ais](https://github.com/MISP/misp-objects/blob/main/objects/ais/definition.json) - Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships. - [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings. 
@@ -335,6 +336,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/regripper-system-hive-services-drivers](https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-services-drivers/definition.json) - Regripper Object template designed to gather information regarding the services/drivers from the system-hive. - [objects/report](https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json) - Metadata used to generate an executive level report. - [objects/research-scanner](https://github.com/MISP/misp-objects/blob/main/objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects). +- [objects/risk-assessment-report](https://github.com/MISP/misp-objects/blob/main/objects/risk-assessment-report/definition.json) - Risk assessment report object which includes the assessment report from a risk assessment platform such as MONARC. - [objects/rogue-dns](https://github.com/MISP/misp-objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS as defined by CERT.br. - [objects/rtir](https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response. - [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report. From 3d736c427ce376eac7c623068325cfce05269f3e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 May 2023 16:52:24 +0200 Subject: [PATCH 29/40] new: [crowdsec-ip-context] new initial object for crowdsec expansion --- objects/crowdsec-ip-context/definition.json | 153 ++++++++++++++++++++ 1 file changed, 153 insertions(+) create mode 100644 objects/crowdsec-ip-context/definition.json diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json new file mode 100644 index 0000000..9234669 --- /dev/null +++ b/objects/crowdsec-ip-context/definition.json 
@@ -0,0 +1,153 @@ +{ + "attributes": { + "as-num": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Autonomous system number", + "disable_correlation": true, + "misp-attribute": "AS", + "multiple": true, + "ui-priority": 0 + }, + "as-name": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Autonomous system name", + "disable_correlation": true, + "misp-attribute": "AS", + "multiple": true, + "ui-priority": 0 + }, + "country-code": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Country Code", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "reverse-dns": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Reverse DNS name", + "misp-attribute": "hostname", + "ui-priority": 1 + }, + "dst-port": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Destination port", + "disable_correlation": true, + "misp-attribute": "port", + "multiple": true, + "ui-priority": 1 + }, + "ip": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "IP Address", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "ip-range": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "destination IP address", + "misp-attribute": "ip-src", + "ui-priority": 1 + }, + "ip-range-score": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "destination IP address", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, + "country": { + "description": "Country of origin", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true + }, + "city": { + "description": "City of origin", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true + }, + "latitude": { + "description": "Latitude of origin", + "misp-attribute": 
"float", + "ui-priority": 1, + "disable_correlation": true + }, + "longitude": { + "description": "Longitude of origin", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, + "behaviors": { + "description": "Attack categories", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true, + "multiple": true + }, + "attack-details": { + "description": "Triggered scenarios", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true + }, + "target-countries": { + "description": "Target countries (top 10)", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true + }, + "trust": { + "description": "Trust level", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, + "background-noise": { + "description": "Background noise", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, + "scores": { + "description": "Scores", + "misp-attribute": "text", + "ui-priority": 1, + "disable_correlation": true + } + }, + "description": "CrowdSec Threat Intelligence - IP CTI search", + "meta-category": "network", + "name": "crowdsec-ip-context", + "requiredOneOf": [ + "ip" + ], + "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f", + "version": 1 +} From 65f4be51d58c76d0c27d6e2f8558df79b492abb9 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 May 2023 08:52:19 +0200 Subject: [PATCH 30/40] chg: [crowdsec] updated --- objects/crowdsec-ip-context/definition.json | 140 ++++++++++---------- 1 file changed, 70 insertions(+), 70 deletions(-) diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json index 9234669..cd95540 100644 --- a/objects/crowdsec-ip-context/definition.json +++ b/objects/crowdsec-ip-context/definition.json 
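Review bot: `ip-range` and `ip-range-score` both carry the copy-pasted description "destination IP address" although one is a CIDR range and the other a float score; suggest `"description": "IP range (CIDR) the address belongs to"` and `"description": "CrowdSec score of the IP range"`. `as-name` is typed `AS`, which MISP validates as an AS number, so operator-name strings are likely to be rejected at attribute creation — `"misp-attribute": "text"` is the safer type, to be verified against the validator. `country`, `country-code`, `city`, `latitude` and `longitude` are provider geolocation hints rather than observed facts, and saying "as reported by CrowdSec" in their descriptions would keep analysts from treating them as ground truth. The reorder later in this series keeps these descriptions unchanged.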
@@ -1,16 +1,5 @@
 {
 "attributes": {
- "as-num": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Autonomous system number",
- "disable_correlation": true,
- "misp-attribute": "AS",
- "multiple": true,
- "ui-priority": 0
- },
 "as-name": {
 "categories": [
 "Network activity",
@@ -22,6 +11,48 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "as-num": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Autonomous system number",
+ "disable_correlation": true,
+ "misp-attribute": "AS",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "attack-details": {
+ "description": "Triggered scenarios",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "background-noise": {
+ "description": "Background noise",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
+ },
+ "behaviors": {
+ "description": "Attack categories",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "city": {
+ "description": "City of origin",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "country": {
+ "description": "Country of origin",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "country-code": {
 "categories": [
 "Network activity",
@@ -32,15 +63,6 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
- "reverse-dns": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
- "description": "Reverse DNS name",
- "misp-attribute": "hostname",
- "ui-priority": 1
- },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -76,70 +98,48 @@
 "External analysis"
 ],
 "description": "destination IP address",
+ "disable_correlation": true,
 "misp-attribute": "float",
- "ui-priority": 1,
- "disable_correlation": true
- },
- "country": {
- "description": "Country of origin",
- "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
- },
- "city": {
- "description": "City of origin",
- "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
+ "ui-priority": 1
 },
 "latitude": {
 "description": "Latitude of origin",
+ "disable_correlation": true,
 "misp-attribute": "float",
- "ui-priority": 1,
- "disable_correlation": true
+ "ui-priority": 1
 },
 "longitude": {
 "description": "Longitude of origin",
- "misp-attribute": "float",
- "ui-priority": 1,
- "disable_correlation": true
- },
- "behaviors": {
- "description": "Attack categories",
- "misp-attribute": "text",
- "ui-priority": 1,
 "disable_correlation": true,
- "multiple": true
- },
- "attack-details": {
- "description": "Triggered scenarios",
- "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
- },
- "target-countries": {
- "description": "Target countries (top 10)",
- "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
- },
- "trust": {
- "description": "Trust level",
 "misp-attribute": "float",
- "ui-priority": 1,
- "disable_correlation": true
+ "ui-priority": 1
 },
- "background-noise": {
- "description": "Background noise",
- "misp-attribute": "float",
- "ui-priority": 1,
- "disable_correlation": true
+ "reverse-dns": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Reverse DNS name",
+ "misp-attribute": "hostname",
+ "ui-priority": 1
 },
 "scores": {
 "description": "Scores",
+ "disable_correlation": true,
 "misp-attribute": "text",
- "ui-priority": 1,
- "disable_correlation": true
+ "ui-priority": 1
+ },
+ "target-countries": {
+ "description": "Target countries (top 10)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "trust": {
+ "description": "Trust level",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
 }
 },
 "description": "CrowdSec Threat Intelligence - IP CTI search",
@@ -150,4 +150,4 @@
 ],
 "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
 "version": 1
-}
+}
\ No newline at end of file
From b0e5f39f26e0d4896240a77c09ce5d4f25572491 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 12 May 2023 10:31:33 +0200
Subject: [PATCH 31/40] Update definition.json
---
 objects/crowdsec-ip-context/definition.json | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json
index cd95540..9cdde39 100644
--- a/objects/crowdsec-ip-context/definition.json
+++ b/objects/crowdsec-ip-context/definition.json
@@ -54,10 +54,6 @@
 "ui-priority": 1
 },
 "country-code": {
- "categories": [
- "Network activity",
- "External analysis"
- ],
 "description": "Country Code",
 "disable_correlation": true,
 "misp-attribute": "text",
@@ -149,5 +145,5 @@
 "ip"
 ],
 "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
- "version": 1
-}
\ No newline at end of file
+ "version": 2
+}
From a605792844d13cdd2f8b8825f4bd0dc85e5c5f6c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 12 May 2023 10:34:19 +0200
Subject: [PATCH 32/40] chg: [crowdsec] jq all the things
---
 objects/crowdsec-ip-context/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json
index 9cdde39..19c2734 100644
--- a/objects/crowdsec-ip-context/definition.json
+++ b/objects/crowdsec-ip-context/definition.json
@@ -146,4 +146,4 @@
 ],
 "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
 "version": 2
-}
+}
\ No newline at end of file
From 48dd45519624cabeb6fc7e22f76135312e2715b7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 16 May 2023 09:25:57 +0200
Subject: [PATCH 33/40] chg: [relationships] `serves` added in relationships Additional verb as an alternative to `hosts`
---
 relationships/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 024f458..7ddac8e 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1381,6 +1381,13 @@
 ],
 "name": "is-not-targeted-by"
 },
+ {
+ "description": "This relationship describes that the source object provides services described in the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "serves"
+ },
 {
 "description": "The source object considers the target object as a friend. Is not necessarily symmetric.",
 "format": [
@@ -1508,5 +1515,5 @@
 "name": "Me"
 }
 ],
- "version": 36
-}
\ No newline at end of file
+ "version": 37
+}
From f7e6cab1bf022a05b22e2d53deba0c704b52b008 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 16 May 2023 21:18:28 +0200
Subject: [PATCH 34/40] chg: [relationships] jq all the things
---
 relationships/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 7ddac8e..89e25e1 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1516,4 +1516,4 @@
 }
 ],
 "version": 37
-}
+}
\ No newline at end of file
From f1b5e5468379987e12e7e5c53ae35bd16f064646 Mon Sep 17 00:00:00 2001
From: tmbc-nl
Date: Wed, 17 May 2023 14:37:53 +0200
Subject: [PATCH 35/40] chg: [relationships] Fixed a typo.
---
 relationships/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 89e25e1..3ae958e 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1310,11 +1310,11 @@
 "name": "spouse-of"
 },
 {
- "description": "The referenced source object is an ennemy of the target object.",
+ "description": "The referenced source object is an enemy of the target object.",
 "format": [
 "foaf"
 ],
- "name": "ennemy-of"
+ "name": "enemy-of"
 },
 {
 "description": "The referenced source object is an antagonist of the target object.",
From 4e5719f29a01f9c7283bd958d216ef8c04930695 Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 19 May 2023 14:07:24 -0500
Subject: [PATCH 36/40] adding cobalt strike beacon config object
---
 objects/cs-beacon-config/definition.json | 73 ++++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 objects/cs-beacon-config/definition.json
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
new file mode 100644
index 0000000..0330471
--- /dev/null
+++ b/objects/cs-beacon-config/definition.json
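Review bot: Changing the relationship `name` from `ennemy-of` to `enemy-of` alters an identifier that already-stored references may use, yet the hunk leaves `version` untouched although every other content change to this file on this page bumps it (36 → 37 for `serves`). Bump `version` in the same change, and decide how data that stored the misspelled name is handled — a migration note in the commit message at minimum, or a deprecated alias entry if the format supports one. The relationships array continues outside the hunk on both sides.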
@@ -0,0 +1,73 @@
+{
+ "attributes": {
+ "c2": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "The C2 sample communicates with",
+ "misp-attribute": "url",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "jar-md5": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "MD5 of adversary cobaltstrike.jar file",
+ "misp-attribute": "md5",
+ "ui-priority": 0
+ },
+ "md5": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "MD5 of sample containing the Cobalt Strike shellcode",
+ "misp-attribute": "md5",
+ "ui-priority": 1
+ },
+ "sha1": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "SHA1 of sample containing the Cobalt Strike shellcode",
+ "misp-attribute": "sha1",
+ "ui-priority": 1
+ },
+ "sha256": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "SHA256 of sample containing the Cobalt Strike shellcode",
+ "misp-attribute": "sha256",
+ "ui-priority": 1
+ },
+ "vt-sha256": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "SHA256 of sample uploaded to VirusTotal",
+ "misp-attribute": "sha256",
+ "ui-priority": 0
+ },
+ "watermark": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The watermark of sample",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "Cobalt Strike Beacon Config",
+ "meta-category": "file",
+ "name": "cs-beacon-config",
+ "required": [
+ "jar-md5",
+ "md5",
+ "sha1",
+ "sha256",
+ "watermark"
+ ],
+ "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
+ "version": 1
+}
\ No newline at end of file
From dec2cbb917b43137606be66db105773995ed8b87 Mon Sep 17 00:00:00 2001
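Review bot: The `required` list demands `jar-md5`, `md5`, `sha1`, `sha256` and `watermark` all at once, so an object cannot be created when only one hash of the sample is known or when the `cobaltstrike.jar` hash is unavailable, which is the common case for a beacon config recovered from a sample. `requiredOneOf` over the sample hashes (the shape `crowdsec-ip-context` uses elsewhere on this page) keeps the object usable while still forcing at least one identifier. The `c2` description `"The C2 sample communicates with"` is a sentence fragment; `"C2 URL(s) the sample communicates with"` says the same thing clearly.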
From: Alexandre Dulaunoy Date: Mon, 22 May 2023 13:59:57 +0200 Subject: [PATCH 37/40] new: [scan-result] object for scanning result This is the metadata of a scanning result including the raw output of the scan result. This object can be used for tools like Nessus or even a source code scanner to share the details about a scan. For additional information such as IP addresses or the like, other objects will be used with the proper relationship added. --- objects/scan-result/definition.json | 91 +++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 objects/scan-result/definition.json diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json new file mode 100644 index 0000000..d21ac88 --- /dev/null +++ b/objects/scan-result/definition.json
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the scanning performed in this scan-result",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "scan-end": {
+ "description": "End of scanning activity",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "scan-result": {
+ "description": "The scan-result as a file (in machine-readable or human-readable format). The file is always consider non-malicious.",
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
+ "scan-result-format": {
+ "description": "Format used for the scan-result.",
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "values_lists": [
+ "free-text output",
+ "XML",
+ "JSON",
+ "CSV",
+ "HTML",
+ "PDF",
+ "Unknown"
+ ]
+ },
+ "scan-result-tool": {
+ "description": "Tool used which generated the scan-result.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Nessus",
+ "OpenVAS",
+ "Nmap",
+ "Nikto",
+ "masscan",
+ "zmap",
+ "Qualys",
+ "dnscan",
+ "dnsrecon",
+ "striker",
+ "rhawk",
+ "sslyze",
+ "wafw00f",
+ "sqlmap",
+ "wig",
+ "knock",
+ "wpscan",
+ "joomscan",
+ "arachni",
+ "nuclei"
+ ],
+ "ui-priority": 0
+ },
+ "scan-start": {
+ "description": "Start of scanning activity",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "scan-type": {
+ "description": "Type of scanning in the scan-result.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0,
+ "values_list": [
+ "Network",
+ "System",
+ "Unknown"
+ ]
+ }
+ },
+ "description": "Scan result object to add meta-data and the output of the scan result by itself.",
+ "meta-category": "network",
+ "name": "scan-result",
+ "required": [
+ "scan-result"
+ ],
+ "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
+ "version": 1
+}
\ No newline at end of file
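Review bot: `scan-result-format` uses the key `"values_lists"` while `scan-type` in the same hunk uses `"values_list"`; the plural form is a typo and any consumer reading `values_list` silently gets no allowed-format list for that attribute. The re-created file in the next patch on this page corrects the key, but the description typo `"The file is always consider non-malicious."` (`considered`) survives there and through the later patches as well. `scan-start` and `scan-end` are also declared `"multiple": true`, which permits several start and end timestamps on one result with no way to pair them; if a scan-result describes a single scan window, drop `multiple` on both.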
From e33e893b44a28776b65791ee91191624f4cf05ed Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 22 May 2023 13:59:57 +0200 Subject: [PATCH 38/40] new: [scan-result] object for scanning result This is the metadata of a scanning result including the raw output of the scan result. This object can be used for tools like Nessus or even a source code scanner to share the details about a scan. For additional information such as IP addresses or the like, other objects will be used with the proper relationship added. --- objects/scan-result/definition.json | 91 +++++++++++++++++++++++++++++ 1 file changed, 91 insertions(+) create mode 100644 objects/scan-result/definition.json diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json new file mode 100644 index 0000000..9ecbba8 --- /dev/null +++ b/objects/scan-result/definition.json
@@ -0,0 +1,91 @@
+{
+ "attributes": {
+ "description": {
+ "description": "Description of the scanning performed in this scan-result",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "scan-end": {
+ "description": "End of scanning activity",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "scan-result": {
+ "description": "The scan-result as a file (in machine-readable or human-readable format). The file is always consider non-malicious.",
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
+ "scan-result-format": {
+ "description": "Format used for the scan-result.",
+ "misp-attribute": "text",
+ "ui-priority": 1,
+ "values_list": [
+ "free-text output",
+ "XML",
+ "JSON",
+ "CSV",
+ "HTML",
+ "PDF",
+ "Unknown"
+ ]
+ },
+ "scan-result-tool": {
+ "description": "Tool used which generated the scan-result.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Nessus",
+ "OpenVAS",
+ "Nmap",
+ "Nikto",
+ "masscan",
+ "zmap",
+ "Qualys",
+ "dnscan",
+ "dnsrecon",
+ "striker",
+ "rhawk",
+ "sslyze",
+ "wafw00f",
+ "sqlmap",
+ "wig",
+ "knock",
+ "wpscan",
+ "joomscan",
+ "arachni",
+ "nuclei"
+ ],
+ "ui-priority": 0
+ },
+ "scan-start": {
+ "description": "Start of scanning activity",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "scan-type": {
+ "description": "Type of scanning in the scan-result.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0,
+ "values_list": [
+ "Network",
+ "System",
+ "Unknown"
+ ]
+ }
+ },
+ "description": "Scan result object to add meta-data and the output of the scan result by itself.",
+ "meta-category": "network",
+ "name": "scan-result",
+ "required": [
+ "scan-result"
+ ],
+ "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
+ "version": 1
+}
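Review bot: The `scan-result` attachment is described as `"always consider non-malicious"`, which a consumer can read as a guarantee about the file's content; scanner output in the listed formats (`HTML`, `PDF`, `XML`) is parsed or rendered by downstream tooling and should still be handled as untrusted input. The statement is really about storage, so say that instead: `"description": "The scan result as a file (machine- or human-readable). Stored as a plain attachment rather than a malware sample; consumers should still treat its contents as untrusted data."`. This is a wording change only; the `attachment` type and the rest of the block stay as they are.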
From 20f567757d9c91f9e9256084e05adf3f73c9883d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 22 May 2023 14:08:34 +0200
Subject: [PATCH 39/40] chg: [scan-result] jq all the things
---
 objects/scan-result/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json
index 9ecbba8..df89dc8 100644
--- a/objects/scan-result/definition.json
+++ b/objects/scan-result/definition.json
@@ -88,4 +88,4 @@
 ],
 "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
 "version": 1
-}
+}
\ No newline at end of file
From 61608e5d440328b60f88234dbdcd9365cad5a27a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 May 2023 11:03:47 +0200
Subject: [PATCH 40/40] chg: [scan-result] updated list of potential scanning tool Source: https://gist.github.com/SteveClement/baf3a9ae0ba030283ecc30acd6f7c2ae
---
 objects/scan-result/definition.json | 179 ++++++++++++++++++++++++----
 1 file changed, 158 insertions(+), 21 deletions(-)
diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json
index df89dc8..af7fdff 100644
--- a/objects/scan-result/definition.json
+++ b/objects/scan-result/definition.json
@@ -37,26 +37,163 @@
 "disable_correlation": true,
 "misp-attribute": "text",
 "sane_default": [
- "Nessus",
- "OpenVAS",
- "Nmap",
- "Nikto",
- "masscan",
- "zmap",
- "Qualys",
- "dnscan",
- "dnsrecon",
- "striker",
- "rhawk",
- "sslyze",
- "wafw00f",
- "sqlmap",
- "wig",
- "knock",
- "wpscan",
- "joomscan",
- "arachni",
- "nuclei"
+ "AWS Prowler Scan",
+ "AWS Scout2 Scan",
+ "AWS Security Finding Format (ASFF) Scan",
+ "AWS Security Hub Scan",
+ "Acunetix Scan",
+ "Acunetix360 Scan",
+ "Anchore Engine Scan",
+ "Anchore Enterprise Policy Check",
+ "Anchore Grype",
+ "AnchoreCTL Policies Report",
+ "AnchoreCTL Vuln Report",
+ "AppSpider Scan",
+ "Aqua Scan",
+ "Arachni Scan",
+ "AuditJS Scan",
+ "Azure Security Center Recommendations Scan",
+ "Bandit Scan",
+ "BlackDuck API",
+ "Blackduck Component Risk",
+ "Blackduck Hub Scan",
+ "Brakeman Scan",
+ "BugCrowd Scan",
+ "Bugcrowd API Import",
+ "Bundler-Audit Scan",
+ "Burp Enterprise Scan",
+ "Burp GraphQL API",
+ "Burp REST API",
+ "Burp Scan",
+ "CargoAudit Scan",
+ "Checkmarx OSA",
+ "Checkmarx Scan",
+ "Checkmarx Scan detailed",
+ "Checkov Scan",
+ "Clair Klar Scan",
+ "Clair Scan",
+ "Cloudsploit Scan",
+ "Cobalt.io API Import",
+ "Cobalt.io Scan",
+ "Codechecker Report native",
+ "Contrast Scan",
+ "Coverity API",
+ "Crashtest Security JSON File",
+ "Crashtest Security XML File",
+ "CredScan Scan",
+ "CycloneDX Scan",
+ "DSOP Scan",
+ "DawnScanner Scan",
+ "Dependency Check Scan",
+ "Dependency Track Finding Packaging Format (FPF) Export",
+ "Detect-secrets Scan",
+ "Dockle Scan",
+ "DrHeader JSON Importer",
+ "ESLint Scan",
+ "Edgescan Scan",
+ "Fortify Scan",
+ "Generic Findings Import",
+ "Ggshield Scan",
+ "GitLab API Fuzzing Report Scan",
+ "GitLab Container Scan",
+ "GitLab DAST Report",
+ "GitLab Dependency Scanning Report",
+ "GitLab SAST Report",
+ "GitLab Secret Detection Report",
+ "Github Vulnerability Scan",
+ "Gitleaks Scan",
+ "Gosec Scanner",
+ "HackerOne Cases",
+ "Hadolint Dockerfile check",
+ "Harbor Vulnerability Scan",
+ "Horusec Scan",
+ "HuskyCI Report",
+ "Hydra Scan",
+ "IBM AppScan DAST",
+ "Immuniweb Scan",
+ "IntSights Report",
+ "JFrog Xray API Summary Artifact Scan",
+ "JFrog Xray Scan",
+ "JFrog Xray Unified Scan",
+ "KICS Scan",
+ "Kiuwan Scan",
+ "Meterian Scan",
+ "Microfocus Webinspect Scan",
+ "MobSF Scan",
+ "Mobsfscan Scan",
+ "Mozilla Observatory Scan",
+ "NPM Audit Scan",
+ "Nessus Scan",
+ "Nessus WAS Scan",
+ "Netsparker Scan",
+ "NeuVector (REST)",
+ "NeuVector (compliance)",
+ "Nexpose Scan",
+ "Nikto Scan",
+ "Nmap Scan",
+ "Node Security Platform Scan",
+ "Nuclei Scan",
+ "ORT evaluated model Importer",
+ "OpenVAS CSV",
+ "Openscap Vulnerability Scan",
+ "OssIndex Devaudit SCA Scan Importer",
+ "Outpost24 Scan",
+ "PHP Security Audit v2",
+ "PHP Symfony Security Check",
+ "PMD Scan",
+ "PWN SAST",
+ "Qualys Infrastructure Scan (WebGUI XML)",
+ "Qualys Scan",
+ "Qualys Webapp Scan",
+ "Retire.js Scan",
+ "Risk Recon API Importer",
+ "Rubocop Scan",
+ "Rusty Hog Scan",
+ "SARIF",
+ "SKF Scan",
+ "SSL Labs Scan",
+ "SSLyze Scan (JSON)",
+ "Scantist Scan",
+ "Scout Suite Scan",
+ "Semgrep JSON Report",
+ "Snyk Scan",
+ "Solar Appscreener Scan",
+ "SonarQube API Import",
+ "SonarQube Scan",
+ "SonarQube Scan detailed",
+ "Sonatype Application Scan",
+ "SpotBugs Scan",
+ "Sslscan",
+ "Sslyze Scan",
+ "StackHawk HawkScan",
+ "TFSec Scan",
+ "Talisman Scan",
+ "Terrascan Scan",
+ "Testssl Scan",
+ "Trivy Operator Scan",
+ "Trivy Scan",
+ "Trufflehog Scan",
+ "Trufflehog3 Scan",
+ "Trustwave Fusion API Scan",
+ "Trustwave Scan (CSV)",
+ "Twistlock Image Scan",
+ "VCG Scan",
+ "Veracode Scan",
+ "Veracode SourceClear Scan",
+ "Vulners",
+ "WFuzz JSON report",
+ "Wapiti Scan",
+ "Wazuh",
+ "Whispers Scan",
+ "WhiteHat Sentinel",
+ "Whitesource Scan",
+ "Wpscan",
+ "Xanitizer Scan",
+ "Yarn Audit Scan",
+ "ZAP Scan",
+ "docker-bench-security Scan",
+ "kube-bench Scan",
+ "pip-audit Scan"
 ],
 "ui-priority": 0
 },
@@ -87,5 +224,5 @@
 "scan-result"
 ],
 "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
- "version": 1
+ "version": 2
 }
\ No newline at end of file