Merge branch 'main' of github.com:MISP/misp-objects

.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: "43 15 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ python ]
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+          queries: +security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v2
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/nosetests.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        python-version: [3.6, 3.7, 3.8, 3.9]
+        python-version: ['3.8', '3.9', '3.10']
 
     steps:
 

README.md

@@ -2,7 +2,7 @@
 
 ![Python application](https://github.com/MISP/misp-objects/workflows/Python%20application/badge.svg)
 
-MISP objects used in MISP system and can be used by other information sharing tool. MISP objects
+MISP objects used in MISP system and can be used by other information sharing tools. MISP objects
 are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects
 and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
 
@@ -83,27 +83,28 @@ Feel free to propose your own MISP objects template to be included in MISP. The
 }
 ~~~~
 
-A MISP object is described in a simple JSON file containing the following element.
+A MISP object is described in a simple JSON file containing the following elements.
 
 * **name** is the name of the your object.
 * **meta-category** is the category where the object falls into. (such as file, network, financial, misc, internal...)
 * **description** is a summary of the object description.
 * **version** is the version number as a decimal value.
 * **required** is an array containing the minimal required attributes to describe the object.
-* **requiredOneOf** is an array containing the attributes where at least one need to be present to describe the object.
+* **requiredOneOf** is an array containing the attributes where at least one needs to be present to describe the object.
 * **attributes** contains another JSON object listing all the attributes composing the object.
 
 Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive).
-An array **categories** shall be used to described in which categories the attribute is. The **ui-priority**
+An array **categories** shall be used to describe in which categories the attribute is. The **ui-priority**
 describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and
 allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field
 shall be set to true if multiple elements of the same key can be used in the object. An optional **values_list**
-where this list of value can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend
+where this list of values can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend
 potential a sane default for an attribute. An optional **disable_correlation** boolean field to suggest the disabling of correlation
 for a specific attribute. An optional **to_ids** boolean field to disable the IDS flag of an attribute.
 
 ## Existing MISP objects
 
+- [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
 - [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework.
 - [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings.
 - [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app.
@@ -111,9 +112,10 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
 - [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
 - [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.
-- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1).
-- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
+- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).
+- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
+- [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
 - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
 - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info.
 - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature.
@@ -123,17 +125,18 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/blog](https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json) - Blog post like Medium or WordPress.
 - [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil.
 - [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
-- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.
+- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transaction.
 - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
 - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
 - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
+- [objects/cloth](https://github.com/MISP/misp-objects/blob/main/objects/cloth/definition.json) - Describes clothes a natural person wears.
 - [objects/coin-address](https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json) - An address used in a cryptocurrency.
 - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
 - [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not.
 - [objects/concordia-mtmf-intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/concordia-mtmf-intrusion-set/definition.json) - Intrusion Set - Phase Description.
-- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.
-- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.
-- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing an Cortex Taxonomy (or mini report).
+- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.
+- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.
+- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing a Cortex Taxonomy (or mini report).
 - [objects/course-of-action](https://github.com/MISP/misp-objects/blob/main/objects/course-of-action/definition.json) - An object describing a specific measure taken to prevent or respond to an attack.
 - [objects/covid19-csse-daily-report](https://github.com/MISP/misp-objects/blob/main/objects/covid19-csse-daily-report/definition.json) - CSSE COVID-19 Daily report.
 - [objects/covid19-dxy-live-city](https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-city/definition.json) - COVID 19 from dxy.cn - Aggregation by city.
@@ -146,7 +149,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/cytomic-orion-file](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json) - Cytomic Orion File Detection.
 - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection.
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
-- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.
+- [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM.
@@ -158,11 +161,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format.
 - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
 - [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points.
+- [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.
+- [objects/exploit](https://github.com/MISP/misp-objects/blob/main/objects/exploit/definition.json) - Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.
 - [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
 - [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account.
 - [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group.
 - [objects/facebook-page](https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json) - Facebook page.
 - [objects/facebook-post](https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json) - Post on a Facebook wall.
+- [objects/facebook-reaction](https://github.com/MISP/misp-objects/blob/main/objects/facebook-reaction/definition.json) - Reaction to facebook posts.
 - [objects/facial-composite](https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json) - An object which describes a facial composite.
 - [objects/fail2ban](https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json) - Fail2ban event.
 - [objects/favicon](https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json) - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
@@ -170,58 +176,59 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
 - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
 - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
-- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - .
-- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - .
-- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - .
+- [objects/ftm-Airplane](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Airplane/definition.json) - An airplane, helicopter or other flying vehicle.
+- [objects/ftm-Assessment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Assessment/definition.json) - Assessment with meta-data.
+- [objects/ftm-Asset](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Asset/definition.json) - A piece of property which can be owned and assigned a monetary value.
 - [objects/ftm-Associate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Associate/definition.json) - Non-family association between two people.
-- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - .
-- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - .
-- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - .
+- [objects/ftm-Audio](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Audio/definition.json) - Audio with meta-data.
+- [objects/ftm-BankAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-BankAccount/definition.json) - An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.
+- [objects/ftm-Call](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Call/definition.json) - Phone call object template including the call and all associated meta-data.
 - [objects/ftm-Company](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Company/definition.json) - A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective.
 - [objects/ftm-Contract](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Contract/definition.json) - An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).
 .
 - [objects/ftm-ContractAward](https://github.com/MISP/misp-objects/blob/main/objects/ftm-ContractAward/definition.json) - A contract or contract lot as awarded to a supplier.
-- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - .
-- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - .
+- [objects/ftm-CourtCase](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCase/definition.json) - Court case.
+- [objects/ftm-CourtCaseParty](https://github.com/MISP/misp-objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - Court Case Party.
 - [objects/ftm-Debt](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Debt/definition.json) - A monetary debt between two parties.
-- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - .
-- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - .
-- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - .
+- [objects/ftm-Directorship](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Directorship/definition.json) - Directorship.
+- [objects/ftm-Document](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Document/definition.json) - Document.
+- [objects/ftm-Documentation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Documentation/definition.json) - Documentation.
 - [objects/ftm-EconomicActivity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-EconomicActivity/definition.json) - A foreign economic activity.
-- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - .
-- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - .
+- [objects/ftm-Email](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Email/definition.json) - Email.
+- [objects/ftm-Event](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Event/definition.json) - Event.
 - [objects/ftm-Family](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Family/definition.json) - Family relationship between two people.
-- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - .
-- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - .
-- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - .
-- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - .
+- [objects/ftm-Folder](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Folder/definition.json) - Folder.
+- [objects/ftm-HyperText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-HyperText/definition.json) - HyperText.
+- [objects/ftm-Image](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Image/definition.json) - Image.
+- [objects/ftm-Land](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Land/definition.json) - Land.
 - [objects/ftm-LegalEntity](https://github.com/MISP/misp-objects/blob/main/objects/ftm-LegalEntity/definition.json) - A legal entity may be a person or a company.
 - [objects/ftm-License](https://github.com/MISP/misp-objects/blob/main/objects/ftm-License/definition.json) - A grant of land, rights or property. A type of Contract.
-- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - .
-- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - .
-- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - .
-- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - .
-- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - .
-- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - .
-- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - .
+- [objects/ftm-Membership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Membership/definition.json) - Membership.
+- [objects/ftm-Message](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Message/definition.json) - Message.
+- [objects/ftm-Organization](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Organization/definition.json) - Organization.
+- [objects/ftm-Ownership](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Ownership/definition.json) - Ownership.
+- [objects/ftm-Package](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Package/definition.json) - Package.
+- [objects/ftm-Page](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Page/definition.json) - Page.
+- [objects/ftm-Pages](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Pages/definition.json) - Pages.
 - [objects/ftm-Passport](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Passport/definition.json) - Passport.
 - [objects/ftm-Payment](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Payment/definition.json) - A monetary payment between two parties.
 - [objects/ftm-Person](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Person/definition.json) - An individual.
-- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - .
+- [objects/ftm-PlainText](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PlainText/definition.json) - Plaintext.
 - [objects/ftm-PublicBody](https://github.com/MISP/misp-objects/blob/main/objects/ftm-PublicBody/definition.json) - A public body, such as a ministry, department or state company.
 - [objects/ftm-RealEstate](https://github.com/MISP/misp-objects/blob/main/objects/ftm-RealEstate/definition.json) - A piece of land or property.
 - [objects/ftm-Representation](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Representation/definition.json) - A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.
-- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - .
+- [objects/ftm-Row](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Row/definition.json) - Row.
 - [objects/ftm-Sanction](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Sanction/definition.json) - A sanction designation.
 - [objects/ftm-Succession](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Succession/definition.json) - Two entities that legally succeed each other.
-- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - .
+- [objects/ftm-Table](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Table/definition.json) - Table.
 - [objects/ftm-TaxRoll](https://github.com/MISP/misp-objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax declaration of an individual.
-- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - .
-- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - .
-- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - .
+- [objects/ftm-UnknownLink](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UnknownLink/definition.json) - Unknown Link.
+- [objects/ftm-UserAccount](https://github.com/MISP/misp-objects/blob/main/objects/ftm-UserAccount/definition.json) - User Account.
+- [objects/ftm-Vehicle](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vehicle/definition.json) - Vehicle.
 - [objects/ftm-Vessel](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or ship.
-- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - .
-- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - .
+- [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
+- [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
+- [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
 - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
@@ -243,6 +250,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/intelmq_report](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json) - IntelMQ Report.
 - [objects/internal-reference](https://github.com/MISP/misp-objects/blob/main/objects/internal-reference/definition.json) - Internal reference.
 - [objects/interpol-notice](https://github.com/MISP/misp-objects/blob/main/objects/interpol-notice/definition.json) - An object which describes a Interpol notice.
+- [objects/intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/intrusion-set/definition.json) - A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.  Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes.  While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
 - [objects/iot-device](https://github.com/MISP/misp-objects/blob/main/objects/iot-device/definition.json) - An IoT device.
 - [objects/iot-firmware](https://github.com/MISP/misp-objects/blob/main/objects/iot-firmware/definition.json) - A firmware for an IoT device.
 - [objects/ip-api-address](https://github.com/MISP/misp-objects/blob/main/objects/ip-api-address/definition.json) - IP Address information. Useful if you are pulling your ip information from ip-api.com.
@@ -284,7 +292,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata.
 - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable.
 - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable.
+- [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks.
 - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity.
+- [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity.
 - [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature.
 - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
 - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit.
@@ -294,7 +304,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/process](https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json) - Object describing a system process.
 - [objects/publication](https://github.com/MISP/misp-objects/blob/main/objects/publication/definition.json) - An object to describe a book, journal, or academic publication.
 - [objects/python-etvx-event-log](https://github.com/MISP/misp-objects/blob/main/objects/python-etvx-event-log/definition.json) - Event log object template to share information of the activities conducted on a system. .
+- [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
 - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
+- [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
 - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
 - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
 - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
@@ -323,6 +335,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report.
 - [objects/sb-signature](https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json) - Sandbox detection signature.
 - [objects/scheduled-event](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json) - Event object template describing a gathering of individuals in meatspace.
+- [objects/scheduled-task](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-task/definition.json) - Windows scheduled task description.
 - [objects/scrippsco2-c13-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json) - Daily average C13 concentrations (ppm) derived from flask air samples.
 - [objects/scrippsco2-c13-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-monthly/definition.json) - Monthly average C13 concentrations (ppm) derived from flask air samples.
 - [objects/scrippsco2-co2-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-co2-daily/definition.json) - Daily average CO2 concentrations (ppm) derived from flask air samples.
@@ -330,22 +343,29 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/scrippsco2-o18-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-daily/definition.json) - Daily average O18 concentrations (ppm) derived from flask air samples.
 - [objects/scrippsco2-o18-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json) - Monthly average O18 concentrations (ppm) derived from flask air samples.
 - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
-- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.
+- [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.
 - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
 - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target.
+- [objects/sigma](https://github.com/MISP/misp-objects/blob/main/objects/sigma/definition.json) - An object describing a Sigma rule (or a Sigma rule name).
 - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel.
 - [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14.
+- [objects/spearphishing-attachment](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-attachment/definition.json) - Spearphishing Attachment.
+- [objects/spearphishing-link](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-link/definition.json) - Spearphishing Link.
 - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object.
 - [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks.
 - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file.
 - [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
+- [objects/stock](https://github.com/MISP/misp-objects/blob/main/objects/stock/definition.json) - Object to describe stock market.
 - [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description.
 - [objects/suricata](https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json) - An object describing one or more Suricata rule(s) along with version and contextual information.
 - [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
+- [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body.
 - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account.
+- [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot.
 - [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid.
+- [objects/thaicert-group-cards](https://github.com/MISP/misp-objects/blob/main/objects/thaicert-group-cards/definition.json) - Adversary group cards inspired by ThaiCERT.
 - [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report.
 - [objects/timecode](https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
 - [objects/timesketch-timeline](https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
@@ -366,12 +386,15 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/twitter-account](https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json) - Twitter account.
 - [objects/twitter-list](https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json) - Twitter list.
 - [objects/twitter-post](https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json) - Twitter post (tweet).
+- [objects/typosquatting-finder](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder/definition.json) - Typosquatting info.
+- [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
 - [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
 - [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
 - [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse.
 - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph.
 - [objects/virustotal-report](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json) - VirusTotal report.
+- [objects/virustotal-submission](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-submission/definition.json) - VirusTotal Submission.
 - [objects/vulnerability](https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json) - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.
 - [objects/weakness](https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json) - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.
 - [objects/whois](https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json) - Whois records information for a domain name or an IP address.
@@ -393,9 +416,9 @@ The MISP object model is open and allows user to use their own relationships. MI
 ## How to contribute MISP objects?
 
 Fork the project, create a new directory in the [objects directory](objects/) matching your object name. Objects must be composed
-of existing MISP attributes. If you are missing a specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP).
+of existing MISP attributes. If you are missing any specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP).
 
-We recommend to add a **text** attribute in a object to allow users to add comments or correlating text.
+We recommend to add a **text** attribute in an object to allow users to add comments or correlate text.
 
 If the unparsed object can be included, a **raw-base64** attribute can be used in the object to import the whole object.
 
@@ -403,6 +426,15 @@ Every object needs a **uuid** which can be created using **uuidgen -r** on a lin
 
 When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is run for validation, pull a request on this project. We usually merge the objects if it fits existing use-cases.
 
+### Best practices when creating MISP object templates
+
+- Use lower-case names without underscore or special characters (except minus) for the field names
+- Add a description in the object template explaining the scope and use-cases of your object templates
+- If the object is the mapping of an existing format, add a reference into the description of the object template
+- `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
+- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). 
+- Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
+
 ## MISP objects documentation
 
 The MISP objects are documented at the following location in [HTML](https://www.misp-project.org/objects.html) and [PDF](https://www.misp-project.org/objects.pdf).
@@ -415,7 +447,7 @@ MISP objects are dynamically used objects that are contributed by users of MISP
 
 The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.
 
-The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself.
+The MISP object model allows for adding new combined indicator formats based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can then be propagated along with the indicators itself.
 
 ## License
 

jq_all_the_things.sh

@@ -10,6 +10,7 @@ do
   cat ${dir} | jq . >/dev/null
   rc=$?
   if [[ $rc != 0 ]]; then exit $rc; fi
+  cat ${dir} | jq -r .uuid | uuidparse
 done
 
 set -e

objects/ADS/definition.json

@@ -0,0 +1,81 @@
+{
+  "attributes": {
+    "acd-element": {
+      "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "additional_resources": {
+      "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 2
+    },
+    "blind_spots_and_assumptions": {
+      "description": "Recognized issues, assumptions, and areas where an ADS may not fire.",
+      "misp-attribute": "text",
+      "ui-priority": 7
+    },
+    "categorization": {
+      "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 10
+    },
+    "date": {
+      "description": "Enter date, when ADS has been created or edited.",
+      "misp-attribute": "datetime",
+      "ui-priority": 12
+    },
+    "false_positives": {
+      "description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.",
+      "misp-attribute": "text",
+      "ui-priority": 6
+    },
+    "goal": {
+      "description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.",
+      "misp-attribute": "text",
+      "ui-priority": 11
+    },
+    "priority": {
+      "description": "Describes the various alerting levels that an ADS may be tagged with.",
+      "misp-attribute": "text",
+      "ui-priority": 4
+    },
+    "responses": {
+      "description": "General response steps in the event that this alert fired.",
+      "misp-attribute": "text",
+      "ui-priority": 3
+    },
+    "sigma_rule": {
+      "description": "Rule in SIGMA format.",
+      "misp-attribute": "sigma",
+      "ui-priority": 1
+    },
+    "strategy_abstract": {
+      "description": "High-level walkthrough of how the ADS functions.",
+      "misp-attribute": "text",
+      "ui-priority": 9
+    },
+    "technical_context": {
+      "description": "Detailed information and background needed for a responder to understand all components of the alert. ",
+      "misp-attribute": "text",
+      "ui-priority": 8
+    },
+    "validation": {
+      "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+      "misp-attribute": "text",
+      "ui-priority": 5
+    }
+  },
+  "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
+  "meta-category": "misc",
+  "name": "ADS",
+  "required": [
+    "date",
+    "goal",
+    "categorization"
+  ],
+  "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
+  "version": 1
+}

objects/artifact/definition.json

@@ -33,7 +33,7 @@
       "ui-priority": 0
     }
   },
-  "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1)",
+  "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1)",
   "meta-category": "file",
   "name": "artifact",
   "requiredOneOf": [
@@ -41,5 +41,5 @@
     "url"
   ],
   "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
-  "version": 1
+  "version": 2
 }

objects/asn/definition.json

@@ -58,12 +58,12 @@
       "ui-priority": 0
     }
   },
-  "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
+  "description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
   "meta-category": "network",
   "name": "asn",
   "requiredOneOf": [
     "asn"
   ],
   "uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
-  "version": 4
+  "version": 5
 }

objects/attack-step/definition.json

@@ -0,0 +1,83 @@
+{
+  "attributes": {
+    "command-line": {
+      "description": "Command line used to execute attack step, if any.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "description": {
+      "description": "Description of the attack step",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "detections": {
+      "description": "Detections by the victim's monitoring capabilities.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "dst-domain": {
+      "description": "Domain destination of the attack step, if any.",
+      "disable_correlation": true,
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "dst-ip": {
+      "description": "IP destination of the attack step, if any.",
+      "disable_correlation": true,
+      "misp-attribute": "ip-dst",
+      "ui-priority": 1
+    },
+    "dst-misc": {
+      "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "expected-response": {
+      "description": "Response or detection expected (in case of purple teaming)",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "key-step": {
+      "description": "Was this attack step object a key step within the context of the incident/event?",
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    },
+    "source-domain": {
+      "description": "Domain source of the attack step, if any.",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "source-ip": {
+      "description": "IP source of the attack step, if any.",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "source-misc": {
+      "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "succesful": {
+      "description": "Was this attack step succesful?",
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 1
+    }
+  },
+  "description": "An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.",
+  "meta-category": "misc",
+  "name": "attack-step",
+  "requiredOneOf": [
+    "description"
+  ],
+  "uuid": "F86CD6C4-B89D-454A-95C1-165D456D8A74",
+  "version": 1
+}

objects/btc-wallet/definition.json

@@ -30,12 +30,12 @@
       "ui-priority": 0
     }
   },
-  "description": "An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.",
+  "description": "An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.",
   "meta-category": "financial",
   "name": "btc-wallet",
   "requiredOneOf": [
     "wallet-address"
   ],
   "uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4",
-  "version": 2
+  "version": 3
 }

objects/cookie/definition.json

@@ -67,12 +67,12 @@
       "ui-priority": 0
     }
   },
-  "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.",
+  "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.",
   "meta-category": "network",
   "name": "cookie",
   "required": [
     "cookie"
   ],
   "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
-  "version": 4
+  "version": 5
 }

objects/cortex-taxonomy/definition.json

@@ -53,7 +53,7 @@
       "ui-priority": 2
     }
   },
-  "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
+  "description": "Cortex object describing a Cortex Taxonomy (or mini report)",
   "meta-category": "misc",
   "name": "cortex-taxonomy",
   "required": [
@@ -63,5 +63,5 @@
     "level"
   ],
   "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
-  "version": 5
+  "version": 6
 }

objects/cortex/definition.json

@@ -41,12 +41,12 @@
       "ui-priority": 0
     }
   },
-  "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
+  "description": "Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.",
   "meta-category": "misc",
   "name": "cortex",
   "requiredOneOf": [
     "full"
   ],
   "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
-  "version": 2
+  "version": 3
 }

objects/domain-ip/definition.json

@@ -44,6 +44,7 @@
       ],
       "description": "Associated TCP port with the domain",
       "misp-attribute": "port",
+      "multiple": true,
       "ui-priority": 1
     },
     "registration-date": {
@@ -69,5 +70,5 @@
     "hostname"
   ],
   "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
-  "version": 10
+  "version": 11
 }

objects/exploit/definition.json

@@ -0,0 +1,101 @@
+{
+  "attributes": {
+    "0day-today-id": {
+      "description": "Reference to the 0day.today referencing this exploit.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "accessibility": {
+      "description": "Accessibility of the exploit.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0,
+      "values_list": [
+        "Unknown",
+        "Public",
+        "Limited",
+        "Paid"
+      ]
+    },
+    "comment": {
+      "description": "Comment associated to the exploit.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "credit": {
+      "description": "Credit(s) for the exploit (such as author, distributor or original source).",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "cve-id": {
+      "description": "Reference to the CVE value targeted by the exploit.",
+      "misp-attribute": "vulnerability",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "Description of the exploit.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "exploit": {
+      "description": "Free text of the exploit.",
+      "misp-attribute": "text",
+      "ui-priority": 10
+    },
+    "exploit-as-attachment": {
+      "description": "Attachment of the exploit.",
+      "misp-attribute": "attachment",
+      "ui-priority": 10
+    },
+    "exploitdb-id": {
+      "description": "Reference to the ExploitDB referencing this exploit.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "filename": {
+      "description": "Filename used for the exploit.",
+      "disable_correlation": true,
+      "misp-attribute": "filename",
+      "multiple": true,
+      "ui-priority": 8
+    },
+    "level": {
+      "description": "Level of the exploit.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0,
+      "values_list": [
+        "Unknown",
+        "Proof-of-Concept",
+        "Functional",
+        "Production-ready"
+      ]
+    },
+    "reference": {
+      "description": "Reference to the exploit.",
+      "disable_correlation": true,
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "title": {
+      "description": "Title of the exploit.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.",
+  "meta-category": "misc",
+  "name": "exploit",
+  "requiredOneOf": [
+    "exploit",
+    "filename",
+    "exploit-as-attachment"
+  ],
+  "uuid": "611a25d5-d8aa-4dde-b9c8-c084e786ebf3",
+  "version": 1
+}

objects/facebook-group/definition.json

@@ -63,6 +63,11 @@
       "multiple": true,
       "ui-priority": 0
     },
+    "id": {
+      "description": "Unique identified of the group.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
     "link": {
       "description": "Original link to the group (supposed harmless).",
       "misp-attribute": "link",
@@ -94,5 +99,5 @@
     "link"
   ],
   "uuid": "165c5507-1cba-4cec-9be4-66e21b590ee6",
-  "version": 1
+  "version": 2
 }

objects/facebook-reaction/definition.json

@@ -0,0 +1,37 @@
+{
+  "attributes": {
+    "link": {
+      "description": "Link to the user account which did the reaction.",
+      "misp-attribute": "link",
+      "ui-priority": 1
+    },
+    "name": {
+      "description": "The name of A user account which did the reaction.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "type": {
+      "description": "Type of reaction.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "like",
+        "love",
+        "sad",
+        "haha",
+        "wow",
+        "care"
+      ],
+      "ui-priority": 1
+    }
+  },
+  "description": "Reaction to facebook posts.",
+  "meta-category": "misc",
+  "name": "facebook-reaction",
+  "requiredOneOf": [
+    "name",
+    "link"
+  ],
+  "uuid": "f219f784-38b8-47f4-a676-e32efd7df0c3",
+  "version": 1
+}

objects/fail2ban/definition.json

@@ -56,6 +56,6 @@
     "processing-timestamp",
     "attack-type"
   ],
-  "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
-  "version": 5
+  "uuid": "32f7ded6-e774-4401-81b0-79634e82f589",
+  "version": 6
 }

objects/ftm-Airplane/definition.json

@@ -239,12 +239,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "An airplane, helicopter or other flying vehicle.",
   "meta-category": "followthemoney",
   "name": "ftm-Airplane",
   "required": [
     "name"
   ],
   "uuid": "ea720b4a-8849-44a5-a150-eab87b86de2c",
-  "version": 1
+  "version": 2
 }

objects/ftm-Assessment/definition.json

@@ -169,12 +169,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Assessment with meta-data.",
   "meta-category": "followthemoney",
   "name": "ftm-Assessment",
   "required": [
     "name"
   ],
   "uuid": "25330bcb-d629-4d81-bbb9-51cead65175d",
-  "version": 1
+  "version": 2
 }

objects/ftm-Asset/definition.json

@@ -183,12 +183,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "A piece of property which can be owned and assigned a monetary value.",
   "meta-category": "followthemoney",
   "name": "ftm-Asset",
   "required": [
     "name"
   ],
   "uuid": "ece6a00c-2f42-4186-bc96-5254aec002a7",
-  "version": 1
+  "version": 2
 }

objects/ftm-Audio/definition.json

@@ -358,12 +358,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Audio with meta-data.",
   "meta-category": "followthemoney",
   "name": "ftm-Audio",
   "required": [
     "name"
   ],
   "uuid": "92acc7f9-cb98-4b60-93c0-06be77843968",
-  "version": 1
+  "version": 2
 }

objects/ftm-BankAccount/definition.json

@@ -232,12 +232,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.",
   "meta-category": "followthemoney",
   "name": "ftm-BankAccount",
   "required": [
     "name"
   ],
   "uuid": "c51ed099-a628-46ee-ad8f-ffed866b6b8d",
-  "version": 1
+  "version": 2
 }

objects/ftm-Call/definition.json

@@ -113,9 +113,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Phone call object template including the call and all associated meta-data.",
   "meta-category": "followthemoney",
   "name": "ftm-Call",
   "uuid": "4ad4661a-59bb-4171-a47b-18d9e7b6d6d7",
-  "version": 1
+  "version": 2
 }

objects/ftm-CourtCase/definition.json

@@ -204,7 +204,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Court case",
   "meta-category": "followthemoney",
   "name": "ftm-CourtCase",
   "required": [

objects/ftm-CourtCaseParty/definition.json

@@ -106,7 +106,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Court Case Party",
   "meta-category": "followthemoney",
   "name": "ftm-CourtCaseParty",
   "uuid": "9f00c22f-348b-48a9-996b-3ba30de851fe",

objects/ftm-Directorship/definition.json

@@ -113,7 +113,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Directorship",
   "meta-category": "followthemoney",
   "name": "ftm-Directorship",
   "uuid": "9d9b0af9-9c8c-42c4-8210-388dc3824239",

objects/ftm-Document/definition.json

@@ -344,7 +344,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Document",
   "meta-category": "followthemoney",
   "name": "ftm-Document",
   "required": [

objects/ftm-Documentation/definition.json

@@ -106,7 +106,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Documentation",
   "meta-category": "followthemoney",
   "name": "ftm-Documentation",
   "uuid": "a5a0c1dd-4438-4520-875d-1e7cf4bcda7d",

objects/ftm-Email/definition.json

@@ -421,7 +421,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Email",
   "meta-category": "followthemoney",
   "name": "ftm-Email",
   "required": [

objects/ftm-Event/definition.json

@@ -267,7 +267,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Event",
   "meta-category": "followthemoney",
   "name": "ftm-Event",
   "required": [

objects/ftm-Folder/definition.json

@@ -344,7 +344,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Folder",
   "meta-category": "followthemoney",
   "name": "ftm-Folder",
   "required": [

objects/ftm-HyperText/definition.json

@@ -358,7 +358,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "HyperText",
   "meta-category": "followthemoney",
   "name": "ftm-HyperText",
   "required": [

objects/ftm-Image/definition.json

@@ -351,7 +351,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Image",
   "meta-category": "followthemoney",
   "name": "ftm-Image",
   "required": [

objects/ftm-Land/definition.json

@@ -267,7 +267,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Land",
   "meta-category": "followthemoney",
   "name": "ftm-Land",
   "required": [

objects/ftm-Membership/definition.json

@@ -106,9 +106,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Membership",
   "meta-category": "followthemoney",
   "name": "ftm-Membership",
   "uuid": "42dbbf3a-8c60-483c-a395-44aaaefc77d1",
-  "version": 1
+  "version": 2
 }

objects/ftm-Message/definition.json

@@ -407,7 +407,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Message",
   "meta-category": "followthemoney",
   "name": "ftm-Message",
   "required": [

objects/ftm-Organization/definition.json

@@ -316,7 +316,7 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Organization",
   "meta-category": "followthemoney",
   "name": "ftm-Organization",
   "required": [

objects/ftm-Ownership/definition.json

@@ -155,9 +155,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Ownership",
   "meta-category": "followthemoney",
   "name": "ftm-Ownership",
   "uuid": "2a09b445-c638-40e1-8f52-b95c9156f4d8",
-  "version": 1
+  "version": 2
 }

objects/ftm-Package/definition.json

@@ -344,12 +344,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Package",
   "meta-category": "followthemoney",
   "name": "ftm-Package",
   "required": [
     "name"
   ],
   "uuid": "f9f13fd9-797c-4e2e-aa17-0ca4a0a60f5c",
-  "version": 1
+  "version": 2
 }

objects/ftm-Page/definition.json

@@ -29,9 +29,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Page",
   "meta-category": "followthemoney",
   "name": "ftm-Page",
   "uuid": "2d9d7605-5105-445e-9ee8-9e39ad34c5c9",
-  "version": 1
+  "version": 2
 }

objects/ftm-Pages/definition.json

@@ -351,12 +351,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Pages",
   "meta-category": "followthemoney",
   "name": "ftm-Pages",
   "required": [
     "name"
   ],
   "uuid": "8e567eab-d893-4a38-9dd9-73442f15ede7",
-  "version": 1
+  "version": 2
 }

objects/ftm-PlainText/definition.json

@@ -351,12 +351,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Plaintext",
   "meta-category": "followthemoney",
   "name": "ftm-PlainText",
   "required": [
     "name"
   ],
   "uuid": "8f260d94-c712-4fdd-a463-6b2487f8a80d",
-  "version": 1
+  "version": 2
 }

objects/ftm-Row/definition.json

@@ -22,9 +22,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Row",
   "meta-category": "followthemoney",
   "name": "ftm-Row",
   "uuid": "282c0f7c-be66-41be-a709-b35032016829",
-  "version": 1
+  "version": 2
 }

objects/ftm-Table/definition.json

@@ -365,12 +365,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Table",
   "meta-category": "followthemoney",
   "name": "ftm-Table",
   "required": [
     "name"
   ],
   "uuid": "5ac61342-9fa9-4f07-a578-261709633358",
-  "version": 1
+  "version": 2
 }

objects/ftm-UnknownLink/definition.json

@@ -106,9 +106,9 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Unknown Link",
   "meta-category": "followthemoney",
   "name": "ftm-UnknownLink",
   "uuid": "16a29891-df0f-42f7-b466-8b4b718acbfa",
-  "version": 1
+  "version": 2
 }

objects/ftm-UserAccount/definition.json

@@ -190,12 +190,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "User Account",
   "meta-category": "followthemoney",
   "name": "ftm-UserAccount",
   "required": [
     "name"
   ],
   "uuid": "094943f5-41c5-4fad-9d61-60d82bce49b1",
-  "version": 1
+  "version": 2
 }

objects/ftm-Vehicle/definition.json

@@ -218,12 +218,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Vehicle",
   "meta-category": "followthemoney",
   "name": "ftm-Vehicle",
   "required": [
     "name"
   ],
   "uuid": "82378b01-aad3-416b-b678-7af7140f6629",
-  "version": 1
+  "version": 2
 }

objects/ftm-Video/definition.json

@@ -351,12 +351,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Video",
   "meta-category": "followthemoney",
   "name": "ftm-Video",
   "required": [
     "name"
   ],
   "uuid": "af4821a6-712f-49d7-8297-92eb8c3b75f1",
-  "version": 1
+  "version": 2
 }

objects/ftm-Workbook/definition.json

@@ -344,12 +344,12 @@
       "ui-priority": 0
     }
   },
-  "description": "",
+  "description": "Workbook",
   "meta-category": "followthemoney",
   "name": "ftm-Workbook",
   "required": [
     "name"
   ],
   "uuid": "ebedfb2a-c666-4870-9b77-baedb1c34dac",
-  "version": 1
+  "version": 2
 }

objects/intrusion-set/definition.json

@@ -0,0 +1,86 @@
+{
+  "attributes": {
+    "aliases": {
+      "description": "Alternative names used to identify this Intrusion Set.",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "description": {
+      "description": "A description that provides more details and context about the Intrusion Set, potentially including its purpose and its key characteristics.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "goals": {
+      "description": "The high-level goals of this Intrusion Set, namely, what are they trying to do. For example, they may be motivated by personal gain, but their goal is to steal credit card numbers. To do this, they may execute specific Campaigns that have detailed objectives like compromising point of sale systems at a large retailer.  Another example: to gain information about latest merger and IPO information from ACME Bank.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "name": {
+      "description": "A name used to identify this Intrusion Set.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "primary-motivation": {
+      "description": "The primary reason, motivation, or purpose behind this Intrusion Set. The motivation is why the Intrusion Set wishes to achieve the goal (what they are trying to achieve).  For example, an Intrusion Set with a goal to disrupt the finance sector in a country might be motivated by ideological hatred of capitalism.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.",
+        "coercion - Being forced to act on someone else's behalf. Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.",
+        "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.",
+        "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.",
+        "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.",
+        "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.",
+        "personal-gain - The desire to improve one’s own financial status. Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.",
+        "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.",
+        "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.",
+        "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims."
+      ],
+      "ui-priority": 1
+    },
+    "resource_level": {
+      "description": "This property specifies the organizational level at which this Intrusion Set typically works, which in turn determines the resources available to this Intrusion Set for use in an attack. ",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "individual - Resources limited to the average individual; Threat Actor acts independently.",
+        "club - Members interact on a social and volunteer basis, often with little personal interest in the specific target. An example might be a core group of unrelated activists who regularly exchange tips on a particular blog. Group persists long term.",
+        "contest - A short-lived and perhaps anonymous interaction that concludes when the participants have achieved a single goal. For example, people who break into systems just for thrills or prestige may hold a contest to see who can break into a specific target first. It also includes announced 'operations' to achieve a specific goal, such as the original 'OpIsrael' call for volunteers to disrupt all of Israel's Internet functions for a day.",
+        "team - A formally organized group with a leader, typically motivated by a specific goal and organized around that goal. Group persists long term and typically operates within a single geography.",
+        "organization - Larger and better resourced than a team; typically, a company or crime syndicate. Usually operates in multiple geographic areas and persists long term.",
+        "government - Controls public assets and functions within a jurisdiction; very well resourced and persists long term."
+      ],
+      "ui-priority": 1
+    },
+    "secondary-motivation": {
+      "description": "The secondary reasons, motivations, or purposes behind this Intrusion Set. These motivations can exist as an equal or near-equal cause to the primary motivation. However, it does not replace or necessarily magnify the primary motivation, but it might indicate additional context. The position in the list has no significance.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "accidental - A non-hostile actor whose benevolent or harmless intent inadvertently causes harm. For example, a well-meaning and dedicated employee who through distraction or poor training unintentionally causes harm to his or her organization.",
+        "coercion - Being forced to act on someone else's behalf. Adversaries who are motivated by coercion are often forced through intimidation or blackmail to act illegally for someone else’s benefit. Unlike the other motivations, a coerced person does not act for personal gain, but out of fear of incurring a loss.",
+        "dominance - A desire to assert superiority over someone or something else. Adversaries who are seeking dominance over a target are focused on using their power to force their target into submission or irrelevance. Dominance may be found with ideology in some state-sponsored attacks and with notoriety in some cyber vandalism-based attacks.",
+        "ideology - A passion to express a set of ideas, beliefs, and values that may shape and drive harmful and illegal acts. Adversaries who act for ideological reasons (e.g., political, religious, human rights, environmental, desire to cause chaos/anarchy, etc.) are not usually motivated primarily by the desire for profit; they are acting on their own sense of morality, justice, or political loyalty. For example, an activist group may sabotage a company’s equipment because they believe the company is harming the environment.",
+        "notoriety - Seeking prestige or to become well known through some activity. Adversaries motivated by notoriety are often seeking either personal validation or respect within a community and staying covert is not a priority. In fact, one of the main goals is to garner the respect of their target audience.",
+        "organizational-gain - Seeking advantage over a competing organization, including a military organization. Adversaries motivated by increased profit or other gains through an unfairly obtained competitive advantage are often seeking theft of intellectual property, business processes, or supply chain agreements and thus accelerating their position in a market or capability.",
+        "personal-gain - The desire to improve one’s own financial status. Adversaries motivated by a selfish desire for personal gain are often out for gains that come from financial fraud, hacking for hire, or intellectual property theft. While a Threat Actor or Intrusion Set may be seeking personal gain, this does not mean they are acting alone. Individuals can band together solely to maximize their own personal profits.",
+        "personal-satisfaction - A desire to satisfy a strictly personal goal, including curiosity, thrill-seeking, amusement, etc. Threat Actors or Intrusion Set driven by personal satisfaction may incidentally receive some other gain from their actions, such as a profit, but their primary motivation is to gratify a personal, emotional need. Individuals can band together with others toward a mutual, but not necessarily organizational, objective.",
+        "revenge - A desire to avenge perceived wrongs through harmful actions such as sabotage, violence, theft, fraud, or embarrassing certain individuals or the organization. A disgruntled Threat Actor or Intrusion Set seeking revenge can include current or former employees, who may have extensive knowledge to leverage when conducting attacks. Individuals can band together with others if the individual believes that doing so will enable them to cause more harm.",
+        "unpredictable - Acting without identifiable reason or purpose and creating unpredictable events. Unpredictable is not a miscellaneous or default category. Unpredictable means a truly random and likely bizarre event, which seems to have no logical purpose to the victims."
+      ],
+      "ui-priority": 1
+    }
+  },
+  "description": "A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.  Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes.  While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.",
+  "meta-category": "misc",
+  "name": "intrusion-set",
+  "requiredOneOf": [
+    "description",
+    "name"
+  ],
+  "uuid": "bfe96eae-e37a-4ecf-8012-1cdb478571a5",
+  "version": 1
+}

objects/mactime-timeline-analysis/definition.json

@@ -51,6 +51,6 @@
     "activityType",
     "datetime"
   ],
-  "uuid": "9297982e-be62-4772-a665-c91f5a8d639",
-  "version": 3
+  "uuid": "58149b06-eabe-4937-9dac-01d63f504e14",
+  "version": 4
 }

objects/network-connection/definition.json

@@ -5,6 +5,11 @@
       "misp-attribute": "community-id",
       "ui-priority": 1
     },
+    "count": {
+      "description": "Number of similar network connections seen",
+      "misp-attribute": "counter",
+      "ui-priority": 1
+    },
     "dst-port": {
       "categories": [
         "Network activity",
@@ -102,5 +107,5 @@
     "community-id"
   ],
   "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
-  "version": 3
+  "version": 4
 }

objects/organization/definition.json

@@ -20,7 +20,7 @@
     },
     "date-of-inception": {
       "description": "Date of inception of the organization",
-      "misp-attribute": "date-of-birth",
+      "misp-attribute": "datetime",
       "ui-priority": 0
     },
     "description": {
@@ -52,6 +52,11 @@
       "multiple": true,
       "ui-priority": 10
     },
+    "registration-number": {
+      "description": "Registration number of the organization",
+      "misp-attribute": "text",
+      "ui-priority": 15
+    },
     "role": {
       "description": "The role of the organization.",
       "disable_correlation": true,
@@ -86,5 +91,5 @@
     "alias"
   ],
   "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
-  "version": 5
+  "version": 6
 }

objects/paloalto-threat-event/definition.json

@@ -87,5 +87,5 @@
   "meta-category": "network",
   "name": "paloalto-threat-event",
   "uuid": "e6fa7a87-1173-43d6-86c2-b4d02af5fc74",
-  "version": 5
+  "version": 6
 }

objects/passive-ssh/definition.json

@@ -1,5 +1,15 @@
 {
   "attributes": {
+    "banner": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "SSH banner",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
     "base64": {
       "description": "Base64 representation of the ssh-key",
       "disable_correlation": true,
@@ -20,6 +30,11 @@
       "misp-attribute": "datetime",
       "ui-priority": 0
     },
+    "hassh": {
+      "description": "Hassh fingerprint",
+      "misp-attribute": "hassh-md5",
+      "ui-priority": 1
+    },
     "host": {
       "categories": [
         "Network activity",
@@ -35,6 +50,11 @@
       "disable_correlation": true,
       "misp-attribute": "datetime",
       "ui-priority": 0
+    },
+    "port": {
+      "description": "Port of the connection",
+      "misp-attribute": "port",
+      "ui-priority": 1
     }
   },
   "description": "Passive-ssh object as described on passive-ssh services from circl.lu - https://github.com/D4-project/passive-ssh",
@@ -43,8 +63,9 @@
   "requiredOneOf": [
     "host",
     "base64",
-    "fingerprint"
+    "fingerprint",
+    "hassh"
   ],
   "uuid": "ec350cdf-2311-4df5-972a-a4342a2c0065",
-  "version": 1
+  "version": 2
 }

objects/persnona/definition.json

@@ -0,0 +1,103 @@
+{
+  "attributes": {
+    "actions": {
+      "description": "Actions by this PersNOna or engagement with adversary or relateda party.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 7
+    },
+    "alias": {
+      "description": "Aliases or Nicknames of fake PesNOna on differenet media.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "background": {
+      "description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 2
+    },
+    "conversations": {
+      "description": "Conversations with targets",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 10
+    },
+    "critical_tasks": {
+      "description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 6
+    },
+    "goals": {
+      "description": "Goals of creating of this PersNOna.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 5
+    },
+    "location": {
+      "description": "Location, where PersNOna is right now at home, home town, county, country etc.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 3
+    },
+    "media": {
+      "description": "Media where is PersNOna active ie. facebook, telegram etc.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 10
+    },
+    "name": {
+      "description": "Name - full name of PersNOna.",
+      "disable_correlation": false,
+      "misp-attribute": "full-name",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "oppportunities": {
+      "description": "Opportunities for another development, introducing another PersNOna etc.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 9
+    },
+    "photo": {
+      "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
+      "disable_correlation": false,
+      "misp-attribute": "url",
+      "multiple": false,
+      "ui-priority": 0
+    },
+    "questions": {
+      "description": "Questions, which have to be answered by this profile goal.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 8
+    },
+    "responsi": {
+      "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 4
+    }
+  },
+  "description": "Fake persona with tasks",
+  "meta-category": "misc",
+  "name": "Deception PersNOna",
+  "required": [
+    "name"
+  ],
+  "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
+  "version": 1
+}

objects/person/definition.json

@@ -165,8 +165,14 @@
       "misp-attribute": "passport-country",
       "ui-priority": 0
     },
+    "passport-creation": {
+      "description": "The creation date of the passport.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
     "passport-expiration": {
-      "description": "The expiration date of a passport.",
+      "description": "The expiration date of the passport.",
       "disable_correlation": true,
       "misp-attribute": "passport-expiration",
       "ui-priority": 0
@@ -249,5 +255,5 @@
     "handle"
   ],
   "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
-  "version": 18
+  "version": 19
 }

objects/query/definition.json

@@ -0,0 +1,53 @@
+{
+  "attributes": {
+    "author": {
+      "description": "Author of the query",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "comment": {
+      "description": "A description of the query rule.",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "format": {
+      "description": "Format of the query.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "event query language (eql)",
+        "keyword query language (kql)",
+        "Kusto Query Language",
+        "Query DSL",
+        "Query (Elastic Search)",
+        "Search Processing Language - SPL (Splunk)",
+        "Sigma",
+        "Lucene query",
+        "Google search query",
+        "Ariel Query Language (qradar)",
+        "Grep",
+        "Devo LINQ"
+      ],
+      "ui-priority": 0
+    },
+    "query": {
+      "description": "Query rule in the format specified in the format field.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "query-rule-name": {
+      "description": "Query rule name.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "An object describing a query, along with its format.",
+  "meta-category": "misc",
+  "name": "query",
+  "requiredOneOf": [
+    "query"
+  ],
+  "uuid": "006539b3-f68a-4a02-a213-e600762d39b5",
+  "version": 3
+}

objects/ransom-negotiation/definition.json

@@ -0,0 +1,153 @@
+{
+  "attributes": {
+    "Remarks": {
+      "description": "Remarks",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 860
+    },
+    "annual_revenue_EUR": {
+      "description": "Annual revenue of the targeted organisation in EUR",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 920
+    },
+    "chatsite": {
+      "description": "Chatsite where the negotiations take place",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 835
+    },
+    "chatsite_id_private": {
+      "description": "Second, private, chat ID given by actor",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 833
+    },
+    "chatsite_id_public": {
+      "description": "Initial chat ID given by actor",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 834
+    },
+    "currency": {
+      "description": "The currency of the initial demand. Often USD or BTC.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 960
+    },
+    "data_leaked": {
+      "description": "Was data leaked in this incident?",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 890
+    },
+    "data_stolen": {
+      "description": "Was data exfiltrated in this incident?",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 900
+    },
+    "discount": {
+      "description": "Discount after negotiations",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 970
+    },
+    "email_address": {
+      "description": "Contact address, if any",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "ui-priority": 870
+    },
+    "final_ransom": {
+      "description": "Final ransom amount after negotiations, in the currency as displayed in field 'currency'",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 980
+    },
+    "initial_ransom": {
+      "description": "Initial ransom demand in the currency as displayed in field 'currency'",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 900
+    },
+    "negotiations_screenshot": {
+      "description": "Screenshot of the negotiations",
+      "disable_correlation": true,
+      "misp-attribute": "attachment",
+      "multiple": true,
+      "ui-priority": 840
+    },
+    "negotiations_transcript": {
+      "description": "Transcript of the negotiations",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 850
+    },
+    "pay_for_deletion": {
+      "description": "Does the target need/want to pay for data deletion",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 906
+    },
+    "pay_for_encryptor": {
+      "description": "Does the target need/want to pay for the decryptor",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "sane_default": [
+        "True",
+        "False"
+      ],
+      "ui-priority": 908
+    },
+    "percentage_of_revenue": {
+      "description": "Percentage of the annual revenue that the ransom demand amounts to",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 910
+    },
+    "time": {
+      "description": "Date and time of transaction",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 940
+    },
+    "url_leaksite": {
+      "description": "URL of the leaksite",
+      "disable_correlation": false,
+      "misp-attribute": "url",
+      "ui-priority": 880
+    },
+    "value_EUR": {
+      "description": "Value in EUR of the final ransom amount, with conversion rate as of date/time displayed in field 'time'",
+      "disable_correlation": true,
+      "misp-attribute": "float",
+      "ui-priority": 950
+    },
+    "wallet-address": {
+      "description": "A cryptocoin wallet address",
+      "disable_correlation": false,
+      "misp-attribute": "btc",
+      "ui-priority": 930
+    }
+  },
+  "description": "An object to describe ransom negotiations, as seen in ransomware incidents.",
+  "meta-category": "financial",
+  "name": "ransom-negotiation",
+  "uuid": "FB72F951-DE2E-4B54-A570-8FC560A74B06",
+  "version": 2
+}

objects/ransomware-group-post/definition.json

@@ -0,0 +1,34 @@
+{
+  "attributes": {
+    "date": {
+      "description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "Raw post.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "link": {
+      "description": "Original URL location of the post.",
+      "misp-attribute": "link",
+      "ui-priority": 1
+    },
+    "title": {
+      "description": "Title of blog post.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "Ransomware group post as monitored by ransomlook.io",
+  "meta-category": "misc",
+  "name": "ransomware-group-post",
+  "requiredOneOf": [
+    "title",
+    "description",
+    "link"
+  ],
+  "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
+  "version": 1
+}

objects/report/definition.json

@@ -36,14 +36,46 @@
       "disable_correlation": true,
       "misp-attribute": "text",
       "sane_default": [
-        "Report",
         "Alert",
+        "Artwork",
+        "Attachment",
+        "Audio",
+        "Bill",
+        "Blog",
+        "Book",
+        "Case",
+        "Conference",
+        "Dictionary",
+        "Document",
+        "Email",
+        "Encyclopedia",
+        "Film",
+        "Forum",
+        "Hearing",
         "Incident",
+        "Instant",
+        "Interview",
+        "Journal",
+        "Letter",
+        "Magazine",
+        "Manuscript",
+        "Map",
+        "Newspaper",
+        "Note",
+        "Online",
         "Operation",
-        "Press Article",
-        "Press Release",
-        "Online Article",
-        "Blog post"
+        "Patent",
+        "Podcast",
+        "Presentation",
+        "Press",
+        "Radio",
+        "Report",
+        "Software",
+        "Statute",
+        "Thesis",
+        "TV",
+        "Video",
+        "Webpage"
       ],
       "ui-priority": 100
     }
@@ -56,5 +88,5 @@
     "link"
   ],
   "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
-  "version": 5
+  "version": 7
 }

objects/scheduled-task/definition.json

@@ -0,0 +1,112 @@
+{
+  "attributes": {
+    "Start-time": {
+      "description": "Time when the task is triggered",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "author": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Who created the task",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "description": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Description of the task ",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "highest-privileges": {
+      "description": "Should the task run with the highest privileges",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 0
+    },
+    "location": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Location (Path including filename) of the scheduled task on the computer",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "name": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Name of the scheduled task",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "password-stored": {
+      "description": "Should the password be stored (Only if log on is not mandatory)",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 0
+    },
+    "repeat": {
+      "categories": [
+        "Other"
+      ],
+      "description": "condition to repeat the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "run-when-user-logged-on-only": {
+      "description": "Should the task run if the user is logged on only",
+      "disable_correlation": true,
+      "misp-attribute": "boolean",
+      "ui-priority": 0
+    },
+    "running-account": {
+      "categories": [
+        "Other"
+      ],
+      "description": "User account used when running the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "trigger": {
+      "categories": [
+        "Other"
+      ],
+      "description": "when should the task being triggered",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "On a schedule",
+        "At log on",
+        "At startup",
+        "On idle",
+        "On an event",
+        "At task creation/modification",
+        "On connection to user session",
+        "On disconnect from user session",
+        "On workstation lock",
+        "On workstation unlock"
+      ],
+      "ui-priority": 0
+    }
+  },
+  "description": "Windows scheduled task description",
+  "meta-category": "misc",
+  "name": "scheduled-task",
+  "requiredOneOf": [
+    "name",
+    "description",
+    "location"
+  ],
+  "uuid": "076f9362-23f7-4326-b370-a98e47531a44",
+  "version": 1
+}

objects/security-playbook/definition.json

@@ -1,145 +1,127 @@
 {
   "attributes": {
-    "created": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The time at which the playbook was originally created.",
-      "disable_correlation": true,
-      "misp-attribute": "datetime",
-      "ui-priority": 1
-    },
-    "creator": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator.",
-      "disable_correlation": true,
-      "misp-attribute": "text",
-      "ui-priority": 1
-    },
     "description": {
-      "categories": [
-        "Other"
-      ],
-      "description": "More details, context, and possibly an explanation about what this playbook does and tries to accomplish.",
+      "description": "An explanation, details, and more context about what this playbook does and tries to accomplish.",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 1
     },
-    "id": {
-      "categories": [
-        "Other"
-      ],
-      "description": "A value that uniquely identifies the playbook.",
-      "disable_correlation": false,
-      "misp-attribute": "text",
-      "ui-priority": 1
-    },
-    "impact": {
-      "categories": [
-        "Other"
-      ],
-      "description": "An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.",
-      "disable_correlation": true,
-      "misp-attribute": "counter",
-      "ui-priority": 1
-    },
-    "label": {
-      "categories": [
-        "Other"
-      ],
-      "description": "An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to).",
+    "labels": {
+      "description": "Labels for this playbook (e.g., adversary persona names, associated groups, malware family/variant/name that this playbook is related to). Another option is to use MISP tags, taxonomies, and galaxies.",
       "disable_correlation": true,
       "misp-attribute": "text",
       "multiple": true,
       "ui-priority": 1
     },
-    "modified": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The time that this particular version of the playbook was last modified.",
-      "disable_correlation": true,
-      "misp-attribute": "datetime",
-      "ui-priority": 1
-    },
     "organization-type": {
-      "categories": [
-        "Other"
-      ],
-      "description": "Type of an organization, that the playbook is intended for. This can be an industry sector.",
+      "description": "The type of organization that the playbook is intended for. This can be an industry sector. Another option is to use MISP tags, taxonomies, and galaxies.",
       "disable_correlation": true,
       "misp-attribute": "text",
-      "ui-priority": 1
-    },
-    "playbook": {
-      "categories": [
-        "Payload delivery"
-      ],
-      "description": "The whole playbook in its native format (e.g., CACAO JSON). Producers and consumers of playbooks use this property to share and retrieve playbooks.",
-      "misp-attribute": "attachment",
+      "multiple": true,
       "ui-priority": 1
     },
     "playbook-abstraction": {
-      "categories": [
-        "Other"
-      ],
-      "description": "Identifies the level of completeness of the playbook.",
+      "description": "The playbook’s level of abstraction (with regards to consumption).",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 1,
       "values_list": [
-        "guideline",
-        "playbook template",
-        "playbook",
-        "partial workflow",
-        "full workflow",
-        "fully scripted"
+        "template",
+        "executable"
       ]
     },
+    "playbook-base64": {
+      "description": "The entire playbook file/document encoded in base64.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "playbook-creation-time": {
+      "description": "The date and time at which the playbook was originally created.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "playbook-creator": {
+      "description": "The entity that created the playbook. It can be a natural person or an organization. It may be represented using a unique identifier that identifies the creator.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "playbook-file": {
+      "description": "The entire playbook file/document in its native format (e.g., CACAO JSON or BPMN).",
+      "misp-attribute": "attachment",
+      "ui-priority": 1
+    },
+    "playbook-id": {
+      "description": "A value that (uniquely) identifies the playbook. If the playbook itself embeds an identifier then the playbook-id SHOULD use the same identifier (value) for correlation purposes.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "playbook-impact": {
+      "description": "From 0 to 100, a value representing the impact the playbook has on the organization. A value of 0 means specifically undefined. Impact values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive could have a low impact value of 1. In contrast, a playbook that performs changes such as adding rules into a firewall should have a higher impact value.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "playbook-modification-time": {
+      "description": "The date and time at which the playbook was last modified.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "playbook-priority": {
+      "description": "From 0 to 100, a value representing the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Priority values range from 1, the highest priority, to a value of 100, the lowest.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "playbook-severity": {
+      "description": "From 0 to 100, a value representing the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Severity values range from 1, the lowest severity, to a value of 100, the highest.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
     "playbook-standard": {
-      "categories": [
-        "Other"
-      ],
-      "description": "Identification of the playbook standard.",
+      "description": "The standard/format/notation the playbook conforms to (e.g., CACAO, BPMN).",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 1
     },
     "playbook-type": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation).",
+      "description": "The security-related functions the playbook supports. A playbook may account for multiple types (e.g., detection and investigation). The listed options are based on the CACAO standard and NIST SP 800-61 rev2. Another option is to use MISP tags, taxonomies, and galaxies.",
       "disable_correlation": true,
       "misp-attribute": "text",
       "multiple": true,
       "ui-priority": 1,
       "values_list": [
-        "notification playbook",
-        "detection playbook",
-        "investigation playbook",
-        "prevention playbook",
-        "mitigation playbook",
-        "remediation playbook",
-        "attack playbook"
+        "notification",
+        "detection",
+        "investigation",
+        "prevention",
+        "mitigation",
+        "remediation",
+        "analysis",
+        "containment",
+        "eradication",
+        "recovery",
+        "attack"
       ]
     },
-    "priority": {
-      "categories": [
-        "Other"
-      ],
-      "description": "An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.",
+    "playbook-valid-from": {
+      "description": "The date and time from which the playbook is considered valid and the steps that it contains can be executed.",
       "disable_correlation": true,
-      "misp-attribute": "counter",
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "playbook-valid-until": {
+      "description": "The date and time from which the playbook should no longer be considered a valid playbook to be executed.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
       "ui-priority": 1
     },
     "revoked": {
-      "categories": [
-        "Other"
-      ],
-      "description": "A boolean that identifies if the playbook creator deems that this playbook is no longer valid.",
+      "description": "A boolean that identifies if the playbook is no longer valid (revoked).",
       "disable_correlation": true,
       "misp-attribute": "boolean",
       "sane_default": [
@@ -147,43 +129,15 @@
         "False"
       ],
       "ui-priority": 1
-    },
-    "severity": {
-      "categories": [
-        "Other"
-      ],
-      "description": "A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.",
-      "disable_correlation": true,
-      "misp-attribute": "counter",
-      "ui-priority": 1
-    },
-    "valid-from": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The time from which the playbook is considered valid and the steps that it contains can be executed.",
-      "disable_correlation": true,
-      "misp-attribute": "datetime",
-      "ui-priority": 1
-    },
-    "valid-until": {
-      "categories": [
-        "Other"
-      ],
-      "description": "The time at which this playbook should no longer be considered a valid playbook to be executed.",
-      "disable_correlation": true,
-      "misp-attribute": "datetime",
-      "ui-priority": 1
     }
   },
-  "description": "An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.",
+  "description": "The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.",
   "meta-category": "misc",
   "name": "security-playbook",
-  "required": [
-    "playbook",
-    "playbook-standard",
-    "playbook-type"
+  "requiredOneOf": [
+    "playbook-file",
+    "playbook-base64"
   ],
   "uuid": "48894c92-447b-4abe-b093-360c4d823e9d",
-  "version": 2
+  "version": 3
 }

objects/sigma/definition.json

@@ -0,0 +1,47 @@
+{
+  "attributes": {
+    "comment": {
+      "description": "A description of the Sigma rule.",
+      "misp-attribute": "comment",
+      "ui-priority": 0
+    },
+    "context": {
+      "description": "Context where the Sigma rule can be applied",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "all",
+        "disk",
+        "memory",
+        "network",
+        "dns"
+      ],
+      "ui-priority": 0
+    },
+    "reference": {
+      "description": "Reference/origin of the Sigma rule.",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    },
+    "sigma": {
+      "description": "Sigma rule.",
+      "misp-attribute": "sigma",
+      "ui-priority": 0
+    },
+    "sigma-rule-name": {
+      "description": "Sigma rule name.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "An object describing a Sigma rule (or a Sigma rule name).",
+  "meta-category": "misc",
+  "name": "sigma",
+  "requiredOneOf": [
+    "sigma",
+    "sigma-rule-name"
+  ],
+  "uuid": "aa21a3cd-ab2c-442a-9999-a5e6626591ec",
+  "version": 1
+}

objects/spearphishing-attachment/definition.json

@@ -0,0 +1,124 @@
+{
+  "attributes": {
+    "artifact-dropped-md5": {
+      "description": "The MD5 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "md5",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "artifact-dropped-name": {
+      "description": "Name of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "filename",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "artifact-dropped-sha1": {
+      "description": "The SHA1 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "sha1",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "artifact-dropped-sha256": {
+      "description": "The SHA256 of an additional file that was either extracted from or downloaded by the attachment.",
+      "misp-attribute": "sha256",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "attachment-md5": {
+      "description": "The MD5 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "md5",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "attachment-name": {
+      "description": "The name of the file that was attached to the e-mail itself.",
+      "misp-attribute": "filename",
+      "ui-priority": 0
+    },
+    "attachment-sha1": {
+      "description": "The SHA1 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "sha1",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "attachment-sha256": {
+      "description": "The SHA256 of the file that was attached to the e-mail itself.",
+      "misp-attribute": "sha256",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "c2-domain": {
+      "description": "Command and control domain detected during analysis.",
+      "misp-attribute": "domain",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "c2-ip": {
+      "description": "Command and control IP address detected during analysis.",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "c2-url": {
+      "description": "Command and control URL detected during analysis.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "date": {
+      "description": "Date and time the e-mail was sent.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "email-sender": {
+      "description": "The source address from which the e-mail was sent.",
+      "misp-attribute": "email-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "malicious-url": {
+      "description": "Malicious URL that downloaded additional malware.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "research-links": {
+      "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "sender-ip": {
+      "description": "The source IP from which the e-mail was sent.",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "subject": {
+      "description": "The subject line of the e-mail.",
+      "misp-attribute": "email-subject",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "supporting-evidence": {
+      "description": "Description of the spearphish e-mail.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Spearphishing Attachment",
+  "meta-category": "network",
+  "name": "spearphishing-attachment",
+  "required": [
+    "email-sender",
+    "subject"
+  ],
+  "requiredOneOf": [
+    "attachment-md5",
+    "attachment-sha1",
+    "attachment-sha256"
+  ],
+  "uuid": "5dfcd9a9-d10c-48ae-9ba4-13c2428a994a",
+  "version": 20220825
+}

objects/spearphishing-link/definition.json

@@ -0,0 +1,61 @@
+{
+  "attributes": {
+    "date": {
+      "description": "Date and time e-mail was sent.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "email-sender": {
+      "description": "The source address from which the e-mail was sent.",
+      "misp-attribute": "email-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "embedded-link": {
+      "description": "The malicious URL in the e-mail body.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "redirect-url": {
+      "description": "The redirect URL, if any, from the malicious embedded link.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "research-links": {
+      "description": "A link to an external analysis (VirusTotal, urlscan, etc.).",
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "sender-ip": {
+      "description": "The source IP from which the e-mail was sent.",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "subject": {
+      "description": "The subject line of the e-mail.",
+      "misp-attribute": "email-subject",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "supporting-evidence": {
+      "description": "Description of the spearphish e-mail.",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Spearphishing Link",
+  "meta-category": "network",
+  "name": "spearphishing-link",
+  "required": [
+    "email-sender",
+    "subject",
+    "embedded-link"
+  ],
+  "uuid": "4e758e53-6c84-47b0-a19b-362f587059e2",
+  "version": 20220825
+}

objects/stock/definition.json

@@ -0,0 +1,325 @@
+{
+  "attributes": {
+    "bloomberg-exchange-code": {
+      "description": "Bloomberg Exchange Code",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "AB",
+        "AF",
+        "AO",
+        "AT",
+        "AV",
+        "BB",
+        "BC",
+        "BD",
+        "BI",
+        "BQ",
+        "BS",
+        "CC",
+        "CF",
+        "CG",
+        "CK",
+        "CS",
+        "CT",
+        "CV",
+        "CX",
+        "CY",
+        "DB",
+        "DC",
+        "DH",
+        "DU",
+        "EB",
+        "EC",
+        "FH",
+        "FP",
+        "GA",
+        "GB",
+        "GD",
+        "GF",
+        "GH",
+        "GI",
+        "GM",
+        "GS",
+        "GY",
+        "HB",
+        "HK",
+        "IB",
+        "ID",
+        "IJ",
+        "IM",
+        "IS",
+        "IT",
+        "IX",
+        "JR",
+        "JT",
+        "KK",
+        "KN",
+        "KP",
+        "KQ",
+        "LI",
+        "LN",
+        "LX",
+        "MC",
+        "MK",
+        "MM",
+        "MT",
+        "NA",
+        "NG",
+        "NL",
+        "NO",
+        "NS",
+        "NZ",
+        "OM",
+        "PE",
+        "PK",
+        "PL",
+        "PM",
+        "PO",
+        "PW",
+        "QD",
+        "QF",
+        "QT",
+        "RE",
+        "RF",
+        "RX",
+        "SE",
+        "SJ",
+        "SL",
+        "SM",
+        "SP",
+        "SS",
+        "SV",
+        "SY",
+        "TB",
+        "TG",
+        "TI",
+        "TQ",
+        "TT",
+        "UA",
+        "UF",
+        "UN",
+        "UP",
+        "UQ",
+        "UR",
+        "UV",
+        "UW",
+        "VH",
+        "VM",
+        "VX",
+        "XB",
+        "ZA"
+      ],
+      "ui-priority": 10
+    },
+    "country": {
+      "description": "Country",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "currency": {
+      "description": "Currency",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "exchange": {
+      "description": "Exchange where the stock is traded (Google code)",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "sane_default": [
+        "AMS",
+        "ASX",
+        "ATH",
+        "BAK",
+        "BATS",
+        "BDP",
+        "BIT",
+        "BME",
+        "BMV",
+        "BOM",
+        "BVMF",
+        "CAI",
+        "CPH",
+        "DFM",
+        "EBR",
+        "ELI",
+        "EPA",
+        "ETR",
+        "FRA",
+        "HEL",
+        "HKG",
+        "IRE",
+        "IST",
+        "JAK",
+        "JNB",
+        "KAR",
+        "KOSDAQ",
+        "KRX",
+        "KUL",
+        "LON",
+        "MCX",
+        "NASDAQ",
+        "NSE",
+        "NYSE",
+        "NYSEAMERICAN",
+        "NYSEARCA",
+        "NZE",
+        "OTCMKTS",
+        "PRG",
+        "PSE",
+        "SGX",
+        "SHA",
+        "SHE",
+        "STO",
+        "SWX",
+        "TLV",
+        "TPE",
+        "TSE",
+        "TYO",
+        "VIE",
+        "VTX",
+        "WSE"
+      ],
+      "ui-priority": 0
+    },
+    "high-price": {
+      "description": "Highest price seen",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "iso-mic": {
+      "description": "ISO MIC",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "ARCX",
+        "BATE",
+        "BATS",
+        "BOAT",
+        "BVMF",
+        "CHIX",
+        "DIFX",
+        "DSMD",
+        "HSTC",
+        "MISX",
+        "MTAA",
+        "NEOE",
+        "NOTC",
+        "OOTC",
+        "ROCO",
+        "TOMX",
+        "TRQX",
+        "XADS",
+        "XAMM",
+        "XAMS",
+        "XASE",
+        "XASX",
+        "XATH",
+        "XBAH",
+        "XBER",
+        "XBKK",
+        "XBOG",
+        "XBOM",
+        "XBRU",
+        "XBRV",
+        "XBSE",
+        "XBUD",
+        "XBUE",
+        "XCAI",
+        "XCAS",
+        "XCNQ",
+        "XCOL",
+        "XCSE",
+        "XCYS",
+        "XDFM",
+        "XDHA",
+        "XDSE",
+        "XDUB",
+        "XDUS",
+        "XEQT",
+        "XETR",
+        "XFRA",
+        "XHAM",
+        "XHAN",
+        "XHEL",
+        "XHKG",
+        "XICE",
+        "XIDX",
+        "XIST",
+        "XJSE",
+        "XKAR",
+        "XKLS",
+        "XKOS",
+        "XKRX",
+        "XKUW",
+        "XLIM",
+        "XLIS",
+        "XLJU",
+        "XLON",
+        "XLUX",
+        "XMAD",
+        "XMEX",
+        "XMUN",
+        "XMUS",
+        "XNAI",
+        "XNCM",
+        "XNEC",
+        "XNGM",
+        "XNGS",
+        "XNMS",
+        "XNSA",
+        "XNSE",
+        "XNYS",
+        "XNZE",
+        "XOSL",
+        "XPAR",
+        "XPHS",
+        "XPOS",
+        "XPRA",
+        "XQTX",
+        "XSAU",
+        "XSES",
+        "XSGO",
+        "XSHE",
+        "XSHG",
+        "XSTC",
+        "XSTO",
+        "XSTU",
+        "XSWX",
+        "XTAE",
+        "XTAI",
+        "XTKS",
+        "XTSE",
+        "XTSX",
+        "XVTX",
+        "XWAR",
+        "XWBO",
+        "XZAG"
+      ],
+      "ui-priority": 10
+    },
+    "low-price": {
+      "description": "Lowest price seen",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 10
+    },
+    "symbol": {
+      "description": "Symbol of the stock",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "Object to describe stock market",
+  "meta-category": "misc",
+  "name": "stock",
+  "requiredOneOf": [
+    "symbol"
+  ],
+  "uuid": "dd3e00b2-977e-4cf4-9d12-0b009a00a721",
+  "version": 1
+}

objects/telegram-bot/definition.json

@@ -0,0 +1,42 @@
+{
+  "attributes": {
+    "chat-id": {
+      "description": "Telegram chat id",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "comment": {
+      "description": "Phone associated with the telegram user",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "name": {
+      "description": "Telegram bot name",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "token": {
+      "description": "Telegram Token",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "username": {
+      "description": "Telegram bot username, must end with \"bot\"",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "Information related to a telegram bot",
+  "meta-category": "misc",
+  "name": "telegram-bot",
+  "requiredOneOf": [
+    "token",
+    "chat-id",
+    "name",
+    "username",
+    "comment"
+  ],
+  "uuid": "e2cb6c8f-45fa-429d-9cdb-05298ab21f46",
+  "version": 2
+}

objects/thaicert-group-cards/definition.json

@@ -0,0 +1,68 @@
+{
+  "attributes": {
+    "country": {
+      "description": "Country of group - group location where it operates from.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "description": {
+      "description": "Description of group activities or TTP used for group actions.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": false,
+      "ui-priority": 4
+    },
+    "more informations": {
+      "description": "List more informations by url - reports, group links etc..",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 7
+    },
+    "motivation": {
+      "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 3
+    },
+    "name": {
+      "description": "Names or nicknames for group.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "observed": {
+      "description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 5
+    },
+    "sponsor": {
+      "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 2
+    },
+    "tools used": {
+      "description": "What known tools are used by group.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 6
+    }
+  },
+  "description": "Adversary group cards inspired by ThaiCERT",
+  "meta-category": "misc",
+  "name": "thaicert-group-cards",
+  "required": [
+    "name"
+  ],
+  "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
+  "version": 3
+}

objects/transport-ticket/definition.json

@@ -0,0 +1,107 @@
+{
+  "attributes": {
+    "class": {
+      "description": "Class of the ticket",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "First",
+        "Second",
+        "Business",
+        "Flex",
+        "Economy"
+      ],
+      "ui-priority": 0
+    },
+    "company": {
+      "description": "Street name",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "copy": {
+      "description": "Copy of the ticket such as a photography or a FAX",
+      "misp-attribute": "attachment",
+      "multiple": true,
+      "ui-priority": 10
+    },
+    "date-of-arrival": {
+      "description": "Date of arrival",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "date-of-departure": {
+      "description": "Date of departure",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "date-of-purchase": {
+      "description": "Date of purchase",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 1
+    },
+    "description": {
+      "description": "Description",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "destination": {
+      "description": "Destination",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "origin": {
+      "description": "Origin",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "ticket-number": {
+      "description": "Ticket Number",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "type-of-ticket": {
+      "description": "Type of ticket",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "Purchase ticket",
+        "Boarding pass",
+        "Other"
+      ],
+      "ui-priority": 1
+    },
+    "type-of-transport": {
+      "description": "Type of transport",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "Plane",
+        "Train",
+        "Bus",
+        "Metro",
+        "Taxi",
+        "Ferry",
+        "Other"
+      ],
+      "ui-priority": 1
+    }
+  },
+  "description": "A transport ticket.",
+  "meta-category": "misc",
+  "name": "transport-ticket",
+  "requiredOneOf": [
+    "destination",
+    "origin"
+  ],
+  "uuid": "8d6bd699-86f8-477c-aac3-a7f273c19266",
+  "version": 2
+}

objects/typosquatting-finder-result/definition.json

@@ -0,0 +1,89 @@
+{
+  "attributes": {
+    "a-record": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "IPv4 address associated with A record",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "aaaa-record": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "IPv6 address associated with AAAA record",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "mx-record": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Domain associated with MX record",
+      "misp-attribute": "domain",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "ns-record": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Domain associated with NS record",
+      "misp-attribute": "domain",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "queried-domain": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Domain name",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "ratio-similarity": {
+      "description": "Similarity probability",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    },
+    "website-ressource-diff": {
+      "description": "Difference of website's ressources between both, research and current variations domain",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    },
+    "website-similarity": {
+      "description": "Similarity between website of both research and current variations domain",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    },
+    "website-title": {
+      "description": "Website's title of the current queried domain",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    }
+  },
+  "description": "Typosquatting result",
+  "meta-category": "network",
+  "name": "typosquatting-finder-result",
+  "required": [
+    "queried-domain"
+  ],
+  "uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55",
+  "version": 1
+}

objects/typosquatting-finder/definition.json

@@ -0,0 +1,37 @@
+{
+  "attributes": {
+    "research-domain": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Research domain name",
+      "disable_correlation": false,
+      "misp-attribute": "domain",
+      "recommended": false,
+      "ui-priority": 1
+    },
+    "variations-found-number": {
+      "description": "Number of variations for the research domain that some info is found.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    },
+    "variations-number": {
+      "description": "Number of variations for the research domain.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "recommended": false,
+      "ui-priority": 1
+    }
+  },
+  "description": "Typosquatting info",
+  "meta-category": "network",
+  "name": "typosquatting-finder",
+  "required": [
+    "research-domain"
+  ],
+  "uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822",
+  "version": 1
+}

objects/vehicle/definition.json

@@ -19,7 +19,7 @@
       "ui-priority": 0
     },
     "exterior-color": {
-      "description": "Exterior color of the vehicule",
+      "description": "Exterior color of the vehicle",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 0
@@ -49,7 +49,7 @@
       "ui-priority": 0
     },
     "interior-color": {
-      "description": "Interior color of the vehicule",
+      "description": "Interior color of the vehicle",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 0
@@ -73,13 +73,13 @@
       "ui-priority": 0
     },
     "state": {
-      "description": "State of the vehicule (stolen or recovered)",
+      "description": "State of the vehicle (stolen or recovered)",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 0
     },
     "type": {
-      "description": "Type of the vehicule",
+      "description": "Type of the vehicle",
       "disable_correlation": true,
       "misp-attribute": "text",
       "sane_default": [
@@ -125,5 +125,5 @@
     "indicative-value"
   ],
   "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
-  "version": 3
+  "version": 4
 }

objects/victim/definition.json

@@ -77,8 +77,8 @@
       "misp-attribute": "text",
       "multiple": true,
       "sane_default": [
-        "agriculture",
         "aerospace",
+        "agriculture",
         "automotive",
         "communications",
         "construction",
@@ -88,14 +88,16 @@
         "engineering",
         "entertainment",
         "financial services",
-        "government national",
-        "government regional",
         "government local",
+        "government national",
         "government public services",
+        "government regional",
         "healthcare",
         "hospitality leisure",
+        "information and cultural industries",
         "infrastructure",
         "insurance",
+        "legal",
         "manufacturing",
         "mining",
         "non profit",
@@ -124,5 +126,5 @@
     "sectors"
   ],
   "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
-  "version": 6
+  "version": 8
 }

objects/virustotal-submission/definition.json

@@ -0,0 +1,77 @@
+{
+  "attributes": {
+    "city": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The city a file was uploaded from.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "to_ids": false,
+      "ui-priority": 0
+    },
+    "country": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The country a file was uploaded from.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "to_ids": false,
+      "ui-priority": 1
+    },
+    "date": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The upload date.",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "to_ids": false,
+      "ui-priority": 0
+    },
+    "filename": {
+      "categories": [
+        "Payload delivery"
+      ],
+      "description": "The filename used to submit a file.",
+      "disable_correlation": false,
+      "misp-attribute": "filename",
+      "to_ids": false,
+      "ui-priority": 0
+    },
+    "interface": {
+      "categories": [
+        "Other"
+      ],
+      "description": "The interface used to upload a file.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "to_ids": false,
+      "ui-priority": 0,
+      "values_list": [
+        "web",
+        "api",
+        "email"
+      ]
+    },
+    "submitter-id": {
+      "categories": [
+        "Other"
+      ],
+      "description": "Submitter ID, given as source_key via the VT API.",
+      "disable_correlation": false,
+      "misp-attribute": "text",
+      "to_ids": false,
+      "ui-priority": 1
+    }
+  },
+  "description": "VirusTotal Submission",
+  "meta-category": "misc",
+  "name": "virustotal-submission",
+  "required": [
+    "submitter-id"
+  ],
+  "uuid": "473d289b-f1d4-4f02-a4fe-3b69f534ed45",
+  "version": 1
+}

objects/yara/definition.json

@@ -17,6 +17,11 @@
       ],
       "ui-priority": 0
     },
+    "reference": {
+      "description": "Reference or origin of the YARA rule.",
+      "misp-attribute": "link",
+      "ui-priority": 0
+    },
     "version": {
       "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
       "disable_correlation": true,
@@ -45,5 +50,5 @@
     "yara-rule-name"
   ],
   "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
-  "version": 5
+  "version": 6
 }

relationships/definition.json

@@ -1329,7 +1329,177 @@
         "misp"
       ],
       "name": "is-a-translation-of"
+    },
+    {
+      "description": "The referenced source object has met with the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "has-met"
+    },
+    {
+      "description": "The referenced source object submitted the referenced target object (to an online anti virus scanner).",
+      "format": [
+        "misp"
+      ],
+      "name": "submitted",
+      "opposite": "submitted-by"
+    },
+    {
+      "description": "The referenced source object was submitted (to an online anti virus scanner) by the referenced target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "submitted-by",
+      "opposite": "submitted"
+    },
+    {
+      "description": "This relationship describes that the source object does not target the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "does-not-target"
+    },
+    {
+      "description": "This relationship describes that the source object is targeted by the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "is-targeted-by"
+    },
+    {
+      "description": "This relationship describes that the source object is not targeted by the target object.",
+      "format": [
+        "misp"
+      ],
+      "name": "is-not-targeted-by"
+    },
+    {
+      "description": "The source object considers the target object as a friend. Is not necessarily symmetric.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Friend"
+    },
+    {
+      "description": "The source object considers the target object as a acquaintance. Is not necessarily symmetric.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Acquaintance"
+    },
+    {
+      "description": "The source object have information to contact and/or get in touch with the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Contact"
+    },
+    {
+      "description": "The source object have physically met the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Met"
+    },
+    {
+      "description": "The source object shares an employer with the target object. This relationship is not geographically limited.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Co-worker"
+    },
+    {
+      "description": "The source object regards the target object as a peer, someone who they feel is on their level and has skills and interests similar to their own. A colleague does not have to be a co-worker, although of course can be.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Colleague"
+    },
+    {
+      "description": "The source object is co-resident with the target object, which means they share a street address with the target object. Co-resident is symmetric.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Co-resident"
+    },
+    {
+      "description": "The source object is neighbor with the target object. This is not limited to next door neighbor.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Neighbor"
+    },
+    {
+      "description": "The target object is the child of the source object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Child"
+    },
+    {
+      "description": "The target object is the parent of the source object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Parent"
+    },
+    {
+      "description": "The source object share a parent with the target object. Brothers, sisters, half-brothers, and half-sisters are all examples of siblings.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Sibling"
+    },
+    {
+      "description": "The source object is -or feels themself to be- married, whether legally or not, to the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Spouse"
+    },
+    {
+      "description": "The target object is a relative of the source object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Kin"
+    },
+    {
+      "description": "The source object is inspired in some way by the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Muse"
+    },
+    {
+      "description": "The source object is attracted -romantically speaking- to the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Crush"
+    },
+    {
+      "description": "The source object is dating the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Date"
+    },
+    {
+      "description": "The source object is intimate, whether physically or emotionally, with the target object.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Sweetheart"
+    },
+    {
+      "description": "The source object refers to the target object as themself or a representation of themself. Can be a profile on social-networking for example. This value is exclusive of all other XFN values.",
+      "format": [
+        "XFN"
+      ],
+      "name": "Me"
     }
   ],
-  "version": 32
+  "version": 35
 }