From 3d7b09e9c47929a437c10b77b8525ed5fc16def6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 18 Nov 2019 18:03:01 +0100 Subject: [PATCH 1/7] chg: Update crypto-material and url --- objects/crypto-material/definition.json | 8 +++++++- objects/url/definition.json | 7 ++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/objects/crypto-material/definition.json b/objects/crypto-material/definition.json index c49b16e..3c28827 100644 --- a/objects/crypto-material/definition.json +++ b/objects/crypto-material/definition.json @@ -25,6 +25,12 @@ "ui-priority": 1, "misp-attribute": "text" }, + "e": { + "description": "RSA public exponent", + "disable_correlation": false, + "ui-priority": 1, + "misp-attribute": "text" + }, "p": { "description": "Prime Parameter - P in decimal", "disable_correlation": false, @@ -147,7 +153,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Cryptographic materials such as public or/and private keys.", "meta-category": "misc", "uuid": "50677f82-ec9c-4484-bb29-2519cfe56823", diff --git a/objects/url/definition.json b/objects/url/definition.json index 8248ed6..29f8f40 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -90,13 +90,18 @@ "ui-priority": 0, "misp-attribute": "datetime" }, + "ip": { + "description": "Better type when the host is an IP.", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, "host": { "description": "Full hostname", "ui-priority": 0, "misp-attribute": "hostname" } }, - "version": 7, + "version": 8, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", From 2fe41c1c4618439473357b487f9ca228488dc632 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 25 Nov 2019 14:43:28 +0100 Subject: [PATCH 2/7] new: IntelQM objects --- objects/intelmq_event/definition.json | 337 +++++++++++++++++++++++++ objects/intelmq_report/definition.json | 49 ++++ 2 files changed, 386 insertions(+) create mode 100644 objects/intelmq_event/definition.json create mode 100644 objects/intelmq_report/definition.json diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json new file mode 100644 index 0000000..845fd22 --- /dev/null +++ b/objects/intelmq_event/definition.json @@ -0,0 +1,337 @@ +{ + "attributes": { + "classification.identifier": { + "description": "The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.", + "misp-attribute": "text" + }, + "classification.taxonomy": { + "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).", + "misp-attribute": "text" + }, + "classification.type": { + "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid \u201ctype explosion\u201d, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", + "misp-attribute": "text" + }, + "comment": { + "description": "Free text commentary about the abuse event inserted by an analyst.", + "misp-attribute": "text" + }, + "destination.abuse_contact": { + "description": "Abuse contact for destination address. A comma separated list.", + "misp-attribute": "text" + }, + "destination.account": { + "description": "An account name or email address, which has been identified to relate to the destination of an abuse event.", + "misp-attribute": "text" + }, + "destination.allocated": { + "description": "Allocation date corresponding to BGP prefix.", + "misp-attribute": "datetime" + }, + "destination.as_name": { + "description": "The autonomous system name to which the connection headed.", + "misp-attribute": "text" + }, + "destination.asn": { + "description": "The autonomous system number to which the connection headed.", + "misp-attribute": "asn" + }, + "destination.domain_suffix": { + "description": "The suffix of the domain from the public suffix list.", + "misp-attribute": "text" + }, + "destination.fqdn": { + "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.", + "misp-attribute": "text" + }, + "destination.geolocation.cc": { + "description": "Country-Code according to ISO3166-1 alpha-2 for the destination IP.", + "misp-attribute": "text" + }, + "destination.geolocation.city": { + "description": "Some geolocation services refer to city-level geolocation.", + "misp-attribute": "text" + }, + "destination.geolocation.country": { + "description": "The country name derived from the ISO3166 country code (assigned to cc field).", + "misp-attribute": "text" + }, + "destination.geolocation.latitude": { + "description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.", + "misp-attribute": "float" + }, + "destination.geolocation.longitude": { + "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.", + "misp-attribute": "float" + }, + "destination.geolocation.region": { + "description": "Some geolocation services refer to region-level geolocation.", + "misp-attribute": "text" + }, + "destination.geolocation.state": { + "description": "Some geolocation services refer to state-level geolocation.", + "misp-attribute": "text" + }, + "destination.ip": { + "description": "The IP which is the target of the observed connections.", + "misp-attribute": "ip-dst" + }, + "destination.local_hostname": { + "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromized system", + "misp-attribute": "text" + }, + "destination.local_ip": { + "description": "Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.", + "misp-attribute": "ip-dst" + }, + "destination.network": { + "description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.", + "misp-attribute": "ip-dst" + }, + "destination.port": { + "description": "The port to which the connection headed.", + "misp-attribute": "counter" + }, + "destination.registry": { + "description": "The IP registry a given ip address is allocated by.", + "misp-attribute": "text" + }, + "destination.reverse_dns": { + "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.", + "misp-attribute": "text" + }, + "destination.tor_node": { + "description": "If the destination IP was a known tor node.", + "misp-attribute": "boolean" + }, + "destination.url": { + "description": "A URL denotes on IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.", + "misp-attribute": "url" + }, + "destination.urlpath": { + "description": "The path portion of an HTTP or related network request.", + "misp-attribute": "text" + }, + "event_description.target": { + "description": "Some sources denominate the target (organization) of a an attack.", + "misp-attribute": "text" + }, + "event_description.text": { + "description": "A free-form textual description of an abuse event.", + "misp-attribute": "text" + }, + "event_description.url": { + "description": "A description URL is a link to a further description of the the abuse event in question.", + "misp-attribute": "url" + }, + "event_hash": { + "description": "Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.", + "misp-attribute": "text" + }, + "extra": { + "description": "All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. **Note**: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.", + "misp-attribute": "text" + }, + "feed.accuracy": { + "description": "A float between 0 and 100 that represents how accurate the data in the feed is", + "misp-attribute": "float" + }, + "feed.code": { + "description": "Code name for the feed, e.g. DFGS, HSDAG etc.", + "misp-attribute": "text" + }, + "feed.documentation": { + "description": "A URL or hint where to find the documentation of this feed.", + "misp-attribute": "text" + }, + "feed.name": { + "description": "Name for the feed, usually found in collector bot configuration.", + "misp-attribute": "text" + }, + "feed.provider": { + "description": "Name for the provider of the feed, usually found in collector bot configuration.", + "misp-attribute": "text" + }, + "feed.url": { + "description": "The URL of a given abuse feed, where applicable", + "misp-attribute": "url" + }, + "malware.hash.md5": { + "description": "A string depicting an MD5 checksum for a file, be it a malware sample for example.", + "misp-attribute": "text" + }, + "malware.hash.sha1": { + "description": "A string depicting a SHA1 checksum for a file, be it a malware sample for example.", + "misp-attribute": "text" + }, + "malware.hash.sha256": { + "description": "A string depicting a SHA256 checksum for a file, be it a malware sample for example.", + "misp-attribute": "text" + }, + "malware.name": { + "description": "The malware name in lower case.", + "misp-attribute": "text" + }, + "malware.version": { + "description": "A version string for an identified artifact generation, e.g. a crime-ware kit.", + "misp-attribute": "text" + }, + "misp.attribute_uuid": { + "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.", + "misp-attribute": "text" + }, + "misp.event_uuid": { + "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID.", + "misp-attribute": "text" + }, + "output": { + "description": "Event data converted into foreign format, intended to be exported by output plugin.", + "misp-attribute": "text" + }, + "protocol.application": { + "description": "e.g. vnc, ssh, sip, irc, http or smtp.", + "misp-attribute": "text" + }, + "protocol.transport": { + "description": "e.g. tcp, udp, icmp.", + "misp-attribute": "text" + }, + "raw": { + "description": "The original line of the event from encoded in base64.", + "misp-attribute": "text" + }, + "rtir_id": { + "description": "Request Tracker Incident Response ticket id.", + "misp-attribute": "counter" + }, + "screenshot_url": { + "description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.", + "misp-attribute": "url" + }, + "source.abuse_contact": { + "description": "Abuse contact for source address. A comma separated list.", + "misp-attribute": "text" + }, + "source.account": { + "description": "An account name or email address, which has been identified to relate to the source of an abuse event.", + "misp-attribute": "text" + }, + "source.allocated": { + "description": "Allocation date corresponding to BGP prefix.", + "misp-attribute": "datetime" + }, + "source.as_name": { + "description": "The autonomous system name from which the connection originated.", + "misp-attribute": "text" + }, + "source.asn": { + "description": "The autonomous system number from which originated the connection.", + "misp-attribute": "asn" + }, + "source.domain_suffix": { + "description": "The suffix of the domain from the public suffix list.", + "misp-attribute": "text" + }, + "source.fqdn": { + "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.", + "misp-attribute": "text" + }, + "source.geolocation.cc": { + "description": "Country-Code according to ISO3166-1 alpha-2 for the source IP.", + "misp-attribute": "text" + }, + "source.geolocation.city": { + "description": "Some geolocation services refer to city-level geolocation.", + "misp-attribute": "text" + }, + "source.geolocation.country": { + "description": "The country name derived from the ISO3166 country code (assigned to cc field).", + "misp-attribute": "text" + }, + "source.geolocation.cymru_cc": { + "description": "The country code denoted for the ip by the Team Cymru asn to ip mapping service.", + "misp-attribute": "text" + }, + "source.geolocation.geoip_cc": { + "description": "MaxMind Country Code (ISO3166-1 alpha-2).", + "misp-attribute": "text" + }, + "source.geolocation.latitude": { + "description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.", + "misp-attribute": "float" + }, + "source.geolocation.longitude": { + "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.", + "misp-attribute": "float" + }, + "source.geolocation.region": { + "description": "Some geolocation services refer to region-level geolocation.", + "misp-attribute": "text" + }, + "source.geolocation.state": { + "description": "Some geolocation services refer to state-level geolocation.", + "misp-attribute": "text" + }, + "source.ip": { + "description": "The ip observed to initiate the connection", + "misp-attribute": "ip-src" + }, + "source.local_hostname": { + "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromised system", + "misp-attribute": "text" + }, + "source.local_ip": { + "description": "Some sources report a internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.", + "misp-attribute": "ip-src" + }, + "source.network": { + "description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.", + "misp-attribute": "ip-src" + }, + "source.port": { + "description": "The port from which the connection originated.", + "misp-attribute": "counter" + }, + "source.registry": { + "description": "The IP registry a given ip address is allocated by.", + "misp-attribute": "text" + }, + "source.reverse_dns": { + "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.", + "misp-attribute": "text" + }, + "source.tor_node": { + "description": "If the source IP was a known tor node.", + "misp-attribute": "boolean" + }, + "source.url": { + "description": "A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.", + "misp-attribute": "url" + }, + "source.urlpath": { + "description": "The path portion of an HTTP or related network request.", + "misp-attribute": "text" + }, + "status": { + "description": "Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.", + "misp-attribute": "text" + }, + "time.observation": { + "description": "The time the collector of the local instance processed (observed) the event.", + "misp-attribute": "datetime" + }, + "time.source": { + "description": "The time of occurence of the event as reported the feed (source).", + "misp-attribute": "datetime" + }, + "tlp": { + "description": "Traffic Light Protocol level of the event.", + "misp-attribute": "text" + } + }, + "description": "IntelMQ Event", + "meta-category": "network", + "name": "intelmq_event", + "uuid": "491ac7d2-25a1-4078-8246-b04a132d003d", + "version": 1 +} \ No newline at end of file diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json new file mode 100644 index 0000000..35e889e --- /dev/null +++ b/objects/intelmq_report/definition.json @@ -0,0 +1,49 @@ +{ + "attributes": { + "extra": { + "description": "All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This is data is not automatically propagated to the events.", + "misp-attribute": "text" + }, + "feed.accuracy": { + "description": "A float between 0 and 100 that represents how accurate the data in the feed is", + "misp-attribute": "float" + }, + "feed.code": { + "description": "Code name for the feed, e.g. DFGS, HSDAG etc.", + "misp-attribute": "text" + }, + "feed.documentation": { + "description": "A URL or hint where to find the documentation of this feed.", + "misp-attribute": "text" + }, + "feed.name": { + "description": "Name for the feed, usually found in collector bot configuration.", + "misp-attribute": "text" + }, + "feed.provider": { + "description": "Name for the provider of the feed, usually found in collector bot configuration.", + "misp-attribute": "text" + }, + "feed.url": { + "description": "The URL of a given abuse feed, where applicable", + "misp-attribute": "url" + }, + "raw": { + "description": "The original raw and unparsed data encoded in base64.", + "misp-attribute": "text" + }, + "rtir_id": { + "description": "Request Tracker Incident Response ticket id.", + "misp-attribute": "counter" + }, + "time.observation": { + "description": "The time the collector of the local instance processed (observed) the event.", + "misp-attribute": "datetime" + } + }, + "description": "IntelMQ Report", + "meta-category": "network", + "name": "intelmq_report", + "uuid": "c3d34be1-904b-455b-bceb-509418392110", + "version": 1 +} \ No newline at end of file From 185fae4a6101f37053c29b6278ad71315ce68cba Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 25 Nov 2019 14:48:51 +0100 Subject: [PATCH 3/7] fix: Make jq happy --- objects/intelmq_event/definition.json | 4 ++-- objects/intelmq_report/definition.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json index 845fd22..e6df291 100644 --- a/objects/intelmq_event/definition.json +++ b/objects/intelmq_event/definition.json @@ -9,7 +9,7 @@ "misp-attribute": "text" }, "classification.type": { - "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid \u201ctype explosion\u201d, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", + "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid “type explosion”, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", "misp-attribute": "text" }, "comment": { @@ -334,4 +334,4 @@ "name": "intelmq_event", "uuid": "491ac7d2-25a1-4078-8246-b04a132d003d", "version": 1 -} \ No newline at end of file +} diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json index 35e889e..b6f563e 100644 --- a/objects/intelmq_report/definition.json +++ b/objects/intelmq_report/definition.json @@ -46,4 +46,4 @@ "name": "intelmq_report", "uuid": "c3d34be1-904b-455b-bceb-509418392110", "version": 1 -} \ No newline at end of file +} From 2ce87945284377c70df65c8521eedff0749cf22e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 25 Nov 2019 16:21:19 +0100 Subject: [PATCH 4/7] fix: ui-priority is required in the object template --- objects/intelmq_event/definition.json | 248 ++++++++++++++++--------- objects/intelmq_report/definition.json | 32 ++-- 2 files changed, 186 insertions(+), 94 deletions(-) diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json index e6df291..a8af1a8 100644 --- a/objects/intelmq_event/definition.json +++ b/objects/intelmq_event/definition.json @@ -2,336 +2,418 @@ "attributes": { "classification.identifier": { "description": "The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "classification.taxonomy": { "description": "We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to a an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information about check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "classification.type": { "description": "The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid “type explosion”, which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as a command and control servers for example.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "comment": { "description": "Free text commentary about the abuse event inserted by an analyst.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.abuse_contact": { "description": "Abuse contact for destination address. A comma separated list.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.account": { "description": "An account name or email address, which has been identified to relate to the destination of an abuse event.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.allocated": { "description": "Allocation date corresponding to BGP prefix.", - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "ui-priority": 1 }, "destination.as_name": { "description": "The autonomous system name to which the connection headed.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.asn": { "description": "The autonomous system number to which the connection headed.", - "misp-attribute": "asn" + "misp-attribute": "asn", + "ui-priority": 1 }, "destination.domain_suffix": { "description": "The suffix of the domain from the public suffix list.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.fqdn": { "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.geolocation.cc": { "description": "Country-Code according to ISO3166-1 alpha-2 for the destination IP.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.geolocation.city": { "description": "Some geolocation services refer to city-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.geolocation.country": { "description": "The country name derived from the ISO3166 country code (assigned to cc field).", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.geolocation.latitude": { "description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "destination.geolocation.longitude": { "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "destination.geolocation.region": { "description": "Some geolocation services refer to region-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.geolocation.state": { "description": "Some geolocation services refer to state-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.ip": { "description": "The IP which is the target of the observed connections.", - "misp-attribute": "ip-dst" + "misp-attribute": "ip-dst", + "ui-priority": 1 }, "destination.local_hostname": { "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromized system", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.local_ip": { "description": "Some sources report a internal (NATed) IP address related a compromized system. N.B. RFC1918 IPs are OK here.", - "misp-attribute": "ip-dst" + "misp-attribute": "ip-dst", + "ui-priority": 1 }, "destination.network": { "description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.", - "misp-attribute": "ip-dst" + "misp-attribute": "ip-dst", + "ui-priority": 1 }, "destination.port": { "description": "The port to which the connection headed.", - "misp-attribute": "counter" + "misp-attribute": "counter", + "ui-priority": 1 }, "destination.registry": { "description": "The IP registry a given ip address is allocated by.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.reverse_dns": { "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "destination.tor_node": { "description": "If the destination IP was a known tor node.", - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "ui-priority": 1 }, "destination.url": { "description": "A URL denotes on IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "destination.urlpath": { "description": "The path portion of an HTTP or related network request.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "event_description.target": { "description": "Some sources denominate the target (organization) of a an attack.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "event_description.text": { "description": "A free-form textual description of an abuse event.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "event_description.url": { "description": "A description URL is a link to a further description of the the abuse event in question.", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "event_hash": { "description": "Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "extra": { "description": "All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. **Note**: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.accuracy": { "description": "A float between 0 and 100 that represents how accurate the data in the feed is", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "feed.code": { "description": "Code name for the feed, e.g. DFGS, HSDAG etc.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.documentation": { "description": "A URL or hint where to find the documentation of this feed.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.name": { "description": "Name for the feed, usually found in collector bot configuration.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.provider": { "description": "Name for the provider of the feed, usually found in collector bot configuration.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.url": { "description": "The URL of a given abuse feed, where applicable", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "malware.hash.md5": { "description": "A string depicting an MD5 checksum for a file, be it a malware sample for example.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "malware.hash.sha1": { "description": "A string depicting a SHA1 checksum for a file, be it a malware sample for example.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "malware.hash.sha256": { "description": "A string depicting a SHA256 checksum for a file, be it a malware sample for example.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "malware.name": { "description": "The malware name in lower case.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "malware.version": { "description": "A version string for an identified artifact generation, e.g. a crime-ware kit.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "misp.attribute_uuid": { "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "misp.event_uuid": { "description": "MISP - Malware Information Sharing Platform & Threat Sharing UUID.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "output": { "description": "Event data converted into foreign format, intended to be exported by output plugin.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "protocol.application": { "description": "e.g. vnc, ssh, sip, irc, http or smtp.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "protocol.transport": { "description": "e.g. tcp, udp, icmp.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "raw": { "description": "The original line of the event from encoded in base64.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "rtir_id": { "description": "Request Tracker Incident Response ticket id.", - "misp-attribute": "counter" + "misp-attribute": "counter", + "ui-priority": 1 }, "screenshot_url": { "description": "Some source may report URLs related to a an image generated of a resource without any metadata. Or an URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "source.abuse_contact": { "description": "Abuse contact for source address. A comma separated list.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.account": { "description": "An account name or email address, which has been identified to relate to the source of an abuse event.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.allocated": { "description": "Allocation date corresponding to BGP prefix.", - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "ui-priority": 1 }, "source.as_name": { "description": "The autonomous system name from which the connection originated.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.asn": { "description": "The autonomous system number from which originated the connection.", - "misp-attribute": "asn" + "misp-attribute": "asn", + "ui-priority": 1 }, "source.domain_suffix": { "description": "The suffix of the domain from the public suffix list.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.fqdn": { "description": "A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.cc": { "description": "Country-Code according to ISO3166-1 alpha-2 for the source IP.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.city": { "description": "Some geolocation services refer to city-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.country": { "description": "The country name derived from the ISO3166 country code (assigned to cc field).", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.cymru_cc": { "description": "The country code denoted for the ip by the Team Cymru asn to ip mapping service.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.geoip_cc": { "description": "MaxMind Country Code (ISO3166-1 alpha-2).", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.latitude": { "description": "Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "source.geolocation.longitude": { "description": "Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "source.geolocation.region": { "description": "Some geolocation services refer to region-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.geolocation.state": { "description": "Some geolocation services refer to state-level geolocation.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.ip": { "description": "The ip observed to initiate the connection", - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "ui-priority": 1 }, "source.local_hostname": { "description": "Some sources report a internal hostname within a NAT related to the name configured for a compromised system", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.local_ip": { "description": "Some sources report a internal (NATed) IP address related a compromised system. N.B. RFC1918 IPs are OK here.", - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "ui-priority": 1 }, "source.network": { "description": "CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.", - "misp-attribute": "ip-src" + "misp-attribute": "ip-src", + "ui-priority": 1 }, "source.port": { "description": "The port from which the connection originated.", - "misp-attribute": "counter" + "misp-attribute": "counter", + "ui-priority": 1 }, "source.registry": { "description": "The IP registry a given ip address is allocated by.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.reverse_dns": { "description": "Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "source.tor_node": { "description": "If the source IP was a known tor node.", - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "ui-priority": 1 }, "source.url": { "description": "A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "source.urlpath": { "description": "The path portion of an HTTP or related network request.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "status": { "description": "Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "time.observation": { "description": "The time the collector of the local instance processed (observed) the event.", - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "ui-priority": 1 }, "time.source": { "description": "The time of occurence of the event as reported the feed (source).", - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "ui-priority": 1 }, "tlp": { "description": "Traffic Light Protocol level of the event.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 } }, "description": "IntelMQ Event", "meta-category": "network", "name": "intelmq_event", "uuid": "491ac7d2-25a1-4078-8246-b04a132d003d", - "version": 1 + "version": 2 } diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json index b6f563e..32ea0d1 100644 --- a/objects/intelmq_report/definition.json +++ b/objects/intelmq_report/definition.json @@ -2,48 +2,58 @@ "attributes": { "extra": { "description": "All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This is data is not automatically propagated to the events.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.accuracy": { "description": "A float between 0 and 100 that represents how accurate the data in the feed is", - "misp-attribute": "float" + "misp-attribute": "float", + "ui-priority": 1 }, "feed.code": { "description": "Code name for the feed, e.g. DFGS, HSDAG etc.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.documentation": { "description": "A URL or hint where to find the documentation of this feed.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.name": { "description": "Name for the feed, usually found in collector bot configuration.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.provider": { "description": "Name for the provider of the feed, usually found in collector bot configuration.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "feed.url": { "description": "The URL of a given abuse feed, where applicable", - "misp-attribute": "url" + "misp-attribute": "url", + "ui-priority": 1 }, "raw": { "description": "The original raw and unparsed data encoded in base64.", - "misp-attribute": "text" + "misp-attribute": "text", + "ui-priority": 1 }, "rtir_id": { "description": "Request Tracker Incident Response ticket id.", - "misp-attribute": "counter" + "misp-attribute": "counter", + "ui-priority": 1 }, "time.observation": { "description": "The time the collector of the local instance processed (observed) the event.", - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "ui-priority": 1 } }, "description": "IntelMQ Report", "meta-category": "network", "name": "intelmq_report", "uuid": "c3d34be1-904b-455b-bceb-509418392110", - "version": 1 + "version": 2 } From 68d61d25d9fabd43acd3430e7be196863317233d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 25 Nov 2019 16:23:42 +0100 Subject: [PATCH 5/7] fix: Type asn -> AS --- objects/intelmq_event/definition.json | 6 +++--- objects/intelmq_report/definition.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json index a8af1a8..966ea2b 100644 --- a/objects/intelmq_event/definition.json +++ b/objects/intelmq_event/definition.json @@ -42,7 +42,7 @@ }, "destination.asn": { "description": "The autonomous system number to which the connection headed.", - "misp-attribute": "asn", + "misp-attribute": "AS", "ui-priority": 1 }, "destination.domain_suffix": { @@ -282,7 +282,7 @@ }, "source.asn": { "description": "The autonomous system number from which originated the connection.", - "misp-attribute": "asn", + "misp-attribute": "AS", "ui-priority": 1 }, "source.domain_suffix": { @@ -415,5 +415,5 @@ "meta-category": "network", "name": "intelmq_event", "uuid": "491ac7d2-25a1-4078-8246-b04a132d003d", - "version": 2 + "version": 3 } diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json index 32ea0d1..2b07893 100644 --- a/objects/intelmq_report/definition.json +++ b/objects/intelmq_report/definition.json @@ -55,5 +55,5 @@ "meta-category": "network", "name": "intelmq_report", "uuid": "c3d34be1-904b-455b-bceb-509418392110", - "version": 2 + "version": 3 } From cd08dc32a02cee7a7f1e0a6fc200baff72968502 Mon Sep 17 00:00:00 2001 From: m4tze Date: Fri, 29 Nov 2019 08:56:55 +0100 Subject: [PATCH 6/7] added "type" to "requiredOneOf" --- objects/pe/definition.json | 1 + 1 file changed, 1 insertion(+) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 86f37b5..c7356d1 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ "text", + "type", "original-filename", "internal-filename", "entrypoint-address" From 33a75fe4f295dc8f2dee7fe5e11d279b7b212d47 Mon Sep 17 00:00:00 2001 From: m4tze Date: Fri, 29 Nov 2019 09:09:30 +0100 Subject: [PATCH 7/7] updated "version" to 4 --- objects/pe/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index c7356d1..1188c48 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -119,7 +119,7 @@ "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "Object describing a Portable Executable", "meta-category": "file", "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07",