diff --git a/README.md b/README.md
index 1ad9682..3220f95 100644
--- a/README.md
+++ b/README.md
@@ -119,6 +119,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 - [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
 - [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
+- [objects/attacker-infra](https://github.com/MISP/misp-objects/blob/main/objects/attacker-infra/definition.json) - Attacker Infrastructure.
 - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
 - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info.
 - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature.
@@ -162,6 +163,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
 - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
 - [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
+- [objects/ddos-config](https://github.com/MISP/misp-objects/blob/main/objects/ddos-config/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
@@ -254,6 +256,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
 - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance.
 - [objects/google-safe-browsing](https://github.com/MISP/misp-objects/blob/main/objects/google-safe-browsing/definition.json) - Google Safe checks a URL against Google's constantly updated list of unsafe web resources.
+- [objects/google-threat-intelligence-report](https://github.com/MISP/misp-objects/blob/main/objects/google-threat-intelligence-report/definition.json) - Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant.
 - [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information.
 - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.
 - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.
@@ -382,6 +385,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
 - [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.
 - [objects/shadowserver-malware-url-report](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-malware-url-report/definition.json) - This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/.
+- [objects/shadowserver-scan-http-proxy](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-scan-http-proxy/definition.json) - This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/.
 - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. 
This object can be linked with malicious files in order to describe a specific execution of shell commands.
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
@@ -435,6 +439,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
 - [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
 - [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
+- [objects/user-action](https://github.com/MISP/misp-objects/blob/main/objects/user-action/definition.json) - Represent an user action.
 - [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse.
 - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph.
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
index 2d23077..ba1c64f 100644
--- a/objects/ADS/definition.json
+++ b/objects/ADS/definition.json
@@ -22,6 +22,12 @@
 "multiple": true,
 "ui-priority": 10
 },
+ "categorization_others": {
+ "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK if 'categorization is not sufficient'.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 13
+ },
 "date": {
 "description": "Enter date, when ADS has been created or edited.",
 "misp-attribute": "datetime",
@@ -77,5 +83,5 @@
 "categorization"
 ],
 "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
diff --git a/objects/attacker-infra/definition.json b/objects/attacker-infra/definition.json
new file mode 100644
index 0000000..974b275
--- /dev/null
+++ b/objects/attacker-infra/definition.json
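Review bot: The description added for `categorization_others` misplaces its quotes — `'categorization is not sufficient'` reads as a quoted phrase, while the intent is presumably to refer to the sibling `categorization` attribute shown in the context lines. Suggested wording: `"description": "Mapping of the ADS to the relevant ATT&CK entry when the 'categorization' attribute is not sufficient."`. ATT&CK is also the usual capitalisation; the hunk writes `Att&CK`.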
@@ -0,0 +1,327 @@
+{
+ "attributes": {
+ "architecture": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "The CPU architecture of the beacon. Either x86 or x64",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "asn": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "ASN where the IP resides",
+ "misp-attribute": "AS",
+ "ui-priority": 0
+ },
+ "beacon_host": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "C2 of the beacon IP/hostname. (often matches the host that was scanned)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "beacon_http_get": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Path that the beacon uses for the GET method",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "beacon_http_post": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Path that the beacon uses for the POST method",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "beacon_type": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Protocol that the beacon speaks. 
Usually HTTP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "binary_md5": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "MD5 of the PE binary",
+ "disable_correlation": true,
+ "misp-attribute": "md5",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "binary_sha1": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "SHA1 of the PE binary",
+ "disable_correlation": true,
+ "misp-attribute": "sha1",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "binary_sha256": {
+ "categories": [
+ "Payload delivery"
+ ],
+ "description": "SHA256 of the PE binary",
+ "disable_correlation": true,
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "city": {
+ "categories": [
+ "Other"
+ ],
+ "description": "City location of the IP in question",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "config_md5": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "MD5 of the config file",
+ "disable_correlation": true,
+ "misp-attribute": "md5",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "config_sha1": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "SHA1 of the config file",
+ "disable_correlation": true,
+ "misp-attribute": "sha1",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "config_sha256": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "SHA256 of the config file",
+ "disable_correlation": true,
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "content_length": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The length of the response body in octets",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "content_type": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The MIME type of the body of the request",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ 
},
+ "encoded_data": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Base64 encoded config file",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "encoded_length": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Length of the base64 decoded raw config",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "geo": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Country location of the IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hostname": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "Reverse DNS name of the device in question",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hostname_source": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Source of the hostname field contents",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "HTTP version in used in response, e.g HTTP/1.1",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http_code": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "HTTP Response code: e.g., 200, 401, 404",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http_url": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "URL used to illicit the server response",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "ip": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "IP of the of the URL",
+ "misp-attribute": "ip-src",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "license_id": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "The license number",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ 
"multiple": true,
+ "ui-priority": 0
+ },
+ "naics": {
+ "categories": [
+ "Other"
+ ],
+ "description": "North American Industry Classification System Code",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "port": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "Port that the response came from",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "protocol": {
+ "categories": [
+ "Network activity"
+ ],
+ "description": "Protocol the response came in on",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "region": {
+ "categories": [
+ "Other"
+ ],
+ "description": "State / Province / Administrative region where the device in question resides",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "sector": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Sector of the device in question",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "severity": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Severity of the event",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "tag": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Attribute tags",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "timestamp": {
+ "description": "Time that the IP was probed in UTC+0",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ }
+ },
+ "description": "Attacker Infrastructure",
+ "meta-category": "misc",
+ "name": "attacker-infra",
+ "required": [
+ "ip",
+ "port"
+ ],
+ "uuid": "0211496c-dbcf-465b-a147-3d965da016cd",
+ "version": 2
+}
\ No newline at end of file
diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json
index 2d425c9..6b98e47 100644
--- a/objects/crowdsec-ip-context/definition.json
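Review bot: `disable_correlation` is set on exactly the attributes analysts pivot on — `binary_md5`/`binary_sha1`/`binary_sha256`, the three `config_*` hashes and `beacon_host` (the C2) — so two events describing the same beacon binary or C2 host will not be linked, while the less specific `ip`, `asn` and `hostname` do correlate; unless the source is known to produce mostly noise, drop `"disable_correlation": true` from the hash entries and from `beacon_host`. `port` is typed `"text"` with correlation disabled and `hostname` is `"text"`, whereas the `shadowserver-scan-http-proxy` template added in the same commit uses `"misp-attribute": "port"` and `"misp-attribute": "hostname"` for the same fields; the dedicated types validate the value and keep the two templates consistent. The `ip` description reads `"IP of the of the URL"`, and this brand-new template starts at `"version": 2` while the other new templates in this commit start at 1. The template description `"Attacker Infrastructure"`, which the README entry repeats, could say what the object actually holds (a scanned C2/beacon host with its binary and configuration hashes).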
+++ b/objects/crowdsec-ip-context/definition.json
@@ -29,7 +29,7 @@
 "ui-priority": 1
 },
 "background-noise": {
- "description": "Background noise",
+ "description": "High background noise scores highlight untargeted, mild threat mass-attacks",
 "disable_correlation": true,
 "misp-attribute": "float",
 "ui-priority": 1
@@ -66,6 +66,13 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "cves": {
+ "description": "CVEs exploited by the observed IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "dst-port": {
 "categories": [
 "Network activity",
@@ -124,6 +131,19 @@
 "misp-attribute": "float",
 "ui-priority": 1
 },
+ "mitre-techniques": {
+ "description": "MITRE ATT&CK techniques used by the observed IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "reputation": {
+ "description": "Real-time, actionable IP reputation score derived from trusted reports and consensus-validated data in CrowdSec CTI",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "reverse-dns": {
 "categories": [
 "Network activity",
@@ -159,5 +179,5 @@
 "ip"
 ],
 "uuid": "0f0a6def-a351-4d3b-9868-d732f6f4666f",
- "version": 3
+ "version": 4
 }
\ No newline at end of file
diff --git a/objects/ctf-challenge/definition.json b/objects/ctf-challenge/definition.json
new file mode 100644
index 0000000..bfd60cb
--- /dev/null
+++ b/objects/ctf-challenge/definition.json
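Review bot: `cves` carries CVE identifiers as free `"text"` with correlation disabled; MISP has a dedicated `vulnerability` attribute type for CVE ids, which keeps them correlatable across events and is what the CVE enrichment modules typically hook on, so `"misp-attribute": "vulnerability"` without `"disable_correlation": true` would serve consumers better. The `reputation` description calls the value a "score", but it is typed `"text"` while the neighbouring `background-noise` score is a `"float"`; if the CrowdSec field is a categorical label rather than a number, the description should say so, otherwise `float` is the consistent choice. `mitre-techniques` is the same pattern as `cves` — a closed identifier set stored as non-correlating plain text — which is workable but means technique ids cannot be pivoted on.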
@@ -0,0 +1,79 @@
+{
+ "attributes": {
+ "attachment": {
+ "description": "Any relevant supporting files or resources that are attached to the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "category": {
+ "description": "The type of challenge (e.g., web, binary, forensics)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3,
+ "values_list": [
+ "Web",
+ "Reverse Engineering",
+ "Binary Exploitation",
+ "Forensics",
+ "Networking",
+ "Cryptography",
+ "OSINT",
+ "Misc"
+ ]
+ },
+ "description": {
+ "description": "A brief explanation of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ },
+ "flag": {
+ "description": "Submitted and accepted CTF Challenge's flag",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hints": {
+ "description": "Clues to help solve the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "max_attempts": {
+ "description": "Maximum tries allowed",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
+ "points": {
+ "description": "The rewarded points for completing the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
+ },
+ "solves": {
+ "description": "Number of people who solved the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "counter",
+ "ui-priority": 1
+ },
+ "title": {
+ "description": "The name of the challenge",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 4
+ }
+ },
+ "description": "Capture-the-flag challenge object as defined by Rectifyq",
+ "meta-category": "misc",
+ "name": "ctf-challenge",
+ "required": [
+ "title"
+ ],
+ "uuid": "f9bb5d47-ff5b-4569-9987-4bb970639a55",
+ "version": 1
+}
\ No newline at end of file
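Review bot: The `category` description gives `web, binary, forensics` as examples, but the attribute's `values_list` only offers `Web`, `Binary Exploitation`, `Forensics` and the other capitalised entries, so the examples do not match what a user can actually select; suggested: `"description": "The type of challenge, e.g. Web, Binary Exploitation, Forensics"`. `points` is typed `"float"` while `max_attempts` and `solves` are `"counter"`; unless fractional scores are expected, `counter` keeps the numeric fields consistent. The `flag` description could also state that the field is meant for an already-solved flag, since nothing else in the template signals that the value is sensitive while a competition is still running.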
diff --git a/objects/diameter-attack/definition.json b/objects/diameter-attack/definition.json
index 22a7e00..99b1130 100644
--- a/objects/diameter-attack/definition.json
+++ b/objects/diameter-attack/definition.json
@@ -35,12 +35,48 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "Origin-Host-CountryISO2": {
+ "description": "Origin-Host Country ISO2",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Host-OperatorName": {
+ "description": "Origin-Host Operator Name",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Host-TADIG": {
+ "description": "Origin-Host Operator TADIG",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "Origin-Realm": {
 "description": "Origin-Realm.",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
 },
+ "Origin-Realm-CountryISO2": {
+ "description": "Origin-Realm Country ISO2",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Realm-OperatorName": {
+ "description": "Origin-Realm Operator Name",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "Origin-Realm-TADIG": {
+ "description": "Origin-Realm Operator TADIG",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
 "SessionId": {
 "description": "Session-ID.",
 "misp-attribute": "text",
diff --git a/objects/google-threat-intelligence-report/definition.json b/objects/google-threat-intelligence-report/definition.json
new file mode 100644
index 0000000..9dab99c
--- /dev/null
+++ b/objects/google-threat-intelligence-report/definition.json
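Review bot: Six attributes are added to `diameter-attack` but the diff for this file contains no hunk touching its `"version"`, unlike the ADS, crowdsec-ip-context and network-profile updates in this commit, which each bump it; as far as I know a MISP instance only reloads a template whose version increased, so the new Origin-Host/Origin-Realm fields would not reach instances that already hold the template. The `pe-optional-header` change in the same commit (`requiredOneOf` corrected to `address-of-entrypoint`) has the same gap — its `"version": 2` line appears as unchanged context. Each new description here merely restates the key; `"TADIG code of the Origin-Host operator"` in place of `"Origin-Host Operator TADIG"` (and likewise for the Realm entries) would tell a reader what the value is. The enclosing `attributes` object starts and ends outside the hunk.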
@@ -0,0 +1,75 @@
+{
+ "attributes": {
+ "detection-ratio": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Detection Ratio",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "first-submission": {
+ "categories": [
+ "Other"
+ ],
+ "description": "First Submission",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "last-submission": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Last Submission",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "permalink": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Permalink Reference",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "ui-priority": 2
+ },
+ "severity": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Severity",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "threat-score": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Threat Score",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 1
+ },
+ "verdict": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "GTI Verdict",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Google Threat Intelligence report that provides an assessment (verdict, severity and scoring) and combined information from VirusTotal and Mandiant",
+ "meta-category": "misc",
+ "name": "google-threat-intelligence-report",
+ "required": [
+ "permalink"
+ ],
+ "uuid": "e288e533-2736-438a-8136-26cac06be1e7",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/network-profile/definition.json b/objects/network-profile/definition.json
index 687ac6b..a44cf8b 100644
--- a/objects/network-profile/definition.json
+++ b/objects/network-profile/definition.json
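Review bot: `severity` and `verdict` are free `"text"` whose descriptions only repeat the key (`"GTI Severity"`, `"GTI Verdict"`); both appear to be closed vocabularies on the GTI side, so a `sane_default` list of the values the connector emits (as `shadowserver-scan-http-proxy` in this commit does for its `severity`) plus a description naming the scale would make the object filterable and searchable. `detection-ratio` likewise says only `"Detection Ratio"`; stating the format in the description spares each consumer from guessing how to parse it. `permalink` is both the only required field and non-correlating, so two reports about the same sample are linked by nothing in this template unless the hashes live in a sibling object — worth a sentence in the template description if that is the intended usage.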
@@ -129,7 +129,8 @@
 "Google",
 "DuckDNS",
 "Cloudflare",
- "AWS"
+ "AWS",
+ "Yandex"
 ]
 },
 "subdomain": {
@@ -214,5 +215,5 @@
 "url"
 ],
 "uuid": "f0f9e287-8067-49a4-b0f8-7a0fed8d4e43",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
diff --git a/objects/pe-optional-header/definition.json b/objects/pe-optional-header/definition.json
index 6d477d4..c6bbc22 100644
--- a/objects/pe-optional-header/definition.json
+++ b/objects/pe-optional-header/definition.json
@@ -237,7 +237,7 @@
 "meta-category": "file",
 "name": "pe-optional-header",
 "requiredOneOf": [
- "address_of_entrypoint"
+ "address-of-entrypoint"
 ],
 "uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9",
 "version": 2
diff --git a/objects/shadowserver-scan-http-proxy/definition.json b/objects/shadowserver-scan-http-proxy/definition.json
new file mode 100644
index 0000000..dd1e354
--- /dev/null
+++ b/objects/shadowserver-scan-http-proxy/definition.json
@@ -0,0 +1,185 @@
+{
+ "attributes": {
+ "asn": {
+ "description": "ASN where the IP resides",
+ "misp-attribute": "AS",
+ "ui-priority": 0
+ },
+ "city": {
+ "description": "City location of the IP in question",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "connection": {
+ "description": "Control options for the current connection and list of hop-by-hop request fields",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "content_length": {
+ "description": "The length of the response body in octets",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "content_type": {
+ "description": "The MIME type of the body of the request",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "geo": {
+ "description": "Country location of the IP",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hostname": {
+ "description": "Any of the capabilities identified for the malware instance or family.",
+ "misp-attribute": "hostname",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "hostname_source": {
+ "description": "Hostname source",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http": {
+ "description": "Hypertext Transfer Protocol Version",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http_code": {
+ "description": "HTTP Response code: e.g., 200, 401, 404",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http_date": {
+ "description": "The date and time that the message was sent",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "http_reason": {
+ "description": "The text reason to go with the HTTP Code",
+ 
"disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "ip": {
+ "description": "The IP address of the device in question",
+ "misp-attribute": "ip-src",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "naics": {
+ "description": "North American Industry Classification System Code",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "port": {
+ "description": "Port the response came from",
+ "misp-attribute": "port",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "protocol": {
+ "description": "Protocol observed in the network traffic",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "proxy_authenticate": {
+ "description": "The authentication method that should be used to gain access to a resource behind a proxy server",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "region": {
+ "description": "Regional location of the IP in question",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "sector": {
+ "description": "Sector of the IP in question",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "server": {
+ "description": "HTTP Server type",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "severity": {
+ "description": "Severity leve",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info"
+ ],
+ "ui-priority": 0
+ },
+ "tag": {
+ "description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. This allows for better understanding of the URL context observed (ie. 
usage associated with a particular CVE).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "timestamp": {
+ "description": "Time that the IP was probed in UTC+0",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "transfer_encoding": {
+ "description": "The form of encoding used to safely transfer the entity to the user",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "via": {
+ "description": "General header added by proxies",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ }
+ },
+ "description": "This report identifies open HTTP proxy servers on multiple ports. While HTTP proxies have legitimate uses, they are also used for attacks or other forms of abuse. https://www.shadowserver.org/what-we-do/network-reporting/open-http-proxy-report/",
+ "meta-category": "misc",
+ "name": "shadowserver-scan-http-proxy",
+ "required": [
+ "timestamp",
+ "ip",
+ "port",
+ "tag"
+ ],
+ "uuid": "ad0c83d5-56bf-4300-8743-ed2b4caf6206",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/user-action/definition.json b/objects/user-action/definition.json
new file mode 100644
index 0000000..a61bf43
--- /dev/null
+++ b/objects/user-action/definition.json
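Review bot: The `hostname` description (`"Any of the capabilities identified for the malware instance or family."`) is copied from a malware template and does not describe this field; `"Reverse DNS name of the device in question"`, as the `attacker-infra` template in this commit words it, fits. `tag` is listed in `required` although its own description says `"Array of tags associated with the URL if any"` — a report row that carries no tag would fail template validation, so either drop `"tag"` from `required` or reword the description to say the field is always populated. `severity` has a typo (`"Severity leve"` → `"Severity level"`), and `content_type` describes `"the body of the request"` where the neighbouring HTTP fields (`content_length`, `http_code`, `http_reason`) describe the response.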
@@ -0,0 +1,30 @@
+{
+ "attributes": {
+ "action": {
+ "description": "Action performed by the user",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "Click",
+ "Install",
+ "Execute",
+ "Plug",
+ "Scan",
+ "Unknown"
+ ],
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description of the action performed by the user",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Represent an user action",
+ "meta-category": "misc",
+ "name": "user-action",
+ "uuid": "699dcf9d-2fa2-4200-a5cf-1d1e124e28c1",
+ "version": 1
+}
\ No newline at end of file
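Review bot: The template declares neither `required` nor `requiredOneOf`, so an instance can be created with no `action` and no `description`, which every other template in this commit prevents; `"requiredOneOf": ["action", "description"]` after the `"name"` line would rule out empty objects. The template description `"Represent an user action"` should read `"Represents a user action"` (the README entry added in this commit repeats the wording). `Plug` in the `sane_default` list is not self-explanatory next to `Click`, `Install` and `Execute`; the `action` description could state what it denotes.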