pull/197/head
Deborah Servili 2019-08-05 16:33:01 +02:00
commit 65d37d8167
No known key found for this signature in database
GPG Key ID: 7E3A832850D4D7D1
53 changed files with 2186 additions and 74 deletions


@ -70,9 +70,12 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings.
* [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
* [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info.
* [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
* [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com
* [objects/btc-transaction](objects/btc-transaction/definition.json) - Object describing BTC transaction (often attached to a btc-wallet object.
* [objects/btc-wallet](objects/btc-wallet/definition.json) - Object describing a BTC wallet.
* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
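Review bot: The README list in this hunk has no entry for the new attack-pattern object, although the commit adds a definition with "name": "attack-pattern"; by the ordering used here it would sit between objects/asn and objects/authenticode-signerinfo. Please add it. The objects/btc-transaction line also opens a parenthesis that is never closed: "(often attached to a btc-wallet object."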
@ -82,11 +85,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
* [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike.
* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
* [objects/dns-record](objects/dns-record/definition.json) - A DNS record object to describe the associated records for a domain.
* [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
* [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/employee](objects/employee/definition.json) - An employee object.
* [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
@ -96,11 +102,13 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network.
* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object.
* [objects/imsi-catcher](objects/imsi-catcher/definition.json) - Object describing IMSI catcher associated event.
* [objects/interpol-notice](objects/interpol-notice/definition.json) - Object used to represent an Interpol notice
* [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com).
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
* [objects/lnk](objects/lnk/definition.json) - Object describing a Windows LNK (Windows Shortcut) file.
* [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
* [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
* [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
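Review bot: There is no README entry for the new irc object in this hunk; the commit adds a definition with "name": "irc", and the list goes straight from objects/ip-port to objects/ja3. Please add a line for it so the index matches the templates shipped.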
@ -111,12 +119,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
* [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure.
* [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP.
* [objects/organization](objects/organization/definition.json) - An object which describes an organization.
* [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
* [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
* [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
* [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
* [objects/person](objects/person/definition.json) - A person object which describes a person or an identity.
* [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
* [objects/phishing-kit](objects/phishing-kit/definition.json) - Object to describe a phishing kit.
* [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
* [objects/process](objects/process/definition.json) - A process object.
* [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
@ -128,20 +138,25 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
* [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
* [objects/shodan](objects/shodan/definition.json) - A shodan object to describe a shodan report.
* [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target.
* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s).
* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
* [objects/ssh-authorized-keys](objects/ssh-authorized-keys/definition.json) - SSH authorized keys object to store keys and option from SSH authorized_keys file.
* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system.
* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object.
* [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
* [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
* [objects/tor-hiddenservice](objects/tor-hiddenservice/definition.json) - Tor hidden service (Onion Service) object to describe a Tor hidden service.
* [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
* [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
* [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc).
* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
* [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
* [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.


@ -61,6 +61,12 @@
"description": "Last update of the annotation",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"attachment": {
"description": "An attachment to support the annotation",
"ui-priority": 0,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 2,
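Review bot: The trailing context still reads "version": 2 and no hunk for this file changes it, while the other templates that gain attributes in this commit bump their version (credential 2 to 3, file 16 to 17). If version 2 of this template was already published, adding "attachment" should come with a bump so instances pick up the updated definition.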


@ -0,0 +1,45 @@
{
"requiredOneOf": [
"name",
"id"
],
"attributes": {
"id": {
"description": "CAPEC ID.",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"name": {
"description": "Name of the attack pattern.",
"ui-priority": 0,
"misp-attribute": "text"
},
"summary": {
"description": "Summary description of the attack pattern.",
"ui-priority": 0,
"misp-attribute": "text"
},
"prerequisites": {
"description": "Prerequisites for the attack pattern to succeed.",
"ui-priority": 0,
"misp-attribute": "text"
},
"solutions": {
"description": "Solutions for the attack pattern to be countered.",
"ui-priority": 0,
"misp-attribute": "text"
},
"related-weakness": {
"description": "Weakness related to the attack pattern.",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "weakness"
}
},
"version": 1,
"description": "Attack pattern describing a common attack pattern enumeration and classification.",
"meta-category": "vulnerability",
"uuid": "35928348-56be-4d7f-9752-a80927936351",
"name": "attack-pattern"
}
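Review bot: The "id" attribute is free "text" with the description "CAPEC ID." and nothing says which form is expected (bare number or with a "CAPEC-" prefix). Since "id" is one of the two requiredOneOf keys, please state the expected format in the description so producers fill it consistently. It is also worth confirming that "weakness", used as the misp-attribute for "related-weakness", is an attribute type available in the MISP versions this template targets.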


@ -0,0 +1,62 @@
{
"requiredOneOf": [
"url",
"program-name"
],
"attributes": {
"text": {
"description": "Free text description of the signer info",
"ui-priority": 1,
"misp-attribute": "text"
},
"issuer": {
"description": "Issuer of the certificate",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"version": {
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"url": {
"description": "Url",
"multiple": true,
"misp-attribute": "url",
"ui-priority": 0
},
"content-type": {
"description": "Content type",
"misp-attribute": "text",
"ui-priority": 0
},
"program-name": {
"description": "Program name",
"misp-attribute": "text",
"ui-priority": 0
},
"digest_algorithm": {
"description": "Digest algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"signature_algorithm": {
"description": "Signature algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"sane_default": [
"SHA1_WITH_RSA_ENCRYPTION",
"SHA256_WITH_RSA_ENCRYPTION"
]
}
},
"version": 1,
"description": "Authenticode Signer Info",
"meta-category": "file",
"uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e",
"name": "authenticode-signerinfo"
}
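Review bot: Key naming is mixed inside this one template: "digest_algorithm" and "signature_algorithm" use underscores while "content-type" and "program-name" use hyphens. Please pick one convention before the names are fixed by use. The requiredOneOf set ("url", "program-name") also deserves a sentence of justification, since both are optional metadata of the signer info and "issuer" is not required; and the "url" description ("Url") does not say what the URL points to.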


@ -0,0 +1,51 @@
{
"requiredOneOf": [
"transaction-number",
"time",
"value_BTC"
],
"attributes": {
"transaction-number": {
"description": "A Bitcoin transaction number in a sequence of transactions",
"ui-priority": 0,
"disable_correlation": true,
"multiple": true,
"misp-attribute": "text"
},
"time": {
"description": "Date and time of transaction",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
},
"value_BTC": {
"description": "Value in BTC at date/time displayed in field 'time'",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"value_EUR": {
"description": "Value in EUR with conversion rate as of date/time displayed in field 'time'",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"value_USD": {
"description": "Value in USD with conversion rate as of date/time displayed in field 'time'",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"btc-address": {
"description": "A Bitcoin transactional address",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "btc"
}
},
"version": 4,
"description": "An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.",
"meta-category": "financial",
"uuid": "B7341729-5A8A-439F-A775-6D814DA3C7B5",
"name": "btc-transaction"
}
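Review bot: "btc-address" sets "disable_correlation": true, so the one value in this object that analysts would normally pivot on never correlates, while "wallet-address" in btc-wallet does. If that is intentional, please say why in the description; otherwise drop the flag here. Smaller points: the description refers to "bitcoin-wallet" but the companion template is named "btc-wallet", the uuid is upper-case where the other new templates use lower-case, and the file is added at "version": 4.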


@ -0,0 +1,41 @@
{
"requiredOneOf": [
"wallet-address"
],
"attributes": {
"wallet-address": {
"description": "A Bitcoin wallet address",
"ui-priority": 0,
"misp-attribute": "btc"
},
"balance_BTC": {
"description": "Value in BTC at date/time displayed in field 'time'",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"BTC_received": {
"description": "Value of received BTC",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"BTC_sent": {
"description": "Value of sent BTC",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "float"
},
"time": {
"description": "Date and time of lookup/conversion",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "datetime"
}
},
"version": 2,
"description": "An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.",
"meta-category": "financial",
"uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4",
"name": "btc-wallet"
}
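Review bot: The top-level description says "Best to be used with bitcoin-transactions", but the companion template in this commit is named "btc-transaction"; please use the real object name so the cross-reference can be followed. The attribute keys also mix styles ("wallet-address", "balance_BTC", "BTC_received"), and the uuid is upper-case unlike the other new templates.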


@ -53,7 +53,8 @@
"disable_correlation": true,
"sane_default": [
"Remedy",
"Response"
"Response",
"Further Analysis Required"
]
},
"cost": {


@ -1,6 +1,7 @@
{
"requiredOneOf": [
"password"
"password",
"username"
],
"attributes": {
"text": {
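Review bot: With "username" added to requiredOneOf, an object holding only a username and no secret now validates as a credential, while the description still reads "one or more credential(s) including password(s), api key(s) or decryption key(s)". If username-only objects are intended (for example, leaked account lists), please update the description to say so; if not, "username" should stay optional.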
@ -67,7 +68,7 @@
]
}
},
"version": 2,
"version": 3,
"description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
"meta-category": "misc",
"uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",


@ -3,6 +3,16 @@
"cc-number"
],
"attributes": {
"iin": {
"description": "International Issuer Number (First eight digits of the credit card number",
"ui-priority": 0,
"misp-attribute": "text"
},
"bank_name": {
"description": "Name of the bank which have issued the card",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"description": "Version of the card.",
"ui-priority": 0,
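Review bot: The "iin" description has an unbalanced parenthesis ("(First eight digits of the credit card number" is never closed), and IIN normally expands to Issuer Identification Number rather than "International Issuer Number". Please fix both, and change "bank which have issued" to "bank which has issued". "bank_name" uses an underscore where the existing key in this template ("cc-number") uses a hyphen.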
@ -39,7 +49,7 @@
"misp-attribute": "cc-number"
}
},
"version": 2,
"version": 3,
"description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.",
"meta-category": "financial",
"uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",


@ -0,0 +1,87 @@
{
"requiredOneOf": [
"name",
"alias"
],
"attributes": {
"description": {
"description": "Description of the Device",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"name": {
"description": "Name of the Device",
"ui-priority": 101,
"misp-attribute": "text"
},
"alias": {
"description": "Alias of the Device",
"ui-priority": 100,
"misp-attribute": "text",
"multiple": true
},
"device-type": {
"description": "Type of the device",
"ui-priority": 99,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"PC",
"Mobile",
"Laptop",
"HID",
"TV",
"IoT",
"Hardware",
"Other"
]
},
"OS": {
"description": "OS of the device",
"ui-priority": 98,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true
},
"version": {
"description": "Version of the device/ OS",
"ui-priority": 97,
"misp-attribute": "text",
"disable_correlation": true
},
"ip-address": {
"description": "Device IP address",
"ui-priority": 0,
"misp-attribute": "ip-src",
"multiple": true
},
"dns-name": {
"description": "Device DNS Name",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"MAC-address": {
"description": "Device MAC address",
"ui-priority": 0,
"misp-attribute": "mac-address"
},
"analysis-date": {
"description": "Date of device analysis",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"attachment": {
"description": "An attachment",
"ui-priority": 0,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 7,
"description": "An object to define a device",
"meta-category": "misc",
"uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52",
"name": "device"
}
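Review bot: "ip-address" maps to "misp-attribute": "ip-src", which gives the device's address a direction. A device described with this template may be a victim or an analysed asset rather than a traffic source, so anything consuming ip-src values will treat these addresses as sources; please state the intended role in the description or reconsider the type. Key casing is also mixed ("OS", "MAC-address" next to "dns-name"), and the file is added at "version": 7 although it is new in this diff.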


@ -0,0 +1,62 @@
{
"required": [
"queried-domain"
],
"requiredOneOf": [
"a-record",
"mx-record",
"ns-record"
],
"attributes": {
"text": {
"description": "A description of the records",
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"queried-domain": {
"description": "Domain name",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain"
},
"a-record": {
"description": "IP Address sassociated with A Records",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
},
"mx-record": {
"description": "Domain associated with MX Record",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
},
"ns-record": {
"description": "Domain associated with NS Records",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
}
},
"version": 1,
"description": "A set of dns records observed for a specific domain.",
"meta-category": "network",
"uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9",
"name": "dns-record"
}
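Review bot: Typo in the "a-record" description: "IP Address sassociated with A Records" should read "IP address associated with A records". Beyond that, requiredOneOf only accepts "a-record", "mx-record" or "ns-record", so a lookup that returned only other record types cannot be stored with this template; please either add attributes for the other types you expect or note the limitation in the top-level description.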


@ -23,6 +23,12 @@
"ui-priority": 0,
"misp-attribute": "datetime"
},
"registration-date": {
"description": "Registration date of domain",
"disable_correlation": false,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"domain": {
"description": "Domain name",
"categories": [
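Review bot: "registration-date" sets "disable_correlation": false explicitly, so objects will correlate on a datetime value. The datetime attributes added elsewhere in this commit ("time" in btc-transaction, "first-seen" in imsi-catcher) disable correlation; unless correlating on registration time is a deliberate choice, set it to true here, and say so in the description if it is deliberate. No version bump for this template is visible in the hunk.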


@ -0,0 +1,66 @@
{
"required": [
"email-address"
],
"attributes": {
"text": {
"description": "A description of the person or identity.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"last-name": {
"description": "Last name Employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "last-name"
},
"first-name": {
"description": "First name of Employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "first-name"
},
"email-address": {
"description": "Employee Email Address",
"ui-priority": 0,
"misp-attribute": "target-email"
},
"userid": {
"description": "EMployee user identification",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "target-user"
},
"primary-asset": {
"description": "Asset tag of the primary asset assigned to employee",
"ui-priority": 0,
"misp-attribute": "target-machine"
},
"business-unit": {
"description": "the organizational business unit associated with the employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "target-org"
},
"employee-type": {
"description": "type of employee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"Mid-Level Manager",
"Senior Manager",
"Non-Manager",
"Supervisor",
"First-Line Manager",
"Director"
]
}
},
"version": 1,
"description": "An employee and related data points",
"meta-category": "misc",
"uuid": "443b2f15-d7c9-4d3d-bfd2-38f099753e83",
"name": "employee"
}
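Review bot: The "userid" description has a casing typo ("EMployee user identification"), "last-name" reads "Last name Employee" while "first-name" reads "First name of Employee", and the "text" description ("A description of the person or identity.") does not mention the employee. Please make the descriptions consistent. This template also uses "values_list" for "employee-type" where other templates in this commit use "sane_default"; a short comment on which behaviour is wanted would help, since the listed values cover only management levels.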


@ -14,8 +14,9 @@
"sha512/256",
"tlsh",
"pattern-in-file",
"x509-fingerprint-sha1",
"certificate",
"malware-sample",
"attachment",
"path",
"fullpath"
],
@ -112,6 +113,11 @@
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"attachment": {
"description": "A non-malicious file.",
"ui-priority": 1,
"misp-attribute": "attachment"
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
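Review bot: The description "A non-malicious file." on the new "attachment" attribute is an assertion the template cannot enforce, and it sits directly after "malware-sample". Please reword it to tell the analyst when to choose which attribute, so a file whose status is not yet known is not uploaded as a plain attachment by default.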
@ -436,7 +442,7 @@
]
}
},
"version": 16,
"version": 17,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",


@ -0,0 +1,89 @@
{
"requiredOneOf": [
"text",
"first-seen",
"imsi"
],
"attributes": {
"imsi": {
"description": "A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.",
"misp-attribute": "text",
"ui-priority": 1
},
"tmsi-1": {
"description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.",
"misp-attribute": "text",
"ui-priority": 0
},
"tmsi-2": {
"description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.",
"misp-attribute": "text",
"ui-priority": 0
},
"country": {
"description": "Country where the IMSI is registered.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"brand": {
"description": "Brand associated with the IMSI registration.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"operator": {
"description": "Operator associated with the IMSI registration.",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"mcc": {
"description": "MCC - Mobile Country Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"mnc": {
"description": "MNC - Mobile Network Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"lac": {
"description": "LAC - Location Area Code",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"cellid": {
"description": "CellID",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true
},
"text": {
"description": "A description of the IMSI record.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"first-seen": {
"description": "When the IMSI has been accessible or seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"seq": {
"description": "A sequence number for the collection",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "counter"
}
},
"version": 1,
"description": "IMSI Catcher entry object based on the open source IMSI cather",
"meta-category": "misc",
"uuid": "a64f21b1-2f1b-4298-8243-c45db2c4aa7c",
"name": "imsi-catcher"
}
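Review bot: Typo in the top-level description: "open source IMSI cather" should be "IMSI catcher", and naming or linking the project it is based on would make the field mapping checkable. "tmsi-1" and "tmsi-2" carry identical descriptions, so nothing tells a producer how the two differ; please describe each. "imsi" is stored as "text" with correlation enabled, which is worth a note given it identifies a subscriber.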


@ -4,7 +4,9 @@
"src-port",
"domain",
"hostname",
"ip"
"ip",
"ip-src",
"ip-dst"
],
"attributes": {
"text": {
@ -74,9 +76,29 @@
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
},
"ip-src": {
"description": "source IP address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-src",
"multiple": true
},
"ip-dst": {
"description": "destination IP address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 7,
"version": 8,
"description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.",
"meta-category": "network",
"uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6",
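Review bot: The new "ip-dst" attribute uses "misp-attribute": "ip-dst", and the attribute whose tail is visible at the top of this hunk already maps to the same type (presumably "ip", which remains in requiredOneOf). That leaves two keys for a destination address with no guidance on which to use. Please document the intended split in the descriptions, or mark the older key as kept for compatibility only.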


@ -0,0 +1,76 @@
{
"requiredOneOf": [
"ip",
"hostname",
"channel",
"nickname"
],
"attributes": {
"text": {
"description": "Description of the IRC server",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"last-seen": {
"description": "Last time the IRC server with the associated channels has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the IRC server with the associated channels has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"dst-port": {
"description": "Destination port to reach the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "port",
"disable_correlation": true,
"multiple": true
},
"channel": {
"description": "IRC channel associated to the IRC server",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"nickname": {
"description": "IRC nickname used to connect to the associated IRC server and channels",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"hostname": {
"description": "Hostname of the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname",
"multiple": true
},
"ip": {
"description": "IP address of the IRC server",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 2,
"description": "An IRC object to describe an IRC server and the associated channels.",
"meta-category": "network",
"uuid": "4bbbc004-c344-4b20-8672-b41102177fc7",
"name": "irc"
}

objects/lnk/definition.json Normal file

@ -0,0 +1,279 @@
{
"requiredOneOf": [
"filename",
"ssdeep",
"md5",
"sha1",
"sha224",
"sha256",
"sha384",
"sha512",
"sha512/224",
"sha512/256"
],
"attributes": {
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"ui-priority": 1,
"misp-attribute": "md5",
"recommended": false
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"ui-priority": 1,
"misp-attribute": "sha1",
"recommended": false
},
"sha224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha224",
"recommended": false
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 1,
"misp-attribute": "sha256"
},
"sha384": {
"description": "Secure Hash Algorithm 2 (384 bits)",
"ui-priority": 0,
"misp-attribute": "sha384",
"recommended": false
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"ui-priority": 1,
"misp-attribute": "sha512"
},
"sha512/224": {
"description": "Secure Hash Algorithm 2 (224 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/224",
"recommended": false
},
"sha512/256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"ui-priority": 0,
"misp-attribute": "sha512/256",
"recommended": false
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"ui-priority": 0,
"misp-attribute": "ssdeep"
},
"size-in-bytes": {
"description": "Size of the LNK file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"entropy": {
"description": "Entropy of the whole file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "float"
},
"pattern-in-file": {
"description": "Pattern that can be found in the file",
"categories": [
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "pattern-in-file",
"multiple": true
},
"text": {
"description": "Free text value to attach to the file",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"malware-sample": {
"description": "The LNK file itself (binary)",
"ui-priority": 1,
"misp-attribute": "malware-sample"
},
"filename": {
"description": "Filename on disk",
"disable_correlation": true,
"multiple": true,
"categories": [
"Payload delivery",
"Artifacts dropped",
"Payload installation",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "filename"
},
"path": {
"description": "Path of the LNK filename complete or partial",
"disable_correlation": true,
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"fullpath": {
"description": "Complete path of the LNK filename including the filename",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"ui-priority": 0,
"misp-attribute": "tlsh"
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "State of the LNK file",
"multiple": true,
"disable_correlation": true,
"values_list": [
"Malicious",
"Harmless",
"Trusted"
]
},
"lnk-creation-time": {
"description": "Creation time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-modification-time": {
"description": "Modification time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-access-time": {
"description": "Access time of the LNK",
"categories": [
"Other"
],
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"lnk-file-size": {
"description": "Size of the target file, in bytes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "size-in-bytes"
},
"lnk-icon-index": {
"description": "Icon index",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-show-window-value": {
"description": "Show Window value",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-hot-key-value": {
"description": "Hot Key value",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-file-attribute-flags": {
"description": "File attribute flags",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-drive-type": {
"description": "Drive type",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-drive-serial-number": {
"description": "Drive serial number",
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-volume-label": {
"description": "Volume label",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-local-path": {
"description": "Local path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-description": {
"description": "LNK description",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-relative-path": {
"description": "Relative path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-working-directory": {
"description": "LNK working path",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"lnk-command-line-arguments": {
"description": "LNK command line arguments",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"machine-identifier": {
"description": "Machine identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"droid-volume-identifier": {
"description": "Droid volume identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"droid-file-identifier": {
"description": "Droid file identifier (UUIDv1 where MAC can be extracted)",
"ui-priority": 0,
"misp-attribute": "text"
},
"birth-droid-volume-identifier": {
"description": "Droid volume identifier",
"ui-priority": 0,
"misp-attribute": "text"
},
"birth-droid-file-identifier": {
"description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)",
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)",
"meta-category": "file",
"uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09",
"name": "lnk"
}
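Review bot: the descriptions of the two birth-droid attributes at the end of the attributes block look like copy-paste leftovers. "birth-droid-volume-identifier" is described as "Droid volume identifier", identical to "droid-volume-identifier", and "birth-droid-file-identifier" is described as "Birth droid volume identifier (UUIDv1 where MAC can be extracted)" although it holds the file identifier. Suggest "Birth droid volume identifier" and "Birth droid file identifier (UUIDv1 where MAC can be extracted)" so the four droid fields can be told apart in the UI. Separately, "lnk-drive-serial-number" keeps correlation enabled while the neighbouring volume-label and path fields set "disable_correlation": true; if that is deliberate, a word in the description would help.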

View File

@ -1,7 +1,7 @@
{
"requiredOneOf": [
"filepath",
"file_activity",
"file-path",
"activityType",
"datetime"
],
"attributes": {
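Review bot: the two replacement keys in "requiredOneOf" use different naming styles, "file-path" (hyphenated) and "activityType" (camelCase). If the attribute keys further down the file really are spelled this way the list is now correct, but it is worth confirming against the attributes block, since a requiredOneOf entry that matches no attribute can never be satisfied. No version bump is visible in this file's diff; the other templates changed in this commit increment "version" when their required lists change.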

View File

@ -29,6 +29,17 @@
"Other"
]
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "State of the microblog post",
"disable_correlation": true,
"values_list": [
"Informative",
"Malicious",
"Unknown"
]
},
"username": {
"description": "Username who posted the microblog post (without the @ prefix)",
"ui-priority": 0,
@ -62,7 +73,7 @@
"misp-attribute": "text"
}
},
"version": 5,
"version": 6,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",

View File

@ -3,7 +3,7 @@
"uuid": "bf148c58-3e7e-414e-8de8-5d96379ca77e",
"meta-category": "network",
"description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition",
"version": 1,
"version": 2,
"attributes": {
"ip-dst": {
"misp-attribute": "ip-dst",
@ -70,6 +70,7 @@
"protocol": {
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"values_list": [
"TCP",
"UDP",
@ -133,18 +134,26 @@
"first-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 1,
"description": "First packet seen in this flow"
"description": "First packet seen in this flow",
"disable_correlation": true
},
"last-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "Last packet seen in this flow"
"description": "Last packet seen in this flow",
"disable_correlation": true
},
"community-id": {
"misp-attribute": "community-id",
"ui-priority": 0,
"description": "Community id of the represented flow"
}
},
"requiredOneOf": [
"first-packet-seen",
"ip-src",
"ip-dst",
"dst-port"
"dst-port",
"community-id"
]
}

View File

@ -3,7 +3,7 @@
"uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
"meta-category": "network",
"description": "A local or remote network connection.",
"version": 2,
"version": 3,
"attributes": {
"ip-src": {
"description": "Source IP address of the nework connection.",
@ -86,7 +86,13 @@
"first-packet-seen": {
"misp-attribute": "datetime",
"ui-priority": 1,
"description": "Datetime of the first packet seen."
"description": "Datetime of the first packet seen.",
"disable_correlation": true
},
"community-id": {
"misp-attribute": "community-id",
"ui-priority": 1,
"description": "Flow description as a community ID hash value"
}
},
"requiredOneOf": [
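Review bot: the new "community-id" attribute here is declared with "ui-priority": 1 and the description "Flow description as a community ID hash value", while the netflow template in the same commit adds the same attribute with "ui-priority": 0 and "Community id of the represented flow". Since both describe the same flow hash, suggest aligning priority and wording so the two templates present it the same way. Leaving correlation enabled on it while disabling it on "first-packet-seen" looks right.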
@ -94,6 +100,7 @@
"ip-src",
"ip-dst",
"src-port",
"dst-port"
"dst-port",
"community-id"
]
}

View File

@ -0,0 +1,75 @@
{
"requiredOneOf": [
"name",
"alias"
],
"attributes": {
"name": {
"description": "Name of the organization",
"disable_correlation": false,
"ui-priority": 100,
"misp-attribute": "text"
},
"alias": {
"description": "Alias of the organization",
"ui-priority": 99,
"misp-attribute": "text",
"multiple": true
},
"type-of-organizarion": {
"description": "Type of the organization",
"ui-priority": 97,
"misp-attribute": "text"
},
"date-of-inception": {
"description": "Date of inception of the organization",
"ui-priority": 0,
"misp-attribute": "date-of-birth"
},
"phone-number": {
"description": "Phone number of the organization.",
"ui-priority": 10,
"misp-attribute": "phone-number",
"multiple": true
},
"fax-number": {
"description": "Fax number of the organization.",
"ui-priority": 10,
"misp-attribute": "phone-number",
"multiple": true
},
"address": {
"description": "Postal address of the organization.",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"e-mail": {
"description": "Email address of the organization.",
"ui-priority": 10,
"misp-attribute": "email-src",
"multiple": true
},
"role": {
"description": "The role of the organization.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"values_list": [
"Suspect",
"Victim",
"Defendent",
"Accused",
"Culprit",
"Accomplice",
"Target"
],
"disable_correlation": true
}
},
"version": 1,
"description": "An object which describes an organization.",
"meta-category": "misc",
"uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
"name": "misc"
}
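Review bot: the final "name" field of this new template is "misc", the same value as "meta-category", while the description says it describes an organization; the name should presumably be "organization", otherwise the template is registered under the wrong identifier. Two spelling errors also end up in machine-readable positions: the attribute key "type-of-organizarion" and the role value "Defendent" in "values_list". Both are hard to fix after release because existing objects will carry the misspelled strings. Finally, "date-of-inception" is typed as "date-of-birth"; if no better attribute type exists, say so in the description.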

View File

@ -1,7 +1,7 @@
{
"requiredOneOf": [
"imported-sample",
"type"
"format"
],
"attributes": {
"imported-sample": {

View File

@ -88,6 +88,24 @@
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"offset": {
"description": "Sections offset",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "hex"
},
"virtual_address": {
"description": "Sections virtual address",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "hex"
},
"virtual_size": {
"description": "Sections virtual size",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "size-in-bytes"
},
"text": {
"description": "Free text value to attach to the section",
"disable_correlation": true,
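Review bot: the new keys "virtual_address" and "virtual_size" use underscores, while attribute keys elsewhere in this commit are hyphenated. Suggest "virtual-address" and "virtual-size" before this ships, since renaming an attribute key later breaks existing objects. The descriptions "Sections offset", "Sections virtual address" and "Sections virtual size" would read better as "Section's offset" and so on, and it would help to state whether "offset" is the raw file offset.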
@ -106,7 +124,7 @@
"misp-attribute": "text"
}
},
"version": 2,
"version": 3,
"description": "Object describing a section of a Portable Executable",
"meta-category": "file",
"uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a",

View File

@ -13,17 +13,17 @@
},
"last-name": {
"description": "Last name of a natural person.",
"ui-priority": 0,
"ui-priority": 100,
"misp-attribute": "last-name"
},
"middle-name": {
"description": "Middle name of a natural person.",
"ui-priority": 0,
"ui-priority": 99,
"misp-attribute": "middle-name"
},
"first-name": {
"description": "First name of a natural person.",
"ui-priority": 0,
"ui-priority": 98,
"misp-attribute": "first-name",
"disable_correlation": true
},
@ -34,13 +34,13 @@
},
"title": {
"description": "Title of the natural person such as Dr. or equivalent.",
"ui-priority": 0,
"ui-priority": 101,
"misp-attribute": "text",
"disable_correlation": true
},
"alias": {
"description": "Alias name or known as.",
"ui-priority": 0,
"ui-priority": 97,
"misp-attribute": "text",
"multiple": true
},
@ -63,7 +63,8 @@
"Male",
"Female",
"Other",
"Prefer not to say"
"Prefer not to say",
"Unknown"
],
"disable_correlation": true
},
@ -140,6 +141,24 @@
"misp-attribute": "text",
"multiple": true
},
"dni": {
"description": "Spanish National ID",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"nie": {
"description": "Foreign National ID (Spain)",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"nif": {
"description": "Tax ID Number (Spain)",
"ui-priority": 10,
"misp-attribute": "text",
"multiple": true
},
"e-mail": {
"description": "Email address of the person.",
"ui-priority": 10,
@ -164,12 +183,13 @@
"Accused",
"Culprit",
"Accomplice",
"Witness"
"Witness",
"Target"
],
"disable_correlation": true
}
},
"version": 8,
"version": 10,
"description": "An object which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
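Review bot: "version" goes from 8 to 10 in this hunk, skipping 9. If a version 9 was released from another branch this is fine; otherwise a single increment is enough and keeps the history easier to follow. The added "Target" role matches the value list of the new organization template, which is a good consistency point.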

View File

@ -0,0 +1,95 @@
{
"name": "phishing-kit",
"uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c",
"meta-category": "network",
"description": "Object to describe a phishing-kit.",
"version": 3,
"attributes": {
"internal reference": {
"categories": [
"Internal reference"
],
"misp-attribute": "text",
"ui-priority": 1,
"description": "Internal reference such as ticket ID"
},
"date-found": {
"multiple": true,
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "Date when the phishing kit was found",
"to_ids": false,
"disable_correlation": true
},
"reference-link": {
"to_ids": false,
"multiple": true,
"ui-priority": 1,
"misp-attribute": "link",
"description": "Link where the Phishing Kit was observed"
},
"threat-actor-email": {
"description": "Email of the Threat Actor",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "email-src"
},
"email-type": {
"description": "Type of the Email",
"multiple": false,
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"kit-mailer": {
"description": "Mailer Kit Used",
"multiple": true,
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"target": {
"description": "What was targeted using this phishing kit",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"phishing-domain": {
"description": "Domain used for Phishing",
"multiple": true,
"ui-priority": 1,
"misp-attribute": "url"
},
"online": {
"disable_correlation": true,
"misp-attribute": "text",
"values_list": [
"Yes",
"No"
],
"ui-priority": 0,
"description": "If the phishing kit is online and operational, by default is yes"
},
"kit-url": {
"misp-attribute": "url",
"ui-priority": 1,
"description": "URL of Phishing Kit"
},
"threat-actor": {
"description": "Identified threat actor",
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"kit-name": {
"description": "Name of the Phishing Kit",
"ui-priority": 10,
"misp-attribute": "text"
}
},
"requiredOneOf": [
"kit-url",
"reference-link",
"kit-name"
]
}
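Review bot: the attribute key "internal reference" contains a space, unlike every other key in this template ("date-found", "reference-link", "kit-url"); suggest "internal-reference". "phishing-domain" is described as "Domain used for Phishing" but typed as "misp-attribute": "url", so either the type should be "domain" or the description should say a URL is expected. The "online" description says the default is yes, but nothing in the definition expresses a default, so the statement will not be enforced. The file is new (@ -0,0) yet starts at "version": 3.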

View File

@ -3,16 +3,16 @@
"uuid": "02aeef94-ac23-455c-addb-731757ceafb5",
"meta-category": "misc",
"description": "Object describing a system process.",
"version": 3,
"version": 6,
"attributes": {
"creation-time": {
"description": "Local date/time at which the process was created.",
"description": "Local date/time at which the process was created",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"start-time": {
"description": "Local date/time at which the process was started.",
"description": "Local date/time at which the process was started",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
@ -23,26 +23,42 @@
"misp-attribute": "text"
},
"pid": {
"description": "Process ID of the process.",
"description": "Process ID of the process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"pgid": {
"description": "Identifier of the group of processes the process belong to",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"guid": {
"description": "The globally unique identifier of the assigned by the vendor product",
"ui-priority": 1,
"misp-attribute": "uuid"
},
"parent-pid": {
"description": "Process ID of the parent process.",
"description": "Process ID of the parent process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"parent-guid": {
"description": "The globally unique idenifier of the parent process assigned by the vendor product",
"ui-priority": 1,
"misp-attribute": "uuid"
},
"child-pid": {
"description": "Process ID of the child(ren) process.",
"description": "Process ID of the child(ren) process",
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"port": {
"description": "Port(s) owned by the process.",
"description": "Port(s) owned by the process",
"ui-priority": 1,
"misp-attribute": "src-port",
"multiple": true,
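Review bot: the description of the new "guid" attribute is garbled: "The globally unique identifier of the assigned by the vendor product" is missing its object, presumably "of the process". The matching "parent-guid" description has the typo "idenifier". Both are typed "uuid" with correlation left enabled, unlike the pid fields around them; it would be worth stating in the description that the value is vendor-assigned and only comparable within one product.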
@ -53,10 +69,16 @@
"ui-priority": 1,
"misp-attribute": "text"
},
"args": {
"description": "Arguments of the process",
"ui-priority": 1,
"misp-attribute": "text",
"disable_correlation": true
},
"current-directory": {
"description": "Current working directory of the process",
"ui-priority": 2,
"misp-attribute": "filename",
"misp-attribute": "text",
"disable_correlation": true
},
"image": {
@ -74,6 +96,16 @@
"ui-priority": 1,
"misp-attribute": "filename"
},
"parent-process-name": {
"description": "Process name of the parent",
"ui-priority": 1,
"misp-attribute": "text"
},
"parent-process-path": {
"description": "Parent process path of the parent",
"ui-priority": 1,
"misp-attribute": "text"
},
"user": {
"description": "User context of the process",
"ui-priority": 2,
@ -84,6 +116,19 @@
"description": "Integrity level of the process",
"ui-priority": 2,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"system",
"high",
"medium",
"low",
"untrusted"
]
},
"hidden": {
"description": "Specifies whether the process is hidden",
"ui-priority": 1,
"misp-attribute": "boolean",
"disable_correlation": true
}
},
@ -91,6 +136,7 @@
"name",
"pid",
"image",
"command-line"
"command-line",
"current-directory"
]
}
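Review bot: adding "current-directory" to "requiredOneOf" lets an object pass validation with only a working directory. Earlier in this diff that attribute is retyped from "filename" to "text" and keeps "disable_correlation": true, so such an object would contain nothing that correlates or identifies the process. Suggest keeping the list to "name", "pid", "image" and "command-line", or explaining the use case for a directory-only process object.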

View File

@ -1,7 +1,7 @@
{
"required": [
"source",
"type",
"event-type",
"name"
],
"attributes": {
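Review bot: this changes an entry in "required", not "requiredOneOf", so the rename from "type" to "event-type" is a hard constraint on every object built from the template. The attribute key itself is outside the visible hunk; please confirm it is already "event-type", and bump "version" so instances pick up the corrected list.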

View File

@ -77,11 +77,11 @@
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"version": 2,
"description": "Regripper Object template designed to present general system properties extracted from the system-hive.",
"meta-category": "misc",
"uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4",

View File

@ -86,11 +86,11 @@
"comment": {
"description": "Additional comments.",
"ui-priority": 0,
"misp-attribute": "",
"misp-attribute": "text",
"disable_correlation": true
}
},
"version": 1,
"version": 2,
"description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.",
"meta-category": "misc",
"uuid": "78cdae45-2061-4b49-b1d6-71f562094a73",

View File

@ -5,7 +5,7 @@
"attributes": {
"summary": {
"description": "Free text summary of the report",
"ui-priority": 1,
"ui-priority": 100,
"misp-attribute": "text",
"categories": [
"Other",
@ -21,6 +21,12 @@
"Internal reference",
"Other"
]
},
"report-file(s)": {
"description": "Attachment(s) that is related to the report",
"ui-priority": 99,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 1,
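Review bot: the context line "version": 1 shows that the template version is unchanged even though this diff adds an attribute and changes a ui-priority; other templates in the commit bump their version for comparable changes. The new key "report-file(s)" also contains parentheses, which is awkward for anything that addresses attributes by key; since "multiple": true already conveys plurality, "report-file" would do.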

View File

@ -0,0 +1,46 @@
{
"required": [
"rogue-dns"
],
"attributes": {
"timestamp": {
"description": "Last time that the rogue DNS value was seen.",
"ui-priority": 0,
"misp-attribute": "datetime",
"disable_correlation": true
},
"rogue-dns": {
"description": "IP address of the rogue DNS",
"ui-priority": 0,
"misp-attribute": "ip-dst"
},
"status": {
"description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.",
"ui-priority": 0,
"misp-attribute": "text",
"sane_default": [
"ROGUE DNS",
"Unknown"
],
"disable_correlation": true
},
"hijacked-domain": {
"description": "Domain/hostname hijacked by the the rogue DNS",
"categories": [
"Network activity"
],
"ui-priority": 1,
"misp-attribute": "hostname"
},
"phishing-ip": {
"description": "Resource records returns by the rogue DNS",
"ui-priority": 1,
"misp-attribute": "ip-dst"
}
},
"version": 1,
"description": "Rogue DNS as defined by CERT.br",
"meta-category": "network",
"uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505",
"name": "rogue-dns"
}
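Review bot: the "status" description ("How many authoritative DNS answers were received at the Passive DNS Server's collectors ...") does not match its "sane_default" values "ROGUE DNS" and "Unknown"; it reads like text carried over from a passive-DNS template and should describe the status of the resolver instead. Smaller wording issues: "hijacked by the the rogue DNS" has a doubled word and "Resource records returns by the rogue DNS" should be "returned". For "phishing-ip", the description could state that it is the address the rogue resolver hands out for the hijacked domain, which is what the name implies.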

View File

@ -8,7 +8,7 @@
"description": "Name of Sandbox software",
"disable_correlation": true,
"categories": [
"Sandbox detection"
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
@ -16,7 +16,7 @@
"signature": {
"description": "Name of detection signature - set the description of the detection signature as a comment",
"categories": [
"Sandbox detection"
"External analysis"
],
"ui-priority": 2,
"misp-attribute": "text",
@ -41,7 +41,7 @@
"misp-attribute": "datetime"
}
},
"version": 1,
"version": 2,
"description": "Sandbox detection signature",
"meta-category": "misc",
"uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb",

View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"c13-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"c13-value": {
"description": "C13 value (ppm) - C13 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average C13 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "5f71a99e-4a56-45b5-b7d6-19949d22409a",
"name": "scrippsco2-c13-daily"
}
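Review bot: "requiredOneOf" lists all six attributes, including "flag" and "number-flask", so an object holding only a flag and no measurement or date passes validation. Suggest requiring "c13-value" together with at least one of the three date fields. The description "M$Excel spreadsheet date format." would be clearer as "Microsoft Excel serial date". The same points apply to the other daily scrippsco2 templates added in this commit.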

View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-c13": {
"description": "Monthly C13 concentrations in micro-mol C13 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-c13-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-c13-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-c13-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average C13 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "812125c7-47de-4503-8bbc-19067d3a1c38",
"name": "scrippsco2-c13-monthly"
}
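Review bot: "required" makes all three date representations mandatory ("sample-datetime", "sample-date-excel", "sample-date-fractional") while none of the "monthly-c13*" values is required. A submitter must therefore enter the same date three times and may still leave out the measurement. Suggest requiring one date field plus "monthly-c13", and moving the alternative date formats to optional. The other monthly scrippsco2 templates in this commit follow the same pattern.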

View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"co2-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"co2-value": {
"description": "CO2 value (ppm) - CO2 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average CO2 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "0779baca-06b9-491e-9ab7-ccc3e1538fd3",
"name": "scrippsco2-co2-daily"
}

View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-co2": {
"description": "Monthly CO2 concentrations in micro-mol CO2 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-co2-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-co2-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-co2-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average CO2 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "3350fc46-7120-4fb1-b5b3-c931465c9b2a",
"name": "scrippsco2-co2-monthly"
}

View File

@ -0,0 +1,53 @@
{
"requiredOneOf": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional",
"number-flask",
"flag",
"o18-value"
],
"attributes": {
"sample-datetime": {
"description": "Datetime the sample has been taken",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"number-flask": {
"description": "Number of flasks used in daily average.",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 1
},
"flag": {
"description": "Flag (see taxonomy for details).",
"misp-attribute": "counter",
"disable_correlation": true,
"ui-priority": 0
},
"o18-value": {
"description": "O18 value (ppm) - O18 concentrations are measured on the '08A' Calibration Scale",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Daily average O18 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "8b6878a7-577d-4845-b165-ead6e58bec04",
"name": "scrippsco2-o18-daily"
}

View File

@ -0,0 +1,56 @@
{
"required": [
"sample-datetime",
"sample-date-excel",
"sample-date-fractional"
],
"attributes": {
"sample-datetime": {
"description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.",
"ui-priority": 1,
"misp-attribute": "datetime",
"disable_correlation": true
},
"sample-date-excel": {
"description": "M$Excel spreadsheet date format.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"sample-date-fractional": {
"description": "Decimal year and fractional year.",
"ui-priority": 1,
"misp-attribute": "float",
"disable_correlation": true
},
"monthly-o18": {
"description": "Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-o18-seasonal-adjustment": {
"description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 0
},
"monthly-o18-smoothed": {
"description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
},
"monthly-o18-smoothed-seasonal-adjustment": {
"description": "Same smoothed version with the seasonal cycle removed.",
"misp-attribute": "float",
"disable_correlation": true,
"ui-priority": 1
}
},
"version": 2,
"description": "Monthly average O18 concentrations (ppm) derived from flask air samples.",
"meta-category": "climate",
"uuid": "86bd588b-cd0c-486a-8ea0-17fd95312fa0",
"name": "scrippsco2-o18-monthly"
}

View File

@ -1,6 +1,7 @@
{
"required": [
"script"
"requiredOneOf": [
"script",
"filename"
],
"attributes": {
"script": {
@ -55,7 +56,7 @@
]
}
},
"version": 2,
"version": 4,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",

View File

@ -0,0 +1,62 @@
{
"requiredOneOf": [
"shell-command"
],
"attributes": {
"script": {
"description": "Free text of the script if available which executed the shell commands.",
"ui-priority": 10,
"misp-attribute": "text"
},
"comment": {
"description": "Comment associated to the shell commands executed.",
"ui-priority": 1,
"misp-attribute": "text"
},
"language": {
"description": "Scripting language used for the shell commands executed.",
"ui-priority": 9,
"misp-attribute": "text",
"disable_correlation": true,
"sane_default": [
"PowerShell",
"VBScript",
"Bash",
"Lua",
"JavaScript",
"AppleScript",
"AWK",
"Python",
"Perl",
"Ruby",
"Winbatch",
"AutoIt",
"PHP"
]
},
"shell-command": {
"description": "",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"state": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "Known state of the script.",
"multiple": true,
"disable_correlation": true,
"values_list": [
"Malicious",
"Unknown",
"Harmless",
"Trusted"
]
}
},
"version": 1,
"description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.",
"meta-category": "misc",
"uuid": "fee65efa-eb64-4516-8611-1db76c589f79",
"name": "shell-commands"
}
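Review bot: "shell-command" is the only entry in "requiredOneOf" and therefore the core attribute of the template, yet its "description" is an empty string. Please describe what goes in it (one command per attribute value, given "multiple": true) and whether order matters, since the template description talks about a series of commands. With a single entry, "required" would express the constraint more directly than "requiredOneOf". It is also worth deciding whether "shell-command" should correlate, because common commands will link unrelated events.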

View File

@ -0,0 +1,70 @@
{
"required": [
"ip"
],
"requiredOneOf": [
"hostname",
"org",
"port",
"banner"
],
"attributes": {
"text": {
"description": "A description of the report",
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"ip": {
"description": "IP Address Queried",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst"
},
"hostname": {
"description": "Hostnames found",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "domain",
"multiple": true
},
"org": {
"description": "Associated Organization",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
},
"port": {
"description": "Listening Port",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "port"
},
"banner": {
"description": "server banner reported",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Shodan Report for a given IP",
"meta-category": "network",
"uuid": "10b03d93-3694-4a79-9cd1-4a273746303a",
"name": "shodan-report"
}
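Review bot: "port" and "banner" are declared without "multiple": true while "hostname" has it, so one object can carry only a single port and banner for the required "ip". Either allow multiples or state in the description that one object represents one service on the IP. "hostname" is typed "misp-attribute": "domain", whereas the ssh-authorized-keys template in this commit types its "hostname" attribute as "hostname"; suggest using the same type in both. The banner description should start with a capital letter like the others.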

View File

@ -0,0 +1,72 @@
{
"requiredOneOf": [
"ip",
"hostname",
"full-line",
"key"
],
"attributes": {
"text": {
"description": "A description of the ssh authorized keys",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"recommended": false
},
"last-seen": {
"description": "Last time the ssh authorized keys file has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "First time the ssh authorized keys file has been seen",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"full-line": {
"description": "One full-line of the authorized key file",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"key": {
"description": "Public key in base64 as found in the authorized key file",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"key-id": {
"description": "Key-id and option part of the public key line",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"hostname": {
"description": "hostname",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "hostname",
"multiple": true
},
"ip": {
"description": "IP Address",
"categories": [
"Network activity",
"External analysis"
],
"ui-priority": 1,
"misp-attribute": "ip-dst",
"multiple": true
}
},
"version": 1,
"description": "An object to store ssh authorized keys file.",
"meta-category": "network",
"uuid": "d1db3e4d-c932-4d8b-a915-4cff088cb678",
"name": "ssh-authorized-keys"
}

View File

@ -0,0 +1,41 @@
{
"requiredOneOf": [
"address",
"first-seen",
"last-seen",
"description"
],
"required": [
"address"
],
"attributes": {
"description": {
"description": "Tor onion service comment.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"address": {
"description": "onion address of the Tor node seen.",
"ui-priority": 1,
"misp-attribute": "text"
},
"last-seen": {
"description": "When the Tor hidden service was seen for the last time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"first-seen": {
"description": "When the Tor hidden service was been seen for the first time.",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
}
},
"version": 1,
"description": "Tor hidden service (onion service) object.",
"meta-category": "misc",
"uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330",
"name": "tor-hiddenservice"
}
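Review bot: "address" appears in both "required" and "requiredOneOf". Because it is required, the requiredOneOf condition is always satisfied and the list adds nothing; suggest dropping "requiredOneOf" here. The "address" description speaks of "the Tor node seen" while the template describes an onion service, so "Onion address of the Tor hidden service" would be more accurate, and "was been seen" in "first-seen" should be "was seen".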

View File

@ -0,0 +1,137 @@
{
"name": "user-account",
"uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3",
"meta-category": "misc",
"description": "",
"version": 1,
"requiredOneOf": [
"password",
"username",
"user-id"
],
"attributes": {
"text": {
"description": "A description of the user account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"username": {
"description": "Username related to the password.",
"ui-priority": 1,
"misp-attribute": "text"
},
"user-id": {
"description": "Identifier of the account.",
"ui-priority": 1,
"misp-attribute": "text"
},
"password": {
"description": "Password related to the username.",
"ui-priority": 1,
"misp-attribute": "text"
},
"display-name": {
"description": "Display name of the account.",
"ui-priority": 1,
"misp-attribute": "text"
},
"account-type": {
"description": "Type of the account.",
"ui-priority": 1,
"misp-attribute": "text",
"sane_default": [
"facebook",
"ldap",
"nis",
"openid",
"radius",
"skype",
"tacacs",
"twitter",
"unix",
"windows-local",
"windows-domain"
]
},
"is_service_account": {
"description": "Specifies if the account is associated with a network service.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"privileged": {
"description": "Specifies if the account has privileges such as root rights.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"can_escalate_privs": {
"description": "Specifies if the account has the ability to escalate privileges.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"disabled": {
"description": "Specifies if the account is desabled.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "boolean"
},
"created": {
"description": "Creation time of the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"expires": {
"description": "Expiration time of the account",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"first_login": {
"description": "First time someone logged in to the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"last_login": {
"description": "Last time someone logged in to the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"password_last_changed": {
"description": "Last time the password has been changed.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "datetime"
},
"group-id": {
"description": "Identifier of the primary group of the account, in case of a UNIX account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"group": {
"description": "UNIX group(s) the account is member of.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text",
"multiple": true
},
"home_dir": {
"description": "Home directory of the UNIX account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
},
"shell": {
"description": "UNIX command shell of the account.",
"disable_correlation": true,
"ui-priority": 1,
"misp-attribute": "text"
}
}
}
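Review bot: the object-level `"description": ""` is empty, so the generated documentation and the MISP UI will show nothing for user-account; add a one-line summary. In the attributes, the `disabled` description has the typo "desabled", and the names mix hyphens (`user-id`, `display-name`, `group-id`) with underscores (`is_service_account`, `can_escalate_privs`, `home_dir`); pick one style, since attribute names are hard to rename once objects are in circulation. `password` is a correlatable `text` attribute, so state in its description whether cleartext values are expected here.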

View File

@ -1,11 +1,15 @@
{
"requiredOneOf": [
"description",
"year",
"make",
"model",
"license-plate-number",
"vin"
"vin",
"dyno-power",
"date-first-registration",
"image-url",
"gearbox",
"indicative-value"
],
"attributes": {
"description": {
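Review bot: `requiredOneOf` still lists `"year"`, but the next hunk of this file removes the `year` attribute definition, leaving the list pointing at an attribute that no longer exists in the template. Remove `"year"` from `requiredOneOf`, or keep the attribute if existing objects rely on it.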
@ -14,12 +18,6 @@
"misp-attribute": "text",
"disable_correlation": true
},
"year": {
"description": "Year of manufacturing of the vehicle",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"make": {
"description": "Manufacturer of the vehicle",
"ui-priority": 0,
@ -42,9 +40,39 @@
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"dyno-power": {
"description": "Dyno power output",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"date-first-registration": {
"description": "Date of first registration",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"image-url": {
"description": "Image URL",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"gearbox": {
"description": "Gearbox",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"indicative-value": {
"description": "Indicative value",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
}
},
"version": 1,
"version": 2,
"description": "Vehicle object template to describe a vehicle information and registration",
"meta-category": "misc",
"uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
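Review bot: all five new attributes are declared `"multiple": true` and typed `text`, which does not fit `date-first-registration` (a vehicle has a single first-registration date, and a date type would allow range queries) or `image-url` (a URL type would fit better than free text). None of them sets `disable_correlation`, so low-entropy values such as a gearbox type or an indicative value will correlate across unrelated events; the existing `description` attribute in this template already sets `"disable_correlation": true` and the new fields should probably follow it.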

View File

@ -0,0 +1,52 @@
{
"requiredOneOf": [
"id",
"name",
"description"
],
"attributes": {
"id": {
"description": "Weakness ID (generally CWE).",
"ui-priority": 0,
"misp-attribute": "text"
},
"description": {
"description": "Description of the weakness.",
"ui-priority": 0,
"misp-attribute": "text"
},
"name": {
"description": "Name of the weakness.",
"ui-priority": 0,
"misp-attribute": "text"
},
"status": {
"description": "Status of the weakness.",
"ui-priority": 0,
"sane_default": [
"Incomplete",
"Deprecated",
"Draft",
"Usable"
],
"disable_correlation": true,
"misp-attribute": "text"
},
"weakness-abs": {
"description": "Abstraction of the weakness.",
"ui-priority": 0,
"sane_default": [
"Class",
"Base",
"Variant"
],
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.",
"meta-category": "vulnerability",
"uuid": "b8713fc0-d7a2-4b27-a182-38ed47966802",
"name": "weakness"
}
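Review bot: the object description ends with "software, equipment of hardware", which looks like a typo for "or hardware". The `id` description says "generally CWE" but gives no expected format; an example such as "CWE-79" in the description would keep values consistent across producers.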

View File

@ -3,7 +3,8 @@
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"serial-number"
"serial-number",
"issuer"
],
"attributes": {
"subject": {
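Review bot: adding `"issuer"` to `requiredOneOf` lets an x509 object consist of nothing but an issuer string, which does not identify a certificate the way the fingerprints or serial number in the same list do. A later hunk in this file also sets `disable_correlation` on `issuer`, so such an object would neither identify nor correlate; consider leaving `issuer` out of `requiredOneOf`.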
@ -14,12 +15,14 @@
"pubkey-info-algorithm": {
"description": "Algorithm of the public key",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"pubkey-info-size": {
"description": "Length of the public key (in bits)",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"pubkey-info-exponent": {
"description": "Exponent of the public key",
@ -59,24 +62,27 @@
"misp-attribute": "text"
},
"text": {
"description": "Free text description of hte certificate",
"description": "Free text description of the certificate",
"ui-priority": 1,
"misp-attribute": "text"
},
"validity-not-before": {
"description": "Certificate invalid before that date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"validity-not-after": {
"description": "Certificate invalid after that date",
"ui-priority": 0,
"misp-attribute": "datetime"
"misp-attribute": "datetime",
"disable_correlation": true
},
"issuer": {
"description": "Issuer of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"serial-number": {
"description": "Serial number of the certificate",
@ -86,26 +92,39 @@
"version": {
"description": "Version of the certificate",
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"self_signed": {
"description": "Self-signed certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
"misp-attribute": "boolean",
"disable_correlation": true
},
"is_ca": {
"description": "CA certificate",
"ui-priority": 0,
"misp-attribute": "boolean"
"misp-attribute": "boolean",
"disable_correlation": true
},
"dns_names": {
"description": "DNS names",
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0
},
"signature_algorithm": {
"description": "Signature algorithm",
"misp-attribute": "text",
"ui-priority": 0,
"disable_correlation": true,
"sane_default": [
"SHA1_WITH_RSA_ENCRYPTION",
"SHA256_WITH_RSA_ENCRYPTION"
]
}
},
"version": 7,
"version": 9,
"description": "x509 object describing a X.509 certificate",
"meta-category": "network",
"uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
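Review bot: the `sane_default` list for `signature_algorithm` offers only `SHA1_WITH_RSA_ENCRYPTION` and `SHA256_WITH_RSA_ENCRYPTION`, so ECDSA and SHA-384/512 certificates have no suggested value and producers will invent their own spellings; extend the list or document the naming scheme. `dns_names` is typed `text` where a hostname or domain type would correlate better against network attributes, and the version goes from 7 to 9 with no 8 in between, which is worth confirming as intentional.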

View File

@ -1,6 +1,7 @@
{
"requiredOneOf": [
"yara"
"yara",
"yara-rule-name"
],
"attributes": {
"comment": {
@ -13,6 +14,11 @@
"ui-priority": 0,
"misp-attribute": "yara"
},
"yara-rule-name": {
"description": "YARA rule name.",
"ui-priority": 0,
"misp-attribute": "text"
},
"version": {
"sane_default": [
"3.7.1"
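Review bot: `yara-rule-name` is a plain `text` attribute with correlation left enabled, and together with the first hunk it becomes sufficient on its own to satisfy `requiredOneOf`. Rule names are often generic, so either set `"disable_correlation": true` or say in the description that the name is meant to be a matching key when the rule body is not shared.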
@ -33,8 +39,8 @@
"ui-priority": 0
}
},
"version": 3,
"description": "An object describing a YARA rule along with its version.",
"version": 4,
"description": "An object describing a YARA rule (or a YARA rule name) along with its version.",
"meta-category": "misc",
"uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
"name": "yara"

View File

@ -10,6 +10,13 @@
"alfred"
]
},
{
"name": "executes",
"description": "This relationship describes an object which executes another object",
"format": [
"misp"
]
},
{
"name": "duplicate-of",
"description": "The referenced source and target objects are semantically duplicates of each other.",
@ -222,6 +229,13 @@
"stix-2.0"
]
},
{
"name": "retrieved-from",
"description": "This relationship describes an object retrieved from the target object.",
"format": [
"misp"
]
},
{
"name": "authored-by",
"description": "This relationship describes the author of a specific object.",
@ -243,6 +257,13 @@
"misp"
]
},
{
"name": "includes",
"description": "This relationship describes an object that includes an other object.",
"format": [
"misp"
]
},
{
"name": "analysed-with",
"description": "This relationship describes an object analysed by another object.",
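Review bot: the `includes` description reads "includes an other object"; it should be "another object", matching the wording used by the neighbouring `executes` and `analysed-with` entries.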
@ -941,6 +962,21 @@
"format": [
"misp"
]
},
{
"name": "creates",
"description": "Represents an object that creates something.",
"format": [
"misp",
"haxpak"
]
},
{
"name": "screenshot-of",
"description": "Represents an object being the screenshot of something.",
"format": [
"misp"
]
}
],
"description": "Default type of relationships in MISP objects.",
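Review bot: the `creates` and `screenshot-of` descriptions use "Represents an object ..." while the other entries added in this file use "This relationship describes ..."; align the wording, and name the target the way the others do ("an object which creates another object"). `creates` also lists the format `"haxpak"` next to `"misp"`; confirm that value is among the formats the file already uses, since the other new entries only declare `"misp"`.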

View File

@ -68,7 +68,8 @@
"financial",
"misc",
"internal",
"vulnerability"
"vulnerability",
"climate"
]
},
"name": {

View File

@ -3,7 +3,7 @@
#
#
# A simple converter of MISP objects to asciidoctor format
# Copyright (C) 2017-2018 Alexandre Dulaunoy
# Copyright (C) 2017-2019 Alexandre Dulaunoy
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
@ -73,12 +73,14 @@ def asciidoc(content=False, adoc=None, t='title',title=''):
if t == 'title':
output = '== ' + content
elif t == 'info':
content = content.rstrip('\.')
output = "\n{}.\n\n{} {} {}{}/definition.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a MISP object available in JSON format at https://github.com/MISP/misp-objects/blob/master/objects/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]')
elif t == 'author':
output = '\nauthors:: {}\n'.format(' - '.join(content))
elif t == 'value':
output = '=== ' + content
elif t == 'description':
content = content.rstrip('\.')
output = '\n{}\n'.format(content)
elif t == 'attributes':
#output = '\n{}\n'.format
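Review bot: `content.rstrip('\.')` in the 'info' and 'description' branches passes a two-character set, because `\.` is not a valid escape in a normal string literal and is kept as a backslash followed by a dot; it therefore strips trailing backslashes as well as dots and triggers an invalid-escape warning on current Python versions. Use `content.rstrip('.')`. The 'info' branch re-adds the period in its format string, but the 'description' branch does not, so descriptions that ended with a period now lose it; confirm that is the intended output.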