diff --git a/README.md b/README.md index f1cf85f..2636538 100644 --- a/README.md +++ b/README.md @@ -70,9 +70,12 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/ais-info](objects/ais-info/definition.json) - Object describing Automated Indicator Sharing (AIS) information source markings. * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file). * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. +* [objects/authenticode-signerinfo](objects/authenticode-signerinfo/definition.json) - Authenticode signer info. * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature. * [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0. * [objects/bgp-hijack](objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com +* [objects/btc-transaction](objects/btc-transaction/definition.json) - Object describing BTC transaction (often attached to a btc-wallet object. +* [objects/btc-wallet](objects/btc-wallet/definition.json) - Object describing a BTC wallet. * [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. * [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. * [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. 
@@ -82,11 +85,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions. * [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s). * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. +* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike. * [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network. +* [objects/dns-record](objects/dns-record/definition.json) - A DNS record object to describe the associated records for a domain. * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame. * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF). * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF). * [objects/email](objects/email/definition.json) - An email object. +* [objects/employee](objects/employee/definition.json) - An employee object. * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. * [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object. * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object. 
@@ -96,11 +102,13 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location. * [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network. * [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object. +* [objects/imsi-catcher](objects/imsi-catcher/definition.json) - Object describing IMSI catcher associated event. * [objects/interpol-notice](objects/interpol-notice/definition.json) - Object used to represent an Interpol notice * [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com). * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame. * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way. * [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation. +* [objects/lnk](objects/lnk/definition.json) - Object describing a Windows LNK (Windows Shortcut) file. * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format. * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format. * [objects/mactime-timeline-analysis](objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity. 
@@ -111,12 +119,14 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection. * [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure. * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP. +* [objects/organization](objects/organization/definition.json) - An object which describes an organization. * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01). * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts. * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object. * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description. * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity. * [objects/phishing](objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. +* [objects/phishing-kit](objects/phishing-kit/definition.json) - Object to describe a phishing kit. * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object. * [objects/process](objects/process/definition.json) - A process object. * [objects/regexp](objects/regexp/definition.json) - An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. 
@@ -128,20 +138,25 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +* [objects/shell-commands](objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. +* [objects/shodan](objects/shodan/definition.json) - A shodan object to describe a shodan report. * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. +* [objects/ssh-authorized-keys](objects/ssh-authorized-keys/definition.json) - SSH authorized keys object to store keys and option from SSH authorized_keys file. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. 
* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timesketch-timeline](objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. +* [objects/tor-hiddenservice](objects/tor-hiddenservice/definition.json) - Tor hidden service (Onion Service) object to describe a Tor hidden service. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. +* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc). * [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. diff --git a/objects/annotation/definition.json b/objects/annotation/definition.json index d062eca..cfadfc1 100644 --- a/objects/annotation/definition.json 
+++ b/objects/annotation/definition.json @@ -61,6 +61,12 @@ "description": "Last update of the annotation", "ui-priority": 0, "misp-attribute": "datetime" + }, + "attachment": { + "description": "An attachment to support the annotation", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true } }, "version": 2, diff --git a/objects/attack-pattern/definition.json b/objects/attack-pattern/definition.json new file mode 100644 index 0000000..322555b --- /dev/null +++ b/objects/attack-pattern/definition.json @@ -0,0 +1,45 @@ +{ + "requiredOneOf": [ + "name", + "id" + ], + "attributes": { + "id": { + "description": "CAPEC ID.", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "name": { + "description": "Name of the attack pattern.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "summary": { + "description": "Summary description of the attack pattern.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "prerequisites": { + "description": "Prerequisites for the attack pattern to succeed.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "solutions": { + "description": "Solutions for the attack pattern to be countered.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "related-weakness": { + "description": "Weakness related to the attack pattern.", + "ui-priority": 0, + "multiple": true, + "misp-attribute": "weakness" + } + }, + "version": 1, + "description": "Attack pattern describing a common attack pattern enumeration and classification.", + "meta-category": "vulnerability", + "uuid": "35928348-56be-4d7f-9752-a80927936351", + "name": "attack-pattern" +} diff --git a/objects/authenticode-signerinfo/definition.json b/objects/authenticode-signerinfo/definition.json new file mode 100644 index 0000000..7010ce9 --- /dev/null +++ b/objects/authenticode-signerinfo/definition.json 
@@ -0,0 +1,62 @@ +{ + "requiredOneOf": [ + "url", + "program-name" + ], + "attributes": { + "text": { + "description": "Free text description of the signer info", + "ui-priority": 1, + "misp-attribute": "text" + }, + "issuer": { + "description": "Issuer of the certificate", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "version": { + "description": "Version of the certificate", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "url": { + "description": "Url", + "multiple": true, + "misp-attribute": "url", + "ui-priority": 0 + }, + "content-type": { + "description": "Content type", + "misp-attribute": "text", + "ui-priority": 0 + }, + "program-name": { + "description": "Program name", + "misp-attribute": "text", + "ui-priority": 0 + }, + "digest_algorithm": { + "description": "Digest algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "signature_algorithm": { + "description": "Signature algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true, + "sane_default": [ + "SHA1_WITH_RSA_ENCRYPTION", + "SHA256_WITH_RSA_ENCRYPTION" + ] + } + }, + "version": 1, + "description": "Authenticode Signer Info", + "meta-category": "file", + "uuid": "965cb0aa-baf1-4cc6-9070-68f5c1698c1e", + "name": "authenticode-signerinfo" +} diff --git a/objects/btc-transaction/definition.json b/objects/btc-transaction/definition.json new file mode 100644 index 0000000..109b70b --- /dev/null +++ b/objects/btc-transaction/definition.json 
@@ -0,0 +1,51 @@ +{ + "requiredOneOf": [ + "transaction-number", + "time", + "value_BTC" + ], + "attributes": { + "transaction-number": { + "description": "A Bitcoin transaction number in a sequence of transactions", + "ui-priority": 0, + "disable_correlation": true, + "multiple": true, + "misp-attribute": "text" + }, + "time": { + "description": "Date and time of transaction", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "value_BTC": { + "description": "Value in BTC at date/time displayed in field 'time'", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "value_EUR": { + "description": "Value in EUR with conversion rate as of date/time displayed in field 'time'", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "value_USD": { + "description": "Value in USD with conversion rate as of date/time displayed in field 'time'", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "btc-address": { + "description": "A Bitcoin transactional address", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "btc" + } + }, + "version": 4, + "description": "An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.", + "meta-category": "financial", + "uuid": "B7341729-5A8A-439F-A775-6D814DA3C7B5", + "name": "btc-transaction" +} diff --git a/objects/btc-wallet/definition.json b/objects/btc-wallet/definition.json new file mode 100644 index 0000000..e73bdef --- /dev/null +++ b/objects/btc-wallet/definition.json 
@@ -0,0 +1,41 @@ +{ + "requiredOneOf": [ + "wallet-address" + ], + "attributes": { + "wallet-address": { + "description": "A Bitcoin wallet address", + "ui-priority": 0, + "misp-attribute": "btc" + }, + "balance_BTC": { + "description": "Value in BTC at date/time displayed in field 'time'", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "BTC_received": { + "description": "Value of received BTC", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "BTC_sent": { + "description": "Value of sent BTC", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "float" + }, + "time": { + "description": "Date and time of lookup/conversion", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + } + }, + "version": 2, + "description": "An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.", + "meta-category": "financial", + "uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4", + "name": "btc-wallet" +} diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json index ee5b157..b2099e0 100644 --- a/objects/course-of-action/definition.json +++ b/objects/course-of-action/definition.json @@ -53,7 +53,8 @@ "disable_correlation": true, "sane_default": [ "Remedy", - "Response" + "Response", + "Further Analysis Required" ] }, "cost": { diff --git a/objects/credential/definition.json b/objects/credential/definition.json index 5ea36ea..0a4f7a9 100644 --- a/objects/credential/definition.json +++ b/objects/credential/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "password" + "password", + "username" ], "attributes": { "text": { @@ -67,7 +68,7 @@ ] } }, - "version": 2, + "version": 3, "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).", "meta-category": "misc", "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09", 
diff --git a/objects/credit-card/definition.json b/objects/credit-card/definition.json index 0be416f..2a2e36b 100644 --- a/objects/credit-card/definition.json +++ b/objects/credit-card/definition.json @@ -3,6 +3,16 @@ "cc-number" ], "attributes": { + "iin": { + "description": "International Issuer Number (First eight digits of the credit card number", + "ui-priority": 0, + "misp-attribute": "text" + }, + "bank_name": { + "description": "Name of the bank which have issued the card", + "ui-priority": 0, + "misp-attribute": "text" + }, "version": { "description": "Version of the card.", "ui-priority": 0, @@ -39,7 +49,7 @@ "misp-attribute": "cc-number" } }, - "version": 2, + "version": 3, "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.", "meta-category": "financial", "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7", diff --git a/objects/device/definition.json b/objects/device/definition.json new file mode 100644 index 0000000..d9f05d5 --- /dev/null +++ b/objects/device/definition.json 
@@ -0,0 +1,87 @@ +{ + "requiredOneOf": [ + "name", + "alias" + ], + "attributes": { + "description": { + "description": "Description of the Device", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "name": { + "description": "Name of the Device", + "ui-priority": 101, + "misp-attribute": "text" + }, + "alias": { + "description": "Alias of the Device", + "ui-priority": 100, + "misp-attribute": "text", + "multiple": true + }, + "device-type": { + "description": "Type of the device", + "ui-priority": 99, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "PC", + "Mobile", + "Laptop", + "HID", + "TV", + "IoT", + "Hardware", + "Other" + ] + }, + "OS": { + "description": "OS of the device", + "ui-priority": 98, + "misp-attribute": "text", + "disable_correlation": true, + "multiple": true + }, + "version": { + "description": "Version of the device/ OS", + "ui-priority": 97, + "misp-attribute": "text", + "disable_correlation": true + }, + "ip-address": { + "description": "Device IP address", + "ui-priority": 0, + "misp-attribute": "ip-src", + "multiple": true + }, + "dns-name": { + "description": "Device DNS Name", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "MAC-address": { + "description": "Device MAC address", + "ui-priority": 0, + "misp-attribute": "mac-address" + }, + "analysis-date": { + "description": "Date of device analysis", + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "attachment": { + "description": "An attachment", + "ui-priority": 0, + "misp-attribute": "attachment", + "multiple": true + } + }, + "version": 7, + "description": "An object to define a device", + "meta-category": "misc", + "uuid": "0c64b41a-e583-4f4d-ac92-d484163b9e52", + "name": "device" +} diff --git a/objects/dns-record/definition.json b/objects/dns-record/definition.json new file mode 100644 index 0000000..8c4d5c1 --- /dev/null +++ b/objects/dns-record/definition.json 
@@ -0,0 +1,62 @@ +{ + "required": [ + "queried-domain" + ], + "requiredOneOf": [ + "a-record", + "mx-record", + "ns-record" + ], + "attributes": { + "text": { + "description": "A description of the records", + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "queried-domain": { + "description": "Domain name", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain" + }, + "a-record": { + "description": "IP Address sassociated with A Records", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + }, + "mx-record": { + "description": "Domain associated with MX Record", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain", + "multiple": true + }, + "ns-record": { + "description": "Domain associated with NS Records", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain", + "multiple": true + } + }, + "version": 1, + "description": "A set of dns records observed for a specific domain.", + "meta-category": "network", + "uuid": "f023c8f0-81ab-41f3-9f5d-fa597a34a9b9", + "name": "dns-record" +} diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json index 8e56f07..fe12939 100644 --- a/objects/domain-ip/definition.json +++ b/objects/domain-ip/definition.json @@ -23,6 +23,12 @@ "ui-priority": 0, "misp-attribute": "datetime" }, + "registration-date": { + "description": "Registration date of domain", + "disable_correlation": false, + "ui-priority": 0, + "misp-attribute": "datetime" + }, "domain": { "description": "Domain name", "categories": [ diff --git a/objects/employee/definition.json b/objects/employee/definition.json new file mode 100644 index 0000000..8db5a4e --- /dev/null +++ b/objects/employee/definition.json 
@@ -0,0 +1,66 @@ +{ + "required": [ + "email-address" + ], + "attributes": { + "text": { + "description": "A description of the person or identity.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "last-name": { + "description": "Last name Employee", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "last-name" + }, + "first-name": { + "description": "First name of Employee", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "first-name" + }, + "email-address": { + "description": "Employee Email Address", + "ui-priority": 0, + "misp-attribute": "target-email" + }, + "userid": { + "description": "EMployee user identification", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "target-user" + }, + "primary-asset": { + "description": "Asset tag of the primary asset assigned to employee", + "ui-priority": 0, + "misp-attribute": "target-machine" + }, + "business-unit": { + "description": "the organizational business unit associated with the employee", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "target-org" + }, + "employee-type": { + "description": "type of employee", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text", + "values_list": [ + "Mid-Level Manager", + "Senior Manager", + "Non-Manager", + "Supervisor", + "First-Line Manager", + "Director" + ] + } + }, + "version": 1, + "description": "An employee and related data points", + "meta-category": "misc", + "uuid": "443b2f15-d7c9-4d3d-bfd2-38f099753e83", + "name": "employee" +} diff --git a/objects/file/definition.json b/objects/file/definition.json index 7c79f77..944834c 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -14,8 +14,9 @@ "sha512/256", "tlsh", "pattern-in-file", - "x509-fingerprint-sha1", + "certificate", "malware-sample", + "attachment", "path", "fullpath" ], 
@@ -112,6 +113,11 @@ "ui-priority": 1, "misp-attribute": "malware-sample" }, + "attachment": { + "description": "A non-malicious file.", + "ui-priority": 1, + "misp-attribute": "attachment" + }, "filename": { "description": "Filename on disk", "disable_correlation": true, @@ -436,7 +442,7 @@ ] } }, - "version": 16, + "version": 17, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", diff --git a/objects/imsi-catcher/definition.json b/objects/imsi-catcher/definition.json new file mode 100644 index 0000000..061ebc5 --- /dev/null +++ b/objects/imsi-catcher/definition.json 
@@ -0,0 +1,89 @@ +{ + "requiredOneOf": [ + "text", + "first-seen", + "imsi" + ], + "attributes": { + "imsi": { + "description": "A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "tmsi-1": { + "description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "tmsi-2": { + "description": "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "country": { + "description": "Country where the IMSI is registered.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "brand": { + "description": "Brand associated with the IMSI registration.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "operator": { + "description": "Operator associated with the IMSI registration.", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "mcc": { + "description": "MCC - Mobile Country Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "mnc": { + "description": "MNC - Mobile Network Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "lac": { + "description": "LAC - Location Area Code", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "cellid": { + "description": "CellID", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true + }, + "text": { + "description": "A description of the IMSI record.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "first-seen": { + "description": "When the IMSI has been 
accessible or seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "seq": { + "description": "A sequence number for the collection", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "counter" + } + }, + "version": 1, + "description": "IMSI Catcher entry object based on the open source IMSI cather", + "meta-category": "misc", + "uuid": "a64f21b1-2f1b-4298-8243-c45db2c4aa7c", + "name": "imsi-catcher" +} diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index a91ed90..bb9a1f6 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -4,7 +4,9 @@ "src-port", "domain", "hostname", - "ip" + "ip", + "ip-src", + "ip-dst" ], "attributes": { "text": { @@ -74,9 +76,29 @@ "ui-priority": 1, "misp-attribute": "ip-dst", "multiple": true + }, + "ip-src": { + "description": "source IP address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-src", + "multiple": true + }, + "ip-dst": { + "description": "destination IP address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true } }, - "version": 7, + "version": 8, "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", diff --git a/objects/irc/definition.json b/objects/irc/definition.json new file mode 100644 index 0000000..a371761 --- /dev/null +++ b/objects/irc/definition.json 
@@ -0,0 +1,76 @@ +{ + "requiredOneOf": [ + "ip", + "hostname", + "channel", + "nickname" + ], + "attributes": { + "text": { + "description": "Description of the IRC server", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "last-seen": { + "description": "Last time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "First time the IRC server with the associated channels has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "dst-port": { + "description": "Destination port to reach the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "port", + "disable_correlation": true, + "multiple": true + }, + "channel": { + "description": "IRC channel associated to the IRC server", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "nickname": { + "description": "IRC nickname used to connect to the associated IRC server and channels", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "hostname": { + "description": "Hostname of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true + }, + "ip": { + "description": "IP address of the IRC server", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + } + }, + "version": 2, + "description": "An IRC object to describe an IRC server and the associated channels.", + "meta-category": "network", + "uuid": "4bbbc004-c344-4b20-8672-b41102177fc7", + "name": "irc" +} diff --git a/objects/lnk/definition.json b/objects/lnk/definition.json new file mode 100644 index 0000000..83eca79 --- /dev/null +++ b/objects/lnk/definition.json 
@@ -0,0 +1,279 @@ +{ + "requiredOneOf": [ + "filename", + "ssdeep", + "md5", + "sha1", + "sha224", + "sha256", + "sha384", + "sha512", + "sha512/224", + "sha512/256" + ], + "attributes": { + "md5": { + "description": "[Insecure] MD5 hash (128 bits)", + "ui-priority": 1, + "misp-attribute": "md5", + "recommended": false + }, + "sha1": { + "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", + "ui-priority": 1, + "misp-attribute": "sha1", + "recommended": false + }, + "sha224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha224", + "recommended": false + }, + "sha256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 1, + "misp-attribute": "sha256" + }, + "sha384": { + "description": "Secure Hash Algorithm 2 (384 bits)", + "ui-priority": 0, + "misp-attribute": "sha384", + "recommended": false + }, + "sha512": { + "description": "Secure Hash Algorithm 2 (512 bits)", + "ui-priority": 1, + "misp-attribute": "sha512" + }, + "sha512/224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha512/224", + "recommended": false + }, + "sha512/256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 0, + "misp-attribute": "sha512/256", + "recommended": false + }, + "ssdeep": { + "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)", + "ui-priority": 0, + "misp-attribute": "ssdeep" + }, + "size-in-bytes": { + "description": "Size of the LNK file, in bytes", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + "entropy": { + "description": "Entropy of the whole file", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "float" + }, + "pattern-in-file": { + "description": "Pattern that can be found in the file", + "categories": [ + "Artifacts dropped", + "Payload installation", + "External analysis" + ], + "ui-priority": 1, + 
"misp-attribute": "pattern-in-file", + "multiple": true + }, + "text": { + "description": "Free text value to attach to the file", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "malware-sample": { + "description": "The LNK file itself (binary)", + "ui-priority": 1, + "misp-attribute": "malware-sample" + }, + "filename": { + "description": "Filename on disk", + "disable_correlation": true, + "multiple": true, + "categories": [ + "Payload delivery", + "Artifacts dropped", + "Payload installation", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "filename" + }, + "path": { + "description": "Path of the LNK filename complete or partial", + "disable_correlation": true, + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "fullpath": { + "description": "Complete path of the LNK filename including the filename", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "tlsh": { + "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", + "ui-priority": 0, + "misp-attribute": "tlsh" + }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "State of the LNK file", + "multiple": true, + "disable_correlation": true, + "values_list": [ + "Malicious", + "Harmless", + "Trusted" + ] + }, + "lnk-creation-time": { + "description": "Creation time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-modification-time": { + "description": "Modification time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-access-time": { + "description": "Access time of the LNK", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "lnk-file-size": { + "description": "Size of the target file, in bytes", 
+ "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + "lnk-icon-index": { + "description": "Icon index", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-show-window-value": { + "description": "Show Window value", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-hot-key-value": { + "description": "Hot Key value", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-file-attribute-flags": { + "description": "File attribute flags", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-drive-type": { + "description": "Drive type", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-drive-serial-number": { + "description": "Drive serial number", + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-volume-label": { + "description": "Volume label", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-local-path": { + "description": "Local path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-description": { + "description": "LNK description", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-relative-path": { + "description": "Relative path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-working-directory": { + "description": "LNK working path", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "lnk-command-line-arguments": { + "description": "LNK command line arguments", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "text" + }, + "machine-identifier": { + "description": "Machine identifier", + "ui-priority": 0, + "misp-attribute": "text" + }, + "droid-volume-identifier": { + "description": "Droid volume identifier", 
+ "ui-priority": 0, + "misp-attribute": "text" + }, + "droid-file-identifier": { + "description": "Droid file identifier (UUIDv1 where MAC can be extracted)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "birth-droid-volume-identifier": { + "description": "Droid volume identifier", + "ui-priority": 0, + "misp-attribute": "text" + }, + "birth-droid-file-identifier": { + "description": "Birth droid volume identifier (UUIDv1 where MAC can be extracted)", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "LNK object describing a Windows LNK binary file (aka Windows shortcut)", + "meta-category": "file", + "uuid": "ad13533e-1853-4da0-a111-33a7ce7e6c09", + "name": "lnk" +} diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json index a8f32e9..cb20d2b 100644 --- a/objects/mactime-timeline-analysis/definition.json +++ b/objects/mactime-timeline-analysis/definition.json @@ -1,7 +1,7 @@ { "requiredOneOf": [ - "filepath", - "file_activity", + "file-path", + "activityType", "datetime" ], "attributes": { diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json index 847fceb..877226b 100644 --- a/objects/microblog/definition.json +++ b/objects/microblog/definition.json @@ -29,6 +29,17 @@ "Other" ] }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "State of the microblog post", + "disable_correlation": true, + "values_list": [ + "Informative", + "Malicious", + "Unknown" + ] + }, "username": { "description": "Username who posted the microblog post (without the @ prefix)", "ui-priority": 0, @@ -62,7 +73,7 @@ "misp-attribute": "text" } }, - "version": 5, + "version": 6, "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.", "meta-category": "misc", "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60", 
diff --git a/objects/netflow/definition.json b/objects/netflow/definition.json index ade4527..35d412b 100644 --- a/objects/netflow/definition.json +++ b/objects/netflow/definition.json @@ -3,7 +3,7 @@ "uuid": "bf148c58-3e7e-414e-8de8-5d96379ca77e", "meta-category": "network", "description": "Netflow object describes an network object based on the Netflowv5/v9 minimal definition", - "version": 1, + "version": 2, "attributes": { "ip-dst": { "misp-attribute": "ip-dst", @@ -70,6 +70,7 @@ "protocol": { "misp-attribute": "text", "ui-priority": 0, + "disable_correlation": true, "values_list": [ "TCP", "UDP", @@ -133,18 +134,26 @@ "first-packet-seen": { "misp-attribute": "datetime", "ui-priority": 1, - "description": "First packet seen in this flow" + "description": "First packet seen in this flow", + "disable_correlation": true }, "last-packet-seen": { "misp-attribute": "datetime", "ui-priority": 0, - "description": "Last packet seen in this flow" + "description": "Last packet seen in this flow", + "disable_correlation": true + }, + "community-id": { + "misp-attribute": "community-id", + "ui-priority": 0, + "description": "Community id of the represented flow" } }, "requiredOneOf": [ "first-packet-seen", "ip-src", "ip-dst", - "dst-port" + "dst-port", + "community-id" ] } diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json index a9f4c01..e0ac368 100644 --- a/objects/network-connection/definition.json +++ b/objects/network-connection/definition.json @@ -3,7 +3,7 @@ "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b", "meta-category": "network", "description": "A local or remote network connection.", - "version": 2, + "version": 3, "attributes": { "ip-src": { "description": "Source IP address of the nework connection.", 
@@ -86,7 +86,13 @@ "first-packet-seen": { "misp-attribute": "datetime", "ui-priority": 1, - "description": "Datetime of the first packet seen." + "description": "Datetime of the first packet seen.", + "disable_correlation": true + }, + "community-id": { + "misp-attribute": "community-id", + "ui-priority": 1, + "description": "Flow description as a community ID hash value" } }, "requiredOneOf": [ @@ -94,6 +100,7 @@ "ip-src", "ip-dst", "src-port", - "dst-port" + "dst-port", + "community-id" ] } diff --git a/objects/organization/definition.json b/objects/organization/definition.json new file mode 100644 index 0000000..f575479 --- /dev/null +++ b/objects/organization/definition.json 
@@ -0,0 +1,75 @@ +{ + "requiredOneOf": [ + "name", + "alias" + ], + "attributes": { + "name": { + "description": "Name of the organization", + "disable_correlation": false, + "ui-priority": 100, + "misp-attribute": "text" + }, + "alias": { + "description": "Alias of the organization", + "ui-priority": 99, + "misp-attribute": "text", + "multiple": true + }, + "type-of-organizarion": { + "description": "Type of the organization", + "ui-priority": 97, + "misp-attribute": "text" + }, + "date-of-inception": { + "description": "Date of inception of the organization", + "ui-priority": 0, + "misp-attribute": "date-of-birth" + }, + "phone-number": { + "description": "Phone number of the organization.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "fax-number": { + "description": "Fax number of the organization.", + "ui-priority": 10, + "misp-attribute": "phone-number", + "multiple": true + }, + "address": { + "description": "Postal address of the organization.", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "e-mail": { + "description": "Email address of the organization.", + "ui-priority": 10, + "misp-attribute": "email-src", + "multiple": true + }, + "role": { + "description": "The role of the organization.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true, + "values_list": [ + "Suspect", + "Victim", + "Defendent", + "Accused", + "Culprit", + "Accomplice", + "Target" + ], + "disable_correlation": true + } + }, + "version": 1, + "description": "An object which describes an organization.", + "meta-category": "misc", + "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", + "name": "misc" +} diff --git a/objects/original-imported-file/definition.json b/objects/original-imported-file/definition.json index 5bd93ff..6436924 100644 --- a/objects/original-imported-file/definition.json +++ b/objects/original-imported-file/definition.json 
@@ -1,7 +1,7 @@ { "requiredOneOf": [ "imported-sample", - "type" + "format" ], "attributes": { "imported-sample": { diff --git a/objects/pe-section/definition.json b/objects/pe-section/definition.json index 3d1d792..2ef4c3c 100644 --- a/objects/pe-section/definition.json +++ b/objects/pe-section/definition.json @@ -88,6 +88,24 @@ "ui-priority": 1, "misp-attribute": "size-in-bytes" }, + "offset": { + "description": "Section’s offset", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_address": { + "description": "Section’s virtual address", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "hex" + }, + "virtual_size": { + "description": "Section’s virtual size", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "size-in-bytes" + }, "text": { "description": "Free text value to attach to the section", "disable_correlation": true, @@ -106,7 +124,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "Object describing a section of a Portable Executable", "meta-category": "file", "uuid": "198a17d2-a135-4b25-9a32-5aa4e632014a", diff --git a/objects/person/definition.json b/objects/person/definition.json index 361b4eb..2a0befe 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -13,17 +13,17 @@ }, "last-name": { "description": "Last name of a natural person.", - "ui-priority": 0, + "ui-priority": 100, "misp-attribute": "last-name" }, "middle-name": { "description": "Middle name of a natural person.", - "ui-priority": 0, + "ui-priority": 99, "misp-attribute": "middle-name" }, "first-name": { "description": "First name of a natural person.", - "ui-priority": 0, + "ui-priority": 98, "misp-attribute": "first-name", "disable_correlation": true }, 
@@ -34,13 +34,13 @@ }, "title": { "description": "Title of the natural person such as Dr. or equivalent.", - "ui-priority": 0, + "ui-priority": 101, "misp-attribute": "text", "disable_correlation": true }, "alias": { "description": "Alias name or known as.", - "ui-priority": 0, + "ui-priority": 97, "misp-attribute": "text", "multiple": true }, @@ -63,7 +63,8 @@ "Male", "Female", "Other", - "Prefer not to say" + "Prefer not to say", + "Unknown" ], "disable_correlation": true }, @@ -140,6 +141,24 @@ "misp-attribute": "text", "multiple": true }, + "dni": { + "description": "Spanish National ID", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nie": { + "description": "Foreign National ID (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "nif": { + "description": "Tax ID Number (Spain)", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, "e-mail": { "description": "Email address of the person.", "ui-priority": 10, @@ -164,12 +183,13 @@ "Accused", "Culprit", "Accomplice", - "Witness" + "Witness", + "Target" ], "disable_correlation": true } }, - "version": 8, + "version": 10, "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", diff --git a/objects/phishing-kit/definition.json b/objects/phishing-kit/definition.json new file mode 100644 index 0000000..2112d20 --- /dev/null +++ b/objects/phishing-kit/definition.json 
@@ -0,0 +1,95 @@ +{ + "name": "phishing-kit", + "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c", + "meta-category": "network", + "description": "Object to describe a phishing-kit.", + "version": 3, + "attributes": { + "internal reference": { + "categories": [ + "Internal reference" + ], + "misp-attribute": "text", + "ui-priority": 1, + "description": "Internal reference such as ticket ID" + }, + "date-found": { + "multiple": true, + "misp-attribute": "datetime", + "ui-priority": 0, + "description": "Date when the phishing kit was found", + "to_ids": false, + "disable_correlation": true + }, + "reference-link": { + "to_ids": false, + "multiple": true, + "ui-priority": 1, + "misp-attribute": "link", + "description": "Link where the Phishing Kit was observed" + }, + "threat-actor-email": { + "description": "Email of the Threat Actor", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "email-src" + }, + "email-type": { + "description": "Type of the Email", + "multiple": false, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "kit-mailer": { + "description": "Mailer Kit Used", + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "target": { + "description": "What was targeted using this phishing kit", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "phishing-domain": { + "description": "Domain used for Phishing", + "multiple": true, + "ui-priority": 1, + "misp-attribute": "url" + }, + "online": { + "disable_correlation": true, + "misp-attribute": "text", + "values_list": [ + "Yes", + "No" + ], + "ui-priority": 0, + "description": "If the phishing kit is online and operational, by default is yes" + }, + "kit-url": { + "misp-attribute": "url", + "ui-priority": 1, + "description": "URL of Phishing Kit" + }, + "threat-actor": { + "description": "Identified threat actor", + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" + }, + 
"kit-name": { + "description": "Name of the Phishing Kit", + "ui-priority": 10, + "misp-attribute": "text" + } + }, + "requiredOneOf": [ + "kit-url", + "reference-link", + "kit-name" + ] +} diff --git a/objects/process/definition.json b/objects/process/definition.json index e0420ee..2d51789 100644 --- a/objects/process/definition.json +++ b/objects/process/definition.json @@ -3,16 +3,16 @@ "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", "meta-category": "misc", "description": "Object describing a system process.", - "version": 3, + "version": 6, "attributes": { "creation-time": { - "description": "Local date/time at which the process was created.", + "description": "Local date/time at which the process was created", "ui-priority": 0, "misp-attribute": "datetime", "disable_correlation": true }, "start-time": { - "description": "Local date/time at which the process was started.", + "description": "Local date/time at which the process was started", "ui-priority": 0, "misp-attribute": "datetime", "disable_correlation": true 
@@ -23,26 +23,42 @@ "misp-attribute": "text" }, "pid": { - "description": "Process ID of the process.", + "description": "Process ID of the process", "ui-priority": 1, "misp-attribute": "text", "disable_correlation": true }, + "pgid": { + "description": "Identifier of the group of processes the process belong to", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "guid": { + "description": "The globally unique identifier of the assigned by the vendor product", + "ui-priority": 1, + "misp-attribute": "uuid" + }, "parent-pid": { - "description": "Process ID of the parent process.", + "description": "Process ID of the parent process", "ui-priority": 1, "misp-attribute": "text", "disable_correlation": true }, + "parent-guid": { + "description": "The globally unique idenifier of the parent process assigned by the vendor product", + "ui-priority": 1, + "misp-attribute": "uuid" + }, "child-pid": { - "description": "Process ID of the child(ren) process.", + "description": "Process ID of the child(ren) process", "ui-priority": 1, "misp-attribute": "text", "multiple": true, "disable_correlation": true }, "port": { - "description": "Port(s) owned by the process.", + "description": "Port(s) owned by the process", "ui-priority": 1, "misp-attribute": "src-port", "multiple": true, @@ -53,10 +69,16 @@ "ui-priority": 1, "misp-attribute": "text" }, + "args": { + "description": "Arguments of the process", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, "current-directory": { "description": "Current working directory of the process", "ui-priority": 2, - "misp-attribute": "filename", + "misp-attribute": "text", "disable_correlation": true }, "image": { 
@@ -74,6 +96,16 @@ "ui-priority": 1, "misp-attribute": "filename" }, + "parent-process-name": { + "description": "Process name of the parent", + "ui-priority": 1, + "misp-attribute": "text" + }, + "parent-process-path": { + "description": "Parent process path of the parent", + "ui-priority": 1, + "misp-attribute": "text" + }, "user": { "description": "User context of the process", "ui-priority": 2, @@ -84,6 +116,19 @@ "description": "Integrity level of the process", "ui-priority": 2, "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "system", + "high", + "medium", + "low", + "untrusted" + ] + }, + "hidden": { + "description": "Specifies whether the process is hidden", + "ui-priority": 1, + "misp-attribute": "boolean", "disable_correlation": true } }, @@ -91,6 +136,7 @@ "name", "pid", "image", - "command-line" + "command-line", + "current-directory" ] } diff --git a/objects/python-etvx-event-log/definition.json b/objects/python-etvx-event-log/definition.json index 2c50d9a..a2f9a7b 100644 --- a/objects/python-etvx-event-log/definition.json +++ b/objects/python-etvx-event-log/definition.json @@ -1,7 +1,7 @@ { "required": [ "source", - "type", + "event-type", "name" ], "attributes": { diff --git a/objects/regripper-system-hive-general-configuration/definition.json b/objects/regripper-system-hive-general-configuration/definition.json index b2fe81b..2851077 100644 --- a/objects/regripper-system-hive-general-configuration/definition.json +++ b/objects/regripper-system-hive-general-configuration/definition.json @@ -77,11 +77,11 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to present general system properties extracted from the system-hive.", "meta-category": "misc", "uuid": "5ac85401-cbf1-4d05-a85e-1784546881e4", 
diff --git a/objects/regripper-system-hive-service-drivers/definition.json b/objects/regripper-system-hive-service-drivers/definition.json index b5dcaf5..38a560a 100644 --- a/objects/regripper-system-hive-service-drivers/definition.json +++ b/objects/regripper-system-hive-service-drivers/definition.json @@ -86,11 +86,11 @@ "comment": { "description": "Additional comments.", "ui-priority": 0, - "misp-attribute": "", + "misp-attribute": "text", "disable_correlation": true } }, - "version": 1, + "version": 2, "description": "Regripper Object template designed to gather information regarding the services/drivers from the system-hive.", "meta-category": "misc", "uuid": "78cdae45-2061-4b49-b1d6-71f562094a73", diff --git a/objects/report/definition.json b/objects/report/definition.json index cce9d89..053677d 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -5,7 +5,7 @@ "attributes": { "summary": { "description": "Free text summary of the report", - "ui-priority": 1, + "ui-priority": 100, "misp-attribute": "text", "categories": [ "Other", @@ -21,6 +21,12 @@ "Internal reference", "Other" ] + }, + "report-file(s)": { + "description": "Attachment(s) that is related to the report", + "ui-priority": 99, + "misp-attribute": "attachment", + "multiple": true } }, "version": 1, diff --git a/objects/rogue-dns/definition.json b/objects/rogue-dns/definition.json new file mode 100644 index 0000000..3e6e4a9 --- /dev/null +++ b/objects/rogue-dns/definition.json 
@@ -0,0 +1,46 @@ +{ + "required": [ + "rogue-dns" + ], + "attributes": { + "timestamp": { + "description": "Last time that the rogue DNS value was seen.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "rogue-dns": { + "description": "IP address of the rogue DNS", + "ui-priority": 0, + "misp-attribute": "ip-dst" + }, + "status": { + "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "ROGUE DNS", + "Unknown" + ], + "disable_correlation": true + }, + "hijacked-domain": { + "description": "Domain/hostname hijacked by the the rogue DNS", + "categories": [ + "Network activity" + ], + "ui-priority": 1, + "misp-attribute": "hostname" + }, + "phishing-ip": { + "description": "Resource records returns by the rogue DNS", + "ui-priority": 1, + "misp-attribute": "ip-dst" + } + }, + "version": 1, + "description": "Rogue DNS as defined by CERT.br", + "meta-category": "network", + "uuid": "b7e7859b-6872-4fd2-ac49-f66ccb904505", + "name": "rogue-dns" +} diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json index 481d02d..2ee7cde 100644 --- a/objects/sb-signature/definition.json +++ b/objects/sb-signature/definition.json @@ -8,7 +8,7 @@ "description": "Name of Sandbox software", "disable_correlation": true, "categories": [ - "Sandbox detection" + "External analysis" ], "ui-priority": 1, "misp-attribute": "text" @@ -16,7 +16,7 @@ "signature": { "description": "Name of detection signature - set the description of the detection signature as a comment", "categories": [ - "Sandbox detection" + "External analysis" ], "ui-priority": 2, "misp-attribute": "text", 
@@ -41,7 +41,7 @@ "misp-attribute": "datetime" } }, - "version": 1, + "version": 2, "description": "Sandbox detection signature", "meta-category": "misc", "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb", diff --git a/objects/scrippsco2-c13-daily/definition.json b/objects/scrippsco2-c13-daily/definition.json new file mode 100644 index 0000000..9c5d932 --- /dev/null +++ b/objects/scrippsco2-c13-daily/definition.json @@ -0,0 +1,53 @@ +{ + "requiredOneOf": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional", + "number-flask", + "flag", + "c13-value" + ], + "attributes": { + "sample-datetime": { + "description": "Datetime the sample has been taken", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "number-flask": { + "description": "Number of flasks used in daily average.", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 1 + }, + "flag": { + "description": "Flag (see taxonomy for details).", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 0 + }, + "c13-value": { + "description": "C13 value (ppm) - C13 concentrations are measured on the '08A' Calibration Scale", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Daily average C13 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "5f71a99e-4a56-45b5-b7d6-19949d22409a", + "name": "scrippsco2-c13-daily" +} diff --git a/objects/scrippsco2-c13-monthly/definition.json b/objects/scrippsco2-c13-monthly/definition.json new file mode 100644 index 0000000..65aaff2 
--- /dev/null +++ b/objects/scrippsco2-c13-monthly/definition.json 
@@ -0,0 +1,56 @@ +{ + "required": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional" + ], + "attributes": { + "sample-datetime": { + "description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "monthly-c13": { + "description": "Monthly C13 concentrations in micro-mol C13 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-c13-seasonal-adjustment": { + "description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 0 + }, + "monthly-c13-smoothed": { + "description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-c13-smoothed-seasonal-adjustment": { + "description": "Same smoothed version with the seasonal cycle removed.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Monthly average C13 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "812125c7-47de-4503-8bbc-19067d3a1c38", + "name": "scrippsco2-c13-monthly" +} 
diff --git a/objects/scrippsco2-co2-daily/definition.json b/objects/scrippsco2-co2-daily/definition.json new file mode 100644 index 0000000..ae44d9d --- /dev/null +++ b/objects/scrippsco2-co2-daily/definition.json @@ -0,0 +1,53 @@ +{ + "requiredOneOf": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional", + "number-flask", + "flag", + "co2-value" + ], + "attributes": { + "sample-datetime": { + "description": "Datetime the sample has been taken", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "number-flask": { + "description": "Number of flasks used in daily average.", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 1 + }, + "flag": { + "description": "Flag (see taxonomy for details).", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 0 + }, + "co2-value": { + "description": "CO2 value (ppm) - CO2 concentrations are measured on the '08A' Calibration Scale", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Daily average CO2 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "0779baca-06b9-491e-9ab7-ccc3e1538fd3", + "name": "scrippsco2-co2-daily" +} diff --git a/objects/scrippsco2-co2-monthly/definition.json b/objects/scrippsco2-co2-monthly/definition.json new file mode 100644 index 0000000..9363014 --- /dev/null +++ b/objects/scrippsco2-co2-monthly/definition.json 
@@ -0,0 +1,56 @@ +{ + "required": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional" + ], + "attributes": { + "sample-datetime": { + "description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "monthly-co2": { + "description": "Monthly CO2 concentrations in micro-mol CO2 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-co2-seasonal-adjustment": { + "description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 0 + }, + "monthly-co2-smoothed": { + "description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-co2-smoothed-seasonal-adjustment": { + "description": "Same smoothed version with the seasonal cycle removed.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Monthly average CO2 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "3350fc46-7120-4fb1-b5b3-c931465c9b2a", + "name": "scrippsco2-co2-monthly" +} 
diff --git a/objects/scrippsco2-o18-daily/definition.json b/objects/scrippsco2-o18-daily/definition.json new file mode 100644 index 0000000..98ed102 --- /dev/null +++ b/objects/scrippsco2-o18-daily/definition.json @@ -0,0 +1,53 @@ +{ + "requiredOneOf": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional", + "number-flask", + "flag", + "o18-value" + ], + "attributes": { + "sample-datetime": { + "description": "Datetime the sample has been taken", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "number-flask": { + "description": "Number of flasks used in daily average.", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 1 + }, + "flag": { + "description": "Flag (see taxonomy for details).", + "misp-attribute": "counter", + "disable_correlation": true, + "ui-priority": 0 + }, + "o18-value": { + "description": "O18 value (ppm) - O18 concentrations are measured on the '08A' Calibration Scale", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Daily average O18 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "8b6878a7-577d-4845-b165-ead6e58bec04", + "name": "scrippsco2-o18-daily" +} diff --git a/objects/scrippsco2-o18-monthly/definition.json b/objects/scrippsco2-o18-monthly/definition.json new file mode 100644 index 0000000..0782b5f --- /dev/null +++ b/objects/scrippsco2-o18-monthly/definition.json 
@@ -0,0 +1,56 @@ +{ + "required": [ + "sample-datetime", + "sample-date-excel", + "sample-date-fractional" + ], + "attributes": { + "sample-datetime": { + "description": "The monthly values have been adjusted to 24:00 hours on the 15th of each month.", + "ui-priority": 1, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "sample-date-excel": { + "description": "M$Excel spreadsheet date format.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "sample-date-fractional": { + "description": "Decimal year and fractional year.", + "ui-priority": 1, + "misp-attribute": "float", + "disable_correlation": true + }, + "monthly-o18": { + "description": "Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-o18-seasonal-adjustment": { + "description": "Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 0 + }, + "monthly-o18-smoothed": { + "description": "Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + }, + "monthly-o18-smoothed-seasonal-adjustment": { + "description": "Same smoothed version with the seasonal cycle removed.", + "misp-attribute": "float", + "disable_correlation": true, + "ui-priority": 1 + } + }, + "version": 2, + "description": "Monthly average O18 concentrations (ppm) derived from flask air samples.", + "meta-category": "climate", + "uuid": "86bd588b-cd0c-486a-8ea0-17fd95312fa0", + "name": "scrippsco2-o18-monthly" +} 
diff --git a/objects/script/definition.json b/objects/script/definition.json index f95d34f..c7eb0f6 100644 --- a/objects/script/definition.json +++ b/objects/script/definition.json @@ -1,6 +1,7 @@ { - "required": [ - "script" + "requiredOneOf": [ + "script", + "filename" ], "attributes": { "script": { @@ -55,7 +56,7 @@ ] } }, - "version": 2, + "version": 4, "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.", "meta-category": "misc", "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2", diff --git a/objects/shell-commands/definition.json b/objects/shell-commands/definition.json new file mode 100644 index 0000000..8600073 --- /dev/null +++ b/objects/shell-commands/definition.json 
@@ -0,0 +1,62 @@ +{ + "requiredOneOf": [ + "shell-command" + ], + "attributes": { + "script": { + "description": "Free text of the script if available which executed the shell commands.", + "ui-priority": 10, + "misp-attribute": "text" + }, + "comment": { + "description": "Comment associated to the shell commands executed.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "language": { + "description": "Scripting language used for the shell commands executed.", + "ui-priority": 9, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "PowerShell", + "VBScript", + "Bash", + "Lua", + "JavaScript", + "AppleScript", + "AWK", + "Python", + "Perl", + "Ruby", + "Winbatch", + "AutoIt", + "PHP" + ] + }, + "shell-command": { + "description": "", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "state": { + "misp-attribute": "text", + "ui-priority": 0, + "description": "Known state of the script.", + "multiple": true, + "disable_correlation": true, + "values_list": [ + "Malicious", + "Unknown", + "Harmless", + "Trusted" + ] + } + }, + "version": 1, + "description": "Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.", + "meta-category": "misc", + "uuid": "fee65efa-eb64-4516-8611-1db76c589f79", + "name": "shell-commands" +} diff --git a/objects/shodan-report/definition.json b/objects/shodan-report/definition.json new file mode 100644 index 0000000..13cef41 --- /dev/null +++ b/objects/shodan-report/definition.json 
@@ -0,0 +1,70 @@ +{ + "required": [ + "ip" + ], + "requiredOneOf": [ + "hostname", + "org", + "port", + "banner" + ], + "attributes": { + "text": { + "description": "A description of the report", + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "ip": { + "description": "IP Address Queried", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst" + }, + "hostname": { + "description": "Hostnames found", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain", + "multiple": true + }, + "org": { + "description": "Associated Organization", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "text" + }, + "port": { + "description": "Listening Port", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "port" + }, + "banner": { + "description": "server banner reported", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Shodan Report for a given IP", + "meta-category": "network", + "uuid": "10b03d93-3694-4a79-9cd1-4a273746303a", + "name": "shodan-report" +} diff --git a/objects/ssh-authorized-keys/definition.json b/objects/ssh-authorized-keys/definition.json new file mode 100644 index 0000000..3e6f047 --- /dev/null +++ b/objects/ssh-authorized-keys/definition.json 
@@ -0,0 +1,72 @@ +{ + "requiredOneOf": [ + "ip", + "hostname", + "full-line", + "key" + ], + "attributes": { + "text": { + "description": "A description of the ssh authorized keys", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "last-seen": { + "description": "Last time the ssh authorized keys file has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "First time the ssh authorized keys file has been seen", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "full-line": { + "description": "One full-line of the authorized key file", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "key": { + "description": "Public key in base64 as found in the authorized key file", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "key-id": { + "description": "Key-id and option part of the public key line", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "hostname": { + "description": "hostname", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true + }, + "ip": { + "description": "IP Address", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "ip-dst", + "multiple": true + } + }, + "version": 1, + "description": "An object to store ssh authorized keys file.", + "meta-category": "network", + "uuid": "d1db3e4d-c932-4d8b-a915-4cff088cb678", + "name": "ssh-authorized-keys" +} diff --git a/objects/tor-hiddenservice/definition.json b/objects/tor-hiddenservice/definition.json new file mode 100644 index 0000000..0ff9fa5 --- /dev/null +++ b/objects/tor-hiddenservice/definition.json 
@@ -0,0 +1,41 @@ +{ + "requiredOneOf": [ + "address", + "first-seen", + "last-seen", + "description" + ], + "required": [ + "address" + ], + "attributes": { + "description": { + "description": "Tor onion service comment.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "address": { + "description": "onion address of the Tor node seen.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "last-seen": { + "description": "When the Tor hidden service was seen for the last time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + }, + "first-seen": { + "description": "When the Tor hidden service was been seen for the first time.", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Tor hidden service (onion service) object.", + "meta-category": "misc", + "uuid": "cbac07d6-fbe9-43b8-8d91-d515812ce330", + "name": "tor-hiddenservice" +} diff --git a/objects/user-account/definition.json b/objects/user-account/definition.json new file mode 100644 index 0000000..203bb28 --- /dev/null +++ b/objects/user-account/definition.json 
@@ -0,0 +1,137 @@ +{ + "name": "user-account", + "uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3", + "meta-category": "misc", + "description": "", + "version": 1, + "requiredOneOf": [ + "password", + "username", + "user-id" + ], + "attributes": { + "text": { + "description": "A description of the user account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "username": { + "description": "Username related to the password.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "user-id": { + "description": "Identifier of the account.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "password": { + "description": "Password related to the username.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "display-name": { + "description": "Display name of the account.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "account-type": { + "description": "Type of the account.", + "ui-priority": 1, + "misp-attribute": "text", + "sane_default": [ + "facebook", + "ldap", + "nis", + "openid", + "radius", + "skype", + "tacacs", + "twitter", + "unix", + "windows-local", + "windows-domain" + ] + }, + "is_service_account": { + "description": "Specifies if the account is associated with a network service.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "boolean" + }, + "privileged": { + "description": "Specifies if the account has privileges such as root rights.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "boolean" + }, + "can_escalate_privs": { + "description": "Specifies if the account has the ability to escalate privileges.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "boolean" + }, + "disabled": { + "description": "Specifies if the account is desabled.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "boolean" + }, + "created": { + "description": "Creation time of the account.", + "disable_correlation": true, + 
"ui-priority": 1, + "misp-attribute": "datetime" + }, + "expires": { + "description": "Expiration time of the account", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "datetime" + }, + "first_login": { + "description": "First time someone logged in to the account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "datetime" + }, + "last_login": { + "description": "Last time someone logged in to the account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "datetime" + }, + "password_last_changed": { + "description": "Last time the password has been changed.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "datetime" + }, + "group-id": { + "description": "Identifier of the primary group of the account, in case of a UNIX account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "group": { + "description": "UNIX group(s) the account is member of.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "home_dir": { + "description": "Home directory of the UNIX account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + }, + "shell": { + "description": "UNIX command shell of the account.", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text" + } + } +} diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json index cc302f0..c558a46 100644 --- a/objects/vehicle/definition.json +++ b/objects/vehicle/definition.json @@ -1,11 +1,15 @@ { "requiredOneOf": [ "description", - "year", "make", "model", "license-plate-number", - "vin" + "vin", + "dyno-power", + "date-first-registration", + "image-url", + "gearbox", + "indicative-value" ], "attributes": { "description": { 
@@ -14,12 +18,6 @@ "misp-attribute": "text", "disable_correlation": true }, - "year": { - "description": "Year of manufacturing of the vehicle", - "ui-priority": 0, - "misp-attribute": "text", - "disable_correlation": true - }, "make": { "description": "Manufacturer of the vehicle", "ui-priority": 0, @@ -42,9 +40,39 @@ "ui-priority": 0, "misp-attribute": "text", "multiple": true + }, + "dyno-power": { + "description": "Dyno power output", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "date-first-registration": { + "description": "Date of first registration", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "image-url": { + "description": "Image URL", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "gearbox": { + "description": "Gearbox", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + }, + "indicative-value": { + "description": "Indicative value", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true } }, - "version": 1, + "version": 2, "description": "Vehicle object template to describe a vehicle information and registration", "meta-category": "misc", "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", diff --git a/objects/weakness/definition.json b/objects/weakness/definition.json new file mode 100644 index 0000000..cc0c881 --- /dev/null +++ b/objects/weakness/definition.json 
@@ -0,0 +1,52 @@ +{ + "requiredOneOf": [ + "id", + "name", + "description" + ], + "attributes": { + "id": { + "description": "Weakness ID (generally CWE).", + "ui-priority": 0, + "misp-attribute": "text" + }, + "description": { + "description": "Description of the weakness.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "name": { + "description": "Name of the weakness.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "status": { + "description": "Status of the weakness.", + "ui-priority": 0, + "sane_default": [ + "Incomplete", + "Deprecated", + "Draft", + "Usable" + ], + "disable_correlation": true, + "misp-attribute": "text" + }, + "weakness-abs": { + "description": "Abstraction of the weakness.", + "ui-priority": 0, + "sane_default": [ + "Class", + "Base", + "Variant" + ], + "disable_correlation": true, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.", + "meta-category": "vulnerability", + "uuid": "b8713fc0-d7a2-4b27-a182-38ed47966802", + "name": "weakness" +} diff --git a/objects/x509/definition.json b/objects/x509/definition.json index 106a90c..cf9fe39 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json @@ -3,7 +3,8 @@ "x509-fingerprint-md5", "x509-fingerprint-sha1", "x509-fingerprint-sha256", - "serial-number" + "serial-number", + "issuer" ], "attributes": { "subject": { @@ -14,12 +15,14 @@ "pubkey-info-algorithm": { "description": "Algorithm of the public key", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-size": { "description": "Length of the public key (in bits)", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "pubkey-info-exponent": { "description": "Exponent of the public key", 
@@ -59,24 +62,27 @@ "misp-attribute": "text" }, "text": { - "description": "Free text description of hte certificate", + "description": "Free text description of the certificate", "ui-priority": 1, "misp-attribute": "text" }, "validity-not-before": { "description": "Certificate invalid before that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "validity-not-after": { "description": "Certificate invalid after that date", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "issuer": { "description": "Issuer of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "serial-number": { "description": "Serial number of the certificate", @@ -86,26 +92,39 @@ "version": { "description": "Version of the certificate", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "self_signed": { "description": "Self-signed certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "is_ca": { "description": "CA certificate", "ui-priority": 0, - "misp-attribute": "boolean" + "misp-attribute": "boolean", + "disable_correlation": true }, "dns_names": { "description": "DNS names", "multiple": true, "misp-attribute": "text", "ui-priority": 0 + }, + "signature_algorithm": { + "description": "Signature algorithm", + "misp-attribute": "text", + "ui-priority": 0, + "disable_correlation": true, + "sane_default": [ + "SHA1_WITH_RSA_ENCRYPTION", + "SHA256_WITH_RSA_ENCRYPTION" + ] } }, - "version": 7, + "version": 9, "description": "x509 object describing a X.509 certificate", "meta-category": "network", "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c", diff --git a/objects/yara/definition.json b/objects/yara/definition.json index 370bfdb..4b9ba94 100644 
--- a/objects/yara/definition.json +++ b/objects/yara/definition.json @@ -1,6 +1,7 @@ { "requiredOneOf": [ - "yara" + "yara", + "yara-rule-name" ], "attributes": { "comment": { @@ -13,6 +14,11 @@ "ui-priority": 0, "misp-attribute": "yara" }, + "yara-rule-name": { + "description": "YARA rule name.", + "ui-priority": 0, + "misp-attribute": "text" + }, "version": { "sane_default": [ "3.7.1" @@ -33,8 +39,8 @@ "ui-priority": 0 } }, - "version": 3, - "description": "An object describing a YARA rule along with its version.", + "version": 4, + "description": "An object describing a YARA rule (or a YARA rule name) along with its version.", "meta-category": "misc", "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3", "name": "yara" diff --git a/relationships/definition.json b/relationships/definition.json index 8262441..a4bcef0 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -10,6 +10,13 @@ "alfred" ] }, + { + "name": "executes", + "description": "This relationship describes an object which executes another object", + "format": [ + "misp" + ] + }, { "name": "duplicate-of", "description": "The referenced source and target objects are semantically duplicates of each other.", @@ -222,6 +229,13 @@ "stix-2.0" ] }, + { + "name": "retrieved-from", + "description": "This relationship describes an object retrieved from the target object.", + "format": [ + "misp" + ] + }, { "name": "authored-by", "description": "This relationship describes the author of a specific object.", @@ -243,6 +257,13 @@ "misp" ] }, + { + "name": "includes", + "description": "This relationship describes an object that includes an other object.", + "format": [ + "misp" + ] + }, { "name": "analysed-with", "description": "This relationship describes an object analysed by another object.", 
@@ -941,6 +962,21 @@ "format": [ "misp" ] + }, + { + "name": "creates", + "description": "Represents an object that creates something.", + "format": [ + "misp", + "haxpak" + ] + }, + { + "name": "screenshot-of", + "description": "Represents an object being the screenshot of something.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", diff --git a/schema_objects.json b/schema_objects.json index 0d80fa0..9c1e073 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -68,7 +68,8 @@ "financial", "misc", "internal", - "vulnerability" + "vulnerability", + "climate" ] }, "name": { diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py index c75e282..0b77c40 100755 --- a/tools/adoc_objects.py +++ b/tools/adoc_objects.py @@ -3,7 +3,7 @@ # # # A simple converter of MISP objects to asciidoctor format -# Copyright (C) 2017-2018 Alexandre Dulaunoy +# Copyright (C) 2017-2019 Alexandre Dulaunoy # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as @@ -73,12 +73,14 @@ def asciidoc(content=False, adoc=None, t='title',title=''): if t == 'title': output = '== ' + content elif t == 'info': + content = content.rstrip('\.') output = "\n{}.\n\n{} {} {}{}/definition.json[*this location*] {}.\n".format(content, 'NOTE: ', title, 'is a MISP object available in JSON format at https://github.com/MISP/misp-objects/blob/master/objects/',title.lower(),' The JSON format can be freely reused in your application or automatically enabled in https://www.github.com/MISP/MISP[MISP]') elif t == 'author': output = '\nauthors:: {}\n'.format(' - '.join(content)) elif t == 'value': output = '=== ' + content elif t == 'description': + content = content.rstrip('\.') output = '\n{}\n'.format(content) elif t == 'attributes': #output = '\n{}\n'.format
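Review bot: the "required" list in objects/scrippsco2-co2-monthly/definition.json demands all three of "sample-datetime", "sample-date-excel" and "sample-date-fractional", while the daily templates in the same change list the same trio under "requiredOneOf"; the three are alternative encodings of one sampling date, so "requiredOneOf" fits here too, otherwise an object carrying only the ISO datetime fails validation. The "sample-datetime" description ("The monthly values have been adjusted to 24:00 hours on the 15th of each month.") states the convention but not what the attribute holds; lead with the daily template's wording ("Datetime the sample has been taken") and keep the adjustment note after it.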
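Review bot: the attribute descriptions in objects/scrippsco2-o18-monthly/definition.json are the CO2 monthly text with "CO2" replaced by "O18": "Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale" and "This is the standard version of the data most often sought." The daily O18 template in the same change says the value is "measured on the '08A' Calibration Scale", so the two O18 templates now disagree about which scale applies; align the monthly wording with the daily one rather than with the CO2 template. In objects/scrippsco2-o18-daily/definition.json, "flag" is typed "counter" and described only as "Flag (see taxonomy for details)"; name the taxonomy in the description, and if the flag values are a fixed set, a "text" attribute with a "values_list" would document them directly.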
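Review bot: in objects/shell-commands/definition.json the only attribute listed under "requiredOneOf", "shell-command", has an empty "description": "" and "ui-priority": 0, the lowest in the template, while the optional "script" gets priority 10; give it a description (e.g. one command line as executed) and a priority at least as high as "script". "state" is marked "multiple": true, which lets a single object be both "Malicious" and "Harmless"; drop "multiple" there unless that is intended. In objects/script/definition.json the "version" goes from 2 straight to 4; if no version 3 was ever published, 3 is the expected bump.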
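Review bot: in objects/shodan-report/definition.json, "hostname" is "multiple": true but "port" and "banner" are not, so one object can record a single listening port and a single banner although a Shodan result for one IP usually carries several services; mark both "multiple": true, or keep one object per service and link it to the report. "ip" is typed "ip-dst" although it is the queried address, not a traffic destination; "ip-src"/"ip-dst" encode a direction the report does not have, and the same choice is repeated for "ip" in objects/ssh-authorized-keys/definition.json.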
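Review bot: objects/ssh-authorized-keys/definition.json types "hostname" as misp-attribute "hostname" whereas objects/shodan-report/definition.json in the same change types its "hostname" as "domain"; pick one so the two templates correlate with each other. "key-id" is described as "Key-id and option part of the public key line", which folds two different parts of an authorized_keys line (the leading options and, presumably, the trailing comment) into one attribute; split them or reword the description to say which is meant. Leaving correlation enabled on "key" and "full-line" is the right behaviour here, since the same public key turning up in authorized_keys on several hosts is exactly the pivot an analyst wants; consider "disable_correlation": true on "key-id" alone, as comments such as user@host are weak pivots.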
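Review bot: in objects/tor-hiddenservice/definition.json, "address" is typed "text", so an onion address stored here gets no format validation and will not correlate with the same address stored elsewhere as a hostname/domain attribute; "hostname" (or "domain") is the better type. Listing "address" under both "required" and "requiredOneOf" is redundant; keep it in "required" only. Typo in the "first-seen" description: "was been seen" should be "was seen".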
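Review bot: objects/user-account/definition.json ships with an empty top-level "description": "", which is what tools/adoc_objects.py renders into the documentation for the object; fill it in. Attribute names mix two conventions within the one template: "user-id", "display-name", "account-type" and "group-id" use hyphens while "is_service_account", "can_escalate_privs", "password_last_changed" and "home_dir" use underscores; settle on one before the template is published, since renames later require a version bump and break existing objects. Typo: "desabled" in the "disabled" description. "password" keeps correlation enabled, which helps spot a reused credential across events but also means every object carrying a common password correlates with every other; decide explicitly whether that is wanted.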
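Review bot: objects/vehicle/definition.json deletes the "year" attribute and removes it from "requiredOneOf"; vehicle objects created against version 1 with a "year" attribute will no longer match the template, and the new "date-first-registration" is not a substitute for year of manufacture. Keep "year" (marking it deprecated in its description) rather than removing it. The five new attributes are all "text" with "multiple": true: "date-first-registration" would be better typed "datetime", "image-url" as "url" or "link", and "gearbox", "dyno-power" and "indicative-value" are single-valued properties of one vehicle, so "multiple" is unneeded on them.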
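Review bot: typo in the objects/weakness/definition.json description: "software, equipment of hardware" should read "software, equipment or hardware". In objects/x509/definition.json the new "signature_algorithm" sane_default lists only "SHA1_WITH_RSA_ENCRYPTION" and "SHA256_WITH_RSA_ENCRYPTION"; since the attribute is free text, state the naming convention in the description so other algorithms are entered consistently. Setting "disable_correlation": true on "issuer", "version", the validity dates and the pubkey fields is the right call, as those values are shared by large numbers of unrelated certificates; "serial-number" and the fingerprints keep correlating, which is what matters.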
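Review bot: typo in the new "includes" relationship description in relationships/definition.json: "includes an other object" should be "includes another object". The new "executes", "retrieved-from" and "includes" entries carry only "format": ["misp"], while the neighbouring entry shown above "retrieved-from" lists "stix-2.0"; check whether any of the three has a STIX 2.0 equivalent before publishing. In objects/yara/definition.json, "yara-rule-name" alone now satisfies "requiredOneOf", so an object can name a rule without carrying its body; the updated description says so, but consider "disable_correlation": true on "yara-rule-name", since rule names are not unique across rule sets and would correlate unrelated events.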
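Review bot: the new "creates" relationship lists "haxpak" under "format" next to "misp"; every other format value visible in this file is "misp" or "stix-2.0", so confirm "haxpak" is an intended, documented format identifier rather than a stray value. Adding "climate" to the meta-category enum in schema_objects.json is required for the new scrippsco2 templates and matches their "meta-category" values.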
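Review bot: content.rstrip('\.') in tools/adoc_objects.py (added in both the 'info' and the 'description' branch) is wrong on two counts: str.rstrip takes a set of characters, not a pattern, so the backslash is not an escape, and '\.' is an invalid escape sequence that Python warns about; as written it strips trailing '.' and '\' characters. Use content.rstrip('.') in both places, and since the two lines are identical, hoist the strip above the if/elif chain so it is applied once.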