From 1a40095f1ad58a515740038eee797d692d1cc8f5 Mon Sep 17 00:00:00 2001
From: VVX7
Date: Sun, 9 Feb 2020 11:39:36 -0500
Subject: [PATCH] new: [objects] add instant-message object. add instant-message-group object.
---
objects/instant-message-group/definition.json | 80 +++++++++++++
objects/instant-message/definition.json | 113 ++++++++++++++++++
2 files changed, 193 insertions(+)
create mode 100644 objects/instant-message-group/definition.json
create mode 100644 objects/instant-message/definition.json
diff --git a/objects/instant-message-group/definition.json b/objects/instant-message-group/definition.json
new file mode 100644
index 0000000..6232afb
--- /dev/null
+++ b/objects/instant-message-group/definition.json
@@ -0,0 +1,80 @@
+{
+ "requiredOneOf": [
+ "group-name",
+ "group-alias",
+ "archive",
+ "attachment"
+ ],
+ "attributes": {
+ "group-name": {
+ "description": "The name of the group, channel or community.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "group-alias": {
+ "description": "Aliases of group, channel or community.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "text"
+ },
+ "app-used": {
+ "description": "The IM application used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "multiple": true,
+ "sane_default": [
+ "WhatsApp",
+ "Google Hangouts",
+ "Facebook Messenger",
+ "Telegram",
+ "Signal",
+ "WeChat",
+ "BlackBerry Messenger",
+ "TeamSpeak",
+ "TorChat",
+ "RetroShare",
+ "Slack"
+ ]
+ },
+ "username": {
+ "description": "A user account who is a member of the group.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "person-name": {
+ "description": "A person who is a member of the group.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "url": {
+ "description": "Original URL location of the group (potentially malicious).",
+ "ui-priority": 1,
+ "misp-attribute": "url"
+ },
+ "link": {
+ "description": "Original link into the group (Supposed harmless).",
+ "ui-priority": 1,
+ "misp-attribute": "link"
+ },
+ "archive": {
+ "description": "Archive of the original group (Internet Archive, Archive.is, etc).",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "link"
+ },
+ "attachment": {
+ "description": "A screen capture or exported list of contacts, group members, etc.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "attachment"
+ }
+ },
+ "version": 1,
+ "description": "Instant Message (IM) group object template describing a public or private IM group, channel or conversation.",
+ "meta-category": "misc",
+ "uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f",
+ "name": "instant-message-group"
+}
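Review bot: The `app-used` description in this group template, "The IM application used to send the message.", is carried over from the message template and does not describe a group; `"description": "The IM application hosting the group, channel or community."` would fit this object. The same attribute is `"multiple": true` here but single-valued in objects/instant-message/definition.json, so it is worth confirming that the difference is intended. `username`, `person-name` and the `attachment` of exported member lists hold personal data, and none of them sets `disable_correlation`, so the descriptions could say that these fields identify individuals to help analysts choose a distribution level.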
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
new file mode 100644
index 0000000..ecddaa2
--- /dev/null
+++ b/objects/instant-message/definition.json
@@ -0,0 +1,113 @@
+{
+ "requiredOneOf": [
+ "body",
+ "from",
+ "from-user"
+ ],
+ "attributes": {
+ "body": {
+ "description": "Message body of the IM.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "from-number": {
+ "description": "Phone number used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "to-number": {
+ "description": "Phone number receiving the message.",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "from-user": {
+ "description": "User account that sent the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "to-user": {
+ "description": "User account that received the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "from-name": {
+ "description": "Name of the person that sent the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "to-name": {
+ "description": "Name of the person that received the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "subject": {
+ "description": "Subject of the message if any.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-used": {
+ "description": "The IM application used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "WhatsApp",
+ "Google Hangouts",
+ "Facebook Messenger",
+ "Telegram",
+ "Signal",
+ "WeChat",
+ "BlackBerry Messenger",
+ "TeamSpeak",
+ "TorChat",
+ "RetroShare",
+ "Slack"
+ ]
+ },
+ "url": {
+ "description": "Original URL location of the message (potentially malicious).",
+ "ui-priority": 1,
+ "misp-attribute": "url"
+ },
+ "link": {
+ "description": "Original link into the message (Supposed harmless).",
+ "ui-priority": 1,
+ "misp-attribute": "link"
+ },
+ "archive": {
+ "description": "Archive of the original message (Internet Archive, Archive.is, etc).",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "link"
+ },
+ "attachment": {
+ "description": "The message file or screen capture.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "attachment"
+ },
+ "sent-date": {
+ "description": "Initial sent date of the message.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "received-date": {
+ "description": "Received date of the message.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Instant Message (IM) object template describing one or more IM message.",
+ "meta-category": "misc",
+ "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
+ "name": "instant-message"
+}
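Review bot: `requiredOneOf` lists `"from"`, but no attribute with that name is defined in this template; the sender fields are `from-number`, `from-user` and `from-name`. As written, an object that carries only a sender phone number or sender name cannot satisfy the requirement, and the dangling name may also trip template validation (inferred, since the validator is not shown here). Presumably `from-number` was meant, so the list would read `"body", "from-number", "from-user"`. Separately, the top-level description says "one or more IM message" and should read "messages".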