MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'main' of github.com:MISP/misp-objects

pull/405/head
Christian Studer 2023-09-14 15:41:54 +02:00
parent f0223f2b66 0edf925a59
commit 6d5b06ec52
28 changed files with 2175 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
- [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
- [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1,
- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
- [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
- [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
- [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.

34
objects/abuseipdb/definition.json Normal file
View File

@ -0,0 +1,34 @@
{
"attributes": {
"abuse-confidence-score": {
"description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious",
"misp-attribute": "counter",
"ui-priority": 0
},
"is-malicious": {
"description": "If the IP is malicious based on the abuse-confidence-score and threshold",
"misp-attribute": "boolean",
"ui-priority": 0
},
"is-public": {
"description": "If an IP is public",
"misp-attribute": "boolean",
"ui-priority": 0
},
"is-tor": {
"description": "If Tor (The Onion Router) was used",
"misp-attribute": "boolean",
"ui-priority": 0
},
"is-whitelisted": {
"description": "If an IP is spotted in any of AbuseIPDB's whitelists",
"misp-attribute": "boolean",
"ui-priority": 0
}
},
"description": "AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist",
"meta-category": "network",
"name": "abuseipdb",
"uuid": "cccdaaf6-c140-461c-8d1c-aa79bbd029e0",
"version": 1
}

52
objects/artifact/definition.json
View File

@ -10,11 +10,11 @@
"misp-attribute": "text",
"ui-priority": 0
},
"hashes": {
"description": "Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. (should be file with relationships?)",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
"md5": {
"description": "[Insecure] MD5 hash (128 bits)",
"misp-attribute": "md5",
"recommended": false,
"ui-priority": 1
},
"mime_type": {
"description": "Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.",
@ -27,8 +27,46 @@
"misp-attribute": "text",
"ui-priority": 0
},
"sha1": {
"description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
"misp-attribute": "sha1",
"recommended": false,
"ui-priority": 1
},
"sha256": {
"description": "Secure Hash Algorithm 2 (256 bits)",
"misp-attribute": "sha256",
"ui-priority": 1
},
"sha3-256": {
"description": "Secure Hash Algorithm 3 (256 bits)",
"misp-attribute": "sha3-256",
"recommended": false,
"ui-priority": 0
},
"sha3-512": {
"description": "Secure Hash Algorithm 3 (512 bits)",
"misp-attribute": "sha3-512",
"recommended": false,
"ui-priority": 0
},
"sha512": {
"description": "Secure Hash Algorithm 2 (512 bits)",
"misp-attribute": "sha512",
"ui-priority": 1
},
"ssdeep": {
"description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
"misp-attribute": "ssdeep",
"ui-priority": 0
},
"tlsh": {
"description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
"misp-attribute": "tlsh",
"ui-priority": 0
},
"url": {
"description": "The value of this property MUST be a valid URL that resolves to the unencoded content.",
"description": "The value of this property MUST be a valid URL that resolves to the unencoded content. When present, at least one hash value MUST be present too.",
"misp-attribute": "url",
"ui-priority": 0
}
@ -41,5 +79,5 @@
"url"
],
"uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
"version": 2
"version": 3
}

96
objects/availability-impact/definition.json Normal file
View File

@ -0,0 +1,96 @@
{
"attributes": {
"availability_impact": {
"description": "The availability impact.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"None",
"Minimal",
"Significant",
"Denial",
"Loss of Control"
],
"ui-priority": 0
},
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
}
},
"description": "Availability Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "availability-impact",
"required": [
"availability_impact"
],
"uuid": "19b4394a-46a9-4196-a30c-080eaed06273",
"version": 1
}

125
objects/confidentiality-impact/definition.json Normal file
View File

@ -0,0 +1,125 @@
{
"attributes": {
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"information_type": {
"description": "Type of information that had its confidentiality compromised.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"classified-material",
"communication",
"credentials-admin",
"credentials-user",
"financial",
"leval",
"payment",
"phi",
"pii",
"proprietary"
],
"ui-priority": 0
},
"loss_type": {
"description": "The type of loss that occurred to the relevant information.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"confirmed-loss",
"contained",
"exploited-loss",
"none",
"suspected-loss"
],
"ui-priority": 0
},
"record_count": {
"description": "The number of records of this type that were compromised.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"record_size": {
"description": "The amount of data that was compromised in bytes.",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
}
},
"description": "Confidentiality Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "confidentiality-impact",
"required": [
"loss_type"
],
"uuid": "b0027f13-56e4-4c85-9632-3cf81208429b",
"version": 1
}

9
objects/email/definition.json
View File

@ -57,6 +57,12 @@
"multiple": true,
"ui-priority": 1
},
"email-body-attachment": {
"description": "Body of the email as an attachment",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 1
},
"eml": {
"description": "Full EML",
"disable_correlation": true,
@ -258,9 +264,10 @@
"x-mailer",
"return-path",
"email-body",
"email-body-attachment",
"eml",
"msg"
],
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"version": 18
"version": 19
}

172
objects/event/definition.json Normal file
View File

@ -0,0 +1,172 @@
{
"attributes": {
"description": {
"description": "Description of the event.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the event was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"event_type": {
"description": "Type of event.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"aggregation-information-phishing-schemes",
"benign",
"blocked",
"brute-force-attempt",
"c&c-server-hosting",
"compromised-system",
"confirmed",
"connection-malware-port",
"connection-malware-system",
"content-forbidden-by-law",
"control-system-bypass",
"copyrighted-content",
"data-exfiltration",
"deferred",
"deletion-information",
"denial-of-service",
"destruction",
"dictionary-attack-attempt",
"discarded",
"disruption-data-transmission",
"dissemination-malware-email",
"dissemination-phishing-emails",
"dns-cache-poisoning",
"dns-local-resolver-hijacking",
"dns-spoofing-registered",
"dns-rebinding",
"dns-server-compromise",
"dns-spoofing-unregistered",
"dns-stub-resolver-hijacking",
"dns-zone-transfer",
"domain-name-compromise",
"duplicate",
"email-flooding",
"equipment-loss",
"equipment-theft",
"exploit",
"exploit-attempt",
"exploit-framework-exhausting-resources",
"exploit-tool-exhausting-resources",
"failed",
"file-inclusion",
"file-inclusion-attempt",
"hosting-malware-webpage",
"hosting-phishing-sites",
"illegitimate-use-name",
"illegitimate-use-resources",
"infected-by-known-malware",
"insufficient-data",
"known-malware",
"lame-delegations",
"major",
"modification-information",
"misconfiguration",
"natural",
"network-scanning",
"no-apt",
"packet-flood",
"password-cracking-attempt",
"ransomware",
"refuted",
"scan-probe",
"silently-discarded",
"supply-chain-customer",
"supply-chain-vendor",
"spam",
"sql-injection",
"sql-injection-attempt",
"successful",
"system-probe",
"theft-access-credentials",
"unattributed",
"unauthorized-access-information",
"unauthorized-access-system",
"unauthorized-equipment",
"unauthorized-release",
"unauthorized-use",
"undetermined",
"unintentional",
"unknown-apt",
"unspecified",
"vandalism",
"wiretapping",
"worm-spreading",
"xss",
"xss-attempt"
],
"ui-priority": 0
},
"goal": {
"description": "The assumed objective of the event.",
"misp-attribute": "text",
"ui-priority": 0
},
"name": {
"description": "Name of the event.",
"misp-attribute": "text",
"ui-priority": 0
},
"start_time": {
"description": "The date and time the event was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"status": {
"description": "Current status of the event.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"not-occurred",
"ongoing",
"occurred",
"pending",
"undetermined"
],
"ui-priority": 1
}
},
"description": "Event object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "event",
"required": [
"status"
],
"uuid": "3853b726-6a9c-43b3-8ffb-23839b07d5a9",
"version": 1
}

97
objects/external-impact/definition.json Normal file
View File

@ -0,0 +1,97 @@
{
"attributes": {
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"impact_type": {
"description": "Type of impact.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"economic",
"emergency-services",
"foreign-relations",
"national-secuirty",
"public-confidence",
"public-health",
"public-safety"
],
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
}
},
"description": "External Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "external-impact",
"required": [
"impact_type"
],
"uuid": "4ac36991-9333-4ada-8e17-bcbeb988160a",
"version": 1
}

24
objects/google-safe-browsing/definition.json Normal file
View File

@ -0,0 +1,24 @@
{
"attributes": {
"malicious": {
"description": "If the URL comes back as malicious",
"misp-attribute": "boolean",
"ui-priority": 0
},
"platforms": {
"description": "The platform identified (windows, linux, etc...)",
"misp-attribute": "text",
"ui-priority": 0
},
"threats": {
"description": "The threat type related to that URL (malware, social engineering, etc...)",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Google Safe checks a URL against Google's constantly updated list of unsafe web resources.",
"meta-category": "network",
"name": "google-safe-browsing",
"uuid": "1f8af312-dfbb-4572-b894-dabe7c8798d8",
"version": 1
}

48
objects/hhhash/definition.json Normal file
View File

@ -0,0 +1,48 @@
{
"attributes": {
"comment": {
"description": "A description of the HHHash object.",
"misp-attribute": "comment",
"ui-priority": 0
},
"hhhash": {
"description": "HHHash hash in format hhh:version:hash_value",
"misp-attribute": "text",
"ui-priority": 0
},
"hhhash-headers": {
"description": "HHHash value before being hash in the format each header is separated by a :.",
"misp-attribute": "text",
"ui-priority": 0
},
"hhhash-query-headers": {
"description": "Set of headers used for the query in the format where each header is separated by a : .",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"hhhash-tool": {
"description": "HHHash crawling infrastructure or tool used to produce the HHHash value. ",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"python-hhhash",
"c-hhhash",
"go-hhhash",
"r-hhhash",
"lacus",
"Common Crawl",
"other"
],
"ui-priority": 0
}
},
"description": "An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash",
"meta-category": "misc",
"name": "hhhash",
"requiredOneOf": [
"hhhash"
],
"uuid": "4dbcde93-a4e0-4bee-913c-0988b5259d14",
"version": 1
}

188
objects/incident/definition.json Normal file
View File

@ -0,0 +1,188 @@
{
"attributes": {
"criticality": {
"description": "Criticality of the incident",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Description of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"detection_method": {
"description": "Methods used to detect the activity.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"automated-tool",
"human-review",
"message-from-attacker",
"system-outage",
"user-reporting"
],
"ui-priority": 0
},
"determination": {
"description": "Determination on the outcome of the incident.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"blocked",
"successful-attempt",
"failed-attempt",
"false-positive",
"low-value",
"suspected"
],
"ui-priority": 0
},
"incident_type": {
"description": "Type of incident",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"aggregation-information-phishing-schemes",
"benign",
"blocked",
"brute-force-attempt",
"c&c-server-hosting",
"compromised-system",
"confirmed",
"connection-malware-port",
"connection-malware-system",
"content-forbidden-by-law",
"control-system-bypass",
"copyrighted-content",
"data-exfiltration",
"deferred",
"deletion-information",
"denial-of-service",
"destruction",
"dictionary-attack-attempt",
"discarded",
"disruption-data-transmission",
"dissemination-malware-email",
"dissemination-phishing-emails",
"dns-cache-poisoning",
"dns-local-resolver-hijacking",
"dns-spoofing-registered",
"dns-rebinding",
"dns-server-compromise",
"dns-spoofing-unregistered",
"dns-stub-resolver-hijacking",
"dns-zone-transfer",
"domain-name-compromise",
"duplicate",
"email-flooding",
"equipment-loss",
"equipment-theft",
"exploit",
"exploit-attempt",
"exploit-framework-exhausting-resources",
"exploit-tool-exhausting-resources",
"failed",
"file-inclusion",
"file-inclusion-attempt",
"hosting-malware-webpage",
"hosting-phishing-sites",
"illegitimate-use-name",
"illegitimate-use-resources",
"infected-by-known-malware",
"insufficient-data",
"known-malware",
"lame-delegations",
"major",
"modification-information",
"misconfiguration",
"natural",
"network-scanning",
"no-apt",
"packet-flood",
"password-cracking-attempt",
"ransomware",
"refuted",
"scan-probe",
"silently-discarded",
"supply-chain-customer",
"supply-chain-vendor",
"spam",
"sql-injection",
"sql-injection-attempt",
"successful",
"system-probe",
"theft-access-credentials",
"unattributed",
"unauthorized-access-information",
"unauthorized-access-system",
"unauthorized-equipment",
"unauthorized-release",
"unauthorized-use",
"undetermined",
"unintentional",
"unknown-apt",
"unspecified",
"vandalism",
"wiretapping",
"worm-spreading",
"xss",
"xss-attempt"
],
"ui-priority": 0
},
"investigation_status": {
"description": "Current status of the incident investigation.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"closed",
"new",
"open"
],
"ui-priority": 0
},
"name": {
"description": "Name of the incident.",
"misp-attribute": "text",
"ui-priority": 1
},
"recoverability": {
"description": "Recoverability of the incident, with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"score": {
"description": "Incident score, with a name, an optional description and the numeric score value.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
}
},
"description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
"meta-category": "misc",
"name": "incident",
"required": [
"name"
],
"uuid": "38597424-f9bb-4865-9b4b-819172df0334",
"version": 1
}

127
objects/integrity-impact/definition.json Normal file
View File

@ -0,0 +1,127 @@
{
"attributes": {
"alteration": {
"description": "",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"potential-destruction",
"potential-modification",
"partial-destruction",
"partial-modification",
"full-destruction",
"full-modification",
"none"
],
"ui-priority": 0
},
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"information_type": {
"description": "Type of information that had its confidentiality compromised.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"classified-material",
"communication",
"credentials-admin",
"credentials-user",
"financial",
"leval",
"payment",
"phi",
"pii",
"proprietary"
],
"ui-priority": 0
},
"record_count": {
"description": "The number of records of this type that were compromised.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"record_size": {
"description": "The amount of data that was compromised in bytes.",
"disable_correlation": true,
"misp-attribute": "size-in-bytes",
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
}
},
"description": "Integrity Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "integrity-impact",
"required": [
"alteration"
],
"uuid": "604830f2-8035-4454-aa32-7f6eee1f04c6",
"version": 1
}

12
objects/ja3s/definition.json
View File

@ -5,12 +5,22 @@
"misp-attribute": "text",
"ui-priority": 1
},
"domain": {
"description": "Destination domain",
"misp-attribute": "domain",
"ui-priority": 1
},
"first-seen": {
"description": "First seen of the SSL/TLS handshake",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"hostname": {
"description": "Destination hostname",
"misp-attribute": "hostname",
"ui-priority": 1
},
"ip-dst": {
"description": "Destination IP address",
"misp-attribute": "ip-dst",
@ -46,5 +56,5 @@
"ja3s-fingerprint-md5"
],
"uuid": "7f377f66-d128-4b97-897f-592d06ba2ff7",
"version": 4
"version": 5
}

79
objects/malware-analysis/definition.json Normal file
View File

@ -0,0 +1,79 @@
{
"attributes": {
"analysis_definition_version": {
"description": "The version of the analysis definitions used by the analysis tool.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"analysis_engine_version": {
"description": "The version of the analysis engine or product that was used to perform the analysis.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"configuration_version": {
"description": "The named configuration of additional product configuration parameters for this analysis run.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time that the malware analysis ended.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"module": {
"description": "The specific analysis module that was used and configured in the product during this analysis run.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"product": {
"description": "The name of the analysis engine or product that was used.",
"misp-attribute": "text",
"ui-priority": 1
},
"result": {
"description": "The classification result as determined by the scanner or tool analysis process.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"benign",
"malicious",
"suspicious",
"unknown"
],
"ui-priority": 0
},
"result_name": {
"description": "The classification result or name assigned to the malware instance by the scanner tool.",
"misp-attribute": "text",
"ui-priority": 0
},
"start_time": {
"description": "The date and time that the malware analysis was initiated.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"submitted_time": {
"description": "The date and time that the malware was first submitted for scanning or analysis.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"version": {
"description": "The version of the analysis product that was used to perform the analysis.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.",
"meta-category": "misc",
"name": "malware-analysis",
"required": [
"product"
],
"uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288",
"version": 1
}

15
objects/malware-config/definition.json
View File

@ -5,11 +5,21 @@
"misp-attribute": "text",
"ui-priority": 1
},
"description": {
"description": "Description of the malware configuration",
"misp-attribute": "text",
"ui-priority": 1
},
"encrypted": {
"description": "Encrypted or encoded text of the malware configuration in base64.",
"misp-attribute": "text",
"ui-priority": 1
},
"file-config": {
"description": "File configuration as an attachment",
"misp-attribute": "attachment",
"ui-priority": 1
},
"first-seen": {
"description": "When the malware configuration has been seen for the first time.",
"disable_correlation": true,
@ -44,8 +54,9 @@
"meta-category": "file",
"name": "malware-config",
"requiredOneOf": [
"config"
"config",
"file-config"
],
"uuid": "8200b79b-1d8c-49a8-9a63-7710e613c059",
"version": 1
"version": 2
}

168
objects/malware/definition.json Normal file
View File

@ -0,0 +1,168 @@
{
"attributes": {
"alias": {
"description": "Alternative name used to identify this malware or malware family.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"architecture_execution_env": {
"description": "The processor architecture that the malware instance or family is executable on.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"alpha",
"arm",
"ia-64",
"mips",
"powerpc",
"sparc",
"x86",
"x86-64"
],
"ui-priority": 0
},
"capability": {
"description": "Any of the capabilities identified for the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"accesses-remote-machines",
"anti-debugging",
"anti-disassembly",
"anti-emulation",
"anti-memory-forensics",
"anti-sandbox",
"anti-vm",
"captures-input-peripherals",
"captures-output-peripherals",
"captures-system-state-data",
"cleans-traces-of-infection",
"commits-fraud",
"communicates-with-c2",
"compromises-data-availability",
"compromises-data-integrity",
"compromises-system-availability",
"controls-local-machine",
"degrades-security-software",
"degrades-system-updates",
"determines-c2-server",
"emails-spam",
"escalates-privileges",
"evades-av",
"exfiltrates-data",
"fingerprints-host",
"hides-artifacts",
"hides-executing-code",
"infects-files",
"infects-remote-machines",
"installs-other-components",
"persists-after-system-reboot",
"prevents-artifact-access",
"prevents-artifact-deletion",
"probes-network-environment",
"self-modifies",
"steals-authentication-credentials",
"violates-system-operational-integrity"
],
"ui-priority": 0
},
"description": {
"description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.",
"misp-attribute": "text",
"ui-priority": 0
},
"first_seen": {
"description": "The time that the malware instance or family was first seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"implementation_language": {
"description": "The programming language used to implement the malware instance or family.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"applescript",
"bash",
"c",
"c++",
"c#",
"go",
"java",
"javascript",
"lua",
"objective-c",
"perl",
"php",
"powershell",
"python",
"ruby",
"scala",
"swift",
"typescript",
"visual-basic",
"x86-32",
"x86-64"
],
"ui-priority": 0
},
"is_family": {
"description": "Defines whether the object represents a malware family or a malware instance.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 1
},
"last_seen": {
"description": "The time that the malware family or malware instance was last seen.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"malware_type": {
"description": "A set of categorizations for the malware being described.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"adware",
"backdoor",
"bot",
"bootkit",
"ddos",
"downloader",
"dropper",
"exploit-kit",
"keylogger",
"ransomware",
"remote-access-trojan",
"resource-exploitation",
"rogue-security-software",
"rootkit",
"screen-capture",
"spyware",
"trojan",
"unknown",
"virus",
"webshell",
"wiper",
"worm"
],
"ui-priority": 0
},
"name": {
"description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "Malware is a type of TTP that represents malicious code.",
"meta-category": "misc",
"name": "malware",
"required": [
"is_family"
],
"uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d",
"version": 1
}

135
objects/monetary-impact/definition.json Normal file
View File

@ -0,0 +1,135 @@
{
"attributes": {
"conversion_rate": {
"description": "Conversion rate between currency and currency_actual (if needed).",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 0
},
"conversion_time": {
"description": "Timestamp when the conversion rate was queried.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"currency": {
"description": "Currency used to describe the max and min amount of the impact.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"currency_actual": {
"description": "Currency that the impact actually used.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"max_amount": {
"description": "Maximum damage estimate.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 0
},
"min_amount": {
"description": "Minimum damage estimate.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"variety": {
"description": "Variety of the moneraty impact.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"asset-and-fraud",
"brand-damage",
"business-disruption",
"competitive-advantage",
"legal-and-regulatory",
"operating-costs",
"ransom-demand",
"ransom-payment",
"response-and-recovery",
"uncategorized"
],
"ui-priority": 0
}
},
"description": "Monetary Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "monetary-impact",
"required": [
"variety"
],
"uuid": "3376296c-c1ef-4847-979f-2bfc49aa983e",
"version": 1
}

47
objects/organization/definition.json
View File

@ -18,6 +18,11 @@
"multiple": true,
"ui-priority": 99
},
"contact_information": {
"description": "Generic contact information (e-mail, phone number, etc.) for this Organization, with no specific format requirement.",
"misp-attribute": "text",
"ui-priority": 18
},
"date-of-inception": {
"description": "Date of inception of the organization",
"misp-attribute": "datetime",
@ -77,6 +82,48 @@
"Emitter"
]
},
"sector": {
"description": "Describing the organization's sector of activity.",
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"agriculture",
"aerospace",
"automotive",
"chemical",
"commercial",
"communication",
"construction",
"defense",
"education",
"energy",
"entertainment",
"financial-services",
"government",
"government emergency-services",
"government government-local",
"government-national",
"government-public-services",
"government-regional",
"healthcare",
"hospitality-leasure",
"infrastructure",
"infrastructure dams",
"infrastructure nuclear",
"infrastructure water",
"insurance",
"manufacturing",
"mining",
"non-profit",
"pharmaceuticals",
"retail",
"technology",
"telecommunication",
"transportation",
"utilities"
],
"ui-priority": 17
},
"type-of-organization": {
"description": "Type of the organization",
"misp-attribute": "text",

124
objects/physical-impact/definition.json Normal file
View File

@ -0,0 +1,124 @@
{
"attributes": {
"asset_type": {
"description": "The type or property or system that was affected by this impact.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"building-doors",
"building-windows",
"buildings",
"computers-mobile",
"computers-personal",
"computers-server",
"environment",
"ics-actuator",
"ics-engineering-workstation",
"ics-historian",
"ics-hmi",
"ics-other",
"ics-plc",
"ics-safety-system",
"ics-sensor",
"inventory",
"network-device",
"private-infrastructure",
"public-infrastructure",
"security-containers",
"vehicles"
],
"ui-priority": 0
},
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"impact_type": {
"description": "Type of physical impact.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"damaged-functional",
"damaged-nonfunctional",
"destruction",
"none",
"unknown"
],
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
}
},
"description": "Physical Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "physical-impact",
"required": [
"impact_type"
],
"uuid": "ae979b91-5896-46f7-ad70-4f3036d79251",
"version": 1
}

17
objects/scan-result/definition.json
View File

@ -32,6 +32,11 @@
"Unknown"
]
},
"scan-result-query": {
"description": "Query or parameters provided to scan-result-tool to generate the scan-result.",
"misp-attribute": "text",
"ui-priority": 1
},
"scan-result-tool": {
"description": "Tool used which generated the scan-result.",
"disable_correlation": true,
@ -54,6 +59,7 @@
"AuditJS Scan",
"Azure Security Center Recommendations Scan",
"Bandit Scan",
"BinaryEdge",
"BlackDuck API",
"Blackduck Component Risk",
"Blackduck Hub Scan",
@ -66,6 +72,7 @@
"Burp REST API",
"Burp Scan",
"CargoAudit Scan",
"Censys",
"Checkmarx OSA",
"Checkmarx Scan",
"Checkmarx Scan detailed",
@ -133,6 +140,7 @@
"Nmap Scan",
"Node Security Platform Scan",
"Nuclei Scan",
"ONYPHE",
"ORT evaluated model Importer",
"OpenVAS CSV",
"Openscap Vulnerability Scan",
@ -156,6 +164,7 @@
"Scantist Scan",
"Scout Suite Scan",
"Semgrep JSON Report",
"Shodan",
"Snyk Scan",
"Solar Appscreener Scan",
"SonarQube API Import",
@ -191,6 +200,7 @@
"Xanitizer Scan",
"Yarn Audit Scan",
"ZAP Scan",
"ZoomEye",
"docker-bench-security Scan",
"kube-bench Scan",
"pip-audit Scan"
@ -220,9 +230,10 @@
"description": "Scan result object to add meta-data and the output of the scan result by itself.",
"meta-category": "network",
"name": "scan-result",
"required": [
"scan-result"
"requiredOneOf": [
"scan-result",
"scan-result-query"
],
"uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4",
"version": 2
"version": 3
}

18
objects/sigmf-archive/definition.json Normal file
View File

@ -0,0 +1,18 @@
{
"attributes": {
"SigMF-archive": {
"description": "tar archive (.sigmf)",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 1
}
},
"description": "An object representing an archive containing one or multiple recordings in the Signal Metadata Format Specification (SigMF)",
"meta-category": "misc",
"name": "sigmf-archive",
"required": [
"SigMF-archive"
],
"uuid": "5985d34d-3657-4828-9788-470175bcc3b1",
"version": 1
}

147
objects/sigmf-expanded-recording/definition.json Normal file
View File

@ -0,0 +1,147 @@
{
"attributes": {
"author": {
"description": "A text identifier for the author potentially including name, handle, email, and/or other ID like Amateur Call Sign.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"collection": {
"description": "The base filename of a collection with which this Recording is associated.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"data_doi": {
"description": "The registered DOI (ISO 26324) for a Recording's Dataset file.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"dataset": {
"description": "The full filename of the Dataset file this Metadata file describes.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"datatype": {
"description": "",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"description": {
"description": "A text description of the SigMF Recording.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"fft-plot": {
"description": "FFT plot of the signal",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"geolocation_alt": {
"description": "The location of the Recording system (altitude).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"geolocation_lat": {
"description": "The location of the Recording system (latitude).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"geolocation_long": {
"description": "The location of the Recording system (longitude).",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"hw": {
"description": "A text description of the hardware used to make the Recording.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"iq-sample": {
"description": "Binary file of IQ samples",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
},
"license": {
"description": "A URL for the license document under which the Recording is offered.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"meta_doi": {
"description": "The registered DOI (ISO 26324) for a Recording's Metadata file.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"metadata_only": {
"description": "Indicates the Metadata file is intentionally distributed without the Dataset.",
"disable_correlation": true,
"misp-attribute": "boolean",
"ui-priority": 0
},
"num_channels": {
"description": "Total number of interleaved channels in the Dataset file. If omitted, this defaults to one.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"offset": {
"description": "The index number of the first sample in the Dataset. If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"recorder": {
"description": "The name of the software used to make this SigMF Recording.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"sample_rate": {
"description": "The sample rate of the signal in samples per second.",
"disable_correlation": true,
"misp-attribute": "float",
"ui-priority": 0
},
"sha512": {
"description": "The SHA512 hash of the Dataset file associated with the SigMF file.",
"disable_correlation": true,
"misp-attribute": "sha512",
"ui-priority": 0
},
"trailing_bytes": {
"description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.",
"disable_correlation": true,
"misp-attribute": "counter",
"ui-priority": 0
},
"version": {
"description": "The version of the SigMF specification used to create the Metadata file.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"waterfall-plot": {
"description": "Waterfall plot of the signal",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
}
},
"description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)",
"meta-category": "misc",
"name": "sigmf-expanded-recording",
"uuid": "f1c2c4e1-d3bf-46b1-b34d-f5e9544a4795",
"version": 1
}

24
objects/sigmf-recording/definition.json Normal file
View File

@ -0,0 +1,24 @@
{
"attributes": {
"SigMF-data": {
"description": "Binary file of IQ or RF samples (.sigmf-data)",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 1
},
"SigMF-meta": {
"description": "Metadata file in SigMF format (.sigmf-meta)",
"disable_correlation": true,
"misp-attribute": "attachment",
"ui-priority": 0
}
},
"description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)",
"meta-category": "misc",
"name": "sigmf-recording",
"required": [
"SigMF-meta"
],
"uuid": "0ca64648-38ca-4e48-99ce-2e655cdac02c",
"version": 1
}

122
objects/task/definition.json Normal file
View File

@ -0,0 +1,122 @@
{
"attributes": {
"description": {
"description": "Description of the task.",
"misp-attribute": "text",
"ui-priority": 1
},
"end_time": {
"description": "The date and time the event was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"error": {
"description": "Details about any failure or deviation that occurred in the task.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"name": {
"description": "Name of the task.",
"misp-attribute": "text",
"ui-priority": 1
},
"outcome": {
"description": "Outcome of the task",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"cancelled",
"failed",
"ongoing",
"pending",
"successful",
"unknown"
],
"ui-priority": 0
},
"priority": {
"description": "Priority or importance of the task.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the event was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"task_type": {
"description": "Type of task.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"administrative",
"attribution",
"containment",
"declared",
"detected",
"eradication",
"escalated",
"exercised-control",
"external-intelligence",
"external-outreach",
"external-support",
"implemented-control",
"negotiation",
"playbook-execution",
"playbook-step-execution",
"recovery",
"reported",
"routine-updates",
"victim-notification"
],
"ui-priority": 0
}
},
"description": "Task object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "task",
"required": [
"outcome"
],
"uuid": "384734e7-8710-4ab0-901a-6f0e73a551e6",
"version": 1
}

93
objects/traceability-impact/definition.json Normal file
View File

@ -0,0 +1,93 @@
{
"attributes": {
"criticality": {
"description": "Criticality of the impact",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Not Specified",
"False Positive",
"Low",
"Moderate",
"High",
"Extreme"
],
"ui-priority": 0
},
"description": {
"description": "Additional details about the impact.",
"misp-attribute": "text",
"ui-priority": 0
},
"end_time": {
"description": "The date and time the impact was last recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"end_time_fidelity": {
"description": "Level of fidelity that the `end_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"recoverability": {
"description": "Recoverability of this particular impact with respect to feasibility and required time and resources.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"extended",
"not-applicable",
"not-recoverable",
"regular",
"supplemented"
],
"ui-priority": 0
},
"start_time": {
"description": "The date and time the impact was first recorded.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"start_time_fidelity": {
"description": "Level of fidelity that the `start_time` is recorded in.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"day",
"hour",
"minute",
"month",
"second",
"year"
],
"ui-priority": 0
},
"traceability_impact": {
"description": "Impact on a system or organization's ability to perform audits or provvide non-repudiation.",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"accountability-lost",
"partial-accountability",
"provable-accountability"
],
"ui-priority": 0
}
},
"description": "Traceability Impact object as described in STIX 2.1 Incident object extension.",
"meta-category": "misc",
"name": "traceability-impact",
"required": [
"traceability_impact"
],
"uuid": "1dd26500-6246-4750-ad47-94ae4e200d8f",
"version": 1
}

2
objects/virustotal-report/definition.json
View File

@ -63,5 +63,5 @@
"permalink"
],
"uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
"version": 4
"version": 5
}

24
objects/x-header/definition.json Normal file
View File

@ -0,0 +1,24 @@
{
"attributes": {
"x-header-name": {
"description": "X header name is the value of the header key. The name is case sensitive.",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"x-value": {
"description": "X value is the value of the specified header name.",
"misp-attribute": "text",
"ui-priority": 0
}
},
"description": "X header generic object for SMTP, HTTP or any other protocols using X headers.",
"meta-category": "network",
"name": "x-header",
"requiredOneOf": [
"x-header-name",
"x-value"
],
"uuid": "9a7028df-e238-45e8-893c-8e67d273fb61",
"version": 1
}

194
relationships/definition.json
View File

@ -200,7 +200,8 @@
"misp",
"stix-2.0"
],
"name": "targets"
"name": "targets",
"opposite": "targeted-by"
},
{
"description": "This relationship describes the use by the source object of the target object.",
@ -400,14 +401,14 @@
"misp"
],
"name": "followed-by",
"opposite": "preceding-by"
"opposite": "preceded-by"
},
{
"description": "This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.",
"format": [
"misp"
],
"name": "preceding-by",
"name": "preceded-by",
"opposite": "followed-by"
},
{
@ -1058,7 +1059,8 @@
"misp",
"haxpak"
],
"name": "creates"
"name": "creates",
"opposite": "created-by"
},
{
"description": "Represents an object being the screenshot of something.",
@ -1513,7 +1515,189 @@
"XFN"
],
"name": "Me"
},
{
"description": "The source object is redirected to the target object.",
"format": [
"misp"
],
"name": "redirects-to"
},
{
"description": "The source object is rendered to the target object.",
"format": [
"misp"
],
"name": "rendered-as"
},
{
"description": "The source object is known as the target object.",
"format": [
"misp"
],
"name": "known-as"
},
{
"description": "The source object is led to the target object.",
"format": [
"stix-2.1"
],
"name": "led-to"
},
{
"description": "The source object has an impact on the target.",
"format": [
"stix-2.1"
],
"name": "impacts",
"opposite": "impacted-by"
},
{
"description": "The source object is impacted by the target.",
"format": [
"misp"
],
"name": "impacted-by",
"opposite": "impacts"
},
{
"description": "An object occured at a specific location.",
"format": [
"stix-2.1"
],
"name": "located-at"
},
{
"description": "The source object should be considered a point of contact for the target.",
"format": [
"stix-2.1"
],
"name": "contact-for"
},
{
"description": "The source object was responsible for detecting the target object.",
"format": [
"stix-2.1"
],
"name": "detects",
"opposite": "detected-by"
},
{
"description": "The source object is detected by the target object.",
"format": [
"misp"
],
"name": "detected-by",
"opposite": "detects"
},
{
"description": "The target object was observed as part of a source event.",
"format": [
"stix-2.1"
],
"name": "observed",
"opposite": "observed-by"
},
{
"description": "The source object was observed by the target object.",
"format": [
"misp"
],
"name": "observed-by",
"opposite": "observed"
},
{
"description": "The source object is based on the target.",
"format": [
"stix-2.1"
],
"name": "based-on"
},
{
"description": "The source object performed the target event.",
"format": [
"stix-2.1"
],
"name": "performed",
"opposite": "performed-by"
},
{
"description": "The source object was performed by the target.",
"format": [
"misp"
],
"name": "performed-by",
"opposite": "performed"
},
{
"description": "The source object blocks the target object.",
"format": [
"stix-2.1"
],
"name": "blocks",
"opposite": "blocked-by"
},
{
"description": "The source object is blocked by the target object.",
"format": [
"misp"
],
"name": "blocked-by",
"opposite": "blocks"
},
{
"description": "The source object causes the target event.",
"format": [
"stix-2.1"
],
"name": "causes",
"opposite": "caused-by"
},
{
"description": "The source object is caused by the target object.",
"format": [
"misp"
],
"name": "caused-by",
"opposite": "causes"
},
{
"description": "The source object is followed by the target because of an error.",
"format": [
"stix-2.1"
],
"name": "errored-to"
},
{
"description": "The source object has been assigned the target.",
"format": [
"stix-2.1"
],
"name": "assigned"
},
{
"description": "The source object participated in the target task.",
"format": [
"stix-2.1"
],
"name": "participated-in"
},
{
"description": "The source object is targeted by the target object.",
"format": [
"misp"
],
"name": "targeted-by",
"opposite": "targets"
},
{
"description": "The source object was created by the target object.",
"format": [
"misp"
],
"name": "created-by",
"opposite": "creates"
}
],
"version": 37
"version": 40
}