From 1f3b9312cc198a75961bcee62941144e7e388f52 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 15 Jun 2023 13:27:55 +0200
Subject: [PATCH 01/43] add: [organization] Added the generic `contact_information` and `sector` fields for an organization
---
 objects/organization/definition.json | 47 ++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index cdffce0..b69e313 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -18,6 +18,11 @@
 "multiple": true,
 "ui-priority": 99
 },
+ "contact_information": {
+ "description": "Generic contact information (e-mail, phone number, etc.) for this Organization, with no specific format requirement.",
+ "misp-attribute": "text",
+ "ui-priority": 18
+ },
 "date-of-inception": {
 "description": "Date of inception of the organization",
 "misp-attribute": "datetime",
@@ -77,6 +82,48 @@
 "Emitter"
 ]
 },
+ "sector": {
+ "description": "Description of the organization sector"
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "agriculture",
+ "aerospace",
+ "automotive",
+ "chemical",
+ "commercial",
+ "communication",
+ "construction",
+ "defense",
+ "education",
+ "energy",
+ "entertainment",
+ "financial-services",
+ "government",
+ "government emergency-services",
+ "government government-local",
+ "government-national",
+ "government-public-services",
+ "government-regional",
+ "healthcare",
+ "hospitality-leasure",
+ "infrastructure",
+ "infrastructure dams",
+ "infrastructure nuclear",
+ "infrastructure water",
+ "insurance",
+ "manufacturing",
+ "mining",
+ "non-profit",
+ "pharmaceuticals",
+ "retail",
+ "technology",
+ "telecommunication",
+ "transportation",
+ "utilities"
+ ],
+ "ui-priority": 17
+ },
 "type-of-organization": {
 "description": "Type of the organization",
 "misp-attribute": "text",
From f6d069dc3db521f38108d682db78e3a12daf0b6d Mon Sep 17 00:00:00 2001
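Review bot: `contact_information` is declared to hold e-mail addresses and phone numbers, yet unlike the sibling `sector` attribute added in the same commit it does not set `"multiple": true`, so an organization with several contact channels can only record one of them; adding `+ "multiple": true,` next to the `misp-attribute` line keeps the two new fields consistent. Because MISP attributes correlate unless told otherwise, a shared generic contact string (a common mailbox, a switchboard number) would also link unrelated organizations across events; if that is not wanted, `+ "disable_correlation": true,` as used on the enumerated fields later in this series avoids the noise. The enclosing `attributes` object starts and ends outside the hunk.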
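Review bot: The `sane_default` vocabulary for `sector` mixes two separators: `government emergency-services`, `government government-local`, `infrastructure dams`, `infrastructure nuclear` and `infrastructure water` contain a space where every other value is hyphenated (`government-national`, `financial-services`), and `hospitality-leasure` is misspelled. The list appears to follow the STIX 2.1 industry-sector vocabulary, where the sub-sectors are plain `emergency-services`, `government-local`, `dams`, `nuclear`, `water` and `hospitality-leisure`; confirm which form is intended, because these strings are stored on data and matched exactly, so a rename after the template ships is a breaking change. The missing comma after the `description` value is already corrected in the next patch of the series. `attributes` continues outside the hunk.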
From: Christian Studer
Date: Thu, 15 Jun 2023 13:51:08 +0200
Subject: [PATCH 02/43] fix: [organization] Fixed missing comma - Managed to improve the description too
---
 objects/organization/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index b69e313..5b6faeb 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -83,7 +83,7 @@
 ]
 },
 "sector": {
- "description": "Description of the organization sector"
+ "description": "Describing the organization's sector of activity.",
 "misp-attribute": "text",
 "multiple": true,
 "sane_default": [
From ef04ff80200a13d9bb6b22be8f981a9b4187f4f3 Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Wed, 21 Jun 2023 16:32:30 +0200
Subject: [PATCH 03/43] add: [incident] Incident object based on the STIX 2.1 Incident object as well as its core extension
---
 objects/incident/definition.json | 179 +++++++++++++++++++++++++++++++
 1 file changed, 179 insertions(+)
 create mode 100644 objects/incident/definition.json
diff --git a/objects/incident/definition.json b/objects/incident/definition.json
new file mode 100644
index 0000000..d61644c
--- /dev/null
+++ b/objects/incident/definition.json
@@ -0,0 +1,179 @@ +{ + "attributes": { + "criticality": { + "description": "Criticality of the incident", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Description of the incident.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "detection_method": { + "description": "Methods used to detect the activity.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "automated-tool", + "human-review", + "message-from-attacker", + "system-outage", + "user-reporting" + ], + "ui-priority": 0 + }, + "determination": { + "description": "Determination on the outcome of the incident.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "blocked", + "successful-attempt", + "failed-attempt", + "false-positive", + "low-value", + "suspected" + ], + "ui-priority": 0 + }, + "incident_type": { + "description": "Type of incident", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "aggregation-information-phishing-schemes", + "benign", + "blocked", + "brute-force-attempt", + "c&c-server-hosting", + "compromised-system", + "confirmed", + "connection-malware-port", + "connection-malware-system", + "content-forbidden-by-law", + "control-system-bypass", + "copyrighted-content", + "data-exfiltration", + "deferred", + "deletion-information", + "denial-of-service", + "destruction", + "dictionary-attack-attempt", + "discarded", + "disruption-data-transmission", + "dissemination-malware-email", + "dissemination-phishing-emails", + "dns-cache-poisoning", + "dns-local-resolver-hijacking", + "dns-spoofing-registered", + "dns-rebinding", + "dns-server-compromise", + "dns-spoofing-unregistered", + "dns-stub-resolver-hijacking", + "dns-zone-transfer", + "domain-name-compromise", + 
"duplicate", + "email-flooding", + "equipment-loss", + "equipment-theft", + "exploit", + "exploit-attempt", + "exploit-framework-exhausting-resources", + "exploit-tool-exhausting-resources", + "failed", + "file-inclusion", + "file-inclusion-attempt", + "hosting-malware-webpage", + "hosting-phishing-sites", + "illegitimate-use-name", + "illegitimate-use-resources", + "infected-by-known-malware", + "insufficient-data", + "known-malware", + "lame-delegations", + "major", + "modification-information", + "misconfiguration", + "natural", + "network-scanning", + "no-apt", + "packet-flood", + "password-cracking-attempt", + "ransomware", + "refuted", + "scan-probe", + "silently-discarded", + "supply-chain-customer", + "supply-chain-vendor", + "spam", + "sql-injection", + "sql-injection-attempt", + "successful", + "system-probe", + "theft-access-credentials", + "unattributed", + "unauthorized-access-information", + "unauthorized-access-system", + "unauthorized-equipment", + "unauthorized-release", + "unauthorized-use", + "undetermined", + "unintentional", + "unknown-apt", + "unspecified", + "vandalism", + "wiretapping", + "worm-spreading", + "xss", + "xss-attempt" + ], + "ui-priority": 0 + }, + "investigation_status": { + "description": "Current status of the incident investigation.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "closed", + "new", + "open" + ], + "ui-priority": 0 + }, + "name": { + "description": "Name of the incident.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "recoverability": { + "description": "Recoverability of the incident, with respect to feasibility and required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + } + }, + "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.", + 
"meta-category": "misc", + "name": "incident", + "uuid": "38597424-f9bb-4865-9b4b-819172df0334", + "version": 1 +} \ No newline at end of file From 1a05a9f253f4a99b3e1606db0abc980838c3e92f Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 12:28:04 +0200 Subject: [PATCH 04/43] add: [incident] Added the required object relation --- objects/incident/definition.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/objects/incident/definition.json b/objects/incident/definition.json index d61644c..0824509 100644 --- a/objects/incident/definition.json +++ b/objects/incident/definition.json @@ -174,6 +174,9 @@ "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.", "meta-category": "misc", "name": "incident", + "required": [ + "name" + ], "uuid": "38597424-f9bb-4865-9b4b-819172df0334", "version": 1 } \ No newline at end of file From c5c8f35fb40444bc21c1db634729806c090eb43f Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 12:28:47 +0200 Subject: [PATCH 05/43] wip: [event] New object template to describe events that can happen during an incident --- objects/event/definition.json | 172 ++++++++++++++++++++++++++++++++++ 1 file changed, 172 insertions(+) create mode 100644 objects/event/definition.json diff --git a/objects/event/definition.json b/objects/event/definition.json new file mode 100644 index 0000000..58c6e1b --- /dev/null +++ b/objects/event/definition.json 
@@ -0,0 +1,172 @@ +{ + "attributes": { + "description": { + "description": "Description of the event.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the event was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "event_type": { + "description": "Type of event.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "aggregation-information-phishing-schemes", + "benign", + "blocked", + "brute-force-attempt", + "c&c-server-hosting", + "compromised-system", + "confirmed", + "connection-malware-port", + "connection-malware-system", + "content-forbidden-by-law", + "control-system-bypass", + "copyrighted-content", + "data-exfiltration", + "deferred", + "deletion-information", + "denial-of-service", + "destruction", + "dictionary-attack-attempt", + "discarded", + "disruption-data-transmission", + "dissemination-malware-email", + "dissemination-phishing-emails", + "dns-cache-poisoning", + "dns-local-resolver-hijacking", + "dns-spoofing-registered", + "dns-rebinding", + "dns-server-compromise", + "dns-spoofing-unregistered", + "dns-stub-resolver-hijacking", + "dns-zone-transfer", + "domain-name-compromise", + "duplicate", + "email-flooding", + "equipment-loss", + "equipment-theft", + "exploit", + "exploit-attempt", + "exploit-framework-exhausting-resources", + "exploit-tool-exhausting-resources", + "failed", + "file-inclusion", + "file-inclusion-attempt", + "hosting-malware-webpage", + "hosting-phishing-sites", + "illegitimate-use-name", + "illegitimate-use-resources", + "infected-by-known-malware", + "insufficient-data", + "known-malware", + "lame-delegations", + "major", + 
"modification-information", + "misconfiguration", + "natural", + "network-scanning", + "no-apt", + "packet-flood", + "password-cracking-attempt", + "ransomware", + "refuted", + "scan-probe", + "silently-discarded", + "supply-chain-customer", + "supply-chain-vendor", + "spam", + "sql-injection", + "sql-injection-attempt", + "successful", + "system-probe", + "theft-access-credentials", + "unattributed", + "unauthorized-access-information", + "unauthorized-access-system", + "unauthorized-equipment", + "unauthorized-release", + "unauthorized-use", + "undetermined", + "unintentional", + "unknown-apt", + "unspecified", + "vandalism", + "wiretapping", + "worm-spreading", + "xss", + "xss-attempt" + ], + "ui-priority": 0 + }, + "goal": { + "description": "The assumed objective of the event.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "name": { + "description": "Name of the event.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the event was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "status": { + "description": "Current status of the event.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "not-occurred", + "ongoing", + "occurred", + "pending", + "undetermined" + ], + "ui-priority": 1 + } + }, + "description": "Event object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "event", + "required": [ + "status" + ], + "uuid": "3853b726-6a9c-43b3-8ffb-23839b07d5a9", + "version": 1 +} \ No newline at end of file From 3c17729f0ec5d8d03f53d7588ad487428c91fa5e Mon Sep 17 00:00:00 2001 
From: Christian Studer Date: Thu, 22 Jun 2023 15:16:48 +0200 Subject: [PATCH 06/43] wip: [impacts] New template for different types of impacts as described in STIX 2.1 Incident object extensions --- objects/availability-impact/definition.json | 96 +++++++++++++ .../confidentiality-impact/definition.json | 125 ++++++++++++++++ objects/external-impact/definition.json | 97 +++++++++++++ objects/integrity-impact/definition.json | 127 ++++++++++++++++ objects/monetary-impact/definition.json | 135 ++++++++++++++++++ objects/physical-impact/definition.json | 124 ++++++++++++++++ objects/traceability-impact/definition.json | 93 ++++++++++++ 7 files changed, 797 insertions(+) create mode 100644 objects/availability-impact/definition.json create mode 100644 objects/confidentiality-impact/definition.json create mode 100644 objects/external-impact/definition.json create mode 100644 objects/integrity-impact/definition.json create mode 100644 objects/monetary-impact/definition.json create mode 100644 objects/physical-impact/definition.json create mode 100644 objects/traceability-impact/definition.json diff --git a/objects/availability-impact/definition.json b/objects/availability-impact/definition.json new file mode 100644 index 0000000..ff6daa1 --- /dev/null +++ b/objects/availability-impact/definition.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "availability_impact": { + "description": "The availability impact.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "None", + "Minimal", + "Significant", + "Denial", + "Loss of Control" + ], + "ui-priority": 0 + }, + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + } + }, + "description": "Availability Impact object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": 
"availability-impact", + "required": [ + "availability_impact" + ], + "uuid": "19b4394a-46a9-4196-a30c-080eaed06273", + "version": 1 +} \ No newline at end of file diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json new file mode 100644 index 0000000..022dad0 --- /dev/null +++ b/objects/confidentiality-impact/definition.json 
@@ -0,0 +1,125 @@ +{ + "attributes": { + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "information_type": { + "description": "Type of information that had its confidentiality compromised.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "classified-material", + "communication", + "credentials-admin", + "credentials-user", + "financial", + "leval", + "payment", + "phi", + "pii", + "proprietary" + ], + "ui-priority": 0 + }, + "loss_type": { + "description": "The type of loss that occurred to the relevant information.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "confirmed-loss", + "contained", + "exploited-loss", + "none", + "suspected-loss" + ], + "ui-priority": 0 + }, + "record_count":{ + "description": "The number of records of this type that were compromised.", + "disable_correlation": true, + "misp_attribute": "counter", + "ui-priority": 0 + }, + "record_size":{ + "description": "The amount of data that was compromised in bytes.", + "disable_correlation": true, + "misp_attribute": "size-in-bytes", + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and 
resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + } + }, + "description": "Confidentiality Impact object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "confidentiality-impact", + "required": [ + "loss_type" + ], + "uuid": "b0027f13-56e4-4c85-9632-3cf81208429b", + "version": 1 +} \ No newline at end of file diff --git a/objects/external-impact/definition.json b/objects/external-impact/definition.json new file mode 100644 index 0000000..045cb20 --- /dev/null +++ b/objects/external-impact/definition.json 
@@ -0,0 +1,97 @@ +{ + "attributes": { + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "impact_type": { + "description": "Type of impact.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "economic", + "emergency-services", + "foreign-relations", + "national-secuirty", + "public-confidence", + "public-health", + "public-safety" + ], + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + } + }, + "description": "External Impact object as described in STIX 2.1 Incident object extension.", + 
"meta-category": "misc", + "name": "external-impact", + "required": [ + "impact_type" + ], + "uuid": "4ac36991-9333-4ada-8e17-bcbeb988160a", + "version": 1 +} \ No newline at end of file diff --git a/objects/integrity-impact/definition.json b/objects/integrity-impact/definition.json new file mode 100644 index 0000000..b53dca1 --- /dev/null +++ b/objects/integrity-impact/definition.json 
@@ -0,0 +1,127 @@ +{ + "attributes": { + "alteration": { + "description": "", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "potential-destruction", + "potential-modification", + "partial-destruction", + "partial-modification", + "full-destruction", + "full-modification", + "none" + ], + "ui-priority": 0 + }, + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "information_type": { + "description": "Type of information that had its confidentiality compromised.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "classified-material", + "communication", + "credentials-admin", + "credentials-user", + "financial", + "leval", + "payment", + "phi", + "pii", + "proprietary" + ], + "ui-priority": 0 + }, + "record_count": { + "description": "The number of records of this type that were compromised.", + "disable_correlation": true, + "misp_attribute": "counter", + "ui-priority": 0 + }, + "record_size": { + "description": "The amount of data that was compromised in bytes.", + "disable_correlation": true, + "misp_attribute": "size-in-bytes", + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and 
required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + } + }, + "description": "Integrity Impact object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "integrity-impact", + "required": [ + "alteration" + ], + "uuid": "604830f2-8035-4454-aa32-7f6eee1f04c6", + "version": 1 +} \ No newline at end of file diff --git a/objects/monetary-impact/definition.json b/objects/monetary-impact/definition.json new file mode 100644 index 0000000..0fe7c37 --- /dev/null +++ b/objects/monetary-impact/definition.json 
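Review bot: `alteration` is the only required attribute of this template but ships with an empty `"description": ""`, which is the text the MISP UI shows the analyst; something like `"description": "Kind of alteration (potential, partial or full destruction or modification) suffered by the affected information."` would do. `information_type`'s description, `Type of information that had its confidentiality compromised.`, is copied from the confidentiality template and should say `integrity` here. The `misp_attribute` key typo on `record_count`/`record_size` and `leval` noted on the confidentiality section are present in this file too.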
@@ -0,0 +1,135 @@ +{ + "attributes": { + "conversion_rate": { + "description": "Conversion rate between currency and currency_actual (if needed).", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "conversion_time": { + "description": "Timestamp when the conversion rate was queried.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "currency": { + "description": "Currency used to describe the max and min amount of the impact.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "currency_actual": { + "description": "Currency that the impact actually used.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "max_amount": { + "description": "Maximum damage estimate.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "min_amount": { + "description": "Minimum damage estimate.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.", + "disable_correlation": true, + 
"misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "variety": { + "description": "Variety of the moneraty impact.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "asset-and-fraud", + "brand-damage", + "business-disruption", + "competitive-advantage", + "legal-and-regulatory", + "operating-costs", + "ransom-demand", + "ransom-payment", + "response-and-recovery", + "uncategorized" + ], + "ui-priority": 0 + } + }, + "description": "Monetary Impact object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "monetary-impact", + "required": [ + "variety" + ], + "uuid": "3376296c-c1ef-4847-979f-2bfc49aa983e", + "version": 1 +} \ No newline at end of file diff --git a/objects/physical-impact/definition.json b/objects/physical-impact/definition.json new file mode 100644 index 0000000..54cd04a --- /dev/null +++ b/objects/physical-impact/definition.json 
@@ -0,0 +1,124 @@ +{ + "attributes": { + "asset_type": { + "description": "The type or property or system that was affected by this impact.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "building-doors", + "building-windows", + "buildings", + "computers-mobile", + "computers-personal", + "computers-server", + "environment", + "ics-actuator", + "ics-engineering-workstation", + "ics-historian", + "ics-hmi", + "ics-other", + "ics-plc", + "ics-safety-system", + "ics-sensor", + "inventory", + "network-device", + "private-infrastructure", + "public-infrastructure", + "security-containers", + "vehicles" + ], + "ui-priority": 0 + }, + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "impact_type": { + "description": "Type of physical impact.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "damaged-functional", + "damaged-nonfunctional", + "destruction", + "none", + "unknown" + ], + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + 
"not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + } + }, + "description": "Physical Impact object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "physical-impact", + "required": [ + "impact_type" + ], + "uuid": "ae979b91-5896-46f7-ad70-4f3036d79251", + "version": 1 +} \ No newline at end of file diff --git a/objects/traceability-impact/definition.json b/objects/traceability-impact/definition.json new file mode 100644 index 0000000..5aa5f55 --- /dev/null +++ b/objects/traceability-impact/definition.json 
@@ -0,0 +1,93 @@ +{ + "attributes": { + "criticality": { + "description": "Criticality of the impact", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "description": { + "description": "Additional details about the impact.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time the impact was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "recoverability": { + "description": "Recoverability of this particular impact with respect to feasibility and required time and resources.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "extended", + "not-applicable", + "not-recoverable", + "regular", + "supplemented" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the impact was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "traceability_impact": { + "description": "Impact on a system or organization's ability to perform audits or provvide non-repudiation.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "accountability-lost", + "partial-accountability", + "provable-accountability" + ], + "ui-priority": 0 + } + }, + "description": "Traceability Impact object as described in STIX 2.1 Incident 
object extension.", + "meta-category": "misc", + "name": "traceability-impact", + "required": [ + "traceability_impact" + ], + "uuid": "1dd26500-6246-4750-ad47-94ae4e200d8f", + "version": 1 +} \ No newline at end of file From e3556784b5c06d072f5bf06af6b233acd05f131e Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 15:39:02 +0200 Subject: [PATCH 07/43] wip: [task] New object template for tasks as described in STIX 2.1 Incident object extensions --- objects/task/definition.json | 122 +++++++++++++++++++++++++++++++++++ 1 file changed, 122 insertions(+) create mode 100644 objects/task/definition.json diff --git a/objects/task/definition.json b/objects/task/definition.json new file mode 100644 index 0000000..2b0774a --- /dev/null +++ b/objects/task/definition.json 
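Review bot: The `traceability_impact` description contains a typo, "provvide" → "provide": `"description": "Impact on a system or organization's ability to perform audits or provide non-repudiation."`. As in the other impact templates in this series, `start_time`, `end_time` and `description` carry no `disable_correlation` while the fidelity attributes admit `month`/`year` precision, so identical timestamps across unrelated incidents are likely. Assuming datetime values correlate in the target MISP version, `"disable_correlation": true` on the two datetime attributes would avoid those spurious links.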
@@ -0,0 +1,122 @@ +{ + "attributes": { + "description": { + "description": "Description of the task.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "end_time": { + "description": "The date and time the event was last recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "end_time_fidelity": { + "description": "Level of fidelity that the `end_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "error": { + "description": "Details about any failure or deviation that occurred in the task.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "name": { + "description": "Name of the task.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "outcome": { + "description": "Outcome of the task", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "cancelled", + "failed", + "ongoing", + "pending", + "successful", + "unknown" + ], + "ui-priority": 0 + }, + "priority": { + "description": "Priority or importance of the task.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Not Specified", + "False Positive", + "Low", + "Moderate", + "High", + "Extreme" + ], + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time the event was first recorded.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "start_time_fidelity": { + "description": "Level of fidelity that the `start_time` is recorded in.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "day", + "hour", + "minute", + "month", + "second", + "year" + ], + "ui-priority": 0 + }, + "task_type": { + "description": "Type of task.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "administrative", + "attribution", + "containment", + "declared", + 
"detected", + "eradication", + "escalated", + "exercised-control", + "external-intelligence", + "external-outreach", + "external-support", + "implemented-control", + "negotiation", + "playbook-execution", + "playbook-step-execution", + "recovery", + "reported", + "routine-updates", + "victim-notification" + ], + "ui-priority": 0 + } + }, + "description": "Task object as described in STIX 2.1 Incident object extension.", + "meta-category": "misc", + "name": "task", + "required": [ + "outcome" + ], + "uuid": "384734e7-8710-4ab0-901a-6f0e73a551e6", + "version": 1 +} \ No newline at end of file From 49a715e1cfec6d8160219b3ba7ec853e7672ca72 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 15:41:06 +0200 Subject: [PATCH 08/43] fix: [confidentiality-impact] JQed --- objects/confidentiality-impact/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json index 022dad0..0a550ed 100644 --- a/objects/confidentiality-impact/definition.json +++ b/objects/confidentiality-impact/definition.json @@ -69,13 +69,13 @@ ], "ui-priority": 0 }, - "record_count":{ + "record_count": { "description": "The number of records of this type that were compromised.", "disable_correlation": true, "misp_attribute": "counter", "ui-priority": 0 }, - "record_size":{ + "record_size": { "description": "The amount of data that was compromised in bytes.", "disable_correlation": true, "misp_attribute": "size-in-bytes", From ae62d5f9b3de6d21dabbf58f5aac3a42c3c4e8f2 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 22 Jun 2023 15:50:54 +0200 Subject: [PATCH 09/43] fix: [impacts] Typo --- objects/confidentiality-impact/definition.json | 4 ++-- objects/integrity-impact/definition.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/objects/confidentiality-impact/definition.json b/objects/confidentiality-impact/definition.json
index 0a550ed..71d9449 100644
--- a/objects/confidentiality-impact/definition.json
+++ b/objects/confidentiality-impact/definition.json
@@ -72,13 +72,13 @@
 "record_count": {
 "description": "The number of records of this type that were compromised.",
 "disable_correlation": true,
- "misp_attribute": "counter",
+ "misp-attribute": "counter",
 "ui-priority": 0
 },
 "record_size": {
 "description": "The amount of data that was compromised in bytes.",
 "disable_correlation": true,
- "misp_attribute": "size-in-bytes",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "recoverability": {
diff --git a/objects/integrity-impact/definition.json b/objects/integrity-impact/definition.json
index b53dca1..87d1d10 100644
--- a/objects/integrity-impact/definition.json
+++ b/objects/integrity-impact/definition.json
@@ -74,13 +74,13 @@
 "record_count": {
 "description": "The number of records of this type that were compromised.",
 "disable_correlation": true,
- "misp_attribute": "counter",
+ "misp-attribute": "counter",
 "ui-priority": 0
 },
 "record_size": {
 "description": "The amount of data that was compromised in bytes.",
 "disable_correlation": true,
- "misp_attribute": "size-in-bytes",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "recoverability": {
From e9446939ae99bb970972a1c50a439dcf50dc18b2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Jun 2023 13:46:50 +0200
Subject: [PATCH 10/43] chg: [relationships] add the `redirects-to` relationship as used in LookyLoo
---
 relationships/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 3ae958e..3bd3123 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
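Review bot: A misspelled `misp_attribute` key reached the repository in two templates (confidentiality-impact and integrity-impact) before this fix, which suggests the template schema check does not reject unknown per-attribute keys — an attribute without a valid `misp-attribute` has no MISP type at all. If the repository's JSON schema for object templates is enforced in CI, adding `additionalProperties: false` to the attribute definition and listing `misp-attribute` as required there would catch this class of typo at review time. I cannot see the schema from this hunk, so treat this as a suggestion to verify.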
@@ -1513,7 +1513,14 @@
 "XFN"
 ],
 "name": "Me"
+ },
+ {
+ "description": "The source object is redirected to the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "redirects-to"
 }
 ],
- "version": 37
-}
\ No newline at end of file
+ "version": 38
+}
From 5dd99015d046c7ff81f55f99aff55b99bc6b955a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Jun 2023 13:51:04 +0200
Subject: [PATCH 11/43] chg: [relationships] because newlines
---
 relationships/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 3bd3123..7df3872 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1523,4 +1523,4 @@
 }
 ],
 "version": 38
-}
+}
\ No newline at end of file
From da801ab146fb622a6447c8d2922a95b6049bb70a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 29 Jun 2023 16:22:50 +0200
Subject: [PATCH 12/43] chg: [relationships] relationships names used by LookyLoo added
---
 relationships/definition.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 7df3872..a2f8b1e 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1520,7 +1520,21 @@
 "misp"
 ],
 "name": "redirects-to"
+ },
+ {
+ "description": "The source object is rendered to the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "rendered-as"
+ },
+ {
+ "description": "The source object is known as the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "known-as"
 }
 ],
- "version": 38
+ "version": 39
 }
\ No newline at end of file
From e215a0ff1a15d4cc36a88642acf4893c60125cc0 Mon Sep 17 00:00:00 2001
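Review bot: The `rendered-as` description does not match its name — "The source object is rendered to the target object." should read `"description": "The source object is rendered as the target object."`. All three new relationships (`redirects-to`, `rendered-as`, `known-as`) are directional but define no `opposite`, unlike the pairs added later in this series; a reverse name such as `redirected-from` would let the graph be walked from the landing object back to the initial URL. The PATCH 11 hunk in the same span only strips the trailing newline and needs nothing.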
From: Christian Studer
Date: Fri, 7 Jul 2023 11:36:42 +0200
Subject: [PATCH 13/43] add: [incident] Added the score attribute
- We will probably parse scores and build the attribute value the following way: "{name} - {description}: {score}"
---
 objects/incident/definition.json | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/objects/incident/definition.json b/objects/incident/definition.json
index 0824509..ddfe798 100644
--- a/objects/incident/definition.json
+++ b/objects/incident/definition.json
@@ -169,6 +169,12 @@
 "supplemented"
 ],
 "ui-priority": 0
+ },
+ "score": {
+ "description": "Incident score, with a name, an optional description and the numeric score value.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
 }
 },
 "description": "Incident object template as described in STIX 2.1 Incident object and its core extension.",
From 2b7d5634394d7d68e4d0a01608c4b2959e19c7ec Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Sat, 8 Jul 2023 11:52:40 +0200
Subject: [PATCH 14/43] chg: [relationships] Added some relationships defined in STIX 2.1 & updated some opposite relationships in consequence
---
 relationships/definition.json | 173 +++++++++++++++++++++++++++++++++-
 1 file changed, 168 insertions(+), 5 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index a2f8b1e..bc228c1 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -200,7 +200,8 @@
 "misp",
 "stix-2.0"
 ],
- "name": "targets"
+ "name": "targets",
+ "opposite": "targeted-by"
 },
 {
 "description": "This relationship describes the use by the source object of the target object.",
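Review bot: `score` has no `disable_correlation`, while the commit message says its value will be built as `"{name} - {description}: {score}"`; composite strings like that (the same scoring scheme at the same value) will repeat across unrelated incidents and correlate them. Add `"disable_correlation": true` here, consistent with the enumerated attributes in the impact templates of this series. Packing name, description and number into one `text` attribute also leaves the numeric part unsearchable, so if a single attribute is unavoidable the description should state the exact separator format so consumers can parse it back.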
@@ -400,14 +401,14 @@
 "misp"
 ],
 "name": "followed-by",
- "opposite": "preceding-by"
+ "opposite": "preceded-by"
 },
 {
 "description": "This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.",
 "format": [
 "misp"
 ],
- "name": "preceding-by",
+ "name": "preceded-by",
 "opposite": "followed-by"
 },
 {
@@ -1058,7 +1059,8 @@
 "misp",
 "haxpak"
 ],
- "name": "creates"
+ "name": "creates",
+ "opposite": "created-by"
 },
 {
 "description": "Represents an object being the screenshot of something.",
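Review bot: Renaming `preceding-by` to `preceded-by` changes a relationship name that deployed MISP instances may already have stored on object references, and those references will no longer match any entry in this file after the update. If the misspelled name shipped in a released version, keep `preceding-by` as a deprecated entry whose description points to `preceded-by`, or at least document the rename so operators can migrate existing references. The `created-by` opposite added to `creates` is only valid because `created-by` itself is defined later in this same series; both entries must land in the same version bump.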
@@ -1534,7 +1536,168 @@ "misp" ], "name": "known-as" + }, + { + "description": "The source object is led to the target object.", + "format": [ + "stix-2.1" + ], + "name": "led-to" + }, + { + "description": "The source object has an impact on the target.", + "format": [ + "stix-2.1" + ], + "name": "impacts", + "opposite": "impacted-by" + }, + { + "description": "The source object is impacted by the target.", + "format": [ + "misp" + ], + "name": "impacted-by", + "opposite": "impacts" + }, + { + "description": "An object occured at a specific location.", + "format": [ + "stix-2.1" + ], + "name": "located-at" + }, + { + "description": "The source object should be considered a point of contact for the target.", + "format": [ + "stix-2.1" + ], + "name": "contact-for" + }, + { + "description": "The source object was responsible for detecting the target object.", + "format": [ + "stix-2.1" + ], + "name": "detects", + "opposite": "detected-by" + }, + { + "description": "The source object is detected by the target object.", + "format": [ + "misp" + ], + "name": "detected-by", + "opposite": "detects" + }, + { + "description": "The target object was observed as part of a source event.", + "format": [ + "stix-2.1" + ], + "name": "observed", + "opposite": "observed-by" + }, + { + "description": "The source object was observed by the target object.", + "format": [ + "misp" + ], + "name": "observed-by", + "opposite": "observed" + }, + { + "description": "The source object is based on the target.", + "format": [ + "stix-2.1" + ], + "name": "based-on" + }, + { + "description": "The source object performed the target event.", + "format": [ + "stix-2.1" + ], + "name": "performed", + "opposite": "performed-by" + }, + { + "description": "The source object was performed by the target.", + "format": [ + "misp" + ], + "name": "performed-by", + "opposite": "performed" + }, + { + "description": "The source object blocks the target object.", + "format": [ + "stix-2.1" + ], + "name": 
"blocks", + "opposite": "blocked-by" + }, + { + "description": "The source object is blocked by the target object.", + "format": [ + "misp" + ], + "name": "blocked-by", + "opposite": "blocks" + }, + { + "description": "The source object causes the target event.", + "format": [ + "stix-2.1" + ], + "name": "causes", + "opposite": "caused-by" + }, + { + "description": "The source object is caused by the target object.", + "format": [ + "misp" + ], + "name": "caused-by", + "opposite": "causes" + }, + { + "description": "The source object is followed by the target because of an error.", + "format": [ + "stix-2.1" + ], + "name": "errored-to" + }, + { + "description": "The source object has been assigned the target.", + "format": [ + "stix-2.1" + ], + "name": "assigned" + }, + { + "description": "The source object participated in the target task.", + "format": [ + "stix-2.1" + ], + "name": "participated-in" + }, + { + "description": "The source object is targeted by the target object.", + "format": [ + "misp" + ], + "name": "targeted-by", + "opposite": "targets" + }, + { + "description": "The source object was created by the target object.", + "format": [ + "misp" + ], + "name": "created-by", + "opposite": "creates" } ], - "version": 39 + "version": 40 } \ No newline at end of file From f7da39c5575c237a1e10f194136b2658e77617d7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 10 Jul 2023 16:38:12 +0200 Subject: [PATCH 15/43] new: [hhhassh object] An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash --- objects/hhhash/definition.json | 48 ++++++++++++++++++++++++++++++++++ 1 file changed, 48 insertions(+) create mode 100644 objects/hhhash/definition.json diff --git a/objects/hhhash/definition.json b/objects/hhhash/definition.json new file mode 100644 index 0000000..2f6d976 --- /dev/null +++ b/objects/hhhash/definition.json 
@@ -0,0 +1,48 @@ +{ + "attributes": { + "comment": { + "description": "A description of the HHHash object.", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "hhhash": { + "description": "HHHash hash in format hhh:version:hash_value", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-headers": { + "description": "HHHash value before being hash in the format each header is separated by a :.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-query-headers": { + "description": "Set of headers used for the query in the format where each header is separated by a : .", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hhhash-tool": { + "description": "HHHash crawling infrastructure or tool used to produce the HHHash value. ", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "python-hhhash", + "c-hhhash", + "go-hhhash", + "r-hhhash", + "lacus", + "Common Crawl", + "other" + ], + "ui-priority": 0 + } + }, + "description": "An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash", + "meta-category": "misc", + "name": "hhhash", + "requiredOneOf": [ + "hhhash" + ], + "uuid": "4dbcde93-a4e0-4bee-913c-0988b5259d14", + "version": 1 +} From e6864eb745b0ec9aea6b3ac176aa93b7e6683bf8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 10 Jul 2023 16:40:22 +0200 Subject: [PATCH 16/43] chg: [hhhash] newline fixed --- objects/hhhash/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/hhhash/definition.json b/objects/hhhash/definition.json index 2f6d976..777b20a 100644 --- a/objects/hhhash/definition.json +++ b/objects/hhhash/definition.json @@ -45,4 +45,4 @@ ], "uuid": "4dbcde93-a4e0-4bee-913c-0988b5259d14", "version": 1 -} +} \ No newline at end of file From 1374b0c7f0a468ab4a47575456159fa3ebdafd75 Mon Sep 17 00:00:00 2001 
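Review bot: The `hhhash-headers` description is hard to parse — "HHHash value before being hash in the format each header is separated by a :." — suggest `"description": "The list of HTTP header names that was hashed to produce the HHHash value, separated by ':'."`. Since the fingerprint depends on the request headers the crawler sends, the `hhhash` description should say that two values are only comparable when produced with the same `hhhash-query-headers`; that is why the crawling parameters are part of this object at all. `hhhash-tool`'s description also carries a trailing space inside the string.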
From: Steph S Date: Mon, 10 Jul 2023 15:22:27 -0400 Subject: [PATCH 17/43] Added AbuseIPDB object template for the AbuseIPDB expansion module --- objects/abuseipdb/definition.json | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 objects/abuseipdb/definition.json diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json new file mode 100644 index 0000000..da5030e --- /dev/null +++ b/objects/abuseipdb/definition.json @@ -0,0 +1,29 @@ +{ + "attributes": { + "abuse-confidence-score": { + "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", + "misp-attribute": "counter", + "ui-priority": 0 + }, + "is-public": { + "description": "If an IP is public", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "is-tor": { + "description": "If Tor (The Onion Router) was used", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "is-whitelisted": { + "description": "If an IP is spotted in any of AbuseIPDB's whitelists", + "misp-attribute": "boolean", + "ui-priority": 0 + } + }, + "description": "AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist", + "meta-category": "network", + "name": "abuseipdb", + "uuid": "cccdaaf6-c140-461c-8d1c-aa79bbd029e0", + "version": 1 +} \ No newline at end of file From 59d2a301b9fbcb81a34e346c0d9f7961cb2a95ad Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Tue, 11 Jul 2023 16:54:11 +0200 Subject: [PATCH 18/43] new: add basic SigMF templates --- .../sigmf-expanded-recording/definition.json | 136 ++++++++++++++++++ objects/sigmf-recording/definition.json | 25 ++++ 2 files changed, 161 insertions(+) create mode 100644 objects/sigmf-expanded-recording/definition.json create mode 100644 objects/sigmf-recording/definition.json diff --git a/objects/sigmf-expanded-recording/definition.json b/objects/sigmf-expanded-recording/definition.json new file mode 100644 index 0000000..a9dbdae --- /dev/null 
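Review bot: The template declares no `required` or `requiredOneOf`, so an `abuseipdb` object with no attributes at all validates; `"requiredOneOf": ["abuse-confidence-score"]` would anchor it on the field every lookup returns. Nothing in the object records which IP (or domain/subnet, which the object description mentions) was queried or when, so the verdict cannot be re-evaluated later without the referencing attribute — consider an IP attribute or a lookup timestamp. The `is-tor` description "If Tor (The Onion Router) was used" is ambiguous; if this maps to AbuseIPDB's Tor flag it means "whether the IP is a known Tor exit node", which reads very differently to an analyst.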
+++ b/objects/sigmf-expanded-recording/definition.json 
@@ -0,0 +1,136 @@ +{ + "attributes": { + "iq-sample": { + "description": "Binary file of IQ samples", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "datatype": { + "description": "", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "sample_rate": { + "description": "The sample rate of the signal in samples per second.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "version": { + "description": "The version of the SigMF specification used to create the Metadata file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "num_channels": { + "description": "Total number of interleaved channels in the Dataset file. If omitted, this defaults to one.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "sha512": { + "description": "The SHA512 hash of the Dataset file associated with the SigMF file.", + "disable_correlation": true, + "misp-attribute": "sha512", + "ui-priority": 0 + }, + "offset": { + "description": "The index number of the first sample in the Dataset. If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. 
All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "description": { + "description": "A text description of the SigMF Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "author": { + "description": "A text identifier for the author potentially including name, handle, email, and/or other ID like Amateur Call Sign.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "meta_doi": { + "description": "The registered DOI (ISO 26324) for a Recording's Metadata file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "data_doi": { + "description": "The registered DOI (ISO 26324) for a Recording's Dataset file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "recorder": { + "description": "The name of the software used to make this SigMF Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "license": { + "description": "A URL for the license document under which the Recording is offered.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hw": { + "description": "A text description of the hardware used to make the Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "dataset": { + "description": "The full filename of the Dataset file this Metadata file describes.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "trailing_bytes": { + "description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "metadata_only": { + "description": "Indicates the Metadata 
file is intentionally distributed without the Dataset.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "geolocation_lat": { + "description": "The location of the Recording system (latitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geolocation_long": { + "description": "The location of the Recording system (longitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geolocation_alt": { + "description": "The location of the Recording system (altitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "collection": { + "description": "The base filename of a collection with which this Recording is associated.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-expanded-recording", + "uuid": "f1c2c4e1-d3bf-46b1-b34d-f5e9544a4795", + "version": 1 +} \ No newline at end of file diff --git a/objects/sigmf-recording/definition.json b/objects/sigmf-recording/definition.json new file mode 100644 index 0000000..afe313e --- /dev/null +++ b/objects/sigmf-recording/definition.json 
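Review bot: `datatype` has an empty description (`"description": ""`), leaving the field that defines how the samples are encoded undocumented; something like `"description": "The SigMF datatype of the samples stored in the Dataset file."` is enough. `license` is described as "A URL for the license document" but typed `text`; `"misp-attribute": "url"` would validate it as such. `sha512` carries `disable_correlation: true` like every other attribute here, yet the dataset hash is the one value that would legitimately link the same recording across events, so that default deserves a deliberate decision rather than the blanket setting.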
@@ -0,0 +1,25 @@ +{ + "attributes": { + "SigMF-meta": { + "description": "Metadata file in SigMF format (.sigmf-meta)", + "disable_correlation": true, + "misp-attribute": "attachment", + "ui-priority": 0 + }, + "SigMF-data": { + "description": "Binary file of IQ or RF samples (.sigmf-data)", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 1 + } + }, + "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-recording", + "required": [ + "SigMF-meta" + ], + "uuid": "0ca64648-38ca-4e48-99ce-2e655cdac02c", + "version": 1 +} \ No newline at end of file From ba6bad723b1b124ed65aaca166a1a26fb01de6fa Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Tue, 11 Jul 2023 17:04:18 +0200 Subject: [PATCH 19/43] fix: jq all the things --- .../sigmf-expanded-recording/definition.json | 266 +++++++++--------- objects/sigmf-recording/definition.json | 44 +-- 2 files changed, 155 insertions(+), 155 deletions(-) diff --git a/objects/sigmf-expanded-recording/definition.json b/objects/sigmf-expanded-recording/definition.json index a9dbdae..ae50d7c 100644 --- a/objects/sigmf-expanded-recording/definition.json +++ b/objects/sigmf-expanded-recording/definition.json 
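Review bot: Both SigMF templates share the identical `description` ("An object representing a single IQ/RF sample ..."), so they are indistinguishable in the template picker, and a recording is not a single sample; suggest `"description": "A SigMF recording, carried as its .sigmf-meta metadata file and the associated .sigmf-data sample file(s)."`. `SigMF-data` is `multiple: true` while exactly one `SigMF-meta` is required, yet the expanded template's `dataset` attribute describes the metadata file as naming a single Dataset file; if several data files per metadata file are intended, the `SigMF-data` description should say so.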
@@ -1,136 +1,136 @@ { - "attributes": { - "iq-sample": { - "description": "Binary file of IQ samples", - "disable_correlation": true, - "misp-attribute": "attachment", - "multiple": true, - "ui-priority": 0 - }, - "datatype": { - "description": "", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "sample_rate": { - "description": "The sample rate of the signal in samples per second.", - "disable_correlation": true, - "misp-attribute": "float", - "ui-priority": 0 - }, - "version": { - "description": "The version of the SigMF specification used to create the Metadata file.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "num_channels": { - "description": "Total number of interleaved channels in the Dataset file. If omitted, this defaults to one.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 0 - }, - "sha512": { - "description": "The SHA512 hash of the Dataset file associated with the SigMF file.", - "disable_correlation": true, - "misp-attribute": "sha512", - "ui-priority": 0 - }, - "offset": { - "description": "The index number of the first sample in the Dataset. If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. 
All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 0 - }, - "description": { - "description": "A text description of the SigMF Recording.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "author": { - "description": "A text identifier for the author potentially including name, handle, email, and/or other ID like Amateur Call Sign.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "meta_doi": { - "description": "The registered DOI (ISO 26324) for a Recording's Metadata file.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "data_doi": { - "description": "The registered DOI (ISO 26324) for a Recording's Dataset file.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "recorder": { - "description": "The name of the software used to make this SigMF Recording.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "license": { - "description": "A URL for the license document under which the Recording is offered.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "hw": { - "description": "A text description of the hardware used to make the Recording.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "dataset": { - "description": "The full filename of the Dataset file this Metadata file describes.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "trailing_bytes": { - "description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.", - "disable_correlation": true, - "misp-attribute": "counter", - "ui-priority": 0 - }, - "metadata_only": { - "description": "Indicates the Metadata 
file is intentionally distributed without the Dataset.", - "disable_correlation": true, - "misp-attribute": "boolean", - "ui-priority": 0 - }, - "geolocation_lat": { - "description": "The location of the Recording system (latitude).", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "geolocation_long": { - "description": "The location of the Recording system (longitude).", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "geolocation_alt": { - "description": "The location of the Recording system (altitude).", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "collection": { - "description": "The base filename of a collection with which this Recording is associated.", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - } + "attributes": { + "author": { + "description": "A text identifier for the author potentially including name, handle, email, and/or other ID like Amateur Call Sign.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 }, - "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", - "meta-category": "misc", - "name": "sigmf-expanded-recording", - "uuid": "f1c2c4e1-d3bf-46b1-b34d-f5e9544a4795", - "version": 1 + "collection": { + "description": "The base filename of a collection with which this Recording is associated.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "data_doi": { + "description": "The registered DOI (ISO 26324) for a Recording's Dataset file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "dataset": { + "description": "The full filename of the Dataset file this Metadata file describes.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "datatype": { + "description": "", + "disable_correlation": true, + 
"misp-attribute": "text", + "ui-priority": 0 + }, + "description": { + "description": "A text description of the SigMF Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geolocation_alt": { + "description": "The location of the Recording system (altitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geolocation_lat": { + "description": "The location of the Recording system (latitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geolocation_long": { + "description": "The location of the Recording system (longitude).", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "hw": { + "description": "A text description of the hardware used to make the Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "iq-sample": { + "description": "Binary file of IQ samples", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "license": { + "description": "A URL for the license document under which the Recording is offered.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "meta_doi": { + "description": "The registered DOI (ISO 26324) for a Recording's Metadata file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "metadata_only": { + "description": "Indicates the Metadata file is intentionally distributed without the Dataset.", + "disable_correlation": true, + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "num_channels": { + "description": "Total number of interleaved channels in the Dataset file. If omitted, this defaults to one.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "offset": { + "description": "The index number of the first sample in the Dataset. 
If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "recorder": { + "description": "The name of the software used to make this SigMF Recording.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "sample_rate": { + "description": "The sample rate of the signal in samples per second.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, + "sha512": { + "description": "The SHA512 hash of the Dataset file associated with the SigMF file.", + "disable_correlation": true, + "misp-attribute": "sha512", + "ui-priority": 0 + }, + "trailing_bytes": { + "description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, + "version": { + "description": "The version of the SigMF specification used to create the Metadata file.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-expanded-recording", + "uuid": "f1c2c4e1-d3bf-46b1-b34d-f5e9544a4795", + "version": 1 } \ No newline at end of file diff --git a/objects/sigmf-recording/definition.json b/objects/sigmf-recording/definition.json index afe313e..af68a0b 100644 --- a/objects/sigmf-recording/definition.json +++ b/objects/sigmf-recording/definition.json 
@@ -1,25 +1,25 @@ { - "attributes": { - "SigMF-meta": { - "description": "Metadata file in SigMF format (.sigmf-meta)", - "disable_correlation": true, - "misp-attribute": "attachment", - "ui-priority": 0 - }, - "SigMF-data": { - "description": "Binary file of IQ or RF samples (.sigmf-data)", - "disable_correlation": true, - "misp-attribute": "attachment", - "multiple": true, - "ui-priority": 1 - } + "attributes": { + "SigMF-data": { + "description": "Binary file of IQ or RF samples (.sigmf-data)", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 1 }, - "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", - "meta-category": "misc", - "name": "sigmf-recording", - "required": [ - "SigMF-meta" - ], - "uuid": "0ca64648-38ca-4e48-99ce-2e655cdac02c", - "version": 1 + "SigMF-meta": { + "description": "Metadata file in SigMF format (.sigmf-meta)", + "disable_correlation": true, + "misp-attribute": "attachment", + "ui-priority": 0 + } + }, + "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-recording", + "required": [ + "SigMF-meta" + ], + "uuid": "0ca64648-38ca-4e48-99ce-2e655cdac02c", + "version": 1 } \ No newline at end of file From 316a4b07d1ba49be3c52043f7e59e4f0c7d89152 Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Wed, 12 Jul 2023 15:33:23 +0200 Subject: [PATCH 20/43] new: add fft and waterfall attributes --- objects/sigmf-expanded-recording/definition.json | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/objects/sigmf-expanded-recording/definition.json b/objects/sigmf-expanded-recording/definition.json index ae50d7c..d852864 100644 --- a/objects/sigmf-expanded-recording/definition.json +++ b/objects/sigmf-expanded-recording/definition.json 
@@ -36,6 +36,13 @@ "misp-attribute": "text", "ui-priority": 0 }, + "fft-plot": { + "description": "FFT plot of the signal", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, "geolocation_alt": { "description": "The location of the Recording system (altitude).", "disable_correlation": true, @@ -126,6 +133,13 @@ "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 + }, + "waterfall-plot": { + "description": "Waterfall plot of the signal", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 } }, "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", From c7bade5c8b88ce6705704851dedc5185db8be7d9 Mon Sep 17 00:00:00 2001 From: Steph S Date: Thu, 13 Jul 2023 09:25:26 -0400 Subject: [PATCH 21/43] Added a is-malicious attribute for abuseipdb and added a google-safe-browsing object for the google-safe-browsing expansion module --- objects/abuseipdb/definition.json | 5 ++++ objects/google-safe-browsing/definition.json | 24 ++++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 objects/google-safe-browsing/definition.json diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json index da5030e..d46536e 100644 --- a/objects/abuseipdb/definition.json +++ b/objects/abuseipdb/definition.json @@ -1,5 +1,10 @@ { "attributes": { + "is-malicious": { + "description": "If the IP is malicious based on the abuse-confidence-score and threshold", + "misp-attribute": "boolean", + "ui-priority": 0 + }, "abuse-confidence-score": { "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", "misp-attribute": "counter", diff --git a/objects/google-safe-browsing/definition.json b/objects/google-safe-browsing/definition.json new file mode 100644 index 0000000..2c39a38 --- /dev/null 
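Review bot: The `is-malicious` attribute is added to an already published template (abuseipdb, index da5030e) but the object's `"version"` is left untouched, so MISP instances holding the current version will not pick up the new attribute; the diffstat (5 insertions, 0 deletions) confirms no version line changed. Bump the template version together with the new attribute, as the ja3s change later in this series does (`"version": 4` → `"version": 5`). The description also refers to a "threshold" that is not an attribute of this template; say where it comes from (presumably the abuseipdb expansion module's configured threshold — confirm), e.g. `"description": "Whether the IP is considered malicious, i.e. its abuse-confidence-score meets the threshold configured in the expansion module"`.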
+++ b/objects/google-safe-browsing/definition.json @@ -0,0 +1,24 @@ +{ + "attributes": { + "malicious": { + "description": "If the URL comes back as malicious", + "misp-attribute": "boolean", + "ui-priority": 0 + }, + "platforms": { + "description": "The platform identified (windows, linux, etc...)", + "misp-attribute": "text", + "ui-priority": 0 + }, + "threats": { + "description": "The threat type related to that URL (malware, social engineering, etc...)", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Google Safe checks a URL against Google's constantly updated list of unsafe web resources.", + "meta-category": "network", + "name": "google-safe-browsing", + "uuid": "1f8af312-dfbb-4572-b894-dabe7c8798d8", + "version": 1 +} \ No newline at end of file From 32e21c880653b33c3be6beabc1f6affc99802c94 Mon Sep 17 00:00:00 2001 From: Steph S Date: Thu, 13 Jul 2023 09:48:12 -0400 Subject: [PATCH 22/43] Fixed json formatting --- objects/abuseipdb/definition.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json index d46536e..6f1b309 100644 --- a/objects/abuseipdb/definition.json +++ b/objects/abuseipdb/definition.json @@ -1,15 +1,15 @@ { "attributes": { - "is-malicious": { - "description": "If the IP is malicious based on the abuse-confidence-score and threshold", - "misp-attribute": "boolean", - "ui-priority": 0 - }, "abuse-confidence-score": { "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious", "misp-attribute": "counter", "ui-priority": 0 }, + "is-malicious": { + "description": "If the IP is malicious based on the abuse-confidence-score and threshold", + "misp-attribute": "boolean", + "ui-priority": 0 + }, "is-public": { "description": "If an IP is public", "misp-attribute": "boolean", From ab1f97b881c8d3f0035fe93586053860cc12a33a Mon Sep 17 00:00:00 2001 
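Review bot: `platforms` and `threats` are plural and their descriptions enumerate lists ("windows, linux, etc...", "malware, social engineering, etc..."), yet both are declared as single text attributes; add `"multiple": true,` to each so one value per platform/threat type can be recorded instead of a comma-joined string. These values come from a small fixed vocabulary, so leaving correlation enabled will link every event that shares e.g. "malware" — add `"disable_correlation": true,` to both, as the sigmf templates in this series do for their descriptive text attributes. The object description drops a word: `"description": "Google Safe Browsing checks a URL against Google's constantly updated list of unsafe web resources."`. The template declares neither `required` nor `requiredOneOf`; `"required": ["malicious"]` would rule out an empty object.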
From: 417190e5c48babc7 <417190e5c48babc7@proton.me> Date: Thu, 20 Jul 2023 10:24:42 +0300 Subject: [PATCH 23/43] chg: [ja3s] Add domain and hostname attributes --- objects/ja3s/definition.json | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/objects/ja3s/definition.json b/objects/ja3s/definition.json index e37b883..11c7654 100644 --- a/objects/ja3s/definition.json +++ b/objects/ja3s/definition.json @@ -5,12 +5,22 @@ "misp-attribute": "text", "ui-priority": 1 }, + "domain": { + "description": "Destination domain", + "misp-attribute": "domain", + "ui-priority": 1 + }, "first-seen": { "description": "First seen of the SSL/TLS handshake", "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, + "hostname": { + "description": "Destination hostname", + "misp-attribute": "hostname", + "ui-priority": 1 + }, "ip-dst": { "description": "Destination IP address", "misp-attribute": "ip-dst", @@ -46,5 +56,5 @@ "ja3s-fingerprint-md5" ], "uuid": "7f377f66-d128-4b97-897f-592d06ba2ff7", - "version": 4 + "version": 5 } \ No newline at end of file From 5c830087a095337d4b408836031b1f1ac4aebdcc Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 25 Jul 2023 15:24:39 +0200 Subject: [PATCH 24/43] add: [malware-analysis] New object template to describe a static or dynamic analysis performed on a malware instance or family --- objects/malware-analysis/definition.json | 79 ++++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 objects/malware-analysis/definition.json diff --git a/objects/malware-analysis/definition.json b/objects/malware-analysis/definition.json new file mode 100644 index 0000000..1d158ce --- /dev/null +++ b/objects/malware-analysis/definition.json 
@@ -0,0 +1,79 @@ +{ + "attributes": { + "analysis_definition_version": { + "description": "The version of the analysis definitions used by the analysis tool.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "analysis_engine_version": { + "description": "The version of the analysis engine or product that was used to perform the analysis.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "configuration_version": { + "description": "The named configuration of additional product configuration parameters for this analysis run.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "end_time": { + "description": "The date and time that the malware analysis ended.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "module": { + "description": "The specific analysis module that was used and configured in the product during this analysis run.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "product": { + "description": "The name of the analysis engine or product that was used.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "result": { + "description": "The classification result as determined by the scanner or tool analysis process.", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "benign", + "malicious", + "suspicious", + "unknown" + ], + "ui-priority": 0 + }, + "result_name": { + "description": "The classification result or name assigned to the malware instance by the scanner tool.", + "misp-attribute": "text", + "ui-priority": 0 + }, + "start_time": { + "description": "The date and time that the malware analysis was initiated.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "submitted_time": { + "description": "The date and time that the malware was first submitted for scanning or analysis.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "version": { + 
"description": "The version of the analysis product that was used to perform the analysis.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.", + "meta-category": "misc", + "name": "malware-analysis", + "required": [ + "product" + ], + "uuid": "8229ee82-7218-4ff5-9eac-57961a6f0288", + "version": 1 +} \ No newline at end of file From 9486bbbab1884c37a800377a8673959c1c7de11c Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 25 Jul 2023 16:30:00 +0200 Subject: [PATCH 25/43] add: [malware] New object template to describe a malware --- objects/malware/definition.json | 168 ++++++++++++++++++++++++++++++++ 1 file changed, 168 insertions(+) create mode 100644 objects/malware/definition.json diff --git a/objects/malware/definition.json b/objects/malware/definition.json new file mode 100644 index 0000000..89162d0 --- /dev/null +++ b/objects/malware/definition.json 
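Review bot: `end_time`, `start_time` and `submitted_time` are correlating `datetime` attributes, whereas the other templates in this series (ja3s `first-seen`, malware-config `first-seen`) set `"disable_correlation": true` on datetimes; analyses that happen to share a timestamp correlate by coincidence, not by relation. Add `"disable_correlation": true,` to each of the three; the same applies to `first_seen`/`last_seen` of the malware template introduced in the following patch. `result_name` (the scanner's classification label) is left correlating while `result` is not — a generic label shared by many unrelated samples will create noisy links, so consider disabling correlation there too or documenting why the label should correlate. `analysis_engine_version` and `version` carry near-identical descriptions; make the distinction explicit, e.g. `"description": "The version of the analysis product (as opposed to its analysis engine) that was used to perform the analysis."`.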
@@ -0,0 +1,168 @@ +{ + "attributes": { + "alias": { + "description": "Alternative name used to identify this malware or malware family.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "architecture_execution_env": { + "description": "The processor architecture that the malware instance or family is executable on.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "alpha", + "arm", + "ia-64", + "mips", + "powerpc", + "sparc", + "x86", + "x86-64" + ], + "ui-priority": 0 + }, + "capability": { + "description": "Any of the capabilities identified for the malware instance or family.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "accesses-remote-machines", + "anti-debugging", + "anti-disassembly", + "anti-emulation", + "anti-memory-forensics", + "anti-sandbox", + "anti-vm", + "captures-input-peripherals", + "captures-output-peripherals", + "captures-system-state-data", + "cleans-traces-of-infection", + "commits-fraud", + "communicates-with-c2", + "compromises-data-availability", + "compromises-data-integrity", + "compromises-system-availability", + "controls-local-machine", + "degrades-security-software", + "degrades-system-updates", + "determines-c2-server", + "emails-spam", + "escalates-privileges", + "evades-av", + "exfiltrates-data", + "fingerprints-host", + "hides-artifacts", + "hides-executing-code", + "infects-files", + "infects-remote-machines", + "installs-other-components", + "persists-after-system-reboot", + "prevents-artifact-access", + "prevents-artifact-deletion", + "probes-network-environment", + "self-modifies", + "steals-authentication-credentials", + "violates-system-operational-integrity" + ], + "ui-priority": 0 + }, + "description": { + "description": "A description that provides more details and context about the malware instance or family, potentially including its purpose and its key characteristics.", + 
"misp-attribute": "text", + "ui-priority": 0 + }, + "first_seen": { + "description": "The time that the malware instance or family was first seen.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "implementation_language": { + "description": "The programming language used to implement the malware instance or family.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "applescript", + "bash", + "c", + "c++", + "c#", + "go", + "java", + "javascript", + "lua", + "objective-c", + "perl", + "php", + "powershell", + "python", + "ruby", + "scala", + "swift", + "typescript", + "visual-basic", + "x86-32", + "x86-64" + ], + "ui-priority": 0 + }, + "is_family": { + "description": "Defines whether the object represents a malware family or a malware instance.", + "disable_correlation": true, + "misp-attribute": "bool", + "ui-priority": 1 + }, + "last_seen": { + "description": "The time that the malware family or malware instance was last seen.", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "malware_type": { + "description": "A set of categorizations for the malware being described.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "adware", + "backdoor", + "bot", + "bootkit", + "ddos", + "downloader", + "dropper", + "exploit-kit", + "keylogger", + "ransomware", + "remote-access-trojan", + "resource-exploitation", + "rogue-security-software", + "rootkit", + "screen-capture", + "spyware", + "trojan", + "unknown", + "virus", + "webshell", + "wiper", + "worm" + ], + "ui-priority": 0 + }, + "name": { + "description": "A name used to identify the malware instance or family. For a malware family the name MUST be defined. 
If a name for a malware instance is not available, the SHA-256 hash value or sample's filename MAY be used instead.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "Malware is a type of TTP that represents malicious code.", + "meta-category": "misc", + "name": "malware", + "required": [ + "is_family" + ], + "uuid": "e5ad1d64-4b4e-44f5-9e00-88a705a67f9d", + "version": 1 +} \ No newline at end of file From 22477f7bc6b27ee435b3dcecbf382776fda8c8d9 Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Fri, 28 Jul 2023 15:09:25 -0400 Subject: [PATCH 26/43] Added internet scanning tools to scan-result --- objects/scan-result/definition.json | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index af7fdff..0eb0a38 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json @@ -18,6 +18,7 @@ "misp-attribute": "attachment", "ui-priority": 1 }, + "scan-result-format": { "description": "Format used for the scan-result.", "misp-attribute": "text", @@ -54,6 +55,7 @@ "AuditJS Scan", "Azure Security Center Recommendations Scan", "Bandit Scan", + "BinaryEdge", "BlackDuck API", "Blackduck Component Risk", "Blackduck Hub Scan", @@ -66,6 +68,7 @@ "Burp REST API", "Burp Scan", "CargoAudit Scan", + "Censys", "Checkmarx OSA", "Checkmarx Scan", "Checkmarx Scan detailed", @@ -133,6 +136,7 @@ "Nmap Scan", "Node Security Platform Scan", "Nuclei Scan", + "ONYPHE", "ORT evaluated model Importer", "OpenVAS CSV", "Openscap Vulnerability Scan", @@ -156,6 +160,7 @@ "Scantist Scan", "Scout Suite Scan", "Semgrep JSON Report", + "Shodan", "Snyk Scan", "Solar Appscreener Scan", "SonarQube API Import", 
@@ -191,12 +196,18 @@ "Xanitizer Scan", "Yarn Audit Scan", "ZAP Scan", + "ZoomEye", "docker-bench-security Scan", "kube-bench Scan", "pip-audit Scan" ], "ui-priority": 0 }, + "scan-result-query": { + "description": "Query or parameters provided to scan-result-tool to generate the scan-result.", + "misp-attribute": "text", + "ui-priority": 1 + }, "scan-start": { "description": "Start of scanning activity", "disable_correlation": true, @@ -225,4 +236,4 @@ ], "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4", "version": 2 -} \ No newline at end of file +} From 5e201f4e0dcca7323892f6d9e44a0ffad32050a5 Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Fri, 28 Jul 2023 15:15:17 -0400 Subject: [PATCH 27/43] removed line break --- objects/scan-result/definition.json | 1 - 1 file changed, 1 deletion(-) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index 0eb0a38..b9e5488 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json @@ -18,7 +18,6 @@ "misp-attribute": "attachment", "ui-priority": 1 }, - "scan-result-format": { "description": "Format used for the scan-result.", "misp-attribute": "text", From 17f71b39bd8b1306afc9139acc62815911533438 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 28 Jul 2023 22:25:37 +0200 Subject: [PATCH 28/43] chg: [scan-results] jq all the things --- objects/scan-result/definition.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index b9e5488..eeda424 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json @@ -32,6 +32,11 @@ "Unknown" ] }, + "scan-result-query": { + "description": "Query or parameters provided to scan-result-tool to generate the scan-result.", + "misp-attribute": "text", + "ui-priority": 1 + }, "scan-result-tool": { "description": "Tool used which generated the scan-result.", "disable_correlation": true, 
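Review bot: In the `@@ -191,12 +196,18 @@` hunk the new `scan-result-query` attribute correlates by default while its sibling `scan-result-tool` is declared with `"disable_correlation": true`; a search expression such as a port or product filter is reused across many unrelated events, so correlation on it is likely to be noise — consider adding `"disable_correlation": true,` here as well, or state why queries should correlate. The description could also make clear what belongs in this field, e.g. `"description": "Query or parameters provided to scan-result-tool to generate the scan-result (the search expression only, not authentication parameters)."`, since full request URLs to these services routinely carry API credentials.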
@@ -202,11 +207,6 @@ ], "ui-priority": 0 }, - "scan-result-query": { - "description": "Query or parameters provided to scan-result-tool to generate the scan-result.", - "misp-attribute": "text", - "ui-priority": 1 - }, "scan-start": { "description": "Start of scanning activity", "disable_correlation": true, @@ -235,4 +235,4 @@ ], "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4", "version": 2 -} +} \ No newline at end of file From fb0ffd5d4b0a16f89b4a6293ad559ac2d75f1256 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 31 Jul 2023 11:17:23 +0200 Subject: [PATCH 29/43] chg: [malware-config] to add attachment and description of the malware config --- objects/malware-config/definition.json | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/objects/malware-config/definition.json b/objects/malware-config/definition.json index e8ec946..06072f3 100644 --- a/objects/malware-config/definition.json +++ b/objects/malware-config/definition.json @@ -5,11 +5,21 @@ "misp-attribute": "text", "ui-priority": 1 }, + "description": { + "description": "Description of the malware configuration", + "misp-attribite": "text", + "ui-priority": 1 + }, "encrypted": { "description": "Encrypted or encoded text of the malware configuration in base64.", "misp-attribute": "text", "ui-priority": 1 }, + "file-config": { + "description": "File configuration as an attachment", + "misp-attribute": "attachment", + "ui-priority": 1 + }, "first-seen": { "description": "When the malware configuration has been seen for the first time.", "disable_correlation": true, @@ -44,8 +54,9 @@ "meta-category": "file", "name": "malware-config", "requiredOneOf": [ - "config" + "config", + "file-config" ], "uuid": "8200b79b-1d8c-49a8-9a63-7710e613c059", - "version": 1 + "version": 2 } \ No newline at end of file From 4da05293d723ad6f9db4a3e349e140daa5d2a28d Mon Sep 17 00:00:00 2001 
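Review bot: In the `@@ -5,11 +5,21 @@` hunk the new `description` attribute is free text and `file-config` is an attachment, and both are left correlating, whereas comparable attributes elsewhere in this series set `"disable_correlation": true` (the sigmf `description` and attachment attributes, the email `email-body-attachment`). Free text and binary attachments rarely correlate meaningfully and produce spurious links between events; add `"disable_correlation": true,` to both new attributes.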
From: Alexandre Dulaunoy Date: Mon, 31 Jul 2023 11:21:29 +0200 Subject: [PATCH 30/43] fix: [malware-config] typo fixed --- objects/malware-config/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/malware-config/definition.json b/objects/malware-config/definition.json index 06072f3..a69b168 100644 --- a/objects/malware-config/definition.json +++ b/objects/malware-config/definition.json @@ -7,7 +7,7 @@ }, "description": { "description": "Description of the malware configuration", - "misp-attribite": "text", + "misp-attribute": "text", "ui-priority": 1 }, "encrypted": { From 56941c6e937442938edc3194e5b2ba6c36159cf6 Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Tue, 1 Aug 2023 16:33:23 -0400 Subject: [PATCH 31/43] Removed the scan-result field requirement in the scan-result object --- objects/scan-result/definition.json | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index eeda424..1ddcf6a 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json @@ -230,9 +230,6 @@ "description": "Scan result object to add meta-data and the output of the scan result by itself.", "meta-category": "network", "name": "scan-result", - "required": [ - "scan-result" - ], "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4", "version": 2 -} \ No newline at end of file +} From 0515870942d60e4a97561271a15635946ec4a7eb Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Wed, 2 Aug 2023 15:35:12 -0400 Subject: [PATCH 32/43] Added requiredOneOf to scan-result object definition --- objects/scan-result/definition.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index 1ddcf6a..d92e92f 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json 
@@ -230,6 +230,10 @@ "description": "Scan result object to add meta-data and the output of the scan result by itself.", "meta-category": "network", "name": "scan-result", + "requiredOneOf": [ + "scan-result", + "scan-result-query", + ], "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4", "version": 2 } From ac201f475ae90ff929c3c51843006336e8983303 Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Thu, 3 Aug 2023 08:07:33 +0200 Subject: [PATCH 33/43] new: sigmf archive object --- objects/sigmf-archive/definition.json | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 objects/sigmf-archive/definition.json diff --git a/objects/sigmf-archive/definition.json b/objects/sigmf-archive/definition.json new file mode 100644 index 0000000..b846ba5 --- /dev/null +++ b/objects/sigmf-archive/definition.json @@ -0,0 +1,18 @@ +{ + "attributes": { + "SigMF-archive": { + "description": "tar archive (.sigmf)", + "disable_correlation": true, + "misp-attribute": "attachment", + "ui-priority": 1 + } + }, + "description": "An object representing an archive containing one or multiple recordings in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-archive", + "required": [ + "SigMF-archive" + ], + "uuid": "5985d34d-3657-4828-9788-470175bcc3b1", + "version": 1 + } \ No newline at end of file From 17a68d93aefe0eb13c54ce5d7f95046aea5650e3 Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Thu, 3 Aug 2023 08:07:47 +0200 Subject: [PATCH 34/43] fix: minor fixes --- objects/sigmf-expanded-recording/definition.json | 3 --- objects/sigmf-recording/definition.json | 3 +-- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/objects/sigmf-expanded-recording/definition.json b/objects/sigmf-expanded-recording/definition.json index d852864..e4254e5 100644 --- a/objects/sigmf-expanded-recording/definition.json +++ b/objects/sigmf-expanded-recording/definition.json 
@@ -40,7 +40,6 @@ "description": "FFT plot of the signal", "disable_correlation": true, "misp-attribute": "attachment", - "multiple": true, "ui-priority": 0 }, "geolocation_alt": { @@ -71,7 +70,6 @@ "description": "Binary file of IQ samples", "disable_correlation": true, "misp-attribute": "attachment", - "multiple": true, "ui-priority": 0 }, "license": { @@ -138,7 +136,6 @@ "description": "Waterfall plot of the signal", "disable_correlation": true, "misp-attribute": "attachment", - "multiple": true, "ui-priority": 0 } }, diff --git a/objects/sigmf-recording/definition.json b/objects/sigmf-recording/definition.json index af68a0b..1bc98d8 100644 --- a/objects/sigmf-recording/definition.json +++ b/objects/sigmf-recording/definition.json @@ -4,7 +4,6 @@ "description": "Binary file of IQ or RF samples (.sigmf-data)", "disable_correlation": true, "misp-attribute": "attachment", - "multiple": true, "ui-priority": 1 }, "SigMF-meta": { @@ -14,7 +13,7 @@ "ui-priority": 0 } }, - "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", + "description": "An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF)", "meta-category": "misc", "name": "sigmf-recording", "required": [ From 21b06c2f48dc091381bb813160fa257718f0cc51 Mon Sep 17 00:00:00 2001 From: Luciano Righetti Date: Thu, 3 Aug 2023 09:30:58 +0200 Subject: [PATCH 35/43] fix: jq all the things --- objects/sigmf-archive/definition.json | 34 +++++++++++++-------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/objects/sigmf-archive/definition.json b/objects/sigmf-archive/definition.json index b846ba5..d5c3d3e 100644 --- a/objects/sigmf-archive/definition.json +++ b/objects/sigmf-archive/definition.json 
@@ -1,18 +1,18 @@ { - "attributes": { - "SigMF-archive": { - "description": "tar archive (.sigmf)", - "disable_correlation": true, - "misp-attribute": "attachment", - "ui-priority": 1 - } - }, - "description": "An object representing an archive containing one or multiple recordings in the Signal Metadata Format Specification (SigMF)", - "meta-category": "misc", - "name": "sigmf-archive", - "required": [ - "SigMF-archive" - ], - "uuid": "5985d34d-3657-4828-9788-470175bcc3b1", - "version": 1 - } \ No newline at end of file + "attributes": { + "SigMF-archive": { + "description": "tar archive (.sigmf)", + "disable_correlation": true, + "misp-attribute": "attachment", + "ui-priority": 1 + } + }, + "description": "An object representing an archive containing one or multiple recordings in the Signal Metadata Format Specification (SigMF)", + "meta-category": "misc", + "name": "sigmf-archive", + "required": [ + "SigMF-archive" + ], + "uuid": "5985d34d-3657-4828-9788-470175bcc3b1", + "version": 1 +} \ No newline at end of file From 3d81ef381cc10ba4aa73d2137a460b37a21bad6d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 3 Aug 2023 10:47:45 +0200 Subject: [PATCH 36/43] fix: [scan-results] JSON and trailing comma ;-) --- objects/scan-result/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/scan-result/definition.json b/objects/scan-result/definition.json index d92e92f..da00cd8 100644 --- a/objects/scan-result/definition.json +++ b/objects/scan-result/definition.json @@ -232,8 +232,8 @@ "name": "scan-result", "requiredOneOf": [ "scan-result", - "scan-result-query", + "scan-result-query" ], "uuid": "ebe2a359-8f5b-4a45-8106-d1678935b4c4", - "version": 2 -} + "version": 3 +} \ No newline at end of file From 0037856e60bcf9196eb9b056a10080957c855526 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Mon, 7 Aug 2023 14:36:24 +0200 Subject: [PATCH 37/43] new: [x-header] new generic X header object for SMTP, HTTP and others --- objects/x-header/definition.json | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 objects/x-header/definition.json diff --git a/objects/x-header/definition.json b/objects/x-header/definition.json new file mode 100644 index 0000000..bdc063c --- /dev/null +++ b/objects/x-header/definition.json @@ -0,0 +1,24 @@ +{ + "attributes": { + "x-header-name": { + "description": "X header name is the value of the header key. The name is case sensitive.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "x-value": { + "description": "X value is the value of the specified header name.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "X header generic object for SMTP, HTTP or any other protocols using X headers.", + "meta-category": "network", + "name": "x-header", + "requiredOneOf": [ + "x-header-name", + "x-value" + ], + "uuid": "9a7028df-e238-45e8-893c-8e67d273fb61", + "version": 1 +} \ No newline at end of file From b87cafc35e4fea4b342de708a754c5f272631b00 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 10 Aug 2023 11:39:44 +0200 Subject: [PATCH 38/43] fix: [malware] Fixed `is_family` attribute type --- objects/malware/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/malware/definition.json b/objects/malware/definition.json index 89162d0..69e3f73 100644 --- a/objects/malware/definition.json +++ b/objects/malware/definition.json @@ -112,7 +112,7 @@ "is_family": { "description": "Defines whether the object represents a malware family or a malware instance.", "disable_correlation": true, - "misp-attribute": "bool", + "misp-attribute": "boolean", "ui-priority": 1 }, "last_seen": { From c784a4a6e4f841097bbb89625f49dd0b2fd5b1f2 Mon Sep 17 00:00:00 2001 
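Review bot: The `x-header-name` description states "The name is case sensitive", but header field names are case-insensitive in both HTTP (RFC 9110) and Internet Message Format/SMTP (RFC 5322), the two protocols this template names; drop the claim or invert it, e.g. `"description": "X header name, i.e. the header field name. Field names are case-insensitive in HTTP and e-mail, so compare them case-insensitively."`. The `requiredOneOf` of `x-header-name`/`x-value` admits an object holding only a value with no header name, which cannot be interpreted; `"required": ["x-header-name"]` expresses the intent better, with `x-value` optional for headers that may legitimately be empty. `x-value` correlates while the name does not; many X header values are low-entropy (`"1"`, `"yes"`, a version string), so consider whether correlation on the value alone is wanted and, if not, add `"disable_correlation": true`.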
From: Christian Studer Date: Wed, 16 Aug 2023 22:27:37 +0200 Subject: [PATCH 39/43] add: [readme] Added `malware` and `malware-analysis` to the list of available object templates, with a small description for each --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 437d6b7..f5a90ab 100644 --- a/README.md +++ b/README.md @@ -271,6 +271,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format. - [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format. - [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity. +- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1, +- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1 - [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary. - [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image). - [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall. 
From 9a63309ba43ca2d75aed051669d4e8d1b33af3c1 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 16 Aug 2023 23:25:32 +0200 Subject: [PATCH 40/43] chg: [artifact] Changed the `hashes` attribute into the different hash type attributes - A change to adopt the same logic as file objects regarding the different hash values - In STIX 2.1 an Artifact object is not necessarily linked to a File object and both referenced by an Observed Data object. In some cases Artifact objects are referenced for instance by Malware objects, in which case they describe the actual malware sample. It is then usefull to have the different hash values in single attributes rather than concatenated in a text attribute --- objects/artifact/definition.json | 54 +++++++++++++++++++++++++++----- 1 file changed, 46 insertions(+), 8 deletions(-) diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json index e7c47eb..1fda590 100644 --- a/objects/artifact/definition.json +++ b/objects/artifact/definition.json @@ -10,11 +10,11 @@ "misp-attribute": "text", "ui-priority": 0 }, - "hashes": { - "description": "Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. (should be file with relationships?)", - "misp-attribute": "text", - "multiple": true, - "ui-priority": 0 + "md5": { + "description": "[Insecure] MD5 hash (128 bits)", + "misp-attribute": "md5", + "recommended": false, + "ui-priority": 1 }, "mime_type": { "description": "Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.", 
@@ -27,8 +27,46 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "sha1": {
+ "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)",
+ "misp-attribute": "sha1",
+ "recommended": false,
+ "ui-priority": 1
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "misp-attribute": "sha256",
+ "ui-priority": 1
+ },
+ "sha3-256": {
+ "description": "Secure Hash Algorithm 3 (256 bits)",
+ "misp-attribute": "sha3-256",
+ "recommended": false,
+ "ui-priority": 0
+ },
+ "sha3-512": {
+ "description": "Secure Hash Algorithm 3 (512 bits)",
+ "misp-attribute": "sha3-512",
+ "recommended": false,
+ "ui-priority": 0
+ },
+ "sha512": {
+ "description": "Secure Hash Algorithm 2 (512 bits)",
+ "misp-attribute": "sha512",
+ "ui-priority": 1
+ },
+ "ssdeep": {
+ "description": "Fuzzy hash using context triggered piecewise hashes (CTPH)",
+ "misp-attribute": "ssdeep",
+ "ui-priority": 0
+ },
+ "tlsh": {
+ "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash",
+ "misp-attribute": "tlsh",
+ "ui-priority": 0
+ },
 "url": {
- "description": "The value of this property MUST be a valid URL that resolves to the unencoded content.",
+ "description": "The value of this property MUST be a valid URL that resolves to the unencoded content. When present, at least one hash value MUST be present too.",
 "misp-attribute": "url",
 "ui-priority": 0
 }
@@ -41,5 +41,5 @@
 "url"
 ],
 "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
- "version": 2
-}
\ No newline at end of file
+ "version": 3
+}
From 1ddb03e3422badac48e3b84d3ff224b10ada55bb Mon Sep 17 00:00:00 2001
From: Christian Studer
Date: Thu, 17 Aug 2023 14:49:44 +0200
Subject: [PATCH 41/43] fix: [artifact] Properly JQed the end of file
---
 objects/artifact/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json
index 1fda590..3f19a2d 100644
--- a/objects/artifact/definition.json
+++ b/objects/artifact/definition.json
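Review bot: The sentence added to the `url` description, `When present, at least one hash value MUST be present too.`, states a conditional requirement the template cannot enforce: MISP object templates only express `required` and `requiredOneOf`, so an artifact carrying a `url` and no hash still validates. The list that ends with `"url"` in the following hunk is presumably that `requiredOneOf` list, which means the constraint is only a documented expectation on the producer, and a consumer that relies on a hash being there to verify what the URL resolves to should check for it itself. Suggest making this explicit, e.g. `... at least one hash value MUST be present too (STIX 2.1 requirement, not enforced by this template).`. Separately, `sha256` and `sha512` are the only new hash attributes without `"recommended": false`; this reads as intended, but a word in the commit message would keep it from being taken as an omission.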
@@ -80,4 +80,4 @@
 ],
 "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
 "version": 3
-}
+}
\ No newline at end of file
From d32f9b1add939a6a5c4ff816c8173532fc12b38e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 1 Sep 2023 09:34:08 +0200
Subject: [PATCH 42/43] fix: [virustotal-report] bump version
---
 objects/virustotal-report/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json
index b69e256..dde7714 100644
--- a/objects/virustotal-report/definition.json
+++ b/objects/virustotal-report/definition.json
@@ -63,5 +63,5 @@
 "permalink"
 ],
 "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
From 0edf925a59ef0c0b940afee0da0fc1f7a1a7eccf Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 11 Sep 2023 11:28:39 +0200
Subject: [PATCH 43/43] chg: [email] email-body-attachment added
---
 objects/email/definition.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 90ed2a5..3fc0fc4 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -57,6 +57,12 @@
 "multiple": true,
 "ui-priority": 1
 },
+ "email-body-attachment": {
+ "description": "Body of the email as an attachment",
+ "disable_correlation": true,
+ "misp-attribute": "attachment",
+ "ui-priority": 1
+ },
 "eml": {
 "description": "Full EML",
 "disable_correlation": true,
@@ -258,9 +264,10 @@
 "x-mailer",
 "return-path",
 "email-body",
+ "email-body-attachment",
 "eml",
 "msg"
 ],
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
- "version": 18
+ "version": 19
 }
\ No newline at end of file
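Review bot: The description `Body of the email as an attachment` on the new `email-body-attachment` attribute is ambiguous: it can be read as the body stored as a file, or as an attachment extracted from the body. The sibling `eml` entry in the same hunk uses the same `attachment` type with `disable_correlation`, so the first reading looks intended; suggest `"description": "Body of the email, stored as a file attachment rather than as text",`. Since such a body is often HTML that may carry scripts or remote references, the description could also note that consumers rendering the attachment should treat it as untrusted content. The second hunk of this patch only adds the name to the existing list (presumably `requiredOneOf`) and bumps the version, which is consistent with the first.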
