Delta-Sierra 2023-01-25 09:25:52 +01:00
commit 78d31f4564
15 changed files with 459 additions and 13 deletions

.github/workflows/codeql.yml vendored Normal file

@ -0,0 +1,41 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: "43 15 * * 4"
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ python ]
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"
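Review bot: Every action in this workflow is referenced by a mutable tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), so a force-moved or compromised tag would run arbitrary code in CI under the `security-events: write` token this job requests. Pin each `uses:` to the full commit SHA of the release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, and let Dependabot bump the pins. The job-level `permissions:` block is correctly minimal; the `Autobuild` step is harmless but does nothing for a Python-only matrix, so it could be dropped. Indentation was not preserved in this rendering, so the nesting of the `with:` blocks could not be checked here.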


@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.6, 3.7, 3.8, 3.9]
python-version: ['3.8', '3.9', '3.10']
steps:


@ -104,6 +104,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
## Existing MISP objects
- [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
- [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework.
- [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings.
- [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app.
@ -161,11 +162,13 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
- [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points.
- [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.
- [objects/exploit](https://github.com/MISP/misp-objects/blob/main/objects/exploit/definition.json) - Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.
- [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
- [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account.
- [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group.
- [objects/facebook-page](https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json) - Facebook page.
- [objects/facebook-post](https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json) - Post on a Facebook wall.
- [objects/facebook-reaction](https://github.com/MISP/misp-objects/blob/main/objects/facebook-reaction/definition.json) - Reaction to facebook posts.
- [objects/facial-composite](https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json) - An object which describes a facial composite.
- [objects/fail2ban](https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json) - Fail2ban event.
- [objects/favicon](https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json) - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
@ -247,6 +250,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/intelmq_report](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json) - IntelMQ Report.
- [objects/internal-reference](https://github.com/MISP/misp-objects/blob/main/objects/internal-reference/definition.json) - Internal reference.
- [objects/interpol-notice](https://github.com/MISP/misp-objects/blob/main/objects/interpol-notice/definition.json) - An object which describes a Interpol notice.
- [objects/intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/intrusion-set/definition.json) - A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
- [objects/iot-device](https://github.com/MISP/misp-objects/blob/main/objects/iot-device/definition.json) - An IoT device.
- [objects/iot-firmware](https://github.com/MISP/misp-objects/blob/main/objects/iot-firmware/definition.json) - A firmware for an IoT device.
- [objects/ip-api-address](https://github.com/MISP/misp-objects/blob/main/objects/ip-api-address/definition.json) - IP Address information. Useful if you are pulling your ip information from ip-api.com.
@ -288,6 +292,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata.
- [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable.
- [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable.
- [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks.
- [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity.
- [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity.
- [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature.
@ -358,7 +363,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
- [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body.
- [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account.
- [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot.
- [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid.
- [objects/thaicert-group-cards](https://github.com/MISP/misp-objects/blob/main/objects/thaicert-group-cards/definition.json) - Adversary group cards inspired by ThaiCERT.
- [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report.
- [objects/timecode](https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
- [objects/timesketch-timeline](https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
@ -379,6 +386,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/twitter-account](https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json) - Twitter account.
- [objects/twitter-list](https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json) - Twitter list.
- [objects/twitter-post](https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json) - Twitter post (tweet).
- [objects/typosquatting-finder](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder/definition.json) - Typosquatting info.
- [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
- [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
- [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
- [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.


@ -10,6 +10,7 @@ do
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
cat ${dir} | jq -r .uuid | uuidparse
done
set -e
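Review bot: The new `uuidparse` call does not actually fail validation on a malformed uuid: as far as I can tell uuidparse reports bad input as `invalid` in its output table and still exits 0, and unlike the `jq` line above there is no `rc` check, while `set -e` is only enabled after the loop. Given that the two uuid replacements later in this commit look exactly like fixes for uuids one hex digit short, the check should be enforced, e.g. `uuid=$(jq -r .uuid "${dir}")` followed by `[[ "${uuid}" =~ ^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$ ]] || { echo "invalid uuid in ${dir}: ${uuid}" >&2; exit 1; }`, which also removes the dependency on a uuidparse binary that older util-linux images may not ship. The unquoted `${dir}` on this line and on the `cat ${dir}` lines above will word-split on the new `objects/Deception PersNOna` directory added in this same commit, so quote it. The enclosing loop starts outside the hunk.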


@ -0,0 +1,81 @@
{
"attributes": {
"acd-element": {
"description": "lists the steps required to generate a representative true positive event which triggers this alert.",
"misp-attribute": "text",
"ui-priority": 0
},
"additional_resources": {
"description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
"misp-attribute": "url",
"multiple": true,
"ui-priority": 2
},
"blind_spots_and_assumptions": {
"description": "Recognized issues, assumptions, and areas where an ADS may not fire.",
"misp-attribute": "text",
"ui-priority": 7
},
"categorization": {
"description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"date": {
"description": "Enter date, when ADS has been created or edited.",
"misp-attribute": "datetime",
"ui-priority": 12
},
"false_positives": {
"description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.",
"misp-attribute": "text",
"ui-priority": 6
},
"goal": {
"description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.",
"misp-attribute": "text",
"ui-priority": 11
},
"priority": {
"description": "Describes the various alerting levels that an ADS may be tagged with.",
"misp-attribute": "text",
"ui-priority": 4
},
"responses": {
"description": "General response steps in the event that this alert fired.",
"misp-attribute": "text",
"ui-priority": 3
},
"sigma_rule": {
"description": "Rule in SIGMA format.",
"misp-attribute": "sigma",
"ui-priority": 1
},
"strategy_abstract": {
"description": "High-level walkthrough of how the ADS functions.",
"misp-attribute": "text",
"ui-priority": 9
},
"technical_context": {
"description": "Detailed information and background needed for a responder to understand all components of the alert. ",
"misp-attribute": "text",
"ui-priority": 8
},
"validation": {
"description": "lists the steps required to generate a representative true positive event which triggers this alert.",
"misp-attribute": "text",
"ui-priority": 5
}
},
"description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
"meta-category": "misc",
"name": "ADS",
"required": [
"date",
"goal",
"categorization"
],
"uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
"version": 1
}
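Review bot: `acd-element` carries the same description text as `validation` ("lists the steps required to generate a representative true positive event which triggers this alert."), so one of the two is a copy-paste leftover; presumably `acd-element` should say which Alerting and Detection Cycle element the strategy belongs to, so confirm against the Palantir ADS framework and fix it before the template ships, as descriptions are user-facing in the UI. `additional_resources` is typed `url`, which in MISP is an indicator type, whereas the `exploit` template in this same commit uses `link` for references; as far as I know `link` is the type meant for documentation pointers that should neither correlate nor be exported as IOCs, so `"misp-attribute": "link"`. The keys also mix hyphen and underscore (`acd-element` next to `sigma_rule`, `strategy_abstract`); settle on the repository's kebab-case now, because keys become the schema once instances pull the template.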


@ -35,6 +35,11 @@
"multiple": true,
"ui-priority": 0
},
"description": {
"description": "Description of the exploit.",
"misp-attribute": "text",
"ui-priority": 1
},
"exploit": {
"description": "Free text of the exploit.",
"misp-attribute": "text",
@ -76,6 +81,11 @@
"misp-attribute": "link",
"multiple": true,
"ui-priority": 0
},
"title": {
"description": "Title of the exploit.",
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.",
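Review bot: The new `description` attribute is free text yet has no `disable_correlation`, so MISP will correlate exploit objects across events whenever two descriptions happen to match; other templates touched in this commit set `"disable_correlation": true` on descriptive text (vehicle colours, passport dates) and this one should too, e.g. `"description": {"description": "Description of the exploit.", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 1}`, while `title` can reasonably stay correlatable. The template's `version` field lies outside the visible hunks; if it was not bumped, instances will as far as I know not pick up the two new attributes, so please confirm. The enclosing `attributes` object starts before the first hunk.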


@ -56,6 +56,6 @@
"processing-timestamp",
"attack-type"
],
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
"version": 5
"uuid": "32f7ded6-e774-4401-81b0-79634e82f589",
"version": 6
}
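Review bot: Replacing an existing template's `uuid` is a breaking change for every instance that already holds objects created from it: objects reference their template by uuid, so as far as I know they will no longer be matched to this template after the update, and the bump to `"version": 6` does not help because the lookup is by uuid first. Assuming the print order is old then new, the old value `8be2271-7326-…` is one hex digit short in its first group, which explains the replacement, but this deserves a changelog entry and a short migration note for operators; the same applies to the uuid replacement in the following file.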


@ -51,6 +51,6 @@
"activityType",
"datetime"
],
"uuid": "9297982e-be62-4772-a665-c91f5a8d639",
"version": 3
"uuid": "58149b06-eabe-4937-9dac-01d63f504e14",
"version": 4
}


@ -0,0 +1,103 @@
{
"attributes": {
"actions": {
"description": "Actions by this PersNOna or engagement with adversary or relateda party.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 7
},
"alias": {
"description": "Aliases or Nicknames of fake PesNOna on differenet media.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"background": {
"description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 2
},
"conversations": {
"description": "Conversations with targets",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"critical_tasks": {
"description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 6
},
"goals": {
"description": "Goals of creating of this PersNOna.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 5
},
"location": {
"description": "Location, where PersNOna is right now at home, home town, county, country etc.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 3
},
"media": {
"description": "Media where is PersNOna active ie. facebook, telegram etc.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"name": {
"description": "Name - full name of PersNOna.",
"disable_correlation": false,
"misp-attribute": "full-name",
"multiple": true,
"ui-priority": 1
},
"oppportunities": {
"description": "Opportunities for another development, introducing another PersNOna etc.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 9
},
"photo": {
"description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
"disable_correlation": false,
"misp-attribute": "url",
"multiple": false,
"ui-priority": 0
},
"questions": {
"description": "Questions, which have to be answered by this profile goal.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 8
},
"responsi": {
"description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 4
}
},
"description": "Fake persona with tasks",
"meta-category": "misc",
"name": "Deception PersNOna",
"required": [
"name"
],
"uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
"version": 1
}
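Review bot: The template `name` `Deception PersNOna` contains a space and mixed case, and the object directory carries the same space in its path (see the README link added in this commit), which breaks the unquoted `cat ${dir}` in the validation script and is unlike every other template, all of which use lowercase kebab-case; rename to something like `"name": "deception-persona"` before this ships, since the name and uuid become the stable identifier. Several attribute keys are misspelled or truncated and would be frozen into the schema: `oppportunities` and `responsi`, plus `relateda`, `PesNOna` and `differenet` in descriptions. `photo` is typed `url` with correlation enabled; since it points at the deceiver's own fake profile rather than adversary infrastructure, it should be `"misp-attribute": "link"`, or at least carry `"to_ids": false`, so that sharing the event does not export it as an indicator.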


@ -165,8 +165,14 @@
"misp-attribute": "passport-country",
"ui-priority": 0
},
"passport-creation": {
"description": "The creation date of the passport.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"passport-expiration": {
"description": "The expiration date of a passport.",
"description": "The expiration date of the passport.",
"disable_correlation": true,
"misp-attribute": "passport-expiration",
"ui-priority": 0
@ -249,5 +255,5 @@
"handle"
],
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
"version": 18
"version": 19
}


@ -0,0 +1,68 @@
{
"attributes": {
"country": {
"description": "Country of group - group location where it operates from.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"description": {
"description": "Description of group activities or TTP used for group actions.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": false,
"ui-priority": 4
},
"more informations": {
"description": "List more informations by url - reports, group links etc..",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 7
},
"motivation": {
"description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 3
},
"name": {
"description": "Names or nicknames for group.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"observed": {
"description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 5
},
"sponsor": {
"description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 2
},
"tools used": {
"description": "What known tools are used by group.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 6
}
},
"description": "Adversary group cards inspired by ThaiCERT",
"meta-category": "misc",
"name": "thaicert-group-cards",
"required": [
"name"
],
"uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
"version": 3
}
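Review bot: Two attribute keys contain spaces, `more informations` and `tools used`, while every other template in the repository uses kebab-case keys, and `more informations` is described as a list of URLs yet typed `text`; suggest `"more-information"` with `"misp-attribute": "link"` and `"tools-used"`, and do it in this commit because keys are frozen once the template is published. A brand-new file starting at `"version": 3` is odd unless the template was imported from elsewhere — worth confirming so version bookkeeping stays meaningful. The descriptions ("List more informations by url", "Motivation behind group ie.") could also use a grammar pass since they are shown in the UI.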


@ -0,0 +1,89 @@
{
"attributes": {
"a-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IPv4 address associated with A record",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"aaaa-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IPv6 address associated with AAAA record",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"mx-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain associated with MX record",
"misp-attribute": "domain",
"multiple": true,
"ui-priority": 1
},
"ns-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain associated with NS record",
"misp-attribute": "domain",
"multiple": true,
"ui-priority": 1
},
"queried-domain": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain name",
"misp-attribute": "domain",
"ui-priority": 1
},
"ratio-similarity": {
"description": "Similarity probability",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-ressource-diff": {
"description": "Difference of website's ressources between both, research and current variations domain",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-similarity": {
"description": "Similarity between website of both research and current variations domain",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-title": {
"description": "Website's title of the current queried domain",
"disable_correlation": false,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
}
},
"description": "Typosquatting result",
"meta-category": "network",
"name": "typosquatting-finder-result",
"required": [
"queried-domain"
],
"uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55",
"version": 1
}
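Review bot: `a-record`, `aaaa-record`, `mx-record`, `ns-record` and `queried-domain` are typed `ip-dst` and `domain` under "Network activity", which in MISP default to `to_ids` true; these are DNS lookup results for candidate typosquat variations, most of which are parked or benign, so pushing such an event would export them straight into IDS feeds. The README context line in this commit notes that a template may set an optional `to_ids` boolean per attribute — add `"to_ids": false` to each of these five so analysts opt in per indicator after triage. Minor: the key `website-ressource-diff` has a typo that would be frozen into the schema (`website-resource-diff`), and `ratio-similarity` is a probability stored as `text` where MISP's `float` type would allow numeric filtering.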


@ -0,0 +1,37 @@
{
"attributes": {
"research-domain": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Research domain name",
"disable_correlation": false,
"misp-attribute": "domain",
"recommended": false,
"ui-priority": 1
},
"variations-found-number": {
"description": "Number of variations for the research domain that some info is found.",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"variations-number": {
"description": "Number of variations for the research domain.",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
}
},
"description": "Typosquatting info",
"meta-category": "network",
"name": "typosquatting-finder",
"required": [
"research-domain"
],
"uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822",
"version": 1
}
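Review bot: `research-domain` is the organisation's own legitimate domain being checked for typosquats, yet it is typed `domain` under "Network activity" with `disable_correlation: false` and no `to_ids` override, so as far as I know it becomes an IDS-exportable indicator by default and will correlate with every event that merely mentions the legitimate domain; add `"to_ids": false` and most likely `"disable_correlation": true` to that attribute. `variations-number` and `variations-found-number` hold integers but are typed `text`; MISP's `counter` type would keep them numeric. A one-line comment in the README entry saying that the result object (`typosquatting-finder-result`) is meant to be linked from this one would help users, since nothing in either template expresses the relationship.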


@ -19,7 +19,7 @@
"ui-priority": 0
},
"exterior-color": {
"description": "Exterior color of the vehicule",
"description": "Exterior color of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
@ -49,7 +49,7 @@
"ui-priority": 0
},
"interior-color": {
"description": "Interior color of the vehicule",
"description": "Interior color of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
@ -73,13 +73,13 @@
"ui-priority": 0
},
"state": {
"description": "State of the vehicule (stolen or recovered)",
"description": "State of the vehicle (stolen or recovered)",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"type": {
"description": "Type of the vehicule",
"description": "Type of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
@ -125,5 +125,5 @@
"indicative-value"
],
"uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
"version": 3
"version": 4
}


@ -96,6 +96,7 @@
"hospitality leisure",
"infrastructure",
"insurance",
"legal",
"manufacturing",
"mining",
"non profit",
@ -124,5 +125,5 @@
"sectors"
],
"uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
"version": 6
"version": 7
}