Merge remote-tracking branch 'upstream/master'

objects/domain-ip/definition.json

@@ -48,9 +48,19 @@
       "ui-priority": 1,
       "misp-attribute": "ip-dst",
       "multiple": true
+    },
+    "port": {
+      "description": "Associated TCP port with the domain",
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "ui-priority": 1,
+      "misp-attribute": "port",
+      "multiple": true
     }
   },
-  "version": 6,
+  "version": 8,
   "description": "A domain and IP address seen as a tuple in a specific time frame.",
   "meta-category": "network",
   "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",

objects/file/definition.json

@@ -445,9 +445,14 @@
       "description": "Hash (md5) calculated from the import table",
       "ui-priority": 0,
       "misp-attribute": "imphash"
+    },
+    "compilation-timestamp": {
+      "description": "Compilation timestamp",
+      "ui-priority": 0,
+      "misp-attribute": "datetime"
     }
   },
-  "version": 18,
+  "version": 19,
   "description": "File object describing a file with meta-information",
   "meta-category": "file",
   "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",

objects/geolocation/definition.json

@@ -49,6 +49,11 @@
       "misp-attribute": "text",
       "ui-priority": 1
     },
+    "neighborhood": {
+      "description": "Neighborhood.",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
     "zipcode": {
       "description": "Zip Code.",
       "misp-attribute": "text",

objects/microblog/definition.json

@@ -16,7 +16,8 @@
     "link": {
       "description": "Original link into the microblog post (Supposed harmless)",
       "ui-priority": 1,
-      "misp-attribute": "link"
+      "misp-attribute": "link",
+      "to_ids": false
     },
     "type": {
       "description": "Type of the microblog post",
@@ -81,7 +82,8 @@
       "description": "Safe link into the microblog post",
       "ui-priority": 0,
       "misp-attribute": "link",
-      "multiple": true
+      "multiple": true,
+      "to_ids": false
     },
     "removal-date": {
       "description": "When the microblog post was removed",
@@ -101,7 +103,7 @@
       "multiple": true
     }
   },
-  "version": 11,
+  "version": 12,
   "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
   "meta-category": "misc",
   "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",

objects/script/definition.json

@@ -2,7 +2,7 @@
   "requiredOneOf": [
     "script",
     "filename",
-    "attachment"
+    "script-as-attachment"
   ],
   "attributes": {
     "script": {
@@ -63,7 +63,7 @@
       ]
     }
   },
-  "version": 6,
+  "version": 7,
   "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
   "meta-category": "misc",
   "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",

objects/trustar_report/definition.json

@@ -0,0 +1,81 @@
+{
+  "attributes": {
+    "BITCOIN_ADDRESS": {
+      "description": "A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment.",
+      "misp-attribute": "btc",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "CIDR_BLOCK": {
+      "description": "CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "CVE": {
+      "description": "The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.",
+      "misp-attribute": "vulnerability",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "EMAIL_ADDRESS": {
+      "description": "An email address is a unique identifier for an email account.",
+      "misp-attribute": "email-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "IP": {
+      "description": "An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "MALWARE": {
+      "description": "Names of software that are intended to damage or disable computers and computer systems.",
+      "misp-attribute": "malware-type",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "MD5": {
+      "description": "The MD5 algorithm is a widely used hash function producing a 128-bit hash value.",
+      "misp-attribute": "md5",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "REGISTRY_KEY": {
+      "description": "The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows.",
+      "misp-attribute": "regkey",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "SHA1": {
+      "description": "SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks.",
+      "misp-attribute": "sha1",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "SHA256": {
+      "description": "SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string.",
+      "misp-attribute": "sha256",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "SOFTWARE": {
+      "description": "The name of a file on a filesystem.",
+      "misp-attribute": "filename",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "URL": {
+      "description": "A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.",
+      "misp-attribute": "url",
+      "multiple": true,
+      "ui-priority": 1
+    }
+  },
+  "description": "TruStar Report",
+  "meta-category": "network",
+  "name": "trustar_report",
+  "uuid": "8ff46cf1-db04-4453-ba46-d004e1ef6b7a",
+  "version": 1
+}

objects/vehicle/definition.json

@@ -9,6 +9,10 @@
     "date-first-registration",
     "image-url",
     "gearbox",
+    "exterior color",
+    "interior color",
+    "type",
+    "state",
     "indicative-value"
   ],
   "attributes": {
@@ -18,6 +22,30 @@
       "misp-attribute": "text",
       "disable_correlation": true
     },
+    "exterior color": {
+      "description": "Exterior color of the vehicule",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "state": {
+      "description": "State of the vehicule (stolen or recovered)",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "interior color": {
+      "description": "Interior color of the vehicule",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "type": {
+      "description": "Type of the vehicule",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
     "make": {
       "description": "Manufacturer of the vehicle",
       "ui-priority": 0,

schema_objects.json

@@ -53,6 +53,7 @@
             "campaign-name",
             "cc-number",
             "cdhash",
+            "chrome-extension-id",
             "comment",
             "community-id",
             "cookie",