From 5f1e6c5fec0a1a7a1a4e5ae0a89c3fc128b1086c Mon Sep 17 00:00:00 2001
From: N1col4s5742 <46679349+N1col4s5742@users.noreply.github.com>
Date: Fri, 20 Dec 2019 14:14:49 +0100
Subject: [PATCH 01/13] Add vehicle state
---
 objects/vehicle/definition.json | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
index c558a46..36e55e5 100644
--- a/objects/vehicle/definition.json
+++ b/objects/vehicle/definition.json
@@ -9,7 +9,8 @@
 "date-first-registration",
 "image-url",
 "gearbox",
- "indicative-value"
+ "indicative-value",
+ "state",
 ],
 "attributes": {
 "description": {
@@ -70,7 +71,13 @@
 "ui-priority": 0,
 "misp-attribute": "text",
 "multiple": true
- }
+ },
+ "state": {
+ "description": "State of the vehicle",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
 },
 "version": 2,
 "description": "Vehicle object template to describe a vehicle information and registration",
From 59027ddc6ac86d6d88d1865a70cd477a1337b342 Mon Sep 17 00:00:00 2001
From: N1col4s5742 <46679349+N1col4s5742@users.noreply.github.com>
Date: Fri, 20 Dec 2019 14:18:10 +0100
Subject: [PATCH 02/13] Bump version
---
 objects/vehicle/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
index 36e55e5..433d863 100644
--- a/objects/vehicle/definition.json
+++ b/objects/vehicle/definition.json
@@ -79,7 +79,7 @@
 "disable_correlation": true
 },
 },
- "version": 2,
+ "version": 3,
 "description": "Vehicle object template to describe a vehicle information and registration",
 "meta-category": "misc",
 "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
From c611736e35d62754d42b259f126d38822f3c83f7 Mon Sep 17 00:00:00 2001
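Review bot: The trailing comma on `+ "state",` at the end of the requiredOneOf array and on the new block's closing `+ },` leave objects/vehicle/definition.json invalid under RFC 8259, so a strict parser (jq, Python's json module) rejects this commit on its own. PATCH 03 in this series removes both commas and PATCH 02 bumps the version; squashing the three would keep every commit loadable and bisectable. Both hunks of this patch share the problem.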
From: N1col4s5742 <46679349+N1col4s5742@users.noreply.github.com>
Date: Fri, 20 Dec 2019 14:20:08 +0100
Subject: [PATCH 03/13] Vehicle state
---
 objects/vehicle/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
index 433d863..929fcfa 100644
--- a/objects/vehicle/definition.json
+++ b/objects/vehicle/definition.json
@@ -10,7 +10,7 @@
 "image-url",
 "gearbox",
 "indicative-value",
- "state",
+ "state"
 ],
 "attributes": {
 "description": {
@@ -77,7 +77,7 @@
 "ui-priority": 0,
 "misp-attribute": "text",
 "disable_correlation": true
- },
+ }
 },
 "version": 3,
 "description": "Vehicle object template to describe a vehicle information and registration",
From 1e096535ef3c4fe5eb5c42c12192e10cdce699f1 Mon Sep 17 00:00:00 2001
From: StefanKelm
Date: Fri, 10 Jan 2020 15:00:19 +0100
Subject: [PATCH 04/13] Update definition.json Add compilation timestamp (similar to pe object)
---
 objects/file/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/file/definition.json b/objects/file/definition.json
index fe2ee99..937d407 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
@@ -445,9 +445,14 @@
 "description": "Hash (md5) calculated from the import table",
 "ui-priority": 0,
 "misp-attribute": "imphash"
+ },
+ "compilation-timestamp": {
+ "description": "Compilation timestamp",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
 }
 },
- "version": 18,
+ "version": 19,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 92ebb542c24c307705d67e41f82664057e827323 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Thu, 16 Jan 2020 10:44:51 +0100
Subject: [PATCH 05/13] fix: [microblog] to_ids changes
---
 objects/microblog/definition.json | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
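Review bot: The new `compilation-timestamp` attribute in objects/file/definition.json is added without `disable_correlation`, so its `datetime` value will correlate across events; compile timestamps in executable headers are routinely zeroed or forged, and one popular value would link many unrelated files. If the intent is parity with the pe object, I'd check what that template sets for the same attribute and mirror it, otherwise add `"disable_correlation": true` here. The description is a bare restatement of the key; `"description": "Compilation timestamp as recorded in the file's headers"` tells the analyst where the value comes from. The enclosing attributes object starts outside the hunk.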
diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json
index 52641d5..2a63b1c 100644
--- a/objects/microblog/definition.json
+++ b/objects/microblog/definition.json
@@ -16,7 +16,8 @@
 "link": {
 "description": "Original link into the microblog post (Supposed harmless)",
 "ui-priority": 1,
- "misp-attribute": "link"
+ "misp-attribute": "link",
+ "to_ids": 0
 },
 "type": {
 "description": "Type of the microblog post",
@@ -81,7 +82,8 @@
 "description": "Safe link into the microblog post",
 "ui-priority": 0,
 "misp-attribute": "link",
- "multiple": true
+ "multiple": true,
+ "to_ids": 0
 },
 "removal-date": {
 "description": "When the microblog post was removed",
@@ -101,7 +103,7 @@
 "multiple": true
 }
 },
- "version": 11,
+ "version": 12,
 "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
 "meta-category": "misc",
 "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
From fa634803911d211f993049242d41eebaf342a9c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Thu, 16 Jan 2020 13:46:53 +0100
Subject: [PATCH 06/13] fix: to_ids must be a bool
---
 objects/microblog/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json
index 2a63b1c..309c11e 100644
--- a/objects/microblog/definition.json
+++ b/objects/microblog/definition.json
@@ -17,7 +17,7 @@
 "description": "Original link into the microblog post (Supposed harmless)",
 "ui-priority": 1,
 "misp-attribute": "link",
- "to_ids": 0
+ "to_ids": false
 },
 "type": {
 "description": "Type of the microblog post",
@@ -83,7 +83,7 @@
 "ui-priority": 0,
 "misp-attribute": "link",
 "multiple": true,
- "to_ids": 0
+ "to_ids": false
 },
 "removal-date": {
 "description": "When the microblog post was removed",
From 6944680dac8429574c555547527e47eb7807c162 Mon Sep 17 00:00:00 2001
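Review bot: `+ "to_ids": 0` writes the flag as an integer while every other flag in this template is a JSON boolean (`"multiple": true` sits directly above the second occurrence); a consumer that compares the field with `false` or validates it as boolean will reject the template or silently mis-read it. PATCH 06 in this series changes both lines to `"to_ids": false`; the two patches should be squashed so that version 12 of the template never ships the integer form. Both hunks of this patch share the issue.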
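Review bot: The template content changes again here but `"version"` stays at the 12 introduced by PATCH 05 (both hunks touch only the two `to_ids` lines). If instances refresh an object template only when its version number increases, anyone who already loaded v12 with the integer values will keep them; bump to `"version": 13` unless this patch is squashed into PATCH 05.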
From: Alexandre Dulaunoy
Date: Tue, 21 Jan 2020 09:47:13 +0100
Subject: [PATCH 07/13] new: [attributes] chrome-extension-id added
---
 schema_objects.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/schema_objects.json b/schema_objects.json
index 0cfe939..91d1d47 100644
--- a/schema_objects.json
+++ b/schema_objects.json
@@ -53,6 +53,7 @@
 "campaign-name",
 "cc-number",
 "cdhash",
+ "chrome-extension-id",
 "comment",
 "community-id",
 "cookie",
From 6cc3f4a51c766da8a6df30481fc5d357dc0ba9a5 Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Fri, 24 Jan 2020 10:25:32 +0100
Subject: [PATCH 08/13] change definition.json for vehicle
---
 objects/vehicle/definition.json | 40 +++++++++++++++++++++++++--------
 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
index 929fcfa..d4ff30c 100644
--- a/objects/vehicle/definition.json
+++ b/objects/vehicle/definition.json
@@ -9,8 +9,11 @@
 "date-first-registration",
 "image-url",
 "gearbox",
- "indicative-value",
- "state"
+ "exterior color",
+ "interior color",
+ "type",
+ "state",
+ "indicative-value"
 ],
 "attributes": {
 "description": {
@@ -19,6 +22,30 @@
 "misp-attribute": "text",
 "disable_correlation": true
 },
+ "exterior color": {
+ "description": "Exterior color of the vehicule",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "state": {
+ "description": "State of the vehicule (stolen or recovered)",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "interior color": {
+ "description": "Interior color of the vehicule",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "type": {
+ "description": "Type of the vehicule",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
 "make": {
 "description": "Manufacturer of the vehicle",
 "ui-priority": 0,
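Review bot: The new attribute names `exterior color` and `interior color` contain spaces, whereas every existing key in this template is kebab-case (`date-first-registration`, `image-url`, `indicative-value`); a mixed convention complicates lookups, and the same names are repeated in the requiredOneOf hunk just above. I'd rename them `exterior-color` and `interior-color` in both hunks. The four new descriptions also spell "vehicule" where the rest of the file says "vehicle" (`"description": "Manufacturer of the vehicle"` two lines below). Since `state` is documented as "(stolen or recovered)", adding `"values_list": ["stolen", "recovered"]` to that attribute would make the closed set explicit instead of leaving free text.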
@@ -71,17 +98,12 @@
 "ui-priority": 0,
 "misp-attribute": "text",
 "multiple": true
- },
- "state": {
- "description": "State of the vehicle",
- "ui-priority": 0,
- "misp-attribute": "text",
- "disable_correlation": true
 }
 },
- "version": 3,
+ "version": 2,
 "description": "Vehicle object template to describe a vehicle information and registration",
 "meta-category": "misc",
 "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
 "name": "vehicle"
 }
+
From 6fd7dfc896fbff9f48390e3707dfa3f520f46d0f Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Fri, 24 Jan 2020 10:30:22 +0100
Subject: [PATCH 09/13] change definition.json for vehicle and geolocation
---
 objects/geolocation/definition.json | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json
index 1189994..f0d2a33 100644
--- a/objects/geolocation/definition.json
+++ b/objects/geolocation/definition.json
@@ -49,6 +49,11 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "neighborhood": {
+ "description": "Neighborhood.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "zipcode": {
 "description": "Zip Code.",
 "misp-attribute": "text",
From e8583c5e1332f61e9620e308d24f9546f7b8bff2 Mon Sep 17 00:00:00 2001
From: Nicolas
Date: Fri, 24 Jan 2020 10:40:50 +0100
Subject: [PATCH 10/13] change definition.json for vehicle and geolocation with verification sponge
---
 objects/vehicle/definition.json | 1 -
 1 file changed, 1 deletion(-)
diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json
index d4ff30c..31650be 100644
--- a/objects/vehicle/definition.json
+++ b/objects/vehicle/definition.json
@@ -106,4 +106,3 @@
 "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
 "name": "vehicle"
 }
-
From e6659c7c7ebdd8dd90af3a3e32c7ce002842f40b Mon Sep 17 00:00:00 2001
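Review bot: `- "version": 3` / `+ "version": 2` regresses the template version, so instances that already hold v3 (published by PATCH 02) will not pick up the four new attributes, and the number now collides with the earlier v2 that had no `state` at all; it should be `"version": 4`. The hunk also appends an empty line after the closing brace, which PATCH 10 in the same series removes again, so the two cancel out and could be dropped together. Moving the `state` definition from the bottom of the attributes block to the top is fine in itself, but it is what makes this diff hard to read; the start of the attributes object lies outside the hunk.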
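Review bot: `neighborhood` is added to objects/geolocation/definition.json without a version bump (the diffstat shows 5 insertions and no deletions, and the `version` line is outside the hunk), so existing instances will not load the new attribute. The description `"Neighborhood."` merely restates the key; `"description": "Neighborhood or district within the city."` would tell an analyst what belongs there. The commit subject mentions the vehicle template, but only the geolocation template changes in this patch.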
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Fri, 24 Jan 2020 12:58:28 +0100
Subject: [PATCH 11/13] new: TruStar report object
---
 objects/trustar_report/definition.json | 81 ++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 objects/trustar_report/definition.json
diff --git a/objects/trustar_report/definition.json b/objects/trustar_report/definition.json
new file mode 100644
index 0000000..a8dd5bb
--- /dev/null
+++ b/objects/trustar_report/definition.json
@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "BITCOIN_ADDRESS": {
+ "description": "A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment.",
+ "misp-attribute": "btc",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "CIDR_BLOCK": {
+ "description": "CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.",
+ "misp-attribute": "ip-src",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "CVE": {
+ "description": "The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.",
+ "misp-attribute": "vulnerability",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "EMAIL_ADDRESS": {
+ "description": "An email address is a unique identifier for an email account.",
+ "misp-attribute": "email-src",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "IP": {
+ "description": "An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.",
+ "misp-attribute": "ip-dst",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "MALWARE": {
+ "description": "Names of software that are intended to damage or disable computers and computer systems.",
+ "misp-attribute": "malware-type",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "MD5": {
+ "description": "The MD5 algorithm is a widely used hash function producing a 128-bit hash value.",
+ "misp-attribute": "md5",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "REGISTRY_KEY": {
+ "description": "The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows.",
+ "misp-attribute": "regkey",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "SHA1": {
+ "description": "SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks.",
+ "misp-attribute": "sha1",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "SHA256": {
+ "description": "SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string.",
+ "misp-attribute": "sha256",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "SOFTWARE": {
+ "description": "The name of a file on a filesystem.",
+ "misp-attribute": "filename",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "URL": {
+ "description": "A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.",
+ "misp-attribute": "url",
+ "multiple": true,
+ "ui-priority": 1
+ }
+ },
+ "description": "TruStar Report",
+ "meta-category": "network",
+ "name": "trustar_report",
+ "uuid": "8ff46cf1-db04-4453-ba46-d004e1ef6b7a",
+ "version": 1
+}
From cdc463ef1a04583df02c5c57ce3cbc67d2fa2751 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 24 Jan 2020 15:46:06 +0100
Subject: [PATCH 12/13] chg: [domain-ip] port added (required by AIL crawling)
---
 objects/domain-ip/definition.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index fe12939..f5fc64a 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
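Review bot: The type mappings in the new objects/trustar_report/definition.json encode direction and semantics the TruStar indicator types do not carry: `CIDR_BLOCK` becomes `ip-src` while `IP` becomes `ip-dst`, `EMAIL_ADDRESS` becomes `email-src`, and `SOFTWARE` becomes `filename` with a description ("The name of a file on a filesystem.") that contradicts the key. Correlation and IDS export in MISP key off these types, so a mis-typed indicator is matched against the wrong traffic direction or not at all; pick one direction for both address types (MISP has no direction-neutral IP type), state that choice in each `description`, and either map `SOFTWARE` to a software-oriented type or document why `filename` was chosen. The attribute keys are SCREAMING_SNAKE_CASE while every other template touched in this series uses lowercase kebab-case (`compilation-timestamp`, `date-first-registration`, `neighborhood`); if the upper-case names mirror TruStar's field names, a sentence in the object-level `"description"` saying so would explain the exception. The template defines no `required` or `requiredOneOf`, so an empty report object can be created. The `SHA1` description singles out SHA-1 as "prone to length extension attacks", but MD5 and SHA-256 share that property and it is irrelevant to using a hash as an indicator, so that sentence should be dropped.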
@@ -48,9 +48,19 @@
 "ui-priority": 1,
 "misp-attribute": "ip-dst",
 "multiple": true
+ },
+ "port": {
+ "description": "Associated TCP port with the domain",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "multiple": true
 }
 },
- "version": 6,
+ "version": 8,
 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 "meta-category": "network",
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
From fb878a6901777fe1612c984427d0ea8ddf19f048 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?=
Date: Tue, 28 Jan 2020 10:47:18 +0100
Subject: [PATCH 13/13] fix: Wrong name in requiredOneOf
---
 objects/script/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/script/definition.json b/objects/script/definition.json
index 42d3201..0b35fa8 100644
--- a/objects/script/definition.json
+++ b/objects/script/definition.json
@@ -2,7 +2,7 @@
 "requiredOneOf": [
 "script",
 "filename",
- "attachment"
+ "script-as-attachment"
 ],
 "attributes": {
 "script": {
@@ -63,7 +63,7 @@
 ]
 }
 },
- "version": 6,
+ "version": 7,
 "description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
 "meta-category": "misc",
 "uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",
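Review bot: `- "version": 6` / `+ "version": 8` skips 7; if that is deliberate (for instance to overtake a bump made on another branch) the commit message should say so, otherwise it should read `"version": 7`. The description `"Associated TCP port with the domain"` asserts TCP although the `port` attribute type is protocol-agnostic and nothing in the object records the protocol; either drop the protocol from the description, e.g. `"description": "Port associated with the domain"`, or add an attribute that records it. The enclosing attributes object starts outside the hunk.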