As discussed with @rafiot, we can't simply add rdata and rrname as

text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. Kind of sucks to duplicate the rrname and rdata entries, but that's the only solution we came up with. The COF2MISP module will populate both the rrname,rdata as well as the rrname_{domain,ip} and rdata_{domain,ip} attributes. Checked with jq_all_the_things.sh. Thanks for your consideration.
2021-05-02 15:57:54 +02:00 · 2021-05-02 15:57:54 +02:00 · 7b4c9cd6df
parent e72cf95275
commit 7b4c9cd6df
1 changed files with 40 additions and 4 deletions
--- a/objects/passive-dns/definition.json
+++ b/objects/passive-dns/definition.json
@ -3,7 +3,7 @@
    "bailiwick": {
      "description": "Best estimate of the apex of the zone where this data is authoritative",
      "disable_correlation": true,
-      "misp-attribute": "text",
+      "misp-attribute": "domain",
      "ui-priority": 0
    },
    "count": {
@ -19,15 +19,33 @@
      "ui-priority": 0
    },
    "raw_rdata": {
-      "description": "Resource records of the queried resource, in hexadecimal",
+      "description": "Resource records of the queried resource, in hexadecimal. *All* rdata entries at once.",
      "misp-attribute": "text",
      "ui-priority": 0
    },
    "rdata": {
-      "description": "Resource records of the queried resource",
+      "description": "Resource records of the queried resource. Note that this field is added for *each* rdata entry in the rrset.",
      "misp-attribute": "text",
      "ui-priority": 1
    },
+    "rdata_ip": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Resource records of the queried resource. Mapped to MISP 'ip' address type. Valid for rrtypes (A, AAAA, A6, ...).",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "rdata_domain": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Resource records of the queried resource. Mapped to MISP 'domain' address type. Valid for rrtypes (CNAME, etc.).",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
    "rrname": {
      "categories": [
        "Network activity",
@ -37,6 +55,24 @@
      "misp-attribute": "text",
      "ui-priority": 1
    },
+    "rrname_domain": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'domain' type so that we can correlate.",
+      "misp-attribute": "domain",
+      "ui-priority": 1
+    },
+    "rrname_ip": {
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "description": "Resource Record name of the queried resource. Same as the field 'rrname', however already mapped to the MISP 'ip' type so that we can correlate. Note that this is only valid if 'rrtype' is 'PTR'.",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
    "rrtype": {
      "categories": [
        "Network activity",
@ -109,4 +145,4 @@
  ],
  "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c",
  "version": 3
-}
+}