From 8bb88fceafe16ab5784a1284564ef42e030bdb0b Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Sat, 7 Mar 2020 09:03:01 +0100
Subject: [PATCH 1/5] Objects for data coming from the Cytomic Orion API
---
 objects/cytomic_orion/definition.json | 65 +++++++++++
 objects/cytomic_orion_machine/definition.json | 101 ++++++++++++++++++
 2 files changed, 166 insertions(+)
 create mode 100755 objects/cytomic_orion/definition.json
 create mode 100755 objects/cytomic_orion_machine/definition.json
diff --git a/objects/cytomic_orion/definition.json b/objects/cytomic_orion/definition.json
new file mode 100755
index 0000000..f5788ee
--- /dev/null
+++ b/objects/cytomic_orion/definition.json
@@ -0,0 +1,65 @@
+{
+ "required": [
+
+ ],
+ "attributes": {
+ "fileName": {
+ "description": "Original filename",
+ "ui-priority": 9,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "filename"
+ },
+ "fileSize": {
+ "description": "Size of the file",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "size-in-bytes"
+ },
+ "classification": {
+ "description": "File classification - number",
+ "to_ids": false,
+ "ui-priority": 2,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "classificationName": {
+ "description": "File classification",
+ "to_ids": false,
+ "ui-priority": 1,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "firstSeen": {
+ "description": "First seen timestamp of the file",
+ "to_ids": false,
+ "ui-priority": 3,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ },
+ "lastSeen": {
+ "description": "Last seen timestamp of the file",
+ "to_ids": false,
+ "ui-priority": 4,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 6,
+ "description": "Cytomic Orion File Detection",
+ "meta-category": "misc",
+ "uuid": "0ad86572-ba38-4baf-9fed-1926e9ecc916",
+ "name": "cytomic-orion-file"
+}
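Review bot: `fileName` is the only attribute in this hunk without an explicit `"to_ids"`, so whether a filename reported by the Orion API ends up in IDS exports is left to the type default for `filename` (which, as far as I recall, is enabled in MISP); a filename taken from a detection feed is a weak indicator, so add `"to_ids": false,` next to its `"ui-priority": 9,` as every other attribute here does. With `"required"` empty and no `requiredOneOf`, an object carrying nothing but `fileSize` validates; a `"requiredOneOf": ["fileName", "classification"]` list would keep the object meaningful. `firstSeen` and `lastSeen` are described as timestamps but the descriptions do not say which timezone the API reports them in; state it in the description so the `datetime` values are not mis-normalised on import.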
diff --git a/objects/cytomic_orion_machine/definition.json b/objects/cytomic_orion_machine/definition.json
new file mode 100755
index 0000000..ab6098f
--- /dev/null
+++ b/objects/cytomic_orion_machine/definition.json
@@ -0,0 +1,101 @@
+{
+ "required": [
+ "machineName"
+ ],
+ "attributes": {
+ "machineName": {
+ "description": "Machine name",
+ "ui-priority": 9,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "target-machine"
+ },
+ "machineMuid": {
+ "description": "Machine UID",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "clientName": {
+ "description": "Client name",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "target-org"
+ },
+ "clientId": {
+ "description": "Client id",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "machinePath": {
+ "description": "Path of observable",
+ "to_ids": false,
+ "ui-priority": 2,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "text"
+ },
+ "machineFirstSeen": {
+ "description": "First seen on machine",
+ "to_ids": false,
+ "ui-priority": 3,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ },
+ "machineLastSeen": {
+ "description": "Last seen on machine",
+ "to_ids": false,
+ "ui-priority": 4,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ },
+ "clientCreationDateUTC": {
+ "description": "Client creation date UTC",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ },
+ "creationDate": {
+ "description": "Client creation date",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ },
+ "lastSeenUtc": {
+ "description": "Client last seen UTC",
+ "to_ids": false,
+ "ui-priority": 0,
+ "categories": [
+ "Other"
+ ],
+ "misp-attribute": "datetime"
+ }
+ },
+ "version": 3,
+ "description": "Cytomic Orion File at Machine Detection",
+ "meta-category": "misc",
+ "uuid": "e0e46343-43fd-4ce7-b447-51381402c774",
+ "name": "cytomic-orion-machine"
+}
From bbac01aa1b73aae055999c56d7f29dc85616796f Mon Sep 17 00:00:00 2001
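Review bot: The timestamp attributes mix timezone conventions: `clientCreationDateUTC` and `lastSeenUtc` carry a UTC suffix in two different spellings, while `creationDate` ("Client creation date") carries none, so a consumer cannot tell whether it is the local-time twin of `clientCreationDateUTC` or a different value from the API. State the timezone in each `datetime` description, for instance `"description": "Client creation date (local time as returned by the API)"` if that is what Orion reports (to be confirmed against the API), and settle on one suffix spelling for the attribute names. `creationDate` is also the only timestamp not prefixed with `machine` or `client`, which leaves it unclear which entity it belongs to; `clientCreationDate` would match its neighbours. `machinePath` is described as "Path of observable" but is mapped to `text`; if it holds a filesystem path a more specific description (and whether it is absolute) would help analysts correlate it with the file object.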
From: Koen Van Impe
Date: Sat, 7 Mar 2020 09:24:51 +0100
Subject: [PATCH 2/5] Fix with jq_all_the_things
---
 objects/cytomic_orion/definition.json | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/objects/cytomic_orion/definition.json b/objects/cytomic_orion/definition.json
index f5788ee..955933a 100755
--- a/objects/cytomic_orion/definition.json
+++ b/objects/cytomic_orion/definition.json
@@ -1,7 +1,5 @@
 {
- "required": [
-
- ],
+ "required": [],
 "attributes": {
 "fileName": {
 "description": "Original filename",
From bffae90c3dd056922ed69510ceb46f4f1bb52bf9 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Sat, 7 Mar 2020 09:28:43 +0100
Subject: [PATCH 3/5] Remove -x from JSON files
---
 objects/cytomic_orion/definition.json | 0
 objects/cytomic_orion_machine/definition.json | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 mode change 100755 => 100644 objects/cytomic_orion/definition.json
 mode change 100755 => 100644 objects/cytomic_orion_machine/definition.json
diff --git a/objects/cytomic_orion/definition.json b/objects/cytomic_orion/definition.json
old mode 100755
new mode 100644
diff --git a/objects/cytomic_orion_machine/definition.json b/objects/cytomic_orion_machine/definition.json
old mode 100755
new mode 100644
From ecac7ea52a63d2c534714f73bca43ba73ed4b6e6 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Mon, 9 Mar 2020 23:26:25 +0100
Subject: [PATCH 4/5] Update object definition with first-|last- seen
---
 objects/cytomic_orion/definition.json | 10 ++++++----
 objects/cytomic_orion_machine/definition.json | 6 +++---
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/objects/cytomic_orion/definition.json b/objects/cytomic_orion/definition.json
index 955933a..04527b3 100644
--- a/objects/cytomic_orion/definition.json
+++ b/objects/cytomic_orion/definition.json
@@ -1,5 +1,7 @@
 {
- "required": [],
+ "required": [
+
+ ],
 "attributes": {
 "fileName": {
 "description": "Original filename",
@@ -36,7 +38,7 @@
 ],
 "misp-attribute": "text"
 },
- "firstSeen": {
+ "first-seen": {
 "description": "First seen timestamp of the file",
 "to_ids": false,
 "ui-priority": 3,
@@ -45,7 +47,7 @@
 ],
 "misp-attribute": "datetime"
 },
- "lastSeen": {
+ "last-seen": {
 "description": "Last seen timestamp of the file",
 "to_ids": false,
 "ui-priority": 4,
@@ -55,7 +57,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 6,
+ "version": 7,
 "description": "Cytomic Orion File Detection",
 "meta-category": "misc",
 "uuid": "0ad86572-ba38-4baf-9fed-1926e9ecc916",
diff --git a/objects/cytomic_orion_machine/definition.json b/objects/cytomic_orion_machine/definition.json
index ab6098f..5a25dd7 100644
--- a/objects/cytomic_orion_machine/definition.json
+++ b/objects/cytomic_orion_machine/definition.json
@@ -47,7 +47,7 @@
 ],
 "misp-attribute": "text"
 },
- "machineFirstSeen": {
+ "first-seen": {
 "description": "First seen on machine",
 "to_ids": false,
 "ui-priority": 3,
@@ -56,7 +56,7 @@
 ],
 "misp-attribute": "datetime"
 },
- "machineLastSeen": {
+ "last-seen": {
 "description": "Last seen on machine",
 "to_ids": false,
 "ui-priority": 4,
@@ -93,7 +93,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Cytomic Orion File at Machine Detection",
 "meta-category": "misc",
 "uuid": "e0e46343-43fd-4ce7-b447-51381402c774",
From 2c584706542f5e84f73c58bf32deacd051bac978 Mon Sep 17 00:00:00 2001
From: Koen Van Impe
Date: Mon, 9 Mar 2020 23:29:29 +0100
Subject: [PATCH 5/5] JQ-all-the-things
---
 objects/cytomic_orion/definition.json | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/objects/cytomic_orion/definition.json b/objects/cytomic_orion/definition.json
index 04527b3..050506c 100644
--- a/objects/cytomic_orion/definition.json
+++ b/objects/cytomic_orion/definition.json
@@ -1,7 +1,5 @@
 {
- "required": [
-
- ],
+ "required": [],
 "attributes": {
 "fileName": {
 "description": "Original filename",