From 3d12addd56d6e5d00cddcc19cb8a788e7f90c46c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 16 Feb 2024 16:10:04 +0100 Subject: [PATCH 01/39] fix: [relationships] updated --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 396a626..e7d2203 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1751,4 +1751,4 @@ } ], "version": 41 -} +} \ No newline at end of file From 173af552aa2d18f47c02cfdb873fbff9daa3cb0c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 5 Mar 2024 08:59:45 +0100 Subject: [PATCH 02/39] chg: [person/organization] `impersonated` added to the role of person and organization templates Thanks to NRC Cyber Security for the idea. --- objects/organization/definition.json | 5 +++-- objects/person/definition.json | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/objects/organization/definition.json b/objects/organization/definition.json index 5b6faeb..ca3fd9c 100644 --- a/objects/organization/definition.json +++ b/objects/organization/definition.json @@ -79,7 +79,8 @@ "Source", "Originator", "Informant", - "Emitter" + "Emitter", + "Impersonated" ] }, "sector": { @@ -138,5 +139,5 @@ "alias" ], "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a", - "version": 6 + "version": 7 } \ No newline at end of file diff --git a/objects/person/definition.json b/objects/person/definition.json index c34a977..295d9a7 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json @@ -223,7 +223,8 @@ "Source", "Originator", "Informant", - "Emitter" + "Emitter", + "Impersonated" ] }, "social-security-number": { @@ -255,5 +256,5 @@ "handle" ], "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", - "version": 19 + "version": 20 } \ No newline at end of file From a367c43eb9da32c0affa49100b9d5117d4ca8ff6 Mon Sep 17 00:00:00 2001 
From: Christos Arvanitis Date: Tue, 5 Mar 2024 11:22:17 +0100 Subject: [PATCH 03/39] Disable correlation for IntelMQ time fields --- objects/intelmq_event/definition.json | 2 ++ objects/intelmq_report/definition.json | 1 + 2 files changed, 3 insertions(+) diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json index 5c7b124..1ec6040 100644 --- a/objects/intelmq_event/definition.json +++ b/objects/intelmq_event/definition.json @@ -405,11 +405,13 @@ }, "time.observation": { "description": "The time the collector of the local instance processed (observed) the event.", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, "time.source": { "description": "The time of occurence of the event as reported the feed (source).", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 }, diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json index bb428ad..8630d2e 100644 --- a/objects/intelmq_report/definition.json +++ b/objects/intelmq_report/definition.json @@ -47,6 +47,7 @@ }, "time.observation": { "description": "The time the collector of the local instance processed (observed) the event.", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 1 } From c72ec740700c43982a26b2e5bc799a7157537230 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Mar 2024 07:24:37 +0100 Subject: [PATCH 04/39] fix: [cs-beacon-config] Partial info from CS beacon are possible Fix #417 - Thanks to @sebdraven --- objects/cs-beacon-config/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json index bddffb6..48c8111 100644 --- a/objects/cs-beacon-config/definition.json +++ b/objects/cs-beacon-config/definition.json 
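Review bot: Neither intelmq_event nor intelmq_report gets a `version` increment in this commit (the diffstat shows 3 insertions and 0 deletions), while the other template edits in this series (patches 02, 04 and 05) bump `version` together with the change. MISP uses that counter to decide whether an installed template is stale, so the added `disable_correlation` flags are unlikely to reach instances that already have these templates until the number changes. The same omission appears in patches 07, 11 and 12. In each file, increment the existing `"version": N` line next to the template's `uuid` by one as part of the same hunk.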
@@ -104,7 +104,7 @@ "description": "Cobalt Strike Beacon Config", "meta-category": "file", "name": "cs-beacon-config", - "required": [ + "requiredOneOf": [ "jar-md5", "md5", "sha1", @@ -112,5 +112,5 @@ "watermark" ], "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54", - "version": 3 + "version": 4 } \ No newline at end of file From 9c03f6ab9da94469299fb5bca7c66dee98ae8b7e Mon Sep 17 00:00:00 2001 From: Sebastien Larinier Date: Thu, 7 Mar 2024 10:10:36 +0000 Subject: [PATCH 05/39] add software for cmd line and change type --- objects/command-line/definition.json | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/objects/command-line/definition.json b/objects/command-line/definition.json index f80dd52..b7b0239 100644 --- a/objects/command-line/definition.json +++ b/objects/command-line/definition.json @@ -1,20 +1,28 @@ { "attributes": { + "command_line": { + "description": "command code", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, "description": { "description": "description of the command", "misp-attribute": "text", "ui-priority": 1 }, - "value": { - "description": "command code", + "software": { + "description": "type of shell (bash,zsh,powershell,cmd.exe", "misp-attribute": "text", - "multiple": true, "ui-priority": 1 } }, "description": "Command line and options related to a specific command executed by a program, whether it is malicious or not.", "meta-category": "misc", "name": "command-line", + "required": [ + "command_line" + ], "uuid": "88ebe222-d3cc-11e9-875d-7f13f460adaf", - "version": 1 + "version": 2 } \ No newline at end of file From 53572fe294b13f7f6095be7631753be987287592 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier Date: Thu, 7 Mar 2024 10:12:21 +0000 Subject: [PATCH 06/39] fix typo of description --- objects/command-line/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
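Review bot: Renaming the `value` attribute to `command_line` in the command-line template is a breaking change for existing objects: they keep the same template `uuid` (`88ebe222-d3cc-11e9-875d-7f13f460adaf`) but now reference an attribute relation the template no longer defines, and only the `version` bump from 1 to 2 records that. If the rename is intended, say so in the commit message; otherwise keep `value` and only add `software`, which is what the subject line ("add software for cmd line") announces. The new name also mixes conventions — `command_line` uses an underscore while this file and the `pe` template in the same series hyphenate (`ui-priority`, `number-of-symbols`), so `command-line` would be the consistent choice.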
diff --git a/objects/command-line/definition.json b/objects/command-line/definition.json index b7b0239..cda1c1d 100644 --- a/objects/command-line/definition.json +++ b/objects/command-line/definition.json @@ -12,7 +12,7 @@ "ui-priority": 1 }, "software": { - "description": "type of shell (bash,zsh,powershell,cmd.exe", + "description": "type of shell (bash/sh,powershell,cmd.exe)", "misp-attribute": "text", "ui-priority": 1 } From acfef2f5e8b16daf6ef492f46d9d19055fd00a45 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier Date: Thu, 7 Mar 2024 12:02:23 +0000 Subject: [PATCH 07/39] change type of ans name --- objects/crowdsec-ip-context/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/crowdsec-ip-context/definition.json b/objects/crowdsec-ip-context/definition.json index a163cde..2d425c9 100644 --- a/objects/crowdsec-ip-context/definition.json +++ b/objects/crowdsec-ip-context/definition.json @@ -7,7 +7,7 @@ ], "description": "Autonomous system name", "disable_correlation": true, - "misp-attribute": "AS", + "misp-attribute": "text", "multiple": true, "ui-priority": 0 }, From c3f17d60604b3ebd9fd8ca03434d91924b7d4a96 Mon Sep 17 00:00:00 2001 From: goodlandsecurity Date: Fri, 15 Mar 2024 12:05:03 -0500 Subject: [PATCH 08/39] adding stairwell object --- objects/stairwell/definition.json | 87 +++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) create mode 100644 objects/stairwell/definition.json diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json new file mode 100644 index 0000000..4262674 --- /dev/null +++ b/objects/stairwell/definition.json 
@@ -0,0 +1,87 @@ +{ + "attributes": { + "entropy": { + "description": "Measure of the information contained in a object as opposed to the portion of the object that is determined (or predictable)", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 1 + }, + "environment": { + "description": "Stairwell environments that this object has been seen within", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "imphash": { + "description": "The Mandiant import hash (imphash) of the object", + "misp-attribute": "imphash", + "ui-priority": 0 + }, + "magic": { + "description": "Magic number as determined by yara rule based identification", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "malEval-probability": { + "description": "Confidence that the label applies on the object", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "malEval-severity": { + "description": "Severity of malware detected", + "misp-attribute": "comment", + "ui-priority": 0 + }, + "md5": { + "description": "The md5 hash signature of an object", + "misp-attribute": "md5", + "ui-priority": 1 + }, + "mime-type": { + "description": "MIME type as determined by yara rule based identification", + "disable_correlation": true, + "misp-attribute": "mime-type", + "ui-priority": 0 + }, + "sha1": { + "description": "The sha1 hash signature of an object", + "misp-attribute": "sha1", + "ui-priority": 1 + }, + "sha256": { + "description": "The sha256 hash signature of an object", + "misp-attribute": "sha256", + "ui-priority": 1 + }, + "size-in-bytes": { + "description": "The size of the file in bytes", + "disable_correlation": true, + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "stairwell-first-seen": { + "description": "The timestamp at which an object was first observed by Stairwell", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "tlsh": { + "description": "The TLSH of the object", + "misp-attribute": "tlsh", + "ui-priority": 0 + }, + 
"yara-rule-match": { + "description": "Stairwell yara rule resource names which have matched on this object", + "misp-attribute": "comment", + "ui-priority": 0 + } + }, + "description": "Stairwell leverages automated analysis, YARA rule libraries, shared malware feeds, privately run AV verdicts, static & dynamic analysis, malware unpacking, and variant discovery.", + "meta-category": "file", + "name": "stairwell", + "requiredOneOf": [ + "md5", + "sha1", + "sha256" + ], + "uuid": "113d31ab-6eea-46df-976c-e955c369acd2", + "version": 1 +} \ No newline at end of file From 11bf472d8e93a4d5cbc75842a4c63b3cc6bc7e63 Mon Sep 17 00:00:00 2001 From: goodlandsecurity Date: Fri, 15 Mar 2024 13:52:09 -0500 Subject: [PATCH 09/39] forgot multiple flag on two attributes --- objects/stairwell/definition.json | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json index 4262674..8945a8d 100644 --- a/objects/stairwell/definition.json +++ b/objects/stairwell/definition.json @@ -9,6 +9,7 @@ "environment": { "description": "Stairwell environments that this object has been seen within", "misp-attribute": "comment", + "multiple": true, "ui-priority": 0 }, "imphash": { @@ -71,6 +72,7 @@ "yara-rule-match": { "description": "Stairwell yara rule resource names which have matched on this object", "misp-attribute": "comment", + "multiple": true "ui-priority": 0 } }, @@ -84,4 +86,4 @@ ], "uuid": "113d31ab-6eea-46df-976c-e955c369acd2", "version": 1 -} \ No newline at end of file +} From fac453a24711f92226a9c2c3d549b188a80dcd3e Mon Sep 17 00:00:00 2001 From: goodlandsecurity Date: Fri, 15 Mar 2024 14:04:07 -0500 Subject: [PATCH 10/39] fixed parse error --- objects/stairwell/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json index 8945a8d..bfb066e 100644 --- a/objects/stairwell/definition.json 
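Review bot: `stairwell-first-seen` is a `datetime` attribute without `disable_correlation`, so every object sharing a first-seen timestamp would correlate — exactly the behaviour patch 03 in this series switches off for the IntelMQ `time.*` fields; add `"disable_correlation": true,` to it as already done for `entropy` and `size-in-bytes`. The attribute names `malEval-probability` and `malEval-severity` mix camelCase into a file that is otherwise lowercase-hyphenated (`mime-type`, `yara-rule-match`); `maleval-probability` and `maleval-severity` would match. Both are typed `comment` although their descriptions say a confidence and a severity; if the Stairwell API returns a numeric confidence, `float` (as used for `entropy`) would let analysts filter on it — worth confirming against the API output before changing.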
+++ b/objects/stairwell/definition.json @@ -72,7 +72,7 @@ "yara-rule-match": { "description": "Stairwell yara rule resource names which have matched on this object", "misp-attribute": "comment", - "multiple": true + "multiple": true, "ui-priority": 0 } }, @@ -86,4 +86,4 @@ ], "uuid": "113d31ab-6eea-46df-976c-e955c369acd2", "version": 1 -} +} \ No newline at end of file From ab963cdb5b3e28d4b777555b3ea9cde0c799020f Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 16 Mar 2024 09:48:29 +0100 Subject: [PATCH 11/39] chg: [command-line] added sane_default --- objects/command-line/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/objects/command-line/definition.json b/objects/command-line/definition.json index cda1c1d..678a34f 100644 --- a/objects/command-line/definition.json +++ b/objects/command-line/definition.json @@ -1,7 +1,7 @@ { "attributes": { "command_line": { - "description": "command code", + "description": "command code line", "misp-attribute": "text", "multiple": true, "ui-priority": 1 @@ -14,6 +14,13 @@ "software": { "description": "type of shell (bash/sh,powershell,cmd.exe)", "misp-attribute": "text", + "sane_default": [ + "Shell", + "Bash", + "zsh", + "Powershell", + "cmd.exe" + ], "ui-priority": 1 } }, From d6af105b4537a8e91ae92d38c42b0e98f631c496 Mon Sep 17 00:00:00 2001 From: Sebastien Larinier Date: Mon, 18 Mar 2024 14:19:35 +0000 Subject: [PATCH 12/39] Add software impacted by exploit --- objects/exploit/definition.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/objects/exploit/definition.json b/objects/exploit/definition.json index f5d040d..5ad1028 100644 --- a/objects/exploit/definition.json +++ b/objects/exploit/definition.json @@ -82,6 +82,11 @@ "multiple": true, "ui-priority": 0 }, + "software": { + "description": "Software impacted", + "misp-attribute": "text", + "ui-priority": 10 + }, "title": { "description": "Title of the exploit.", "misp-attribute": "text", 
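Review bot: The `sane_default` list added to `software` mixes capitalisation — `"Shell"`, `"Bash"`, `"Powershell"` but `"zsh"` and `"cmd.exe"` — and it disagrees with the attribute's own description, which still reads `type of shell (bash/sh,powershell,cmd.exe)` and omits Shell and zsh. Pick one casing (the lowercase binary names `bash`, `sh`, `zsh`, `powershell`, `cmd.exe` are the least ambiguous when values are compared across events) and make the description enumerate the same set. The template `version` is not incremented in this hunk either (diffstat: 8 insertions, 1 deletion).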
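Review bot: The new `software` attribute in the exploit template uses `"ui-priority": 10`, whereas every other attribute on this page uses 0 or 1; if the intent is simply to display it, `"ui-priority": 1` matches the file's convention, and if 10 is deliberate it deserves a word in the commit message. `"Software impacted"` as free `text` leaves it open whether a version is expected; a description such as `"Software impacted by the exploit (product name and version when known)"` makes the values comparable across events. The template `version` is also not bumped here (5 insertions, 0 deletions).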
From b023d0a3de9648632f6f418543283ccd4265c8b2 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 29 Mar 2024 16:22:07 +0100 Subject: [PATCH 13/39] chg: [ddos] object type alone authorized if the source/target cannot be disclosed --- objects/ddos/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json index e43d181..9df4984 100644 --- a/objects/ddos/definition.json +++ b/objects/ddos/definition.json @@ -156,8 +156,9 @@ "requiredOneOf": [ "ip-dst", "ip-src", - "domain-dst" + "domain-dst", + "type" ], "uuid": "e2f124d6-f57c-4f93-99e6-8450545fa05d", - "version": 9 + "version": 10 } \ No newline at end of file From ad952beb603fff3968402c44fa0a54775f69055b Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Tue, 2 Apr 2024 21:21:38 +0200 Subject: [PATCH 14/39] add: [pe] Added some PE fields as available with `lief` API --- objects/pe/definition.json | 32 +++++++++++++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index ae89b65..129c2d4 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -5,6 +5,12 @@ "misp-attribute": "authentihash", "ui-priority": 1 }, + "characteristics": { + "description": "The characteristics that indicate the attributes of the file", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, "company-name": { "description": "CompanyName in the resources", "disable_correlation": true, 
@@ -68,6 +74,18 @@ "misp-attribute": "text", "ui-priority": 0 }, + "machine-type": { + "description": "Type of machine", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, + "number-of-symbols": { + "description": "Number of entries in the symbol table", + "disable_correlation": true, + "misp-attribute": "counter", + "ui-priority": 0 + }, "number-sections": { "description": "Number of sections", "disable_correlation": true, @@ -85,6 +103,12 @@ "misp-attribute": "pehash", "ui-priority": 0 }, + "pointer-to-symbol-table": { + "description": "The file offset of the COFF symbol table.", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, "product-name": { "description": "ProductName in the resources", "disable_correlation": true, @@ -103,6 +127,12 @@ "multiple": true, "ui-priority": 0 }, + "size-of-optional-header": { + "description": "Size of the optional header and the data directories which follow this header", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 0 + }, "text": { "description": "Free text value to attach to the PE", "disable_correlation": true, @@ -136,5 +166,5 @@ "impfuzzy" ], "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", - "version": 7 + "version": 8 } \ No newline at end of file From eb1536f5052e17cdb8e53afeadd305264703eda9 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 3 Apr 2024 11:19:16 +0200 Subject: [PATCH 15/39] chg: [pe] Added `characteristics` & `machine-type` enumerations - Characteristics are usually in a list, so we have now both the list of characteristics with their name, and the hex value of the addition of all the characteristics numeric values - We represent the machine type with its name --- objects/pe/definition.json | 50 +++++++++++++++++++++++++++++++++++++- 1 file changed, 49 insertions(+), 1 deletion(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 129c2d4..82c6ead 100644 
--- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -8,6 +8,30 @@ "characteristics": { "description": "The characteristics that indicate the attributes of the file", "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_defaults": [ + "AGGRESSIVE_WS_TRIM", + "BYTES_REVERSED_HI", + "BYTES_REVERSED_LO", + "DEBUG_STRIPPED", + "DLL", + "EXECUTABLE_IMAGE", + "LARGE_ADDRESS_AWARE", + "LINE_NUMS_STRIPPED", + "LOCAL_SYMS_STRIPPED", + "NEED_32BIT_MACHINE", + "NET_RUN_FROM_SWAP", + "RELOCS_STRIPPED", + "REMOVABLE_RUN_FROM_SWAP", + "SYSTEM", + "UP_SYSTEM_ONLY" + ], + "ui-priority": 0 + }, + "characteristics_hex": { + "description": "The characteristics in a single hex value", + "disable_correlation": true, "misp-attribute": "hex", "ui-priority": 0 }, @@ -77,7 +101,31 @@ "machine-type": { "description": "Type of machine", "disable_correlation": true, - "misp-attribute": "hex", + "misp-attribute": "text", + "sane_default": [ + "AM33", + "AMD64", + "ARM", + "ARM64", + "ARMNT", + "EBC", + "I386", + "IA64", + "M32R", + "MIPS16", + "MIPSFPU", + "MIPSFPU16", + "POWERPC", + "POWERPCFP", + "R4000", + "SH3", + "SH3DSP", + "SH4", + "SH5", + "THUMB", + "UNKNOWN", + "WCEMIPSV2" + ], "ui-priority": 0 }, "number-of-symbols": { From e042ac127a3c7aa71c44962a1b0f2385f3922f72 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 3 Apr 2024 13:31:32 +0200 Subject: [PATCH 16/39] chg: [pe] Using the new `integer` attribute type --- objects/pe/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 82c6ead..578e0d4 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json 
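Review bot: The new `characteristics_hex` attribute uses an underscore while every other attribute in the pe template is hyphenated (`company-name`, `machine-type`, `number-of-symbols`), so it should be `characteristics-hex`. Its description, `The characteristics in a single hex value`, does not say that the value is the combination of the flags listed under `characteristics`; the commit message does, so carry that into the file, e.g. `"description": "All characteristics flags combined into a single hex value (the COFF Characteristics field)"`. The enclosing `attributes` object starts and ends outside this hunk.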
@@ -131,13 +131,13 @@ "number-of-symbols": { "description": "Number of entries in the symbol table", "disable_correlation": true, - "misp-attribute": "counter", + "misp-attribute": "integer", "ui-priority": 0 }, "number-sections": { "description": "Number of sections", "disable_correlation": true, - "misp-attribute": "counter", + "misp-attribute": "integer", "ui-priority": 0 }, "original-filename": { @@ -178,7 +178,7 @@ "size-of-optional-header": { "description": "Size of the optional header and the data directories which follow this header", "disable_correlation": true, - "misp-attribute": "float", + "misp-attribute": "integer", "ui-priority": 0 }, "text": { From b45d872424f7cb2c1e858172034fd6e6afcbe757 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 3 Apr 2024 13:55:19 +0200 Subject: [PATCH 17/39] chg: [schema] add the new 'integer' attribute type in the JSON schema --- schema_objects.json | 1 + 1 file changed, 1 insertion(+) diff --git a/schema_objects.json b/schema_objects.json index 5a66390..7095137 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -127,6 +127,7 @@ "identity-card-number", "impfuzzy", "imphash", + "integer", "ip-dst", "ip-dst|port", "ip-src", From 2afdb6104bc9b049fe07e43a0d39a56b3abdcffc Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 3 Apr 2024 14:08:17 +0200 Subject: [PATCH 18/39] fix: [pe] `counter` makes more sense here --- objects/pe/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 578e0d4..56c828b 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json 
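Review bot: Patch 16 switches three pe attributes to the `integer` type one commit before patch 17 adds `integer` to the allowed types in `schema_objects.json`, so the template would fail schema validation at the intermediate commit if the schema is enforced in CI; ordering the schema change first, or squashing the two, keeps every commit validating. Patch 18 then moves `number-of-symbols` and `number-sections` back to `counter` and patch 20 moves `size-of-optional-header` to `size-in-bytes`, which appears to leave no pe attribute on the new type; worth confirming that another template needs `integer` before keeping the schema entry.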
@@ -131,13 +131,13 @@ "number-of-symbols": { "description": "Number of entries in the symbol table", "disable_correlation": true, - "misp-attribute": "integer", + "misp-attribute": "counter", "ui-priority": 0 }, "number-sections": { "description": "Number of sections", "disable_correlation": true, - "misp-attribute": "integer", + "misp-attribute": "counter", "ui-priority": 0 }, "original-filename": { From d905c0803133d71086c13a4bf8a4633f2537181b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 3 Apr 2024 14:29:36 +0200 Subject: [PATCH 19/39] fix: [pe] typo fixed --- objects/pe/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 56c828b..31bb1a4 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -10,7 +10,7 @@ "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "sane_defaults": [ + "sane_default": [ "AGGRESSIVE_WS_TRIM", "BYTES_REVERSED_HI", "BYTES_REVERSED_LO", @@ -214,5 +214,5 @@ "impfuzzy" ], "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", - "version": 8 + "version": 9 } \ No newline at end of file From fba223520a82296397c755fe643eada4e16536f1 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 3 Apr 2024 14:37:55 +0200 Subject: [PATCH 20/39] fix: [pe] Sizes in the PE format should be in bytes --- objects/pe/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 56c828b..c6cb97a 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -178,7 +178,7 @@ "size-of-optional-header": { "description": "Size of the optional header and the data directories which follow this header", "disable_correlation": true, - "misp-attribute": "integer", + "misp-attribute": "size-in-bytes", "ui-priority": 0 }, "text": { From 980ab615ecf21ab3e602a592290c9d218f7955e8 Mon Sep 17 00:00:00 2001 
From: Christian Studer Date: Wed, 3 Apr 2024 17:32:47 +0200 Subject: [PATCH 21/39] add: [pe-optional-header] New object template for PE optional headers --- objects/pe-optional-header/definition.json | 217 +++++++++++++++++++++ 1 file changed, 217 insertions(+) create mode 100644 objects/pe-optional-header/definition.json diff --git a/objects/pe-optional-header/definition.json b/objects/pe-optional-header/definition.json new file mode 100644 index 0000000..646ec32 --- /dev/null +++ b/objects/pe-optional-header/definition.json 
@@ -0,0 +1,217 @@ +{ + "attributes": { + "address_of_entrypoint": { + "description": "The address of the entry point relative to the image base when the executable file is loaded into memory", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 1 + }, + "base_of_code": { + "description": "Address relative to the imagebase where the binary's code starts", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "base_of_data": { + "description": "Address relative to the imagebase where the binary's data starts", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "checksum": { + "description": "The image file checksum", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, + "dll_characteristics": { + "description": "Some characteristics of the underlying binary", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "APPCONTAINER", + "DYNAMIC_BASE", + "FORCE_INTEGRITY", + "GUARD_CF", + "HIGH_ENTROPY_VA", + "NO_BIND", + "NO_ISOLATION", + "NO_SEH", + "NX_COMPAT", + "TERMINAL_SERVER_AWARE", + "WDM_DRIVER" + ], + "ui-priority": 0 + }, + "dll_characteristics_hex": { + "description": "The DLL characteristics in a single hex value", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, + "file_alignment": { + "description": "The alignment factor (in bytes) that is used to align the raw data of sections in the image file", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "image_base": { + "description": "The preferred base address when mapping the binary in memory", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "loader_flags": { + "description": "According to the PE specifications, this value is reserved and should be 0", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, + "magic": { + 
"description": "Magic value (PE_TYPE) that identifies a PE32 from a PE64", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + }, + "major_image_version": { + "description": "The major version number of the image", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "major_linker_version": { + "description": "The linker major version number", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "major_os_version": { + "description": "The major version number of the required operating system", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "major_subsystem_version": { + "description": "The major version number of the subsystem", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "minor_image_version": { + "description": "The minor version number of the image", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "minor_linker_version": { + "description": "The linker minor version number", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "minor_os_version": { + "description": "The minor version number of the required operating system", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "minor_subsystem_version": { + "description": "The minor version number of the subsystem", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "number_of_rva_and_size": { + "description": "The number of DataDirectory that follow this header", + "disable_correlation": true, + "misp-attribute": "integer", + "ui-priority": 0 + }, + "section_alignment": { + "description": "The alignment (in bytes) of sections when they are loaded into memory. 
It must be greater than or equal to file_alignment and the default is the page size for the architecture", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_code": { + "description": "The size of the code .text section or the sum of all the sections that contain code", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_headers": { + "description": "The combined size of an MS-DOS stub, PE header, and section headers rounded up to a multiple of file_alignment", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_heap_commit": { + "description": "The size of the local heap space to commit", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_heap_reserve": { + "description": "The size of the local heap space to reserve", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_image": { + "description": "The size (in bytes) of the image, including all headers, as the image is loaded in memory", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_initialised_data": { + "description": "The size of the initialized data which are usually located in the .data section. If the initialized data are split across multiple sections, it is the sum of the sections", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_stack_commit": { + "description": "The size of the stack to commit", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_stack_reserve": { + "description": "The size of the stack to reserve", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "size_of_uninitialised_data": { + "description": "The size of the uninitialized data which are usually located in the .bss section. 
If the uninitialized data are split across multiple sections, it is the sum of the sections", + "misp-attribute": "size-in-bytes", + "ui-priority": 0 + }, + "subsystem": { + "description": "Target subsystem", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "EFI_APPLICATION", + "EFI_BOOT_SERVICE_DRIVER", + "EFI_ROM", + "EFI_RUNTIME_DRIVER", + "NATIVE", + "NATIVE_WINDOWS", + "OS2_CUI", + "POSIX_CUI", + "UNKNOWN", + "WINDOWS_BOOT_APPLICATION", + "WINDOWS_CE_GUI", + "WINDOWS_CUI", + "WINDOWS_GUI", + "XBOX" + ], + "ui-priority": 0 + }, + "win32_version_value": { + "description": "Specifies the reserved win32 version value (must be zero)", + "disable_correlation": true, + "misp-attribute": "hex", + "ui-priority": 0 + } + }, + "description": "Object describing a Portable Executable Optional Header", + "meta-category": "file", + "name": "pe-optional-header", + "requiredOneOf": [ + "address_of_entrypoint" + ], + "uuid": "ebde65ab-ce98-413d-a518-8f37bc79bcb9", + "version": 1 +} \ No newline at end of file From 5b95994bdd18065feca40cce1434b931f0cd65bd Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 3 Apr 2024 17:33:30 +0200 Subject: [PATCH 22/39] fix: [pe] Removing the `disable_correlation` flag for a `size-in-bytes` attribute type --- objects/pe/definition.json | 1 - 1 file changed, 1 deletion(-) diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 0afbdd4..a4c0940 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -177,7 +177,6 @@ }, "size-of-optional-header": { "description": "Size of the optional header and the data directories which follow this header", - "disable_correlation": true, "misp-attribute": "size-in-bytes", "ui-priority": 0 }, From e056c9c32f78be03df7702179155e42fc5349078 Mon Sep 17 00:00:00 2001 
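Review bot: The pe-optional-header attributes are snake_case (`address_of_entrypoint`, `size_of_code`) while the sibling `pe` template edited in this same series is hyphenated (`number-of-symbols`, `size-of-optional-header`), so two templates meant to be attached to the same file name the same kind of field differently; hyphenated names would match `pe` and `pe-section`. `base_of_data` is, as far as I recall, present only in PE32 optional headers and absent from PE32+, so its description should say the attribute may be missing for 64-bit images — worth confirming against the lief field. `dll_characteristics` is the attribute analysts will consult for hardening, so its description `Some characteristics of the underlying binary` could say so, e.g. `"DLL characteristics flags of the image, including the exploit-mitigation settings (NX_COMPAT, DYNAMIC_BASE, HIGH_ENTROPY_VA, GUARD_CF)"`. `requiredOneOf` with a single entry is equivalent to `required`; use `"required": ["address_of_entrypoint"]` unless further alternatives are planned.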
From: Christian Studer Date: Wed, 3 Apr 2024 17:37:51 +0200 Subject: [PATCH 23/39] add: [readme] Added `pe-optional-header` description --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 6834bde..c690614 100644 --- a/README.md +++ b/README.md @@ -315,6 +315,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/paste](https://github.com/MISP/misp-objects/blob/main/objects/paste/definition.json) - Paste or similar post from a website allowing to share privately or publicly posts. - [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata. - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable. +- [objects/pe-optional-header](https://github.com/MISP/misp-objects/blob/main/objects/pe-optional-header/definition.json) - Object describing the Optional Header of a Portable Executable. - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable. - [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks. - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity. From 4c661b774761abc6b5999daaf98ccc83ecff1b87 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 4 Apr 2024 16:45:33 +0200 Subject: [PATCH 24/39] new: [cert-pl-phishing] first draft of a template for the CERT.PL phishing system --- objects/cert-pl-phishing/definition.json | 42 ++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 objects/cert-pl-phishing/definition.json 
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
new file mode 100644
index 0000000..6f5c12a
--- /dev/null
+++ b/objects/cert-pl-phishing/definition.json
@@ -0,0 +1,42 @@
+{
+ "attributes": {
+ "favicon-mmh3": {
+ "description": "Favicon of the phishing url in Murmurhash3 format (base64).",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "html-structure": {
+ "description": "HTML tags defining the structure of the HTML page.",
+ "disable-correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "phash-dct-base64": {
+ "description": "pHash (DCT hash) - as described in https://github.com/thorn-oss/perception.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "truncated-hash-html-structure": {
+ "description": "Truncated hash value of the html-structure.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "url": {
+ "description": "Full URL of the phishing object.",
+ "misp-attribute": "url",
+ "ui-priority": 1
+ }
+ },
+ "description": "cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash",
+ "meta-category": "network",
+ "name": "cert-pl-phishing",
+ "requiredOneOf": [
+ "url",
+ "phash-dct-base64",
+ "html-structure",
+ "truncated-hash-html-structure",
+ "favicon-mmh3"
+ ],
+ "uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
+ "version": 1
+}
\ No newline at end of file
From ea4892144468cc5a61776d05157d3f09b4010f92 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 4 Apr 2024 16:48:33 +0200
Subject: [PATCH 25/39] chg: [cert-pl-phishing] fixed
---
 objects/cert-pl-phishing/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
index 6f5c12a..285d624 100644
--- a/objects/cert-pl-phishing/definition.json
+++ b/objects/cert-pl-phishing/definition.json
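Review bot: The `favicon-mmh3` description, `Favicon of the phishing url in Murmurhash3 format (base64)`, does not say what is hashed or how the value is written; if this is the common favicon fingerprint (MurmurHash3 computed over the base64-encoded favicon, written as a signed 32-bit integer) the description should state it, e.g. `"MurmurHash3 of the base64-encoded favicon, as used for favicon fingerprinting"`, since analysts will pivot on this value across events. The template `description` has a grammar slip, `as such phash` → `such as phash`, and names `partial-hash`, which is not an attribute of this template; the attribute is `truncated-hash-html-structure`. All four fingerprint attributes are typed `text`, which is reasonable when no dedicated type exists, but they then correlate on plain string equality, so the producer has to emit them in one canonical form (fixed case and encoding) for the correlation to be useful.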
@@ -7,7 +7,7 @@
 },
 "html-structure": {
 "description": "HTML tags defining the structure of the HTML page.",
- "disable-correlation": true,
+ "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
@@ -39,4 +39,4 @@
 ],
 "uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
 "version": 1
-}
\ No newline at end of file
+}
From dc52c10844cbed9e2f39f0429665b4f9b1caef3e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 4 Apr 2024 16:53:46 +0200 Subject: [PATCH 26/39] chg: [cert-pl-phishing] fixed --- objects/cert-pl-phishing/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cert-pl-phishing/definition.json b/objects/cert-pl-phishing/definition.json
index 285d624..50d7023 100644
--- a/objects/cert-pl-phishing/definition.json
+++ b/objects/cert-pl-phishing/definition.json
@@ -39,4 +39,4 @@
 ],
 "uuid": "4c37c9af-ca71-4365-bcfb-6393c22dd88e",
 "version": 1
-}
+}
\ No newline at end of file
From 661c71e35e5453c77102cc21833a6bfbd7ac1ec0 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Wed, 10 Apr 2024 11:13:16 +0200 Subject: [PATCH 27/39] add: [network-traffic] Generic Network Traffic object - Following the STIX 2.1 spec --- objects/network-traffic/definition.json | 108 ++++++++++++++++++++++++ 1 file changed, 108 insertions(+) create mode 100644 objects/network-traffic/definition.json
diff --git a/objects/network-traffic/definition.json b/objects/network-traffic/definition.json
new file mode 100644
index 0000000..b85d0c1
--- /dev/null
+++ b/objects/network-traffic/definition.json
@@ -0,0 +1,108 @@
+{
+ "attributes": {
+ "dst_bytes_count": {
+ "description": "Number of bytes sent from the destination to the source",
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "dst_hostname": {
+ "description": "Destination hostname of the network traffic",
+ "misp-attribute": "hostname",
+ "ui-priority": 1
+ },
+ "dst_ip": {
+ "description": "Destination IP address of the network traffic",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1
+ },
+ "dst_mac": {
+ "description": "Destination MAC address of the network traffic",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
+ "dst_packets": {
+ "description": "Number of packets sent from the destination to the source",
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "dst_port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Destination port of the nework connection",
+ "misp-attribute": "port",
+ "ui-priority": 1
+ },
+ "end_time": {
+ "description": "Time the network traffic ended",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "is_active": {
+ "description": "Indicates whether the network traffic is still ongoing. 
Must be False if the end_time attribute is present",
+ "misp-attribute": "boolean",
+ "ui-priority": 0
+ },
+ "protocols": {
+ "description": "Protocols observed in the network traffic",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "src_bytes_count": {
+ "description": "Number of bytes sent from the source to the destination",
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "src_hostname": {
+ "description": "Destination hostname of the network traffic",
+ "misp-attribute": "hostname",
+ "ui-priority": 1
+ },
+ "src_ip": {
+ "description": "Source IP address of the network traffic",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 1
+ },
+ "src_mac": {
+ "description": "Source MAC address of the network traffic",
+ "misp-attribute": "mac-address",
+ "ui-priority": 1
+ },
+ "src_packets": {
+ "description": "Number of packets sent from the source to the destination",
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "src_port": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Source port of the nework connection",
+ "misp-attribute": "port",
+ "ui-priority": 1
+ },
+ "start_time": {
+ "description": "Time the network traffic started",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ }
+ },
+ "description": "Generic network traffic that originates from a source and is addressed to a destination.",
+ "meta-category": "network",
+ "name": "network-traffic",
+ "requiredOneOf": [
+ "dst_hostname",
+ "dst_ip",
+ "dst_mac",
+ "dst_port",
+ "src_hostname",
+ "src_ip",
+ "src_mac",
+ "src_port"
+ ],
+ "uuid": "16290b18-9af5-4a43-b195-75fe1eef0c35",
+ "version": 1
+}
\ No newline at end of file
From 712ab7f10a6fe3e97f7a4ecff7ad8a8cf54e2aed Mon Sep 17 00:00:00 2001
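Review bot: `src_ip` is declared with `"misp-attribute": "ip-dst"` although it carries the source address; that mislabels the value for correlation and for any export that distinguishes direction, so it should read `"misp-attribute": "ip-src",`. In the same hunk `src_hostname` keeps the copy-pasted description "Destination hostname of the network traffic" (should be `Source hostname of the network traffic`), and both port descriptions spell "nework". The byte and packet counters and `start_time`/`end_time` correlate by default here, whereas the network-connection template touched later in this series carries `"disable_correlation": true` on its byte counters; counts and timestamps are weak pivots that produce noisy correlations, so adding that flag to those six attributes would keep the two templates consistent.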
From: Christian Studer Date: Thu, 11 Apr 2024 09:42:06 +0200 Subject: [PATCH 28/39] fix: [network-connection] Using the `size-in-bytes` attribute type for information expressed in bytes --- objects/network-connection/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
index 75a6567..ff0205d 100644
--- a/objects/network-connection/definition.json
+++ b/objects/network-connection/definition.json
@@ -13,7 +13,7 @@
 "dst-bytes-count": {
 "description": "Number of bytes sent from the source to the destination.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "dst-packets-count": {
@@ -116,7 +116,7 @@
 "src-bytes-count": {
 "description": "Number of bytes sent from the destination to the source.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "src-packets-count": {
@@ -147,5 +147,5 @@
 "community-id"
 ],
 "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
- "version": 6
+ "version": 7
 }
\ No newline at end of file
From b2de8dd7c701756c4f4abf848a773ddd669f3ba1 Mon Sep 17 00:00:00 2001 From: Christian Studer Date: Thu, 11 Apr 2024 12:04:55 +0200 Subject: [PATCH 29/39] chg: [network-traffic] Going for the `protocol` attribute in singular --- objects/network-traffic/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/network-traffic/definition.json b/objects/network-traffic/definition.json
index b85d0c1..2865355 100644
--- a/objects/network-traffic/definition.json
+++ b/objects/network-traffic/definition.json
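Review bot: The two descriptions left as context in these hunks look inverted relative to the attribute names: `dst-bytes-count` is described as bytes "sent from the source to the destination" and `src-bytes-count` as bytes "sent from the destination to the source", while the new network-traffic template in this series defines `dst_bytes_count` as bytes sent from the destination and `src_bytes_count` as bytes sent from the source. If the network-connection names are meant the same way, the two description strings should simply be swapped; if the current wording is intentional, a sentence in each description saying which direction the name denotes would stop consumers mapping between the two templates from flipping the counters. The retyping to `size-in-bytes` itself is correct and consistent with network-traffic.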
@@ -44,8 +44,8 @@
 "misp-attribute": "boolean",
 "ui-priority": 0
 },
- "protocols": {
- "description": "Protocols observed in the network traffic",
+ "protocol": {
+ "description": "Protocol observed in the network traffic",
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
From b5381a3105d42d9005d8b2b44bae0842972f591b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Apr 2024 14:27:54 +0200 Subject: [PATCH 30/39] chg: [relationships] `shares` relationship added Thanks to @gregWDumont for the feedback --- relationships/definition.json | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index e7d2203..e21b319 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -13,13 +13,21 @@
 "name": "derived-from"
 },
 {
- "description": "This relationship describes an object which executes another object",
+ "description": "This relationship describes an object which executes another object.",
 "format": [
 "misp"
 ],
 "name": "executes",
 "opposite": "executed-by"
 },
+ {
+ "description": "This relationship describes an object which shares another object.",
+ "format": [
+ "misp"
+ ],
+ "name": "shares",
+ "opposite": "shared-by"
+ },
 {
 "description": "The referenced source and target objects are semantically duplicates of each other.",
 "format": [
@@ -1750,5 +1758,5 @@
 "opposite": "acquires"
 }
 ],
- "version": 41
-}
\ No newline at end of file
+ "version": 42
+}
From 3de8faa15790e57908eadb5cb1b53ca408443506 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Apr 2024 16:52:04 +0200 Subject: [PATCH 31/39] fix: [relationships] newline --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index e21b319..aaaf064 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1759,4 +1759,4 @@
 }
 ],
 "version": 42
-}
+}
\ No newline at end of file
From a79ccb55fb61e5f9181790426a295c58a42bc429 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Apr 2024 16:53:57 +0200 Subject: [PATCH 32/39] chg: [doc] list updated --- README.md | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index c690614..e0c661b 100644
--- a/README.md
+++ b/README.md
@@ -134,6 +134,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
 - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
 - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
+- [objects/cert-pl-phishing](https://github.com/MISP/misp-objects/blob/main/objects/cert-pl-phishing/definition.json) - cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash.
 - [objects/cloth](https://github.com/MISP/misp-objects/blob/main/objects/cloth/definition.json) - Describes clothes a natural person wears.
 - [objects/coin-address](https://github.com/MISP/misp-objects/blob/main/objects/coin-address/definition.json) - An address used in a cryptocurrency.
 - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
@@ -300,6 +301,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/network-connection](https://github.com/MISP/misp-objects/blob/main/objects/network-connection/definition.json) - A local or remote network connection.
 - [objects/network-profile](https://github.com/MISP/misp-objects/blob/main/objects/network-profile/definition.json) - Elements that can be used to profile, pivot or identify a network infrastructure, including domains, ip and urls.
 - [objects/network-socket](https://github.com/MISP/misp-objects/blob/main/objects/network-socket/definition.json) - Network socket object describes a local or remote network connections based on the socket data structure.
+- [objects/network-traffic](https://github.com/MISP/misp-objects/blob/main/objects/network-traffic/definition.json) - Generic network traffic that originates from a source and is addressed to a destination.
 - [objects/news-agency](https://github.com/MISP/misp-objects/blob/main/objects/news-agency/definition.json) - News agencies compile news and disseminate news in bulk.
 - [objects/news-media](https://github.com/MISP/misp-objects/blob/main/objects/news-media/definition.json) - News media are forms of mass media delivering news to the general public.
 - [objects/open-data-security](https://github.com/MISP/misp-objects/blob/main/objects/open-data-security/definition.json) - An object describing an open dataset available and described under the open data security model. ref. https://github.com/CIRCL/open-data-security.
@@ -315,7 +317,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/paste](https://github.com/MISP/misp-objects/blob/main/objects/paste/definition.json) - Paste or similar post from a website allowing to share privately or publicly posts.
 - [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata.
 - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable.
-- [objects/pe-optional-header](https://github.com/MISP/misp-objects/blob/main/objects/pe-optional-header/definition.json) - Object describing the Optional Header of a Portable Executable.
+- [objects/pe-optional-header](https://github.com/MISP/misp-objects/blob/main/objects/pe-optional-header/definition.json) - Object describing a Portable Executable Optional Header.
 - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable.
 - [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks.
 - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity.
@@ -390,6 +392,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/splunk](https://github.com/MISP/misp-objects/blob/main/objects/splunk/definition.json) - Splunk / Splunk ES object.
 - [objects/ss7-attack](https://github.com/MISP/misp-objects/blob/main/objects/ss7-attack/definition.json) - SS7 object of an attack as seen on the SS7 signaling protocol supporting GSM/GPRS/UMTS networks.
 - [objects/ssh-authorized-keys](https://github.com/MISP/misp-objects/blob/main/objects/ssh-authorized-keys/definition.json) - An object to store ssh authorized keys file.
+- [objects/stairwell](https://github.com/MISP/misp-objects/blob/main/objects/stairwell/definition.json) - Stairwell leverages automated analysis, YARA rule libraries, shared malware feeds, privately run AV verdicts, static & dynamic analysis, malware unpacking, and variant discovery.
 - [objects/stix2-pattern](https://github.com/MISP/misp-objects/blob/main/objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
 - [objects/stock](https://github.com/MISP/misp-objects/blob/main/objects/stock/definition.json) - Object to describe stock market.
 - [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description.
@@ -498,11 +501,12 @@ The MISP objects (JSON files) are dual-licensed under: or ~~~~ - Copyright (c) 2016-2023 Alexandre Dulaunoy - a@foo.be - Copyright (c) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg - Copyright (c) 2016-2023 Andras Iklody - Copyright (c) 2016-2023 Raphael Vinot - Copyright (c) 2016-2023 Various contributors to MISP Project + Copyright (c) 2016-2024 Alexandre Dulaunoy - a@foo.be + Copyright (c) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg + Copyright (c) 2016-2024 Andras Iklody + Copyright (c) 2016-2024 Raphael Vinot + Copyright (c) 2016-2024 Christian Studer + Copyright (c) 2016-2024 Various contributors to MISP Project Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: @@ -532,9 +536,9 @@ If a specific author of a taxonomy wants to license it under a different license ~~~~ -Copyright (C) 2016-2023 Andras Iklody -Copyright (C) 2016-2023 Alexandre Dulaunoy -Copyright (C) 2016-2023 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2024 Andras Iklody +Copyright (C) 2016-2024 Alexandre Dulaunoy +Copyright (C) 2016-2024 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by From 07c6888b3c779d2be00c2d6cae00fcda1986cfa0 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 11 Apr 2024 17:44:39 +0200 Subject: [PATCH 33/39] fix: [relatonships] because mirrors are great --- relationships/definition.json | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index aaaf064..a4523d9 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
@@ -28,6 +28,14 @@
 "name": "shares",
 "opposite": "shared-by"
 },
+ {
+ "description": "This relationship describes an object which was shared by another object.",
+ "format": [
+ "misp"
+ ],
+ "name": "shared-by",
+ "opposite": "shares"
+ },
 {
 "description": "The referenced source and target objects are semantically duplicates of each other.",
 "format": [
@@ -1758,5 +1766,5 @@
 "opposite": "acquires"
 }
 ],
- "version": 42
+ "version": 43
 }
\ No newline at end of file
From 8fe87ab6bce3b60596d358793d755c26f401a927 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 12 Apr 2024 08:07:44 +0200 Subject: [PATCH 34/39] new: [gpf] Added Generalizing Persuasion Framework --- .../definition.json | 107 ++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 objects/generalizing-persuasion-framework/definition.json
diff --git a/objects/generalizing-persuasion-framework/definition.json b/objects/generalizing-persuasion-framework/definition.json
new file mode 100644
index 0000000..025fac6
--- /dev/null
+++ b/objects/generalizing-persuasion-framework/definition.json
@@ -0,0 +1,107 @@
+{
+ "attributes": {
+ "actors_receiver": {
+ "description": "Assessments across weighted dimensions. Effort, motivation, prior attitudes",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "actors_speaker": {
+ "description": "Types (e.g., elites, media, opinion leaders, friends/family). Motivations in crafting messages",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "outcomes_attitude": {
+ "description": "General evaluation of an object (where the 'object' is broadly construed).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 6
+ },
+ "outcomes_behavior": {
+ "description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ },
+ "outcomes_emotion": {
+ "description": "Can inform conscious evaluations or override them.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 8
+ },
+ "outcomes_identity": {
+ "description": "A dimension of evaluation. Often activated when threatened.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 9
+ },
+ "settings_competition": {
+ "description": "Number of speakers. Number of receivers. Observers.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "settings_culture": {
+ "description": "Shapes understandings of topics. Alters salience of different values.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 14
+ },
+ "settings_process": {
+ "description": "Threatening settings. 
Political (conflictual) settings versus deliberative settings",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 13
+ },
+ "settings_space": {
+ "description": "Attitude or behavioral change in one setting may not generalize to other settings.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 11
+ },
+ "settings_time": {
+ "description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 12
+ },
+ "treatments_medium": {
+ "description": "Alters frames, processing goals, and/or effort. Interactions with other persuasion variables.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 5
+ },
+ "treatments_message_content": {
+ "description": "Argument strength (and inadequacy). Framing and evaluations. Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 4
+ },
+ "treatments_topic": {
+ "description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ }
+ },
+ "description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. 
Second, it highlights the sources of variations that should be studied. (James N. Druckman)",
+ "meta-category": "misc",
+ "name": "Generalizing Persuasion Framework",
+ "uuid": "dc6cdc5f-17d7-4d7b-95fe-86478990c910",
+ "version": 1
+}
\ No newline at end of file
From 6e159a03b5bd98959ed5725ce32abc9b15f898e4 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 12 Apr 2024 08:18:42 +0200 Subject: [PATCH 35/39] chg: [readme] updated list of objects --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index e0c661b..f840cea 100644
--- a/README.md
+++ b/README.md
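Review bot: `"name": "Generalizing Persuasion Framework"` does not match the directory `objects/generalizing-persuasion-framework/` the file lives in, and the README entry generated for it later in this series links to `objects/Generalizing Persuasion Framework/definition.json`, a path that does not exist; the other templates added in this series (`cert-pl-phishing`, `network-traffic`) use the directory name as `name`, so `"name": "generalizing-persuasion-framework",` would keep that convention and the generated links valid. The template-level description is a quotation about the framework's academic purpose rather than a statement of this object's scope and use-cases (what an analyst records with it, e.g. the speakers, messages and settings of an influence campaign), and the source is reduced to "(James N. Druckman)"; the repository's own contribution guideline asks for a reference to the mapped format, so a title or URL of the paper belongs in the description. As far as I can see the template declares neither `required` nor `requiredOneOf`, so nothing prevents an object with no attributes; if at least one dimension should always be present, a `requiredOneOf` list would express it.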
@@ -153,7 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
 - [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
 - [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search.
-- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
+- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
 - [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys.
 - [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction.
 - [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config.
@@ -169,7 +169,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
 - [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time.
 - [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame.
-- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
+- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report.
 - [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format.
 - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format.
 - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
@@ -246,6 +246,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
 - [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
 - [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
+- [objects/Generalizing Persuasion Framework](https://github.com/MISP/misp-objects/blob/main/objects/Generalizing Persuasion Framework/definition.json) - By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman).
 - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
@@ -473,7 +474,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is
 - Add a description in the object template explaining the scope and use-cases of your object templates
 - If the object is the mapping of an existing format, add a reference into the description of the object template
 - `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
-- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
+- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
 - Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
 ## MISP objects documentation
From 223b7342d8bb7f70fd881b93e066ac61bb2d2f54 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 12 Apr 2024 10:22:53 +0200 Subject: [PATCH 36/39] chg: [news-media] add governmental communication and also news agency source (including alert type) --- objects/news-media/definition.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/objects/news-media/definition.json b/objects/news-media/definition.json
index a1d4e32..f4eccbd 100644
--- a/objects/news-media/definition.json
+++ b/objects/news-media/definition.json
@@ -88,6 +88,8 @@
 "Pressure Group",
 "Staging",
 "Trade Site",
+ "Governmental Communication",
+ "Alert",
 "Other"
 ]
 },
@@ -117,6 +119,8 @@
 "Radio (Online)",
 "Podcast",
 "Alternative Media",
+ "Governmental",
+ "News agency",
 "Other"
 ],
 "ui-priority": 1
@@ -146,5 +150,5 @@
 "attachment"
 ],
 "uuid": "691463c5-5302-4847-9bec-4c56ccfec677",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
From 2fe584ca6f8ff78312eaceee113550c7d9e9515c Mon Sep 17 00:00:00 2001
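Review bot: `"News agency",` in the second news-media hunk breaks the Title Case used by every neighbouring value in that list (`"Alternative Media"`, `"Radio (Online)"`) and by the values added in the first hunk (`"Governmental Communication"`); these strings are the stored values that filters and exports match verbatim, so the casing should be settled before the template ships, e.g. `"News Agency",`. The values are appended before `"Other"` in both lists, which keeps the existing ordering convention, so nothing else in the hunks stands out.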
From: Christian Studer Date: Sat, 13 Apr 2024 12:24:58 +0200 Subject: [PATCH 37/39] fix: Changed a few attribute types in different template --- objects/abuseipdb/definition.json | 2 +- objects/concordia-mtmf-intrusion-set/definition.json | 6 +++--- objects/covid19-csse-daily-report/definition.json | 4 ++-- objects/ddos/definition.json | 8 ++++---- objects/diamond/definition.json | 2 +- objects/imsi-catcher/definition.json | 2 +- objects/intelmq_event/definition.json | 6 +++--- objects/intelmq_report/definition.json | 2 +- objects/mactime-timeline-analysis/definition.json | 2 +- objects/netflow/definition.json | 6 +++--- objects/network-socket/definition.json | 4 ++-- objects/paloalto-threat-event/definition.json | 4 ++-- objects/probabilistic-data-structure/definition.json | 6 +++--- objects/r2graphity/definition.json | 6 +++--- objects/scrippsco2-c13-daily/definition.json | 2 +- objects/scrippsco2-co2-daily/definition.json | 2 +- objects/scrippsco2-o18-daily/definition.json | 2 +- objects/sigmf-expanded-recording/definition.json | 4 ++-- objects/submarine/definition.json | 10 +++++----- 19 files changed, 40 insertions(+), 40 deletions(-)
diff --git a/objects/abuseipdb/definition.json b/objects/abuseipdb/definition.json
index 6f1b309..d55d797 100644
--- a/objects/abuseipdb/definition.json
+++ b/objects/abuseipdb/definition.json
@@ -2,7 +2,7 @@
 "attributes": {
 "abuse-confidence-score": {
 "description": "Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "is-malicious": {
diff --git a/objects/concordia-mtmf-intrusion-set/definition.json b/objects/concordia-mtmf-intrusion-set/definition.json
index f54b6e4..aaf2edb 100644
--- a/objects/concordia-mtmf-intrusion-set/definition.json
+++ b/objects/concordia-mtmf-intrusion-set/definition.json
@@ -10,14 +10,14 @@
 "CMTMF_ATCKID": {
 "description": "Identifier of the Attack",
 "disable_correlation": false,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "recommended": true,
 "ui-priority": 1
 },
 "FeedbackLoop": {
 "description": "Feedback Loop Sequence",
 "disable_correlation": false,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "PhName": {
@@ -30,7 +30,7 @@
 "PhSequence": {
 "description": "Phase Sequence",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "recommended": true,
 "ui-priority": 0
 },
diff --git a/objects/covid19-csse-daily-report/definition.json b/objects/covid19-csse-daily-report/definition.json
index 59171cf..8b44463 100644
--- a/objects/covid19-csse-daily-report/definition.json
+++ b/objects/covid19-csse-daily-report/definition.json
@@ -21,7 +21,7 @@
 "county": {
 "description": "US County (US Only)",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "death": {
@@ -33,7 +33,7 @@
 "fips": {
 "description": "Federal Information Processing Standard county code (US Only)",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "latitude": {
diff --git a/objects/ddos/definition.json b/objects/ddos/definition.json
index 9df4984..2338aa0 100644
--- a/objects/ddos/definition.json
+++ b/objects/ddos/definition.json
@@ -3,7 +3,7 @@
 "backscatter-threshold": {
 "description": "The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "capture-origin": {
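Review bot: Retyping `fips` to `integer` in the covid19-csse-daily-report hunk is lossy: US county FIPS codes are five-digit codes with leading zeros (the codes for the first states alphabetically begin with `01`, `02`, …), so an integer representation drops the leading zero and no longer matches the code as published in the source data; a code is an identifier, not a quantity, and `"misp-attribute": "text",` preserves it exactly. The preceding hunk in the same file retypes `county`, described as "US County (US Only)"; if that field carries the county name, as the description suggests, a numeric type does not fit either, and the description should state what the field actually holds. The `counter` → `integer` changes in the other files of this patch look correct, since none of those values is a monotonically increasing count.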
@@ -99,13 +99,13 @@
 "total-bps": {
 "description": "Bits per second (maximum rate of bits per second measured)",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "total-bytes-sent": {
 "description": "Total number of bytes sent by the sources mentioned",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "total-packets-sent": {
@@ -117,7 +117,7 @@
 "total-pps": {
 "description": "Packets per second (maximum rate of packets per second measured)",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "type": {
diff --git a/objects/diamond/definition.json b/objects/diamond/definition.json
index 0833e14..54e184a 100644
--- a/objects/diamond/definition.json
+++ b/objects/diamond/definition.json
@@ -31,7 +31,7 @@
 },
 "EventID": {
 "description": "Id of the event",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "Infrastructure": {
diff --git a/objects/imsi-catcher/definition.json b/objects/imsi-catcher/definition.json
index 7c13595..7b856a8 100644
--- a/objects/imsi-catcher/definition.json
+++ b/objects/imsi-catcher/definition.json
@@ -56,7 +56,7 @@
 "seq": {
 "description": "A sequence number for the collection",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "text": {
diff --git a/objects/intelmq_event/definition.json b/objects/intelmq_event/definition.json
index 1ec6040..f1a1a5a 100644
--- a/objects/intelmq_event/definition.json
+++ b/objects/intelmq_event/definition.json
@@ -112,7 +112,7 @@
 },
 "destination.port": {
 "description": "The port to which the connection headed.",
- "misp-attribute": "counter",
+ "misp-attribute": "port",
 "ui-priority": 1
 },
 "destination.registry": {
@@ -256,7 +256,7 @@
 },
 "rtir_id": {
 "description": "Request Tracker Incident Response ticket id.",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 1
 },
 "screenshot_url": {
@@ -366,7 +366,7 @@
 },
 "source.port": {
 "description": "The port from which the connection originated.",
- "misp-attribute": "counter",
+ "misp-attribute": "port",
 "ui-priority": 1
 },
 "source.registry": {
diff --git a/objects/intelmq_report/definition.json b/objects/intelmq_report/definition.json
index 8630d2e..39d6693 100644
--- a/objects/intelmq_report/definition.json
+++ b/objects/intelmq_report/definition.json
@@ -42,7 +42,7 @@
 },
 "rtir_id": {
 "description": "Request Tracker Incident Response ticket id.",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 1
 },
 "time.observation": {
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json
index f52d4bc..1df45c7 100644
--- a/objects/mactime-timeline-analysis/definition.json
+++ b/objects/mactime-timeline-analysis/definition.json
@@ -39,7 +39,7 @@
 "file_size": {
 "description": "Determines the file size in bytes",
 "disable_correlation": true,
- "misp-attribute": "text",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 }
 },
diff --git a/objects/netflow/definition.json b/objects/netflow/definition.json
index 5e80527..ad6204a 100644
--- a/objects/netflow/definition.json
+++ b/objects/netflow/definition.json
@@ -3,7 +3,7 @@
 "byte-count": {
 "description": "Bytes counted in this flow",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "community-id": {
@@ -73,7 +73,7 @@
 "ip-protocol-number": {
 "description": "IP protocol number of this flow",
 "disable_correlation": true,
- "misp-attribute": "size-in-bytes",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "ip-src": {
@@ -88,7 +88,7 @@
 "ip_version": {
 "description": "IP version of this flow",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "last-packet-seen": {
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
index bae4f7e..59ce856 100644
--- a/objects/network-socket/definition.json
+++ b/objects/network-socket/definition.json
@@ -109,7 +109,7 @@
 "dst-bytes-count": {
 "description": "Number of bytes sent from the source to the destination.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "dst-packets-count": {
@@ -215,7 +215,7 @@
 "src-bytes-count": {
 "description": "Number of bytes sent from the destination to the source.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "src-packets-count": {
diff --git a/objects/paloalto-threat-event/definition.json b/objects/paloalto-threat-event/definition.json
index 795a7f5..c9134cb 100644
--- a/objects/paloalto-threat-event/definition.json
+++ b/objects/paloalto-threat-event/definition.json
@@ -15,7 +15,7 @@
 "dport": {
 "description": "The port to which the connection headed.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "port",
 "ui-priority": 1
 },
 "dst": {
@@ -38,7 +38,7 @@
 "sport": {
 "description": "The port from which the connection originated.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "port",
 "ui-priority": 1
 },
 "src": {
diff --git a/objects/probabilistic-data-structure/definition.json b/objects/probabilistic-data-structure/definition.json
index d1b6a39..79a99aa 100644
--- a/objects/probabilistic-data-structure/definition.json
+++ b/objects/probabilistic-data-structure/definition.json
@@ -21,13 +21,13 @@
 "total-bits": {
 "description": "The number of bits used by this probabilistic data structure.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 1
 },
 "total-capacity": {
 "description": "The total capacity of the total set represented in this probabilistic data structure.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 1
 },
 "type": {
@@ -59,7 +59,7 @@
 "used-capacity": {
 "description": "The used capacity (and cardinality) of the set represented in this probabilistic data structure.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 1
 },
 "vendor-implementation-ref": {
diff --git a/objects/r2graphity/definition.json b/objects/r2graphity/definition.json
index bb95ee9..7fe7215 100644
--- a/objects/r2graphity/definition.json
+++ b/objects/r2graphity/definition.json
@@ -3,13 +3,13 @@
 "callback-average": {
 "description": "Average size of a callback",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "callback-largest": {
 "description": "Largest callback",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "callbacks": {
@@ -105,7 +105,7 @@
 "shortest-path-to-create-thread": {
 "description": "Shortest path to the first time the binary calls CreateThread",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "text": {
diff --git a/objects/scrippsco2-c13-daily/definition.json b/objects/scrippsco2-c13-daily/definition.json
index d89f572..04eeb56 100644
--- a/objects/scrippsco2-c13-daily/definition.json
+++ b/objects/scrippsco2-c13-daily/definition.json
@@ -9,7 +9,7 @@
 "flag": {
 "description": "Flag (see taxonomy for details).",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "number-flask": {
diff --git a/objects/scrippsco2-co2-daily/definition.json b/objects/scrippsco2-co2-daily/definition.json
index 03dc7b1..2c7ed2c 100644
--- a/objects/scrippsco2-co2-daily/definition.json
+++ b/objects/scrippsco2-co2-daily/definition.json
@@ -9,7 +9,7 @@
 "flag": {
 "description": "Flag (see taxonomy for details).",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "number-flask": {
diff --git a/objects/scrippsco2-o18-daily/definition.json b/objects/scrippsco2-o18-daily/definition.json
index 06ca182..92c8cb4 100644
--- a/objects/scrippsco2-o18-daily/definition.json
+++ b/objects/scrippsco2-o18-daily/definition.json
@@ -3,7 +3,7 @@
 "flag": {
 "description": "Flag (see taxonomy for details).",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "number-flask": {
diff --git a/objects/sigmf-expanded-recording/definition.json b/objects/sigmf-expanded-recording/definition.json
index e4254e5..095d7f2 100644
--- a/objects/sigmf-expanded-recording/definition.json
+++ b/objects/sigmf-expanded-recording/definition.json
@@ -99,7 +99,7 @@
 "offset": {
 "description": "The index number of the first sample in the Dataset. If not provided, this value defaults to zero. Typically used when a Recording is split over multiple files. All sample indices in SigMF are absolute, and so all other indices referenced in metadata for this recording SHOULD be greater than or equal to this value.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "recorder": {
@@ -123,7 +123,7 @@
 "trailing_bytes": {
 "description": "The number of bytes to ignore at the end of a Non-Conforming Dataset file.",
 "disable_correlation": true,
- "misp-attribute": "counter",
+ "misp-attribute": "size-in-bytes",
 "ui-priority": 0
 },
 "version": {
diff --git a/objects/submarine/definition.json b/objects/submarine/definition.json
index 2e27303..993eab9 100644
--- a/objects/submarine/definition.json
+++ b/objects/submarine/definition.json
@@ -36,7 +36,7 @@
 },
 "complement": {
 "description": "Crew size",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "recommended": false,
 "ui-priority": 0
 },
@@ -46,8 +46,8 @@
 "ui-priority": 1
 },
 "displacement": {
- "description": "Displacement in tonns",
- "misp-attribute": "counter",
+ "description": "Displacement in tonnes",
+ "misp-attribute": "integer",
 "recommended": true,
 "ui-priority": 0
 },
@@ -64,12 +64,12 @@
 },
 "in_service_from": {
 "description": "The year the submarine entered service",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "in_service_until": {
 "description": "The year the submarine left service",
- "misp-attribute": "counter",
+ "misp-attribute": "integer",
 "ui-priority": 0
 },
 "length": {
From f267c28d1fa6ed7c4c42020e5dad87e36f6592ed Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Sun, 14 Apr 2024 07:26:53 +0200
Subject: [PATCH 38/39] new: [gpf] Split actors_speaker and settings_competition into more
---
 .../definition.json | 84 ++++++++++++++-----
 1 file changed, 64 insertions(+), 20 deletions(-)
diff --git a/objects/generalizing-persuasion-framework/definition.json b/objects/generalizing-persuasion-framework/definition.json
index 025fac6..e16bfa9 100644
--- a/objects/generalizing-persuasion-framework/definition.json
+++ b/objects/generalizing-persuasion-framework/definition.json
@@ -5,98 +5,142 @@
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 2
+ "ui-priority": 20
 },
- "actors_speaker": {
- "description": "Types (e.g., elites, media, opinion leaders, friends/family). Motivations in crafting messages",
+ "actors_speaker_motivation": {
+ "description": "Motivations in crafting messages",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 1
+ "ui-priority": 11
+ },
+ "actors_speaker_type": {
+ "description": "Types (e.g., elites, media, opinion leaders, friends/family).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "Politician",
+ "Government Official",
+ "Law Enforcement",
+ "Media",
+ "Religious Leader",
+ "CEO/Executive",
+ "Community Leader",
+ "Teacher/Professor",
+ "Coache/Mentor",
+ "Expert in a specific field",
+ "Celebrity",
+ "Athlete",
+ "Social Media Personality",
+ "Trendsetter",
+ "Salesperson",
+ "Marketeer",
+ "Friend/Family",
+ "Lobbyist",
+ "Advocacy Group",
+ "Professional Association",
+ "Leaked document",
+ "Whistle-blower",
+ "Online forum",
+ "Algorithm"
+ ],
+ "ui-priority": 10
 },
 "outcomes_attitude": {
 "description": "General evaluation of an object (where the 'object' is broadly construed).",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 6
+ "ui-priority": 60
 },
 "outcomes_behavior": {
 "description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 7
+ "ui-priority": 70
 },
 "outcomes_emotion": {
 "description": "Can inform conscious evaluations or override them.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 8
+ "ui-priority": 80
 },
 "outcomes_identity": {
 "description": "A dimension of evaluation. Often activated when threatened.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 9
+ "ui-priority": 90
 },
- "settings_competition": {
- "description": "Number of speakers. Number of receivers. Observers.",
+ "settings_competition_observers": {
+ "description": "Number of observers.",
 "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 10
+ "misp-attribute": "float",
+ "ui-priority": 102
+ },
+ "settings_competition_receivers": {
+ "description": "Number of receivers.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 101
+ },
+ "settings_competition_speakers": {
+ "description": "Number of speakers.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 100
 },
 "settings_culture": {
 "description": "Shapes understandings of topics. Alters salience of different values.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 14
+ "ui-priority": 140
 },
 "settings_process": {
 "description": "Threatening settings. Political (conflictual) settings versus deliberative settings",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 13
+ "ui-priority": 130
 },
 "settings_space": {
 "description": "Attitude or behavioral change in one setting may not generalize to other settings.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 11
+ "ui-priority": 110
 },
 "settings_time": {
 "description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 12
+ "ui-priority": 120
 },
 "treatments_medium": {
 "description": "Alters frames, processing goals, and/or effort. Interactions with other persuasion variables.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 5
+ "ui-priority": 50
 },
 "treatments_message_content": {
 "description": "Argument strength (and inadequacy). Framing and evaluations. Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 4
+ "ui-priority": 40
 },
 "treatments_topic": {
 "description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
- "ui-priority": 3
+ "ui-priority": 30
 }
 },
 "description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman)",
From 4e31ad218e852e580eeb6f3ad3b192e7a32df1de Mon Sep 17 00:00:00 2001
From: Jeroen Pinoy
Date: Mon, 15 Apr 2024 21:07:07 +0200
Subject: [PATCH 39/39] add: [relationships] add a few relationship types and opposites
---
 relationships/definition.json | 41 ++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index a4523d9..e51cfaa 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
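Review bot: The three new `settings_competition_*` attributes are counts ("Number of speakers/receivers/observers") yet are typed `"misp-attribute": "float"`; `"misp-attribute": "integer"` would match the quantity and is consistent with the `counter`→`integer` normalization in the preceding patch of this series. The `sane_default` list of `actors_speaker_type` contains `"Coache/Mentor"`, which reads as a typo for `"Coach/Mentor"`; because these strings are stored verbatim in events once selected, it is cheaper to fix before the template ships than after. Renaming `actors_speaker` and `settings_competition` drops keys that existing events may still carry, and the closing lines of the file, where the template `version` lives, are outside this hunk, so whether the version is bumped cannot be confirmed here.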
@@ -1764,7 +1764,46 @@
 ],
 "name": "is-acquired-by",
 "opposite": "acquires"
+ },
+ {
+ "description": "The source object supports the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "supports",
+ "opposite": "supported-by"
+ },
+ {
+ "description": "The source object is supported by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "supported-by",
+ "opposite": "supports"
+ },
+ {
+ "description": "The source object sponsors the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "sponsors",
+ "opposite": "sponsored-by"
+ },
+ {
+ "description": "The source object is sponsored by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "sponsored-by",
+ "opposite": "sponsors"
+ },
+ {
+ "description": "The source object operates from the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "operates-from"
 }
 ],
- "version": 43
+ "version": 44
 }
\ No newline at end of file
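Review bot: `operates-from` is the only new relationship in this hunk declared without an `"opposite"`, whereas `supports`/`supported-by` and `sponsors`/`sponsored-by` are added as symmetric pairs; if the asymmetry is deliberate, a note in the commit message would save the next reader from treating it as an omission, otherwise add the reverse entry and set `"opposite"` on both so graph traversal in either direction resolves. The `"version": 44` bump is present, so the new types will propagate to instances.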