From c3f17d60604b3ebd9fd8ca03434d91924b7d4a96 Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 15 Mar 2024 12:05:03 -0500
Subject: [PATCH 1/3] adding stairwell object

---
 objects/stairwell/definition.json | 87 +++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)
 create mode 100644 objects/stairwell/definition.json

diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json
new file mode 100644
index 0000000..4262674
--- /dev/null
+++ b/objects/stairwell/definition.json
@@ -0,0 +1,87 @@
+{
+ "attributes": {
+ "entropy": {
+ "description": "Measure of the information contained in a object as opposed to the portion of the object that is determined (or predictable)",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 1
+ },
+ "environment": {
+ "description": "Stairwell environments that this object has been seen within",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "imphash": {
+ "description": "The Mandiant import hash (imphash) of the object",
+ "misp-attribute": "imphash",
+ "ui-priority": 0
+ },
+ "magic": {
+ "description": "Magic number as determined by yara rule based identification",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "malEval-probability": {
+ "description": "Confidence that the label applies on the object",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "malEval-severity": {
+ "description": "Severity of malware detected",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ },
+ "md5": {
+ "description": "The md5 hash signature of an object",
+ "misp-attribute": "md5",
+ "ui-priority": 1
+ },
+ "mime-type": {
+ "description": "MIME type as determined by yara rule based identification",
+ "disable_correlation": true,
+ "misp-attribute": "mime-type",
+ "ui-priority": 0
+ },
+ "sha1": {
+ "description": "The sha1 hash signature of an object",
+ "misp-attribute": "sha1",
+ "ui-priority": 1
+ },
+ "sha256": {
+ "description": "The sha256 hash signature of an object",
+ "misp-attribute": "sha256",
+ "ui-priority": 1
+ },
+ "size-in-bytes": {
+ "description": "The size of the file in bytes",
+ "disable_correlation": true,
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "stairwell-first-seen": {
+ "description": "The timestamp at which an object was first observed by Stairwell",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "tlsh": {
+ "description": "The TLSH of the object",
+ "misp-attribute": "tlsh",
+ "ui-priority": 0
+ },
+ "yara-rule-match": {
+ "description": "Stairwell yara rule resource names which have matched on this object",
+ "misp-attribute": "comment",
+ "ui-priority": 0
+ }
+ },
+ "description": "Stairwell leverages automated analysis, YARA rule libraries, shared malware feeds, privately run AV verdicts, static & dynamic analysis, malware unpacking, and variant discovery.",
+ "meta-category": "file",
+ "name": "stairwell",
+ "requiredOneOf": [
+ "md5",
+ "sha1",
+ "sha256"
+ ],
+ "uuid": "113d31ab-6eea-46df-976c-e955c369acd2",
+ "version": 1
+}
\ No newline at end of file

From 11bf472d8e93a4d5cbc75842a4c63b3cc6bc7e63 Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 15 Mar 2024 13:52:09 -0500
Subject: [PATCH 2/3] forgot multiple flag on two attributes

---
 objects/stairwell/definition.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json
index 4262674..8945a8d 100644
--- a/objects/stairwell/definition.json
+++ b/objects/stairwell/definition.json
@@ -9,6 +9,7 @@
 "environment": {
 "description": "Stairwell environments that this object has been seen within",
 "misp-attribute": "comment",
+ "multiple": true,
 "ui-priority": 0
 },
 "imphash": {
@@ -71,6 +72,7 @@
 "yara-rule-match": {
 "description": "Stairwell yara rule resource names which have matched on this object",
 "misp-attribute": "comment",
+ "multiple": true
 "ui-priority": 0
 }
 },
@@ -84,4 +86,4 @@
 ],
 "uuid": "113d31ab-6eea-46df-976c-e955c369acd2",
 "version": 1
-}
\ No newline at end of file
+}

From fac453a24711f92226a9c2c3d549b188a80dcd3e Mon Sep 17 00:00:00 2001
From: goodlandsecurity
Date: Fri, 15 Mar 2024 14:04:07 -0500
Subject: [PATCH 3/3] fixed parse error

---
 objects/stairwell/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/stairwell/definition.json b/objects/stairwell/definition.json
index 8945a8d..bfb066e 100644
--- a/objects/stairwell/definition.json
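Review bot: The free-text `comment` attributes `magic`, `malEval-probability` and `malEval-severity` are left correlating, but their values are low-cardinality labels (a file-type string, a severity band, a confidence bucket), so every Stairwell object that shares the same severity or magic string will cross-correlate and drown out the hash-based matches that actually matter. The hunk already sets `"disable_correlation": true` on `entropy`, `mime-type` and `size-in-bytes` for exactly this reason, and the same line belongs on those three attributes. `malEval-probability` is described as a confidence value yet typed `comment`; `"misp-attribute": "float"`, as already used for `entropy`, would keep it numeric and filterable. Minor: the `malEval-*` keys mix camelCase into an otherwise all-lowercase hyphenated naming scheme (`size-in-bytes`, `stairwell-first-seen`), and the `entropy` description reads `a object` where `an object` is meant.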
+++ b/objects/stairwell/definition.json
@@ -72,7 +72,7 @@
 "yara-rule-match": {
 "description": "Stairwell yara rule resource names which have matched on this object",
 "misp-attribute": "comment",
- "multiple": true
+ "multiple": true,
 "ui-priority": 0
 }
 },
@@ -86,4 +86,4 @@
 ],
 "uuid": "113d31ab-6eea-46df-976c-e955c369acd2",
 "version": 1
-}
+}
\ No newline at end of file
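Review bot: The second hunk (`@@ -86,4 +86,4 @@`) removes the trailing newline that the previous patch in this series had just added, so the file once again ends with `\ No newline at end of file`; the comma fix in the first hunk is correct, but the EOF flip looks like an editor side effect rather than an intended change and should be reverted so the file ends with `}` followed by a newline. Since the intermediate state after patch 2/3 is not parseable JSON, squashing the three patches into one would also avoid leaving a broken template in the history.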