diff --git a/README.md b/README.md
index e0c661b..a904b53 100644
--- a/README.md
+++ b/README.md
@@ -161,6 +161,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection.
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
 - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
+- [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
@@ -190,6 +191,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
 - [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
 - [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
+- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
 - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
 - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
 - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
@@ -246,6 +248,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
 - [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
 - [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
+- [objects/Generalizing Persuasion Framework](https://github.com/MISP/misp-objects/blob/main/objects/Generalizing Persuasion Framework/definition.json) - By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman).
 - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
@@ -326,6 +329,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
 - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit.
 - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone.
+- [objects/phone-number](https://github.com/MISP/misp-objects/blob/main/objects/phone-number/definition.json) - Phone number based on the E.164 international public telecommunication numbering plan.
 - [objects/physical-impact](https://github.com/MISP/misp-objects/blob/main/objects/physical-impact/definition.json) - Physical Impact object as described in STIX 2.1 Incident object extension.
 - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address.
 - [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure.
@@ -335,7 +339,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
 - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
 - [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
-- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
+- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
 - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
 - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
 - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
@@ -473,7 +477,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is
 - Add a description in the object template explaining the scope and use-cases of your object templates
 - If the object is the mapping of an existing format, add a reference into the description of the object template
 - `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
-- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
+- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
 - Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
 
 ## MISP objects documentation
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
index 48c8111..94fccc7 100644
--- a/objects/cs-beacon-config/definition.json
+++ b/objects/cs-beacon-config/definition.json
@@ -1,11 +1,43 @@
 {
 "attributes": {
+ "architecture": {
+ "description": "Hardware architecture of the sample",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "asn": {
 "description": "Originating ASN for the CS Beacon Config",
 "disable_correlation": true,
 "misp-attribute": "AS",
 "ui-priority": 0
 },
+ "beacon-host": {
+ "description": "Beacon host IP",
+ "misp-attribute": "ip-dst",
+ "ui-priority": 0
+ },
+ "beacon-type": {
+ "description": "Beacon type used",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "binary-md5": {
+ "description": "MD5 of the binary delivered",
+ "misp-attribute": "md5",
+ "ui-priority": 0
+ },
+ "binary-sha1": {
+ "description": "SHA1 of the binary delivered",
+ "misp-attribute": "sha1",
+ "ui-priority": 0
+ },
+ "binary-sha256": {
+ "description": "SHA256 of the binary delivered",
+ "misp-attribute": "sha256",
+ "ui-priority": 0
+ },
 "c2": {
 "categories": [
 "Network activity"
@@ -21,12 +53,67 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "config-md5": {
+ "description": "MD5 of the configuration",
+ "misp-attribute": "md5",
+ "ui-priority": 0
+ },
+ "config-sha1": {
+ "description": "SHA1 of the configuration",
+ "misp-attribute": "sha1",
+ "ui-priority": 0
+ },
+ "config-sha256": {
+ "description": "SHA256 of the configuration",
+ "misp-attribute": "sha256",
+ "ui-priority": 0
+ },
+ "content-length": {
+ "description": "Content length of the payload",
+ "disable_correlation": true,
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "content-type": {
+ "description": "Content/type received",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "encoded-data": {
+ "description": "Encoded payload data in Base64 as file attachment",
+ "misp-attribute": "attachment",
+ "ui-priority": 0
+ },
+ "encoded-length": {
+ "description": "Length of the encoded data",
+ "disable_correlation": true,
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
 "geo": {
 "description": "Country location of the CS Beacon Config",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "http": {
+ "description": "HTTP protocol used",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "http-code": {
+ "description": "HTTP return code",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 0
+ },
+ "http-url": {
+ "description": "HTTP url path of the beacon",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "ip": {
 "description": "IP of the C2",
 "misp-attribute": "ip-dst",
@@ -55,7 +142,7 @@
 "ui-priority": 1
 },
 "naics": {
- "description": "North American Industry Classification System Code",
+ "description": "North American Industry Classification System Code (NAICS)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
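Review bot: `http-url` in the first hunk is typed `text` with correlation left on, so a short beacon path such as `/ca` would correlate with any unrelated `text` attribute holding the same string; for `"HTTP url path of the beacon"` the `uri` type (or `url`, as `origin-url` uses elsewhere in this commit) fits better, e.g. `"misp-attribute": "uri",`. The new `http` and `content-type` descriptions (`"HTTP protocol used"`, `"Content/type received"`) do not say what form the value takes (scheme, protocol version, MIME type?), which matters for a template filled by automated importers; one clarifying clause each would do. The attributes object continues past both hunks.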
@@ -112,5 +199,5 @@
 "watermark"
 ],
 "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
- "version": 4
+ "version": 7
 }
\ No newline at end of file
diff --git a/objects/ddos-claim/definition.json b/objects/ddos-claim/definition.json
new file mode 100644
index 0000000..049b0f6
--- /dev/null
+++ b/objects/ddos-claim/definition.json
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "claim-validity": {
+ "description": "Validity of the claim. Valid means, a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Unknown",
+ "Valid",
+ "Invalid"
+ ],
+ "ui-priority": 0
+ },
+ "proof": {
+ "description": "The claim in text format.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "proof-screenshot": {
+ "description": "Screenshot of the claim.",
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "reference": {
+ "description": "Reference to the DDoS claim.",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "target": {
+ "description": "Target of the DDoS claim.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "DDoS-claim object describes a current claim of DDoS activity.",
+ "meta-category": "network",
+ "name": "ddos-claim",
+ "requiredOneOf": [
+ "target",
+ "proof",
+ "reference"
+ ],
+ "uuid": "2722ac76-1f1f-43b7-bc68-ba5465ec5c04",
+ "version": 2
+}
\ No newline at end of file
diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
index d516bb2..751f8ae 100644
--- a/objects/flowintel-cm-case/definition.json
+++ b/objects/flowintel-cm-case/definition.json
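Review bot: `target` in the new ddos-claim template carries `"disable_correlation": true`, so two claims against the same target recorded in different events will never correlate, which is the main pivot an analyst wants from a claim object; consider dropping that flag on `target`, or adding typed `domain`/`ip-dst` target attributes next to the free-text one. The `claim-validity` description has a stray comma: `"Valid means, a trusted entity ..."` should read `"Valid means a trusted entity ..."`. `reference` is typed `link` with correlation disabled while `proof-screenshot` correlates as an attachment; that is probably intended, but the asymmetry is worth a glance.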
@@ -42,6 +42,12 @@
 "misp-attribute": "datetime",
 "ui-priority": 0
 },
+ "notes": {
+ "description": "Notes of the case",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "origin-url": {
 "description": "Origin of the case",
 "disable_correlation": true,
@@ -86,5 +92,5 @@
 "meta-category": "misc",
 "name": "flowintel-cm-case",
 "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
diff --git a/objects/flowintel-cm-task-note/definition.json b/objects/flowintel-cm-task-note/definition.json
new file mode 100644
index 0000000..54aa2d5
--- /dev/null
+++ b/objects/flowintel-cm-task-note/definition.json
@@ -0,0 +1,35 @@
+{
+ "attributes": {
+ "note": {
+ "description": "Notes of the task",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "note-uuid": {
+ "description": "UUID of the note",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ },
+ "origin-url": {
+ "description": "Origin of the task",
+ "disable_correlation": true,
+ "misp-attribute": "url",
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "task-uuid": {
+ "description": "UUID of the parent task",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ }
+ },
+ "description": "A task's note as defined by flowintel-cm.",
+ "meta-category": "misc",
+ "name": "flowintel-cm-task-note",
+ "uuid": "2c6f6aba-48b6-482f-a810-81934d29be9a",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json
index fbd9f0d..3313f9f 100644
--- a/objects/flowintel-cm-task/definition.json
+++ b/objects/flowintel-cm-task/definition.json
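Review bot: In the new flowintel-cm-task-note template `note` is `"multiple": true` while `note-uuid` is single-valued, yet the template describes one note (`"A task's note as defined by flowintel-cm."`), so an object can hold several note texts under one UUID and the uuid stops identifying the note. Either drop `"multiple": true,` on `note` or make `note-uuid` multiple and document how the two lists pair up. The template also defines no `required`/`requiredOneOf`, so an object holding only `task-uuid` and no note text is valid; `"requiredOneOf": ["note", "note-uuid"]` would prevent empty notes. The `notes` attribute added to flowintel-cm-case in the first hunk keeps the old single-valued shape, which is fine but leaves the two files modelling notes differently.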
@@ -37,12 +37,6 @@
 "misp-attribute": "datetime",
 "ui-priority": 0
 },
- "notes": {
- "description": "Notes of the task",
- "disable_correlation": true,
- "misp-attribute": "text",
- "ui-priority": 0
- },
 "origin-url": {
 "description": "Origin of the task",
 "disable_correlation": true,
@@ -88,5 +82,5 @@
 "meta-category": "misc",
 "name": "flowintel-cm-task",
 "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
- "version": 3
+ "version": 4
 }
\ No newline at end of file
diff --git a/objects/generalizing-persuasion-framework/definition.json b/objects/generalizing-persuasion-framework/definition.json
new file mode 100644
index 0000000..e16bfa9
--- /dev/null
+++ b/objects/generalizing-persuasion-framework/definition.json
@@ -0,0 +1,151 @@
+{
+ "attributes": {
+ "actors_receiver": {
+ "description": "Assessments across weighted dimensions. Effort, motivation, prior attitudes",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 20
+ },
+ "actors_speaker_motivation": {
+ "description": "Motivations in crafting messages",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 11
+ },
+ "actors_speaker_type": {
+ "description": "Types (e.g., elites, media, opinion leaders, friends/family).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "Politician",
+ "Government Official",
+ "Law Enforcement",
+ "Media",
+ "Religious Leader",
+ "CEO/Executive",
+ "Community Leader",
+ "Teacher/Professor",
+ "Coache/Mentor",
+ "Expert in a specific field",
+ "Celebrity",
+ "Athlete",
+ "Social Media Personality",
+ "Trendsetter",
+ "Salesperson",
+ "Marketeer",
+ "Friend/Family",
+ "Lobbyist",
+ "Advocacy Group",
+ "Professional Association",
+ "Leaked document",
+ "Whistle-blower",
+ "Online forum",
+ "Algorithm"
+ ],
+ "ui-priority": 10
+ },
+ "outcomes_attitude": {
+ "description": "General evaluation of an object (where the 'object' is broadly construed).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 60
+ },
+ "outcomes_behavior": {
+ "description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 70
+ },
+ "outcomes_emotion": {
+ "description": "Can inform conscious evaluations or override them.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 80
+ },
+ "outcomes_identity": {
+ "description": "A dimension of evaluation. 
Often activated when threatened.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 90
+ },
+ "settings_competition_observers": {
+ "description": "Number of observers.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 102
+ },
+ "settings_competition_receivers": {
+ "description": "Number of receivers.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 101
+ },
+ "settings_competition_speakers": {
+ "description": "Number of speakers.",
+ "disable_correlation": true,
+ "misp-attribute": "float",
+ "ui-priority": 100
+ },
+ "settings_culture": {
+ "description": "Shapes understandings of topics. Alters salience of different values.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 140
+ },
+ "settings_process": {
+ "description": "Threatening settings. Political (conflictual) settings versus deliberative settings",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 130
+ },
+ "settings_space": {
+ "description": "Attitude or behavioral change in one setting may not generalize to other settings.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 110
+ },
+ "settings_time": {
+ "description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 120
+ },
+ "treatments_medium": {
+ "description": "Alters frames, processing goals, and/or effort. Interactions with other persuasion variables.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 50
+ },
+ "treatments_message_content": {
+ "description": "Argument strength (and inadequacy). Framing and evaluations. 
Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 40
+ },
+ "treatments_topic": {
+ "description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 30
+ }
+ },
+ "description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman)",
+ "meta-category": "misc",
+ "name": "Generalizing Persuasion Framework",
+ "uuid": "dc6cdc5f-17d7-4d7b-95fe-86478990c910",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
index 0c54e8f..5847716 100644
--- a/objects/instant-message/definition.json
+++ b/objects/instant-message/definition.json
@@ -22,7 +22,8 @@
 "Discord",
 "Mumble",
 "Jabber",
- "Twitter"
+ "Twitter",
+ "Mattermost"
 ],
 "ui-priority": 1
 },
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index ca3fd9c..4aac6e9 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -45,6 +45,12 @@
 "multiple": true,
 "ui-priority": 10
 },
+ "misp-uuid": {
+ "description": "MISP UUID of the organization",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 97
+ },
 "name": {
 "description": "Name of the organization",
 "disable_correlation": false,
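Review bot: `"name": "Generalizing Persuasion Framework"` does not match the directory `objects/generalizing-persuasion-framework/` it lives in, and every other template in this commit uses its lowercase hyphenated directory name as `name` (e.g. `"name": "ddos-claim"`); the README entry added in this commit also links to `objects/Generalizing Persuasion Framework/definition.json`, a path this diff does not create. Suggest `"name": "generalizing-persuasion-framework",` and the same path in the README link. Two smaller points in the same hunk: `settings_competition_*` store `"Number of ..."` values as `float` where `integer` (used for `http-code` in cs-beacon-config in this commit) fits a count, and `sane_default` contains the typo `"Coache/Mentor"`. The description strings of `outcomes_identity` and `treatments_message_content` appear broken across lines in this view; if that is a literal newline inside the JSON string rather than a rendering artifact, the file is not valid JSON and the `validate_all.sh` step the README mentions would reject it.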
@@ -117,6 +123,7 @@
 "mining",
 "non-profit",
 "pharmaceuticals",
+ "private",
 "retail",
 "technology",
 "telecommunication",
@@ -139,5 +146,5 @@
 "alias"
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
- "version": 7
+ "version": 9
 }
\ No newline at end of file
diff --git a/objects/phone-number/definition.json b/objects/phone-number/definition.json
new file mode 100644
index 0000000..4b69efc
--- /dev/null
+++ b/objects/phone-number/definition.json
@@ -0,0 +1,60 @@
+{
+ "attributes": {
+ "country-code": {
+ "description": "Country code in text format (e.g., US)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "country-code-numeric": {
+ "description": "Country code as per the E.164 numbering plan (e.g., +1)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "national-destination-code": {
+ "description": "National destination code as per the E.164 numbering plan (e.g., 415)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "phone-number": {
+ "description": "Phone number in E.164 format (e.g., +14155552671)",
+ "disable_correlation": false,
+ "misp-attribute": "phone-number",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 3
+ },
+ "subscriber-number": {
+ "description": "Subscriber number as per the E.164 numbering plan (e.g., 5552671)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "text": {
+ "description": "Description or additional information about the phone number.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "to_ids": false,
+ "ui-priority": 2
+ }
+ },
+ "description": "Phone number based on the E.164 international public telecommunication numbering plan",
+ "meta-category": "mobile",
+ "name": "phone-number",
+ "required": [
+ "phone-number"
+ ],
+ "uuid": "c4b5a67c-63d2-11ec-90d6-0242ac120003",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/ransomware-group-post/definition.json b/objects/ransomware-group-post/definition.json
index c9e1852..c1f070d 100644
--- a/objects/ransomware-group-post/definition.json
+++ b/objects/ransomware-group-post/definition.json
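Review bot: Every attribute in the new phone-number template repeats `"multiple": false,`, which is the default and is omitted by every other template in this commit; dropping those six lines keeps the file in the repository's style. `phone-number` is the only attribute that correlates, which is the right choice, but `country-code-numeric` (`"e.g., +1"`) and `country-code` (`"e.g., US"`) both call themselves "Country code", so a producer cannot tell from the names which one takes the dialling prefix; `"Country calling code (dialling prefix) as per the E.164 numbering plan (e.g., +1)"` and `"Two-letter country code in text format (e.g., US)"` would make the split explicit.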
@@ -1,7 +1,26 @@
 {
 "attributes": {
+ "actor-geo-stats-30d": {
+ "description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "actor-total-stats-30d": {
+ "description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
 "date": {
 "description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "date-published": {
+ "description": "Initial published date of the post on the ransomware group blog.",
+ "disable_correlation": true,
 "misp-attribute": "datetime",
 "ui-priority": 0
 },
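Review bot: `actor-geo-stats-30d` and `actor-total-stats-30d` are described as counts (`"Count of how many other victims ..."`) but typed `"misp-attribute": "text"`, so nothing stops a producer from storing `"about 12"` and consumers cannot sort or compare the values; `"misp-attribute": "counter"` (or `integer`, which `http-code` uses in cs-beacon-config in this same commit) is the fitting type. The 30-day window is also baked into the attribute names, so any other window later needs new attributes; if other windows are foreseeable, a generic name plus a window attribute would age better. The attributes object continues in the next hunk.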
@@ -10,25 +29,73 @@
 "misp-attribute": "text",
 "ui-priority": 1
 },
+ "entity-name": {
+ "description": "Entity name of the victim referenced in the post of the ransomware group.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "geo": {
+ "description": "Geographic (main) location of the victim referenced in the post of the ransomware group.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "leak-site-url": {
+ "description": "Link to the post.",
+ "misp-attribute": "link",
+ "ui-priority": 1
+ },
 "link": {
 "description": "Original URL location of the post.",
 "misp-attribute": "link",
 "ui-priority": 1
 },
+ "ransomware-group": {
+ "description": "Ransomware group where the post is mentioned.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "sector": {
+ "description": "Sector (main) of the victim referenced in the post of the ransomware group.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "severity": {
+ "description": "Severity of the post mentioned.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info"
+ ],
+ "ui-priority": 1
+ },
 "title": {
 "description": "Title of blog post.",
 "misp-attribute": "text",
 "ui-priority": 1
+ },
+ "website": {
+ "description": "Website of the victim referenced in the post of the ransomware group.",
+ "misp-attribute": "link",
+ "ui-priority": 1
 }
 },
- "description": "Ransomware group post as monitored by ransomlook.io",
+ "description": "Ransomware group post as monitored by ransomlook.io or others",
 "meta-category": "misc",
 "name": "ransomware-group-post",
 "requiredOneOf": [
 "title",
 "description",
- "link"
+ "link",
+ "website",
+ "leak-site-url"
 ],
 "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
- "version": 1
+ "version": 4
 }
\ No newline at end of file
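Review bot: `leak-site-url` (`"Link to the post."`) and the existing `link` (`"Original URL location of the post."`) describe the same value, and both now sit in `requiredOneOf`, so producers will put the same URL under either attribute and correlation on it becomes unreliable. Either say how they differ (for instance that `leak-site-url` points at the group's leak site rather than at the individual post) or drop the new attribute. `ransomware-group` is `"disable_correlation": true`; if that is deliberate, to keep every post of a group from correlating with every other, a short note in its description would save the next reviewer the question. `severity` offers a `sane_default` list but its description `"Severity of the post mentioned."` gives no criteria for choosing a level, so two producers will rate the same post differently.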
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index 0eea7a7..e2253ef 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -2,7 +2,8 @@
 "attributes": {
 "data": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Data stored in the registry key",
 "misp-attribute": "text",
@@ -10,7 +11,8 @@
 },
 "data-type": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Registry value type",
 "disable_correlation": true,
@@ -35,7 +37,8 @@
 },
 "hive": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Hive used to store the registry key (file on disk)",
 "disable_correlation": true,
@@ -44,7 +47,8 @@
 },
 "key": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Full key path",
 "misp-attribute": "regkey",
@@ -60,7 +64,8 @@
 },
 "name": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Name of the registry key",
 "misp-attribute": "text",
@@ -98,5 +103,5 @@
 "data"
 ],
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
index 2cb71c1..678092c 100644
--- a/objects/research-scanner/definition.json
+++ b/objects/research-scanner/definition.json
@@ -43,6 +43,16 @@
 "multiple": true,
 "ui-priority": 1
 },
+ "scanning_host": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Scanning host used by project",
+ "misp-attribute": "hostname",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "scanning_ip": {
 "categories": [
 "Network activity",
@@ -76,5 +86,5 @@
 "scanning_ip"
 ],
 "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
- "version": 20190102
+ "version": 20240527
 }
\ No newline at end of file
diff --git a/relationships/definition.json b/relationships/definition.json
index a4523d9..429032a 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -36,6 +36,22 @@
 "name": "shared-by",
 "opposite": "shares"
 },
+ {
+ "description": "This relationship describes an object which publishes another object.",
+ "format": [
+ "misp"
+ ],
+ "name": "publishes",
+ "opposite": "published-by"
+ },
+ {
+ "description": "This relationship describes an object which was published by another object.",
+ "format": [
+ "misp"
+ ],
+ "name": "published-by",
+ "opposite": "publishes"
+ },
 {
 "description": "The referenced source and target objects are semantically duplicates of each other.",
 "format": [
@@ -866,9 +882,19 @@
 {
 "description": "Represents the semantic link of a communication initiating an event.",
 "format": [
- "alfred"
+ "alfred",
+ "misp"
 ],
- "name": "initiates"
+ "name": "initiates",
+ "opposite": "initiated-by"
+ },
+ {
+ "description": "The source object initiated the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "initiated-by",
+ "opposite": "initiates"
 },
 {
 "description": "Represents the semantic link between a FILE and FILE_BINARY.",
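Review bot: The description of the new `initiated-by` entry in the last hunk is inverted: `"The source object initiated the target object."` describes `initiates`, not its opposite, and will read the wrong way in every tool that shows relationship descriptions. Following the pattern of the other pairs in this file (compare `supported-by`: `"The source object is supported by the target object."`), it should be `"description": "The source object was initiated by the target object.",`. The `publishes`/`published-by` pair in the middle hunk is consistent, and the research-scanner version bump in the first hunk needs nothing.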
@@ -1764,7 +1790,117 @@
 ],
 "name": "is-acquired-by",
 "opposite": "acquires"
+ },
+ {
+ "description": "The source object supports the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "supports",
+ "opposite": "supported-by"
+ },
+ {
+ "description": "The source object is supported by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "supported-by",
+ "opposite": "supports"
+ },
+ {
+ "description": "The source object sponsors the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "sponsors",
+ "opposite": "sponsored-by"
+ },
+ {
+ "description": "The source object is sponsored by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "sponsored-by",
+ "opposite": "sponsors"
+ },
+ {
+ "description": "The source object operates from the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "operates-from"
+ },
+ {
+ "description": "The source object deploys the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "deploys",
+ "opposite": "is-deployed-by"
+ },
+ {
+ "description": "The source object is deployed by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "is-deployed-by",
+ "opposite": "deploys"
+ },
+ {
+ "description": "The source object interacts with the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "interacts-with"
+ },
+ {
+ "description": "The source object injects the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "injects",
+ "opposite": "is-injected-by"
+ },
+ {
+ "description": "The source object is injected by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "is-injected-by",
+ "opposite": "injects"
+ },
+ {
+ "description": "The source object interviews the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "interviews",
+ "opposite": "is-interviewed-by"
+ },
+ {
+ "description": "The source object is interviewed by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "is-interviewed-by",
+ "opposite": "interviews"
+ },
+ {
+ "description": "The source object summarizes the 
target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "summarizes",
+ "opposite": "summarized-by"
+ },
+ {
+ "description": "The source object is summarized by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "summarized-by",
+ "opposite": "summarizes"
 }
 ],
- "version": 43
+ "version": 49
 }
\ No newline at end of file
diff --git a/tools/updated.sh b/tools/updated.sh
index acc0c56..f385432 100644
--- a/tools/updated.sh
+++ b/tools/updated.sh
@@ -2,5 +2,5 @@ python3 adoc_objects.py >a.txt
 mv a.txt objects.txt
 asciidoctor-pdf -a allow-uri-read objects.txt
 asciidoctor -a allow-uri-read objects.txt
-cp objects.html ../../misp-website-new/static
-cp objects.pdf ../../misp-website-new/static
+cp objects.html ../../misp-website/static
+cp objects.pdf ../../misp-website/static
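Review bot: `operates-from` and `interacts-with` are the only new entries in this hunk without an `"opposite"`, while the other twelve additions come in pairs; `interacts-with` is symmetric and can name itself (`"opposite": "interacts-with"`), and `operates-from` either needs a counterpart or a clause in its description saying the relationship is intentionally one-directional, so that tools walking `opposite` links do not treat it as an omission. The `summarizes` description also appears broken across two lines in this view; if that is a literal newline inside the JSON string rather than a rendering artifact, the file will not parse. The tools/updated.sh hunk below is a path fix only.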