From 8fe87ab6bce3b60596d358793d755c26f401a927 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 12 Apr 2024 08:07:44 +0200 Subject: [PATCH 01/37] new: [gpf] Added Generalizing Persuasion Framework --- .../definition.json | 107 ++++++++++++++++++ 1 file changed, 107 insertions(+) create mode 100644 objects/generalizing-persuasion-framework/definition.json diff --git a/objects/generalizing-persuasion-framework/definition.json b/objects/generalizing-persuasion-framework/definition.json new file mode 100644 index 0000000..025fac6 --- /dev/null +++ b/objects/generalizing-persuasion-framework/definition.json 
@@ -0,0 +1,107 @@ +{ + "attributes": { + "actors_receiver": { + "description": "Assessments across weighted dimensions. Effort, motivation, prior attitudes", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "actors_speaker": { + "description": "Types (e.g., elites, media, opinion leaders, friends/family). Motivations in crafting messages", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "outcomes_attitude": { + "description": "General evaluation of an object (where the 'object' is broadly construed).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 6 + }, + "outcomes_behavior": { + "description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 7 + }, + "outcomes_emotion": { + "description": "Can inform conscious evaluations or override them.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 8 + }, + "outcomes_identity": { + "description": "A dimension of evaluation. Often activated when threatened.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 9 + }, + "settings_competition": { + "description": "Number of speakers. Number of receivers. Observers.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "settings_culture": { + "description": "Shapes understandings of topics. Alters salience of different values.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 14 + }, + "settings_process": { + "description": "Threatening settings. 
Political (conflictual) settings versus deliberative settings", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 13 + }, + "settings_space": { + "description": "Attitude or behavioral change in one setting may not generalize to other settings.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 11 + }, + "settings_time": { + "description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 12 + }, + "treatments_medium": { + "description": "Alters frames, processing goals, and/or effort. Interactions with other persuasion variables.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 5 + }, + "treatments_message_content": { + "description": "Argument strength (and inadequacy). Framing and evaluations. Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 4 + }, + "treatments_topic": { + "description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 3 + } + }, + "description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. 
Second, it highlights the sources of variations that should be studied. (James N. Druckman)", + "meta-category": "misc", + "name": "Generalizing Persuasion Framework", + "uuid": "dc6cdc5f-17d7-4d7b-95fe-86478990c910", + "version": 1 +} \ No newline at end of file From 6e159a03b5bd98959ed5725ce32abc9b15f898e4 Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Fri, 12 Apr 2024 08:18:42 +0200 Subject: [PATCH 02/37] chg: [readme] updated list of objects --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e0c661b..f840cea 100644 --- a/README.md +++ b/README.md 
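Review bot: The `"name"` value `Generalizing Persuasion Framework` does not match the template's directory `objects/generalizing-persuasion-framework`, whereas every other template touched in this series uses the directory name as `name` (`flowintel-cm-task-note`, `ransomware-group-post`), and the README hunk in the following patch already shows the consequence: a generated link to `objects/Generalizing Persuasion Framework/definition.json`, a path that does not exist. Change it to `"name": "generalizing-persuasion-framework"` and keep the human-readable title in the description. The description credits James N. Druckman but gives no citation, while the contribution rules in this README ask for a reference in the description when a template maps an existing format or framework; append one, e.g. `(James N. Druckman, <reference to the GP Framework publication>)`.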
@@ -153,7 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s). - [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions. - [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search. -- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report. +- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report. - [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys. - [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction. - [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config. 
@@ -169,7 +169,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain. - [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time. - [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame. -- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report. +- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report. - [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format. - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format. - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information. 
@@ -246,6 +246,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video. - [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook. - [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware. +- [objects/Generalizing Persuasion Framework](https://github.com/MISP/misp-objects/blob/main/objects/Generalizing Persuasion Framework/definition.json) - By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman). - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location. - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. 
@@ -473,7 +474,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is - Add a description in the object template explaining the scope and use-cases of your object templates - If the object is the mapping of an existing format, add a reference into the description of the object template - `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s). -- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). +- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). - Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required. ## MISP objects documentation From f267c28d1fa6ed7c4c42020e5dad87e36f6592ed Mon Sep 17 00:00:00 2001 From: Christophe Vandeplas Date: Sun, 14 Apr 2024 07:26:53 +0200 Subject: [PATCH 03/37] new: [gpf] Split actors_speaker and settings_competition into more --- .../definition.json | 84 ++++++++++++++----- 1 file changed, 64 insertions(+), 20 deletions(-) diff --git a/objects/generalizing-persuasion-framework/definition.json b/objects/generalizing-persuasion-framework/definition.json index 025fac6..e16bfa9 100644 --- a/objects/generalizing-persuasion-framework/definition.json +++ b/objects/generalizing-persuasion-framework/definition.json 
@@ -5,98 +5,142 @@ "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 2 + "ui-priority": 20 }, - "actors_speaker": { - "description": "Types (e.g., elites, media, opinion leaders, friends/family). Motivations in crafting messages", + "actors_speaker_motivation": { + "description": "Motivations in crafting messages", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 1 + "ui-priority": 11 + }, + "actors_speaker_type": { + "description": "Types (e.g., elites, media, opinion leaders, friends/family).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "sane_default": [ + "Politician", + "Government Official", + "Law Enforcement", + "Media", + "Religious Leader", + "CEO/Executive", + "Community Leader", + "Teacher/Professor", + "Coache/Mentor", + "Expert in a specific field", + "Celebrity", + "Athlete", + "Social Media Personality", + "Trendsetter", + "Salesperson", + "Marketeer", + "Friend/Family", + "Lobbyist", + "Advocacy Group", + "Professional Association", + "Leaked document", + "Whistle-blower", + "Online forum", + "Algorithm" + ], + "ui-priority": 10 }, "outcomes_attitude": { "description": "General evaluation of an object (where the 'object' is broadly construed).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 6 + "ui-priority": 60 }, "outcomes_behavior": { "description": "Does not always follow from an attitude. Depends on attitude attributes, injunctive and descriptive norms, behavioral control, and emotions.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 7 + "ui-priority": 70 }, "outcomes_emotion": { "description": "Can inform conscious evaluations or override them.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 8 + "ui-priority": 80 }, "outcomes_identity": { "description": "A dimension of evaluation. 
Often activated when threatened.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 9 + "ui-priority": 90 }, - "settings_competition": { - "description": "Number of speakers. Number of receivers. Observers.", + "settings_competition_observers": { + "description": "Number of observers.", "disable_correlation": true, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10 + "misp-attribute": "float", + "ui-priority": 102 + }, + "settings_competition_receivers": { + "description": "Number of receivers.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 101 + }, + "settings_competition_speakers": { + "description": "Number of speakers.", + "disable_correlation": true, + "misp-attribute": "float", + "ui-priority": 100 }, "settings_culture": { "description": "Shapes understandings of topics. Alters salience of different values.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 14 + "ui-priority": 140 }, "settings_process": { "description": "Threatening settings. Political (conflictual) settings versus deliberative settings", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 13 + "ui-priority": 130 }, "settings_space": { "description": "Attitude or behavioral change in one setting may not generalize to other settings.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 11 + "ui-priority": 110 }, "settings_time": { "description": "Pretreatment effects—what happened prior to the persuasive message. Posttreatment duration—how long an effect lasts. Time between exposure and outcome measurement.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 12 + "ui-priority": 120 }, "treatments_medium": { "description": "Alters frames, processing goals, and/or effort. 
Interactions with other persuasion variables.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 5 + "ui-priority": 50 }, "treatments_message_content": { "description": "Argument strength (and inadequacy). Framing and evaluations. Matching to receivers' goals. Altering receivers' motivations (e.g., using narratives).", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 4 + "ui-priority": 40 }, "treatments_topic": { "description": "Persons/groups, issues, institutions, products. Variation within a topic (e.g., different policy issues)", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 3 + "ui-priority": 30 } }, "description": "By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman)", From 4e31ad218e852e580eeb6f3ad3b192e7a32df1de Mon Sep 17 00:00:00 2001 From: Jeroen Pinoy Date: Mon, 15 Apr 2024 21:07:07 +0200 Subject: [PATCH 04/37] add: [relationships] add a few relationship types and opposites --- relationships/definition.json | 41 ++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index a4523d9..e51cfaa 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
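Review bot: The three new `settings_competition_*` attributes are counts ("Number of observers.", "Number of receivers.", "Number of speakers.") but are typed `"misp-attribute": "float"`; `integer`, which this series itself uses for `http-code` in cs-beacon-config, fits a head count and stops fractional values from being accepted. The `sane_default` list of `actors_speaker_type` carries the typo `"Coache/Mentor"`; these values become the pick-list analysts select from, so fix it to `"Coach/Mentor"` before it lands in data. As far as the diffstat and the single hunk show, the tail of the file after the `description` context line (including `"version": 1`) is untouched although attributes were renamed and split, so unlike the other template changes in this series the version is not bumped; `"version": 2` is needed so instances holding version 1 pick up the new attribute set.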
@@ -1764,7 +1764,46 @@ ], "name": "is-acquired-by", "opposite": "acquires" + }, + { + "description": "The source object supports the target object.", + "format": [ + "misp" + ], + "name": "supports", + "opposite": "supported-by" + }, + { + "description": "The source object is supported by the target object.", + "format": [ + "misp" + ], + "name": "supported-by", + "opposite": "supports" + }, + { + "description": "The source object sponsors the target object.", + "format": [ + "misp" + ], + "name": "sponsors", + "opposite": "sponsored-by" + }, + { + "description": "The source object is sponsored by the target object.", + "format": [ + "misp" + ], + "name": "sponsored-by", + "opposite": "sponsors" + }, + { + "description": "The source object operates from the target object.", + "format": [ + "misp" + ], + "name": "operates-from" } ], - "version": 43 + "version": 44 } \ No newline at end of file From d371245037bf26f0e8af3307bcfd4bd61cb16ae7 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Thu, 18 Apr 2024 12:57:53 +0200 Subject: [PATCH 05/37] add deploy relationship --- relationships/definition.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 396a626..77e0e2e 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1748,7 +1748,23 @@ ], "name": "is-acquired-by", "opposite": "acquires" + }, + { + "description": "The source object deploys the target object.", + "format": [ + "misp" + ], + "name": "deploys", + "opposite": "is-deployed-by" + }, + { + "description": "The source object is deployed by the target object.", + "format": [ + "misp" + ], + "name": "is-deployed-by", + "opposite": "deploys" } ], - "version": 41 + "version": 42 } From 051605763eb4ca79b3f2113c176f698898c91af6 Mon Sep 17 00:00:00 2001 
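Review bot: The inverse names `supported-by` and `sponsored-by` follow the `shared-by` form, while the `is-acquired-by` context line right above them and the relationships added to this file in later patches of the series (`is-deployed-by`, `is-injected-by`, `is-interviewed-by`) use the `is-…-by` form; the file already mixes both, but pairs added together should agree, so consider `is-supported-by` / `is-sponsored-by` or state in the PR which form is canonical. `operates-from` is directional yet is the only new entry without an `"opposite"`; if no inverse is wanted, a short sentence in its description saying so would stop the next contributor from adding one ad hoc. The version bump here (43 → 44) and the one in the next patch (41 → 42) on the same file suggest different base revisions, which the later fix-up commits in this series then have to reconcile.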
From: David Cruciani Date: Thu, 18 Apr 2024 14:40:16 +0200 Subject: [PATCH 06/37] chg: [flowintel-cm] notes --- objects/flowintel-cm-case/definition.json | 8 ++++- .../flowintel-cm-task-note/definition.json | 35 +++++++++++++++++++ objects/flowintel-cm-task/definition.json | 8 +---- 3 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 objects/flowintel-cm-task-note/definition.json diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json index d516bb2..751f8ae 100644 --- a/objects/flowintel-cm-case/definition.json +++ b/objects/flowintel-cm-case/definition.json @@ -42,6 +42,12 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "notes": { + "description": "Notes of the case", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "origin-url": { "description": "Origin of the case", "disable_correlation": true, @@ -86,5 +92,5 @@ "meta-category": "misc", "name": "flowintel-cm-case", "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e", - "version": 2 + "version": 3 } \ No newline at end of file diff --git a/objects/flowintel-cm-task-note/definition.json b/objects/flowintel-cm-task-note/definition.json new file mode 100644 index 0000000..54aa2d5 --- /dev/null +++ b/objects/flowintel-cm-task-note/definition.json 
@@ -0,0 +1,35 @@ +{ + "attributes": { + "note": { + "description": "Notes of the task", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "note-uuid": { + "description": "UUID of the note", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 2 + }, + "origin-url": { + "description": "Origin of the task", + "disable_correlation": true, + "misp-attribute": "url", + "to_ids": false, + "ui-priority": 1 + }, + "task-uuid": { + "description": "UUID of the parent task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 2 + } + }, + "description": "A task's note as defined by flowintel-cm.", + "meta-category": "misc", + "name": "flowintel-cm-task-note", + "uuid": "2c6f6aba-48b6-482f-a810-81934d29be9a", + "version": 1 +} \ No newline at end of file diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json index fbd9f0d..3313f9f 100644 --- a/objects/flowintel-cm-task/definition.json +++ b/objects/flowintel-cm-task/definition.json @@ -37,12 +37,6 @@ "misp-attribute": "datetime", "ui-priority": 0 }, - "notes": { - "description": "Notes of the task", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, "origin-url": { "description": "Origin of the task", "disable_correlation": true, @@ -88,5 +82,5 @@ "meta-category": "misc", "name": "flowintel-cm-task", "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d", - "version": 3 + "version": 4 } \ No newline at end of file From b65199716fe712c44b4514175dd6929f8af19a0a Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Fri, 19 Apr 2024 13:22:18 +0200 Subject: [PATCH 07/37] Moar relationships --- relationships/definition.json | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index a8fc888..233e428 100644 --- a/relationships/definition.json 
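Review bot: The new `flowintel-cm-task-note` template declares neither `required` nor `requiredOneOf`, so a note object can be created without `task-uuid`, which after this patch is the only field tying a note back to its task now that `notes` is removed from `flowintel-cm-task`; `"required": ["task-uuid"]` (or at least `"requiredOneOf": ["note", "task-uuid"]`) keeps notes attached to something. `note` is marked `"multiple": true` although the object is described as "A task's note" with a single `note-uuid`; if one object is one note, drop `multiple`, otherwise `note-uuid` cannot say which text it identifies. The case template gains an inline `notes` attribute in the same patch while task notes move to a separate object, which looks deliberate but deserves a sentence in the commit description.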
+++ b/relationships/definition.json @@ -1819,7 +1819,30 @@ ], "name": "is-deployed-by", "opposite": "deploys" + }, + { + "description": "The source object interacts with the target object.", + "format": [ + "misp" + ], + "name": "interacts-with" + }, + { + "description": "The source object injects the target object.", + "format": [ + "misp" + ], + "name": "injects", + "opposite": "is-injected-by" + }, + { + "description": "The source object is injected by the target object.", + "format": [ + "misp" + ], + "name": "is-injected-by", + "opposite": "injects" } ], - "version": 45 -} \ No newline at end of file + "version": 46 +} From a2063078e5878601d4f60a3e47167720fa01a0e5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 19 Apr 2024 14:42:45 +0200 Subject: [PATCH 08/37] fix: [relationships] newline story --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 233e428..70c9101 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1845,4 +1845,4 @@ } ], "version": 46 -} +} \ No newline at end of file From 1abf2bf705be36d85e59a457551a9e24e55fc732 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 19 Apr 2024 14:53:38 +0200 Subject: [PATCH 09/37] chg: [relationships] `publishes` added --- relationships/definition.json | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 70c9101..011ea4a 100644 --- a/relationships/definition.json +++ b/relationships/definition.json 
@@ -36,6 +36,22 @@ "name": "shared-by", "opposite": "shares" }, + { + "description": "This relationship describes an object which publishes another object.", + "format": [ + "misp" + ], + "name": "publishes", + "opposite": "published-by" + }, + { + "description": "This relationship describes an object which was published by another object.", + "format": [ + "misp" + ], + "name": "published-by", + "opposite": "publishes" + }, { "description": "The referenced source and target objects are semantically duplicates of each other.", "format": [ @@ -1844,5 +1860,5 @@ "opposite": "injects" } ], - "version": 46 + "version": 47 } \ No newline at end of file From 93b43a31918c857f5b3867576140f5e5b6fd86ed Mon Sep 17 00:00:00 2001 From: menewol Date: Wed, 24 Apr 2024 14:11:50 +0200 Subject: [PATCH 10/37] Added Mattermost --- objects/instant-message/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json index 0c54e8f..d60d17a 100644 --- a/objects/instant-message/definition.json +++ b/objects/instant-message/definition.json @@ -22,7 +22,8 @@ "Discord", "Mumble", "Jabber", - "Twitter" + "Twitter", + "Mattermost" ], "ui-priority": 1 }, @@ -118,4 +119,4 @@ ], "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc", "version": 3 -} \ No newline at end of file +} From 16b354c04c3ef3889baf1c974549b27a91ee946e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 24 Apr 2024 14:30:19 +0200 Subject: [PATCH 11/37] chg: [instant-message] remove newlines --- objects/instant-message/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json index d60d17a..5847716 100644 --- a/objects/instant-message/definition.json +++ b/objects/instant-message/definition.json @@ -119,4 +119,4 @@ ], "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc", "version": 3 -} +} \ No newline at end of file 
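Review bot: `"version": 3` of the instant-message template is left unchanged while `sane_default` gains "Mattermost" (the only other change in this patch is the trailing newline), whereas every other template edit in this series bumps `version` together with the content change (flowintel-cm-case 2 → 3, ransomware-group-post 1 → 2), and instances that already hold version 3 get no signal to refresh the template. Bump it to `"version": 4`. The trailing-newline change is reverted by the very next patch, so it could simply be dropped from this one.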
From 1cf333f0206b8e525afac9794dca38a543ceeb98 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 24 Apr 2024 14:53:05 +0200 Subject: [PATCH 12/37] relationship interview --- relationships/definition.json | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index 233e428..affe3d3 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1842,7 +1842,23 @@ ], "name": "is-injected-by", "opposite": "injects" + }, + { + "description": "The source object interviews the target object.", + "format": [ + "misp" + ], + "name": "interviews", + "opposite": "is-interviewed-by" + }, + { + "description": "The source object is interviewed by the target object.", + "format": [ + "misp" + ], + "name": "is-interviewed-by", + "opposite": "interviews" } ], - "version": 46 -} + "version": 47 +} \ No newline at end of file From b1588baa0e00e3c1d54be43d37836d56befa3919 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 24 Apr 2024 15:02:10 +0200 Subject: [PATCH 13/37] fix version --- relationships/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index 4082289..94e5971 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1876,5 +1876,5 @@ "opposite": "interviews" } ], - "version": 47 -} \ No newline at end of file + "version": 48 +} From 3d78e17c4b99e68bee49ed0300c6b36ee08d04ee Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 24 Apr 2024 15:19:02 +0200 Subject: [PATCH 14/37] chg: [ransomware-group-post] updated with shadowserver object template format - underscores replaced with hyphen - descriptions added - decorrelation added for some fields --- objects/ransomware-group-post/definition.json | 66 ++++++++++++++++++- 1 file changed, 63 insertions(+), 3 deletions(-) 
diff --git a/objects/ransomware-group-post/definition.json b/objects/ransomware-group-post/definition.json index c9e1852..a28cc77 100644 --- a/objects/ransomware-group-post/definition.json +++ b/objects/ransomware-group-post/definition.json @@ -1,7 +1,26 @@ { "attributes": { + "actor-geo-stats-30d": { + "description": "actor-geo-stats-30d", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "actor-total-stats-30d": { + "description": "actor-total-stats-30d", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "date": { "description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "date-published": { + "description": "Initial published date of the post on the ransomware group blog.", + "disable_correlation": true, "misp-attribute": "datetime", "ui-priority": 0 }, 
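Review bot: `actor-geo-stats-30d` and `actor-total-stats-30d` carry descriptions that merely repeat the key (`"description": "actor-geo-stats-30d"`), so a consumer cannot tell what the text holds (a count, a percentage, a per-country breakdown, a serialized structure) or which 30-day window is meant, and the README guidance in this series asks for descriptions that explain scope and use. Replace them with wording that states the value and its window, e.g. `"description": "Actor statistics over the last 30 days, per country — <format of the value to be confirmed with the source>"`, and describe the other as the overall total. If the value is a serialized structure, `text` with `disable_correlation` is fine, but say so in the description.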
@@ -10,25 +29,66 @@ "misp-attribute": "text", "ui-priority": 1 }, + "entity-name": { + "description": "Entity name of the victim referenced in the post of the ransomware group.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "geo": { + "description": "Geographic (main) location of the victim referenced in the post of the ransomware group.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "leak-site-url": { + "description": "Link to the post.", + "misp-attribute": "link", + "ui-priority": 1 + }, "link": { "description": "Original URL location of the post.", "misp-attribute": "link", "ui-priority": 1 }, + "ransomware-group": { + "description": "Ransomware group where the post is mentioned.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "sector": { + "description": "Sector (main) of the victim referenced in the post of the ransomware group.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "severity": { + "description": "Severity of the post mentioned.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "title": { "description": "Title of blog post.", "misp-attribute": "text", "ui-priority": 1 + }, + "website": { + "description": "Website of the victim referenced in the post of the ransomware group.", + "misp-attribute": "link", + "ui-priority": 1 } }, - "description": "Ransomware group post as monitored by ransomlook.io", + "description": "Ransomware group post as monitored by ransomlook.io or others", "meta-category": "misc", "name": "ransomware-group-post", "requiredOneOf": [ "title", "description", - "link" + "link", + "website", + "leak-site-url" ], "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39", - "version": 1 + "version": 2 } \ No newline at end of file From 7f95d3290a4b55cb9d1ada0d22ce92397b133930 Mon Sep 17 00:00:00 2001 
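Review bot: `leak-site-url` ("Link to the post.") and the pre-existing `link` ("Original URL location of the post.") describe the same thing, and both are now listed in `requiredOneOf`, so different producers will fill different fields for the same fact and searches will miss half of them. Either state the distinction in both descriptions (for instance which one is the leak-site address the post lives on and which one is the location it was crawled from) or drop one of them. `entity-name` and `website` are the only new fields without `disable_correlation`, presumably deliberate for victim pivoting, but `website` typed `link` will also correlate with any unrelated event that carries the victim's site as an indicator; if that is intended, a note in the description avoids a later noise complaint.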
From: Alexandre Dulaunoy Date: Wed, 24 Apr 2024 16:19:47 +0200 Subject: [PATCH 15/37] chg: [cs-beacon-config] major update following shadowserver.org requirements - Fixed some matching type instead of text (like size-in-bytes or integer) - Added many fields and replace name with `_` to `-` - Added some basic description --- objects/cs-beacon-config/definition.json | 91 +++++++++++++++++++++++- 1 file changed, 88 insertions(+), 3 deletions(-) diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json index 48c8111..6c9251e 100644 --- a/objects/cs-beacon-config/definition.json +++ b/objects/cs-beacon-config/definition.json @@ -1,11 +1,43 @@ { "attributes": { + "architecture": { + "description": "Hardware architecture of the sample", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "asn": { "description": "Originating ASN for the CS Beacon Config", "disable_correlation": true, "misp-attribute": "AS", "ui-priority": 0 }, + "beacon-host": { + "description": "Beacon host IP", + "misp-attribute": "ip-dst", + "ui-priority": 0 + }, + "beacon-type": { + "description": "Beacon type used", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "binary-md5": { + "description": "MD5 of the binary delivered", + "misp-attribute": "md5", + "ui-priority": 0 + }, + "binary-sha1": { + "description": "SHA1 of the binary delivered", + "misp-attribute": "sha1", + "ui-priority": 0 + }, + "binary-sha256": { + "description": "SHA256 of the binary delivered", + "misp-attribute": "sha256", + "ui-priority": 0 + }, "c2": { "categories": [ "Network activity" 
@@ -21,12 +53,66 @@
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "config-md5": {
+ "description": "MD5 of the configuration",
+ "misp-attribute": "md5",
+ "ui-priority": 0
+ },
+ "config-sha1": {
+ "description": "SHA1 of the configuration",
+ "misp-attribute": "sha1",
+ "ui-priority": 0
+ },
+ "config-sha256": {
+ "description": "SHA256 of the configuration",
+ "misp-attribute": "sha256",
+ "ui-priority": 0
+ },
+ "content-length": {
+ "disable_correlation": true,
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
+ "content-type": {
+ "description": "Content/type received",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "encoded-data": {
+ "description": "Encoded payload data in Base64",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "encoded-length": {
+ "description": "Length of the encoded data",
+ "disable_correlation": true,
+ "misp-attribute": "size-in-bytes",
+ "ui-priority": 0
+ },
 "geo": {
 "description": "Country location of the CS Beacon Config",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 0
 },
+ "http": {
+ "description": "HTTP protocol used",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "http-code": {
+ "description": "HTTP return code",
+ "disable_correlation": true,
+ "misp-attribute": "integer",
+ "ui-priority": 0
+ },
+ "http-url": {
+ "description": "HTTP url path of the beacon",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "ip": {
 "description": "IP of the C2",
 "misp-attribute": "ip-dst",
@@ -55,10 +141,9 @@
 "ui-priority": 1
 },
 "naics": {
- "description": "North American Industry Classification System Code",
+ "description": "NAICS code",
 "disable_correlation": true,
 "misp-attribute": "text",
- "multiple": true,
 "ui-priority": 0
 },
 "sector": {
@@ -112,5 +197,5 @@
 "watermark"
 ],
 "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
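Review bot: `http-url` is typed `text` although the value is a URI path, so it will not correlate with `uri`/`url` attributes from other objects and skips MISP's type validation; `"misp-attribute": "uri"` looks like the right type unless the field deliberately holds something that is not a path. `http` ("HTTP protocol used") does not say which value is expected — a version such as HTTP/1.1, a scheme, or a method — and `content-type` ("Content/type received") has the same gap; one short example in each description would settle it. `content-length` has no description at all, which the commit message's "Added some basic description" suggests was an oversight.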
From f3724ad19be18deb86b675d6e05c7b1771200ca0 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2024 16:23:53 +0200
Subject: [PATCH 16/37] fix: [cs-beacon-config] updated the NAICS description
---
 objects/cs-beacon-config/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
index 6c9251e..6d27dc1 100644
--- a/objects/cs-beacon-config/definition.json
+++ b/objects/cs-beacon-config/definition.json
@@ -141,9 +141,10 @@
 "ui-priority": 1
 },
 "naics": {
- "description": "NAICS code",
+ "description": "North American Industry Classification System Code (NAICS)",
 "disable_correlation": true,
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 0
 },
 "sector": {
@@ -197,5 +198,5 @@
 "watermark"
 ],
 "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
From 9f98d15a6f264238a1f8b6fd9226f8d0c53ab056 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2024 16:29:33 +0200
Subject: [PATCH 17/37] fix: [cs-beacong-config] typo fixed
---
 objects/cs-beacon-config/definition.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
index 6d27dc1..454e0e8 100644
--- a/objects/cs-beacon-config/definition.json
+++ b/objects/cs-beacon-config/definition.json
@@ -69,6 +69,7 @@
 "ui-priority": 0
 },
 "content-length": {
+ "description": "Content length of the payload",
 "disable_correlation": true,
 "misp-attribute": "size-in-bytes",
 "ui-priority": 0
From 8aea824bbe5bf4c4f5aa2c1fa507f5a1e9b1ca45 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2024 16:34:36 +0200
Subject: [PATCH 18/37] chg: [doc] updated
---
 README.md | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index f840cea..f71f32b 100644
--- a/README.md
+++ b/README.md
@@ -153,7 +153,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s). - [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions. - [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search. -- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report. +- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report. - [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys. - [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction. - [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config. 
@@ -169,7 +169,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain. - [objects/domain-crawled](https://github.com/MISP/misp-objects/blob/main/objects/domain-crawled/definition.json) - A domain crawled over time. - [objects/domain-ip](https://github.com/MISP/misp-objects/blob/main/objects/domain-ip/definition.json) - A domain/hostname and IP address seen as a tuple in a specific time frame. -- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report. +- [objects/edr-report](https://github.com/MISP/misp-objects/blob/main/objects/edr-report/definition.json) - An Object Template to encode an EDR detection report. - [objects/elf](https://github.com/MISP/misp-objects/blob/main/objects/elf/definition.json) - Object describing a Executable and Linkable Format. - [objects/elf-section](https://github.com/MISP/misp-objects/blob/main/objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format. - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information. 
@@ -190,6 +190,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information. - [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm. - [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm. +- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm. - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case. - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence. - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document. 
@@ -336,7 +337,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format. - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml. - [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents. -- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io. +- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others. - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account. - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment. - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post. From 42b48439daecb1dbf96df041288e221458669885 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 24 Apr 2024 16:42:39 +0200 Subject: [PATCH 19/37] chg: [ransomware-group-post] severity field sane default added --- objects/ransomware-group-post/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/objects/ransomware-group-post/definition.json b/objects/ransomware-group-post/definition.json index a28cc77..5601f60 100644 --- a/objects/ransomware-group-post/definition.json +++ b/objects/ransomware-group-post/definition.json 
@@ -66,6 +66,13 @@
 "description": "Severity of the post mentioned.",
 "disable_correlation": true,
 "misp-attribute": "text",
+ "sane_default": [
+ "critical",
+ "high",
+ "medium",
+ "low",
+ "info"
+ ],
 "ui-priority": 1
 },
 "title": {
@@ -90,5 +97,5 @@
 "leak-site-url"
 ],
 "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
From 2061c353feda50315c2bc901413df17a06432616 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 24 Apr 2024 16:47:47 +0200
Subject: [PATCH 20/37] fix: [ransomware-group-post] added the missing descriptions for `actor-geo-stats-30d` and `actor-total-stats-30d`
---
 objects/ransomware-group-post/definition.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/ransomware-group-post/definition.json b/objects/ransomware-group-post/definition.json
index 5601f60..c1f070d 100644
--- a/objects/ransomware-group-post/definition.json
+++ b/objects/ransomware-group-post/definition.json
@@ -1,13 +1,13 @@
 {
 "attributes": {
 "actor-geo-stats-30d": {
- "description": "actor-geo-stats-30d",
+ "description": "Count of how many other victims were publicly leaked by the same ransomware actor in the country of the victim during the past 30 days",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 1
 },
 "actor-total-stats-30d": {
- "description": "actor-total-stats-30d",
+ "description": "Count of how many other victims were publicly leaked by the same ransomware actor worldwide during the past 30 days",
 "disable_correlation": true,
 "misp-attribute": "text",
 "ui-priority": 1
@@ -97,5 +97,5 @@
 "leak-site-url"
 ],
 "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
- "version": 3
+ "version": 4
 }
\ No newline at end of file
From 3a2c160630941f01f9cd989197e1e27a18936012 Mon Sep 17 00:00:00 2001
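Review bot: `actor-geo-stats-30d` and `actor-total-stats-30d` are now documented as counts ("Count of how many other victims ...") but keep `"misp-attribute": "text"`, so the value is stored as a string and cannot be filtered, compared or sorted numerically. MISP's `counter` type, or `integer` as used for `http-code` elsewhere in this series, fits the documented meaning, e.g. `"misp-attribute": "counter"`; since that changes the type of an existing attribute it belongs with the version bump this commit already makes. The descriptions also leave open whether the 30-day window is anchored on the post's publication date or on the time the producer computed the statistic; one clause settling that would let consumers compare values from different feeds.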
From: Alexandre Dulaunoy
Date: Thu, 25 Apr 2024 08:59:30 +0200
Subject: [PATCH 21/37] chg: [relationships] updated
---
 relationships/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 94e5971..2c52bc6 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1877,4 +1877,4 @@
 }
 ],
 "version": 48
-}
+}
\ No newline at end of file
From 28328aa53d808921fcab752016c6c6a0b8e40808 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 25 Apr 2024 11:18:26 +0200
Subject: [PATCH 22/37] chg: [registry-key] added Artifacts dropped as potential category
---
 objects/registry-key/definition.json | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index 0eea7a7..97ef45c 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -2,7 +2,8 @@
 "attributes": {
 "data": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Data stored in the registry key",
 "misp-attribute": "text",
@@ -10,7 +11,8 @@
 },
 "data-type": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Registry value type",
 "disable_correlation": true,
@@ -35,7 +37,8 @@
 },
 "hive": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Hive used to store the registry key (file on disk)",
 "disable_correlation": true,
@@ -44,7 +47,8 @@
 },
 "key": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Full key path",
 "misp-attribute": "regkey",
@@ -60,7 +64,8 @@
 },
 "name": {
 "categories": [
- "Persistence mechanism"
+ "Persistence mechanism",
+ "Artifacts dropped"
 ],
 "description": "Name of the registry key",
 "misp-attribute": "text",
@@ -98,5 +103,5 @@
 "data"
 ],
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
- "version": 4
-}
\ No newline at end of file
+ "version": 5
+}
From c83372377e518bba9b1d688a073015c69d60d9fc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 25 Apr 2024 11:20:46 +0200
Subject: [PATCH 23/37] chg: [registry-key] jq all the things
---
 objects/registry-key/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/registry-key/definition.json b/objects/registry-key/definition.json
index 97ef45c..e2253ef 100644
--- a/objects/registry-key/definition.json
+++ b/objects/registry-key/definition.json
@@ -104,4 +104,4 @@
 ],
 "uuid": "8b3228ad-6d82-4fe6-b2ae-05426308f1d5",
 "version": 5
-}
+}
\ No newline at end of file
From 63557164cd34b54847511a91f9da6bb96662e747 Mon Sep 17 00:00:00 2001
From: Jeroen Pinoy
Date: Sat, 27 Apr 2024 15:30:32 +0200
Subject: [PATCH 24/37] chg: [relationships] add initiated-by, summarizes, summarized-by
---
 relationships/definition.json | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 2c52bc6..429032a 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -882,9 +882,19 @@
 {
 "description": "Represents the semantic link of a communication initiating an event.",
 "format": [
- "alfred"
+ "alfred",
+ "misp"
 ],
- "name": "initiates"
+ "name": "initiates",
+ "opposite": "initiated-by"
+ },
+ {
+ "description": "The source object initiated the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "initiated-by",
+ "opposite": "initiates"
 },
 {
 "description": "Represents the semantic link between a FILE and FILE_BINARY.",
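Review bot: The description of the new `initiated-by` relationship is inverted: "The source object initiated the target object." is the meaning of `initiates`, not of its opposite, so anyone choosing a relationship from the description will pick the wrong direction. For `initiated-by` the source is the thing that was initiated, so the line should read `"description": "The source object was initiated by the target object.",` — the `summarizes`/`summarized-by` pair added in the next hunk gets the wording right and is the pattern to copy. The existing `initiates` description ("Represents the semantic link of a communication initiating an event.") is also much narrower than the generic opposite now attached to it; aligning it to `"The source object initiated the target object."` would make the pair read symmetrically.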
@@ -1874,7 +1884,23 @@
 ],
 "name": "is-interviewed-by",
 "opposite": "interviews"
+ },
+ {
+ "description": "The source object summarizes the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "summarizes",
+ "opposite": "summarized-by"
+ },
+ {
+ "description": "The source object is summarized by the target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "summarized-by",
+ "opposite": "summarizes"
 }
 ],
- "version": 48
+ "version": 49
 }
\ No newline at end of file
From da5a569784107450e23d6d4738498a5641614584 Mon Sep 17 00:00:00 2001
From: Andras Iklody
Date: Thu, 2 May 2024 13:18:19 +0200
Subject: [PATCH 25/37] organization object - Added "private" to the list of sectors as suggested by Monsieur Hamm.
---
 objects/organization/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index ca3fd9c..fef883b 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -117,6 +117,7 @@
 "mining",
 "non-profit",
 "pharmaceuticals",
+ "private",
 "retail",
 "technology",
 "telecommunication",
@@ -139,5 +140,5 @@
 "alias"
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
- "version": 7
-}
\ No newline at end of file
+ "version": 8
+}
From 73d94b8e2deb4a855d0b855726c906b8ed441ff4 Mon Sep 17 00:00:00 2001
From: iglocska
Date: Thu, 2 May 2024 13:23:48 +0200
Subject: [PATCH 26/37] fix: [jq] all the things
---
 objects/organization/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index fef883b..2066f40 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -141,4 +141,4 @@
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
 "version": 8
-}
+}
\ No newline at end of file
From e65878874e8a6461da9d7548476e6dd5412e780c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 3 May 2024 22:04:04 +0200
Subject: [PATCH 27/37] chg: [organization] add a MISP UUID if present
---
 objects/organization/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/organization/definition.json b/objects/organization/definition.json
index 2066f40..4aac6e9 100644
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@@ -45,6 +45,12 @@
 "multiple": true,
 "ui-priority": 10
 },
+ "misp-uuid": {
+ "description": "MISP UUID of the organization",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 97
+ },
 "name": {
 "description": "Name of the organization",
 "disable_correlation": false,
@@ -140,5 +146,5 @@
 "alias"
 ],
 "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
- "version": 8
+ "version": 9
 }
\ No newline at end of file
From a193e03ad200baddcdc0d5fad1cc1d8bd1276b7f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 7 May 2024 09:36:13 +0200
Subject: [PATCH 28/37] chg: [cs-beacon-config] encoded-data as file attachment instead of text As encoded-data might be large and not really useful to be displayed in the UI of MISP. We moved it to an `attachment` attribute type. We keep the `attachment` as Base64 to avoid any risk of people downloading or executing as potential malicious file. So it MUST be encoded in Base64 as it was before.
---
 objects/cs-beacon-config/definition.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
index 454e0e8..94fccc7 100644
--- a/objects/cs-beacon-config/definition.json
+++ b/objects/cs-beacon-config/definition.json
@@ -81,8 +81,8 @@
 "ui-priority": 0
 },
 "encoded-data": {
- "description": "Encoded payload data in Base64",
- "misp-attribute": "text",
+ "description": "Encoded payload data in Base64 as file attachment",
+ "misp-attribute": "attachment",
 "ui-priority": 0
 },
 "encoded-length": {
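Review bot: `misp-uuid` is a free-text attribute with `multiple: true` and correlation left enabled, and its description does not say which MISP instance's UUID is meant or why several values are expected, so producers may put anything in it and consumers cannot rely on it being a UUID. A description that pins the contract, e.g. `"description": "UUID of the organisation as registered on a MISP instance (one value per instance the organisation is known on), in RFC 4122 format"`, would remove the guesswork, and if correlating on it is the goal — linking the same organisation across events — saying so is worth a few words. The `ui-priority` of 97 is far outside the 0–10 range used by the other attributes visible in this file; presumably intentional to push the field to the bottom, but a stray value is easy to mistake for a typo.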
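Review bot: The commit message's hard requirement — the attachment MUST stay Base64-encoded so nobody downloads or runs a raw payload — is not carried into the template: the new description only says "as file attachment", and nothing in the definition expresses or checks the constraint. The description is the only place a producer sees, so it should state the rule, e.g. `"description": "Payload data as a file attachment; the content must remain Base64-encoded (never the raw binary) so the attachment is not a directly executable sample"`. A producer that uploads raw bytes here would still validate, so consumers should treat the encoding as a convention to verify rather than a guarantee.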
@@ -199,5 +199,5 @@
 "watermark"
 ],
 "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
- "version": 6
+ "version": 7
 }
\ No newline at end of file
From 97eb9b974d9863a8e91b147276927c7511931e80 Mon Sep 17 00:00:00 2001
From: Martin Waleczek
Date: Fri, 24 May 2024 10:20:40 +0200
Subject: [PATCH 29/37] add 'hostname' for scanning host to object 'research-scanner'
---
 objects/research-scanner/definition.json | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
index 2cb71c1..bca92b4 100644
--- a/objects/research-scanner/definition.json
+++ b/objects/research-scanner/definition.json
@@ -43,6 +43,16 @@
 "multiple": true,
 "ui-priority": 1
 },
+ "scanning_host": {
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "description": "Scanning host used by project",
+ "misp-attribute": "hostname",
+ "multiple": true,
+ "ui-priority": 1
+ },
 "scanning_ip": {
 "categories": [
 "Network activity",
From ffd9120eb1aa346b64b42af0a9ddda50d53a5caa Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 27 May 2024 10:22:53 +0200
Subject: [PATCH 30/37] fix: [research-scanner] version updated
---
 objects/research-scanner/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
index bca92b4..678092c 100644
--- a/objects/research-scanner/definition.json
+++ b/objects/research-scanner/definition.json
@@ -86,5 +86,5 @@
 "scanning_ip"
 ],
 "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
- "version": 20190102
+ "version": 20240527
 }
\ No newline at end of file
From 0b971906ad76455b10a07f82027b03ddbff89ce5 Mon Sep 17 00:00:00 2001
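Review bot: `scanning_host` is a `hostname` attribute with neither `to_ids` nor `disable_correlation` set, on an object that describes benign research-scanning infrastructure; unless the type default is overridden, these hostnames can be exported as detection indicators and end up blocking legitimate scanners. The sibling `scanning_ip` definition is cut off at the end of the hunk, so I cannot see whether it sets `"to_ids": false`; if it does, the new attribute should match it, and if it does not, both probably should. The description "Scanning host used by project" could also say whether a fully qualified name or a bare host label is expected, since the two will not correlate with each other.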
From: samitainio <5585477+samitainio@users.noreply.github.com>
Date: Sun, 9 Jun 2024 22:30:04 +0300
Subject: [PATCH 31/37] Add: phone-number object
---
 objects/phone-number/definition.json | 72 ++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 objects/phone-number/definition.json
diff --git a/objects/phone-number/definition.json b/objects/phone-number/definition.json
new file mode 100644
index 0000000..c740790
--- /dev/null
+++ b/objects/phone-number/definition.json
@@ -0,0 +1,72 @@
+{
+ "attributes": {
+ "country-code": {
+ "category": "Person",
+ "description": "Country code in text format (e.g., US)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "object_relation": "country-code",
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "country-code-numeric": {
+ "category": "Person",
+ "description": "Country code as per the E.164 numbering plan (e.g., +1)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "object_relation": "country-code-numeric",
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "national-destination-code": {
+ "category": "Person",
+ "description": "National destination code as per the E.164 numbering plan (e.g., 415)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "object_relation": "national-destination-code",
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "phone-number": {
+ "category": "Person",
+ "description": "Phone number in E.164 format (e.g., +14155552671)",
+ "disable_correlation": false,
+ "misp-attribute": "phone-number",
+ "multiple": false,
+ "object_relation": "phone-number",
+ "to_ids": false,
+ "ui-priority": 3
+ },
+ "subscriber-number": {
+ "category": "Person",
+ "description": "Subscriber number as per the E.164 numbering plan (e.g., 5552671)",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "object_relation": "subscriber-number",
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "text": {
+ "category": "Person",
+ "description": "Description or additional information about the phone number.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": false,
+ "object_relation": "text",
+ "to_ids": false,
+ "ui-priority": 2
+ }
+ },
+ "description": "Phone number based on the E.164 international public telecommunication numbering plan",
+ "meta-category": "mobile",
+ "name": "phone-number",
+ "required": [
+ "phone-number"
+ ],
+ "uuid": "c4b5a67c-63d2-11ec-90d6-0242ac120003",
+ "version": 1
+}
\ No newline at end of file
From 23faffab2eecf22e29de14b522b9a4386bc402bb Mon Sep 17 00:00:00 2001
From: samitainio <5585477+samitainio@users.noreply.github.com>
Date: Sun, 9 Jun 2024 22:39:41 +0300
Subject: [PATCH 32/37] chg: remove categories and object_relation definitions from phone-number
---
 objects/phone-number/definition.json | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/objects/phone-number/definition.json b/objects/phone-number/definition.json
index c740790..4b69efc 100644
--- a/objects/phone-number/definition.json
+++ b/objects/phone-number/definition.json
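Review bot: `country-code` ("Country code in text format (e.g., US)") does not name a standard, so producers may submit ISO 3166-1 alpha-2, alpha-3 or a country name and the field will hold an unsortable mix; `"description": "Country code as ISO 3166-1 alpha-2 (e.g., US)"` would settle it. `country-code-numeric` has the mirror-image problem: E.164 calls this value the country calling code, and the example `+1` is shared by many countries, so "E.164 country calling code (e.g., +1)" would be the accurate wording and would keep it from being confused with a numeric ISO 3166-1 code. The `phone-number` attribute is the only one that correlates, which is the right choice for a PII-bearing object; a short note in the object description that the decomposed parts are informational and the E.164 value is the key would make that intent explicit.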
@@ -1,62 +1,50 @@
 {
 "attributes": {
 "country-code": {
- "category": "Person",
 "description": "Country code in text format (e.g., US)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": false,
- "object_relation": "country-code",
 "to_ids": false,
 "ui-priority": 1
 },
 "country-code-numeric": {
- "category": "Person",
 "description": "Country code as per the E.164 numbering plan (e.g., +1)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": false,
- "object_relation": "country-code-numeric",
 "to_ids": false,
 "ui-priority": 1
 },
 "national-destination-code": {
- "category": "Person",
 "description": "National destination code as per the E.164 numbering plan (e.g., 415)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": false,
- "object_relation": "national-destination-code",
 "to_ids": false,
 "ui-priority": 0
 },
 "phone-number": {
- "category": "Person",
 "description": "Phone number in E.164 format (e.g., +14155552671)",
 "disable_correlation": false,
 "misp-attribute": "phone-number",
 "multiple": false,
- "object_relation": "phone-number",
 "to_ids": false,
 "ui-priority": 3
 },
 "subscriber-number": {
- "category": "Person",
 "description": "Subscriber number as per the E.164 numbering plan (e.g., 5552671)",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": false,
- "object_relation": "subscriber-number",
 "to_ids": false,
 "ui-priority": 0
 },
 "text": {
- "category": "Person",
 "description": "Description or additional information about the phone number.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": false,
- "object_relation": "text",
 "to_ids": false,
 "ui-priority": 2
 }
From 386530d73aeebaf35286d3308db14f668e4bb2ff Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2024 07:42:28 +0200
Subject: [PATCH 33/37] new: [ddos-claim] new object added describing DDoS claim (a discussed st FIRST2024
---
 objects/ddos-claim/definition.json | 51 ++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 objects/ddos-claim/definition.json
diff --git a/objects/ddos-claim/definition.json b/objects/ddos-claim/definition.json
new file mode 100644
index 0000000..ff30e3f
--- /dev/null
+++ b/objects/ddos-claim/definition.json
@@ -0,0 +1,51 @@
+{
+ "attributes": {
+ "claim-validity": {
+ "description": "Validity of the claim. Valid means the target confirmed the detection of DDoS activities.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Unknown",
+ "Valid",
+ "Invalid"
+ ],
+ "ui-priority": 0
+ },
+ "proof": {
+ "description": "Proof of the claim in text format.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "proof-screenshot": {
+ "description": "Proof of the screenshot.",
+ "misp-attribute": "attachment",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "reference": {
+ "description": "Reference to the DDoS claim.",
+ "disable_correlation": true,
+ "misp-attribute": "link",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "target": {
+ "description": "Target of the DDoS claim.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "description": "DDoS-claim object describes a current claim of DDoS activity.",
+ "meta-category": "network",
+ "name": "ddos-claim",
+ "requiredOneOf": [
+ "target",
+ "proof",
+ "reference"
+ ],
+ "uuid": "2722ac76-1f1f-43b7-bc68-ba5465ec5c04",
+ "version": 1
+}
\ No newline at end of file
From 1af532033b0835b8b6dfd651dbf171c74e91516e Mon Sep 17 00:00:00 2001
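Review bot: `target` is a single free-text attribute with `disable_correlation: true`, although the target of a claim is precisely the value analysts want matched against `ddos` objects and against other claims — a domain, hostname, IP or URL — so two claims against the same target will never be linked and a claim can name only one target. Consider `"multiple": true` with correlation left on, or typed siblings such as `target-domain` / `target-ip`, whichever matches how producers actually fill it. The object also carries no attribute for who made the claim or when it was made, so that context must come from relationships or the event; if that is the intended design, a sentence in the object description would stop consumers from guessing. The `sane_default` values here are capitalised ("Unknown", "Valid", "Invalid") while the severity list added to ransomware-group-post earlier in this series is lowercase; one convention across templates would be kinder to anyone filtering on them.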
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2024 08:09:20 +0200
Subject: [PATCH 34/37] fix: [ddos-claim] clarify the validity based on CERT-EU feedback
---
 objects/ddos-claim/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/ddos-claim/definition.json b/objects/ddos-claim/definition.json
index ff30e3f..5494e6d 100644
--- a/objects/ddos-claim/definition.json
+++ b/objects/ddos-claim/definition.json
@@ -1,7 +1,7 @@
 {
 "attributes": {
 "claim-validity": {
- "description": "Validity of the claim. Valid means the target confirmed the detection of DDoS activities.",
+ "description": "Validity of the claim. Valid means, a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "sane_default": [
From cd4c09036a97d9ad2c4cf26fdf2442fa9f1dd869 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2024 08:23:30 +0200
Subject: [PATCH 35/37] chg: [tools] fix the reference to the standard git repository
---
 tools/updated.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/updated.sh b/tools/updated.sh
index acc0c56..f385432 100644
--- a/tools/updated.sh
+++ b/tools/updated.sh
@@ -2,5 +2,5 @@ python3 adoc_objects.py >a.txt
 mv a.txt objects.txt
 asciidoctor-pdf -a allow-uri-read objects.txt
 asciidoctor -a allow-uri-read objects.txt
-cp objects.html ../../misp-website-new/static
-cp objects.pdf ../../misp-website-new/static
+cp objects.html ../../misp-website/static
+cp objects.pdf ../../misp-website/static
From 4e3ea4ff94901f573764b1c5631ed61c9b5e49a4 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 14 Jun 2024 08:25:23 +0200
Subject: [PATCH 36/37] chg: [doc] updated
---
 README.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index f71f32b..a904b53 100644
--- a/README.md
+++ b/README.md
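Review bot: The two rewritten `cp` lines run unconditionally, so if `asciidoctor` or `asciidoctor-pdf` fails on the preceding lines the script still publishes whatever stale `objects.html`/`objects.pdf` happen to be lying around into the website checkout. Chaining the generation and copy steps, e.g. `asciidoctor -a allow-uri-read objects.txt && cp objects.html ../../misp-website/static`, or a `set -e` at the top of the script (which is outside this hunk) would stop a broken build from being published silently.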
@@ -161,6 +161,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection. - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern. - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field. +- [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity. - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device. - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks. - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes. 
@@ -328,6 +329,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis. - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit. - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone. +- [objects/phone-number](https://github.com/MISP/misp-objects/blob/main/objects/phone-number/definition.json) - Phone number based on the E.164 international public telecommunication numbering plan. - [objects/physical-impact](https://github.com/MISP/misp-objects/blob/main/objects/physical-impact/definition.json) - Physical Impact object as described in STIX 2.1 Incident object extension. - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address. - [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure. From e3288ef6e516624e3e335939a2b7fe4aef5ce510 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 18 Jun 2024 09:52:57 +0200 Subject: [PATCH 37/37] fix: [ddos-claim] descriptions fixed following CERT-SE feedback --- objects/ddos-claim/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/ddos-claim/definition.json b/objects/ddos-claim/definition.json index 5494e6d..049b0f6 100644 --- a/objects/ddos-claim/definition.json +++ b/objects/ddos-claim/definition.json 
@@ -12,14 +12,14 @@
 "ui-priority": 0
 },
 "proof": {
- "description": "Proof of the claim in text format.",
+ "description": "The claim in text format.",
 "disable_correlation": true,
 "misp-attribute": "text",
 "multiple": true,
 "ui-priority": 0
 },
 "proof-screenshot": {
- "description": "Proof of the screenshot.",
+ "description": "Screenshot of the claim.",
 "misp-attribute": "attachment",
 "multiple": true,
 "ui-priority": 0
@@ -47,5 +47,5 @@
 "reference"
 ],
 "uuid": "2722ac76-1f1f-43b7-bc68-ba5465ec5c04",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
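Review bot: After this change the attribute keyed `proof` is described as "The claim in text format.", so the relation name and the description now point at different things, and `requiredOneOf` (in the next hunk's context) still lists `proof` as one of the ways to satisfy the object. Renaming the relation would break objects already created against version 1, so the description should at least reconcile the two, e.g. `"description": "Text of the claim as published by the claimant (relation kept as proof for compatibility)."`, and `proof-screenshot` could say it is the visual counterpart of that text.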