From 430df1cf4818214c794dd1712650467a7c4f2f1c Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 31 Jan 2022 07:45:38 +0100
Subject: [PATCH 1/2] new: [identity] from STIX 2.1 - 4.5 - new object template
Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector).
Ref: 4.5 Identity
---
objects/identity/definition.json | 90 ++++++++++++++++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 objects/identity/definition.json
diff --git a/objects/identity/definition.json b/objects/identity/definition.json
new file mode 100644
index 0000000..4a08de0
--- /dev/null
+++ b/objects/identity/definition.json
@@ -0,0 +1,90 @@
+{
+ "attributes": {
+ "contact_information": {
+ "description": "The contact information (e-mail, phone number, etc.) for this Identity. No format for this information is currently defined by this specification.",
+ "misp-attribute": "text",
+ "ui-priority": 18
+ },
+ "description": {
+ "description": "A description that provides more details and context about the Identity, potentially including its purpose and its key characteristics.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 10
+ },
+ "identity_class": {
+ "description": "The type of entity that this Identity describes, e.g., an individual or organization.",
+ "misp-attribute": "text",
+ "sane_default": [
+ "individual",
+ "group",
+ "system",
+ "organization",
+ "class",
+ "unknown"
+ ],
+ "ui-priority": 16
+ },
+ "name": {
+ "description": "The name of this Identity. When referring to a specific entity (e.g., an individual or organization), this property SHOULD contain the canonical name of the specific entity.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "roles": {
+ "description": "The list of roles that this Identity performs (e.g., CEO, Domain Administrators, Doctors, Hospital, or Retailer).",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 15
+ },
+ "sectors": {
+ "description": "Description of the organization",
+ "misp-attribute": "text",
+ "multiple": true,
+ "sane_default": [
+ "agriculture",
+ "aerospace",
+ "automotive",
+ "chemical",
+ "commercial",
+ "communication",
+ "construction",
+ "defense",
+ "education",
+ "energy",
+ "entertainment",
+ "financial-services",
+ "government",
+ "government emergency-services",
+ "government government-local",
+ "government-national",
+ "government-public-services",
+ "government-regional",
+ "healthcare",
+ "hospitality-leasure",
+ "infrastructure",
+ "infrastructure dams",
+ "infrastructure nuclear",
+ "infrastructure water",
+ "insurance",
+ "manufacturing",
+ "mining",
+ "non-profit",
+ "pharmaceuticals",
+ "retail",
+ "technology",
+ "telecommunication",
+ "transportation",
+ "utilities"
+ ],
+ "ui-priority": 17
+ }
+ },
+ "description": "Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5)",
+ "meta-category": "misc",
+ "name": "identity",
+ "requiredOneOf": [
+ "name"
+ ],
+ "uuid": "ae85b960-b507-4de2-a32c-9cfb8f25f990",
+ "version": 1
+}
\ No newline at end of file
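Review bot: The `sectors` attribute has the description `"Description of the organization"`, which does not describe the field; something like `"description": "The list of industry sectors that this Identity belongs to."` would match the other attributes. In its `sane_default` list, five entries contain a space (`government emergency-services`, `government government-local`, `infrastructure dams`, `infrastructure nuclear`, `infrastructure water`) while their siblings are single hyphenated tokens such as `government-national`, and `hospitality-leasure` looks like a misspelling of `hospitality-leisure`. These strings are presumably matched verbatim when filtering events or mapping to and from STIX, so the list should be checked against the STIX 2.1 industry-sector vocabulary before merge. Separately, `contact_information` holds e-mail addresses and phone numbers as free `text` with correlation left on, whereas `description` sets `"disable_correlation": true`; it is worth deciding explicitly which behaviour is wanted for personal contact data.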
From 8cd68cdfd60e9097910d655d3a3839561c1f60b2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 1 Feb 2022 16:25:24 +0100
Subject: [PATCH 2/2] new: [artifact] The Artifact object permits capturing an
array of bytes (8-bits), as a base64-encoded string, or linking to a
file-like payload.
ref: STIX 2.1 - 6.1
Open point: relationships for the related hashes
---
objects/artifact/definition.json | 45 ++++++++++++++++++++++++++++++++
1 file changed, 45 insertions(+)
create mode 100644 objects/artifact/definition.json
diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json
new file mode 100644
index 0000000..df2b7c9
--- /dev/null
+++ b/objects/artifact/definition.json
@@ -0,0 +1,45 @@
+{
+ "attributes": {
+ "decryption_key": {
+ "description": "Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "encryption_algorithm": {
+ "description": "If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "hashes": {
+ "description": "Specifies a dictionary of hashes for the contents of the url or the payload_bin. This property MUST be present when the url property is present. (should be file with relationships?)",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "mime_type": {
+ "description": "Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.",
+ "disable_correlation": true,
+ "misp-attribute": "mime-type",
+ "ui-priority": 0
+ },
+ "payload_bin": {
+ "description": "Specifies the binary data contained in the artifact as a base64-encoded string.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "url": {
+ "description": "The value of this property MUST be a valid URL that resolves to the unencoded content.",
+ "misp-attribute": "url",
+ "ui-priority": 0
+ }
+ },
+ "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1)",
+ "meta-category": "file",
+ "name": "artifact",
+ "requiredOneOf": [
+ "payload_bin",
+ "url"
+ ],
+ "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
+ "version": 1
+}
\ No newline at end of file
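Review bot: `decryption_key`, `encryption_algorithm` and `payload_bin` are plain `text` attributes without `"disable_correlation": true`, so a commonly reused archive password or algorithm name would correlate every artifact that carries it; only `mime_type` sets the flag in this template. Adding `"disable_correlation": true,` to those three attributes avoids that noise. The `hashes` description says the property MUST be present when `url` is present, but `requiredOneOf` lists only `payload_bin` and `url`, so a URL-only artifact with no hash to verify the fetched content against still satisfies the template. The commit message already leaves the hash modelling open, so the description should at least state that the template itself does not enforce the requirement. Every attribute also has `"ui-priority": 0`, which gives the form no ordering.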