Merge branch 'master' into haxpak/#24

2019-04-15 10:52:48 +02:00 · 2019-04-15 10:52:48 +02:00 · a8e89e3eaa
parent 9f4e7737a1 f5555225aa
commit a8e89e3eaa
5 changed files with 103 additions and 5 deletions
--- a/README.md
+++ b/README.md
@ -82,6 +82,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 * [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
 * [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
+* [objects/device](objects/device/definition.json) - An object to describe a device such as a computer, laptop or alike.
 * [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
@ -112,6 +113,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 * [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
 * [objects/network-socket](objects/network-socket/definition.json) - Object to describe a local or remote network connections based on the socket data structure.
 * [objects/original-imported-file](objects/original-imported-file/definition.json) - Object to describe the original files used to import data in MISP.
+* [objects/organization](objects/organization/definition.json) - An object which describes an organization.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
--- a/objects/organization/definition.json
+++ b/objects/organization/definition.json
@ -69,7 +69,7 @@
  },
  "version": 1,
  "description": "An object which describes an organization.",
-  "meta-category": "organization",
+  "meta-category": "misc",
  "uuid": "f750e12b-127a-432c-b022-b3f9153c4e2a",
-  "name": "organization"
+  "name": "misc"
 }
--- a/objects/phishing-kit/definition.json
+++ b/objects/phishing-kit/definition.json
@ -0,0 +1,96 @@
+{
+  "name": "phishing-kit",
+  "uuid": "f452c16b-12fa-4f87-84a2-15a9e8ca6e7c",
+  "meta-category": "network",
+  "description": "Oject to describe a phishing-kit.",
+  "version": 2,
+  "attributes": {
+    "internal reference": {
+      "categories": [
+        "Internal reference"
+      ],
+      "misp-attribute": "text",
+      "ui-priority": 1,
+      "description": "Internal reference such as ticket ID"
+    },
+    "date-found": {
+      "multiple": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0,
+      "description": "Date when the phishing kit was found",
+      "to_ids": false,
+      "disable_correlation": true
+    },
+    "reference-link": {
+      "to_ids": false,
+      "multiple": true,
+      "ui-priority": 1,
+      "misp-attribute": "link",
+      "description": "Link where the Phishing Kit was observed"
+    },
+    "threat-actor-email": {
+      "description": "Email of the Threat Actor",
+      "multiple": true,
+      "ui-priority": 0,
+      "misp-attribute": "email-src"
+    },
+    "email-type": {
+      "description": "Type of the Email",
+      "multiple": false,
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "kit-mailer": {
+      "description": "Mailer Kit Used",
+      "multiple": true,
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "disable_correlation": true
+    },
+    "target": {
+      "description": "What was targeted using this phishing kit",
+      "multiple": true,
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "phishing-domain": {
+      "description": "Domain used for Phishing",
+      "multiple": true,
+      "ui-priority": 1,
+      "misp-attribute": "url"
+    },
+    "online": {
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "values_list": [
+        "Yes",
+        "No"
+      ],
+      "ui-priority": 0,
+      "description": "If the phishing kit is online and operational, by default is yes"
+    },
+    "kit-url": {
+      "misp-attribute": "url",
+      "ui-priority": 1,
+      "description": "URL of Phishing Kit"
+    },
+    "threat-actor": {
+      "description": "Identified threat actor",
+      "ui-priority": 0,
+      "multiple": true,
+      "misp-attribute": "text"
+    },
+    "kit-name": {
+      "description": "Name of the Phishing Kit",
+      "ui-priority": 10,
+      "misp-attribute": "text"
+    }
+  },
+  "requiredOneOf": [
+    "kit-url",
+    "reference-link",
+    "kit-name",
+    "kit-hash"
+  ]
+}
--- a/relationships/definition.json
+++ b/relationships/definition.json
@ -939,7 +939,8 @@
      "name": "creates",
      "description": "Represents an object that creates something.",
      "format": [
-        "misp"
+        "misp",
+        "haxpak"
      ]
    }
  ],
--- a/schema_objects.json
+++ b/schema_objects.json
@ -68,8 +68,7 @@
        "financial",
        "misc",
        "internal",
-        "vulnerability",
-        "organization"
+        "vulnerability"
      ]
    },
    "name": {