From cb645abb54815910718cca47c2b2c7774648e36a Mon Sep 17 00:00:00 2001 From: LGTM Migrator Date: Thu, 10 Nov 2022 11:18:21 +0000 Subject: [PATCH 01/39] Add CodeQL workflow for GitHub code scanning --- .github/workflows/codeql.yml | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/codeql.yml diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml new file mode 100644 index 0000000..020f6cd --- /dev/null +++ b/.github/workflows/codeql.yml @@ -0,0 +1,41 @@ +name: "CodeQL" + +on: + push: + branches: [ "main" ] + pull_request: + branches: [ "main" ] + schedule: + - cron: "43 15 * * 4" + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: [ python ] + + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v2 + with: + languages: ${{ matrix.language }} + queries: +security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v2 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v2 + with: + category: "/language:${{ matrix.language }}" From 2787dc45d7efbf32e0fbe81ea95f0af642ae8963 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 19 Nov 2022 12:21:16 +0100 Subject: [PATCH 02/39] fix: [person] add a missing passport-creation date field. --- objects/person/definition.json | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/objects/person/definition.json b/objects/person/definition.json index 59acb70..c34a977 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
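Review bot: Every `uses:` in the new workflow (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`) references a mutable tag, so the job runs whatever those tags point to on the day it executes and a retagged action changes the CI supply chain without any commit in this repository. Pinning each reference to a full-length commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v3`, makes the workflow reproducible and turns action upgrades into reviewable diffs (Dependabot can keep the SHA current). The `permissions` block is correctly minimal (`actions: read`, `contents: read`, `security-events: write`), which is worth keeping as the pattern for the other workflows in `.github/workflows/`.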
@@ -165,8 +165,14 @@
 "misp-attribute": "passport-country",
 "ui-priority": 0
 },
+ "passport-creation": {
+ "description": "The creation date of the passport.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
 "passport-expiration": {
- "description": "The expiration date of a passport.",
+ "description": "The expiration date of the passport.",
 "disable_correlation": true,
 "misp-attribute": "passport-expiration",
 "ui-priority": 0
@@ -249,5 +255,5 @@
 "handle"
 ],
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
- "version": 18
+ "version": 19
 }
\ No newline at end of file
From d491cde4b15d25725fafbc37fa7f8d69178fa1ed Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 11 Dec 2022 12:54:24 +0100
Subject: [PATCH 03/39] fix: [fail2ban] incorrect UUID fixed
---
 objects/fail2ban/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
index 3519740..a85426e 100644
--- a/objects/fail2ban/definition.json
+++ b/objects/fail2ban/definition.json
@@ -56,6 +56,6 @@
 "processing-timestamp",
 "attack-type"
 ],
- "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
- "version": 5
+ "uuid": "32f7ded6-e774-4401-81b0-79634e82f589",
+ "version": 6
 }
\ No newline at end of file
From 858e48526315c99e654e079d3f35a0cb210c1b47 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 11 Dec 2022 13:03:18 +0100
Subject: [PATCH 04/39] fix: [mactim-timeline-analysis] invalid UUID fixed
---
 objects/mactime-timeline-analysis/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/mactime-timeline-analysis/definition.json b/objects/mactime-timeline-analysis/definition.json
index f77dfea..f52d4bc 100644
--- a/objects/mactime-timeline-analysis/definition.json
+++ b/objects/mactime-timeline-analysis/definition.json
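Review bot: Replacing the fail2ban template `uuid` (`8be2271-…` → `32f7ded6-…`) alongside the `version` bump to 6 is, from a consumer's point of view, the introduction of a new template rather than an update of the existing one: as far as I know MISP matches object templates on `uuid`, so instances that already hold the old malformed value will load this file as a second `fail2ban` template and objects created from the old one are not migrated. That consequence belongs in the commit message (and the project changelog) so operators know to expect two templates and can reconcile them. The same point applies to the `mactime-timeline-analysis` hunk in PATCH 04/39, which swaps `9297982e-…-c91f5a8d639` for a fresh uuid the same way.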
@@ -51,6 +51,6 @@
 "activityType",
 "datetime"
 ],
- "uuid": "9297982e-be62-4772-a665-c91f5a8d639",
- "version": 3
+ "uuid": "58149b06-eabe-4937-9dac-01d63f504e14",
+ "version": 4
 }
\ No newline at end of file
From a40c08cf2cb635ff3621ca0ff3b978744f4bde78 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 11 Dec 2022 13:04:30 +0100
Subject: [PATCH 05/39] chg: [jq_all_the_things] display if an UUID is invalid
---
 jq_all_the_things.sh | 1 +
 1 file changed, 1 insertion(+)
diff --git a/jq_all_the_things.sh b/jq_all_the_things.sh
index 1d6cc73..26ce4c1 100755
--- a/jq_all_the_things.sh
+++ b/jq_all_the_things.sh
@@ -10,6 +10,7 @@ do
 cat ${dir} | jq . >/dev/null
 rc=$?
 if [[ $rc != 0 ]]; then exit $rc; fi
+ cat ${dir} | jq -r .uuid | uuidparse
 done
 set -e
From 262e2bee9031e893edcfdac699d65bb9d0442f8d Mon Sep 17 00:00:00 2001
From: th3r3d
Date: Mon, 12 Dec 2022 19:01:23 +0100
Subject: [PATCH 06/39] Created definition for ADS For ADS framework - create
---
 objects/ADS/definition.json | 81 +++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100644 objects/ADS/definition.json
diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
new file mode 100644
index 0000000..a37afdd
--- /dev/null
+++ b/objects/ADS/definition.json
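Review bot: The added `cat ${dir} | jq -r .uuid | uuidparse` only prints the parse result: `uuidparse` marks a malformed value as `invalid` in its output but, as far as I can tell, still exits 0, and nothing in the loop inspects that output, so the two broken uuids fixed in PATCH 03/39 and 04/39 would still scroll past without failing the run. If the intent is a gate rather than a display, check the type column, e.g. `uuid=$(jq -r .uuid "${dir}")` followed by `if uuidparse -n -o TYPE "$uuid" | grep -q invalid; then echo "invalid uuid in ${dir}: ${uuid}"; exit 1; fi` (a missing key yields `null`, which is flagged the same way). Quoting `"${dir}"` on both the existing and the new line also avoids word-splitting on paths. The enclosing `for` loop starts before the hunk, and `set -e` is only enabled after it, so the explicit `exit` is the only thing that stops the script.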
@@ -0,0 +1,81 @@ +{ + "attributes": { + "additional_resources": { + "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 2 + }, + "blind_spots_and_assumptions": { + "description": "Recognized issues, assumptions, and areas where an ADS may not fire.", + "misp-attribute": "text", + "ui-priority": 7 + }, + "categorization": { + "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "date": { + "description": "Enter date, when ADS has been created or edited.", + "misp-attribute": "datetime", + "ui-priority": 12 + }, + "false_positives": { + "description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.", + "misp-attribute": "text", + "ui-priority": 6 + }, + "goal": { + "description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.", + "misp-attribute": "text", + "ui-priority": 11 + }, + "priority": { + "description": "Describes the various alerting levels that an ADS may be tagged with.", + "misp-attribute": "text", + "ui-priority": 4 + }, + "responses": { + "description": "General response steps in the event that this alert fired.", + "misp-attribute": "text", + "ui-priority": 3 + }, + "sigma_rule": { + "description": "Rule in SIGMA format.", + "misp-attribute": "sigma", + "ui-priority": 1 + }, + "strategy_abstract": { + "description": "High-level walkthrough of how the ADS functions.", + "misp-attribute": "text", + "ui-priority": 9 + }, + "technical_context": { + "description": "Detailed information and background needed for a responder to understand all components of the alert. 
", + "misp-attribute": "text", + "ui-priority": 8 + }, + "validation": { + "description": "lists the steps required to generate a representative true positive event which triggers this alert.", + "misp-attribute": "text", + "ui-priority": 5 + }, + "acd-element": { + "description": "lists the steps required to generate a representative true positive event which triggers this alert.", + "misp-attribute": "text", + "ui-priority": 0 + } + }, + "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.", + "meta-category": "misc", + "name": "ADS", + "required": [ + "date", + "goal", + "categorization" + ], + "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4", + "version": 1 +} From 5ff1dff7b0fcaedb8f026e19805f9f4b2b224b5f Mon Sep 17 00:00:00 2001 From: th3r3d Date: Mon, 12 Dec 2022 19:02:23 +0100 Subject: [PATCH 07/39] Create definition in groups Inspired by threat actor group cards --- objects/groups/definition.json | 68 ++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 objects/groups/definition.json diff --git a/objects/groups/definition.json b/objects/groups/definition.json new file mode 100644 index 0000000..a9aa6b4 --- /dev/null +++ b/objects/groups/definition.json 
@@ -0,0 +1,68 @@ +{ + "attributes": { + "names": { + "description": "Names or nicknames for group.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "country": { + "description": "Country of group - group location where it operates from.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "sponsor": { + "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "motivation": { + "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 3 + }, + "description": { + "description": "Description of group activities or TTP used for group actions.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": false, + "ui-priority": 4 + }, + "observed": { + "description": "What sector is this group active at? Government, telecommunication etc and country of activity.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 5 + }, + "tools used": { + "description": "What known tools are used by group.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 6 + }, + "more informations": { + "description": "List more informations by url - reports, group links etc..", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 7 + } + }, + "description": "Adversary group cards inspired by ThaiCERT", + "meta-category": "misc", + "name": "Group Cards", + "required": [ + "name" + ], + "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", + "version": 1 +} From 56c6b9148c71d9474c7fd819b907521c4a434fc6 Mon Sep 17 00:00:00 2001 
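Review bot: `"required": ["name"]` references an attribute that this template does not define — the attribute is `names` — so the requirement can never be satisfied and a validator or a MISP instance instantiating the object will either reject the template or silently ignore the constraint; either rename the attribute to `name` (it already allows `multiple: true`) or list `names`. The keys `"tools used"` and `"more informations"` contain spaces, unlike every other template in this series which uses hyphen- or underscore-separated keys; keys become the template's contract once it ships at `version: 1`, so `tools-used` and e.g. `references` are much cheaper to adopt now than after release. `more informations` is described as "by url" but typed `"misp-attribute": "text"`, where `url` would match how `additional_resources` in PATCH 06/39 handles links. The `description` of `observed` asks two questions at once (sector and country of activity) and will collect mixed values; splitting it or narrowing the text would keep the field homogeneous.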
From: th3r3d Date: Mon, 12 Dec 2022 19:03:29 +0100 Subject: [PATCH 08/39] Create definition Faked persnona template inspired by MITRE --- objects/persnona/definition.json | 103 +++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 objects/persnona/definition.json diff --git a/objects/persnona/definition.json b/objects/persnona/definition.json new file mode 100644 index 0000000..475f153 --- /dev/null +++ b/objects/persnona/definition.json 
@@ -0,0 +1,103 @@ +{ + "attributes": { + "photo": { + "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.", + "disable_correlation": false, + "misp-attribute": "url", + "multiple": false, + "ui-priority": 0 + }, + "name": { + "description": "Name - full name of PersNOna.", + "disable_correlation": false, + "misp-attribute": "full-name", + "multiple": true, + "ui-priority": 1 + }, + "alias": { + "description": "Aliases or Nicknames of fake PesNOna on differenet media.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 1 + }, + "background": { + "description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, + "location": { + "description": "Location, where PersNOna is right now at home, home town, county, country etc.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 3 + }, + "responsi": { + "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 4 + }, + "goals": { + "description": "Goals of creating of this PersNOna.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 5 + }, + "critical_tasks": { + "description": "Critical Tasks or tasks which this PersNOna has to accomplish.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 6 + }, + "actions": { + "description": "Actions by this PersNOna or engagement with adversary or relateda party.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 7 + }, + "questions": { + "description": "Questions, which 
have to be answered by this profile goal.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 8 + }, + "oppportunities": { + "description": "Opportunities for another development, introducing another PersNOna etc.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 9 + }, + "conversations": { + "description": "Conversations with targets", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "media": { + "description": "Media where is PersNOna active ie. facebook, telegram etc.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + } + }, + "description": "Fake persona with tasks", + "meta-category": "misc", + "name": "Deception PersNOna", + "required": [ + "name" + ], + "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d", + "version": 1 +} From b9c512a71b24fcc3c1dcbfc9a98b278f24f894b3 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Dec 2022 14:39:52 +0100 Subject: [PATCH 09/39] fix: [jq] JSON fixed --- objects/ADS/definition.json | 12 ++-- objects/groups/definition.json | 58 ++++++++++---------- objects/persnona/definition.json | 94 ++++++++++++++++---------------- 3 files changed, 82 insertions(+), 82 deletions(-) diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json index a37afdd..2d23077 100644 --- a/objects/ADS/definition.json +++ b/objects/ADS/definition.json @@ -1,5 +1,10 @@ { "attributes": { + "acd-element": { + "description": "lists the steps required to generate a representative true positive event which triggers this alert.", + "misp-attribute": "text", + "ui-priority": 0 + }, "additional_resources": { "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.", "misp-attribute": "url", 
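Review bot: Two attribute keys are misspelled — `responsi` (its description says "Responsibilities") and `oppportunities` — and, unlike descriptions, keys become the template's stable contract once it ships at `version: 1`, so renaming them in this commit is far cheaper than a later rename that needs a version bump and breaks objects already created with the old key. `ui-priority` values collide (`name` and `alias` both 1, `conversations` and `media` both 10), which leaves the display order between those pairs undefined. The `name` field `"Deception PersNOna"` does not match the directory `objects/persnona`; the README generated in PATCH 12/39 links `objects/Deception PersNOna/definition.json`, which suggests the repository tooling derives the path from `name`, so the two should agree (and `persnona` vs `PersNOna` spell the pun differently). The description typos `PesNOna`, `differenet` and `relateda` are cosmetic but worth a pass in the same commit.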
@@ -61,11 +66,6 @@ "description": "lists the steps required to generate a representative true positive event which triggers this alert.", "misp-attribute": "text", "ui-priority": 5 - }, - "acd-element": { - "description": "lists the steps required to generate a representative true positive event which triggers this alert.", - "misp-attribute": "text", - "ui-priority": 0 } }, "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.", @@ -78,4 +78,4 @@ ], "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4", "version": 1 -} +} \ No newline at end of file diff --git a/objects/groups/definition.json b/objects/groups/definition.json index a9aa6b4..68f1fd0 100644 --- a/objects/groups/definition.json +++ b/objects/groups/definition.json @@ -1,12 +1,5 @@ { "attributes": { - "names": { - "description": "Names or nicknames for group.", - "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 0 - }, "country": { "description": "Country of group - group location where it operates from.", "disable_correlation": false, @@ -14,20 +7,6 @@ "multiple": true, "ui-priority": 1 }, - "sponsor": { - "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..", - "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 2 - }, - "motivation": { - "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .", - "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 3 - }, "description": { "description": "Description of group activities or TTP used for group actions.", "disable_correlation": false, 
@@ -35,6 +14,27 @@ "multiple": false, "ui-priority": 4 }, + "more informations": { + "description": "List more informations by url - reports, group links etc..", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 7 + }, + "motivation": { + "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 3 + }, + "names": { + "description": "Names or nicknames for group.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, "observed": { "description": "What sector is this group active at? Government, telecommunication etc and country of activity.", "disable_correlation": false, @@ -42,19 +42,19 @@ "multiple": true, "ui-priority": 5 }, + "sponsor": { + "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 2 + }, "tools used": { "description": "What known tools are used by group.", "disable_correlation": false, "misp-attribute": "text", "multiple": true, "ui-priority": 6 - }, - "more informations": { - "description": "List more informations by url - reports, group links etc..", - "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 7 } }, "description": "Adversary group cards inspired by ThaiCERT", @@ -65,4 +65,4 @@ ], "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", "version": 1 -} +} \ No newline at end of file diff --git a/objects/persnona/definition.json b/objects/persnona/definition.json index 475f153..d3438d3 100644 --- a/objects/persnona/definition.json +++ b/objects/persnona/definition.json 
@@ -1,18 +1,11 @@ { "attributes": { - "photo": { - "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.", + "actions": { + "description": "Actions by this PersNOna or engagement with adversary or relateda party.", "disable_correlation": false, - "misp-attribute": "url", - "multiple": false, - "ui-priority": 0 - }, - "name": { - "description": "Name - full name of PersNOna.", - "disable_correlation": false, - "misp-attribute": "full-name", + "misp-attribute": "text", "multiple": true, - "ui-priority": 1 + "ui-priority": 7 }, "alias": { "description": "Aliases or Nicknames of fake PesNOna on differenet media.", @@ -28,26 +21,12 @@ "multiple": true, "ui-priority": 2 }, - "location": { - "description": "Location, where PersNOna is right now at home, home town, county, country etc.", - "disable_correlation": true, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 3 - }, - "responsi": { - "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.", + "conversations": { + "description": "Conversations with targets", "disable_correlation": false, "misp-attribute": "text", "multiple": true, - "ui-priority": 4 - }, - "goals": { - "description": "Goals of creating of this PersNOna.", - "disable_correlation": true, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 5 + "ui-priority": 10 }, "critical_tasks": { "description": "Critical Tasks or tasks which this PersNOna has to accomplish.", 
@@ -56,19 +35,33 @@ "multiple": true, "ui-priority": 6 }, - "actions": { - "description": "Actions by this PersNOna or engagement with adversary or relateda party.", - "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 7 - }, - "questions": { - "description": "Questions, which have to be answered by this profile goal.", + "goals": { + "description": "Goals of creating of this PersNOna.", "disable_correlation": true, "misp-attribute": "text", "multiple": true, - "ui-priority": 8 + "ui-priority": 5 + }, + "location": { + "description": "Location, where PersNOna is right now at home, home town, county, country etc.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 3 + }, + "media": { + "description": "Media where is PersNOna active ie. facebook, telegram etc.", + "disable_correlation": false, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 10 + }, + "name": { + "description": "Name - full name of PersNOna.", + "disable_correlation": false, + "misp-attribute": "full-name", + "multiple": true, + "ui-priority": 1 }, "oppportunities": { "description": "Opportunities for another development, introducing another PersNOna etc.", 
@@ -77,19 +70,26 @@ "multiple": true, "ui-priority": 9 }, - "conversations": { - "description": "Conversations with targets", + "photo": { + "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.", "disable_correlation": false, - "misp-attribute": "text", - "multiple": true, - "ui-priority": 10 + "misp-attribute": "url", + "multiple": false, + "ui-priority": 0 }, - "media": { - "description": "Media where is PersNOna active ie. facebook, telegram etc.", + "questions": { + "description": "Questions, which have to be answered by this profile goal.", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 8 + }, + "responsi": { + "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.", "disable_correlation": false, "misp-attribute": "text", "multiple": true, - "ui-priority": 10 + "ui-priority": 4 } }, "description": "Fake persona with tasks", @@ -100,4 +100,4 @@ ], "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d", "version": 1 -} +} \ No newline at end of file From 4f52a227c7f042881dcc1287d257d055f3b4034e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Dec 2022 14:45:53 +0100 Subject: [PATCH 10/39] chg: [github workflow] removed older version of Python --- .github/workflows/nosetests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nosetests.yml b/.github/workflows/nosetests.yml index 2e72a72..a279f61 100644 --- a/.github/workflows/nosetests.yml +++ b/.github/workflows/nosetests.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [3.6, 3.7, 3.8, 3.9] + python-version: [3.8, 3.9, 3.10] steps: From 9c79cebde5f60ec33010eed1c2235fedb971d507 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Thu, 15 Dec 2022 14:47:08 +0100 Subject: [PATCH 11/39] fix: [github workflow] version are not float but str --- .github/workflows/nosetests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/nosetests.yml b/.github/workflows/nosetests.yml index a279f61..3f4b434 100644 --- a/.github/workflows/nosetests.yml +++ b/.github/workflows/nosetests.yml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest strategy: matrix: - python-version: [3.8, 3.9, 3.10] + python-version: ['3.8', '3.9', '3.10'] steps: From 26f77e090b45945ac0084fedc0a26e7c6e737c56 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 15 Dec 2022 15:16:54 +0100 Subject: [PATCH 12/39] chg: [doc] list of object updated --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 5f0a474..3341b95 100644 --- a/README.md +++ b/README.md @@ -104,6 +104,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID ## Existing MISP objects +- [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering. - [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework. - [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings. - [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app. 
@@ -161,11 +162,13 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information. - [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points. - [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance. +- [objects/exploit](https://github.com/MISP/misp-objects/blob/main/objects/exploit/definition.json) - Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities. - [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. - [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account. - [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group. - [objects/facebook-page](https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json) - Facebook page. - [objects/facebook-post](https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json) - Post on a Facebook wall. +- [objects/facebook-reaction](https://github.com/MISP/misp-objects/blob/main/objects/facebook-reaction/definition.json) - Reaction to facebook posts. - [objects/facial-composite](https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json) - An object which describes a facial composite. 
- [objects/fail2ban](https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json) - Fail2ban event. - [objects/favicon](https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json) - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. @@ -230,6 +233,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. +- [objects/Group Cards](https://github.com/MISP/misp-objects/blob/main/objects/Group Cards/definition.json) - Adversary group cards inspired by ThaiCERT. - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. 
@@ -247,6 +251,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/intelmq_report](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json) - IntelMQ Report. - [objects/internal-reference](https://github.com/MISP/misp-objects/blob/main/objects/internal-reference/definition.json) - Internal reference. - [objects/interpol-notice](https://github.com/MISP/misp-objects/blob/main/objects/interpol-notice/definition.json) - An object which describes a Interpol notice. +- [objects/intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/intrusion-set/definition.json) - A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state. 
- [objects/iot-device](https://github.com/MISP/misp-objects/blob/main/objects/iot-device/definition.json) - An IoT device. - [objects/iot-firmware](https://github.com/MISP/misp-objects/blob/main/objects/iot-firmware/definition.json) - A firmware for an IoT device. - [objects/ip-api-address](https://github.com/MISP/misp-objects/blob/main/objects/ip-api-address/definition.json) - IP Address information. Useful if you are pulling your ip information from ip-api.com. @@ -288,6 +293,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata. - [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable. - [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable. +- [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks. - [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity. - [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity. - [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature. 
@@ -358,6 +364,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. - [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body. - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account. +- [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot. - [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid. - [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report. - [objects/timecode](https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. From 83930e211ff57b10966791412b38f9f957a3926c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 22 Dec 2022 13:08:34 +0100 Subject: [PATCH 13/39] chg: [groups->thaicert-group-cards] to make it more logical --- objects/{groups => thaicert-group-cards}/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename objects/{groups => thaicert-group-cards}/definition.json (97%) 
diff --git a/objects/groups/definition.json b/objects/thaicert-group-cards/definition.json similarity index 97% rename from objects/groups/definition.json rename to objects/thaicert-group-cards/definition.json index 68f1fd0..58580c3 100644 --- a/objects/groups/definition.json +++ b/objects/thaicert-group-cards/definition.json @@ -59,10 +59,10 @@ }, "description": "Adversary group cards inspired by ThaiCERT", "meta-category": "misc", - "name": "Group Cards", + "name": "thaicert-group-cards", "required": [ "name" ], "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", - "version": 1 -} \ No newline at end of file + "version": 2 +} From 2b65dedb4d47a61898352256c595be1055f7ef0c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 22 Dec 2022 13:10:03 +0100 Subject: [PATCH 14/39] fix: [objects] jq all the things --- objects/thaicert-group-cards/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/thaicert-group-cards/definition.json b/objects/thaicert-group-cards/definition.json index 58580c3..ec9ca7a 100644 --- a/objects/thaicert-group-cards/definition.json +++ b/objects/thaicert-group-cards/definition.json @@ -65,4 +65,4 @@ ], "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", "version": 2 -} +} \ No newline at end of file From c52481cac16e1fd0e182855d4523645041427540 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 22 Dec 2022 13:12:05 +0100 Subject: [PATCH 15/39] fix: [thaicert-group-cards] name is singular has a single value which can be multiple --- objects/thaicert-group-cards/definition.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/objects/thaicert-group-cards/definition.json b/objects/thaicert-group-cards/definition.json index ec9ca7a..c45b022 100644 --- a/objects/thaicert-group-cards/definition.json +++ b/objects/thaicert-group-cards/definition.json 
@@ -28,7 +28,7 @@ "multiple": true, "ui-priority": 3 }, - "names": { + "name": { "description": "Names or nicknames for group.", "disable_correlation": false, "misp-attribute": "text", @@ -64,5 +64,5 @@ "name" ], "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", - "version": 2 -} \ No newline at end of file + "version": 3 +} From a3263d72d6a193ca2f12ef73b567fd636e74165a Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 22 Dec 2022 13:15:10 +0100 Subject: [PATCH 16/39] fix: [jq] all --- objects/thaicert-group-cards/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/thaicert-group-cards/definition.json b/objects/thaicert-group-cards/definition.json index c45b022..3dbd5f9 100644 --- a/objects/thaicert-group-cards/definition.json +++ b/objects/thaicert-group-cards/definition.json @@ -65,4 +65,4 @@ ], "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174", "version": 3 -} +} \ No newline at end of file From 4e19aa30ba94940e38bf50164248a572139ca520 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 22 Dec 2022 13:16:19 +0100 Subject: [PATCH 17/39] chg: [doc] list updated --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3341b95..1532233 100644 --- a/README.md +++ b/README.md 
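Review bot: The rename `"names"` → `"name"` makes the attribute key match the `"required": [ "name" ]` entry already present below, but whether the renamed attribute carries `"multiple": true` is not visible in this hunk; the commit message says a single `name` can hold several values, so that flag should be confirmed, otherwise aliases previously recorded under the plural key have no home. The description `"Names or nicknames for group."` still reads as plural; keep it if the attribute is multi-valued, otherwise `"Name or nickname of the group."`. Objects presumably already instantiated from template versions 1–2 carry an attribute called `names` that no longer matches version 3; the bump to `"version": 3` is right, but a line in the commit message saying existing objects need re-mapping would help operators.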
@@ -233,7 +233,6 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder. - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user. - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance. -- [objects/Group Cards](https://github.com/MISP/misp-objects/blob/main/objects/Group Cards/definition.json) - Adversary group cards inspired by ThaiCERT. - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks. - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup. - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header. 
@@ -366,6 +365,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account. - [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot. - [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid. +- [objects/thaicert-group-cards](https://github.com/MISP/misp-objects/blob/main/objects/thaicert-group-cards/definition.json) - Adversary group cards inspired by ThaiCERT. - [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report. - [objects/timecode](https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. - [objects/timesketch-timeline](https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry. From 3e8730cc1ffaaa34dbe2b0ecc782dddfac4e5c11 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 23 Dec 2022 08:59:16 +0100 Subject: [PATCH 18/39] fix: [language] Turning french fries into freedom fries --- objects/vehicle/definition.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json index b09c706..daf905b 100644 --- a/objects/vehicle/definition.json +++ b/objects/vehicle/definition.json 
@@ -19,7 +19,7 @@ "ui-priority": 0 }, "exterior-color": { - "description": "Exterior color of the vehicule", + "description": "Exterior color of the vehicle", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 @@ -49,7 +49,7 @@ "ui-priority": 0 }, "interior-color": { - "description": "Interior color of the vehicule", + "description": "Interior color of the vehicle", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 @@ -73,13 +73,13 @@ "ui-priority": 0 }, "state": { - "description": "State of the vehicule (stolen or recovered)", + "description": "State of the vehicle (stolen or recovered)", "disable_correlation": true, "misp-attribute": "text", "ui-priority": 0 }, "type": { - "description": "Type of the vehicule", + "description": "Type of the vehicle", "disable_correlation": true, "misp-attribute": "text", "sane_default": [ @@ -125,5 +125,5 @@ "indicative-value" ], "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", - "version": 3 -} \ No newline at end of file + "version": 4 +} From 322cbaa21e3d110849594fba5f60cb4365e417a5 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 30 Dec 2022 07:37:54 +0100 Subject: [PATCH 19/39] fix: [vehicle] jq all the things --- objects/vehicle/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json index daf905b..202851c 100644 --- a/objects/vehicle/definition.json +++ b/objects/vehicle/definition.json @@ -126,4 +126,4 @@ ], "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", "version": 4 -} +} \ No newline at end of file From 9e9540524dedb6c21c53b4a4f421baf7d53949b0 Mon Sep 17 00:00:00 2001 From: Thomas Dupuy Date: Wed, 4 Jan 2023 17:10:18 +0000 Subject: [PATCH 20/39] new: Add legal sector. --- objects/victim/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index c83972e..ed3c620 100644 
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -96,6 +96,7 @@
 "hospitality leisure",
 "infrastructure",
 "insurance",
+ "legal",
 "manufacturing",
 "mining",
 "non profit",
@@ -124,5 +125,5 @@
 "sectors"
 ],
 "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
- "version": 6
-}
\ No newline at end of file
+ "version": 7
+} From 5cb7e98e200dcfa7a2e422a6cd1886d889b16c57 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 6 Jan 2023 15:08:28 +0100 Subject: [PATCH 21/39] fix: [victim] jq run
--- objects/victim/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index ed3c620..41642f4 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -126,4 +126,4 @@
 ],
 "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
 "version": 7
-}
+}
\ No newline at end of file From 7518752dff9730f5d6f2e5bdbdebd8259b48eb00 Mon Sep 17 00:00:00 2001 From: David Cruciani Date: Mon, 16 Jan 2023 07:48:03 +0100 Subject: [PATCH 22/39] add: [object] typosquatting-finder
--- .../definition.json | 89 +++++++++++++++++++ objects/typosquatting-finder/definition.json | 37 ++++++++ 2 files changed, 126 insertions(+) create mode 100644 objects/typosquatting-finder-result/definition.json create mode 100644 objects/typosquatting-finder/definition.json
diff --git a/objects/typosquatting-finder-result/definition.json b/objects/typosquatting-finder-result/definition.json new file mode 100644
index 0000000..e80b1bd
--- /dev/null
+++ b/objects/typosquatting-finder-result/definition.json
@@ -0,0 +1,89 @@ +{ + "attributes": { + "queried-domain": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain name", + "misp-attribute": "domain", + "ui-priority": 1 + }, + "a-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "IPv4 address associated with A record", + "misp-attribute": "ip-dst", + "multiple": true, + "ui-priority": 1 + }, + "aaaa-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "IPv6 address associated with AAAA record", + "misp-attribute": "ip-dst", + "multiple": true, + "ui-priority": 1 + }, + "mx-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain associated with MX record", + "misp-attribute": "domain", + "multiple": true, + "ui-priority": 1 + }, + "ns-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain associated with NS record", + "misp-attribute": "domain", + "multiple": true, + "ui-priority": 1 + }, + "website-title": { + "description": "Website's title of the current queried domain", + "disable_correlation": false, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "website-similarity": { + "description": "Similarity between website of both research and current variations domain", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "website-ressource-diff": { + "description": "Difference of website's ressources between both, research and current variations domain", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "ratio-similarity": { + "description": "Similarity probability", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + } + }, + "description": "Typosquatting result", + "meta-category": "network", + "name": 
"typosquatting-finder-result", + "required": [ + "queried-domain" + ], + "uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55", + "version": 1 + } \ No newline at end of file diff --git a/objects/typosquatting-finder/definition.json b/objects/typosquatting-finder/definition.json new file mode 100644 index 0000000..72bad72 --- /dev/null +++ b/objects/typosquatting-finder/definition.json @@ -0,0 +1,37 @@ +{ + "attributes": { + "research-domain": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Research domain name", + "disable_correlation": false, + "misp-attribute": "domain", + "recommended": false, + "ui-priority": 1 + }, + "variations-number": { + "description": "Number of variations for the research domain.", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "variations-found-number": { + "description": "Number of variations for the research domain that some info is found.", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + } + }, + "description": "Typosquatting info", + "meta-category": "network", + "name": "typosquatting-finder", + "required": [ + "research-domain" + ], + "uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822", + "version": 1 +} \ No newline at end of file From 350c9b07cf52581179efec9828803c10a654507a Mon Sep 17 00:00:00 2001 From: David Cruciani Date: Mon, 16 Jan 2023 08:45:20 +0100 Subject: [PATCH 23/39] chg: [typosquatting] jq_all_the_things --- .../definition.json | 174 +++++++++--------- objects/typosquatting-finder/definition.json | 70 +++---- 2 files changed, 122 insertions(+), 122 deletions(-) diff --git a/objects/typosquatting-finder-result/definition.json b/objects/typosquatting-finder-result/definition.json index e80b1bd..4a6c40a 100644 --- a/objects/typosquatting-finder-result/definition.json +++ b/objects/typosquatting-finder-result/definition.json 
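Review bot: The attribute key `website-ressource-diff` misspells "resource"; attribute keys are the stable interface of a template (objects created against version 1 keep them), so this should be corrected before publication rather than in a later version bump, e.g. `"website-resource-diff"` with description `"Difference in website resources between the research domain and the current variation domain"`. `ratio-similarity` here and `variations-number` / `variations-found-number` in the typosquatting-finder hunk store numeric values as `"misp-attribute": "text"`, which presumably rules out numeric range searches; MISP's `float` and `counter` attribute types fit better. `mx-record` and `ns-record` leave correlation at its default, and the NS/MX of parked typosquat variations very often point at registrar or parking infrastructure shared by unrelated domains, so expect noisy correlations unless `"disable_correlation": true` is set or the correlation is deliberately wanted. The descriptions `"Domain name"` and `"Research domain name"` could say which side each is, e.g. `"Typosquat variation that was checked"` and `"Legitimate domain the variations were generated from"`.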
@@ -1,89 +1,89 @@ { - "attributes": { - "queried-domain": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Domain name", - "misp-attribute": "domain", - "ui-priority": 1 - }, - "a-record": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "IPv4 address associated with A record", - "misp-attribute": "ip-dst", - "multiple": true, - "ui-priority": 1 - }, - "aaaa-record": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "IPv6 address associated with AAAA record", - "misp-attribute": "ip-dst", - "multiple": true, - "ui-priority": 1 - }, - "mx-record": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Domain associated with MX record", - "misp-attribute": "domain", - "multiple": true, - "ui-priority": 1 - }, - "ns-record": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Domain associated with NS record", - "misp-attribute": "domain", - "multiple": true, - "ui-priority": 1 - }, - "website-title": { - "description": "Website's title of the current queried domain", - "disable_correlation": false, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - }, - "website-similarity": { - "description": "Similarity between website of both research and current variations domain", - "disable_correlation": true, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - }, - "website-ressource-diff": { - "description": "Difference of website's ressources between both, research and current variations domain", - "disable_correlation": true, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - }, - "ratio-similarity": { - "description": "Similarity probability", - "disable_correlation": true, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - } + "attributes": { + "a-record": { + "categories": [ + "Network activity", + "External 
analysis" + ], + "description": "IPv4 address associated with A record", + "misp-attribute": "ip-dst", + "multiple": true, + "ui-priority": 1 }, - "description": "Typosquatting result", - "meta-category": "network", - "name": "typosquatting-finder-result", - "required": [ - "queried-domain" - ], - "uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55", - "version": 1 - } \ No newline at end of file + "aaaa-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "IPv6 address associated with AAAA record", + "misp-attribute": "ip-dst", + "multiple": true, + "ui-priority": 1 + }, + "mx-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain associated with MX record", + "misp-attribute": "domain", + "multiple": true, + "ui-priority": 1 + }, + "ns-record": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain associated with NS record", + "misp-attribute": "domain", + "multiple": true, + "ui-priority": 1 + }, + "queried-domain": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Domain name", + "misp-attribute": "domain", + "ui-priority": 1 + }, + "ratio-similarity": { + "description": "Similarity probability", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "website-ressource-diff": { + "description": "Difference of website's ressources between both, research and current variations domain", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "website-similarity": { + "description": "Similarity between website of both research and current variations domain", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "website-title": { + "description": "Website's title of the current queried domain", + "disable_correlation": false, + "misp-attribute": 
"text", + "recommended": false, + "ui-priority": 1 + } + }, + "description": "Typosquatting result", + "meta-category": "network", + "name": "typosquatting-finder-result", + "required": [ + "queried-domain" + ], + "uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55", + "version": 1 +} \ No newline at end of file diff --git a/objects/typosquatting-finder/definition.json b/objects/typosquatting-finder/definition.json index 72bad72..9d42690 100644 --- a/objects/typosquatting-finder/definition.json +++ b/objects/typosquatting-finder/definition.json 
@@ -1,37 +1,37 @@ { - "attributes": { - "research-domain": { - "categories": [ - "Network activity", - "External analysis" - ], - "description": "Research domain name", - "disable_correlation": false, - "misp-attribute": "domain", - "recommended": false, - "ui-priority": 1 - }, - "variations-number": { - "description": "Number of variations for the research domain.", - "disable_correlation": true, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - }, - "variations-found-number": { - "description": "Number of variations for the research domain that some info is found.", - "disable_correlation": true, - "misp-attribute": "text", - "recommended": false, - "ui-priority": 1 - } - }, - "description": "Typosquatting info", - "meta-category": "network", - "name": "typosquatting-finder", - "required": [ - "research-domain" - ], - "uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822", - "version": 1 + "attributes": { + "research-domain": { + "categories": [ + "Network activity", + "External analysis" + ], + "description": "Research domain name", + "disable_correlation": false, + "misp-attribute": "domain", + "recommended": false, + "ui-priority": 1 + }, + "variations-found-number": { + "description": "Number of variations for the research domain that some info is found.", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + }, + "variations-number": { + "description": "Number of variations for the research domain.", + "disable_correlation": true, + "misp-attribute": "text", + "recommended": false, + "ui-priority": 1 + } + }, + "description": "Typosquatting info", + "meta-category": "network", + "name": "typosquatting-finder", + "required": [ + "research-domain" + ], + "uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822", + "version": 1 } \ No newline at end of file From fd603be3283953b68ed48ede7afd2e19f43577ac Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Wed, 18 Jan 2023 08:01:36 +0100 Subject: [PATCH 24/39] chg: [doc] updated --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 1532233..0fd8d94 100644 --- a/README.md +++ b/README.md @@ -386,6 +386,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/twitter-account](https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json) - Twitter account. - [objects/twitter-list](https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json) - Twitter list. - [objects/twitter-post](https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json) - Twitter post (tweet). +- [objects/typosquatting-finder](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder/definition.json) - Typosquatting info. +- [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result. - [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata. - [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points. - [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. From 8e4308ef01e73517417ec0d4306963ae59a4abec Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Mon, 23 Jan 2023 09:36:35 +0100 Subject: [PATCH 25/39] add relationships --- relationships/definition.json | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) 
diff --git a/relationships/definition.json b/relationships/definition.json index 6634c8c..affaad7 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1352,7 +1352,28 @@ ], "name": "submitted-by", "opposite": "submitted" + }, + { + "description": "This relationship describes that the source object does not target the target object.", + "format": [ + "misp", + ], + "name": "do-not-target" + }, + { + "description": "This relationship describes that the source object is targetted by the target object.", + "format": [ + "misp", + ], + "name": "is-targetted-by" + }, + { + "description": "This relationship describes that the source object is not targetted by the target object.", + "format": [ + "misp", + ], + "name": "is-not-targetted-by" } ], - "version": 34 -} \ No newline at end of file + "version": 35 +} From ec7da3448be77639b1b94e88077d8fa10395f1ba Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 25 Jan 2023 09:31:28 +0100 Subject: [PATCH 26/39] fix typo --- relationships/definition.json | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index affaad7..6c6a455 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1361,18 +1361,18 @@ "name": "do-not-target" }, { - "description": "This relationship describes that the source object is targetted by the target object.", + "description": "This relationship describes that the source object is targeted by the target object.", "format": [ "misp", ], - "name": "is-targetted-by" + "name": "is-targeted-by" }, { - "description": "This relationship describes that the source object is not targetted by the target object.", + "description": "This relationship describes that the source object is not targeted by the target object.", "format": [ "misp", ], - "name": "is-not-targetted-by" + "name": "is-not-targeted-by" } ], "version": 35 
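Review bot: The three new `format` arrays end with a trailing comma (`"misp",`), which makes relationships/definition.json invalid JSON from this commit until PATCH 28 removes them; anything that parses the file at an intermediate revision (bisect, CI, an instance pulling this range) fails, so the commas and the `targetted` spelling corrected in PATCH 26 belong in this commit, checked with `python -m json.tool relationships/definition.json` before pushing. The neighbouring `submitted-by` entry declares an `"opposite"`, but the new entries do not: `does-not-target` and `is-not-targeted-by` are opposites of each other, and `is-targeted-by` is presumably the opposite of an existing `targets` relationship if the file defines one.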
From 9c7c3fa2a19d093ccb72eb5aeb8aa3700ca08a5b Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 25 Jan 2023 09:33:05 +0100 Subject: [PATCH 27/39] fix typo -or stupid --- relationships/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/relationships/definition.json b/relationships/definition.json index 6c6a455..7780c49 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1358,7 +1358,7 @@ "format": [ "misp", ], - "name": "do-not-target" + "name": "does-not-target" }, { "description": "This relationship describes that the source object is targeted by the target object.", From 4ff956f3d6ef3a518e4b5fc51403259051550872 Mon Sep 17 00:00:00 2001 From: Delta-Sierra Date: Wed, 25 Jan 2023 09:45:23 +0100 Subject: [PATCH 28/39] comma --- relationships/definition.json | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/relationships/definition.json b/relationships/definition.json index 7780c49..c92a3a1 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1356,24 +1356,24 @@ { "description": "This relationship describes that the source object does not target the target object.", "format": [ - "misp", + "misp" ], "name": "does-not-target" }, - { + { "description": "This relationship describes that the source object is targeted by the target object.", "format": [ - "misp", + "misp" ], "name": "is-targeted-by" }, - { + { "description": "This relationship describes that the source object is not targeted by the target object.", "format": [ - "misp", + "misp" ], "name": "is-not-targeted-by" } ], "version": 35 -} +} \ No newline at end of file From 81214acbbeda91c1fe493d715999cf6811173575 Mon Sep 17 00:00:00 2001 
From: Alexandre Dulaunoy Date: Fri, 27 Jan 2023 15:30:32 +0100 Subject: [PATCH 29/39] new: [transport-ticket] new object template to describe a transport ticket Credits for the idea: Maxime Benoit --- objects/transport-ticket/definition.json | 96 ++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 objects/transport-ticket/definition.json diff --git a/objects/transport-ticket/definition.json b/objects/transport-ticket/definition.json new file mode 100644 index 0000000..a7f2ffb --- /dev/null +++ b/objects/transport-ticket/definition.json 
@@ -0,0 +1,96 @@ +{ + "attributes": { + "origin": { + "description": "Origin", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "destination": { + "description": "Destination", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "type-of-transport": { + "description": "Type of transport", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "Plane", + "Train", + "Bus", + "Metro", + "Taxi", + "Ferry", + "Other" + ], + "ui-priority": 1 + }, + "description": { + "description": "Description", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "date-of-departure": { + "description": "Date of departure", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "date-of-arrival": { + "description": "Date of arrival", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "date-of-purchase": { + "description": "Date of purchase", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 1 + }, + "ticket-number": { + "description": "Ticket Number", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0, + "multiple": true + }, + "class": { + "description": "Class of the ticket", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "First", + "Second", + "Business", + "Flex", + "Economy" + ], + "ui-priority": 0 + }, + "company": { + "description": "Street name", + "misp-attribute": "text", + "disable_correlation": true, + "ui-priority": 1 + }, + "copy": { + "description": "Copy of the ticket such as a photography or a FAX", + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 10 + } + }, + "description": "A transport ticket.", + "meta-category": "misc", + "name": "transport-ticket", + "requiredOneOf": [ + "destination", + "origin" + ], + "uuid": "8d6bd699-86f8-477c-aac3-a7f273c19266", + 
"version": 1 +} From 5a45977e23174b897dd4837446f29eb57ce963f8 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 27 Jan 2023 15:33:22 +0100 Subject: [PATCH 30/39] fix: [transport-ticket] JSON orders --- objects/transport-ticket/definition.json | 120 +++++++++++------------ 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/objects/transport-ticket/definition.json b/objects/transport-ticket/definition.json index a7f2ffb..32ea522 100644 --- a/objects/transport-ticket/definition.json +++ b/objects/transport-ticket/definition.json @@ -1,63 +1,5 @@ { "attributes": { - "origin": { - "description": "Origin", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "destination": { - "description": "Destination", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 1 - }, - "type-of-transport": { - "description": "Type of transport", - "disable_correlation": true, - "misp-attribute": "text", - "sane_default": [ - "Plane", - "Train", - "Bus", - "Metro", - "Taxi", - "Ferry", - "Other" - ], - "ui-priority": 1 - }, - "description": { - "description": "Description", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0 - }, - "date-of-departure": { - "description": "Date of departure", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "date-of-arrival": { - "description": "Date of arrival", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "date-of-purchase": { - "description": "Date of purchase", - "disable_correlation": true, - "misp-attribute": "datetime", - "ui-priority": 1 - }, - "ticket-number": { - "description": "Ticket Number", - "disable_correlation": true, - "misp-attribute": "text", - "ui-priority": 0, - "multiple": true - }, "class": { "description": "Class of the ticket", "disable_correlation": true, 
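Review bot: The `company` attribute carries `"description": "Street name"`, a copy-paste leftover that also survives the reorder in PATCH 30 below; it should read something like `"description": "Transport company that issued the ticket"`. `ticket-number` is set to `"disable_correlation": true` like every other attribute, yet it is the one value that can tie the same ticket to another event, whereas `origin`, `destination` and `class` are free text with little correlation value; consider enabling correlation on `ticket-number` only. Because `ticket-number` is also `"multiple": true`, the description `"Ticket Number"` could say when several are expected, e.g. `"Ticket or booking number(s) printed on the ticket"`.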
@@ -73,8 +15,8 @@
 },
 "company": {
 "description": "Street name",
- "misp-attribute": "text",
 "disable_correlation": true,
+ "misp-attribute": "text",
 "ui-priority": 1
 },
 "copy": {
@@ -82,6 +24,64 @@
 "misp-attribute": "attachment",
 "multiple": true,
 "ui-priority": 10
+ },
+ "date-of-arrival": {
+ "description": "Date of arrival",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
+ "date-of-departure": {
+ "description": "Date of departure",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
+ "date-of-purchase": {
+ "description": "Date of purchase",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "destination": {
+ "description": "Destination",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "origin": {
+ "description": "Origin",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "ticket-number": {
+ "description": "Ticket Number",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "type-of-transport": {
+ "description": "Type of transport",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Plane",
+ "Train",
+ "Bus",
+ "Metro",
+ "Taxi",
+ "Ferry",
+ "Other"
+ ],
+ "ui-priority": 1
 }
 },
 "description": "A transport ticket.",
@@ -93,4 +93,4 @@
 ],
 "uuid": "8d6bd699-86f8-477c-aac3-a7f273c19266",
 "version": 1
-}
+}
\ No newline at end of file
From fa39a64dc4665fc98652b6a3c15f06871b9f4556 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 27 Jan 2023 15:55:08 +0100
Subject: [PATCH 31/39] chg: [transport-ticket] update to add the type of ticket (e.g. boarding pass versus ticket)
---
 objects/transport-ticket/definition.json | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/objects/transport-ticket/definition.json b/objects/transport-ticket/definition.json
index 32ea522..3958401 100644
--- a/objects/transport-ticket/definition.json
+++ b/objects/transport-ticket/definition.json
@@ -68,6 +68,17 @@
 "multiple": true,
 "ui-priority": 0
 },
+ "type-of-ticket": {
+ "description": "Type of ticket",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Purchase ticket",
+ "Boarding pass",
+ "Other"
+ ],
+ "ui-priority": 1
+ },
 "type-of-transport": {
 "description": "Type of transport",
 "disable_correlation": true,
@@ -92,5 +103,5 @@
 "origin"
 ],
 "uuid": "8d6bd699-86f8-477c-aac3-a7f273c19266",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From bd168c639ad6fa47602dd6e5c44379f43c689bb8 Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Wed, 1 Feb 2023 16:40:24 +0000
Subject: [PATCH 32/39] chg: [victim] sort sectors
---
 objects/victim/definition.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 41642f4..94ceb55 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -77,8 +77,8 @@
 "misp-attribute": "text",
 "multiple": true,
 "sane_default": [
- "agriculture",
 "aerospace",
+ "agriculture",
 "automotive",
 "communications",
 "construction",
@@ -88,10 +88,10 @@
 "engineering",
 "entertainment",
 "financial services",
- "government national",
- "government regional",
 "government local",
+ "government national",
 "government public services",
+ "government regional",
 "healthcare",
 "hospitality leisure",
 "infrastructure",
From 92ed5d48ad24fb61fc52934731ba78529c18dd4e Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Wed, 1 Feb 2023 16:48:01 +0000
Subject: [PATCH 33/39] new: [victim] add information and cultural industries sector
---
 objects/victim/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 94ceb55..2a87f23 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -94,6 +94,7 @@
 "government regional",
 "healthcare",
 "hospitality leisure",
+ "information and cultural industries",
 "infrastructure",
 "insurance",
 "legal",
@@ -125,5 +126,5 @@
 "sectors"
 ],
 "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
- "version": 7
-}
\ No newline at end of file
+ "version": 8
+}
From 9b56d1f427de2de69bf1e6b6a4781166a685183f Mon Sep 17 00:00:00 2001
From: Thomas Dupuy
Date: Wed, 1 Feb 2023 16:56:32 +0000
Subject: [PATCH 34/39] fix: [victim] replace tab with spaces
---
 objects/victim/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 2a87f23..47b5f7a 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -94,7 +94,7 @@
 "government regional",
 "healthcare",
 "hospitality leisure",
- "information and cultural industries",
+ "information and cultural industries",
 "infrastructure",
 "insurance",
 "legal",
From 295c45fccd9cf390fdabd83cb2c4d02f7f25696f Mon Sep 17 00:00:00 2001
From: Rick Henderson
Date: Wed, 1 Feb 2023 14:48:56 -0500
Subject: [PATCH 35/39] Correct basic grammar in a few areas. I tried not to be too academic, but to me as a native English (Canadian) speaker and writer I have made some suggestions that include simple grammar corrections. Mostly I just added 's' where it needs to be.
---
 README.md | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 0fd8d94..150b9b4 100644
--- a/README.md
+++ b/README.md
@@ -2,7 +2,7 @@ ![Python application](https://github.com/MISP/misp-objects/workflows/Python%20application/badge.svg) -MISP objects used in MISP system and can be used by other information sharing tool. MISP objects +MISP objects used in MISP system and can be used by other information sharing tools. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing. 
@@ -83,22 +83,22 @@ Feel free to propose your own MISP objects template to be included in MISP. The } ~~~~ -A MISP object is described in a simple JSON file containing the following element. +A MISP object is described in a simple JSON file containing the following elements. * **name** is the name of the your object. * **meta-category** is the category where the object falls into. (such as file, network, financial, misc, internal...) * **description** is a summary of the object description. * **version** is the version number as a decimal value. * **required** is an array containing the minimal required attributes to describe the object. -* **requiredOneOf** is an array containing the attributes where at least one need to be present to describe the object. +* **requiredOneOf** is an array containing the attributes where at least one needs to be present to describe the object. * **attributes** contains another JSON object listing all the attributes composing the object. Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive). -An array **categories** shall be used to described in which categories the attribute is. The **ui-priority** +An array **categories** shall be used to describe in which categories the attribute is. The **ui-priority** describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field shall be set to true if multiple elements of the same key can be used in the object. An optional **values_list** -where this list of value can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend +where this list of values can be selected as a value for an attribute. 
An optional **sane_default** where this list of value recommend potential a sane default for an attribute. An optional **disable_correlation** boolean field to suggest the disabling of correlation for a specific attribute. An optional **to_ids** boolean field to disable the IDS flag of an attribute. 
@@ -112,8 +112,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. - [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml. - [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/. -- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1). -- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. +- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1). +- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. 
- [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification. - [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks. - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report. 
@@ -125,7 +125,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/blog](https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json) - Blog post like Medium or WordPress. - [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil. - [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet. -- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions. +- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transaction. - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object. - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object. - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object. 
@@ -134,9 +134,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands. - [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not. - [objects/concordia-mtmf-intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/concordia-mtmf-intrusion-set/definition.json) - Intrusion Set - Phase Description. -- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation. -- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object. -- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing an Cortex Taxonomy (or mini report). +- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. 
The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation. +- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object. +- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing a Cortex Taxonomy (or mini report). - [objects/course-of-action](https://github.com/MISP/misp-objects/blob/main/objects/course-of-action/definition.json) - An object describing a specific measure taken to prevent or respond to an attack. - [objects/covid19-csse-daily-report](https://github.com/MISP/misp-objects/blob/main/objects/covid19-csse-daily-report/definition.json) - CSSE COVID-19 Daily report. - [objects/covid19-dxy-live-city](https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-city/definition.json) - COVID 19 from dxy.cn - Aggregation by city. 
@@ -416,9 +416,9 @@ The MISP object model is open and allows user to use their own relationships. MI ## How to contribute MISP objects? Fork the project, create a new directory in the [objects directory](objects/) matching your object name. Objects must be composed -of existing MISP attributes. If you are missing a specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP). +of existing MISP attributes. If you are missing any specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP). -We recommend to add a **text** attribute in a object to allow users to add comments or correlating text. +We recommend to add a **text** attribute in an object to allow users to add comments or correlate text. If the unparsed object can be included, a **raw-base64** attribute can be used in the object to import the whole object. @@ -428,7 +428,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is ### Best practices when creating MISP object templates -- Use lower-case name without underscore or special characters (except minus) for the field names +- Use lower-case names without underscore or special characters (except minus) for the field names - Add a description in the object template explaining the scope and use-cases of your object templates - If the object is the mapping of an existing format, add a reference into the description of the object template - `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s). 
@@ -447,7 +447,7 @@ MISP objects are dynamically used objects that are contributed by users of MISP The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized. -The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself. +The MISP object model allows for adding new combined indicator formats based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can then be propagated along with the indicators itself. ## License From cd27802aab06f02e9e4d02e74feaec3d73427298 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 2 Feb 2023 10:51:32 +0100 Subject: [PATCH 36/39] fix: [objects description] ref #384 - Grammar fixes included in the JSON files. --- objects/artifact/definition.json | 4 ++-- objects/asn/definition.json | 4 ++-- objects/btc-wallet/definition.json | 4 ++-- objects/cookie/definition.json | 4 ++-- objects/cortex-taxonomy/definition.json | 4 ++-- objects/cortex/definition.json | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json index df2b7c9..e7c47eb 100644 --- a/objects/artifact/definition.json +++ b/objects/artifact/definition.json 
@@ -33,7 +33,7 @@
 "ui-priority": 0
 }
 },
- "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1)",
+ "description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1)",
 "meta-category": "file",
 "name": "artifact",
 "requiredOneOf": [
@@ -41,5 +41,5 @@
 "url"
 ],
 "uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
diff --git a/objects/asn/definition.json b/objects/asn/definition.json
index 9ca9c6a..c02622a 100644
--- a/objects/asn/definition.json
+++ b/objects/asn/definition.json
@@ -58,12 +58,12 @@
 "ui-priority": 0
 }
 },
- "description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
+ "description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
 "meta-category": "network",
 "name": "asn",
 "requiredOneOf": [
 "asn"
 ],
 "uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
diff --git a/objects/btc-wallet/definition.json b/objects/btc-wallet/definition.json
index a1db69b..a4b6e61 100644
--- a/objects/btc-wallet/definition.json
+++ b/objects/btc-wallet/definition.json
@@ -30,12 +30,12 @@
 "ui-priority": 0
 }
 },
- "description": "An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.",
+ "description": "An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.",
 "meta-category": "financial",
 "name": "btc-wallet",
 "requiredOneOf": [
 "wallet-address"
 ],
 "uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
diff --git a/objects/cookie/definition.json b/objects/cookie/definition.json
index dce72d5..1b2fe09 100644
--- a/objects/cookie/definition.json
+++ b/objects/cookie/definition.json
@@ -67,12 +67,12 @@
 "ui-priority": 0
 }
 },
- "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.",
+ "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.",
 "meta-category": "network",
 "name": "cookie",
 "required": [
 "cookie"
 ],
 "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
- "version": 4
+ "version": 5
 }
\ No newline at end of file
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
index 71701c9..a1b9fa9 100644
--- a/objects/cortex-taxonomy/definition.json
+++ b/objects/cortex-taxonomy/definition.json
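Review bot: The corrected btc-wallet description now says `Best to be used with btc-transaction object.` while the README entry for the same object, fixed in the PATCH 35 README hunk of this series, says `bitcoin-transaction`; the two corrections disagree, and since the sibling template listed in the README is `objects/btc-transaction`, the JSON wording is the accurate one and the README line should be aligned with it (automatically, if the README list is regenerated from the definitions). Visible as context in this hunk, `"uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4"` is the only uppercase template UUID in the series; hex case is insignificant per RFC 4122, but it is worth confirming that every consumer compares template UUIDs case-insensitively, because changing the value itself would invalidate existing object references and is not the fix.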
@@ -53,7 +53,7 @@
 "ui-priority": 2
 }
 },
- "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
+ "description": "Cortex object describing a Cortex Taxonomy (or mini report)",
 "meta-category": "misc",
 "name": "cortex-taxonomy",
 "required": [
@@ -63,5 +63,5 @@
 "level"
 ],
 "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
index 6841702..67544d6 100644
--- a/objects/cortex/definition.json
+++ b/objects/cortex/definition.json
@@ -41,12 +41,12 @@
 "ui-priority": 0
 }
 },
- "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
+ "description": "Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.",
 "meta-category": "misc",
 "name": "cortex",
 "requiredOneOf": [
 "full"
 ],
 "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
From 13f173a3cebd11dc693313dc4e7822bc0fa82f5d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 2 Feb 2023 10:58:30 +0100
Subject: [PATCH 37/39] fix: [victim] format fixed
---
 objects/victim/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 47b5f7a..e8a897a 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -127,4 +127,4 @@
 ],
 "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
 "version": 8
-}
+}
\ No newline at end of file
From 9b9379bbacd9e064d8421f7def685ff4690fd602 Mon Sep 17 00:00:00 2001
From: Delta-Sierra
Date: Tue, 14 Feb 2023 12:08:50 +0100
Subject: [PATCH 38/39] Add relationships based on XFN format
---
 relationships/definition.json | 126 ++++++++++++++++++++++++++++++++++
 1 file changed, 126 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index c92a3a1..8f83332 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1373,6 +1373,132 @@
 "misp"
 ],
 "name": "is-not-targeted-by"
+ },
+ {
+ "description": "The source object considers the target object as a friend. Is not necessarily symmetric.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Friend"
+ },
+ {
+ "description": "The source object considers the target object as a acquaintance. Is not necessarily symmetric.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Acquaintance"
+ },
+ {
+ "description": "The source object have information to contact and/or get in touch with the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Contact"
+ },
+ {
+ "description": "The source object have physically met the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Met"
+ },
+ {
+ "description": "The source object shares an employer with the target object. This relationship is not geographically limited.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Co-worker"
+ },
+ {
+ "description": "The source object regards the target object as a peer, someone who they feel is on their level and has skills and interests similar to their own. A colleague does not have to be a co-worker, although of course can be.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Colleague"
+ },
+ {
+ "description": "The source object is co-resident with the target object, which means they share a street address with the target object. Co-resident is symmetric.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Co-resident"
+ },
+ {
+ "description": "The source object is neighbor with the target object. This is not limited to next door neighbor.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Neighbor"
+ },
+ {
+ "description": "The target object is the child of the source object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Child"
+ },
+ {
+ "description": "The target object is the parent of the source object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Parent"
+ },
+ {
+ "description": "The source object share a parent with the target object. Brothers, sisters, half-brothers, and half-sisters are all examples of siblings.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Sibling"
+ },
+ {
+ "description": "The source object is -or feels themself to be- married, whether legally or not, to the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Spouse"
+ },
+ {
+ "description": "The target object is a relative of the source object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Kin"
+ },
+ {
+ "description": "The source object is inspired in some way by the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Muse"
+ },
+ {
+ "description": "The source object is attracted -romantically speaking- to the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Crush"
+ },
+ {
+ "description": "The source object is dating the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Date"
+ },
+ {
+ "description": "The source object is intimate, whether physically or emotionally, with the target object.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Sweetheart"
+ },
+ {
+ "description": "The source object refers to the target object as themself or a representation of themself. Can be a profile on social-networking for example. This value is exclusive of all other XFN values.",
+ "format": [
+ "XFN"
+ ],
+ "name": "Me"
 }
 ],
 "version": 35
From d60112ee661f5b006ae5f631f9e0f59c00c03a1b Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 17 Feb 2023 10:33:59 +0100
Subject: [PATCH 39/39] new: [ransomware-group-post] First draft object for ransomlook.io
---
 objects/ransomware-group-post/definition.json | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 objects/ransomware-group-post/definition.json
diff --git a/objects/ransomware-group-post/definition.json b/objects/ransomware-group-post/definition.json
new file mode 100644
index 0000000..c9e1852
--- /dev/null
+++ b/objects/ransomware-group-post/definition.json
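Review bot: The eighteen XFN entries use capitalised names (`"name": "Friend"`, `"name": "Co-worker"`, `"name": "Me"`) while the existing relationships in this file, such as the `is-not-targeted-by` context line at the top of the hunk, are lowercase and hyphenated; relationship names are matched as plain strings, so the mixed convention makes lookups and sorting fragile and the new ones should be lowercased (`"name": "friend"`, `"name": "co-worker"`, `"name": "me"`). The trailing `"version": 35` is left as a context line although 126 lines were added, whereas every other definition change in this series bumps its version; it should become `"version": 36` so consumers can detect the new entries. Several descriptions also need grammar fixes before they are shipped as user-facing text: `as a acquaintance` → `as an acquaintance`, `The source object have information` and `have physically met` → `has …`, `share a parent` → `shares a parent`, `is neighbor with` → `is a neighbor of`.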
@@ -0,0 +1,34 @@
+{
+ "attributes": {
+ "date": {
+ "description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "description": {
+ "description": "Raw post.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "link": {
+ "description": "Original URL location of the post.",
+ "misp-attribute": "link",
+ "ui-priority": 1
+ },
+ "title": {
+ "description": "Title of blog post.",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ }
+ },
+ "description": "Ransomware group post as monitored by ransomlook.io",
+ "meta-category": "misc",
+ "name": "ransomware-group-post",
+ "requiredOneOf": [
+ "title",
+ "description",
+ "link"
+ ],
+ "uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
+ "version": 1
+}
\ No newline at end of file
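Review bot: The `title` and `description` attributes are free-text `text` attributes — `description` is documented as the `Raw post.` body — yet neither sets `disable_correlation`, so each imported leak-site post will correlate with any other event that happens to carry the same string; the transport-ticket template earlier in this series sets `"disable_correlation": true` on all of its text attributes, and this object should do the same for `description` and most likely `title`. The `date` attribute records the post's last update according to its own description, so a more self-describing name such as `last-update` would cost nothing while the template is still at version 1; its description also reads better as `Different from the first/last seen of the crawl.` rather than `Different than the first/last seen from the crawling.`.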