diff --git a/README.md b/README.md
index ae6bb52..d4cbba3 100644
--- a/README.md
+++ b/README.md
@@ -70,37 +70,61 @@ for a specific attribute.
 * [objects/android-permission](objects/android-permission/definition.json) - A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. file).
 * [objects/asn](objects/asn/definition.json) - Autonomous system object describing a BGP autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
 * [objects/av-signature](objects/av-signature/definition.json) - Antivirus detection signature.
+* [objects/bank-account](objects/bank-account/definition.json) - Object describing bank account information based on account description from goAML 4.0.
+* [objects/cap-alert](objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
+* [objects/cap-info](objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
+* [objects/cap-resource](objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
 * [objects/coin-address](objects/coin-address/definition.json) - An address used in a cryptocurrency.
 * [objects/cookie](objects/cookie/definition.json) - A cookie object describes an HTTP cookie including its use in malicious cases.
+* [objects/course-of-action](objects/course-of-action/definition.json) - An object describing a Course of Action such as a specific measure taken to prevent or respond to an attack.
+* [objects/cowrie](objects/cowrie/definition.json) - A cowrie object describes cowrie honeypot sessions.
+* [objects/credential](objects/credential/definition.json) - A credential object describes one or more credential(s) including password(s), api key(s) or decryption key(s).
 * [objects/ddos](objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target.
+* [objects/diameter-attack](objects/diameter-attack/definition.json) - Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
 * [objects/domain-ip](objects/domain-ip/definition.json) - A domain and IP address seen as a tuple in a specific time frame.
 * [objects/elf](objects/elf/definition.json) - Object describing an Executable and Linkable Format (ELF).
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
+* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
+* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network.
+* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object.
 * [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
 * [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.
+* [objects/legal-entity](objects/legal-entity/definition.json) - Object describing a legal entity, such as an organisation.
 * [objects/macho](objects/macho/definition.json) - Object describing a Mach object file format.
 * [objects/macho-section](objects/macho-section/definition.json) - Object describing a section of a Mach object file format.
 * [objects/microblog](objects/microblog/definition.json) - Object describing microblog post like Twitter or Facebook.
+* [objects/mutex](objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
 * [objects/netflow](objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
+* [objects/network-connection](objects/network-connection/definition.json) - Network object describes a local or remote network connection.
 * [objects/passive-dns](objects/passive-dns/definition.json) - Passive DNS records as expressed in [draft-dulaunoy-dnsop-passive-dns-cof-01](https://tools.ietf.org/html/draft-dulaunoy-dnsop-passive-dns-cof-01).
 * [objects/paste](objects/paste/definition.json) - Object describing a paste or similar post from a website allowing to share privately or publicly posts.
 * [objects/pe](objects/pe/definition.json) - Portable Executable (PE) object.
 * [objects/pe-section](objects/pe-section/definition.json) - Portable Executable (PE) object - section description.
 * [objects/person](objects/person/definition.json) - A person object which describes a person or an identity.
 * [objects/phone](objects/phone/definition.json) - A phone or mobile phone object.
+* [objects/process](objects/process/definition.json) - A process object.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
+* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
+* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
+* [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.
+* [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.
+* [objects/suricata](objects/suricata/definition.json) - Suricata rule with context.
+* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
+* [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.
 * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time.
+* [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
 * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name.
 * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate.
+* [objects/yara](objects/yara/definition.json) - YARA object describing a YARA rule along with the version supported and context (such as memory, network, disk).
 
 ## MISP objects relationships
diff --git a/objects/bank-account/definition.json b/objects/bank-account/definition.json
new file mode 100644
index 0000000..4952a7e
--- /dev/null
+++ b/objects/bank-account/definition.json
@@ -0,0 +1,170 @@
+{
+ "requiredOneOf": [
+ "account"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the bank account.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "institution-name": {
+ "description": "Name of the bank or financial organisation.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "institution-code": {
+ "description": "Institution code of the bank.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "swift": {
+ "description": "SWIFT or BIC as defined in ISO 9362.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "bic"
+ },
+ "branch": {
+ "description": "Branch code or name",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "non-banking-institution": {
+ "description": "A flag to define if this account belong to a non-banking organisation. If set to true, it's a non-banking organisation.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "account": {
+ "description": "Account number",
+ "ui-priority": 0,
+ "misp-attribute": "bank-account-nr"
+ },
+ "currency-code": {
+ "description": "Currency of the account.",
+ "ui-priority": 0,
+ "sane_default": [
+ "USD",
+ "EUR"
+ ],
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "aba-rtn": {
+ "description": " ABA routing transit number",
+ "ui-priority": 0,
+ "misp-attribute": "aba-rtn"
+ },
+ "account-name": {
+ "description": "A field to freely describe the bank account details.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "iban": {
+ "description": "IBAN of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "iban"
+ },
+ "client-number": {
+ "description": "Client number as seen by the bank.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "personal-account-type": {
+ "description": "Account type.",
+ "ui-priority": 0,
+ "sane_default": [
+ "A - Business",
+ "B - Personal Current",
+ "C - Savings",
+ "D - Trust Account",
+ "E - Trading Account",
+ "O - Other"
+ ],
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "opened": {
+ "description": "When the account was opened.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "closed": {
+ "description": "When the account was closed.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "balance": {
+ "description": "The balance of the account after the suspicious transaction was processed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "date-balance": {
+ "description": "When the balance was reported.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "status-code": {
+ "description": "Account status at the time of the transaction processed.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A - Active",
+ "B - Inactive",
+ "C - Dormant"
+ ]
+ },
+ "beneficiary": {
+ "description": "Final beneficiary of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "beneficiary-comment": {
+ "description": "Comment about the final beneficiary.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "comments": {
+ "description": "Comments about the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "report-code": {
+ "description": "Report code of the bank account.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "CTR Cash Transaction Report",
+ "STR Suspicious Transaction Report",
+ "EFT Electronic Funds Transfer",
+ "IFT International Funds Transfer",
+ "TFR Terror Financing Report",
+ "BCR Border Cash Report",
+ "UTR Unusual Transaction Report",
+ "AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.",
+ "IRI Incoming Request for Information – International",
+ "ORI Outgoing Request for Information – International",
+ "IRD Incoming Request for Information – Domestic",
+ "ORD Outgoing Request for Information – Domestic"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "An object describing bank account information based on account description from goAML 4.0.",
+ "meta-category": "financial",
+ "uuid": "b4712203-95a8-4883-80e9-b566f5df11c9",
+ "name": "bank-account"
+}
diff --git a/objects/cap-alert/definition.json b/objects/cap-alert/definition.json
new file mode 100644
index 0000000..c9fe3ac
--- /dev/null
+++ b/objects/cap-alert/definition.json
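Review bot: `requiredOneOf` lists only `account`, so a bank account known solely by its IBAN (the template's own `iban` attribute) cannot be recorded as this object at all, even though IBAN, ABA RTN and BIC are modelled as first-class identifiers here; `"requiredOneOf": ["account", "iban"]` would cover the goAML cases the description refers to. Two description strings also need a touch: `aba-rtn` carries a leading space (`"description": "ABA routing transit number"`), and `non-banking-institution` should read `"A flag to define if this account belongs to a non-banking organisation. If set to true, it's a non-banking organisation."`.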
@@ -0,0 +1,108 @@
+{
+ "requiredOneOf": [
+ "msgType"
+ ],
+ "attributes": {
+ "identifier": {
+ "description": "The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "sender": {
+ "description": "The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "sent": {
+ "description": "The time and date of the origination of the alert message.",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "status": {
+ "description": "The code denoting the appropriate handling of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Actual",
+ "Exercise",
+ "System",
+ "Test",
+ "Draft"
+ ]
+ },
+ "msgType": {
+ "description": "The code denoting the nature of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Alert",
+ "Update",
+ "Cancel",
+ "Ack",
+ "Error"
+ ]
+ },
+ "source": {
+ "description": "The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "scope": {
+ "description": "The code denoting the intended distribution of the alert message. ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Public",
+ "Restricted",
+ "Private"
+ ]
+ },
+ "restriction": {
+ "description": "The text describing the rule for limiting distribution of the restricted alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "addresses": {
+ "description": "The group listing of intended recipients of the alert message. (1) Required when is “Private”, optional when is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. ",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "code": {
+ "description": "The code denoting the special handling of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "note": {
+ "description": "The text describing the purpose or significance of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "incident": {
+ "description": "The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) alert object",
+ "meta-category": "misc",
+ "uuid": "03b107bb-133d-4180-87ff-e3dbe731f828",
+ "name": "cap-alert"
+}
diff --git a/objects/cap-info/definition.json b/objects/cap-info/definition.json
new file mode 100644
index 0000000..9645f13
--- /dev/null
+++ b/objects/cap-info/definition.json
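Review bot: `status` is the only enumerated attribute in this template without `"disable_correlation": true`; every value it can take (`Actual`, `Exercise`, `System`, ...) is shared by countless unrelated alerts, so leaving correlation on will link every CAP event with the same status to every other one. Add `"disable_correlation": true,` to `status`, as `msgType` and `scope` already have. The `scope` and `addresses` descriptions also end with a trailing space inside the string literal (the same applies to `language` in cap-info), which is carried verbatim into the template text.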
@@ -0,0 +1,171 @@
+{
+ "requiredOneOf": [
+ "category"
+ ],
+ "attributes": {
+ "language": {
+ "description": "The code denoting the language of the info sub-element of the alert message. ",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "category": {
+ "description": "The code denoting the category of the subject event of the alert message.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Geo",
+ "Met",
+ "Safety",
+ "Security",
+ "Rescue",
+ "Fire",
+ "Health",
+ "Env",
+ "Transport",
+ "Infra",
+ "CBRNE",
+ "Other"
+ ],
+ "disable_correlation": true
+ },
+ "event": {
+ "description": "The text denoting the type of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "responseType": {
+ "description": "The code denoting the type of action recommended for the target audience.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Shelter",
+ "Evacuate",
+ "Prepare",
+ "Execute",
+ "Avoid",
+ "Monitor",
+ "Assess",
+ "AllClear",
+ "None"
+ ]
+ },
+ "urgency": {
+ "description": "The code denoting the urgency of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Immediate",
+ "Expected",
+ "Future",
+ "Past",
+ "Unknown"
+ ]
+ },
+ "severity": {
+ "description": "The code denoting the severity of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Extreme",
+ "Severe",
+ "Moderate",
+ "Minor",
+ "Unknown"
+ ]
+ },
+ "certainty": {
+ "description": "The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Likely",
+ "Possible",
+ "Unlikely",
+ "Unknown"
+ ]
+ },
+ "audience": {
+ "description": "The text describing the intended audience of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "eventCode": {
+ "description": "A system-specific code identifying the event type of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "effective": {
+ "description": "The effective time of the information of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "onset": {
+ "description": "The expected time of the beginning of the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "expires": {
+ "description": "The expiry time of the information of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "datetime"
+ },
+ "senderName": {
+ "description": "The text naming the originator of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "headline": {
+ "description": "The text headline of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "description": {
+ "description": "The text describing the subject event of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "instruction": {
+ "description": "The text describing the recommended action to be taken by recipients of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "web": {
+ "description": "The identifier of the hyperlink associating additional information with the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "link"
+ },
+ "contact": {
+ "description": "The text describing the contact for follow-up and confirmation of the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "parameter": {
+ "description": "A system-specific additional parameter associated with the alert message.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) info object",
+ "meta-category": "misc",
+ "uuid": "826c25e6-fdd5-4e4a-b081-be5ba3ac2c3d",
+ "name": "cap-info"
+}
diff --git a/objects/cap-resource/definition.json b/objects/cap-resource/definition.json
new file mode 100644
index 0000000..92502a2
--- /dev/null
+++ b/objects/cap-resource/definition.json
@@ -0,0 +1,46 @@
+{
+ "requiredOneOf": [
+ "resourceDesc"
+ ],
+ "attributes": {
+ "resourceDesc": {
+ "description": "The text describing the type and content of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "mimeType": {
+ "description": "The identifier of the MIME content type and sub-type describing the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "mime-type"
+ },
+ "size": {
+ "description": "The integer indicating the size of the resource file.",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "uri": {
+ "description": "The identifier of the hyperlink for the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "derefUri": {
+ "description": "The base-64 encoded data content of the resource file.",
+ "ui-priority": 0,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ },
+ "digest": {
+ "description": "The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).",
+ "ui-priority": 0,
+ "misp-attribute": "sha1"
+ }
+ },
+ "version": 1,
+ "description": "Common Alerting Protocol Version (CAP) resource object",
+ "meta-category": "misc",
+ "uuid": "6fddc76b-59fc-49f6-a673-52f8d15149c4",
+ "name": "cap-resource"
+}
diff --git a/objects/course-of-action/definition.json b/objects/course-of-action/definition.json
new file mode 100644
index 0000000..ee5b157
--- /dev/null
+++ b/objects/course-of-action/definition.json
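Review bot: `size` is described as "The integer indicating the size of the resource file" yet is typed `text`, so the value is stored and compared as free text; `"misp-attribute": "size-in-bytes"` (or `counter`, which the fail2ban template in this same commit uses for `failures`) keeps it numeric. `derefUri` is declared as `attachment` while its description says the value is base-64 encoded content, so whoever builds these objects from CAP XML has to decode before attaching; stating that in the description, e.g. `"description": "Data content of the resource file (base-64 encoded in CAP; store the decoded file as attachment)."`, avoids double-encoded attachments.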
@@ -0,0 +1,104 @@
+{
+ "requiredOneOf": [
+ "name",
+ "type"
+ ],
+ "attributes": {
+ "name": {
+ "description": "The name used to identify the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "type": {
+ "description": "The type of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Perimeter Blocking",
+ "Internal Blocking",
+ "Redirection",
+ "Redirection (Honey Pot)",
+ "Hardening",
+ "Patching",
+ "Eradication",
+ "Rebuilding",
+ "Training",
+ "Monitoring",
+ "Physical Access Restrictions",
+ "Logical Access Restrictions",
+ "Public Disclosure",
+ "Diplomatic Actions",
+ "Policy Actions",
+ "Other"
+ ]
+ },
+ "description": {
+ "description": "A description of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "objective": {
+ "description": "The objective of the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "stage": {
+ "description": "The stage of the threat management lifecycle that the course of action is applicable to.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "Remedy",
+ "Response"
+ ]
+ },
+ "cost": {
+ "description": "The estimated cost of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "impact": {
+ "description": "The estimated impact of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ },
+ "efficacy": {
+ "description": "The estimated efficacy of applying the course of action.",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "sane_default": [
+ "High",
+ "Medium",
+ "Low",
+ "None",
+ "Unknown"
+ ]
+ }
+ },
+ "version": 1,
+ "description": "An object describing a specific measure taken to prevent or respond to an attack.",
+ "meta-category": "misc",
+ "uuid": "3d1c2c06-68a9-4394-8c8d-258d115f796f",
+ "name": "course-of-action"
+}
diff --git a/objects/cowrie/definition.json b/objects/cowrie/definition.json
new file mode 100644
index 0000000..d3926d1
--- /dev/null
+++ b/objects/cowrie/definition.json
@@ -0,0 +1,126 @@
+{
+ "requiredOneOf": [
+ "session"
+ ],
+ "attributes": {
+ "eventid": {
+ "description": "Eventid of the session in the cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "system": {
+ "description": "System origin in cowrie honeypot",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "username": {
+ "description": "Username related to the password(s)",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "password": {
+ "description": "Password",
+ "multiple": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "session": {
+ "description": "Session id",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "timestamp": {
+ "description": "When the event happened",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "message": {
+ "description": "Message of the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "protocol": {
+ "description": "Protocol used in the cowrie honeypot",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "sensor": {
+ "description": "Cowrie sensor name",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "src_ip": {
+ "description": "Source IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "dst_ip": {
+ "description": "Destination IP address of the session",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst",
+ "disable_correlation": true
+ },
+ "src_port": {
+ "description": "Source port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
+ "dst_port": {
+ "description": "Destination port of the session",
+ "ui-priority": 1,
+ "misp-attribute": "port",
+ "disable_correlation": true
+ },
+ "isError": {
+ "description": "isError",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "input": {
+ "description": "Input of the session",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "macCS": {
+ "description": "SSH MAC supported in the sesssion",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "keyAlgs": {
+ "description": "SSH public-key algorithm supported in the session",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "encCS": {
+ "description": "SSH symmetric encryption algorithm supported in the session",
+ "multiple": true,
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "compCS": {
+ "description": "SSH compression algorithm supported in the session",
+ "multiple": true,
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 2,
+ "description": "Cowrie honeypot object template",
+ "meta-category": "network",
+ "uuid": "ae085d32-6534-4d52-b3eb-063fccb753e7",
+ "name": "cowrie"
+}
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 7b7f45d..84c1465 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 7,
+ "version": 11,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
@@ -16,6 +16,7 @@
 "message-id": {
 "description": "Message ID",
 "misp-attribute": "email-message-id",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -24,6 +25,7 @@
 "to": {
 "description": "Destination email address",
 "misp-attribute": "email-dst",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -33,6 +35,7 @@
 "cc": {
 "description": "Carbon copy",
 "misp-attribute": "email-dst",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -59,6 +62,7 @@
 "screenshot": {
 "description": "Screenshot of email",
 "misp-attribute": "attachment",
+ "disable_correlation": true,
 "ui-priority": 1,
 "categories": [
 "External analysis"
@@ -76,6 +80,7 @@
 "x-mailer": {
 "description": "X-Mailer generally tells the program that was used to draft and send the original email",
 "misp-attribute": "email-x-mailer",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -84,6 +89,7 @@
 "header": {
 "description": "Full headers",
 "misp-attribute": "email-header",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -102,6 +108,7 @@
 "mime-boundary": {
 "description": "MIME Boundary",
 "misp-attribute": "email-mime-boundary",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -110,6 +117,7 @@
 "thread-index": {
 "description": "Identifies a particular conversation thread",
 "misp-attribute": "email-thread-index",
+ "disable_correlation": true,
 "ui-priority": 0,
 "categories": [
 "Payload delivery"
@@ -125,7 +133,7 @@
 },
 "return-path": {
 "description": "Message return path",
- "misp-attribute": "text",
+ "misp-attribute": "email-src",
 "ui-priority": 1,
 "categories": [
 "Payload delivery"
@@ -138,6 +146,27 @@
 "categories": [
 "Payload delivery"
 ]
+ },
+ "email-body": {
+ "description": "Body of the email",
+ "misp-attribute": "email-body",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "categories": [
+ "Payload delivery"
+ ]
+ },
+ "user-agent": {
+ "description": "User Agent of the sender",
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "disable_correlation": true
+ },
+ "eml": {
+ "description": "Full EML",
+ "misp-attribute": "attachment",
+ "disable_correlation": true,
+ "ui-priority": 1
 }
 },
 "requiredOneOf": [
@@ -155,6 +184,8 @@
 "thread-index",
 "header",
 "x-mailer",
- "return-path"
+ "return-path",
+ "email-body",
+ "eml"
 ]
 }
diff --git a/objects/fail2ban/definition.json b/objects/fail2ban/definition.json
new file mode 100644
index 0000000..90b0151
--- /dev/null
+++ b/objects/fail2ban/definition.json
@@ -0,0 +1,61 @@
+{
+ "required": [
+ "banned-ip",
+ "processing-timestamp",
+ "attack-type"
+ ],
+ "attributes": {
+ "banned-ip": {
+ "description": "IP Address banned by fail2ban",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src"
+ },
+ "processing-timestamp": {
+ "description": "Timestamp of the report",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "attack-type": {
+ "description": "Type of the attack",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "failures": {
+ "description": "Amount of failures that lead to the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "counter",
+ "disable_correlation": true
+ },
+ "sensor": {
+ "description": "Identifier of the sensor",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "victim": {
+ "description": "Identifier of the victim",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "logline": {
+ "description": "Example log line that caused the ban.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "logfile": {
+ "description": "Full logfile related to the attack.",
+ "ui-priority": 1,
+ "misp-attribute": "attachment",
+ "disable_correlation": true
+ }
+ },
+ "version": 5,
+ "description": "Fail2ban event",
+ "meta-category": "network",
+ "uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
+ "name": "fail2ban"
+}
diff --git a/objects/file/definition.json b/objects/file/definition.json
index f0f7fe0..4c65a73 100644
--- a/objects/file/definition.json
+++ b/objects/file/definition.json
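Review bot: The new `user-agent` attribute in the `@@ -138,6 +146,27 @@` hunk is typed `text`, although a `user-agent` attribute type exists and is used by the http-request template in this same commit (`"misp-attribute": "user-agent"`); using `"misp-attribute": "user-agent"` here keeps the two objects consistent and lets the value be searched by type. The `user-agent` and `eml` entries are also the only attributes in this template without a `categories` list, unlike `email-body` right above them — presumably an oversight rather than intent, so `"categories": ["Payload delivery"]` would match the rest. The enclosing `attributes` object starts outside this hunk.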
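Review bot: The fail2ban template `uuid` `8be2271-7326-41a5-a0dd-9b4bec88e1ba` is not a valid UUID: its first group has seven hex digits instead of eight, so anything that validates or keys on the template uuid will reject or mis-index this object, and a template uuid is effectively permanent once objects referencing it exist. Regenerate it before merging, e.g. `"uuid": "<freshly generated UUID>"` (placeholder) from `uuidgen`. A new file starting at `"version": 5` is also unusual; if this template was previously distributed elsewhere that is fine, otherwise `1` avoids implying missing history.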
@@ -17,7 +17,8 @@ "tlsh", "pattern-in-file", "x509-fingerprint-sha1", - "malware-sample" + "malware-sample", + "path" ], "attributes": { "md5": { @@ -124,6 +125,13 @@ "ui-priority": 1, "misp-attribute": "filename" }, + "path": { + "description": "Path of the filename complete or partial", + "disable_correlation": true, + "multiple": true, + "ui-priority": 0, + "misp-attribute": "text" + }, "tlsh": { "description": "Fuzzy hash by Trend Micro: Locality Sensitive Hash", "ui-priority": 0, @@ -138,7 +146,7 @@ "description": "Mime type", "disable_correlation": true, "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "mime-type" }, "state": { "misp-attribute": "text", @@ -156,7 +164,7 @@ ] } }, - "version": 9, + "version": 11, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index ab6ee46..7a4902b 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -42,6 +42,16 @@ "ui-priority": 0, "misp-attribute": "float" }, + "address": { + "description": "Address.", + "misp-attribute": "text", + "ui-priority": 1 + }, + "zipcode": { + "description": "Zip Code.", + "misp-attribute": "text", + "ui-priority": 1 + }, "city": { "description": "City.", "misp-attribute": "text", diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json index 67f7809..76bb081 100644 --- a/objects/http-request/definition.json +++ b/objects/http-request/definition.json @@ -1,6 +1,6 @@ { - "required": [ - "method", + "requiredOneOf": [ + "url", "uri" ], "attributes": { @@ -111,7 +111,7 @@ "misp-attribute": "user-agent" } }, - "version": 1, + "version": 2, "description": "A single HTTP request header", "meta-category": "network", "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", 
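Review bot: `path` is added to `requiredOneOf` while being typed `text` with `disable_correlation: true`, so a file object can now be built from a path alone and contain nothing that correlates and nothing typed as a filename or hash; if that is intended the description should say so, otherwise keep `path` optional. The description `Path of the filename complete or partial` is unclear and paths routinely embed user or host names; suggest `"description": "Full or partial filesystem path of the file (may embed user or host names)"`. The object also jumps two versions (9 to 11) in one hunk; a changelog note would help consumers that pin template versions.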
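Review bot: `address` and `zipcode` are added with correlation left enabled; a zip code is a low-entropy value shared by many unrelated events and a street address is personal data, so both should carry `"disable_correlation": true` as the low-entropy `person` fields in this same change (`gender`, `passport-country`) do. The geolocation `version` is not bumped inside this hunk although the template gains attributes; confirm it is incremented elsewhere in the file. The descriptions `Address.` and `Zip Code.` could say whether the value is free text or structured, e.g. `"description": "Postal address (free text)."`.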
diff --git a/objects/ip-port/definition.json b/objects/ip-port/definition.json index 528ab7c..a91ed90 100644 --- a/objects/ip-port/definition.json +++ b/objects/ip-port/definition.json @@ -1,9 +1,9 @@ { "requiredOneOf": [ "dst-port", - "src-port" - ], - "required": [ + "src-port", + "domain", + "hostname", "ip" ], "attributes": { @@ -41,7 +41,29 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "port" + "misp-attribute": "port", + "disable_correlation": true, + "multiple": true + }, + "domain": { + "description": "Domain", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain", + "multiple": true + }, + "hostname": { + "description": "Hostname", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "hostname", + "multiple": true }, "ip": { "description": "IP Address", @@ -50,11 +72,12 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "ip-dst" + "misp-attribute": "ip-dst", + "multiple": true } }, - "version": 5, - "description": "An IP address and a port seen as a tuple (or as a triple) in a specific time frame.", + "version": 7, + "description": "An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.", "meta-category": "network", "uuid": "9f8cea74-16fe-4968-a2b4-026676949ac6", "name": "ip-port" diff --git a/objects/legal-entity/definition.json b/objects/legal-entity/definition.json new file mode 100644 index 0000000..29f89c5 --- /dev/null +++ b/objects/legal-entity/definition.json 
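Review bot: Moving `ip` out of `required` means `requiredOneOf` is now satisfied by a lone `src-port` or `dst-port`, which yields an ip-port object with no IP, domain or hostname at all; keep the endpoint identity mandatory, e.g. `"requiredOneOf": ["ip", "domain", "hostname"]` with the ports optional. Marking `ip` and a port attribute `multiple: true` also dissolves the tuple semantics the description still promises, since several IPs and several ports in one object no longer record which pairs were observed together. The `@@ -41` hunk does not show whether it is `dst-port` or `src-port` that received `disable_correlation`/`multiple`; confirm both ports were treated the same way.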
@@ -0,0 +1,48 @@
+{
+ "requiredOneOf": [
+ "name"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the entity.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "name": {
+ "description": "Name of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "commercial-name": {
+ "description": "Commercial name of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "legal-form": {
+ "description": "Legal form of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "registration-number": {
+ "description": "Registration number of an entity in the relevant authority.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "business": {
+ "description": "Business area of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "phone-number": {
+ "description": "Phone number of an entity.",
+ "ui-priority": 0,
+ "misp-attribute": "phone-number"
+ }
+ },
+ "version": 1,
+ "description": "An object to describe a legal entity.",
+ "meta-category": "misc",
+ "uuid": "14f5688f-d89c-469f-9878-c48bf6c41c65",
+ "name": "legal-entity"
+}
diff --git a/objects/mutex/definition.json b/objects/mutex/definition.json
new file mode 100644
index 0000000..f9d23aa
--- /dev/null
+++ b/objects/mutex/definition.json
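Review bot: `legal-form` and `business` hold low-entropy enumerations (a company type, a business sector) and are left correlating, which will link every entity of the same form or sector across unrelated events; add `"disable_correlation": true` to both, as `text` already has. `name` is the only required attribute yet gets `ui-priority: 0` while the free-text `text` gets 1, so the identifying field is demoted in the UI; swapping the two priorities reads better. `registration-number` is the strong pivot here and is correctly left correlating.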
@@ -0,0 +1,31 @@
+{
+ "requiredOneOf": [
+ "name"
+ ],
+ "attributes": {
+ "description": {
+ "description": "Description",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "operating-system": {
+ "description": "Operating system where the mutex has been seen",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "Windows",
+ "Unix"
+ ]
+ },
+ "name": {
+ "description": "name of the mutex",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "Object to describe mutual exclusion locks (mutex) as seen in memory or computer program",
+ "meta-category": "misc",
+ "uuid": "9f5c1a68-2021-4faa-b409-61c899c86466",
+ "name": "mutex"
+}
diff --git a/objects/network-connection/definition.json b/objects/network-connection/definition.json
new file mode 100644
index 0000000..0aa9cba
--- /dev/null
+++ b/objects/network-connection/definition.json
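Review bot: `operating-system` is a two-value enumeration (`Windows`/`Unix`) with correlation enabled, so every mutex object seen on the same platform would correlate with every other; add `"disable_correlation": true` to it and to the free-text `description` attribute. `name` is the only value worth correlating and is typed `text`; if the MISP version this targets offers a dedicated mutex attribute type it would be the better fit, otherwise the description should at least say the value is the exact mutex string, e.g. `"description": "Exact name of the mutex as created by the program"`.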
@@ -0,0 +1,96 @@
+{
+ "name": "network-connection",
+ "uuid": "af16764b-f8e5-4603-9de1-de34d272f80b",
+ "meta-category": "network",
+ "description": "A local or remote network connection.",
+ "version": 1,
+ "attributes": {
+ "ip-src": {
+ "description": "Source IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "src-port": {
+ "description": "Source port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the nework connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "hostname-src": {
+ "description": "Source hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "layer3-protocol": {
+ "description": "Layer 3 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "IP",
+ "ICMP",
+ "ARP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer4-protocol": {
+ "description": "Layer 4 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "TCP",
+ "UDP"
+ ],
+ "misp-attribute": "text"
+ },
+ "layer7-protocol": {
+ "description": "Layer 7 protocol of the network connection.",
+ "ui-priority": 0,
+ "sane_default": [
+ "HTTP",
+ "HTTPS",
+ "FTP"
+ ],
+ "misp-attribute": "text"
+ },
+ "first-packet-seen": {
+ "misp-attribute": "datetime",
+ "ui-priority": 1,
+ "description": "Datetime of the first packet seen."
+ }
+ },
+ "requiredOneOf": [
+ "first-packet-seen",
+ "ip-src",
+ "ip-dst",
+ "src-port",
+ "dst-port"
+ ]
+}
diff --git a/objects/network-socket/definition.json b/objects/network-socket/definition.json
new file mode 100644
index 0000000..5bbd1ff
--- /dev/null
+++ b/objects/network-socket/definition.json
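Review bot: `first-packet-seen` is a `datetime` listed in `requiredOneOf` with correlation enabled, and `layer3-protocol`/`layer4-protocol`/`layer7-protocol` are enumerations (`IP`, `TCP`, `HTTP`, …); all of them will correlate unrelated events that merely share a timestamp or a protocol and should carry `"disable_correlation": true`, as the `datetime` attributes in the fail2ban and process templates of this same change do. A connection consisting of only `first-packet-seen` is also not a useful object; consider leaving it out of `requiredOneOf`. `hostname-src`/`hostname-dst` omit the `categories` list the ip and port attributes set, and the descriptions spell `nework` four times.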
@@ -0,0 +1,194 @@
+{
+ "name": "network-socket",
+ "uuid": "48bbfd72-ef8e-4649-b14d-41b4b5a0eba2",
+ "meta-category": "network",
+ "description": "Network socket object describes a local or remote network connections based on the socket data structure.",
+ "version": 1,
+ "attributes": {
+ "ip-src": {
+ "description": "Source (local) IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-src"
+ },
+ "hostname-src": {
+ "description": "Source (local) hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "ip-dst": {
+ "description": "Destination IP address of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "ip-dst"
+ },
+ "hostname-dst": {
+ "description": "Destination hostname of the network socket connection.",
+ "ui-priority": 1,
+ "misp-attribute": "hostname"
+ },
+ "src-port": {
+ "description": "Source (local) port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "dst-port": {
+ "description": "Destination port of the network socket connection.",
+ "ui-priority": 1,
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "misp-attribute": "port"
+ },
+ "protocol": {
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "TCP",
+ "UDP",
+ "ICMP",
+ "IP"
+ ],
+ "description": "Protocol used by the network socket."
+ },
+ "address-family": {
+ "description": "Address family who specifies the address family type (AF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "AF_UNSPEC",
+ "AF_LOCAL",
+ "AF_UNIX",
+ "AF_FILE",
+ "AF_INET",
+ "AF_AX25",
+ "AF_IPX",
+ "AF_APPLETALK",
+ "AF_NETROM",
+ "AF_BRIDGE",
+ "AF_ATMPVC",
+ "AF_X25",
+ "AF_INET6",
+ "AF_ROSE",
+ "AF_DECnet",
+ "AF_NETBEUI",
+ "AF_SECURITY",
+ "AF_KEY",
+ "AF_NETLINK",
+ "AF_ROUTE",
+ "AF_PACKET",
+ "AF_ASH",
+ "AF_ECONET",
+ "AF_ATMSVC",
+ "AF_RDS",
+ "AF_SNA",
+ "AF_IRDA",
+ "AF_PPPOX",
+ "AF_WANPIPE",
+ "AF_LLC",
+ "AF_IB",
+ "AF_MPLS",
+ "AF_CAN",
+ "AF_TIPC",
+ "AF_BLUETOOTH",
+ "AF_IUCV",
+ "AF_RXRPC",
+ "AF_ISDN",
+ "AF_PHONET",
+ "AF_IEEE802154",
+ "AF_CAIF",
+ "AF_ALG",
+ "AF_NFC",
+ "AF_VSOCK",
+ "AF_KCM",
+ "AF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "domain-family": {
+ "description": "Domain family who specifies the communication domain (PF_*) of the socket connection.",
+ "ui-priority": 1,
+ "sane_default": [
+ "PF_UNSPEC",
+ "PF_LOCAL",
+ "PF_UNIX",
+ "PF_FILE",
+ "PF_INET",
+ "PF_AX25",
+ "PF_IPX",
+ "PF_APPLETALK",
+ "PF_NETROM",
+ "PF_BRIDGE",
+ "PF_ATMPVC",
+ "PF_X25",
+ "PF_INET6",
+ "PF_ROSE",
+ "PF_DECnet",
+ "PF_NETBEUI",
+ "PF_SECURITY",
+ "PF_KEY",
+ "PF_NETLINK",
+ "PF_ROUTE",
+ "PF_PACKET",
+ "PF_ASH",
+ "PF_ECONET",
+ "PF_ATMSVC",
+ "PF_RDS",
+ "PF_SNA",
+ "PF_IRDA",
+ "PF_PPPOX",
+ "PF_WANPIPE",
+ "PF_LLC",
+ "PF_IB",
+ "PF_MPLS",
+ "PF_CAN",
+ "PF_TIPC",
+ "PF_BLUETOOTH",
+ "PF_IUCV",
+ "PF_RXRPC",
+ "PF_ISDN",
+ "PF_PHONET",
+ "PF_IEEE802154",
+ "PF_CAIF",
+ "PF_ALG",
+ "PF_NFC",
+ "PF_VSOCK",
+ "PF_KCM",
+ "PF_MAX"
+ ],
+ "misp-attribute": "text"
+ },
+ "state": {
+ "description": "State of the socket connection.",
+ "multiple": true,
+ "sane_default": [
+ "blocking",
+ "listening"
+ ],
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "option": {
+ "description": "Option on the socket connection.",
+ "multiple": true,
+ "misp-attribute": "text",
+ 
"ui-priority": 1 + } + }, + "requiredOneOf": [ + "ip-src", + "ip-dst", + "src-port", + "dst-port" + ] +} diff --git a/objects/passive-dns/definition.json b/objects/passive-dns/definition.json index b832c40..38994ee 100644 --- a/objects/passive-dns/definition.json +++ b/objects/passive-dns/definition.json @@ -6,22 +6,25 @@ ], "attributes": { "zone_time_last": { - "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import", + "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "text": { - "description": "", + "description": "Description of the passive DNS record.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "count": { - "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers", + "description": "How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers.", "ui-priority": 0, - "misp-attribute": "counter" + "misp-attribute": "counter", + "disable_correlation": true }, "rrname": { - "description": "Resource Record name of the queried resource", + "description": "Resource Record name of the queried resource.", "categories": [ "Network activity", "External analysis" @@ -30,7 +33,7 @@ "misp-attribute": "text" }, "rrtype": { - "description": "Resource Record type as seen by the passive DNS", + "description": "Resource Record type as seen by the passive DNS.", "categories": [ "Network activity", "External analysis" @@ -51,7 +54,8 @@ "NAPTR", "HINFO", "A6" - ] + ], + "disable_correlation": true }, "rdata": { "description": "Resource records of the queried resource", 
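Review bot: `address-family`, `domain-family`, `protocol` and `state` are enumerations (`AF_INET`, `PF_INET`, `TCP`, `listening`) with correlation enabled, so any two sockets sharing a family or protocol will correlate; add `"disable_correlation": true` to each of them. `protocol` uses `values_list` while every other enumerated attribute in this change uses `sane_default`; if the hard restriction is intentional it deserves a comment in the description, otherwise align it. `address-family` and `domain-family` enumerate the same socket domains under their AF_/PF_ spellings, which on most platforms are aliases, so the descriptions should say when a producer is expected to fill both; `who specifies` in both descriptions should read `which specifies`.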
@@ -61,35 +65,41 @@ "zone_time_first": { "description": "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "origin": { "description": "Origin of the Passive DNS response", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "time_last": { "description": "Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "time_first": { "description": "First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS", "ui-priority": 0, - "misp-attribute": "datetime" + "misp-attribute": "datetime", + "disable_correlation": true }, "bailiwick": { "description": "Best estimate of the apex of the zone where this data is authoritative", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true }, "sensor_id": { "description": "Sensor information where the record was seen", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "disable_correlation": true } }, - "version": 2, + "version": 3, "description": "Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-01", "meta-category": "network", "uuid": "b77b7b1c-66ab-4a41-8da4-83810f6d2d6c", diff --git a/objects/person/definition.json b/objects/person/definition.json index 5f7f5ca..a041ede 100644 --- a/objects/person/definition.json +++ b/objects/person/definition.json 
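Review bot: The preceding hunks add a trailing period to several descriptions in this template while this one leaves `zone_time_first`, `origin`, `time_last`, `time_first`, `bailiwick` and `sensor_id` without one; pick one convention for the file, e.g. `"description": "Origin of the Passive DNS response."`. `bailiwick` is a zone apex and is a plausible pivot between records; if disabling its correlation is deliberate (noise from large zones), the description should say so.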
@@ -16,14 +16,32 @@ "misp-attribute": "last-name" }, "middle-name": { - "description": "Middle name of a natural person", + "description": "Middle name of a natural person.", "ui-priority": 0, "misp-attribute": "middle-name" }, "first-name": { "description": "First name of a natural person.", "ui-priority": 0, - "misp-attribute": "first-name" + "misp-attribute": "first-name", + "disable_correlation": true + }, + "mothers-name": { + "description": "Mother name, father, second name or other names following country's regulation.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "title": { + "description": "Title of the natural person such as Dr. or equivalent.", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "alias": { + "description": "Alias name or known as.", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true }, "date-of-birth": { "description": "Date of birth of a natural person (in YYYY-MM-DD format).", @@ -33,7 +51,8 @@ "place-of-birth": { "description": "Place of birth of a natural person.", "ui-priority": 0, - "misp-attribute": "place-of-birth" + "misp-attribute": "place-of-birth", + "disable_correlation": true }, "gender": { "description": "The gender of a natural person.", @@ -44,7 +63,13 @@ "Female", "Other", "Prefer not to say" - ] + ], + "disable_correlation": true + }, + "identity-card-number": { + "description": "The identity card number of a natural person.", + "ui-priority": 0, + "misp-attribute": "identity-card-number" }, "passport-number": { "description": "The passport number of a natural person.", 
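Review bot: The `mothers-name` description (`Mother name, father, second name or other names following country's regulation.`) does not say what the field holds; suggest `"description": "Mother's name, father's name or other secondary name required by the issuing country's naming conventions."`. It is also given `ui-priority: 1`, above `first-name`, and keeps correlation enabled while `first-name` in the same hunk now disables it — names are low-entropy personal data and should be treated alike. The `title` attribute is correctly non-correlating; `alias` is the useful pivot and is fine to keep correlating.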
@@ -54,26 +79,35 @@ "passport-country": { "description": "The country in which the passport was issued.", "ui-priority": 0, - "misp-attribute": "passport-country" + "misp-attribute": "passport-country", + "disable_correlation": true }, "passport-expiration": { "description": "The expiration date of a passport.", "ui-priority": 0, - "misp-attribute": "passport-expiration" + "misp-attribute": "passport-expiration", + "disable_correlation": true }, "redress-number": { "description": "The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.", "ui-priority": 0, "misp-attribute": "redress-number" }, + "social-security-number": { + "description": "Social security number", + "ui-priority": 0, + "misp-attribute": "text" + }, "nationality": { "description": "The nationality of a natural person.", "ui-priority": 0, - "misp-attribute": "nationality" + "misp-attribute": "nationality", + "multiple": true, + "disable_correlation": true } }, - "version": 2, - "description": "An person which describes a person or an identity.", + "version": 3, + "description": "An object which describes a person or an identity.", "meta-category": "misc", "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248", "name": "person" diff --git a/objects/process/definition.json b/objects/process/definition.json new file mode 100644 index 0000000..a213e0d --- /dev/null +++ b/objects/process/definition.json 
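Review bot: `social-security-number` is added as free `text` with correlation enabled and nothing marks it as highly sensitive personal data; at minimum its description should say so and point at the distribution level, e.g. `"description": "Social security number (sensitive personal data; check distribution level before sharing)."`. The same applies to `identity-card-number` in the hunk above, which at least gets a dedicated attribute type while the SSN does not. `nationality` becoming `multiple` with correlation disabled is the right pattern for a low-entropy field.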
@@ -0,0 +1,52 @@ +{ + "name": "process", + "uuid": "02aeef94-ac23-455c-addb-731757ceafb5", + "meta-category": "misc", + "description": "Object describing a system process.", + "version": 1, + "attributes": { + "creation-time": { + "description": "Local date/time at which the process was created.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "start-time": { + "description": "Local date/time at which the process was started.", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "name": { + "description": "Name of the process", + "ui-priority": 1, + "misp-attribute": "text" + }, + "pid": { + "description": "Process ID of the process.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "parent_pid": { + "description": "Process ID of the parent process.", + "ui-priority": 1, + "misp-attribute": "text" + }, + "child-pid": { + "description": "Process ID of the child(ren) process.", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true + }, + "port": { + "description": "Port(s) owned by the process.", + "ui-priority": 1, + "misp-attribute": "src-port", + "multiple": true + } + }, + "requiredOneOf": [ + "name", + "pid" + ] +} diff --git a/objects/regexp/definition.json b/objects/regexp/definition.json index 5f3534c..5322b71 100644 --- a/objects/regexp/definition.json +++ b/objects/regexp/definition.json @@ -42,11 +42,12 @@ "windows-scheduled-task" ], "description": "Specify which type corresponds to this regex.", + "disable_correlation": true, "ui-priority": 0, "misp-attribute": "text" } }, - "version": 3, + "version": 4, "description": "An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.", "meta-category": "misc", "uuid": "ceffad66-71e5-4e20-9370-1b3fb694c648", 
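Review bot: `port` uses `"misp-attribute": "src-port"` while every other port attribute in this change (ip-port, network-connection, network-socket) uses `"port"`; unless `src-port` is a real attribute type on the targeted MISP version the template will not load, and a port owned by a process is not inherently a source port — use `"misp-attribute": "port"`. `pid`, `parent_pid` and `child-pid` are small recurring integers that will correlate unrelated events and should carry `"disable_correlation": true`; `parent_pid` also mixes underscore naming with the hyphenated keys around it. `creation-time` and `start-time` are described almost identically, so state the intended difference or drop one.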
diff --git a/objects/sb-signature/definition.json b/objects/sb-signature/definition.json new file mode 100644 index 0000000..481d02d --- /dev/null +++ b/objects/sb-signature/definition.json @@ -0,0 +1,49 @@ +{ + "required": [ + "software", + "signature" + ], + "attributes": { + "software": { + "description": "Name of Sandbox software", + "disable_correlation": true, + "categories": [ + "Sandbox detection" + ], + "ui-priority": 1, + "misp-attribute": "text" + }, + "signature": { + "description": "Name of detection signature - set the description of the detection signature as a comment", + "categories": [ + "Sandbox detection" + ], + "ui-priority": 2, + "misp-attribute": "text", + "multiple": true + }, + "text": { + "description": "Additional signature description", + "disable_correlation": true, + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "datetime": { + "description": "Datetime", + "disable_correlation": true, + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "datetime" + } + }, + "version": 1, + "description": "Sandbox detection signature", + "meta-category": "misc", + "uuid": "984c5c39-be7f-4e1e-b034-d3213bac51cb", + "name": "sb-signature" +} diff --git a/objects/ss7-attack/definition.json b/objects/ss7-attack/definition.json index 6354c5d..e86cb16 100644 --- a/objects/ss7-attack/definition.json +++ b/objects/ss7-attack/definition.json @@ -34,6 +34,7 @@ }, "SccpCgGT": { "description": "Signaling Connection Control Part (SCCP) CgGT - Phone number.", + "multiple": true, "ui-priority": 0, "misp-attribute": "text" }, @@ -44,6 +45,7 @@ }, "SccpCgPC": { "description": "Signaling Connection Control Part (SCCP) CgPC - Phone number.", + "multiple": true, "ui-priority": 0, "misp-attribute": "text" }, diff --git a/objects/stix2-pattern/definition.json b/objects/stix2-pattern/definition.json index 5abd6f0..ab49a22 100644 --- a/objects/stix2-pattern/definition.json +++ b/objects/stix2-pattern/definition.json 
@@ -12,9 +12,17 @@ "description": "STIX 2 pattern", "ui-priority": 0, "misp-attribute": "stix2-pattern" + }, + "version": { + "description": "Version of STIX 2 pattern.", + "ui-priority": 0, + "misp-attribute": "text", + "sane_default": [ + "stix 2.0" + ] } }, - "version": 1, + "version": 2, "description": "An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.", "meta-category": "misc", "uuid": "0c5bd072-7c3e-4d45-86f7-a8104d9143b9", diff --git a/objects/suricata/definition.json b/objects/suricata/definition.json new file mode 100644 index 0000000..ddbe458 --- /dev/null +++ b/objects/suricata/definition.json @@ -0,0 +1,32 @@ +{ + "requiredOneOf": [ + "suricata" + ], + "attributes": { + "comment": { + "description": "A description of the Suricata rule.", + "ui-priority": 0, + "misp-attribute": "comment" + }, + "suricata": { + "description": "Suricata rule.", + "ui-priority": 0, + "misp-attribute": "suricata" + }, + "version": { + "description": "Version of the Suricata rule depending where the suricata rule is known to work as expected.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ref": { + "description": "Reference to the Suricata rule such as origin of the rule or alike.", + "misp-attribute": "link", + "ui-priority": 0 + } + }, + "version": 1, + "description": "An object describing a Suricata rule along with its version and context", + "meta-category": "network", + "uuid": "3c177337-fb80-405a-a6c1-1b2ddea8684a", + "name": "suricata" +} diff --git a/objects/target-system/definition.json b/objects/target-system/definition.json new file mode 100644 index 0000000..6ed6cc0 --- /dev/null +++ b/objects/target-system/definition.json 
@@ -0,0 +1,39 @@
+{
+ "name": "target-system",
+ "uuid": "3110944f-eca0-4c94-9d61-a84d022228a4",
+ "meta-category": "internal",
+ "description": "Description about an targeted system, this could potentially be a compromissed internal system",
+ "version": 1,
+ "attributes": {
+ "targeted_machine": {
+ "description": "Targeted system",
+ "ui-priority": 1,
+ "misp-attribute": "target-machine",
+ "disable_correlation": true,
+ "categories": [
+ "Targeting data"
+ ]
+ },
+ "targeted_ip_of_system": {
+ "description": "Targeted system IP address",
+ "ui-priority": 1,
+ "misp-attribute": "ip-src",
+ "disable_correlation": true,
+ "categories": [
+ "Network activity"
+ ]
+ },
+ "timestamp_seen": {
+ "description": "Registered date and time",
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "disable_correlation": true,
+ "categories": [
+ "Other"
+ ]
+ }
+ },
+ "requiredOneOf": [
+ "targeted_machine"
+ ]
+}
diff --git a/objects/timestamp/definition.json b/objects/timestamp/definition.json
new file mode 100644
index 0000000..c1a8da0
--- /dev/null
+++ b/objects/timestamp/definition.json
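Review bot: `targeted_ip_of_system` is typed `ip-src` although it identifies the target of the activity, for which `ip-dst` is the type used by the `ip` attribute of the ip-port template; correlation is disabled here, but the type still drives export and filtering, so `"misp-attribute": "ip-dst"` seems the right choice unless the source semantics are intended — confirm. The attribute keys use underscores (`targeted_machine`, `targeted_ip_of_system`, `timestamp_seen`) while the rest of the repository uses hyphens; key names are part of the template contract, so settle this before version 1 is published. The object description has typos: `"description": "Description of a targeted system; this could be a compromised internal system"`.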
@@ -0,0 +1,45 @@
+{
+ "requiredOneOf": [
+ "first-seen",
+ "last-seen"
+ ],
+ "attributes": {
+ "text": {
+ "description": "Description of the time object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "precision": {
+ "description": "Timestamp precision represents the precision given to first_seen and/or last_seen in this object.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "year",
+ "month",
+ "day",
+ "hour",
+ "minute",
+ "full"
+ ],
+ "disable_correlation": true
+ },
+ "first-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "last-seen": {
+ "description": "First time that the linked object or attribute has been seen.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.",
+ "meta-category": "misc",
+ "uuid": "c8c91e23-4221-4533-8bf7-64e12b05f265",
+ "name": "timestamp"
+}
diff --git a/objects/transaction/definition.json b/objects/transaction/definition.json
new file mode 100644
index 0000000..5dc404e
--- /dev/null
+++ b/objects/transaction/definition.json
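Review bot: `last-seen` carries the copy-pasted description of `first-seen` (`First time that the linked object or attribute has been seen.`); it should read `"description": "Last time that the linked object or attribute has been seen."`. The `precision` description refers to `first_seen`/`last_seen` with underscores although the attributes are named `first-seen`/`last-seen`, and it does not say what `full` means — presumably second or sub-second resolution; spell that out.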
@@ -0,0 +1,116 @@
+{
+ "requiredOneOf": [
+ "transaction-number",
+ "date",
+ "amount",
+ "transmode-code"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the transaction.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "transaction-number": {
+ "description": "A unique number identifying a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "location": {
+ "description": "Location where the transaction took place.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-code": {
+ "description": "How the transaction was conducted.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "transmode-comment": {
+ "description": "Comment describing transmode-code, if needed.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "teller": {
+ "description": "Person who conducted the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "authorized": {
+ "description": "Person who autorized the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date": {
+ "description": "Date and time of the transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "amount": {
+ "description": "The value of the transaction in local currency.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "date-posting": {
+ "description": "Date of posting, if different from date of transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "from-funds-code": {
+ "description": "Type of funds used to initiate a transaction.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "A Deposit",
+ "C Currency exchange",
+ "D Casino chips",
+ "E Bank draft",
+ "F Money order",
+ "G Traveler’s cheques",
+ "H Life insurance policy",
+ "I Real estate",
+ "J Securities",
+ "K Cash",
+ "O Other",
+ "P Cheque"
+ ]
+ },
+ "to-funds-code": {
+ "description": "Type of funds used to finalize a transaction.",
+ 
"ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true, + "sane_default": [ + "A Deposit", + "C Currency exchange", + "D Casino chips", + "E Bank draft", + "F Money order", + "G Traveler’s cheques", + "H Life insurance policy", + "I Real estate", + "J Securities", + "K Cash", + "O Other", + "P Cheque" + ] + }, + "from-country": { + "description": "Origin country of a transaction.", + "ui-priority": 0, + "misp-attribute": "text" + }, + "to-country": { + "description": "Target country of a transaction.", + "ui-priority": 0, + "misp-attribute": "text" + } + }, + "version": 1, + "description": "An object to describe a financial transaction.", + "meta-category": "financial", + "uuid": "a47fa26a-01b6-4747-a394-5144e34456dc", + "name": "transaction" +} diff --git a/objects/url/definition.json b/objects/url/definition.json index 368e8f7..10729f9 100644 --- a/objects/url/definition.json +++ b/objects/url/definition.json @@ -6,7 +6,8 @@ "fragment": { "description": "Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "tld": { "description": "Top-Level Domain", @@ -42,12 +43,14 @@ "resource_path": { "description": "Path (between hostname:port and query)", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "query_string": { "description": "Query (after path, preceded by '?')", "ui-priority": 0, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true }, "url": { "description": "Full URL", @@ -92,7 +95,7 @@ "misp-attribute": "hostname" } }, - "version": 5, + "version": 6, "description": "url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.", "meta-category": "network", "uuid": "60efb77b-40b5-4c46-871b-ed1ed999fce5", 
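Review bot: `amount` is described as `in local currency` but the template has no currency attribute, so the value becomes ambiguous as soon as the object is shared across jurisdictions; either add a currency attribute holding an ISO 4217 code or make the description state which currency is meant. `date` and `date-posting` are `datetime`s with correlation enabled and will link unrelated transactions that merely share a timestamp — add `"disable_correlation": true` as the other datetime fields in this change do. `teller`, `authorized` and `location` are free-text personal data and should likewise not correlate; `authorized` has a typo, `Person who authorized the transaction.`.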
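Review bot: `fragment`, `resource_path` and `query_string` become `multiple: true` in a template whose description says these fields are the normalised parts of the single `url` attribute; a second query string or path in one object no longer maps back to that URL, so either the descriptions should say what an additional value means or the fields should stay single-valued. If the intent is to record several observed URL variants, separate url objects linked by a relationship keep the parse relation intact.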
diff --git a/objects/virustotal-report/definition.json b/objects/virustotal-report/definition.json index 5dee6ab..be0dc3e 100644 --- a/objects/virustotal-report/definition.json +++ b/objects/virustotal-report/definition.json @@ -44,9 +44,18 @@ ], "ui-priority": 2, "misp-attribute": "link" + }, + "comment": { + "description": "Comment related to this hash", + "categories": [ + "Exernal analysis" + ], + "misp-attribute": "text", + "ui-priority": 2, + "multiple": true } }, - "version": 1, + "version": 2, "description": "VirusTotal report", "meta-category": "misc", "uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", diff --git a/objects/whois/definition.json b/objects/whois/definition.json index 320873c..ed91c86 100644 --- a/objects/whois/definition.json +++ b/objects/whois/definition.json @@ -4,10 +4,10 @@ "registrant-phone", "creation-date", "registrant-name", - "registrar" - ], - "required": [ - "domain" + "registrar", + "text", + "domain", + "ip-address" ], "attributes": { "text": { @@ -73,12 +73,24 @@ "Network activity", "External analysis" ], - "ui-priority": 1, + "ui-priority": 0, + "multiple": true, "misp-attribute": "domain" + }, + "comment": { + "description": "Comment of the whois entry", + "ui-priority": 0, + "misp-attribute": "text" + }, + "ip-address": { + "description": "IP address of the whois entry", + "ui-priority": 0, + "multiple": true, + "misp-attribute": "ip-src" } }, - "version": 7, - "description": "Whois records information for a domain name.", + "version": 10, + "description": "Whois records information for a domain name or an IP address.", "meta-category": "network", "uuid": "429faea1-34ff-47af-8a00-7c62d3be5a6a", "name": "whois" diff --git a/objects/x509/definition.json b/objects/x509/definition.json index f87af6d..106a90c 100644 --- a/objects/x509/definition.json +++ b/objects/x509/definition.json 
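Review bot: The new `comment` attribute uses the category `Exernal analysis`, a misspelling of `External analysis` used everywhere else in this change; categories are presumably matched against a fixed list, so this attribute would be rejected — `"External analysis"`. The description `Comment related to this hash` is narrower than the object, which also carries links; `"description": "Comment from the VirusTotal report"` fits better. The free-text comment should also carry `"disable_correlation": true` like the other comment-style attributes in this change.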
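Review bot: `domain` and `ip-address` are moved from `required` into `requiredOneOf` next to `text`, `registrar` and the registrant fields, so a whois object no longer needs the subject of the record at all — a `text` alone satisfies the template; keep the subject constraint, e.g. `"required": ["domain"]` replaced by a `requiredOneOf` limited to `domain` and `ip-address`. `ip-address` is typed `ip-src`, but the target of a whois lookup is neither a source nor a destination, so the choice should be explained in the description since it drives exports. The version jumps from 7 to 10 in one hunk; if intermediate versions were published, note what changed.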
@@ -2,7 +2,8 @@
 "requiredOneOf": [
 "x509-fingerprint-md5",
 "x509-fingerprint-sha1",
- "x509-fingerprint-sha256"
+ "x509-fingerprint-sha256",
+ "serial-number"
 ],
 "attributes": {
 "subject": {
@@ -48,7 +49,12 @@
 "misp-attribute": "x509-fingerprint-sha256"
 },
 "raw-base64": {
- "description": "Raw certificate base64 encoded",
+ "description": "Raw certificate base64 encoded (DER format)",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "pem": {
+ "description": "Raw certificate in PEM formati (Unix-like newlines)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -81,9 +87,25 @@
 "description": "Version of the certificate",
 "ui-priority": 0,
 "misp-attribute": "text"
+ },
+ "self_signed": {
+ "description": "Self-signed certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "is_ca": {
+ "description": "CA certificate",
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "dns_names": {
+ "description": "DNS names",
+ "multiple": true,
+ "misp-attribute": "text",
+ "ui-priority": 0
 }
 },
- "version": 5,
+ "version": 7,
 "description": "x509 object describing a X.509 certificate",
 "meta-category": "network",
 "uuid": "d1ab756a-26b5-4349-9f43-765630f0911c",
diff --git a/objects/yara/definition.json b/objects/yara/definition.json
new file mode 100644
index 0000000..370bfdb
--- /dev/null
+++ b/objects/yara/definition.json
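Review bot: Adding `serial-number` to `requiredOneOf` lets an x509 object exist with no fingerprint at all, but a serial number is only unique within one issuer (and is freely chosen by whoever signs a self-signed certificate), so an object keyed only by serial is ambiguous and can correlate unrelated certificates. If serial-only objects are genuinely needed, the issuer should accompany the serial; the `required`/`requiredOneOf` mechanism visible here cannot express that pairing, so at least say it in the attribute's description (the `serial-number` definition itself is outside this hunk), e.g. `"description": "Certificate serial number; unique only per issuer, record the issuer alongside it"`.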
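Review bot: Typo in the new `pem` description: `"Raw certificate in PEM formati (Unix-like newlines)"` should read `"Raw certificate in PEM format (Unix-like newlines)"`. Because `pem` is a `text` attribute, correlation between two copies of the same certificate depends on byte-exact content, so the "Unix-like newlines" constraint is load-bearing; producers must normalise CRLF before storing, and the description could say `"... (normalise to LF newlines before storing, otherwise identical certificates will not correlate)"`.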
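Review bot: The new attribute names `self_signed`, `is_ca` and `dns_names` use underscores while every other attribute of this object uses hyphens (`raw-base64`, `serial-number`, `x509-fingerprint-sha256`); attribute names are part of the object's stable interface, so rename before this ships: `self-signed`, `is-ca`, `dns-names`. `dns_names` is typed `text`, which would not correlate with hostname or domain attributes elsewhere (the url object in this diff uses `hostname` for its host), and a SAN entry is a hostname, so `"misp-attribute": "hostname"` seems the better fit, with a note that wildcard entries such as `*.example.com` are kept verbatim. The boolean descriptions `"Self-signed certificate"` and `"CA certificate"` should state what true means, e.g. `"True when the certificate is signed by its own key (issuer equals subject)"`.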
@@ -0,0 +1,41 @@
+{
+ "requiredOneOf": [
+ "yara"
+ ],
+ "attributes": {
+ "comment": {
+ "description": "A description of the YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "comment"
+ },
+ "yara": {
+ "description": "YARA rule.",
+ "ui-priority": 0,
+ "misp-attribute": "yara"
+ },
+ "version": {
+ "sane_default": [
+ "3.7.1"
+ ],
+ "description": "Version of the YARA rule depending where the yara rule is known to work as expected.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "context": {
+ "description": "Context where the YARA rule can be applied",
+ "sane_default": [
+ "all",
+ "disk",
+ "memory",
+ "network"
+ ],
+ "misp-attribute": "text",
+ "ui-priority": 0
+ }
+ },
+ "version": 3,
+ "description": "An object describing a YARA rule along with its version.",
+ "meta-category": "misc",
+ "uuid": "b5acf82e-ecca-4868-82fe-9dbdf4d808c3",
+ "name": "yara"
+}
diff --git a/relationships/definition.json b/relationships/definition.json
index 5e6083e..d238116 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -25,6 +25,30 @@
 "stix-2.0"
 ]
 },
+ {
+ "name": "connected-to",
+ "description": "The referenced source is connected to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
+ {
+ "name": "contains",
+ "description": "The references source is containing the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
+ {
+ "name": "resolved-to",
+ "description": "The referenced source is resolved to the target object.",
+ "format": [
+ "misp",
+ "stix-1.1"
+ ]
+ },
 {
 "name": "attributed-to",
 "description": "This referenced source is attributed to the target object.",
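Review bot: The `version` attribute's description, `"Version of the YARA rule depending where the yara rule is known to work as expected."`, is hard to parse and, given the `3.7.1` default, appears to mean the YARA engine version rather than a revision of the rule; suggest `"description": "YARA engine version the rule is known to work with."`. `version` and `context` are `text` attributes holding enumerated values (`3.7.1`, `all`, `disk`, ...) with correlation left on, so every yara object sharing a value would presumably correlate with every other; the transaction object at the top of this diff sets `"disable_correlation": true` on exactly this kind of field and the same is warranted here. A brand-new file starting at object `"version": 3` also looks like a leftover from an unreleased draft and is worth a second look.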
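Review bot: The `contains` description is ungrammatical: `"The references source is containing the target object."` should be `"The referenced source contains the target object."`, matching the phrasing of its siblings. All three new relationships list only `stix-1.1` where the neighbouring entry lists `stix-2.0`; if `resolved-to` is meant to map to STIX 2's `resolves-to` relationship, either the name or the format list should reflect that, otherwise consumers exporting to STIX 2 get no mapping for these.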
