Merge branch 'master' of github.com:MISP/misp-objects

pull/143/head
chrisr3d 2019-01-11 16:51:18 +01:00
commit b94abc9182
12 changed files with 306 additions and 17 deletions


@ -88,6 +88,7 @@ for a specific attribute.
* [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
* [objects/email](objects/email/definition.json) - An email object.
* [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
* [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
* [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
* [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
@ -121,6 +122,7 @@ for a specific attribute.
* [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
* [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
* [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects)
* [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
* [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
* [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
@ -185,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the
~~~~
Copyright (C) 2016-2018 Andras Iklody
Copyright (C) 2016-2018 Alexandre Dulaunoy
Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
Copyright (C) 2016-2019 Andras Iklody
Copyright (C) 2016-2019 Alexandre Dulaunoy
Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by

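--- /dev/null
+++ b/PLACEHOLDER_PATH-cortex-taxonomy
@@ -0,0 +1,67 @@
+{
+"required": [
+"level",
+"predicate",
+"value",
+"namespace"
+],
+"attributes": {
+"namespace": {
+"categories": [
+"External analysis"
+],
+"description": "Cortex Taxonomy Namespace",
+"disable_correlation": true,
+"multiple": false,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"predicate": {
+"categories": [
+"External analysis"
+],
+"description": "Cortex Taxonomy Predicate",
+"disable_correlation": true,
+"multiple": false,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"value": {
+"categories": [
+"External analysis"
+],
+"description": "Cortex Taxonomy Value",
+"disable_correlation": true,
+"multiple": false,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"level": {
+"categories": [
+"External analysis"
+],
+"description": "Cortex Taxonomy Level",
+"disable_correlation": true,
+"multiple": false,
+"misp-attribute": "text",
+"ui-priority": 0,
+"values_list": [
+"info",
+"safe",
+"suspicious",
+"malicious"
+]
+},
+"cortex_url": {
+"description": "URL to the Cortex job",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "link"
+}
+},
+"version": 4,
+"description": "Cortex object describing an Cortex Taxonomy (or mini report)",
+"meta-category": "misc",
+"uuid": "bef7d23b-e796-4d46-803a-32e317896894",
+"name": "cortex-taxonomy"
+}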
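Review bot: The object description `"Cortex object describing an Cortex Taxonomy (or mini report)"` has a grammar slip ("an Cortex"); `"description": "Cortex object describing a Cortex taxonomy entry (or mini report)"` reads cleanly. The attribute name `cortex_url` is snake_case while the other templates on this page name attributes in kebab-case (`start-date`, `server-name`, `birth-certificate-number`); the same inconsistency covers every attribute of the new research-scanner template (`scanning_ip`, `scheduled_start`, `contact_email`, `contact_phone`, `project_url`) and the object name `timesketch_message`, and attribute names are hard to change once objects exist in shared events. `"version": 4` on a brand-new file is odd next to the other new templates here starting at 1; if it was carried over from an earlier out-of-tree history, a line in the commit message would explain it. Since `cortex_url` points at the analyst's own Cortex instance, its description should warn that the link can expose an internal hostname when the event is shared, e.g. `"description": "URL to the Cortex job (typically an internal address; check before sharing)"`.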

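--- /dev/null
+++ b/PLACEHOLDER_PATH-cortex
@@ -0,0 +1,48 @@
+{
+"requiredOneOf": [
+"full"
+],
+"attributes": {
+"summary": {
+"description": "Cortex summary object (summary) in JSON",
+"disable_correlation": false,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"full": {
+"description": "Cortex report object (full report) in JSON",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"start-date": {
+"description": "When the Cortex analyser was started",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "datetime"
+},
+"name": {
+"description": "Cortex analyser/worker name",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"server-name": {
+"description": "Name of the cortex server",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"success": {
+"description": "Result of the cortex job",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "boolean"
+}
+},
+"version": 1,
+"description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
+"meta-category": "misc",
+"uuid": "144988f3-fa00-4374-8015-c1a32092f451",
+"name": "cortex"
+}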
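Review bot: `summary` is the only attribute in this template with `"disable_correlation": false`, while the sibling `full` report blob has correlation disabled; a free-form JSON summary is unlikely to match byte-for-byte across events, so this looks like an oversight rather than a choice, and `"disable_correlation": true` would keep it consistent with `full`. The object description `"Observables would be attribute with a relationship from this object."` is hard to parse; `"Observables are separate attributes linked to this object through a relationship."` states the same intent. `"success"` is typed `"misp-attribute": "boolean"` but described as `"Result of the cortex job"`, which does not say what true and false mean; `"description": "Whether the Cortex job completed successfully"` does.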

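--- /dev/null
+++ b/objects/facial-composite/definition.json
@@ -0,0 +1,39 @@
+{
+"requiredOneOf": [
+"facial-composite",
+"text"
+],
+"attributes": {
+"text": {
+"description": "A description of the facial composite.",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "text"
+},
+"technique": {
+"description": "Construction technique of the facial composite.",
+"ui-priority": 0,
+"misp-attribute": "text",
+"values_list": [
+"E-FIT",
+"PROfit",
+"Sketch",
+"Photofit",
+"EvoFIT",
+"PortraitPad"
+],
+"disable_correlation": true
+},
+"facial-composite": {
+"description": "Facial composite image.",
+"ui-priority": 10,
+"misp-attribute": "attachment",
+"multiple": true
+}
+},
+"version": 1,
+"description": "An object which describes a facial composite.",
+"meta-category": "misc",
+"uuid": "d727bc27-d1b9-4754-972c-dea305bd5976",
+"name": "facial-composite"
+}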


@ -51,6 +51,15 @@
"ui-priority": 1,
"misp-attribute": "hostname"
},
"ip": {
"categories": [
"Network activity",
"Payload delivery"
],
"description": "The IP address of the server",
"ui-priority": 1,
"misp-attribute": "ip-dst"
},
"method": {
"categories": [
"Network activity"
@ -111,7 +120,7 @@
"misp-attribute": "user-agent"
}
},
"version": 2,
"version": 3,
"description": "A single HTTP request header",
"meta-category": "network",
"uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
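Review bot: The new `ip` attribute's description `"The IP address of the server"` does not say how it relates to the hostname attribute that sits just above it in the hunk, which matters when the two disagree (a request to a hostname that does not resolve to the IP actually contacted is itself a useful signal); `"description": "IP address the request was sent to (may differ from the hostname attribute)"` makes the relation explicit. The enclosing `attributes` object starts and ends outside the first hunk.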


@ -2,12 +2,12 @@
"name": "ja3",
"meta-category": "network",
"description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
"version": 3,
"version": 4,
"uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
"attributes": {
"ja3-fingerprint-md5": {
"description": "Hash identifying source",
"misp-attribute": "md5",
"misp-attribute": "ja3-fingerprint-md5",
"ui-priority": 1
},
"description": {
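Review bot: Changing `ja3-fingerprint-md5` from `"misp-attribute": "md5"` to `"misp-attribute": "ja3-fingerprint-md5"` changes the attribute type that objects built from version 3 of this template already carry, and MISP instances that predate the `ja3-fingerprint-md5` attribute type will presumably not accept events using version 4; if that is intended, the commit message or the object description should say so. The attribute description `"Hash identifying source"` still does not describe the value; `"description": "MD5 of the JA3 client fingerprint string"` is what the new type implies. The `attributes` object continues past the end of the hunk.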


@ -30,7 +30,7 @@
]
},
"username": {
"description": "Username who posted the microblog post",
"description": "Username who posted the microblog post (without the @ prefix)",
"ui-priority": 0,
"misp-attribute": "text"
},
@ -62,7 +62,7 @@
"misp-attribute": "text"
}
},
"version": 4,
"version": 5,
"description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
"meta-category": "misc",
"uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",


@ -98,6 +98,16 @@
"ui-priority": 0,
"misp-attribute": "text"
},
"birth-certificate-number": {
"description": "Birth Certificate Number",
"ui-priority": 0,
"misp-attribute": "text"
},
"ofac-identification-number": {
"description": "ofac-identification Number",
"ui-priority": 0,
"misp-attribute": "text"
},
"nationality": {
"description": "The nationality of a natural person.",
"ui-priority": 0,
@ -134,9 +144,15 @@
"ui-priority": 10,
"misp-attribute": "email-src",
"multiple": true
},
"portrait": {
"description": "Portrait of the person.",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 4,
"version": 6,
"description": "An object which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
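Review bot: The description `"ofac-identification Number"` for `ofac-identification-number` repeats the key instead of explaining it and mixes case; `"description": "OFAC identification number"`, ideally with the issuing body spelled out (presumably the US Treasury OFAC sanctions list, to be confirmed), is clearer. `"version"` jumps from 4 to 6 in one hunk; if no intermediate version 5 was ever published, 5 is the expected value. The two new identifier attributes and the `portrait` attachment are personal data, and nothing in the template signals that to the analyst sharing the object; a short hint in their descriptions would help. The `attributes` object starts before the first hunk.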

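--- /dev/null
+++ b/objects/research-scanner/definition.json
@@ -0,0 +1,80 @@
+{
+"required": [
+"project",
+"scanning_ip"
+],
+"attributes": {
+"project": {
+"description": "Description of scanning project",
+"ui-priority": 1,
+"disable_correlation": true,
+"misp-attribute": "text"
+},
+"scanning_ip": {
+"description": "IP address used by project",
+"categories": [
+"Network activity",
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "ip-src",
+"multiple": true
+},
+"domain": {
+"description": "Domain related to project",
+"ui-priority": 1,
+"multiple": true,
+"misp-attribute": "domain"
+},
+"asn": {
+"description": "Autonomous System Number related to project",
+"ui-priority": 0,
+"disable_correlation": true,
+"misp-attribute": "AS"
+},
+"scheduled_start": {
+"description": "Scheduled start of scanning activity",
+"disable_correlation": true,
+"ui-priority": 1,
+"multiple": true,
+"misp-attribute": "datetime"
+},
+"scheduled_end": {
+"description": "Scheduled end of scanning activity",
+"disable_correlation": true,
+"ui-priority": 0,
+"multiple": true,
+"misp-attribute": "datetime"
+},
+"contact_email": {
+"description": "Project contact information",
+"disable_correlation": true,
+"categories": [
+"Network activity",
+"Social network"
+],
+"ui-priority": 1,
+"misp-attribute": "email-dst",
+"multiple": true
+},
+"contact_phone": {
+"description": "Phone number related to project",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "phone-number",
+"multiple": true
+},
+"project_url": {
+"description": "URL related to project",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "link",
+"multiple": true
+}
+},
+"version": 20190102,
+"description": "Information related to known scanning activity (e.g. from research projects)",
+"meta-category": "network",
+"uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
+"name": "research-scanner"
+}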
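Review bot: `"version": 20190102` is a date-style value while every other template on this page uses a small integer (1, 3, 4, 6); presumably MISP only needs the number to grow, so it works, but every future bump of this template must stay above 20190102 and mixing schemes across the repository is confusing — `"version": 1` matches the other new files in this commit. `contact_email` is typed `"misp-attribute": "email-dst"` although a project's contact address is neither the source nor the destination of an observed message; the person template in this same commit uses `email-src` for a person's address, so the two should at least agree. `scanning_ip` and `domain` correlate (no `disable_correlation`), which is what a defender wants from a known-scanner template, but `"description": "IP address used by project"` could say so: `"description": "Source IP address the project scans from (correlates with observed traffic)"`.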

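--- /dev/null
+++ b/PLACEHOLDER_PATH-timesketch_message
@@ -0,0 +1,26 @@
+{
+"required": [
+"datetime",
+"message"
+],
+"attributes": {
+"datetime": {
+"description": "datetime of the message",
+"disable_correlation": true,
+"ui-priority": 1,
+"misp-attribute": "datetime",
+"recommended": true
+},
+"message": {
+"description": "message",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+}
+},
+"version": 1,
+"description": "A timesketch message entry.",
+"meta-category": "misc",
+"uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f",
+"name": "timesketch_message"
+}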
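Review bot: The `message` attribute's description is just `"message"`, which tells the analyst nothing about what the field holds; it should say what a Timesketch message is, e.g. `"description": "Text of the Timesketch timeline event"` (adjust to what the field actually carries), and the object description `"A timesketch message entry."` would benefit from the same. `datetime` is both listed in `required` and tagged `"recommended": true`; `recommended` appears on no other attribute on this page, so if the template schema does not define that key it is dead weight, and if it does, it is redundant with `required`.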


@ -1,6 +1,8 @@
{
"requiredOneOf": [
"name"
"name",
"regions",
"sectors"
],
"attributes": {
"description": {
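Review bot: Adding `"regions"` and `"sectors"` to `requiredOneOf` lets a threat-actor object be created with only a region or a sector and no `name`, turning the previous "a name is mandatory" rule into "any one of the three"; if the intent was to keep the name mandatory and merely allow the new attributes, `name` belongs in `required` and the other two stay plain optional attributes. If a name-less actor is intended (for example unattributed activity known only by targeted sector), the object description should say so, since consumers will otherwise assume `name` is present. The `attributes` object starts inside the hunk but runs past it.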


@ -264,13 +264,6 @@
"misp"
]
},
{
"name": "dropped-by",
"description": "This relationship describes an object dropped by another object.",
"format": [
"misp"
]
},
{
"name": "drops",
"description": "This relationship describes an object which drops another object",
@ -927,6 +920,13 @@
"format": [
"alfred"
]
},
{
"name": "witness-of",
"description": "Represents an object being a witness of something.",
"format": [
"misp"
]
}
],
"description": "Default type of relationships in MISP objects.",
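Review bot: The first hunk deletes the `"name": "dropped-by"` relationship definition while `drops` remains; unless an identical `dropped-by` entry exists elsewhere in this file (a duplicate would explain the removal, but that is not visible here), existing object references typed `dropped-by` would now point at an undefined relationship and `drops` would lose its inverse. If this is a de-duplication, the commit message should say so; otherwise the entry should stay. The new `witness-of` description `"Represents an object being a witness of something."` does not follow the phrasing of the neighbouring entries; `"This relationship describes an object which is a witness of another object."` matches `drops`. The enclosing array and the file continue beyond both hunks.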