diff --git a/README.md b/README.md
index 13cdafc..48aab48 100644
--- a/README.md
+++ b/README.md
@@ -88,6 +88,7 @@ for a specific attribute.
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
 * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
+* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
 * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
@@ -121,6 +122,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
+* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects)
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
@@ -185,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the ~~~~ -Copyright (C) 2016-2018 Andras Iklody -Copyright (C) 2016-2018 Alexandre Dulaunoy -Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg +Copyright (C) 2016-2019 Andras Iklody +Copyright (C) 2016-2019 Alexandre Dulaunoy +Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json new file mode 100644 index 0000000..edb3580 --- /dev/null +++ b/objects/cortex-taxonomy/definition.json 
@@ -0,0 +1,67 @@
+{
+ "required": [
+ "level",
+ "predicate",
+ "value",
+ "namespace"
+ ],
+ "attributes": {
+ "namespace": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Cortex Taxonomy Namespace",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "predicate": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Cortex Taxonomy Predicate",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "value": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Cortex Taxonomy Value",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "level": {
+ "categories": [
+ "External analysis"
+ ],
+ "description": "Cortex Taxonomy Level",
+ "disable_correlation": true,
+ "multiple": false,
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "info",
+ "safe",
+ "suspicious",
+ "malicious"
+ ]
+ },
+ "cortex_url": {
+ "description": "URL to the Cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ }
+ },
+ "version": 4,
+ "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
+ "meta-category": "misc",
+ "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
+ "name": "cortex-taxonomy"
+}
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
new file mode 100644
index 0000000..a45a0a3
--- /dev/null
+++ b/objects/cortex/definition.json
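Review bot: The template-level `description` line has a grammatical slip, `an Cortex Taxonomy`, and that string is what analysts see verbatim in the MISP template picker; `"description": "Cortex object describing a Cortex Taxonomy (or mini report)"`. Separately, `cortex_url` is described only as `URL to the Cortex job`, which in practice is a link into the submitting organisation's own Cortex instance (internal hostname, job id), something worth a reminder before the event is pushed to a wider sharing group. A description such as `"description": "URL to the Cortex job on the submitting organisation's Cortex instance (internal; review before sharing)"` would make that visible at the point where the value is entered.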
@@ -0,0 +1,48 @@
+{
+ "requiredOneOf": [
+ "full"
+ ],
+ "attributes": {
+ "summary": {
+ "description": "Cortex summary object (summary) in JSON",
+ "disable_correlation": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full": {
+ "description": "Cortex report object (full report) in JSON",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "start-date": {
+ "description": "When the Cortex analyser was started",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "name": {
+ "description": "Cortex analyser/worker name",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "server-name": {
+ "description": "Name of the cortex server",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "success": {
+ "description": "Result of the cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ }
+ },
+ "version": 1,
+ "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
+ "meta-category": "misc",
+ "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
+ "name": "cortex"
+}
diff --git a/objects/facial-composite/definition.json b/objects/facial-composite/definition.json
new file mode 100644
index 0000000..585f4ee
--- /dev/null
+++ b/objects/facial-composite/definition.json
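Review bot: `summary` is the only attribute in this template with `"disable_correlation": false`, yet its value is a whole serialised JSON document (`Cortex summary object (summary) in JSON`), so MISP would correlate events on an exact match of the entire blob; identical summaries across unrelated events (an analyser's empty or error summary, for instance) would then show up as correlations that mean nothing. Unless correlating on the blob is deliberate, `"disable_correlation": true` brings it in line with `full` and every other attribute here. Minor style point: a single-entry `requiredOneOf` is equivalent to `required`, so listing `full` under `"required"` states the intent more plainly.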
@@ -0,0 +1,39 @@
+{
+ "requiredOneOf": [
+ "facial-composite",
+ "text"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the facial composite.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "technique": {
+ "description": "Construction technique of the facial composite.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "E-FIT",
+ "PROfit",
+ "Sketch",
+ "Photofit",
+ "EvoFIT",
+ "PortraitPad"
+ ],
+ "disable_correlation": true
+ },
+ "facial-composite": {
+ "description": "Facial composite image.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "An object which describes a facial composite.",
+ "meta-category": "misc",
+ "uuid": "d727bc27-d1b9-4754-972c-dea305bd5976",
+ "name": "facial-composite"
+}
diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json
index 76bb081..04c4e6e 100644
--- a/objects/http-request/definition.json
+++ b/objects/http-request/definition.json
@@ -51,6 +51,15 @@
 "ui-priority": 1,
 "misp-attribute": "hostname"
 },
+ "ip": {
+ "categories": [
+ "Network activity",
+ "Payload delivery"
+ ],
+ "description": "The IP address of the server",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst"
+ },
 "method": {
 "categories": [
 "Network activity"
@@ -111,7 +120,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index 6dcee9f..39b539d 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
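Review bot: The template `description` (`An object which describes a facial composite.`) gives no hint that the `facial-composite` attachment is a likeness of a possibly identifiable person, i.e. personal data whose onward sharing is legally constrained in many jurisdictions; since this object exists solely to carry such an image, the template is the right place to say so. Something like `"description": "An object which describes a facial composite (a likeness of a person; consider distribution level and data-protection constraints before sharing)."` is enough. The attribute layout itself looks fine; this is a wording caveat only.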
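Review bot: The new `ip` attribute's description, `The IP address of the server`, does not say which server: the address the TCP connection actually went to and the name recorded in the `host` attribute just above (the Host header, which the client controls) can legitimately differ behind a CDN, with virtual hosting, or under deliberate domain fronting, and analysts correlating on `ip-dst` need to know which one was captured. Suggest `"description": "Destination IP address the request was sent to (may differ from the Host header, e.g. behind a CDN or with domain fronting)"`. Whether a single value is enough is a separate question; if one capture can see the same host resolve to several addresses, `"multiple": true` as on other multi-valued attributes in this repo would avoid forcing one object per address.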
@@ -2,12 +2,12 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 3,
+ "version": 4,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
 "description": "Hash identifying source",
- "misp-attribute": "md5",
+ "misp-attribute": "ja3-fingerprint-md5",
 "ui-priority": 1
 },
 "description": {
diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json
index 906a03c..847fceb 100644
--- a/objects/microblog/definition.json
+++ b/objects/microblog/definition.json
@@ -30,7 +30,7 @@
 ]
 },
 "username": {
- "description": "Username who posted the microblog post",
+ "description": "Username who posted the microblog post (without the @ prefix)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -62,7 +62,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
 "meta-category": "misc",
 "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d8950f0..6dd31b5 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -98,6 +98,16 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "birth-certificate-number": {
+ "description": "Birth Certificate Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ofac-identification-number": {
+ "description": "ofac-identification Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "nationality": {
 "description": "The nationality of a natural person.",
 "ui-priority": 0,
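Review bot: Retyping the attribute to `ja3-fingerprint-md5` is the right move, but the description on the context line just above it, `Hash identifying source`, overstates what the value identifies: a JA3 hash fingerprints the TLS client stack, and widely deployed stacks (browsers, scripting-language HTTP libraries, Go) yield the same hash for many unrelated clients, so a correlation on this attribute is weak attribution at best. A description such as `"description": "JA3 hash of the TLS client fingerprint (identifies the client software/stack rather than a specific source; matches are shared by many clients)"` would keep consumers from reading correlations as source identification. The object-level description in the same hunk still speaks of `SSL` and a `new technique`; `TLS` would be more accurate, though that text is not what this commit changes.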
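Review bot: The description of `ofac-identification-number`, `ofac-identification Number`, only restates the key and leaves analysts guessing which identifier scheme is meant; it should spell the acronym out, e.g. `"description": "OFAC (US Treasury Office of Foreign Assets Control) identification number as published on the sanctions lists"`, on the assumption that the sanctions-list unique ID is what was intended, since the hunk does not say. `birth-certificate-number` is a government-issued personal identifier and, like its neighbours, leaves correlation enabled (no `disable_correlation` key), which is consistent with the surrounding identifier attributes but deserves a conscious choice: an accidental cross-organisation match on such a value exposes PII outside the originating org. Note the surrounding attribute definitions on either side of the inserted block lie outside this hunk.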
@@ -134,9 +144,15 @@
 "ui-priority": 10,
 "misp-attribute": "email-src",
 "multiple": true
+ },
+ "portrait": {
+ "description": "Portrait of the person.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
 }
 },
- "version": 4,
+ "version": 6,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
new file mode 100644
index 0000000..8822c4e
--- /dev/null
+++ b/objects/research-scanner/definition.json
@@ -0,0 +1,80 @@
+{
+ "required": [
+ "project",
+ "scanning_ip"
+ ],
+ "attributes": {
+ "project": {
+ "description": "Description of scanning project",
+ "ui-priority": 1,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "scanning_ip": {
+ "description": "IP address used by project",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "domain": {
+ "description": "Domain related to project",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "domain"
+ },
+ "asn": {
+ "description": "Autonomous System Number related to project",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "AS"
+ },
+ "scheduled_start": {
+ "description": "Scheduled start of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "scheduled_end": {
+ "description": "Scheduled end of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "contact_email": {
+ "description": "Project contact information",
+ "disable_correlation": true,
+ "categories": [
+ "Network activity",
+ "Social network"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "email-dst",
+ "multiple": true
+ },
+ "contact_phone": {
+ "description": "Phone number related to project",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "project_url": {
+ "description": "URL related to project",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 20190102,
+ "description": "Information related to known scanning activity (e.g. from research projects)",
+ "meta-category": "network",
+ "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
+ "name": "research-scanner"
+}
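Review bot: `scanning_ip` is typed `ip-src` with correlation left on, so every event containing one of these addresses will correlate with this object; that is the intended use, but nothing in the template says the "research" status is self-declared by whoever created the object, and an instance that auto-suppresses or whitelists correlated hits on that basis could be abused to mask hostile scanning behind a benign-looking project. One sentence in the top-level `description`, e.g. `"description": "Information related to known scanning activity (e.g. from research projects). The research status is as declared by the object's creator; verify via project_url/contact_email before treating matching traffic as benign."`, makes that explicit where analysts read it. `scheduled_start` and `scheduled_end` are both `"multiple": true` but nothing pairs a start with its end, so more than one window per object is ambiguous; either document "one window per object" or keep them single-valued. Style: `"version": 20190102` is a date stamp while every other template in this diff uses a small integer; MISP compares versions numerically so it works, but it commits this template to date-like bumps from now on.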
diff --git a/objects/timesketch_message/definition.json b/objects/timesketch_message/definition.json
new file mode 100644
index 0000000..9185646
--- /dev/null
+++ b/objects/timesketch_message/definition.json
@@ -0,0 +1,26 @@
+{
+ "required": [
+ "datetime",
+ "message"
+ ],
+ "attributes": {
+ "datetime": {
+ "description": "datetime of the message",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "recommended": true
+ },
+ "message": {
+ "description": "message",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "A timesketch message entry.",
+ "meta-category": "misc",
+ "uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f",
+ "name": "timesketch_message"
+}
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 346dc70..2ef946c 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -1,6 +1,8 @@
 {
 "requiredOneOf": [
- "name"
+ "name",
+ "regions",
+ "sectors"
 ],
 "attributes": {
 "description": {
diff --git a/relationships/definition.json b/relationships/definition.json
index c6c94bb..6b12f4a 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -264,13 +264,6 @@
 "misp"
 ]
 },
- {
- "name": "dropped-by",
- "description": "This relationship describes an object dropped by another object.",
- "format": [
- "misp"
- ]
- },
 {
 "name": "drops",
 "description": "This relationship describes an object which drops another object",
 "format": [
 "misp"
@@ -927,6 +920,13 @@
 "format": [
 "alfred"
 ]
+ },
+ {
+ "name": "witness-of",
+ "description": "Represents an object being a witness of something.",
+ "format": [
+ "misp"
+ ]
+ }
 ],
 "description": "Default type of relationships in MISP objects.",
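Review bot: `datetime` carries `"recommended": true` while it is already listed under `"required"`, so the flag is redundant and can be dropped. The two descriptions, `datetime of the message` and just `message`, tell someone filling in the template nothing beyond the key names; `"description": "Timestamp of the Timesketch event this entry was exported from"` and `"description": "Message text of the Timesketch event"` would at least name the source, on the assumption from the object description (`A timesketch message entry.`) that these are Timesketch timeline events. Both lines are within the hunk.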
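Review bot: This hunk widens `requiredOneOf` to `regions` and `sectors`, but unlike http-request, ja3, microblog and person in the same diff there is no hunk bumping victim's `"version"`; if that field (outside this hunk) is indeed unchanged, MISP instances that already hold this template version will not reload it and will keep requiring `name`. `regions` and `sectors` must also exist as keys under `attributes` further down the file, which is not visible here, so worth confirming before merge; a `requiredOneOf` entry that names a non-existent attribute can never be satisfied by that entry.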
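Review bot: Deleting `dropped-by` is a breaking change for any existing events, templates or integrations that already emit it; as far as I know MISP does not migrate relationship names, so those references would simply become unknown types in the UI and in exports. If the intent is that `drops` (kept directly below) is the canonical direction, keeping `dropped-by` with a deprecation note, e.g. `"description": "Deprecated inverse of drops; express the relationship as drops from the dropping object instead."`, preserves old data while steering new use. The `witness-of` addition in the following hunk looks fine as it stands.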