From d61a1f33909f8f8d996ef526ee0db75a8a1052f6 Mon Sep 17 00:00:00 2001
From: Hendrik
Date: Fri, 9 Nov 2018 12:37:34 +0100
Subject: [PATCH 01/18] Added cortex taxonomy object definition
---
 objects/cortex-taxonomy/definition.json | 59 +++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 objects/cortex-taxonomy/definition.json
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
new file mode 100644
index 0000000..6ece6f9
--- /dev/null
+++ b/objects/cortex-taxonomy/definition.json
@@ -0,0 +1,59 @@
+{
+ "required": [
+ "level",
+ "predicate",
+ "value",
+ "namespace"
+ ],
+ "attributes": {
+ "namespace": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Namespace",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "predicate": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Predicate",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "value": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Value",
+ "disable_correlation": true,
+ "multiple": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "level": {
+ "categories": ["External analysis"],
+ "description": "Cortex Taxonomy Level",
+ "disable_correlation": true,
+ "multiple": false,
+ "misp-attribute": "text",
+ "ui-priority": 0,
+ "values_list": [
+ "info",
+ "safe",
+ "suspicious",
+ "malicious"
+ ]
+ },
+ "cortex_url": {
+ "description": "URL to the Cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ }
+ },
+ "version": 3,
+ "description": "Cortex object describing an Cortex Taxonomy",
+ "meta-category": "misc",
+ "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
+ "name": "cortex-taxonomy"
+}
From 0f1f23fbb546870e383daac28784d91e9568b137 Mon Sep 17 00:00:00 2001
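Review bot: The top-level `description` of the new template reads `"Cortex object describing an Cortex Taxonomy"`; the article should be `a`, and the PATCH 03/18 hunk that rewrites this line to append `(or mini report)` carries the same wording forward, so the fix belongs there too: `"description": "Cortex object describing a Cortex Taxonomy (or mini report)"`. The `level` attribute also lists `misp-attribute` before `ui-priority`, while `namespace`, `predicate` and `value` use the opposite order; keeping one key order across the five attribute blocks makes them scan alike. `cortex_url` is the only attribute without a `categories` list — if that is deliberate because `link` has a single sensible category, a short note in its description would save the next reader the question.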
From: Alexandre Dulaunoy
Date: Fri, 9 Nov 2018 14:21:10 +0100
Subject: [PATCH 02/18] fix: [cortex-taxonomy] jq all the things(tm)
---
 objects/cortex-taxonomy/definition.json | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
index 6ece6f9..f368967 100644
--- a/objects/cortex-taxonomy/definition.json
+++ b/objects/cortex-taxonomy/definition.json
@@ -7,7 +7,9 @@
 ],
 "attributes": {
 "namespace": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Namespace",
 "disable_correlation": true,
 "multiple": false,
@@ -15,7 +17,9 @@
 "misp-attribute": "text"
 },
 "predicate": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Predicate",
 "disable_correlation": true,
 "multiple": false,
@@ -23,7 +27,9 @@
 "misp-attribute": "text"
 },
 "value": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Value",
 "disable_correlation": true,
 "multiple": false,
@@ -31,7 +37,9 @@
 "misp-attribute": "text"
 },
 "level": {
- "categories": ["External analysis"],
+ "categories": [
+ "External analysis"
+ ],
 "description": "Cortex Taxonomy Level",
 "disable_correlation": true,
 "multiple": false,
From 3ec98a8a6590276e46ae3a47c50971397d9a18bc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:11:25 +0100
Subject: [PATCH 03/18] chg: [cortex-taxonomy] aka mini-report
---
 objects/cortex-taxonomy/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/cortex-taxonomy/definition.json b/objects/cortex-taxonomy/definition.json
index f368967..edb3580 100644
--- a/objects/cortex-taxonomy/definition.json
+++ b/objects/cortex-taxonomy/definition.json
@@ -59,8 +59,8 @@
 "misp-attribute": "link"
 }
 },
- "version": 3,
- "description": "Cortex object describing an Cortex Taxonomy",
+ "version": 4,
+ "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
 "meta-category": "misc",
 "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
 "name": "cortex-taxonomy"
From 39dd150e2a85b2b5a041a202343ecefa4d34b43a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:28:18 +0100
Subject: [PATCH 04/18] add: [cortex] new object based on a discussion with Jerome L. from TheHive (thanks to SNCF)
---
 objects/cortex/definition.json | 48 ++++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)
 create mode 100644 objects/cortex/definition.json
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
new file mode 100644
index 0000000..1d6679c
--- /dev/null
+++ b/objects/cortex/definition.json
@@ -0,0 +1,48 @@
+{
+ "requiredOneOf": [
+ "full"
+ ],
+ "attributes": {
+ "summary": {
+ "description": "Cortex summary object (summary) in JSON",
+ "disable_correlation": false,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "full": {
+ "description": "Cortex report object (full report) in JSON",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "start-date": {
+ "description": "When the Cortex analyser was started",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "name": {
+ "description": "Cortex analyser/worker name",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "server-name": {
+ "description": "Name of the cortex server",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "success": {
+ "description": "Result of the cortex job",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ }
+ },
+ "version": 1,
+ "description": "Cortex object describing a complete cortex analysis",
+ "meta-category": "misc",
+ "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
+ "name": "cortex"
+}
From 7808850ce246b901e485552b45fbdc295982455e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 18 Nov 2018 10:29:42 +0100
Subject: [PATCH 05/18] chg: [cortex] description updated as TheHive/Cortex observables will be attributes with relationships from this object
---
 objects/cortex/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/objects/cortex/definition.json b/objects/cortex/definition.json
index 1d6679c..a45a0a3 100644
--- a/objects/cortex/definition.json
+++ b/objects/cortex/definition.json
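Review bot: `summary` is the only attribute in the new `cortex` template with `"disable_correlation": false`, while `full`, the other JSON blob, disables correlation; a free-text JSON summary is a poor correlation key and, as far as I understand MISP correlation, would link any two events that happen to carry byte-identical summaries, so unless that is wanted it should read `"disable_correlation": true` like its siblings. `requiredOneOf` holds a single entry, `full`, which behaves like a plain `required` list; `"required": ["full"]` states the intent directly. The descriptions also mix `analyser` (`start-date`, `name`) with `cortex`/`Cortex` in different cases (`server-name`, `success`, `summary`); one spelling and one capitalisation across the six attributes would be cleaner.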
@@ -41,7 +41,7 @@
 }
 },
 "version": 1,
- "description": "Cortex object describing a complete cortex analysis",
+ "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
 "meta-category": "misc",
 "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
 "name": "cortex"
From e44dd16b1841035df0f4a2e8e98a753952eff9cc Mon Sep 17 00:00:00 2001
From: Alexander J
Date: Fri, 23 Nov 2018 15:40:57 +0100
Subject: [PATCH 06/18] new misp object for a timesketch message to be able to push timesketch messages (timesketch.org) to a misp event it is handy to have a specific type of object for it.
---
 objects/timesketch_message/definition.json | 26 ++++++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 objects/timesketch_message/definition.json
diff --git a/objects/timesketch_message/definition.json b/objects/timesketch_message/definition.json
new file mode 100644
index 0000000..9185646
--- /dev/null
+++ b/objects/timesketch_message/definition.json
@@ -0,0 +1,26 @@
+{
+ "required": [
+ "datetime",
+ "message"
+ ],
+ "attributes": {
+ "datetime": {
+ "description": "datetime of the message",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "datetime",
+ "recommended": true
+ },
+ "message": {
+ "description": "message",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "A timesketch message entry.",
+ "meta-category": "misc",
+ "uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f",
+ "name": "timesketch_message"
+}
From 6cc29aad3dda895de95fe9f0d86bb9a7007af7c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Mon, 26 Nov 2018 22:21:51 +0100
Subject: [PATCH 07/18] chg: [microblog] a small clarification about the username to avoid the @
---
 objects/microblog/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
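Review bot: The rewritten description ends with `Observables would be attribute with a relationship from this object.`, which does not agree in number; `Observables would be attributes with a relationship from this object.` reads correctly. The context line `"version": 1,` is left untouched although the template text changes; if the `cortex` template had already been distributed, that version should be raised the way PATCH 03/18 does for `cortex-taxonomy` on an equivalent description edit — if it has not left this branch yet, keeping `1` is fine.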
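Review bot: The new template is named `timesketch_message` (directory and `name`), while every other template in this series (`cortex-taxonomy`, `facial-composite`, `http-request`, `research-scanner`) uses hyphens in its name; `timesketch-message` would match the repository convention, and renaming is cheap before the template is published but not after. The `message` attribute's description is the bare word `"message"`, which adds nothing to the key; `"description": "Text of the Timesketch message"` would give the analyst something to go on. `datetime` carries `"recommended": true` although it is already listed under `required`; if `required` enforces presence, the flag is redundant and can be dropped to avoid suggesting the two mean different things here.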
diff --git a/objects/microblog/definition.json b/objects/microblog/definition.json
index 906a03c..847fceb 100644
--- a/objects/microblog/definition.json
+++ b/objects/microblog/definition.json
@@ -30,7 +30,7 @@
 ]
 },
 "username": {
- "description": "Username who posted the microblog post",
+ "description": "Username who posted the microblog post (without the @ prefix)",
 "ui-priority": 0,
 "misp-attribute": "text"
 },
@@ -62,7 +62,7 @@
 "misp-attribute": "text"
 }
 },
- "version": 4,
+ "version": 5,
 "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
 "meta-category": "misc",
 "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",
From 11a462e79b02428a08b11698d45aa8aa5ab6887d Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 4 Dec 2018 15:39:51 +0100
Subject: [PATCH 08/18] chg: [person] OFAC fields - Office of Foreign Assets Control
---
 objects/person/definition.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d8950f0..d2ad496 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -98,6 +98,16 @@
 "ui-priority": 0,
 "misp-attribute": "text"
 },
+ "birth-certificate-number": {
+ "description": "Birth Certificate Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ofac-identification-number": {
+ "description": "ofac-identification Number",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
 "nationality": {
 "description": "The nationality of a natural person.",
 "ui-priority": 0,
@@ -136,7 +146,7 @@
 "multiple": true
 }
 },
- "version": 4,
+ "version": 5,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From 7dfa69a743078d8bdddb664604aaff3e40054b3f Mon Sep 17 00:00:00 2001
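Review bot: The description of the new `ofac-identification-number` attribute is `"ofac-identification Number"`, a lowercase echo of the key rather than an explanation, and the only place the acronym is expanded is the commit subject; `"description": "OFAC (Office of Foreign Assets Control) identification number of the person."` carries that into the template where analysts will see it. `birth-certificate-number` would read better in the same sentence style as the adjacent context line `"The nationality of a natural person."`, e.g. `"Birth certificate number of the person."`. Both additions are in the first `person` hunk; the second hunk only bumps `version`.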
From: Deborah Servili
Date: Fri, 21 Dec 2018 12:27:11 +0100
Subject: [PATCH 09/18] Object Victim - Extended requiredOneof
---
 objects/victim/definition.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/objects/victim/definition.json b/objects/victim/definition.json
index 346dc70..2ef946c 100644
--- a/objects/victim/definition.json
+++ b/objects/victim/definition.json
@@ -1,6 +1,8 @@
 {
 "requiredOneOf": [
- "name"
+ "name",
+ "regions",
+ "sectors"
 ],
 "attributes": {
 "description": {
From 5a9800ab6aba54fe1019fabd167b6dc13e4e2fd7 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:28:24 +0100
Subject: [PATCH 10/18] chg: [person] portrait added #133
---
 objects/person/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/objects/person/definition.json b/objects/person/definition.json
index d2ad496..6dd31b5 100644
--- a/objects/person/definition.json
+++ b/objects/person/definition.json
@@ -144,9 +144,15 @@
 "ui-priority": 10,
 "misp-attribute": "email-src",
 "multiple": true
+ },
+ "portrait": {
+ "description": "Portrait of the person.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "An object which describes a person or an identity.",
 "meta-category": "misc",
 "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
From 9b84576442c82259104814404f21264f1f94a790 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:41:45 +0100
Subject: [PATCH 11/18] add: [facial-composite] new facial composite object
---
 objects/facial-composite/definition.json | 39 ++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 objects/facial-composite/definition.json
diff --git a/objects/facial-composite/definition.json b/objects/facial-composite/definition.json
new file mode 100644
index 0000000..585f4ee
--- /dev/null
+++ b/objects/facial-composite/definition.json
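Review bot: The `victim` hunk extends `requiredOneOf` with `regions` and `sectors` but does not raise the template's `version`: the diffstat reports only 3 insertions and 1 deletion for `objects/victim/definition.json`, all of them in this hunk, and the `version` field lies outside it. As far as I know MISP only refreshes an already-loaded template when its version number increases, so deployed instances would keep the old single-`name` requirement until the number is bumped; the other template edits in this series (PATCH 07/18, 08/18, 10/18) bump `version` alongside their change. The rest of the `victim` definition is outside the hunk.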
@@ -0,0 +1,39 @@
+{
+ "requiredOneOf": [
+ "facial-composite",
+ "text"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the facial composite.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "technique": {
+ "description": "Construction technique of the facial composite.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "E-FIT",
+ "PROfit",
+ "Sketch",
+ "Photofit",
+ "EvoFIT",
+ "PortraitPad"
+ ],
+ "disable_correlation": true
+ },
+ "facial-composite": {
+ "description": "Facial composite image.",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ }
+ },
+ "version": 1,
+ "description": "An object which describes a facial composite.",
+ "meta-category": "misc",
+ "uuid": "d727bc27-d1b9-4754-972c-dea305bd5976",
+ "name": "facial-composite"
+}
From e634e50e898e27a2cc0ad1a84a225d64ce8e30c3 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:44:01 +0100
Subject: [PATCH 12/18] chg: [doc] facial-composite object added
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 13cdafc..5bf98d9 100644
--- a/README.md
+++ b/README.md
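Review bot: In the `technique` attribute `disable_correlation` is the last key, after `values_list`, whereas in `text` it directly follows `description`; using the same key order (description, disable_correlation, ui-priority, misp-attribute, values_list) in all three attribute blocks makes the template scan consistently. `values_list` is a closed list of six products, so if the MISP UI restricts `technique` to the listed values, a composite produced by any other method cannot be recorded; either document that the list is meant to be exhaustive or add a catch-all entry such as `"Other"`. `facial-composite` is the only attribute without `disable_correlation`; if correlating on the attachment is not intended, `"disable_correlation": true` would keep it in line with `text` and `technique`.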
@@ -88,6 +88,7 @@ for a specific attribute.
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
 * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
+* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
 * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
From 39bd2641aa33ce733151bbf74fdbd3da6118a20e Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 21 Dec 2018 20:50:12 +0100
Subject: [PATCH 13/18] chg: [relationships] witness-of added
---
 relationships/definition.json | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/relationships/definition.json b/relationships/definition.json
index c6c94bb..0242365 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -927,6 +927,13 @@
 "format": [
 "alfred"
 ]
+ },
+ {
+ "name": "witness-of",
+ "description": "Represents an object being a witness of something.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From 25dc125a307648ff3d48d148ca57328cecf625d9 Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Sat, 22 Dec 2018 07:23:17 +0100
Subject: [PATCH 14/18] fix: [relationships] removed duplicate
---
 relationships/definition.json | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index 0242365..6b12f4a 100644
--- a/relationships/definition.json
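Review bot: The new `witness-of` entry's description, `"Represents an object being a witness of something."`, does not say which end of the relationship is the witness, unlike the file's other entries that follow the pattern `"This relationship describes an object which drops another object"`; `"description": "This relationship describes an object which witnessed the related object or event."` follows the house phrasing and fixes the direction. The diffstat shows 7 insertions and no deletions, so if `relationships/definition.json` carries a `version` field like the object templates (it would be outside this hunk), it was not raised for the new entry. The enclosing `values` array starts and ends outside the hunk.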
+++ b/relationships/definition.json
@@ -264,13 +264,6 @@
 "misp"
 ]
 },
- {
- "name": "dropped-by",
- "description": "This relationship describes an object dropped by another object.",
- "format": [
- "misp"
- ]
- },
 {
 "name": "drops",
 "description": "This relationship describes an object which drops another object",
From 68ca8b0a92cfc145d74a11703785718c8d35af62 Mon Sep 17 00:00:00 2001
From: eCrimeLabs
Date: Sun, 30 Dec 2018 12:31:17 +0100
Subject: [PATCH 15/18] Updated JA3 to have own data type ja3-fingerprint-md5 and bumped the version
---
 objects/ja3/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index 6dcee9f..39b539d 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
@@ -2,12 +2,12 @@
 "name": "ja3",
 "meta-category": "network",
 "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
- "version": 3,
+ "version": 4,
 "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
 "attributes": {
 "ja3-fingerprint-md5": {
 "description": "Hash identifying source",
- "misp-attribute": "md5",
+ "misp-attribute": "ja3-fingerprint-md5",
 "ui-priority": 1
 },
 "description": {
From d98cfd6d1601fabe6a6260f3765fbf0c5b4cd804 Mon Sep 17 00:00:00 2001
From: Stefan Kelm
Date: Wed, 2 Jan 2019 16:19:08 +0100
Subject: [PATCH 16/18] New object: Information related to known scanning activity (e.g. from research projects)
---
 README.md | 1 +
 objects/research-scanner/definition.json | 80 ++++++++++++++++++++++++
 2 files changed, 81 insertions(+)
 create mode 100644 objects/research-scanner/definition.json
diff --git a/README.md b/README.md
index 5bf98d9..2be07a3 100644
--- a/README.md
+++ b/README.md
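Review bot: In the `ja3` hunk the `ja3-fingerprint-md5` attribute switches its `misp-attribute` from `md5` to `ja3-fingerprint-md5` but keeps the description `"Hash identifying source"`, which says nothing about what is hashed now that the type itself is specific; `"description": "JA3 fingerprint (MD5 of the TLS Client Hello parameters)"` would match the new type and the file's own `description` text. A template that names an attribute type the receiving MISP instance does not know cannot, as far as I know, be loaded there, so this version bump also raises the minimum MISP release able to use the object — worth one sentence in the commit message or the top-level `description` so operators on older releases understand why the template no longer appears.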
@@ -122,6 +122,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
+* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects)
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
diff --git a/objects/research-scanner/definition.json b/objects/research-scanner/definition.json
new file mode 100644
index 0000000..8822c4e
--- /dev/null
+++ b/objects/research-scanner/definition.json
@@ -0,0 +1,80 @@
+{
+ "required": [
+ "project",
+ "scanning_ip"
+ ],
+ "attributes": {
+ "project": {
+ "description": "Description of scanning project",
+ "ui-priority": 1,
+ "disable_correlation": true,
+ "misp-attribute": "text"
+ },
+ "scanning_ip": {
+ "description": "IP address used by project",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "domain": {
+ "description": "Domain related to project",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "domain"
+ },
+ "asn": {
+ "description": "Autonomous System Number related to project",
+ "ui-priority": 0,
+ "disable_correlation": true,
+ "misp-attribute": "AS"
+ },
+ "scheduled_start": {
+ "description": "Scheduled start of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "scheduled_end": {
+ "description": "Scheduled end of scanning activity",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "datetime"
+ },
+ "contact_email": {
+ "description": "Project contact information",
+ "disable_correlation": true,
+ "categories": [
+ "Network activity",
+ "Social network"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "email-dst",
+ "multiple": true
+ },
+ "contact_phone": {
+ "description": "Phone number related to project",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "project_url": {
+ "description": "URL related to project",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attribute": "link",
+ "multiple": true
+ }
+ },
+ "version": 20190102,
+ "description": "Information related to known scanning activity (e.g. from research projects)",
+ "meta-category": "network",
+ "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
+ "name": "research-scanner"
+}
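Review bot: `"version": 20190102` uses a date stamp while every other template in this series carries a small integer (`1`, `3`, `4`, `5`, `6`); a numeric comparison still works, but every future bump must stay above 20190102 and the scheme differs from the rest of the repository, so `"version": 1` keeps it uniform. The attribute keys (`scanning_ip`, `scheduled_start`, `contact_email`, `project_url`) use underscores, whereas the templates added alongside use hyphens (`start-date`, `server-name`, `birth-certificate-number`); settling on the hyphenated form before the template is published avoids a breaking rename later. `scanning_ip` leaves correlation enabled, which looks deliberate — it is what lets a known research scanner surface against `ip-src` attributes in other events — but `asn` disables correlation while `domain` does not, and that asymmetry is worth confirming or documenting in the descriptions. `contact_email` is typed `email-dst` although it is a point of contact rather than a mail destination observed in traffic; if no better-fitting type exists on the target MISP release, a note in the description saying so would prevent readers from treating it as an indicator.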
From 12f51e2ad5378fe7615b7b1a4fb929540f7ccc33 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 2 Jan 2019 22:05:02 +0100
Subject: [PATCH 17/18] chg: [doc] copyright date fixed
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 2be07a3..48aab48 100644
--- a/README.md
+++ b/README.md
@@ -187,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the
 ~~~~
-Copyright (C) 2016-2018 Andras Iklody
-Copyright (C) 2016-2018 Alexandre Dulaunoy
-Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
+Copyright (C) 2016-2019 Andras Iklody
+Copyright (C) 2016-2019 Alexandre Dulaunoy
+Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as published by
From ae32e23fbf79d106caa0d3341e2a403171d9799c Mon Sep 17 00:00:00 2001
From: Christophe Vandeplas
Date: Thu, 3 Jan 2019 15:07:08 +0100
Subject: [PATCH 18/18] chg: [http-request] IP as allowed type
---
 objects/http-request/definition.json | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json
index 76bb081..04c4e6e 100644
--- a/objects/http-request/definition.json
+++ b/objects/http-request/definition.json
@@ -51,6 +51,15 @@
 "ui-priority": 1,
 "misp-attribute": "hostname"
 },
+ "ip": {
+ "categories": [
+ "Network activity",
+ "Payload delivery"
+ ],
+ "description": "The IP address of the server",
+ "ui-priority": 1,
+ "misp-attribute": "ip-dst"
+ },
 "method": {
 "categories": [
 "Network activity"
@@ -111,7 +120,7 @@
 "misp-attribute": "user-agent"
 }
 },
- "version": 2,
+ "version": 3,
 "description": "A single HTTP request header",
 "meta-category": "network",
 "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",
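Review bot: The new `ip` attribute in the first `http-request` hunk is described as `"The IP address of the server"`, which leaves open whether it is the address the request was actually sent to or a later resolution of the hostname; since the type is `ip-dst` and the attribute sits next to the `hostname`-typed neighbour, say so: `"description": "IP address the request was sent to (destination), complementing the hostname"`. `ip` is also not marked `multiple`, so a request observed against several addresses (for example round-robin DNS) would need several objects; if that is intended it is fine, otherwise `"multiple": true` matches how the templates added in this series handle repeatable network attributes. The second hunk only bumps `version`.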