Merge branch 'master' of github.com:MISP/misp-objects

README.md

@@ -88,6 +88,7 @@ for a specific attribute.
 * [objects/elf-section](objects/elf-section/definition.json) - Object describing a section of an Executable and Linkable Format (ELF).
 * [objects/email](objects/email/definition.json) - An email object.
 * [objects/exploit-poc](objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
+* [objects/facial-composite](objects/facial-composite/definition.json) A facial composite object.
 * [objects/fail2ban](objects/fail2ban/definition.json) - A fail2ban object.
 * [objects/file](objects/file/definition.json) - File object describing a file with meta-information.
 * [objects/forensic-case](objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
@@ -121,6 +122,7 @@ for a specific attribute.
 * [objects/registry-key](objects/registry-key/definition.json) - A registry-key object.
 * [objects/r2graphity](objects/r2graphity/definition.json) - Indicators extracted from binary files using radare2 and graphml.
 * [objects/report](objects/report/definition.json) - Object to describe metadata used to generate an executive level report.
+* [objects/research-scanner](objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects)
 * [objects/rtir](objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object.
 * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object.
@@ -185,9 +187,9 @@ The MISP objects model allows to add new combined indicators format based on the
 
 ~~~~
 
-Copyright (C) 2016-2018 Andras Iklody
+Copyright (C) 2016-2019 Andras Iklody
-Copyright (C) 2016-2018 Alexandre Dulaunoy
+Copyright (C) 2016-2019 Alexandre Dulaunoy
-Copyright (C) 2016-2018 CIRCL - Computer Incident Response Center Luxembourg
+Copyright (C) 2016-2019 CIRCL - Computer Incident Response Center Luxembourg
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU Affero General Public License as published by

objects/cortex-taxonomy/definition.json

@@ -0,0 +1,67 @@
+{
+  "required": [
+    "level",
+    "predicate",
+    "value",
+    "namespace"
+  ],
+  "attributes": {
+    "namespace": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Cortex Taxonomy Namespace",
+      "disable_correlation": true,
+      "multiple": false,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "predicate": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Cortex Taxonomy Predicate",
+      "disable_correlation": true,
+      "multiple": false,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "value": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Cortex Taxonomy Value",
+      "disable_correlation": true,
+      "multiple": false,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "level": {
+      "categories": [
+        "External analysis"
+      ],
+      "description": "Cortex Taxonomy Level",
+      "disable_correlation": true,
+      "multiple": false,
+      "misp-attribute": "text",
+      "ui-priority": 0,
+      "values_list": [
+        "info",
+        "safe",
+        "suspicious",
+        "malicious"
+      ]
+    },
+    "cortex_url": {
+      "description": "URL to the Cortex job",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "link"
+    }
+  },
+  "version": 4,
+  "description": "Cortex object describing an Cortex Taxonomy (or mini report)",
+  "meta-category": "misc",
+  "uuid": "bef7d23b-e796-4d46-803a-32e317896894",
+  "name": "cortex-taxonomy"
+}

objects/cortex/definition.json

@@ -0,0 +1,48 @@
+{
+  "requiredOneOf": [
+    "full"
+  ],
+  "attributes": {
+    "summary": {
+      "description": "Cortex summary object (summary) in JSON",
+      "disable_correlation": false,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "full": {
+      "description": "Cortex report object (full report) in JSON",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "start-date": {
+      "description": "When the Cortex analyser was started",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "datetime"
+    },
+    "name": {
+      "description": "Cortex analyser/worker name",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "server-name": {
+      "description": "Name of the cortex server",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "success": {
+      "description": "Result of the cortex job",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "boolean"
+    }
+  },
+  "version": 1,
+  "description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
+  "meta-category": "misc",
+  "uuid": "144988f3-fa00-4374-8015-c1a32092f451",
+  "name": "cortex"
+}

objects/facial-composite/definition.json

@@ -0,0 +1,39 @@
+{
+  "requiredOneOf": [
+    "facial-composite",
+    "text"
+  ],
+  "attributes": {
+    "text": {
+      "description": "A description of the facial composite.",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "misp-attribute": "text"
+    },
+    "technique": {
+      "description": "Construction technique of the facial composite.",
+      "ui-priority": 0,
+      "misp-attribute": "text",
+      "values_list": [
+        "E-FIT",
+        "PROfit",
+        "Sketch",
+        "Photofit",
+        "EvoFIT",
+        "PortraitPad"
+      ],
+      "disable_correlation": true
+    },
+    "facial-composite": {
+      "description": "Facial composite image.",
+      "ui-priority": 10,
+      "misp-attribute": "attachment",
+      "multiple": true
+    }
+  },
+  "version": 1,
+  "description": "An object which describes a facial composite.",
+  "meta-category": "misc",
+  "uuid": "d727bc27-d1b9-4754-972c-dea305bd5976",
+  "name": "facial-composite"
+}

objects/http-request/definition.json

@@ -51,6 +51,15 @@
       "ui-priority": 1,
       "misp-attribute": "hostname"
     },
+    "ip": {
+      "categories": [
+        "Network activity",
+        "Payload delivery"
+      ],
+      "description": "The IP address of the server",
+      "ui-priority": 1,
+      "misp-attribute": "ip-dst"
+    },
     "method": {
       "categories": [
         "Network activity"
@@ -111,7 +120,7 @@
       "misp-attribute": "user-agent"
     }
   },
-  "version": 2,
+  "version": 3,
   "description": "A single HTTP request header",
   "meta-category": "network",
   "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b",

objects/ja3/definition.json

@@ -2,12 +2,12 @@
   "name": "ja3",
   "meta-category": "network",
   "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3",
-  "version": 3,
+  "version": 4,
   "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac",
   "attributes": {
     "ja3-fingerprint-md5": {
       "description": "Hash identifying source",
-      "misp-attribute": "md5",
+      "misp-attribute": "ja3-fingerprint-md5",
       "ui-priority": 1
     },
     "description": {

objects/microblog/definition.json

@@ -30,7 +30,7 @@
       ]
     },
     "username": {
-      "description": "Username who posted the microblog post",
+      "description": "Username who posted the microblog post (without the @ prefix)",
       "ui-priority": 0,
       "misp-attribute": "text"
     },
@@ -62,7 +62,7 @@
       "misp-attribute": "text"
     }
   },
-  "version": 4,
+  "version": 5,
   "description": "Microblog post like a Twitter tweet or a post on a Facebook wall.",
   "meta-category": "misc",
   "uuid": "8ec8c911-ddbe-4f5b-895b-fbff70c42a60",

objects/person/definition.json

@@ -98,6 +98,16 @@
       "ui-priority": 0,
       "misp-attribute": "text"
     },
+    "birth-certificate-number": {
+      "description": "Birth Certificate Number",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
+    "ofac-identification-number": {
+      "description": "ofac-identification Number",
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    },
     "nationality": {
       "description": "The nationality of a natural person.",
       "ui-priority": 0,
@@ -134,9 +144,15 @@
       "ui-priority": 10,
       "misp-attribute": "email-src",
       "multiple": true
+    },
+    "portrait": {
+      "description": "Portrait of the person.",
+      "ui-priority": 10,
+      "misp-attribute": "attachment",
+      "multiple": true
     }
   },
-  "version": 4,
+  "version": 6,
   "description": "An object which describes a person or an identity.",
   "meta-category": "misc",
   "uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",

objects/research-scanner/definition.json

@@ -0,0 +1,80 @@
+{
+  "required": [
+    "project",
+    "scanning_ip"
+  ],
+  "attributes": {
+    "project": {
+      "description": "Description of scanning project",
+      "ui-priority": 1,
+      "disable_correlation": true,
+      "misp-attribute": "text"
+    },
+    "scanning_ip": {
+      "description": "IP address used by project",
+      "categories": [
+        "Network activity",
+        "External analysis"
+      ],
+      "ui-priority": 1,
+      "misp-attribute": "ip-src",
+      "multiple": true
+    },
+    "domain": {
+      "description": "Domain related to project",
+      "ui-priority": 1,
+      "multiple": true,
+      "misp-attribute": "domain"
+    },
+    "asn": {
+      "description": "Autonomous System Number related to project",
+      "ui-priority": 0,
+      "disable_correlation": true,
+      "misp-attribute": "AS"
+    },
+    "scheduled_start": {
+      "description": "Scheduled start of scanning activity",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "multiple": true,
+      "misp-attribute": "datetime"
+    },
+    "scheduled_end": {
+      "description": "Scheduled end of scanning activity",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "multiple": true,
+      "misp-attribute": "datetime"
+    },
+    "contact_email": {
+      "description": "Project contact information",
+      "disable_correlation": true,
+      "categories": [
+        "Network activity",
+        "Social network"
+      ],
+      "ui-priority": 1,
+      "misp-attribute": "email-dst",
+      "multiple": true
+    },
+    "contact_phone": {
+      "description": "Phone number related to project",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "phone-number",
+      "multiple": true
+    },
+    "project_url": {
+      "description": "URL related to project",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "misp-attribute": "link",
+      "multiple": true
+    }
+  },
+  "version": 20190102,
+  "description": "Information related to known scanning activity (e.g. from research projects)",
+  "meta-category": "network",
+  "uuid": "d690e956-fc8a-11e8-8eb2-f2801f1b9fd1",
+  "name": "research-scanner"
+}

objects/timesketch_message/definition.json

@@ -0,0 +1,26 @@
+{
+  "required": [
+    "datetime",
+    "message"
+  ],
+  "attributes": {
+    "datetime": {
+      "description": "datetime of the message",
+      "disable_correlation": true,
+      "ui-priority": 1,
+      "misp-attribute": "datetime",
+      "recommended": true
+    },
+    "message": {
+      "description": "message",
+      "disable_correlation": true,
+      "ui-priority": 0,
+      "misp-attribute": "text"
+    }
+  },
+  "version": 1,
+  "description": "A timesketch message entry.",
+  "meta-category": "misc",
+  "uuid": "ef27fb19-7e71-43e0-b6f6-6f03ab67666f",
+  "name": "timesketch_message"
+}

objects/victim/definition.json

@@ -1,6 +1,8 @@
 {
   "requiredOneOf": [
-    "name"
+    "name",
+    "regions",
+    "sectors"
   ],
   "attributes": {
     "description": {

relationships/definition.json

@@ -264,13 +264,6 @@
         "misp"
       ]
     },
-    {
-      "name": "dropped-by",
-      "description": "This relationship describes an object dropped by another object.",
-      "format": [
-        "misp"
-      ]
-    },
     {
       "name": "drops",
       "description": "This relationship describes an object which drops another object",
@@ -927,6 +920,13 @@
       "format": [
         "alfred"
       ]
+    },
+    {
+      "name": "witness-of",
+      "description": "Represents an object being a witness of something.",
+      "format": [
+        "misp"
+      ]
     }
   ],
   "description": "Default type of relationships in MISP objects.",