From b96e7ed8be77c601b3b8ab70067eda3734a83dc2 Mon Sep 17 00:00:00 2001
From: chrisr3d
Date: Mon, 8 Jul 2019 11:18:21 +0200
Subject: [PATCH] new: New object describing user accounts
---
 README.md | 1 +
 objects/user-account/definition.json | 136 +++++++++++++++++++++++++++
 2 files changed, 137 insertions(+)
 create mode 100644 objects/user-account/definition.json
diff --git a/README.md b/README.md
index 1cb0714..84d2692 100644
--- a/README.md
+++ b/README.md
@@ -150,6 +150,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 * [objects/tracking-id](objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform.
 * [objects/transaction](objects/transaction/definition.json) - Object describing a financial transaction.
 * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata.
+* [objects/user-account](objects/user-account/definition.json) - Object describing a user account (UNIX, Windows, etc).
 * [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
 * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused.
 * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report.
diff --git a/objects/user-account/definition.json b/objects/user-account/definition.json
new file mode 100644
index 0000000..8719809
--- /dev/null
+++ b/objects/user-account/definition.json 
@@ -0,0 +1,136 @@
+{
+ "name": "user-account",
+ "uuid": "49606b06-22f0-4ac8-8eee-2f12ad46f3d3",
+ "meta-category": "misc",
+ "description": "",
+ "version": 1,
+ "requiredOneOf": [
+ "password",
+ "username"
+ ],
+ "attributes": {
+ "text": {
+ "description": "A description of the user account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "username": {
+ "description": "Username related to the password.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "user-id": {
+ "description": "Identifier of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "password": {
+ "description": "Password related to the username.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "display-name": {
+ "description": "Display name of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "account-type": {
+ "description": "Type of the account.",
+ "ui-priority": 1,
+ "misp-attributes": "text",
+ "sane_default": [
+ "facebook",
+ "ldap",
+ "nis",
+ "openid",
+ "radius",
+ "skype",
+ "tacacs",
+ "twitter",
+ "unix",
+ "windows-local",
+ "windows-domain"
+ ]
+ },
+ "is_service_account": {
+ "description": "Specifies if the account is associated with a network service.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "privileged": {
+ "description": "Specifies if the account has privileges such as root rights.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "can_escalate_privs": {
+ "description": "Specifies if the account has the ability to escalate privileges.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "disabled": {
+ "description": "Specifies if the account is desabled.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "boolean"
+ },
+ "created": {
+ "description": "Creation time of the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "expires": {
+ "description": "Expiration time of the account",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "first_login": {
+ "description": "First time someone logged in to the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "last_login": {
+ "description": "Last time someone logged in to the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "password_last_changed": {
+ "description": "Last time the password has been changed.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "datetime"
+ },
+ "group-id": {
+ "description": "Identifier of the primary group of the account, in case of a UNIX account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "group": {
+ "description": "UNIX group(s) the account is member of.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text",
+ "multiple": true
+ },
+ "home_dir": {
+ "description": "Home directory of the UNIX account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ },
+ "shell": {
+ "description": "UNIX command shell of the account.",
+ "disable_correlation": true,
+ "ui-priority": 1,
+ "misp-attributes": "text"
+ }
+ }
+}
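Review bot: The template's top-level `"description"` at the start of the hunk is the empty string even though the README entry in the same patch already states one; use `"description": "Object describing a user account (UNIX, Windows, etc)."` so the object is self-describing wherever the template is listed. The `disabled` attribute's description misspells its own name and should read `"description": "Specifies if the account is disabled."`. Attribute names mix hyphens (`user-id`, `display-name`, `account-type`, `group-id`) with underscores (`is_service_account`, `can_escalate_privs`, `first_login`, `last_login`, `password_last_changed`, `home_dir`); since renaming an attribute once the template has shipped breaks every consumer that already references it, settle on one convention before merge, and the hyphenated form is the one the template's own keys (`meta-category`, `ui-priority`) already use. Finally, `password` is a correlating `text` attribute whose description does not say whether the value is a cleartext secret or a hash, so that description should state which, and whether correlation of that value across events is intended, because the choice decides who gets to see a shared credential.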