diff --git a/objects/ADS/definition.json b/objects/ADS/definition.json
new file mode 100644
index 0000000..2d23077
--- /dev/null
+++ b/objects/ADS/definition.json
@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "acd-element": {
+ "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "additional_resources": {
+ "description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
+ "misp-attribute": "url",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "blind_spots_and_assumptions": {
+ "description": "Recognized issues, assumptions, and areas where an ADS may not fire.",
+ "misp-attribute": "text",
+ "ui-priority": 7
+ },
+ "categorization": {
+ "description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "date": {
+ "description": "Enter date, when ADS has been created or edited.",
+ "misp-attribute": "datetime",
+ "ui-priority": 12
+ },
+ "false_positives": {
+ "description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.",
+ "misp-attribute": "text",
+ "ui-priority": 6
+ },
+ "goal": {
+ "description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.",
+ "misp-attribute": "text",
+ "ui-priority": 11
+ },
+ "priority": {
+ "description": "Describes the various alerting levels that an ADS may be tagged with.",
+ "misp-attribute": "text",
+ "ui-priority": 4
+ },
+ "responses": {
+ "description": "General response steps in the event that this alert fired.",
+ "misp-attribute": "text",
+ "ui-priority": 3
+ },
+ "sigma_rule": {
+ "description": "Rule in SIGMA format.",
+ "misp-attribute": "sigma",
+ "ui-priority": 1
+ },
+ "strategy_abstract": {
+ "description": "High-level walkthrough of how the ADS functions.",
+ "misp-attribute": "text",
+ "ui-priority": 9
+ },
+ "technical_context": {
+ "description": "Detailed information and background needed for a responder to understand all components of the alert. ",
+ "misp-attribute": "text",
+ "ui-priority": 8
+ },
+ "validation": {
+ "description": "lists the steps required to generate a representative true positive event which triggers this alert.",
+ "misp-attribute": "text",
+ "ui-priority": 5
+ }
+ },
+ "description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
+ "meta-category": "misc",
+ "name": "ADS",
+ "required": [
+ "date",
+ "goal",
+ "categorization"
+ ],
+ "uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
+ "version": 1
+}
\ No newline at end of file
diff --git a/objects/groups/definition.json b/objects/groups/definition.json
new file mode 100644
index 0000000..68f1fd0
--- /dev/null
+++ b/objects/groups/definition.json
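Review bot: `acd-element` and `validation` carry the identical description ("lists the steps required to generate a representative true positive event which triggers this alert."), so one of them is a copy-paste leftover; give `acd-element` a description of its own or drop the attribute before the template ships at version 1, because attribute names become part of the published object. None of the attributes sets `disable_correlation`, unlike the two sibling templates in this commit; free-text fields such as `priority` or `goal` are likely to correlate unrelated events on common values, so `"disable_correlation": true` on the descriptive text fields is probably wanted — worth confirming against MISP's default for absent keys. Minor: `technical_context` has a trailing space in its description and "Att&CK" should read "ATT&CK".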
@@ -0,0 +1,68 @@
+{
+ "attributes": {
+ "country": {
+ "description": "Country of group - group location where it operates from.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "description": {
+ "description": "Description of group activities or TTP used for group actions.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": false,
+ "ui-priority": 4
+ },
+ "more informations": {
+ "description": "List more informations by url - reports, group links etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ },
+ "motivation": {
+ "description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "names": {
+ "description": "Names or nicknames for group.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "observed": {
+ "description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 5
+ },
+ "sponsor": {
+ "description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "tools used": {
+ "description": "What known tools are used by group.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 6
+ }
+ },
+ "description": "Adversary group cards inspired by ThaiCERT",
+ "meta-category": "misc",
+ "name": "Group Cards",
+ "required": [
+ "name"
+ ],
+ "uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
+ "version": 1
+}
\ No newline at end of file
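Review bot: `required` lists `name`, but this template defines no attribute with that name — the identifying attribute is `names` — so a strict template check rejects every instance, or the requirement is silently unenforceable; change it to `"required": ["names"]`. Two attribute keys contain spaces (`"more informations"`, `"tools used"`); attribute names are used as identifiers in object relationships and exports, so hyphenated names such as `more-informations` and `tools-used` are safer, and version 1 is the moment to fix them. `more informations` is described as a list of URLs yet typed `text`; `"misp-attribute": "link"` (or `url`, as the ADS template in this commit uses) would let MISP treat and correlate the values as links rather than free text.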
diff --git a/objects/persnona/definition.json b/objects/persnona/definition.json
new file mode 100644
index 0000000..d3438d3
--- /dev/null
+++ b/objects/persnona/definition.json
@@ -0,0 +1,103 @@
+{
+ "attributes": {
+ "actions": {
+ "description": "Actions by this PersNOna or engagement with adversary or relateda party.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 7
+ },
+ "alias": {
+ "description": "Aliases or Nicknames of fake PesNOna on differenet media.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "background": {
+ "description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 2
+ },
+ "conversations": {
+ "description": "Conversations with targets",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "critical_tasks": {
+ "description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 6
+ },
+ "goals": {
+ "description": "Goals of creating of this PersNOna.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 5
+ },
+ "location": {
+ "description": "Location, where PersNOna is right now at home, home town, county, country etc.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 3
+ },
+ "media": {
+ "description": "Media where is PersNOna active ie. facebook, telegram etc.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 10
+ },
+ "name": {
+ "description": "Name - full name of PersNOna.",
+ "disable_correlation": false,
+ "misp-attribute": "full-name",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "oppportunities": {
+ "description": "Opportunities for another development, introducing another PersNOna etc.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 9
+ },
+ "photo": {
+ "description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
+ "disable_correlation": false,
+ "misp-attribute": "url",
+ "multiple": false,
+ "ui-priority": 0
+ },
+ "questions": {
+ "description": "Questions, which have to be answered by this profile goal.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 8
+ },
+ "responsi": {
+ "description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 4
+ }
+ },
+ "description": "Fake persona with tasks",
+ "meta-category": "misc",
+ "name": "Deception PersNOna",
+ "required": [
+ "name"
+ ],
+ "uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
+ "version": 1
+}
\ No newline at end of file
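Review bot: The attribute keys `oppportunities` and `responsi` are a misspelled and a truncated identifier, and the directory is `objects/persnona/` while the object is named `Deception PersNOna`; since the template is published at version 1 and attribute names are referenced by instances and relationships, rename them now (`opportunities`, `responsibilities`, `objects/persona/`) rather than after adoption. `alias` and `name` both use `"ui-priority": 1`, and `media` and `conversations` both use `10`, so the display order between those pairs is undefined; renumber so each value is unique. The `disable_correlation` choices look inconsistent — `goals`, `location` and `questions` are uncorrelated while `name`, `alias` and `photo` correlate — so if the intent is to avoid linking a deception persona across unrelated events, confirm that correlating on `name` and `alias` is wanted.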