From dcb44bcc5a77a709603ee03698a3db2c156ef009 Mon Sep 17 00:00:00 2001
From: 3c7
Date: Tue, 26 Apr 2022 14:02:43 +0200
Subject: [PATCH 1/4] Added VirusTotal Submission object and uploaded/uploaded-by relation
---
 objects/virustotal-submitter/definition.json | 77 ++++++++++++++++++++
 relationships/definition.json | 18 ++++-
 2 files changed, 94 insertions(+), 1 deletion(-)
 create mode 100644 objects/virustotal-submitter/definition.json
diff --git a/objects/virustotal-submitter/definition.json b/objects/virustotal-submitter/definition.json
new file mode 100644
index 0000000..14271f6
--- /dev/null
+++ b/objects/virustotal-submitter/definition.json
@@ -0,0 +1,77 @@
+{
+ "attributes": {
+ "city": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The city a file was uploaded from.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "country": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The country a file was uploaded from.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "to_ids": false,
+ "ui-priority": 1
+ },
+ "date": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The upload date.",
+ "disable_correlation": true,
+ "misp-attribute": "datetime",
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "filename": {
+ "categories": [
+ "Payload Delivery"
+ ],
+ "description": "The filename used to submit a file.",
+ "disable_correlation": false,
+ "misp-attribute": "filename",
+ "to_ids": false,
+ "ui-priority": 0
+ },
+ "interface": {
+ "categories": [
+ "Other"
+ ],
+ "description": "The interface used to upload a file.",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "to_ids": false,
+ "ui-priority": 0,
+ "values-list": [
+ "web",
+ "api",
+ "email"
+ ]
+ },
+ "submitter-id": {
+ "categories": [
+ "Other"
+ ],
+ "description": "Submitter ID, given as source_key via the VT API.",
+ "disable_correlation": false,
+ "misp-attribute": "text",
+ "to_ids": false,
+ "ui-priority": 1
+ }
+ },
+ "description": "VirusTotal Submission",
+ "meta-category": "misc",
+ "name": "virustotal-submission",
+ "required": [
+ "submitter-id"
+ ],
+ "uuid": "473d289b-f1d4-4f02-a4fe-3b69f534ed45",
+ "version": 1
+}
\ No newline at end of file
diff --git a/relationships/definition.json b/relationships/definition.json
index 9eadce3..f9b695e 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
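Review bot: In objects/virustotal-submitter/definition.json the object-level `description` near the end of the new file only repeats the object name ("VirusTotal Submission"), and that string is also what the README entry added in PATCH 4/4 shows, so a reader cannot tell what one instance records. I would spell it out from the attributes the file defines, e.g. `"description": "Metadata of a single file submission to VirusTotal: submitter ID, upload date, interface, filename and the city/country it was uploaded from."`. Since `submitter-id` is left with `"disable_correlation": false`, presumably to pivot between events, its description could also state that the ID identifies whoever uploaded the sample, which may be a victim or an analyst rather than an actor, so that correlations and the sharing scope of `city`/`country` are weighed accordingly.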
@@ -1336,7 +1336,23 @@
 "misp"
 ],
 "name": "has-met"
+ },
+ {
+ "description": "The referenced source object uploaded the referenced target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "uploaded",
+ "opposite": "uploaded-by"
+ },
+ {
+ "description": "The referenced source object was uploaded by the referenced target object.",
+ "format": [
+ "misp"
+ ],
+ "name": "uploaded-by",
+ "opposite": "uploaded"
 }
 ],
- "version": 33
+ "version": 34
 }
\ No newline at end of file
From e57ab0f52239471feb0b7382d3a09a39ce286eec Mon Sep 17 00:00:00 2001
From: 3c7
Date: Tue, 26 Apr 2022 14:07:20 +0200
Subject: [PATCH 2/4] uploaded -> submitted; otherwise possible semantic collision with "uploads" relationship
---
 .../definition.json | 0
 relationships/definition.json | 12 ++++++------
 2 files changed, 6 insertions(+), 6 deletions(-)
 rename objects/{virustotal-submitter => virustotal-submission}/definition.json (100%)
diff --git a/objects/virustotal-submitter/definition.json b/objects/virustotal-submission/definition.json
similarity index 100%
rename from objects/virustotal-submitter/definition.json
rename to objects/virustotal-submission/definition.json
diff --git a/relationships/definition.json b/relationships/definition.json
index f9b695e..6634c8c 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1338,20 +1338,20 @@
 "name": "has-met"
 },
 {
- "description": "The referenced source object uploaded the referenced target object.",
+ "description": "The referenced source object submitted the referenced target object (to an online anti virus scanner).",
 "format": [
 "misp"
 ],
- "name": "uploaded",
- "opposite": "uploaded-by"
+ "name": "submitted",
+ "opposite": "submitted-by"
 },
 {
- "description": "The referenced source object was uploaded by the referenced target object.",
+ "description": "The referenced source object was submitted (to an online anti virus scanner) by the referenced target object.",
 "format": [
 "misp"
 ],
- "name": "uploaded-by",
- "opposite": "uploaded"
+ "name": "submitted-by",
+ "opposite": "submitted"
 }
 ],
 "version": 34
From 314d72f948b6451edad1ff8afe8627695aa33bc0 Mon Sep 17 00:00:00 2001
From: 3c7
Date: Tue, 26 Apr 2022 15:05:05 +0200
Subject: [PATCH 3/4] Fixes wrong category and typo in value list
---
 objects/virustotal-submission/definition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/objects/virustotal-submission/definition.json b/objects/virustotal-submission/definition.json
index 14271f6..9ec9566 100644
--- a/objects/virustotal-submission/definition.json
+++ b/objects/virustotal-submission/definition.json
@@ -32,7 +32,7 @@
 },
 "filename": {
 "categories": [
- "Payload Delivery"
+ "Payload delivery"
 ],
 "description": "The filename used to submit a file.",
 "disable_correlation": false,
@@ -49,7 +49,7 @@
 "misp-attribute": "text",
 "to_ids": false,
 "ui-priority": 0,
- "values-list": [
+ "values_list": [
 "web",
 "api",
 "email"
From 384397423222e8161ff07c87531ac5b55b86b3c9 Mon Sep 17 00:00:00 2001
From: 3c7
Date: Tue, 26 Apr 2022 15:08:14 +0200
Subject: [PATCH 4/4] Added new object to README
---
 README.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index f14ff55..a774b0a 100644
--- a/README.md
+++ b/README.md
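Review bot: In the `@@ -49,7 +49,7 @@` hunk of objects/virustotal-submission/definition.json (PATCH 3/4), correcting the key to `values_list` presumably turns `web`, `api` and `email` into a closed enumeration for `interface`, so it is worth confirming that these three are the complete set the VirusTotal API reports. If another interface name can occur, a submission carrying it would not fit the template and that provenance detail would likely be dropped or rewritten on import. Using `"sane_default": [` in place of `"values_list": [` keeps the three suggestions while still accepting other text. The `interface` attribute starts above and ends below this hunk, so the rest of its definition is not visible here.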
@@ -372,6 +372,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/victim](https://github.com/MISP/misp-objects/blob/main/objects/victim/definition.json) - Victim object describes the target of an attack or abuse.
 - [objects/virustotal-graph](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-graph/definition.json) - VirusTotal graph.
 - [objects/virustotal-report](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-report/definition.json) - VirusTotal report.
+- [objects/virustotal-submission](https://github.com/MISP/misp-objects/blob/main/objects/virustotal-submission/definition.json) - VirusTotal Submission.
 - [objects/vulnerability](https://github.com/MISP/misp-objects/blob/main/objects/vulnerability/definition.json) - Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.
 - [objects/weakness](https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json) - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware.
 - [objects/whois](https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json) - Whois records information for a domain name or an IP address.