From f90ff8c3c02231442d552f671a6eea7a2a5d3255 Mon Sep 17 00:00:00 2001
From: Matthijs van Polen
Date: Fri, 10 Nov 2023 15:18:48 +0100
Subject: [PATCH 01/24] [attack-step] Fixed typo, added multiples.
---
 objects/attack-step/definition.json | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
index ec30a13..7b80a95 100644
--- a/objects/attack-step/definition.json
+++ b/objects/attack-step/definition.json
@@ -26,11 +26,13 @@
 "description": "IP destination of the attack step, if any.",
 "disable_correlation": true,
 "misp-attribute": "ip-dst",
+ "multiple": true,
 "ui-priority": 1
 },
 "dst-misc": {
- "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+ "description": "Other type of destination of the attack step, if any. This can be e.g. localhost.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 1
 },
 "expected-response": {
@@ -50,16 +52,19 @@
 "source-domain": {
 "description": "Domain source of the attack step, if any.",
 "misp-attribute": "domain",
+ "multiple": true,
 "ui-priority": 1
 },
 "source-ip": {
 "description": "IP source of the attack step, if any.",
 "misp-attribute": "ip-src",
+ "multiple": true,
 "ui-priority": 1
 },
 "source-misc": {
 "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
 "misp-attribute": "text",
+ "multiple": true,
 "ui-priority": 1
 },
 "succesful": {
From feeaa600b7aa142456ce90e00b3d6cfbaa519f4c Mon Sep 17 00:00:00 2001
From: akshayjain-1 <135832006+akshayjain-1@users.noreply.github.com>
Date: Mon, 20 Nov 2023 12:09:18 -0500
Subject: [PATCH 02/24] Create definition.json for Crowdstrike report
---
 objects/crowdstrike-report/definition.json | 53 ++++++++++++++++++++++
 1 file changed, 53 insertions(+)
 create mode 100644 objects/crowdstrike-report/definition.json
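Review bot: Both hunks add `"multiple": true` to attribute definitions (the `ip-dst` attribute whose key begins before the first hunk, `dst-misc`, `source-domain`, `source-ip` and `source-misc`) but neither touches the template's top-level `version` field, which lies outside both hunks. MISP instances only replace an object template they already hold when the incoming `version` is higher, so unless the bump happens in a hunk not shown here, existing installs keep the single-valued definition and the typo fix on `dst-misc` never reaches them. A one-line change to `"version"` in the same commit would make the template update effective.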
diff --git a/objects/crowdstrike-report/definition.json b/objects/crowdstrike-report/definition.json
new file mode 100644
index 0000000..9a2aaa0
--- /dev/null
+++ b/objects/crowdstrike-report/definition.json
@@ -0,0 +1,53 @@
+{
+ "attributes": {
+ "filename": {
+ "description": "Filename on disk",
+ "disable_correlation": true,
+ "misp-attribute": "filename",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "fullpath": {
+ "description": "Complete path of the filename including the filename",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "process-name": {
+ "description": "Name of the process trigerring the detection",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "parent-command": {
+ "description": "Commandline of the parent process",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "command": {
+ "description": "Commandline triggering the detection",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "file-hash": {
+ "description": "Unique file hash",
+ "misp-attribute": "text",
+ "ui-priority": 1
+ },
+ "ip": {
+ "description": "Source IP address",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ }
+ },
+ "description": "An Object Template to encode an Crowdstrike detection report",
+ "meta-category": "misc",
+ "name": "crowdstrike-report",
+ "uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740",
+ "version": 1
+ }
From 516d5ac6681e05e350583825e2156d898df81534 Mon Sep 17 00:00:00 2001
From: akshayjain-1 <135832006+akshayjain-1@users.noreply.github.com>
Date: Mon, 20 Nov 2023 13:54:12 -0500
Subject: [PATCH 03/24] Update definition.json
Changed the file hash attribute type to sha256 from text
---
 objects/crowdstrike-report/definition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
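Review bot: The `ip` attribute is described only as "Source IP address", which leaves open whether it is the address of the endpoint that raised the detection or of a remote peer; `ip-src` attributes correlate and default to `to_ids` in MISP, so an endpoint's own (often internal) address encoded here would be exported as an indicator. If it is the host address, add `"to_ids": false` and make the description explicit, e.g. `"description": "IP address of the endpoint on which the detection was raised"`; if it is a remote address, say that instead. Two wording slips in the added lines carry through unchanged into the reordered file in PATCH 04/24: `trigerring` in the `process-name` description and `an Crowdstrike` in the template description (the vendor spells it CrowdStrike). The template also declares no `requiredOneOf`, so an object with every attribute empty would be accepted; `["file-hash", "filename", "command"]` would presumably be a sensible minimum, to be confirmed with the template author.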
diff --git a/objects/crowdstrike-report/definition.json b/objects/crowdstrike-report/definition.json
index 9a2aaa0..bbb23ba 100644
--- a/objects/crowdstrike-report/definition.json
+++ b/objects/crowdstrike-report/definition.json
@@ -36,7 +36,7 @@
 },
 "file-hash": {
 "description": "Unique file hash",
- "misp-attribute": "text",
+ "misp-attribute": "sha256",
 "ui-priority": 1
 },
 "ip": {
From d4b6596a9d965923b29113971585e7e747fd4245 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 21 Nov 2023 08:20:35 +0100
Subject: [PATCH 04/24] fix: [crowdstrike-report] jq all the things
---
 objects/crowdstrike-report/definition.json | 102 ++++++++++-----------
 1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/objects/crowdstrike-report/definition.json b/objects/crowdstrike-report/definition.json
index bbb23ba..eefdf38 100644
--- a/objects/crowdstrike-report/definition.json
+++ b/objects/crowdstrike-report/definition.json
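Review bot: With the type now pinned to `sha256`, the description `"Unique file hash"` understates the contract, because MISP validates a `sha256` attribute's value and will refuse an MD5 or SHA-1 pasted into it; `"description": "SHA256 hash of the file"` tells template users which digest belongs here. If CrowdStrike detections can also carry other digests, a separate attribute per hash type is the fitting shape rather than widening this one back to `text`.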
@@ -1,53 +1,53 @@
 {
- "attributes": {
- "filename": {
- "description": "Filename on disk",
- "disable_correlation": true,
- "misp-attribute": "filename",
- "multiple": true,
- "ui-priority": 1
- },
- "fullpath": {
- "description": "Complete path of the filename including the filename",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 0
- },
- "process-name": {
- "description": "Name of the process trigerring the detection",
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
- "parent-command": {
- "description": "Commandline of the parent process",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
- "command": {
- "description": "Commandline triggering the detection",
- "disable_correlation": true,
- "misp-attribute": "text",
- "multiple": true,
- "ui-priority": 1
- },
- "file-hash": {
- "description": "Unique file hash",
- "misp-attribute": "sha256",
- "ui-priority": 1
- },
- "ip": {
- "description": "Source IP address",
- "misp-attribute": "ip-src",
- "ui-priority": 1
- }
+ "attributes": {
+ "command": {
+ "description": "Commandline triggering the detection",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
 },
- "description": "An Object Template to encode an Crowdstrike detection report",
- "meta-category": "misc",
- "name": "crowdstrike-report",
- "uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740",
- "version": 1
- }
+ "file-hash": {
+ "description": "Unique file hash",
+ "misp-attribute": "sha256",
+ "ui-priority": 1
+ },
+ "filename": {
+ "description": "Filename on disk",
+ "disable_correlation": true,
+ "misp-attribute": "filename",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "fullpath": {
+ "description": "Complete path of the filename including the filename",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 0
+ },
+ "ip": {
+ "description": "Source IP address",
+ "misp-attribute": "ip-src",
+ "ui-priority": 1
+ },
+ "parent-command": {
+ "description": "Commandline of the parent process",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ },
+ "process-name": {
+ "description": "Name of the process trigerring the detection",
+ "misp-attribute": "text",
+ "multiple": true,
+ "ui-priority": 1
+ }
+ },
+ "description": "An Object Template to encode an Crowdstrike detection report",
+ "meta-category": "misc",
+ "name": "crowdstrike-report",
+ "uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740",
+ "version": 1
+}
\ No newline at end of file
From d105769d6f39c20f279e31049ff5d2e034879863 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 21 Nov 2023 08:29:49 +0100
Subject: [PATCH 05/24] chg: [doc] MISP objects list updated
---
 README.md | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index f5a90ab..62fdeb2 100644
--- a/README.md
+++ b/README.md
@@ -105,6 +105,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 ## Existing MISP objects
 
 - [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
+- [objects/abuseipdb](https://github.com/MISP/misp-objects/blob/main/objects/abuseipdb/definition.json) - AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist.
 - [objects/ai-chat-prompt](https://github.com/MISP/misp-objects/blob/main/objects/ai-chat-prompt/definition.json) - Object describing an AI prompt such as ChatGPT.
 - [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework.
 - [objects/ais](https://github.com/MISP/misp-objects/blob/main/objects/ais/definition.json) - Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.
@@ -121,6 +122,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
 - [objects/authenticode-signerinfo](https://github.com/MISP/misp-objects/blob/main/objects/authenticode-signerinfo/definition.json) - Authenticode Signer Info.
 - [objects/av-signature](https://github.com/MISP/misp-objects/blob/main/objects/av-signature/definition.json) - Antivirus detection signature.
+- [objects/availability-impact](https://github.com/MISP/misp-objects/blob/main/objects/availability-impact/definition.json) - Availability Impact object as described in STIX 2.1 Incident object extension.
 - [objects/bank-account](https://github.com/MISP/misp-objects/blob/main/objects/bank-account/definition.json) - An object describing bank account information based on account description from goAML 4.0.
 - [objects/bgp-hijack](https://github.com/MISP/misp-objects/blob/main/objects/bgp-hijack/definition.json) - Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.
 - [objects/bgp-ranking](https://github.com/MISP/misp-objects/blob/main/objects/bgp-ranking/definition.json) - BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.
@@ -128,6 +130,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil.
 - [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
 - [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.
+- [objects/c2-list](https://github.com/MISP/misp-objects/blob/main/objects/c2-list/definition.json) - List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis.
 - [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
 - [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
 - [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
@@ -136,6 +139,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
 - [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not.
 - [objects/concordia-mtmf-intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/concordia-mtmf-intrusion-set/definition.json) - Intrusion Set - Phase Description.
+- [objects/confidentiality-impact](https://github.com/MISP/misp-objects/blob/main/objects/confidentiality-impact/definition.json) - Confidentiality Impact object as described in STIX 2.1 Incident object extension.
 - [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.
 - [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.
 - [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing a Cortex Taxonomy (or mini report).
@@ -147,13 +151,18 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/cpe-asset](https://github.com/MISP/misp-objects/blob/main/objects/cpe-asset/definition.json) - An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.
 - [objects/credential](https://github.com/MISP/misp-objects/blob/main/objects/credential/definition.json) - Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).
 - [objects/credit-card](https://github.com/MISP/misp-objects/blob/main/objects/credit-card/definition.json) - A payment card like credit card, debit card or any similar cards which can be used for financial transactions.
+- [objects/crowdsec-ip-context](https://github.com/MISP/misp-objects/blob/main/objects/crowdsec-ip-context/definition.json) - CrowdSec Threat Intelligence - IP CTI search.
+- [objects/crowdstrike-report](https://github.com/MISP/misp-objects/blob/main/objects/crowdstrike-report/definition.json) - An Object Template to encode an Crowdstrike detection report.
 - [objects/crypto-material](https://github.com/MISP/misp-objects/blob/main/objects/crypto-material/definition.json) - Cryptographic materials such as public or/and private keys.
+- [objects/cryptocurrency-transaction](https://github.com/MISP/misp-objects/blob/main/objects/cryptocurrency-transaction/definition.json) - An object to describe a cryptocurrency transaction.
+- [objects/cs-beacon-config](https://github.com/MISP/misp-objects/blob/main/objects/cs-beacon-config/definition.json) - Cobalt Strike Beacon Config.
 - [objects/cytomic-orion-file](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-file/definition.json) - Cytomic Orion File Detection.
 - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection.
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
 - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
+- [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
 - [objects/directory](https://github.com/MISP/misp-objects/blob/main/objects/directory/definition.json) - Directory object describing a directory with meta-information.
 - [objects/dkim](https://github.com/MISP/misp-objects/blob/main/objects/dkim/definition.json) - DomainKeys Identified Mail - DKIM.
 - [objects/dns-record](https://github.com/MISP/misp-objects/blob/main/objects/dns-record/definition.json) - A set of DNS records observed for a specific domain.
@@ -165,8 +174,10 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
 - [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points.
 - [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.
+- [objects/event](https://github.com/MISP/misp-objects/blob/main/objects/event/definition.json) - Event object as described in STIX 2.1 Incident object extension.
 - [objects/exploit](https://github.com/MISP/misp-objects/blob/main/objects/exploit/definition.json) - Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.
 - [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
+- [objects/external-impact](https://github.com/MISP/misp-objects/blob/main/objects/external-impact/definition.json) - External Impact object as described in STIX 2.1 Incident object extension.
 - [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account.
 - [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group.
 - [objects/facebook-page](https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json) - Facebook page.
@@ -236,9 +247,11 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
 - [objects/gitlab-user](https://github.com/MISP/misp-objects/blob/main/objects/gitlab-user/definition.json) - GitLab user. Gitlab.com user or self-hosted GitLab instance.
+- [objects/google-safe-browsing](https://github.com/MISP/misp-objects/blob/main/objects/google-safe-browsing/definition.json) - Google Safe checks a URL against Google's constantly updated list of unsafe web resources.
 - [objects/greynoise-ip](https://github.com/MISP/misp-objects/blob/main/objects/greynoise-ip/definition.json) - GreyNoise IP Information.
 - [objects/gtp-attack](https://github.com/MISP/misp-objects/blob/main/objects/gtp-attack/definition.json) - GTP attack object as attack as seen on the GTP signaling protocol supporting GPRS/LTE networks.
 - [objects/hashlookup](https://github.com/MISP/misp-objects/blob/main/objects/hashlookup/definition.json) - hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.
+- [objects/hhhash](https://github.com/MISP/misp-objects/blob/main/objects/hhhash/definition.json) - An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash.
 - [objects/http-request](https://github.com/MISP/misp-objects/blob/main/objects/http-request/definition.json) - A single HTTP request header.
 - [objects/identity](https://github.com/MISP/misp-objects/blob/main/objects/identity/definition.json) - Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector). The Identity SDO can capture basic identifying information, contact information, and the sectors that the Identity belongs to. Identity is used in STIX to represent, among other things, targets of attacks, information sources, object creators, and threat actor identities. (ref. STIX 2.1 - 4.5).
 - [objects/ilr-impact](https://github.com/MISP/misp-objects/blob/main/objects/ilr-impact/definition.json) - Institut Luxembourgeois de Regulation - Impact.
@@ -246,9 +259,11 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/image](https://github.com/MISP/misp-objects/blob/main/objects/image/definition.json) - Object describing an image file.
 - [objects/impersonation](https://github.com/MISP/misp-objects/blob/main/objects/impersonation/definition.json) - Represent an impersonating account.
 - [objects/imsi-catcher](https://github.com/MISP/misp-objects/blob/main/objects/imsi-catcher/definition.json) - IMSI Catcher entry object based on the open source IMSI cather.
+- [objects/incident](https://github.com/MISP/misp-objects/blob/main/objects/incident/definition.json) - Incident object template as described in STIX 2.1 Incident object and its core extension.
 - [objects/infrastructure](https://github.com/MISP/misp-objects/blob/main/objects/infrastructure/definition.json) - The Infrastructure object represents a type of TTP and describes any systems, software services and any associated physical or virtual resources intended to support some purpose (e.g., C2 servers used as part of an attack, device or server that are part of defense, database servers targeted by an attack, etc.). While elements of an attack can be represented by other objects, the Infrastructure object represents a named group of related data that constitutes the infrastructure. STIX 2.1 - 4.8.
 - [objects/instant-message](https://github.com/MISP/misp-objects/blob/main/objects/instant-message/definition.json) - Instant Message (IM) object template describing one or more IM message.
 - [objects/instant-message-group](https://github.com/MISP/misp-objects/blob/main/objects/instant-message-group/definition.json) - Instant Message (IM) group object template describing a public or private IM group, channel or conversation.
+- [objects/integrity-impact](https://github.com/MISP/misp-objects/blob/main/objects/integrity-impact/definition.json) - Integrity Impact object as described in STIX 2.1 Incident object extension.
 - [objects/intel471-vulnerability-intelligence](https://github.com/MISP/misp-objects/blob/main/objects/intel471-vulnerability-intelligence/definition.json) - Intel 471 vulnerability intelligence object.
 - [objects/intelmq_event](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_event/definition.json) - IntelMQ Event.
 - [objects/intelmq_report](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json) - IntelMQ Report.
@@ -271,11 +286,12 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/macho](https://github.com/MISP/misp-objects/blob/main/objects/macho/definition.json) - Object describing a file in Mach-O format.
 - [objects/macho-section](https://github.com/MISP/misp-objects/blob/main/objects/macho-section/definition.json) - Object describing a section of a file in Mach-O format.
 - [objects/mactime-timeline-analysis](https://github.com/MISP/misp-objects/blob/main/objects/mactime-timeline-analysis/definition.json) - Mactime template, used in forensic investigations to describe the timeline of a file activity.
-- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware object to describe a malware instance. From STIX 2.1,
-- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware analysis object to capture the metadata and results of a particular static or dynamic analysis performed on a malware instance or family. From STIX 2.1
+- [objects/malware](https://github.com/MISP/misp-objects/blob/main/objects/malware/definition.json) - Malware is a type of TTP that represents malicious code.
+- [objects/malware-analysis](https://github.com/MISP/misp-objects/blob/main/objects/malware-analysis/definition.json) - Malware Analysis captures the metadata and results of a particular static or dynamic analysis performed on a malware instance or family.
 - [objects/malware-config](https://github.com/MISP/misp-objects/blob/main/objects/malware-config/definition.json) - Malware configuration recovered or extracted from a malicious binary.
 - [objects/meme-image](https://github.com/MISP/misp-objects/blob/main/objects/meme-image/definition.json) - Object describing a meme (image).
 - [objects/microblog](https://github.com/MISP/misp-objects/blob/main/objects/microblog/definition.json) - Microblog post like a Twitter tweet or a post on a Facebook wall.
+- [objects/monetary-impact](https://github.com/MISP/misp-objects/blob/main/objects/monetary-impact/definition.json) - Monetary Impact object as described in STIX 2.1 Incident object extension.
 - [objects/mutex](https://github.com/MISP/misp-objects/blob/main/objects/mutex/definition.json) - Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
 - [objects/narrative](https://github.com/MISP/misp-objects/blob/main/objects/narrative/definition.json) - Object describing a narrative.
 - [objects/netflow](https://github.com/MISP/misp-objects/blob/main/objects/netflow/definition.json) - Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
@@ -305,6 +321,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
 - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit.
 - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone.
+- [objects/physical-impact](https://github.com/MISP/misp-objects/blob/main/objects/physical-impact/definition.json) - Physical Impact object as described in STIX 2.1 Incident object extension.
 - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address.
 - [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure.
 - [objects/process](https://github.com/MISP/misp-objects/blob/main/objects/process/definition.json) - Object describing a system process.
@@ -343,6 +360,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/rtir](https://github.com/MISP/misp-objects/blob/main/objects/rtir/definition.json) - RTIR - Request Tracker for Incident Response.
 - [objects/sandbox-report](https://github.com/MISP/misp-objects/blob/main/objects/sandbox-report/definition.json) - Sandbox report.
 - [objects/sb-signature](https://github.com/MISP/misp-objects/blob/main/objects/sb-signature/definition.json) - Sandbox detection signature.
+- [objects/scan-result](https://github.com/MISP/misp-objects/blob/main/objects/scan-result/definition.json) - Scan result object to add meta-data and the output of the scan result by itself.
 - [objects/scheduled-event](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-event/definition.json) - Event object template describing a gathering of individuals in meatspace.
 - [objects/scheduled-task](https://github.com/MISP/misp-objects/blob/main/objects/scheduled-task/definition.json) - Windows scheduled task description.
 - [objects/scrippsco2-c13-daily](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-c13-daily/definition.json) - Daily average C13 concentrations (ppm) derived from flask air samples.
@@ -358,6 +376,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
 - [objects/shortened-link](https://github.com/MISP/misp-objects/blob/main/objects/shortened-link/definition.json) - Shortened link and its redirect target.
 - [objects/sigma](https://github.com/MISP/misp-objects/blob/main/objects/sigma/definition.json) - An object describing a Sigma rule (or a Sigma rule name).
+- [objects/sigmf-archive](https://github.com/MISP/misp-objects/blob/main/objects/sigmf-archive/definition.json) - An object representing an archive containing one or multiple recordings in the Signal Metadata Format Specification (SigMF).
+- [objects/sigmf-expanded-recording](https://github.com/MISP/misp-objects/blob/main/objects/sigmf-expanded-recording/definition.json) - An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF).
+- [objects/sigmf-recording](https://github.com/MISP/misp-objects/blob/main/objects/sigmf-recording/definition.json) - An object representing a single IQ/RF sample in the Signal Metadata Format Specification (SigMF).
 - [objects/social-media-group](https://github.com/MISP/misp-objects/blob/main/objects/social-media-group/definition.json) - Social media group object template describing a public or private group or channel.
 - [objects/software](https://github.com/MISP/misp-objects/blob/main/objects/software/definition.json) - The Software object represents high-level properties associated with software, including software products. STIX 2.1 - 6.14.
 - [objects/spearphishing-attachment](https://github.com/MISP/misp-objects/blob/main/objects/spearphishing-attachment/definition.json) - Spearphishing Attachment.
@@ -370,6 +391,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/submarine](https://github.com/MISP/misp-objects/blob/main/objects/submarine/definition.json) - Submarine description.
 - [objects/suricata](https://github.com/MISP/misp-objects/blob/main/objects/suricata/definition.json) - An object describing one or more Suricata rule(s) along with version and contextual information.
 - [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
+- [objects/task](https://github.com/MISP/misp-objects/blob/main/objects/task/definition.json) - Task object as described in STIX 2.1 Incident object extension.
 - [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body.
 - [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account.
 - [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot.
@@ -382,6 +404,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/timestamp](https://github.com/MISP/misp-objects/blob/main/objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. - [objects/tor-hiddenservice](https://github.com/MISP/misp-objects/blob/main/objects/tor-hiddenservice/definition.json) - Tor hidden service (onion service) object. - [objects/tor-node](https://github.com/MISP/misp-objects/blob/main/objects/tor-node/definition.json) - Tor node (which protects your privacy on the internet by hiding the connection between users Internet address and the services used by the users) description which are part of the Tor network at a time. +- [objects/traceability-impact](https://github.com/MISP/misp-objects/blob/main/objects/traceability-impact/definition.json) - Traceability Impact object as described in STIX 2.1 Incident object extension. - [objects/tracking-id](https://github.com/MISP/misp-objects/blob/main/objects/tracking-id/definition.json) - Analytics and tracking ID such as used in Google Analytics or other analytic platform. - [objects/transaction](https://github.com/MISP/misp-objects/blob/main/objects/transaction/definition.json) - An object to describe a financial transaction. - [objects/translation](https://github.com/MISP/misp-objects/blob/main/objects/translation/definition.json) - Used to keep a text and its translation. 
@@ -409,6 +432,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/weakness](https://github.com/MISP/misp-objects/blob/main/objects/weakness/definition.json) - Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment of hardware. - [objects/whois](https://github.com/MISP/misp-objects/blob/main/objects/whois/definition.json) - Whois records information for a domain name or an IP address. - [objects/windows-service](https://github.com/MISP/misp-objects/blob/main/objects/windows-service/definition.json) - Windows service and detailed about a service running a Windows operating system. +- [objects/x-header](https://github.com/MISP/misp-objects/blob/main/objects/x-header/definition.json) - X header generic object for SMTP, HTTP or any other protocols using X headers. - [objects/x509](https://github.com/MISP/misp-objects/blob/main/objects/x509/definition.json) - x509 object describing a X.509 certificate. - [objects/yabin](https://github.com/MISP/misp-objects/blob/main/objects/yabin/definition.json) - yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin. - [objects/yara](https://github.com/MISP/misp-objects/blob/main/objects/yara/definition.json) - An object describing a YARA rule (or a YARA rule name) along with its version. From c18a240153cbe9ef68e46f05565d08653c2ad103 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 22 Nov 2023 09:20:56 +0100 Subject: [PATCH 06/24] new: [shadowserver-malware-url-report] first version Transposition of the `malware_url` from Shadowserver --- .../definition.json | 97 +++++++++++++++++++ 1 file changed, 97 insertions(+) create mode 100644 objects/shadowserver-malware-url-report/definition.json 
diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json
new file mode 100644
index 0000000..cbe7d12
--- /dev/null
+++ b/objects/shadowserver-malware-url-report/definition.json
@@ -0,0 +1,97 @@ +{ + "attributes": { + "application": { + "description": "Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet. ", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "asn": { + "description": "ASN where the IP resides", + "misp-attribute": "AS", + "ui-priority": 0 + }, + "city": { + "description": "City location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geo": { + "description": "Country location of the IP", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "host": { + "description": "Any of the capabilities identified for the malware instance or family.", + "misp-attribute": "hostname", + "multiple": true, + "ui-priority": 0 + }, + "ip": { + "description": "IP of the of the URL", + "misp-attribute": "ip-src", + "multiple": true, + "ui-priority": 0 + }, + "naics": { + "description": "North American Industry Classification System Code", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "region": { + "description": "Regional location of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "sector": { + "description": "Sector of the IP in question", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "sha256": { + "description": "SHA256 of associated (potentially malicious) payload, if downloaded from the URL", + "misp-attribute": "sha256", + "ui-priority": 0 + }, + "source": { + "description": "Source of information, if public", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "tag": { + "description": "Array of tags associated with the URL if any. In this report typically it will be a CVE entry, for example CVE-2021-44228. 
This allows for better understanding of the URL context observed (ie. usage associated with a particular CVE).", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "timestamp": { + "description": "Timestamp of when the URL was seen (in the last 24 hours)", + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "url": { + "description": "URL that was extracted from an observed exploitation attempt, assumed to be carrying a malware payload", + "misp-attribute": "url", + "multiple": true, + "ui-priority": 0 + } + }, + "description": "This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/", + "meta-category": "misc", + "name": "shadowserver-malware-url-report", + "required": [ + "url" + ], + "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", + "version": 1 +} \ No newline at end of file From d7007fe4561f7a2f3d2eca281dc0992df7b861ac Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Tue, 5 Dec 2023 11:50:38 -0500 Subject: [PATCH 07/24] Added 5 sectors to the victim object --- objects/victim/definition.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index e8a897a..194f1a7 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json 
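Review bot: The `host` attribute's description, `Any of the capabilities identified for the malware instance or family.`, does not describe a hostname and looks copied from another template; it should state what the field holds, e.g. `"description": "Hostname of the URL"`. The `ip` description reads `IP of the of the URL` (duplicated "of the"), and the template description says `it's SHA256 hash` where `its` is meant. The `ip` attribute is typed `ip-src` although it is the IP hosting the URL that victims would connect to, which the `cs-beacon-config` template later on this page models as `ip-dst` for its C2 `ip`; worth confirming which direction is intended before the template is versioned. If the line break inside the `tag` description string after `CVE-2021-44228. ` is present in the file rather than a rendering artefact, the file is not valid JSON, since unescaped newlines are not allowed inside strings.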
@@ -77,12 +77,14 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ + "academic research", "aerospace", "agriculture", "automotive", "communications", "construction", "defence", + "dissident", "education", "energy", "engineering", @@ -97,14 +99,17 @@ "information and cultural industries", "infrastructure", "insurance", + "international organization", "legal", "manufacturing", "mining", "non profit", "pharmaceuticals", + "political party", "retail", "technology", "telecommunications", + "think tank", "transportation", "utilities" ], @@ -127,4 +132,4 @@ ], "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d", "version": 8 -} \ No newline at end of file +} From 5a19c4649820414b77c2ef3918b43ee64683af56 Mon Sep 17 00:00:00 2001 From: Matthieu Faou Date: Tue, 5 Dec 2023 12:25:32 -0500 Subject: [PATCH 08/24] Changed academic research to academia - university to align with the sector cluster --- objects/victim/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index 194f1a7..a4aa5b4 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json @@ -77,7 +77,7 @@ "misp-attribute": "text", "multiple": true, "sane_default": [ - "academic research", + "academia - university", "aerospace", "agriculture", "automotive", From a240e70334f4d5cf9cf206fca52714be3f1c4570 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 5 Dec 2023 20:58:22 +0100 Subject: [PATCH 09/24] fix: [victim] object updated --- objects/victim/definition.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/objects/victim/definition.json b/objects/victim/definition.json index a4aa5b4..04665be 100644 --- a/objects/victim/definition.json +++ b/objects/victim/definition.json @@ -131,5 +131,5 @@ "sectors" ], "uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d", - "version": 8 -} + "version": 9 +} \ No newline at end of file 
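Review bot: The `sane_default` additions in this commit leave `"version": 8` unchanged, and the only other change is adding a trailing newline that the rest of the templates on this page do not have (`\ No newline at end of file` is the norm here); the version bump and the newline revert each arrive in a separate later commit. Folding the bump into the commit that changes the defaults keeps each commit self-consistent and lets consumers detect the changed template from that commit alone.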
From c536f2f3180e9cb21f86250083b68923ccd9ee08 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Dec 2023 08:45:51 +0100 Subject: [PATCH 10/24] fix: [shadowserver-malware-url-report] `port` field added --- objects/shadowserver-malware-url-report/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json index cbe7d12..9b66bb3 100644 --- a/objects/shadowserver-malware-url-report/definition.json +++ b/objects/shadowserver-malware-url-report/definition.json @@ -42,6 +42,12 @@ "multiple": true, "ui-priority": 0 }, + "port": { + "description": "Port of the URL", + "misp-attribute": "port", + "multiple": true, + "ui-priority": 0 + }, "region": { "description": "Regional location of the IP in question", "disable_correlation": true, @@ -93,5 +99,5 @@ "url" ], "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", - "version": 1 + "version": 2 } \ No newline at end of file From 08db16c162c930fb49535c5fec659a432226011c Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Dec 2023 09:05:16 +0100 Subject: [PATCH 11/24] chg: [report] `title` field added to the report object template --- objects/report/definition.json | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/objects/report/definition.json b/objects/report/definition.json index 466fd92..e8e59c2 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -31,6 +31,12 @@ "multiple": true, "ui-priority": 100 }, + "title": { + "description:": "Title of the report", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 100 + }, "type": { "description": "Type of report", "disable_correlation": true, 
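Review bot: The new `title` attribute carries `"multiple": true`, which lets a single report object hold several titles; if a report has exactly one title, drop that key so the object stays unambiguous. The attribute's key is also spelled `"description:"` with a trailing colon, so the description is not under the key every other attribute in this file uses (`"description"`), and tooling reading it will see the attribute as undocumented.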
@@ -80,13 +86,14 @@ "ui-priority": 100 } }, - "description": "Metadata used to generate an executive level report", + "description": "Report object to describe a report along with its metadata.", "meta-category": "misc", "name": "report", "requiredOneOf": [ + "title", "summary", "link" ], "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df", - "version": 7 + "version": 8 } \ No newline at end of file From 047d4423116fe3367e571eec377819a20e8348a7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Dec 2023 09:32:13 +0100 Subject: [PATCH 12/24] fix: [report] typo fixed --- objects/report/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/report/definition.json b/objects/report/definition.json index e8e59c2..774dbee 100644 --- a/objects/report/definition.json +++ b/objects/report/definition.json @@ -32,7 +32,7 @@ "ui-priority": 100 }, "title": { - "description:": "Title of the report", + "description": "Title of the report", "misp-attribute": "text", "multiple": true, "ui-priority": 100 From 23e41b2262fcb947c9e0ebed38be1a69436b2e59 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Dec 2023 09:46:08 +0100 Subject: [PATCH 13/24] chg: [shadowserver-malware-url-report] severity added --- objects/shadowserver-malware-url-report/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json index 9b66bb3..d2f88d2 100644 --- a/objects/shadowserver-malware-url-report/definition.json +++ b/objects/shadowserver-malware-url-report/definition.json @@ -61,6 +61,12 @@ "multiple": true, "ui-priority": 0 }, + "severity": { + "description": "Severity of the report", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "sha256": { "description": "SHA256 of associated (potentially malicious) payload, if downloaded from the URL", "misp-attribute": "sha256", 
@@ -99,5 +105,5 @@ "url" ], "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", - "version": 2 + "version": 3 } \ No newline at end of file From f02af5072598aab3cd33d098aa76b7e99fdd0a5d Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 6 Dec 2023 09:50:54 +0100 Subject: [PATCH 14/24] chg: [shadowserver-malware-url-report] sane_default added --- objects/shadowserver-malware-url-report/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json index d2f88d2..28c8a3b 100644 --- a/objects/shadowserver-malware-url-report/definition.json +++ b/objects/shadowserver-malware-url-report/definition.json @@ -4,6 +4,12 @@ "description": "Application layer protocol where occurrence of the URL was observed. Examples: http, https, ssh, telnet. ", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "http", + "https", + "ssh", + "telnet" + ], "ui-priority": 0 }, "asn": { @@ -105,5 +111,5 @@ "url" ], "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", - "version": 3 + "version": 4 } \ No newline at end of file From 7f77dbe685a2e84493cb36c7eb2ef1aa3300842b Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 7 Dec 2023 08:50:15 +0100 Subject: [PATCH 15/24] chg: [shadowserver-malware-url-report] sane default added for severity Ref: https://github.com/The-Shadowserver-Foundation/report_schema/blob/main/severity.md --- objects/shadowserver-malware-url-report/definition.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json index 28c8a3b..e22c262 100644 --- a/objects/shadowserver-malware-url-report/definition.json +++ b/objects/shadowserver-malware-url-report/definition.json 
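Review bot: The `application` description still ends with `Examples: http, https, ssh, telnet. ` (note the trailing space inside the string), which now duplicates the new `sane_default` list; trimming it to `"description": "Application layer protocol where occurrence of the URL was observed."` removes the stray whitespace and avoids the two lists drifting apart when defaults are added later.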
@@ -71,6 +71,13 @@ "description": "Severity of the report", "disable_correlation": true, "misp-attribute": "text", + "sane_default": [ + "critical", + "high", + "medium", + "low", + "info" + ], "ui-priority": 0 }, "sha256": { @@ -111,5 +118,5 @@ "url" ], "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", - "version": 4 + "version": 5 } \ No newline at end of file From fcd2cf24450614f2a78d1a60dcbc47bfadcc72aa Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 7 Dec 2023 10:54:40 +0100 Subject: [PATCH 16/24] chg: [cs-beacon-config] updated to add details requested by ShadowServer --- objects/cs-beacon-config/definition.json | 34 +++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json index a2ebc87..bddffb6 100644 --- a/objects/cs-beacon-config/definition.json +++ b/objects/cs-beacon-config/definition.json @@ -1,5 +1,11 @@ { "attributes": { + "asn": { + "description": "Originating ASN for the CS Beacon Config", + "disable_correlation": true, + "misp-attribute": "AS", + "ui-priority": 0 + }, "c2": { "categories": [ "Network activity" @@ -9,6 +15,18 @@ "multiple": true, "ui-priority": 1 }, + "city": { + "description": "City location of the CS Beacon Config in question", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "geo": { + "description": "Country location of the CS Beacon Config", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, "ip": { "description": "IP of the C2", "misp-attribute": "ip-dst", 
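Review bot: The new `asn`, `city` and `geo` descriptions attribute the location to `the CS Beacon Config`, but a configuration has no ASN or city; from the sibling `ip` attribute (`IP of the C2`) these presumably describe where the C2 IP resides, so `"description": "ASN where the C2 IP resides"`, `"description": "City location of the C2 IP"` and `"description": "Country location of the C2 IP"` would say so — confirm against the Shadowserver request that motivated the change. The same wording appears in the `naics` and `sector` additions in the next hunk of this commit, where `sector`'s description also reads `Sector of for the CS Beacon Config in question` (stray `of`). The enclosing `attributes` object starts and ends outside this hunk.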
@@ -36,6 +54,20 @@ "misp-attribute": "md5", "ui-priority": 1 }, + "naics": { + "description": "North American Industry Classification System Code", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, + "sector": { + "description": "Sector of for the CS Beacon Config in question", + "disable_correlation": true, + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, "sha1": { "categories": [ "Payload delivery" @@ -80,5 +112,5 @@ "watermark" ], "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54", - "version": 2 + "version": 3 } \ No newline at end of file From 587b298e1e7f87426182d55d44aa045a1522dc98 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 8 Dec 2023 15:18:32 +0100 Subject: [PATCH 17/24] chg: [shadowserver-malware-url-report] resource path added to improve correlation aspects --- objects/shadowserver-malware-url-report/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/shadowserver-malware-url-report/definition.json b/objects/shadowserver-malware-url-report/definition.json index e22c262..28a1616 100644 --- a/objects/shadowserver-malware-url-report/definition.json +++ b/objects/shadowserver-malware-url-report/definition.json @@ -60,6 +60,12 @@ "misp-attribute": "text", "ui-priority": 1 }, + "resource_path": { + "description": "URL resource path extracted from the url", + "misp-attribute": "text", + "multiple": true, + "ui-priority": 0 + }, "sector": { "description": "Sector of the IP in question", "disable_correlation": true, @@ -118,5 +124,5 @@ "url" ], "uuid": "0211496c-dbcf-465b-a147-3d965da016cc", - "version": 5 + "version": 6 } \ No newline at end of file From b657128758e027fd6d42f4af47046c7df2a7cb03 Mon Sep 17 00:00:00 2001 
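Review bot: The new attribute in the `shadowserver-malware-url-report` hunk is named `resource_path` with an underscore, while every other attribute name in this template (`sha256`, `timestamp`, `url`) and in the sibling templates on this page (`source-ip`, `dst-misc`, `case-owner-org-name`) uses single words or hyphens; `resource-path` would match that convention, and renaming after objects exist would likely break them. Since the field is added `to improve correlation aspects` and is left correlating, very common paths will correlate across unrelated reports; a description that says exactly which part of the URL is meant (for instance whether the query string is included) would help producers fill it consistently.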
From: David Cruciani
Date: Thu, 14 Dec 2023 15:58:46 +0100
Subject: [PATCH 18/24] new: [object] flowintel-cm

---
 objects/flowintel-cm-case/definition.json | 77 +++++++++++++++++++++
 objects/flowintel-cm-task/definition.json | 72 +++++++++++++++++++++
 2 files changed, 149 insertions(+)
 create mode 100644 objects/flowintel-cm-case/definition.json
 create mode 100644 objects/flowintel-cm-task/definition.json

diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
new file mode 100644
index 0000000..c5a087b
--- /dev/null
+++ b/objects/flowintel-cm-case/definition.json
@@ -0,0 +1,77 @@ +{ + "attributes": { + "case-owner-org-name": { + "description": "Name of the organisation that created the case.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "case-owner-org-uuid": { + "description": "UUID of the organisation that created the case.", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "creation-date": { + "description": "Creation date of the case", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "deadline": { + "description": "Deadline of the case", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "description": { + "description": "A description of the case", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "finish-date": { + "description": "Finish date of the case", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "recurring-type": { + "description": "Recurring type", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "once", + "weekly", + "daily", + "monthly" + ], + "ui-priority": 0 + }, + "status": { + "description": "Status of the case", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "created", + "on going", + "recurring", + "unavailable", + "rejected", + "finished" + ], + "ui-priority": 0 + }, + "title": { + "description": "Title of the case", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + } + }, + "description": "A case as defined by flowintel-cm.", + "meta-category": "misc", + "name": "flowintel-cm-case", + "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e", + "version": 1 +} \ No newline at end of file diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json new file mode 100644 index 0000000..95104a0 --- /dev/null +++ b/objects/flowintel-cm-task/definition.json 
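Review bot: The template declares no `required` or `requiredOneOf` list, so a `flowintel-cm-case` object can be created with no attributes at all; `"required": ["title"]` (the only attribute given `ui-priority` 1) would match how the `shadowserver-malware-url-report` template on this page pins `url`. The same applies to the `flowintel-cm-task` template in the next hunk of this commit. The `recurring-type` defaults are listed as `once, weekly, daily, monthly`; ordering them by period (`once, daily, weekly, monthly`) is a small readability point.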
@@ -0,0 +1,72 @@ +{ + "attributes": { + "creation-date": { + "description": "Creation date of the task", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "deadline": { + "description": "Deadline of the task", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "description": { + "description": "A description of the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "file": { + "description": "File", + "disable_correlation": true, + "misp-attribute": "attachment", + "multiple": true, + "ui-priority": 0 + }, + "finish-date": { + "description": "Finish date of the task", + "disable_correlation": true, + "misp-attribute": "datetime", + "ui-priority": 0 + }, + "notes": { + "description": "Notes of the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 0 + }, + "status": { + "description": "Status of the task", + "disable_correlation": true, + "misp-attribute": "text", + "sane_default": [ + "created", + "on going", + "recurring", + "unavailable", + "rejected", + "finished" + ], + "ui-priority": 0 + }, + "title": { + "description": "Title of the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, + "url": { + "description": "An url to an external tool", + "disable_correlation": true, + "misp-attribute": "url", + "ui-priority": 0 + } + }, + "description": "A task as defined by flowintel-cm.", + "meta-category": "misc", + "name": "flowintel-cm-task", + "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d", + "version": 1 +} \ No newline at end of file From 156fa7a07e809390ea24456309986a672a5eed47 Mon Sep 17 00:00:00 2001 
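Review bot: Several descriptions in this template say nothing beyond the attribute name: `file` is described as `File`, `notes` as `Notes of the task`, and `url` as `An url to an external tool` (should read `A URL`). Presumably `file` is a file attached to the task, so `"description": "File attached to the task"` and `"description": "URL to an external tool related to the task"` would be more useful to an analyst filling the object — confirm against what flowintel-cm exports. The `status` defaults reuse the case list including `recurring`, which may be a copy from the case template if tasks themselves do not recur.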
From: David Cruciani Date: Thu, 14 Dec 2023 16:14:44 +0100 Subject: [PATCH 19/24] chg: [flowintel] typo + uuid+origin-url --- objects/flowintel-cm-case/definition.json | 14 +++++++++++++- objects/flowintel-cm-task/definition.json | 14 +++++++++++++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json index c5a087b..fc5f2b5 100644 --- a/objects/flowintel-cm-case/definition.json +++ b/objects/flowintel-cm-case/definition.json @@ -12,6 +12,12 @@ "misp-attribute": "text", "ui-priority": 0 }, + "case-uuid": { + "description": "UUID of the case", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "creation-date": { "description": "Creation date of the case", "disable_correlation": true, @@ -36,6 +42,12 @@ "misp-attribute": "datetime", "ui-priority": 0 }, + "origin-url": { + "description": "Origin of the case", + "disable_correlation": true, + "misp-attribute": "url", + "ui-priority": 1 + }, "recurring-type": { "description": "Recurring type", "disable_correlation": true, @@ -54,7 +66,7 @@ "misp-attribute": "text", "sane_default": [ "created", - "on going", + "ongoing", "recurring", "unavailable", "rejected", diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json index 95104a0..334d6cc 100644 --- a/objects/flowintel-cm-task/definition.json +++ b/objects/flowintel-cm-task/definition.json @@ -37,13 +37,19 @@ "misp-attribute": "text", "ui-priority": 0 }, + "origin-url": { + "description": "Origin of the task", + "disable_correlation": true, + "misp-attribute": "url", + "ui-priority": 1 + }, "status": { "description": "Status of the task", "disable_correlation": true, "misp-attribute": "text", "sane_default": [ "created", - "on going", + "ongoing", "recurring", "unavailable", "rejected", 
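Review bot: Both templates gain attributes (`case-uuid`, `origin-url`, `task-uuid`) and a changed `sane_default` value (`on going` → `ongoing`) while `"version": 1` is left untouched in both files; the other templates changed on this page (`victim`, `report`, `shadowserver-malware-url-report`, `cs-beacon-config`) bump `version` in the same change, which is how consumers know to refresh a template. Unless these templates are still unpublished, bump `version` here. The `case-uuid` and `task-uuid` attributes are typed `text`, which is fine, but the description should say which system's UUID is expected, e.g. `"description": "UUID of the case in flowintel-cm"`. The version point applies equally to the `to_ids` commit on these files later on this page.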
@@ -51,6 +57,12 @@ ], "ui-priority": 0 }, + "task-uuid": { + "description": "UUID of the task", + "disable_correlation": true, + "misp-attribute": "text", + "ui-priority": 1 + }, "title": { "description": "Title of the task", "disable_correlation": true, From 888e0dceda905076635ecc7d589ee3effe3c45d6 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sun, 31 Dec 2023 08:49:01 +0100 Subject: [PATCH 20/24] chg: [doc] updated --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 62fdeb2..6834bde 100644 --- a/README.md +++ b/README.md 
@@ -187,6 +187,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/fail2ban](https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json) - Fail2ban event. - [objects/favicon](https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json) - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. - [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information. +- [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm. +- [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm. - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case. - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence. - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document. 
@@ -353,7 +355,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID - [objects/regripper-system-hive-general-configuration](https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-general-configuration/definition.json) - Regripper Object template designed to present general system properties extracted from the system-hive. - [objects/regripper-system-hive-network-information](https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-network-information/definition.json) - Regripper object template designed to gather network information from the system-hive. - [objects/regripper-system-hive-services-drivers](https://github.com/MISP/misp-objects/blob/main/objects/regripper-system-hive-services-drivers/definition.json) - Regripper Object template designed to gather information regarding the services/drivers from the system-hive. -- [objects/report](https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json) - Metadata used to generate an executive level report. +- [objects/report](https://github.com/MISP/misp-objects/blob/main/objects/report/definition.json) - Report object to describe a report along with its metadata. - [objects/research-scanner](https://github.com/MISP/misp-objects/blob/main/objects/research-scanner/definition.json) - Information related to known scanning activity (e.g. from research projects). - [objects/risk-assessment-report](https://github.com/MISP/misp-objects/blob/main/objects/risk-assessment-report/definition.json) - Risk assessment report object which includes the assessment report from a risk assessment platform such as MONARC. - [objects/rogue-dns](https://github.com/MISP/misp-objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS as defined by CERT.br. 
@@ -371,6 +373,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/scrippsco2-o18-monthly](https://github.com/MISP/misp-objects/blob/main/objects/scrippsco2-o18-monthly/definition.json) - Monthly average O18 concentrations (ppm) derived from flask air samples.
 - [objects/script](https://github.com/MISP/misp-objects/blob/main/objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
 - [objects/security-playbook](https://github.com/MISP/misp-objects/blob/main/objects/security-playbook/definition.json) - The security-playbook object provides meta-information and allows managing, storing, and sharing cybersecurity playbooks and orchestration workflows.
+- [objects/shadowserver-malware-url-report](https://github.com/MISP/misp-objects/blob/main/objects/shadowserver-malware-url-report/definition.json) - This report identifies URLs that were observed in exploitation attempts in the last 24 hours. They are assumed to contain a malware payload or serve as C2 controllers. If a payload was successfully downloaded in the last 24 hours, it’s SHA256 hash will also be published. The data is primarily sourced from honeypots (in which case they will often be IoT related), but other sources are possible. As always, you only receive information on IPs found on your network/constituency or in the case of a National CSIRT, your country. Ref: https://www.shadowserver.org/what-we-do/network-reporting/malware-url-report/.
 - [objects/shell-commands](https://github.com/MISP/misp-objects/blob/main/objects/shell-commands/definition.json) - Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
 - [objects/shodan-report](https://github.com/MISP/misp-objects/blob/main/objects/shodan-report/definition.json) - Shodan Report for a given IP.
 - [objects/short-message-service](https://github.com/MISP/misp-objects/blob/main/objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.
From b407a9d046c5608997ba6f2f15e71d2ed86c9177 Mon Sep 17 00:00:00 2001
From: David Cruciani
Date: Wed, 10 Jan 2024 11:49:54 +0100
Subject: [PATCH 21/24] chg: [url] to_ids

---
 objects/flowintel-cm-case/definition.json | 1 +
 objects/flowintel-cm-task/definition.json | 6 ++++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
index fc5f2b5..899910d 100644
--- a/objects/flowintel-cm-case/definition.json
+++ b/objects/flowintel-cm-case/definition.json
@@ -45,6 +45,7 @@
 "origin-url": {
 "description": "Origin of the case",
 "disable_correlation": true,
+ "to_ids": false,
 "misp-attribute": "url",
 "ui-priority": 1
 },
diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json
index 334d6cc..6ac3660 100644
--- a/objects/flowintel-cm-task/definition.json
+++ b/objects/flowintel-cm-task/definition.json
@@ -41,7 +41,8 @@
 "description": "Origin of the task",
 "disable_correlation": true,
 "misp-attribute": "url",
- "ui-priority": 1
+ "ui-priority": 1,
+ "to_ids": false
 },
 "status": {
 "description": "Status of the task",
@@ -73,7 +74,8 @@
 "description": "An url to an external tool",
 "disable_correlation": true,
 "misp-attribute": "url",
- "ui-priority": 0
+ "ui-priority": 0,
+ "to_ids": false
 }
 },
 "description": "A task as defined by flowintel-cm.",
From 55917fe94c40245ac10bef50347342770bb3b94c Mon Sep 17 00:00:00 2001
From: David Cruciani
Date: Wed, 10 Jan 2024 11:52:10 +0100
Subject: [PATCH 22/24] chg: [version] v2

---
 objects/flowintel-cm-case/definition.json | 2 +-
 objects/flowintel-cm-task/definition.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
index 899910d..98e17a1 100644
--- a/objects/flowintel-cm-case/definition.json
+++ b/objects/flowintel-cm-case/definition.json
@@ -86,5 +86,5 @@
 "meta-category": "misc",
 "name": "flowintel-cm-case",
 "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json
index 6ac3660..bdf7d26 100644
--- a/objects/flowintel-cm-task/definition.json
+++ b/objects/flowintel-cm-task/definition.json
@@ -82,5 +82,5 @@
 "meta-category": "misc",
 "name": "flowintel-cm-task",
 "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
- "version": 1
+ "version": 2
 }
\ No newline at end of file
From 248e7a95dcd81312f92328d645ab91101e11acdf Mon Sep 17 00:00:00 2001
From: David Cruciani
Date: Wed, 10 Jan 2024 12:07:32 +0100
Subject: [PATCH 23/24] chg: [validation] jq all

---
 objects/flowintel-cm-case/definition.json | 2 +-
 objects/flowintel-cm-task/definition.json | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
index 98e17a1..d516bb2 100644
--- a/objects/flowintel-cm-case/definition.json
+++ b/objects/flowintel-cm-case/definition.json
@@ -45,8 +45,8 @@
 "origin-url": {
 "description": "Origin of the case",
 "disable_correlation": true,
- "to_ids": false,
 "misp-attribute": "url",
+ "to_ids": false,
 "ui-priority": 1
 },
 "recurring-type": {
diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json
index bdf7d26..dfbb296 100644
--- a/objects/flowintel-cm-task/definition.json
+++ b/objects/flowintel-cm-task/definition.json
@@ -41,8 +41,8 @@
 "description": "Origin of the task",
 "disable_correlation": true,
 "misp-attribute": "url",
- "ui-priority": 1,
- "to_ids": false
+ "to_ids": false,
+ "ui-priority": 1
 },
 "status": {
 "description": "Status of the task",
@@ -74,8 +74,8 @@
 "description": "An url to an external tool",
 "disable_correlation": true,
 "misp-attribute": "url",
- "ui-priority": 0,
- "to_ids": false
+ "to_ids": false,
+ "ui-priority": 0
 }
 },
 "description": "A task as defined by flowintel-cm.",
From 401c34f6f3a3e954d995877e2cb0c02406b28b7f Mon Sep 17 00:00:00 2001
From: David Cruciani
Date: Mon, 15 Jan 2024 09:11:00 +0100
Subject: [PATCH 24/24] chg: [flowintel-task] add case-uuid

---
 objects/flowintel-cm-task/definition.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/objects/flowintel-cm-task/definition.json b/objects/flowintel-cm-task/definition.json
index dfbb296..fbd9f0d 100644
--- a/objects/flowintel-cm-task/definition.json
+++ b/objects/flowintel-cm-task/definition.json
@@ -1,5 +1,11 @@
 {
 "attributes": {
+ "case-uuid": {
+ "description": "UUID of the parent case",
+ "disable_correlation": true,
+ "misp-attribute": "text",
+ "ui-priority": 2
+ },
 "creation-date": {
 "description": "Creation date of the task",
 "disable_correlation": true,
@@ -82,5 +88,5 @@
 "meta-category": "misc",
 "name": "flowintel-cm-task",
 "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
- "version": 2
+ "version": 3
 }
\ No newline at end of file
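Review bot: The new `case-uuid` attribute in the `@@ -1,5 +1,11 @@` hunk carries `"disable_correlation": true`, so two task objects sharing the same parent-case UUID, or a task and the case object holding that value, will not correlate in MISP; for an attribute whose apparent purpose is tying a task to its case, that disables the very link it was added for. If the relation is meant to be navigable, an object reference from the task to the flowintel-cm-case object expresses it natively and the attribute can stay informational; if correlation is intentionally off, the description should say so and name what the value points at, e.g. `"description": "UUID of the parent flowintel-cm case (informational, not correlated; relate the case object via an object reference)"`. The new attribute also omits `to_ids`, while the `url` attributes of this same template set `"to_ids": false` explicitly in the earlier commits of this series; adding it here keeps the template consistent. The `attributes` block continues past the end of the hunk.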