new: [ls20] Added first version of ls20 report objects

ls20-reports
mokaddem 2020-03-09 16:22:59 +01:00
parent b457df2a36
commit e0040eaa7e
2 changed files with 161 additions and 0 deletions

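--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,49 @@
+{
+"required": [
+"type"
+],
+"attributes": {
+"monitor": {
+"description": "Are IOCs in the report being monitored",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "boolean"
+},
+"type": {
+"description": "Interpreted type",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"ddos infrastructure",
+"false positive",
+"brute-force",
+"phishing",
+"malware url",
+"defacement",
+"c&c",
+"malware configuration",
+"backdoor",
+"attack",
+"mitm",
+"need more information",
+"artifact",
+"exploit url",
+"hijack",
+"dropzone",
+"scanner"
+]
+},
+"comment": {
+"description": "Additional comments",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+}
+},
+"version": 1,
+"description": "LS20 Object meant for yellow teams to provide feedback on threat-reports to blue teams",
+"meta-category": "locked-shield",
+"uuid": "271475d3-e9d6-4055-8c47-217588355406",
+"name": "ls20-threat-report-feedback"
+}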
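Review bot: The `type` attribute's description `"Interpreted type"` does not say what is being interpreted or by whom, and since `type` is the only required attribute the object is hard to read without outside context; a description such as `"Yellow-team interpretation of what the reported activity is (see sane_default for the expected values)"` would make it self-describing. The object also carries nothing that ties the feedback to the report it answers — presumably the link is made through a MISP object reference to an `ls20-threat-report` object, which the top-level `description` could state explicitly so producers know the reference is expected. The `sane_default` vocabulary mixes styles (`"c&c"`, `"malware url"`, `"need more information"`); if it is meant as a closed list, a consistent casing and separator convention would make downstream filtering on it less error-prone.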

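--- /dev/null
+++ b/<path not shown on page>
@@ -0,0 +1,112 @@
+{
+"required": [
+"description",
+"zone"
+],
+"attributes": {
+"description": {
+"description": "A description of the threat",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"zone": {
+"description": "The zone the threat is impacting",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text",
+"multiple": true
+},
+"capability": {
+"description": "The capability affected",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "text",
+"sane_default": [
+"military port",
+"shipping",
+"water purification",
+"power distribution",
+"power generation",
+"noc",
+"military hq office"
+]
+},
+"phase": {
+"description": "The phase",
+"disable_correlation": true,
+"ui-priority": 0,
+"misp-attribute": "counter",
+"multiple": true
+},
+"ip": {
+"description": "IP Address",
+"categories": [
+"Network activity",
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "ip-src",
+"multiple": true
+},
+"url": {
+"description": "URL",
+"categories": [
+"Network activity",
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "url",
+"multiple": true
+},
+"domain": {
+"description": "Domain name",
+"categories": [
+"Network activity",
+"External analysis"
+],
+"ui-priority": 1,
+"misp-attribute": "domain",
+"multiple": true
+},
+"registry-key": {
+"description": "Registry key",
+"categories": [
+"Persistence mechanism"
+],
+"ui-priority": 0,
+"multiple": true,
+"misp-attribute": "text"
+},
+"path": {
+"description": "Path of the filename",
+"disable_correlation": true,
+"multiple": true,
+"ui-priority": 0,
+"misp-attribute": "text"
+},
+"md5": {
+"description": "MD5 hash (128 bits)",
+"ui-priority": 1,
+"multiple": true,
+"misp-attribute": "md5"
+},
+"sha1": {
+"description": "Secure Hash Algorithm 1 (160 bits)",
+"ui-priority": 1,
+"multiple": true,
+"misp-attribute": "sha1"
+},
+"sha256": {
+"description": "Secure Hash Algorithm 2 (256 bits)",
+"ui-priority": 1,
+"multiple": true,
+"misp-attribute": "sha256"
+}
+},
+"version": 1,
+"description": "LS20 Object to inform the command center analysts about the adversary infrastructure and how it is being used to attack you",
+"meta-category": "locked-shield",
+"uuid": "359d4790-dd73-4d8c-bfb4-9e4039c8bf8c",
+"name": "ls20-threat-report"
+}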
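Review bot: The `registry-key` attribute is typed `"misp-attribute": "text"` and, unlike the other text attributes in this object, does not set `disable_correlation`, so registry paths will correlate as free text and lose the structure MISP's dedicated `regkey` type gives them; `"misp-attribute": "regkey"` would be the better fit, and by the same reasoning `path` could use `filename` rather than `text`. The `ip` attribute is declared `ip-src` while the object's description covers adversary infrastructure "and how it is being used to attack you", which presumably includes hosts the victim connects out to (the feedback object's vocabulary lists `c&c` and `dropzone`) — those would be `ip-dst`, so either the intended direction should be stated in the attribute description or both types offered. `phase`'s description `"The phase"` only restates the key; one sentence on which scale is meant (an exercise phase number, given the `counter` type) would help analysts fill it in consistently.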