From e0040eaa7e7bb69ed8f47228f0659667616f9164 Mon Sep 17 00:00:00 2001
From: mokaddem
Date: Mon, 9 Mar 2020 16:22:59 +0100
Subject: [PATCH] new: [ls20] Added first version of ls20 report objects
---
 .../definition.json | 49 ++++++++
 objects/ls20-threat-report/definition.json | 112 ++++++++++++++++++
 2 files changed, 161 insertions(+)
 create mode 100644 objects/ls20-threat-report-feedback/definition.json
 create mode 100644 objects/ls20-threat-report/definition.json
diff --git a/objects/ls20-threat-report-feedback/definition.json b/objects/ls20-threat-report-feedback/definition.json
new file mode 100644
index 0000000..fb33578
--- /dev/null
+++ b/objects/ls20-threat-report-feedback/definition.json
@@ -0,0 +1,49 @@
+{
+ "required": [
+ "type"
+ ],
+ "attributes": {
+ "monitor": {
+ "description": "Are IOCs in the report being monitored",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "boolean"
+ },
+ "type": {
+ "description": "Interpreted type",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "ddos infrastructure",
+ "false positive",
+ "brute-force",
+ "phishing",
+ "malware url",
+ "defacement",
+ "c&c",
+ "malware configuration",
+ "backdoor",
+ "attack",
+ "mitm",
+ "need more information",
+ "artifact",
+ "exploit url",
+ "hijack",
+ "dropzone",
+ "scanner"
+ ]
+ },
+ "comment": {
+ "description": "Additional comments",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ }
+ },
+ "version": 1,
+ "description": "LS20 Object meant for yellow teams to provide feedback on threat-reports to blue teams",
+ "meta-category": "locked-shield",
+ "uuid": "271475d3-e9d6-4055-8c47-217588355406",
+ "name": "ls20-threat-report-feedback"
+}
diff --git a/objects/ls20-threat-report/definition.json b/objects/ls20-threat-report/definition.json
new file mode 100644
index 0000000..8d4c3e3
--- /dev/null
+++ b/objects/ls20-threat-report/definition.json
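Review bot: `type` is the only required attribute of the feedback object, yet its values are only suggested through `sane_default`, so free-text variants of one category (a constructed example: "c&c" next to "C2") reach the object unchecked and fragment whatever aggregation the blue-team side does on feedback type. If the list is meant to be closed, MISP object templates express that with `"values_list": [ ... ]` in place of `sane_default`; if free text is intended, the description should say so, e.g. `"description": "Interpreted type (free text; prefer a value from the suggested list)"`. The `monitor` boolean also carries no definition of what "being monitored" means in the LS20 workflow, which the team consuming the feedback would want spelled out in its `description`.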
@@ -0,0 +1,112 @@
+{
+ "required": [
+ "description",
+ "zone"
+ ],
+ "attributes": {
+ "description": {
+ "description": "A description of the threat",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "zone": {
+ "description": "The zone the threat is impacting",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "capability": {
+ "description": "The capability affected",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "sane_default": [
+ "military port",
+ "shipping",
+ "water purification",
+ "power distribution",
+ "power generation",
+ "noc",
+ "military hq office"
+ ]
+ },
+ "phase": {
+ "description": "The phase",
+ "disable_correlation": true,
+ "ui-priority": 0,
+ "misp-attribute": "counter",
+ "multiple": true
+ },
+ "ip": {
+ "description": "IP Address",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "ip-src",
+ "multiple": true
+ },
+ "url": {
+ "description": "URL",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "url",
+ "multiple": true
+ },
+ "domain": {
+ "description": "Domain name",
+ "categories": [
+ "Network activity",
+ "External analysis"
+ ],
+ "ui-priority": 1,
+ "misp-attribute": "domain",
+ "multiple": true
+ },
+ "registry-key": {
+ "description": "Registry key",
+ "categories": [
+ "Persistence mechanism"
+ ],
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
+ },
+ "path": {
+ "description": "Path of the filename",
+ "disable_correlation": true,
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "md5": {
+ "description": "MD5 hash (128 bits)",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "md5"
+ },
+ "sha1": {
+ "description": "Secure Hash Algorithm 1 (160 bits)",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "sha1"
+ },
+ "sha256": {
+ "description": "Secure Hash Algorithm 2 (256 bits)",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "sha256"
+ }
+ },
+ "version": 1,
+ "description": "LS20 Object to inform the command center analysts about the adversary infrastructure and how it is being used to attack you",
+ "meta-category": "locked-shield",
+ "uuid": "359d4790-dd73-4d8c-bfb4-9e4039c8bf8c",
+ "name": "ls20-threat-report"
+}