From 9918cc393dfcdc56fcef7405f0c916e1bba78adc Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Fri, 13 Jul 2018 17:07:35 +0200 Subject: [PATCH 01/17] chg: [coin-address] ETN symbol added --- objects/coin-address/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/coin-address/definition.json b/objects/coin-address/definition.json index 343f337..51876e7 100644 --- a/objects/coin-address/definition.json +++ b/objects/coin-address/definition.json @@ -44,7 +44,8 @@ "HSR", "STRAT", "WAVES", - "PPT" + "PPT", + "ETN" ] }, "last-seen": { @@ -67,7 +68,7 @@ "recommended": false } }, - "version": 3, + "version": 4, "description": "An address used in a cryptocurrency", "meta-category": "financial", "uuid": "d0e6997e-78da-4815-a6a1-cfc1c1cb8a46", From 0244bce6ef96c333e6e34bd0c1d3bf4e0920b7b2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rapha=C3=ABl=20Vinot?= Date: Mon, 16 Jul 2018 13:48:56 +0200 Subject: [PATCH 02/17] new: threatgrid-report object template --- objects/threatgrid-report/definition.json | 79 +++++++++++++++++++++++ 1 file changed, 79 insertions(+) create mode 100644 objects/threatgrid-report/definition.json diff --git a/objects/threatgrid-report/definition.json b/objects/threatgrid-report/definition.json new file mode 100644 index 0000000..e98da6b --- /dev/null +++ b/objects/threatgrid-report/definition.json 
@@ -0,0 +1,79 @@ +{ + "required": [ + "threat_score" + ], + "attributes": { + "threat_score": { + "description": "threat_score", + "disable_correlation": true, + "categories": [ + "External analysis" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "heuristic_raw_score": { + "description": "heuristic_raw_score", + "disable_correlation": true, + "categories": [ + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "text" + }, + "heuristic_score": { + "description": "heuristic_score", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "analysis_submitted_at": { + "description": "Submission date", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "original_filename": { + "description": "Original filename", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "permalink": { + "description": "permalink", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "id": { + "description": "ThreatGrid ID", + "categories": [ + "Other" + ], + "ui-priority": 0, + "misp-attribute": "text" + }, + "iocs": { + "description": "iocs", + "categories": [ + "Other" + ], + "ui-priority": 0, + "multiple": true, + "misp-attribute": "text" + } + }, + "version": 6, + "description": "ThreatGrid report", + "meta-category": "misc", + "uuid": "23b3576b-2e68-4a86-a103-68820daef1d5", + "name": "threatgrid-report" +} From 319c2a3e9667544d3861496495ea1d9cf9ea15ed Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Tue, 17 Jul 2018 08:29:14 +0200 Subject: [PATCH 03/17] chg: [threadgrid-report] added in the list of objects --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7e5424b..afb1b89 100644 --- a/README.md +++ b/README.md 
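Review bot: Several attribute descriptions in the new template just repeat the key (`"description": "threat_score"`, `"heuristic_raw_score"`, `"permalink"`, `"iocs"`), so the generated documentation will say nothing about what each value is or what range it takes. `heuristic_score` is the only score that leaves correlation enabled, whereas `threat_score` and `heuristic_raw_score` set `"disable_correlation": true`; a small numeric score correlating across unrelated events is noise, so the flag presumably belongs on it too. `analysis_submitted_at` and `permalink` are typed `text` while the other templates in this series use `datetime` for dates and `link` for references (`sent-date`, `references`), so `"misp-attribute": "datetime"` and `"misp-attribute": "link"` would keep the types consistent. The snake_case attribute names also differ from the kebab-case used by the other objects in this series (`last-seen`, `sent-date`, `case-number`).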
@@ -118,6 +118,7 @@ for a specific attribute. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. * [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. * [objects/tor-node](objects/tor-node/definition.json) - Tor node description which are part of the Tor network at a time. From 6bfa2797011a8d9888dc871c076a672619986a44 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 18 Jul 2018 09:52:31 +0200 Subject: [PATCH 04/17] new: [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added --- README.md | 1 + objects/short-message-service/definition.json | 47 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 objects/short-message-service/definition.json diff --git a/README.md b/README.md index afb1b89..963e2f3 100644 --- a/README.md +++ b/README.md 
@@ -113,6 +113,7 @@ for a specific attribute. * [objects/sandbox-report](objects/sandbox-report/definition.json) - Sandbox report object. * [objects/sb-signature](objects/sb-signature/definition.json) - Sandbox detection signature object. * [objects/script](objects/script/definition.json) - Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts. +* [objects/short-message-service](objects/short-message-service/definition.json) - Short Message Service (SMS) object template describing one or more SMS message(s). * [objects/shortened-link](objects/shortened-link/definition.json) - Shortened link and its redirect target. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json new file mode 100644 index 0000000..6ad1a92 --- /dev/null +++ b/objects/short-message-service/definition.json 
@@ -0,0 +1,47 @@ +{ + "requiredOneOf": [ + "body", + "from" + ], + "attributes": { + "body": { + "description": "Message body of the SMS", + "ui-priority": 1, + "misp-attribute": "text" + }, + "url-rfc5724": { + "description": "url representing SMS using RFC 5724 (not url contained in the SMS which should use an url object)", + "ui-priority": 6, + "misp-attribute": "url" + }, + "from": { + "description": "Phone number used to send the SMS", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "to": { + "description": "Phone number receiving the SMS", + "ui-priority": 1, + "misp-attribute": "phone-number", + "multiple": true + }, + "sent-date": { + "description": "Initial sent date of the SMS", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + }, + "received-date": { + "description": "Received date of the SMS", + "ui-priority": 0, + "misp-attribute": "datetime", + "disable_correlation": true + } + }, + "version": 1, + "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.", + "meta-category": "misc", + "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2", + "name": "short-message-service" +} From 5af0d31c49092e67354b92a18432bc9dffe1b6f1 Mon Sep 17 00:00:00 2001 From: Andras Iklody Date: Fri, 20 Jul 2018 07:03:22 +0200 Subject: [PATCH 05/17] Allow multiple "pattern-in-file" in file object, fixes #109 --- objects/file/definition.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 4c65a73..5c268db 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -98,7 +98,8 @@ "External analysis" ], "ui-priority": 1, - "misp-attribute": "pattern-in-file" + "misp-attribute": "pattern-in-file", + "multiple": true }, "text": { "description": "Free text value to attach to the file", 
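Review bot: The object description reads `one or more SMS message`; the README entry added by the same commit already says `message(s)`, so `one or more SMS messages` would keep the two in step. `from` is flagged `"multiple": true`, which only makes sense for the multi-message case the description allows; if the object is also meant for a single message, a sentence in the `from` description saying why several senders are accepted would help producers. `url-rfc5724` carries `"ui-priority": 6` while every other attribute uses 0 or 1; if that is intended to push it to the bottom of the form it is fine, otherwise it looks like a typo.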
@@ -164,7 +165,7 @@
 ]
 }
 },
- "version": 11,
+ "version": 12,
 "description": "File object describing a file with meta-information",
 "meta-category": "file",
 "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
From 9a72b539235f24577a7a597ff76ceeabd543fafc Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Fri, 20 Jul 2018 10:12:09 +0200
Subject: [PATCH 06/17] chg: allow multiple domains too fix #108
---
 objects/domain-ip/definition.json | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/objects/domain-ip/definition.json b/objects/domain-ip/definition.json
index 7cd4d8a..8e56f07 100644
--- a/objects/domain-ip/definition.json
+++ b/objects/domain-ip/definition.json
@@ -30,7 +30,8 @@
 "External analysis"
 ],
 "ui-priority": 1,
- "misp-attribute": "domain"
+ "misp-attribute": "domain",
+ "multiple": true
 },
 "ip": {
 "description": "IP Address",
@@ -43,7 +44,7 @@
 "multiple": true
 }
 },
- "version": 5,
+ "version": 6,
 "description": "A domain and IP address seen as a tuple in a specific time frame.",
 "meta-category": "network",
 "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
From aae03a3db2ef70790a4ee369bb380c69dcc53083 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 22 Jul 2018 08:04:26 +0200
Subject: [PATCH 07/17] chg: [misp-objects] multiple flag is now visible in asciidoctor output
---
 tools/adoc_objects.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/tools/adoc_objects.py b/tools/adoc_objects.py
index de43cd2..c75e282 100755
--- a/tools/adoc_objects.py
+++ b/tools/adoc_objects.py
@@ -3,7 +3,7 @@
 #
 #
 # A simple converter of MISP objects to asciidoctor format
-# Copyright (C) 2017 Alexandre Dulaunoy
+# Copyright (C) 2017-2018 Alexandre Dulaunoy
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as
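Review bot: With `domain` now `"multiple": true` next to the already-multiple `ip`, an instance carrying several domains and several addresses no longer records which domain resolved to which address, yet the object description on the context line below still says `A domain and IP address seen as a tuple in a specific time frame.` Either that description should say the pairing is not preserved when several of each are given, or the intended shapes (one domain with many IPs, or one IP with many domains) should be stated in the `domain` and `ip` descriptions, so that nobody reads the full cross-product as observed resolutions.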
@@ -84,14 +84,18 @@ def asciidoc(content=False, adoc=None, t='title',title=''): #output = '\n{}\n'.format #output = '[cols=\",a\"]\n' output = output + '|===\n' - output = output + '|Object attribute | MISP attribute type | Description | Disable correlation\n' + output = output + '|Object attribute | MISP attribute type | Description | Disable correlation | Multiple\n' adoc = adoc + output for v in content['attributes']: disableCorrelation = 'icon:minus[] ' description = 'icon:minus[] ' + multiple = 'icon:minus[] ' if 'disable_correlation' in content['attributes'][v]: if content['attributes'][v]['disable_correlation']: disableCorrelation = 'icon:check[] ' + if 'multiple' in content['attributes'][v]: + if content['attributes'][v]['multiple']: + multiple = 'icon:check[] ' if 'description' in content['attributes'][v]: if content['attributes'][v]['description']: description = '{}'.format(content['attributes'][v]['description']) @@ -101,7 +105,7 @@ def asciidoc(content=False, adoc=None, t='title',title=''): if 'sane_default' in content['attributes'][v]: values = content['attributes'][v]['sane_default'] description = '{} {}'.format(content['attributes'][v]['description'],values) - output = '\n| {} | {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation) + output = '\n| {} | {} a| {} a| {} a| {}\n'.format(v, content['attributes'][v]['misp-attribute'], description ,disableCorrelation, multiple) adoc = adoc + output output = '\n|===\n' adoc = adoc + output From 3aa3247b09f76e235fa4b94e216d5c879285c9d1 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Thu, 26 Jul 2018 14:06:39 +0200 Subject: [PATCH 08/17] chg: [paste object] add a link attribute when the paste reference is not malicious --- objects/paste/definition.json | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/objects/paste/definition.json b/objects/paste/definition.json index a7c31b0..09c5adf 100644 
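Review bot: The new `multiple` check copies the existing `disable_correlation` one as two nested `if`s over repeated `content['attributes'][v]` lookups; `if content['attributes'][v].get('multiple'):` followed by `multiple = 'icon:check[] '` does the same in two lines, and binding `attr = content['attributes'][v]` once at the top of the loop would shorten every lookup in the body. This matches the surrounding style, so it is only a style point. The enclosing function `asciidoc` starts before the hunk and continues after it.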
--- a/objects/paste/definition.json
+++ b/objects/paste/definition.json
@@ -19,7 +19,9 @@
 "codepad.org",
 "safebin.net",
 "hastebin.com",
- "ghostbin.com"
+ "ghostbin.com",
+ "paste.ee",
+ "0bin.net"
 ],
 "description": "Original source of the paste or post.",
 "ui-priority": 0,
@@ -39,7 +41,12 @@
 "url": {
 "misp-attribute": "url",
 "ui-priority": 0,
- "description": "Link to the original source of the paste or post."
+ "description": "Link to the original source of the paste or post (when used maliciously)."
+ },
+ "link": {
+ "misp-attribute": "link,",
+ "ui-priority": 0,
+ "description": "Link to the original source of the source or post (when used legitimately for OSINT source or alike)."
 },
 "last-seen": {
 "description": "When the paste has been accessible or seen for the last time.",
@@ -54,7 +61,7 @@
 "misp-attribute": "datetime"
 }
 },
- "version": 3,
+ "version": 4,
 "description": "Paste or similar post from a website allowing to share privately or publicly posts.",
 "meta-category": "misc",
 "uuid": "cedc055c-78aa-49a4-bfd7-4cc30cecef12",
From c1f5e7342bd7cc4257226f27c7191be6c23eb7c9 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 26 Jul 2018 15:49:44 +0200
Subject: [PATCH 09/17] url is not a field of email object, then not one of the requiredOneOf
---
 objects/email/definition.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/objects/email/definition.json b/objects/email/definition.json
index 84c1465..a5099a6 100644
--- a/objects/email/definition.json
+++ b/objects/email/definition.json
@@ -3,7 +3,7 @@
 "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
 "meta-category": "network",
 "description": "Email object describing an email with meta-information",
- "version": 11,
+ "version": 12,
 "attributes": {
 "reply-to": {
 "description": "Email address the reply will be sent to",
@@ -179,7 +179,6 @@
 "message-id",
 "reply-to",
 "send-date",
- "url",
 "mime-boundary",
 "thread-index",
 "header",
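Review bot: The new `link` attribute declares `"misp-attribute": "link,"` — the comma sits inside the string, so the declared type is `link,` rather than `link` and will not match any MISP attribute type when the template is loaded; it should be `"misp-attribute": "link",`. Its description also reads `source of the source or post`, presumably `source of the paste or post` like the `url` attribute above it. The malicious-versus-legitimate split between `url` and `link` lives only in the two attribute descriptions; a sentence in the object description saying which to pick would keep producers from recording the same paste under both types.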
From 4e23159cb0c7c46e84b5ff2ac0e59a377112ff03 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:15:47 +0200 Subject: [PATCH 10/17] fix RequiredOneOf list in fle object --- objects/file/definition.json | 2 -- 1 file changed, 2 deletions(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 5c268db..972cf1a 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -4,8 +4,6 @@ "size-in-bytes", "authentihash", "ssdeep", - "imphash", - "pehash", "md5", "sha1", "sha224", From 60010ce556e580201e6302fd32188f7a170fa1e9 Mon Sep 17 00:00:00 2001 From: Deborah Servili Date: Fri, 27 Jul 2018 15:19:15 +0200 Subject: [PATCH 11/17] fix file object version --- objects/file/definition.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/objects/file/definition.json b/objects/file/definition.json index 972cf1a..49bbc28 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -163,7 +163,7 @@ ] } }, - "version": 12, + "version": 13, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", From 0b164141af255dd8b8e0c71c9a73b0a0dae2b6d7 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Sat, 4 Aug 2018 15:39:38 +0200 Subject: [PATCH 12/17] chg: [vehicle] Vehicle object template to describe a vehicle information and registration --- README.md | 3 +- objects/vehicle/definition.json | 52 +++++++++++++++++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 objects/vehicle/definition.json diff --git a/README.md b/README.md index 963e2f3..dd87bb5 100644 --- a/README.md +++ b/README.md 
@@ -118,7 +118,7 @@ for a specific attribute. * [objects/ss7-attack](objects/ss7-attack/definition.json) - SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging. * [objects/stix2-pattern](objects/stix2-pattern/definition.json) - An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern. * [objects/suricata](objects/suricata/definition.json) - Suricata rule with context. -* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system. +* [objects/target-system](objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromised internal system. * [objects/threatgrid-report](objects/threatgrid-report/definition.json) - A threatgrid report object. * [objects/timecode](objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence. * [objects/timestamp](objects/timestamp/definition.json) - A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship. 
@@ -127,6 +127,7 @@ for a specific attribute. * [objects/virustotal-report](objects/virustotal-report/definition.json) - VirusTotal report. * [objects/vulnerability](objects/vulnerability/definition.json) - Vulnerability object to describe software or hardware vulnerability as described in a CVE. * [objects/url](objects/url/definition.json) - url object describes an url along with its normalized field (e.g. using faup parsing library) and its metadata. +* [objects/vehicle](objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration. * [objects/victim](objects/victim/definition.json) - a victim object to describe the organisation being targeted or abused. * [objects/whois](objects/whois/definition.json) - Whois records information for a domain name. * [objects/x509](objects/x509/definition.json) - x509 object describing a X.509 certificate. diff --git a/objects/vehicle/definition.json b/objects/vehicle/definition.json new file mode 100644 index 0000000..cc302f0 --- /dev/null +++ b/objects/vehicle/definition.json 
@@ -0,0 +1,52 @@ +{ + "requiredOneOf": [ + "description", + "year", + "make", + "model", + "license-plate-number", + "vin" + ], + "attributes": { + "description": { + "description": "Description of the vehicle", + "ui-priority": 1, + "misp-attribute": "text", + "disable_correlation": true + }, + "year": { + "description": "Year of manufacturing of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "make": { + "description": "Manufacturer of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "model": { + "description": "Model of the vehicle", + "ui-priority": 0, + "misp-attribute": "text", + "disable_correlation": true + }, + "vin": { + "description": "Vehicle identification number (VIN)", + "ui-priority": 0, + "misp-attribute": "text" + }, + "license-plate-number": { + "description": "License plate number", + "ui-priority": 0, + "misp-attribute": "text", + "multiple": true + } + }, + "version": 1, + "description": "Vehicle object template to describe a vehicle information and registration", + "meta-category": "misc", + "uuid": "683c076c-f695-4ff2-8efa-e98a418049f4", + "name": "vehicle" +} From 487ff53afee98ffc3360424312bc7c82588de879 Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:26:10 +0200 Subject: [PATCH 13/17] fix: [geolocation] to include accuracy-radius as described by maxmind geoip2 API --- objects/geolocation/definition.json | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index 9a129c3..b2c0393 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json 
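Review bot: The object description `Vehicle object template to describe a vehicle information and registration` has a stray article; `to describe vehicle information and registration` reads correctly, and the README entry added by this commit uses the same wording. `year` is typed `text`, so consumers get no numeric validation; that matches the other templates in this series, but extending the description to state the expected form (for example a four-digit year) would at least tell producers what to enter. `vin` and `license-plate-number` are the two attributes left correlatable, which looks intentional since they are the identifying fields.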
@@ -63,6 +63,12 @@ "misp-attribute": "text", "ui-priority": 1 }, + "accuracy-radius": { + "description": "The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)", + "misp-attribute": "float", + "ui-priority": 1, + "disable_correlation": true + }, "country": { "description": "Country.", "misp-attribute": "text", @@ -84,7 +90,7 @@ ] } }, - "version": 3, + "version": 4, "description": "An object to describe a geographic location.", "meta-category": "misc", "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3", From ab58f01666ba7c2325ab7092db3d5e4aaee8e0ba Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Wed, 15 Aug 2018 18:34:35 +0200 Subject: [PATCH 14/17] chg: [geolocation] disable correlation on specific attributes --- objects/geolocation/definition.json | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/objects/geolocation/definition.json b/objects/geolocation/definition.json index b2c0393..1189994 100644 --- a/objects/geolocation/definition.json +++ b/objects/geolocation/definition.json @@ -41,7 +41,8 @@ "altitude": { "description": "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.", "ui-priority": 0, - "misp-attribute": "float" + "misp-attribute": "float", + "disable_correlation": true }, "address": { "description": "Address.", @@ -77,7 +78,8 @@ "epsg": { "description": "EPSG Geodetic Parameter value. This is an integer value of the EPSG.", "misp-attribute": "text", - "ui-priority": 70 + "ui-priority": 70, + "disable_correlation": true }, "spacial-reference": { "description": "Default spacial or projection refence for this object.", 
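Review bot: `accuracy-radius` carries its unit only in the middle of a long description; since the attribute is new in this commit, naming it `accuracy-radius-km`, or at least opening the description with `Accuracy radius in kilometers ...`, would stop readers pairing a bare float with metres. Also visible on the context lines of both hunks: the object `uuid` `fdd30d5f-6752-45ed-bef2-25e8ce4d8a3` has eleven hex digits in its last group instead of twelve, so it is not a well-formed UUID and consumers that validate the field may reject the template; this predates the commit but is worth fixing alongside the version bump.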
@@ -90,7 +92,7 @@
 ]
 }
 },
- "version": 4,
+ "version": 5,
 "description": "An object to describe a geographic location.",
 "meta-category": "misc",
 "uuid": "fdd30d5f-6752-45ed-bef2-25e8ce4d8a3",
From a2384e90324958d7c5b37dbd531eea01c644404a Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 21 Aug 2018 10:22:42 +0200
Subject: [PATCH 15/17] added "signed-by" relationship fix #87
---
 relationships/definition.json | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/relationships/definition.json b/relationships/definition.json
index e67c836..0010098 100644
--- a/relationships/definition.json
+++ b/relationships/definition.json
@@ -1,5 +1,5 @@
 {
- "version": 12,
+ "version": 13,
 "values": [
 {
 "name": "derived-from",
@@ -615,6 +615,13 @@
 "format": [
 "misp"
 ]
+ },
+ {
+ "name": "signed-by",
+ "description": "This relationship describes an object signed by another object.",
+ "format": [
+ "misp"
+ ]
 }
 ],
 "description": "Default type of relationships in MISP objects.",
From e90b1ce4575c122d410f143d5205771614004d9f Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 28 Aug 2018 14:30:29 +0200
Subject: [PATCH 16/17] chg: [ja3] categories removed (default attributes categories will be used) Fix MISP/MISP/issues/3593
---
 objects/ja3/definition.json | 22 +++------------------
 1 file changed, 3 insertions(+), 19 deletions(-)
diff --git a/objects/ja3/definition.json b/objects/ja3/definition.json
index fb60f1c..6dcee9f 100644
--- a/objects/ja3/definition.json
+++ b/objects/ja3/definition.json
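Review bot: The `signed-by` description `This relationship describes an object signed by another object.` leaves the direction implicit, and a relationship added in the wrong direction is hard to spot later. Stating which side is the signer, e.g. `The source object (such as a file) is signed by the target object (such as an x509 certificate).`, would make the expected orientation unambiguous for producers; both the file and x509 objects are listed in the README on this page, so the example stays within the existing templates.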
@@ -2,43 +2,27 @@ "name": "ja3", "meta-category": "network", "description": "JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3", - "version": 2, + "version": 3, "uuid": "09b45449-5d6e-492c-a68a-cb2e188cbfac", "attributes": { "ja3-fingerprint-md5": { "description": "Hash identifying source", "misp-attribute": "md5", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "description": { "description": "Type of detected software ie software, malware", "misp-attribute": "text", - "ui-priority": 1, - "categories": [ - "Network activity", - "External analysis" - ] + "ui-priority": 1 }, "ip-src": { "description": "Source IP Address", "misp-attribute": "ip-src", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "ip-dst": { "description": "Destination IP address", "misp-attribute": "ip-dst", - "categories": [ - "Network activity", - "External analysis" - ], "ui-priority": 1 }, "first-seen": { From 0c98a925f3db3184a9f44fdce7adcb3d3150806e Mon Sep 17 00:00:00 2001 From: Alexandre Dulaunoy Date: Mon, 3 Sep 2018 13:54:59 +0200 Subject: [PATCH 17/17] chg: [forensic-case] object added based on the original one from @Aks6193 The idea is to separate the evidences from the case itself as you can have multiple acquisitions for a specific case. Another object template is required such as [forensic-evidence] to be able to link between the forensic-case object and one or more evidences. --- objects/forensic-case/definition.json | 47 +++++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 objects/forensic-case/definition.json 
diff --git a/objects/forensic-case/definition.json b/objects/forensic-case/definition.json
new file mode 100644
index 0000000..a15b7c2
--- /dev/null
+++ b/objects/forensic-case/definition.json
@@ -0,0 +1,47 @@
+{
+ "requiredOneOf": [
+ "case-number"
+ ],
+ "attributes": {
+ "case-number": {
+ "description": "Any unique number assigned to the case for unique identification.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "case-name": {
+ "description": "Name to address the case.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "name-of-the-analyst": {
+ "description": "Name(s) of the analyst assigned to the case.",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ },
+ "references": {
+ "description": "External references",
+ "multiple": true,
+ "ui-priority": 0,
+ "misp-attribute": "link"
+ },
+ "analysis-start-date": {
+ "description": "Date when the analysis began.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "additional-comments": {
+ "description": "Comments.",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "An object template to describe a digital forensic case.",
+ "meta-category": "misc",
+ "uuid": "3ea36022-ae93-455e-88b1-d43aca789cac",
+ "name": "forensic-case"
+}
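Review bot: `case-number` and `case-name` are the only correlatable attributes in the new template, and both are free-text values chosen per organisation, so short or sequential case numbers (constructed examples: `"1"`, `"2018-001"`) will correlate across unrelated organisations' events as soon as the template is used on a shared instance. Unless cross-organisation matching of case numbers is the goal, `"disable_correlation": true` on both, as already done for `name-of-the-analyst`, avoids those spurious links; if correlation is kept on purpose, the `case-number` description should say the value must be globally unique rather than `Any unique number`. `references` uses `"misp-attribute": "link"`, which is the appropriate type for external, non-malicious URLs and matches the `link` attribute introduced for the paste object earlier in this series.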