Merge remote-tracking branch 'upstream/master'

pull/193/head
kx1499 2019-03-14 21:42:12 -04:00
commit e61344c981
14 changed files with 1004 additions and 57 deletions


@ -62,7 +62,7 @@ allowing advanced users to show all the attributes depending of their configurat
shall be set to true if multiple elements of the same key can be used in the object. An optional **values_list**
where this list of value can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend
potential a sane default for an attribute. An optional **disable_correlation** boolean field to suggest the disabling of correlation
for a specific attribute.
for a specific attribute. An optional **to_ids** boolean field to disable the IDS flag of an attribute.
## Existing MISP objects
@ -96,6 +96,7 @@ for a specific attribute.
* [objects/geolocation](objects/geolocation/definition.json) - A geolocation object to describe a location.
* [objects/gtp-attack](objects/gtp-attack/definition.json) - GTP attack object as seen on a GSM, UMTS or LTE network.
* [objects/http-request](objects/http-request/definition.json) - A single HTTP request header object.
* [objects/interpol-notice](objects/interpol-notice/definition.json) - Object used to represent an Interpol notice
* [objects/ip-api-address](objects/ip-api-address/definition.json) - Object describing IP Address information, as defined in [ip-api.com](http://ip-api.com).
* [objects/ip-port](objects/ip-port/definition.json) - An IP address and a port seen as a tuple (or as a triple) in a specific time frame.
* [objects/ja3](objects/ja3/definition.json) - A ja3 object which describes an SSL client fingerprint in an easy to produce and shareable way.


@ -1,5 +1,17 @@
#!/bin/bash
# Seeds sponge, from moreutils
#Validate all Jsons first
for dir in `find . -name "*.json"`
do
echo validating ${dir}
# python3 -c "import json; f_in = open('${dir}'); data = json.load(f_in); f_in.close(); f_out = open('${dir}', 'w'); json.dump(data, f_out, indent=2, sort_keys=True, ensure_ascii=False); f_out.close();"
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
done
set -e
set -x
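Review bot: The new validation loop expands `${dir}` unquoted and iterates over backtick `find` output, so a path containing whitespace or glob characters is split or expanded and `jq` is not run on the file that was actually found. Quoting alone (`jq . "${dir}" >/dev/null`) fixes the expansion but not the splitting; `find . -name "*.json" -print0 | xargs -0 -n1 jq . >/dev/null || exit $?` handles both and drops the extra `cat`. Note also that `jq .` accepts duplicate object keys (the last one wins), so this step will not catch a definition that declares the same attribute twice.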


@ -0,0 +1,198 @@
{
"requiredOneOf": [
"description",
"method",
"key",
"keyed-hash-function",
"encryption-function",
"regexp",
"iv"
],
"attributes": {
"method": {
"description": "Anonymisation (or pseudo-anonymisation) method(s) used",
"ui-priority": 1,
"disable_correlation": true,
"sane_default": [
"hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.",
"hash - A hash function maps each attribute to a new (not necessarily unique) attribute.",
"permutation - Maps each original value to a unique new value.",
"prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ",
"shift - Adds a fixed offset to each value/attribute.",
"enumeration - Map each original value to a new value such that their ordering is preserved.",
"partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.",
"updated - Checksums are recalculated to reflect changes made to other fields.",
"truncation - Field is shortened, losing data at the end.",
"encryption - Attribute is encrypted."
],
"misp-attribute": "text",
"multiple": true
},
"key": {
"description": "Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute",
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "text"
},
"iv": {
"description": "Initialisation vector for the encryption function used to anonymise the attribute",
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "text"
},
"keyed-hash-function": {
"description": "Keyed-hash function used to anonymise the attribute",
"ui-priority": 1,
"disable_correlation": true,
"sane_default": [
"hmac-sha1",
"hmac-md5",
"hmac-sha256",
"hmac-sha384",
"hmac-sha512"
],
"misp-attribute": "text"
},
"encryption-function": {
"description": "Encryption function or algorithm used to anonymise the attribute",
"ui-priority": 1,
"disable_correlation": true,
"sane_default": [
"aes128",
"aes-128-cbc",
"aes-128-cfb",
"aes-128-cfb1",
"aes-128-cfb8",
"aes-128-ctr",
"aes-128-ecb",
"aes-128-ofb",
"aes192",
"aes-192-cbc",
"aes-192-cfb",
"aes-192-cfb1",
"aes-192-cfb8",
"aes-192-ctr",
"aes-192-ecb",
"aes-192-ofb",
"aes-256-cfb",
"aes-256-cfb1",
"aes-256-cfb8",
"aes-256-ctr",
"aes-256-ecb",
"aes-256-ofb",
"bf",
"bf-cbc",
"bf-cfb",
"bf-ecb",
"bf-ofb",
"blowfish",
"camellia128",
"camellia-128-cbc",
"camellia-128-cfb",
"camellia-128-cfb1",
"camellia-128-cfb8",
"camellia-128-ctr",
"camellia-128-ecb",
"camellia-128-ofb",
"camellia192",
"camellia-192-cbc",
"camellia-192-cfb",
"camellia-192-cfb1",
"camellia-192-cfb8",
"camellia-192-ctr",
"camellia-192-ecb",
"camellia-192-ofb",
"camellia256",
"camellia-256-cbc",
"camellia-256-cfb",
"camellia-256-cfb1",
"camellia-256-cfb8",
"camellia-256-ctr",
"camellia-256-ecb",
"camellia-256-ofb",
"cast",
"cast5-cbc",
"cast5-cfb",
"cast5-ecb",
"cast5-ofb",
"cast-cbc",
"des",
"des3",
"des-cbc",
"des-cfb",
"des-ecb",
"des-ede",
"des-ede3",
"des-ede3-cbc",
"des-ede3-cfb",
"des-ede3-ofb",
"des-ede-cbc",
"des-ede-cfb",
"des-ede-ofb",
"des-ofb",
"desx",
"gost89",
"gost89-cnt",
"idea",
"idea-cbc",
"idea-cfb",
"idea-ecb",
"idea-ofb",
"rc2",
"rc2-40-cbc",
"rc2-64-cbc",
"rc2-cbc",
"rc2-cfb",
"rc2-ecb",
"rc2-ofb",
"rc4",
"rc4-40",
"rc4-64",
"rc5",
"rc5-cbc",
"rc5-cfb",
"rc5-ecb",
"rc5-ofb",
"seed",
"seed-cbc",
"seed-cfb",
"seed-ecb",
"seed-ofb",
"sm4",
"sm4-cbc",
"sm4-cfb",
"sm4-ctr",
"sm4-ecb",
"sm4-ofb"
],
"misp-attribute": "text"
},
"regexp": {
"description": "Regular expression to perfom the anonymisation (reversible or not)",
"ui-priority": 10,
"disable_correlation": true,
"misp-attribute": "text"
},
"description": {
"description": "Description of the anonymisation technique or tool used",
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "text"
},
"level-of-knowledge": {
"description": "Level of knowledge of the organisation who created this object",
"ui-priority": 10,
"values_list": [
"Only the anonymised data is known",
"Deanonymised data is known"
],
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 2,
"description": "Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml",
"meta-category": "misc",
"uuid": "5867cffe-60ff-44f6-b097-e5f36b5de0ac",
"name": "anonymisation"
}
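Review bot: The `encryption-function` `sane_default` list has no `aes256` or `aes-256-cbc` entry, although the 128- and 192-bit families both start with those two forms; the list jumps from `aes-192-ofb` straight to `aes-256-cfb`. If the list is meant to mirror a cipher listing, add the two entries after `aes-192-ofb`. Separately, `key` and `iv` hold the material that reverses the anonymisation as plain `text` in an object that travels with the event, so their descriptions should say when it is appropriate to fill them in, for example `"Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute; include only if recipients are meant to be able to deanonymise"`. The `regexp` description also has a typo, `perfom`.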


@ -22,7 +22,8 @@
"RELOCATABLE"
],
"ui-priority": 0,
"misp-attribute": "text"
"misp-attribute": "text",
"disable_correlation": true
},
"number-sections": {
"description": "Number of sections",
@ -250,7 +251,7 @@
"recommended": false
}
},
"version": 4,
"version": 5,
"description": "Object describing a Executable and Linkable Format",
"meta-category": "file",
"uuid": "fa6534ae-ad74-4ce0-8f23-15a66c82c7fa",


@ -3,7 +3,7 @@
"uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552",
"meta-category": "network",
"description": "Email object describing an email with meta-information",
"version": 12,
"version": 13,
"attributes": {
"reply-to": {
"description": "Email address the reply will be sent to",
@ -77,6 +77,18 @@
],
"multiple": true
},
"received-header-ip": {
"description": "Extracted IP address from parsed headers",
"misp-attribute": "ip-src",
"ui-priority": 0,
"multiple": true
},
"received-header-hostname": {
"description": "Extracted hostname from parsed headers",
"misp-attribute": "hostname",
"ui-priority": 0,
"multiple": true
},
"x-mailer": {
"description": "X-Mailer generally tells the program that was used to draft and send the original email",
"misp-attribute": "email-x-mailer",
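Review bot: `received-header-ip` is typed `ip-src` and `received-header-hostname` is typed `hostname`, and neither sets `disable_correlation` or `to_ids`, so every relay named in a Received header (often the recipient's own mail gateway or a large mail provider) would correlate across events and, if these types default to IDS-flagged on the instance, reach detection exports. Consider adding `"disable_correlation": true` and `"to_ids": false` to both, or stating in the descriptions that only the suspicious hop should be recorded. The `attributes` object starts and ends outside the second hunk.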


@ -168,9 +168,275 @@
"Expired",
"Trusted"
]
},
"file-encoding": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "Encoding format of the file",
"disable_correlation": true,
"sane_default": [
"Adobe-Standard-Encoding",
"Adobe-Symbol-Encoding",
"Amiga-1251",
"ANSI_X3.110-1983",
"ASMO_449",
"Big5",
"Big5-HKSCS",
"BOCU-1",
"BRF",
"BS_4730",
"BS_viewdata",
"CESU-8",
"CP50220",
"CP51932",
"CSA_Z243.4-1985-1",
"CSA_Z243.4-1985-2",
"CSA_Z243.4-1985-gr",
"CSN_369103",
"DEC-MCS",
"DIN_66003",
"dk-us",
"DS_2089",
"EBCDIC-AT-DE",
"EBCDIC-AT-DE-A",
"EBCDIC-CA-FR",
"EBCDIC-DK-NO",
"EBCDIC-DK-NO-A",
"EBCDIC-ES",
"EBCDIC-ES-A",
"EBCDIC-ES-S",
"EBCDIC-FI-SE",
"EBCDIC-FI-SE-A",
"EBCDIC-FR",
"EBCDIC-IT",
"EBCDIC-PT",
"EBCDIC-UK",
"EBCDIC-US",
"ECMA-cyrillic",
"ES",
"ES2",
"EUC-KR",
"Extended_UNIX_Code_Fixed_Width_for_Japanese",
"Extended_UNIX_Code_Packed_Format_for_Japanese",
"GB18030",
"GB_1988-80",
"GB2312",
"GB_2312-80",
"GBK",
"GOST_19768-74",
"greek7",
"greek7-old",
"greek-ccitt",
"HP-DeskTop",
"HP-Legal",
"HP-Math8",
"HP-Pi-font",
"hp-roman8",
"HZ-GB-2312",
"IBM00858",
"IBM00924",
"IBM01140",
"IBM01141",
"IBM01142",
"IBM01143",
"IBM01144",
"IBM01145",
"IBM01146",
"IBM01147",
"IBM01148",
"IBM01149",
"IBM037",
"IBM038",
"IBM1026",
"IBM1047",
"IBM273",
"IBM274",
"IBM275",
"IBM277",
"IBM278",
"IBM280",
"IBM281",
"IBM284",
"IBM285",
"IBM290",
"IBM297",
"IBM420",
"IBM423",
"IBM424",
"IBM437",
"IBM500",
"IBM775",
"IBM850",
"IBM851",
"IBM852",
"IBM855",
"IBM857",
"IBM860",
"IBM861",
"IBM862",
"IBM863",
"IBM864",
"IBM865",
"IBM866",
"IBM868",
"IBM869",
"IBM870",
"IBM871",
"IBM880",
"IBM891",
"IBM903",
"IBM904",
"IBM905",
"IBM918",
"IBM-Symbols",
"IBM-Thai",
"IEC_P27-1",
"INIS",
"INIS-8",
"INIS-cyrillic",
"INVARIANT",
"ISO_10367-box",
"ISO-10646-J-1",
"ISO-10646-UCS-2",
"ISO-10646-UCS-4",
"ISO-10646-UCS-Basic",
"ISO-10646-Unicode-Latin1",
"ISO-10646-UTF-1",
"ISO-11548-1",
"ISO-2022-CN",
"ISO-2022-CN-EXT",
"ISO-2022-JP",
"ISO-2022-JP-2",
"ISO-2022-KR",
"ISO_2033-1983",
"ISO_5427",
"ISO_5427:1981",
"ISO_5428:1980",
"ISO_646.basic:1983",
"ISO_646.irv:1983",
"ISO_6937-2-25",
"ISO_6937-2-add",
"ISO-8859-10",
"ISO_8859-1:1987",
"ISO-8859-13",
"ISO-8859-14",
"ISO-8859-15",
"ISO-8859-16",
"ISO-8859-1-Windows-3.0-Latin-1",
"ISO-8859-1-Windows-3.1-Latin-1",
"ISO_8859-2:1987",
"ISO-8859-2-Windows-Latin-2",
"ISO_8859-3:1988",
"ISO_8859-4:1988",
"ISO_8859-5:1988",
"ISO_8859-6:1987",
"ISO_8859-6-E",
"ISO_8859-6-I",
"ISO_8859-7:1987",
"ISO_8859-8:1988",
"ISO_8859-8-E",
"ISO_8859-8-I",
"ISO_8859-9:1989",
"ISO-8859-9-Windows-Latin-5",
"ISO_8859-supp",
"iso-ir-90",
"ISO-Unicode-IBM-1261",
"ISO-Unicode-IBM-1264",
"ISO-Unicode-IBM-1265",
"ISO-Unicode-IBM-1268",
"ISO-Unicode-IBM-1276",
"IT",
"JIS_C6220-1969-jp",
"JIS_C6220-1969-ro",
"JIS_C6226-1978",
"JIS_C6226-1983",
"JIS_C6229-1984-a",
"JIS_C6229-1984-b",
"JIS_C6229-1984-b-add",
"JIS_C6229-1984-hand",
"JIS_C6229-1984-hand-add",
"JIS_C6229-1984-kana",
"JIS_Encoding",
"JIS_X0201",
"JIS_X0212-1990",
"JUS_I.B1.002",
"JUS_I.B1.003-mac",
"JUS_I.B1.003-serb",
"KOI7-switched",
"KOI8-R",
"KOI8-U",
"KS_C_5601-1987",
"KSC5636",
"KZ-1048",
"latin-greek",
"Latin-greek-1",
"latin-lap",
"macintosh",
"Microsoft-Publishing",
"MNEM",
"MNEMONIC",
"MSZ_7795.3",
"Name",
"NATS-DANO",
"NATS-DANO-ADD",
"NATS-SEFI",
"NATS-SEFI-ADD",
"NC_NC00-10:81",
"NF_Z_62-010",
"NF_Z_62-010_(1973)",
"NS_4551-1",
"NS_4551-2",
"OSD_EBCDIC_DF03_IRV",
"OSD_EBCDIC_DF04_1",
"OSD_EBCDIC_DF04_15",
"PC8-Danish-Norwegian",
"PC8-Turkish",
"PT",
"PT2",
"PTCP154",
"SCSU",
"SEN_850200_B",
"SEN_850200_C",
"Shift_JIS",
"T.101-G2",
"T.61-7bit",
"T.61-8bit",
"TIS-620",
"TSCII",
"UNICODE-1-1",
"UNICODE-1-1-UTF-7",
"UNKNOWN-8BIT",
"US-ASCII",
"us-dk",
"UTF-16",
"UTF-16BE",
"UTF-16LE",
"UTF-32",
"UTF-32BE",
"UTF-32LE",
"UTF-7",
"UTF-8",
"Ventura-International",
"Ventura-Math",
"Ventura-US",
"videotex-suppl",
"VIQR",
"VISCII",
"windows-1250",
"windows-1251",
"windows-1252",
"windows-1253",
"windows-1254",
"windows-1255",
"windows-1256",
"windows-1257",
"windows-1258",
"Windows-31J",
"windows-874"
]
}
},
"version": 15,
"version": 16,
"description": "File object describing a file with meta-information",
"meta-category": "file",
"uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
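Review bot: The `file-encoding` `sane_default` list contains the entry `"Name"` (between `MSZ_7795.3` and `NATS-DANO`), which looks like a column header picked up together with the charset names rather than an encoding; it should probably be removed. The list also offers registry forms such as `ISO_8859-1:1987` but not the commonly reported `ISO-8859-1`, so values produced by detection tools may not match a suggested entry; that is an inference from the visible list, as the source of the names is not shown. The object continues outside the hunk on both sides.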


@ -0,0 +1,43 @@
{
"required": [
"service"
],
"attributes": {
"service": {
"misp-attribute": "text",
"ui-priority": 0,
"description": "Service impacte par l'incident",
"disable_correlation": true,
"multiple": true,
"sane_default": [
"Telephonie fixe",
"Acces Internet fixe",
"Telephonie mobile",
"Acces Internet mobile"
]
},
"nombre-utilisateurs-touches": {
"description": "Nombre dutilisateurs touches par l'incident",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"pourcentage-utilisateurs-touches": {
"description": "Pourcentage d'utilisateurs du service touches par l'incident",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
},
"duree": {
"description": "Duree de l'incident en hh : mm",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Institut Luxembourgeois de Regulation - Impact",
"meta-category": "misc",
"uuid": "b995af48-39b2-11e9-b2ab-b77adfee75d1",
"name": "ilr-impact"
}
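Review bot: Apostrophes and accented letters appear to have been dropped from some strings rather than transliterated: here `Nombre dutilisateurs touches` is missing the apostrophe that the neighbouring `touches par l'incident` keeps. The same loss runs through the `ilr-notification-incident` template in this commit (`lentreprise`, `lincident`, `durgences`, `dune`), and there it also damages a selectable value, `rreur humaine`, presumably `Erreur humaine`. Because `values_list` and `sane_default` entries are stored as attribute values, the strings should be fixed before the templates are used, e.g. `"description": "Nombre d'utilisateurs touches par l'incident"`.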


@ -0,0 +1,139 @@
{
"attributes": {
"Nom entreprise": {
"description": "Nom de lentreprise notifiee",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"date-incident": {
"description": "Date/heure de la detection de lincident:",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "datetime"
},
"date-pre-notification": {
"description": "Date de la pre-notification",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"impact-servicesw-urgence": {
"description": "Services durgences impactes ?",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"Oui",
"Non"
]
},
"description-probleme-services-urgence": {
"description": "Description du probleme sur les services durgences impactes",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"delimitation-geographique": {
"description": "Delimitation geographique",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"Nationale",
"Regionale"
]
},
"zone-impactee": {
"description": "zones/communes/villes impactees ",
"disable_correlation": true,
"ui-priority": 0,
"multiple": true,
"misp-attribute": "text"
},
"details-service": {
"description": "Details relatifs au service concerne et a limpact de lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"cause-initiale-incident": {
"description": "Cause initiale de l'incident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text",
"values_list": [
"rreur humaine",
"Defaut systeme 'hardware', 'software', 'procedures'",
"Attaque malveillante",
"Defaut dune partie tierce ou externe",
"Catastrophe naturelle"
]
},
"autres-informations": {
"description": "Autres informations concernant la nature de lincident notamment la liste des actifs affectes et les causes subsequentes eventuelles, declenches par la cause initiale ",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"description-incident": {
"description": "Description generale de lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"traitement-incident": {
"description": "Traitement de lincident et actions effectuees en ordre chronologique",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"actions-posterieur": {
"description": "Actions posterieures de lincident pour minimiser le risque ",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"interconnections-affectees": {
"description": "Interconnections nationales et/ou internationales affectees",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"actions-corrective": {
"description": "Actions correctives a long terme",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"remarques": {
"description": "Remarque(s), notamment les experiences gagnees et les leçons tirees de lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"nom-contact-incident": {
"description": "Nom de la personne de contact en rapport avec lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"telephone-contact-incident": {
"description": "Telephone de la personne de contact en rapport avec lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
},
"email-contact-incident": {
"description": "Email de la personne de contact en rapport avec lincident",
"disable_correlation": true,
"ui-priority": 0,
"misp-attribute": "text"
}
},
"version": 1,
"description": "Institut Luxembourgeois de Regulation - Notification d'incident",
"meta-category": "misc",
"uuid": "b8ade604-39b2-11e9-b753-1fd28d3b612c",
"name": "ilr-notification-incident"
}
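Review bot: Two attribute keys break the lowercase hyphenated naming used by every other key in this template: `Nom entreprise` contains a space and a capital, and `impact-servicesw-urgence` looks like a typo for `impact-services-urgence`. The key presumably becomes the attribute's relation name in stored objects, so renaming it later means migrating data; suggest `nom-entreprise` and `impact-services-urgence` now. The reworked `phishing` template in this commit has the same issue with `internal reference`. The template also declares neither `required` nor `requiredOneOf`, unlike `ilr-impact`; confirm that an empty notification object is intended.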


@ -0,0 +1,143 @@
{
"required": [
"notice-color"
],
"attributes": {
"notice-color": {
"description": "The color/type of the notice",
"misp-attribute": "text",
"ui-priority": 1,
"sane_default": [
"Red",
"Yellow",
"Blue",
"Black",
"Green",
"Orange",
"Purple"
]
},
"present-family-name": {
"description": "Last name of a natural person.",
"ui-priority": 0,
"misp-attribute": "last-name"
},
"forename": {
"description": "First name of a natural person.",
"ui-priority": 0,
"misp-attribute": "first-name",
"disable_correlation": true
},
"alias": {
"description": "Alias name or known as.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true
},
"father-s-family-name-&-forename": {
"description": "Father's family name & forename.",
"ui-priority": 0,
"misp-attribute": "text"
},
"mother-s-family-name-&-forename": {
"description": "Mother's family name & forename.",
"ui-priority": 0,
"misp-attribute": "text"
},
"date-of-birth": {
"description": "Date of birth of a natural person (in YYYY-MM-DD format).",
"ui-priority": 0,
"misp-attribute": "date-of-birth"
},
"place-of-birth": {
"description": "Place of birth of a natural person.",
"ui-priority": 0,
"misp-attribute": "place-of-birth",
"disable_correlation": true
},
"sex": {
"description": "The gender of a natural person.",
"ui-priority": 0,
"misp-attribute": "gender",
"values_list": [
"Male",
"Female",
"Other",
"Prefer not to say"
],
"disable_correlation": true
},
"nationality": {
"description": "The nationality of a natural person.",
"ui-priority": 0,
"misp-attribute": "nationality",
"multiple": true,
"disable_correlation": true
},
"language-spoken": {
"description": "Languages spoken by a person.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"charges": {
"description": "Charges published as provided by requesting entity",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true
},
"date-of-disappearance": {
"description": "Date of disappearance of a missing person.",
"ui-priority": 0,
"misp-attribute": "text"
},
"place-of-disappearance": {
"description": "Place of birth of a natural person.",
"ui-priority": 0,
"misp-attribute": "text"
},
"height": {
"description": "Height of a person.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"weight": {
"description": "weight of a person.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"colour-of-hair": {
"description": "Description of a person's colour of hair.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"colour-of-eyes": {
"description": "Description of a person's colour of eyes.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"distinguishing-marks-and-characteristics": {
"description": "Distinguishing marks and characteristics of a person.",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"portrait": {
"description": "Portrait of the person.",
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
}
},
"version": 1,
"description": "An object which describes a Interpol notice.",
"meta-category": "misc",
"uuid": "24927972-1e4a-11e9-857e-3b2306b99911",
"name": "interpol-notice"
}
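Review bot: `place-of-disappearance` carries the description `Place of birth of a natural person.`, copied from `place-of-birth`; it should read something like `"description": "Place of disappearance of a missing person."`. The keys `father-s-family-name-&-forename` and `mother-s-family-name-&-forename` contain `&`, which is awkward wherever the key ends up in a URL or query string; `father-family-name-and-forename` would avoid that. `date-of-disappearance` is typed `text` while `date-of-birth` uses a dedicated type, so the expected date format should at least be stated in its description.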


@ -151,9 +151,25 @@
"ui-priority": 10,
"misp-attribute": "attachment",
"multiple": true
},
"role": {
"description": "The role of a person.",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"values_list": [
"Suspect",
"Victim",
"Defendent",
"Accused",
"Culprit",
"Accomplice",
"Witness"
],
"disable_correlation": true
}
},
"version": 7,
"version": 8,
"description": "An object which describes a person or an identity.",
"meta-category": "misc",
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
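Review bot: The new `role` `values_list` contains `Defendent`, a misspelling of `Defendant`. Because `values_list` restricts the selectable values, the misspelled string would be stored in objects and then has to be matched by searches and exports, so it is cheaper to correct before release: `"Defendant",`. The `attributes` object begins outside the hunk.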


@ -1,69 +1,117 @@
{
"requiredOneOf": [
"url"
],
"name": "phishing",
"uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
"meta-category": "network",
"description": "Phishing template to describe a phishing website and its analysis.",
"version": 5,
"attributes": {
"url": {
"description": "Original url of the phishing website",
"ui-priority": 1,
"misp-attribute": "url"
},
"phishtank-id": {
"description": "Phishtank ID of the reported phishing",
"ui-priority": 1,
"misp-attribute": "text"
},
"phishtank-detail-url": {
"description": "Phishtank detail URL to the reported phishing",
"misp-attribute": "link",
"ui-priority": 1
},
"submission-time": {
"description": "When the phishing was submitted and/or reported",
"ui-priority": 0,
"misp-attribute": "datetime"
},
"verified": {
"description": "The phishing has been verified by the team handling the phishing",
"ui-priority": 0,
"values_list": [
"No",
"Yes"
"internal reference": {
"categories": [
"Internal reference"
],
"misp-attribute": "text",
"disable_correlation": true
"ui-priority": 1,
"description": "Internal reference such as ticket ID"
},
"verification-time": {
"description": "When the phishing was verified",
"screenshot": {
"multiple": true,
"categories": [
"External analysis"
],
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "attachment",
"description": "Screenshot of phishing site"
},
"target": {
"multiple": true,
"misp-attribute": "text",
"ui-priority": 0,
"description": "Targeted organisation by the phishing"
},
"takedown-request-to": {
"to_ids": false,
"multiple": true,
"categories": [
"Other"
],
"ui-priority": 1,
"disable_correlation": true,
"misp-attribute": "text",
"description": "Destination email address for take-down request"
},
"takedown-request": {
"disable_correlation": true,
"misp-attribute": "datetime",
"disable_correlation": true
"ui-priority": 0,
"description": "When the phishing was requested to be taken down"
},
"takedown-time": {
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "When the phishing was taken down"
},
"online": {
"description": "If the phishing is online and operational, by default is yes",
"ui-priority": 0,
"disable_correlation": true,
"misp-attribute": "text",
"values_list": [
"Yes",
"No"
],
"ui-priority": 0,
"description": "If the phishing is online and operational, by default is yes"
},
"url": {
"misp-attribute": "url",
"ui-priority": 1,
"description": "Original URL of the phishing website"
},
"url-redirect": {
"multiple": true,
"misp-attribute": "url",
"ui-priority": 1,
"description": "Redirect URL of the phishing website"
},
"hostname": {
"multiple": true,
"misp-attribute": "hostname",
"ui-priority": 1,
"description": "host of the phishing website"
},
"phishtank-id": {
"misp-attribute": "text",
"disable_correlation": true
"ui-priority": 1,
"description": "Phishtank ID of the reported phishing"
},
"takedown-time": {
"description": "When the phishing was taken down",
"ui-priority": 0,
"phishtank-detail-url": {
"ui-priority": 1,
"misp-attribute": "link",
"description": "Phishtank detail URL to the reported phishing"
},
"submission-time": {
"misp-attribute": "datetime",
"disable_correlation": true
},
"target": {
"description": "Targeted organisation by the phishing",
"ui-priority": 0,
"misp-attribute": "text"
"description": "When the phishing was submitted and/or reported"
},
"verified": {
"disable_correlation": true,
"misp-attribute": "text",
"values_list": [
"No",
"Yes"
],
"ui-priority": 0,
"description": "The phishing has been verified by the team handling the phishing"
},
"verification-time": {
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0,
"description": "When the phishing was verified"
}
},
"version": 1,
"description": "Phishing template to describe a phishing website and its analysis.",
"meta-category": "network",
"uuid": "2dad6f9d-d425-4217-8fda-0b0a2d815307",
"name": "phishing"
"requiredOneOf": [
"url"
]
}


@ -30,7 +30,8 @@
"Perl",
"Ruby",
"Winbatch",
"AutoIt"
"AutoIt",
"PHP"
]
},
"filename": {
@ -54,7 +55,7 @@
]
}
},
"version": 1,
"version": 2,
"description": "Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.",
"meta-category": "misc",
"uuid": "6bce7d01-dbec-4054-b3c2-3655a19382e2",


@ -0,0 +1,60 @@
{
"version": 1,
"description": "Splunk / Splunk ES object",
"meta-category": "misc",
"uuid": "fd9b7bf8-df7b-4df9-bcd8-28591edcaab8",
"name": "splunk",
"required": [
"search"
],
"attributes": {
"search": {
"description": "Search / Correlation search",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"drill-down": {
"description": "Drilldown",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true,
"multiple": true
},
"response-action": {
"description": "Response action",
"ui-priority": 0,
"misp-attribute": "text",
"multiple": true,
"disable_correlation": true,
"sane_default": [
"notable",
"risk"
]
},
"schedule": {
"description": "Schedule",
"ui-priority": 0,
"misp-attribute": "other",
"disable_correlation": true
},
"earliest": {
"description": "Earliest time",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"latest": {
"description": "Latest time",
"ui-priority": 0,
"misp-attribute": "text",
"disable_correlation": true
},
"description": {
"description": "Description",
"ui-priority": 0,
"misp-attribute": "comment",
"disable_correlation": true
}
}
}
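Review bot: The attribute descriptions only restate the key (`"Schedule"`, `"Drilldown"`, `"Earliest time"`), so the template does not say what format `schedule`, `earliest` and `latest` expect, or why `schedule` alone is typed `other` while its siblings are `text`. Suggest descriptions that name the format, e.g. `"description": "Schedule of the search (cron expression)"` and `"description": "Earliest time of the search window (Splunk time modifier or timestamp)"`, after confirming the intended formats. It would also help to state in the `search` description that the value is a query to be reviewed before it is run on the recipient's instance.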


@ -222,6 +222,13 @@
"stix-2.0"
]
},
{
"name": "retrieved-from",
"description": "This relationship describes an object retrieved from the target object.",
"format": [
"misp"
]
},
{
"name": "authored-by",
"description": "This relationship describes the author of a specific object.",