From e6fbcf9d53e4957edf10d05149cc268daf31e5c2 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 22 Mar 2017 06:54:11 +0100
Subject: [PATCH] information leak object as defined by the AIL Analysis Information Leak framework.
---
 objects/ail-leak/definition.json | 66 ++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 objects/ail-leak/definition.json
diff --git a/objects/ail-leak/definition.json b/objects/ail-leak/definition.json
new file mode 100644
index 0000000..f454e36
--- /dev/null
+++ b/objects/ail-leak/definition.json
@@ -0,0 +1,66 @@
+{
+ "name": "ail-leak",
+ "uuid": "dc6a8fa2-0a43-4a0c-a5aa-b1a5336ca80e",
+ "meta-category": "information leak",
+ "description": "An information leak as defined by the AIL Analysis Information Leak framework.",
+ "version": 1,
+ "attributes": {
+ "first-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the leak has been accessible or seen for the first time."
+ },
+ "last-seen": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the leak has been accessible or seen for the last time."
+ },
+ "type": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "description": "Type of information leak as discovered and classified by an AIL module.",
+ "sane_default": [
+ "Credential",
+ "CreditCards",
+ "Mail",
+ "Onion",
+ "Phone",
+ "Keys"
+ ]
+ },
+ "original-date": {
+ "misp-attribute": "datetime",
+ "misp-usage-frequency": 0,
+ "disable_correlation": true,
+ "description": "When the information available in the leak was created. It's usually before the first-seen."
+ },
+ "text": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 1,
+ "disable_correlation": true,
+ "description": "A description of the leak which could include the potential victim(s) or description of the leak."
+ },
+ "origin": {
+ "misp-attribute": "url",
+ "misp-usage-frequency": 1,
+ "description": "The link where the leak is (or was) accessible at first-seen."
+ },
+ "sensor": {
+ "misp-attribute": "text",
+ "misp-usage-frequency": 0,
+ "description": "The AIL sensor uuid where the leak was processed and analysed."
+ }
+ },
+ "required": [
+ "type"
+ ],
+ "requiredOneOf": [
+ "type",
+ "text",
+ "first-seen",
+ "last-seen",
+ "origin"
+ ]
+}
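Review bot: `requiredOneOf` lists `type`, which `required` already makes mandatory, so the one-of constraint is always satisfied and an object carrying nothing but a `type` value would presumably validate. If the intent is that a leak must also carry some describing or locating detail, drop `type` from that list: `"requiredOneOf": ["text", "first-seen", "last-seen", "origin"]`. Separately, `type` and `sensor` are `text` attributes without `"disable_correlation": true`, unlike the datetime and `text` fields around them. Since `type` is drawn from a six-value `sane_default` list and `sensor` is one uuid per sensor, they would likely correlate unrelated leak objects with each other and bury the useful matches on `origin`, so consider adding the flag to both.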