diff --git a/objects/cookie/definition.json b/objects/cookie/definition.json index dab118f..450e605 100644 --- a/objects/cookie/definition.json +++ b/objects/cookie/definition.json @@ -18,6 +18,30 @@ "ui-priority": 0, "misp-attribute": "text" }, + "path": { + "description": "Path defined in the cookie", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "text" + }, + "expires": { + "description": "Expiration date/time of the cookie", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "datetime" + }, + "http-only": { + "description": "True if send only through HTTP", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "boolean" + }, + "secure": { + "description": "True if cookie is sent over TLS", + "ui-priority": 0, + "disable_correlation": true, + "misp-attribute": "boolean" + }, "text": { "description": "A description of the cookie.", "disable_correlation": true, @@ -38,7 +62,7 @@ "misp-attribute": "text" } }, - "version": 2, + "version": 3, "description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.", "meta-category": "network", "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8", diff --git a/objects/domain-crawled/definition.json b/objects/domain-crawled/definition.json new file mode 100644 index 0000000..4c89e6e --- /dev/null +++ b/objects/domain-crawled/definition.json 
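Review bot: The description of the new `http-only` attribute in the first cookie hunk ("True if send only through HTTP") does not match what the HttpOnly flag means: it hides the cookie from client-side script and says nothing about transport. An analyst reading the current text could confuse it with `secure`, whose wording is also loose, since the Secure flag restricts the cookie to HTTPS requests rather than recording that it was observed over TLS. I would reword them to `"description": "True if the HttpOnly flag is set (cookie is not exposed to client-side scripts)"` and `"description": "True if the Secure flag is set (cookie is only sent over HTTPS)"`.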
@@ -0,0 +1,38 @@ +{ + "required": [ + "domain" + ], + "attributes": { + "text": { + "description": "A description of the tuple", + "disable_correlation": true, + "ui-priority": 1, + "misp-attribute": "text", + "recommended": false + }, + "domain": { + "description": "Domain name", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "domain" + }, + "url": { + "description": "domain url", + "categories": [ + "Network activity", + "External analysis" + ], + "ui-priority": 1, + "misp-attribute": "url", + "multiple": true + } + }, + "version": 2, + "description": "A domain crawled over time", + "meta-category": "network", + "uuid": "bad4888d-c44e-4612-b08f-3d97c1e0014a", + "name": "domain-crawled" +} diff --git a/objects/email/definition.json b/objects/email/definition.json index fe3553e..f984e0a 100644 --- a/objects/email/definition.json +++ b/objects/email/definition.json @@ -3,7 +3,7 @@ "uuid": "a0c666e0-fc65-4be8-b48f-3423d788b552", "meta-category": "network", "description": "Email object describing an email with meta-information", - "version": 13, + "version": 15, "attributes": { "reply-to": { "description": "Email address the reply will be sent to", @@ -57,7 +57,8 @@ "ui-priority": 1, "categories": [ "Payload delivery" - ] + ], + "multiple": true }, "screenshot": { "description": "Screenshot of email", @@ -141,7 +142,8 @@ "ui-priority": 1, "categories": [ "Payload delivery" - ] + ], + "multiple": true }, "return-path": { "description": "Message return path", @@ -157,7 +159,8 @@ "ui-priority": 1, "categories": [ "Payload delivery" - ] + ], + "multiple": true }, "email-body": { "description": "Body of the email", @@ -174,6 +177,12 @@ "ui-priority": 0, "disable_correlation": true }, + "ip-src": { + "description": "Source IP address of the email sender", + "misp-attribute": "ip-src", + "ui-priority": 0, + "multiple": true + }, "eml": { "description": "Full EML", "misp-attribute": "attachment", 
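Review bot: The domain-crawled template is described as "A domain crawled over time", but it defines only `text`, `domain` and `url`, so nothing records when a crawl took place and two crawls of the same domain cannot be ordered or compared. Consider adding a `datetime` attribute (for example a first-seen/last-seen pair) with `"disable_correlation": true`. The `url` description "domain url" should also say what the URL represents, e.g. `"description": "URL found on the domain during the crawl"`, if that is the intent. The new file starts at `"version": 2`, which is worth confirming.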
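Review bot: The new `ip-src` attribute in the last email hunk ("Source IP address of the email sender") does not say which hop the address is taken from. This matters because every `Received` header below the first trusted relay is written by the sending side and can be forged. As defined, it correlates by default, so a value copied from a spoofed header, or the outbound relay of a large shared mail provider, can link unrelated events. I would tighten the text, e.g. `"description": "Source IP address of the email sender, as recorded by the first trusted receiving MTA"`. The neighbouring attributes in the context lines set `categories` and this one does not, so confirm the default category is the intended one.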
diff --git a/objects/file/definition.json b/objects/file/definition.json index 937d407..07897ae 100644 --- a/objects/file/definition.json +++ b/objects/file/definition.json @@ -441,18 +441,13 @@ "windows-874" ] }, - "imphash": { - "description": "Hash (md5) calculated from the import table", - "ui-priority": 0, - "misp-attribute": "imphash" - }, "compilation-timestamp": { "description": "Compilation timestamp", "ui-priority": 0, "misp-attribute": "datetime" } }, - "version": 19, + "version": 20, "description": "File object describing a file with meta-information", "meta-category": "file", "uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", diff --git a/objects/http-request/definition.json b/objects/http-request/definition.json index 04c4e6e..32c119d 100644 --- a/objects/http-request/definition.json +++ b/objects/http-request/definition.json @@ -40,7 +40,17 @@ ], "description": "An HTTP cookie previously sent by the server with Set-Cookie", "ui-priority": 1, - "misp-attribute": "text" + "misp-attribute": "text", + "multiple": true + }, + "header": { + "categories": [ + "Network activity" + ], + "description": "An HTTP header sent during HTTP request", + "ui-priority": 1, + "misp-attribute": "text", + "multiple": true }, "host": { "categories": [ @@ -120,7 +130,7 @@ "misp-attribute": "user-agent" } }, - "version": 3, + "version": 4, "description": "A single HTTP request header", "meta-category": "network", "uuid": "b4a8d163-8110-4239-bfcf-e08f3a9fdf7b", diff --git a/objects/instant-message-group/definition.json b/objects/instant-message-group/definition.json new file mode 100644 index 0000000..6232afb --- /dev/null +++ b/objects/instant-message-group/definition.json 
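Review bot: The new `header` attribute in the first http-request hunk stores a raw request header as correlatable `text`, and request headers routinely carry credentials (`Authorization`, `Cookie`, API-key headers) that belong to the victim or the reporting organisation. The description should tell contributors to redact secret values before sharing, e.g. `"description": "An HTTP header (name and value) sent during the HTTP request; redact credential values before sharing"`. Correlation on ubiquitous headers will also be noisy, so `"disable_correlation": true` is worth considering. The object description in the following hunk still reads "A single HTTP request header" although `cookie` and `header` are now multi-valued.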
@@ -0,0 +1,80 @@
+{
+ "requiredOneOf": [
+ "group-name",
+ "group-alias",
+ "archive",
+ "attachment"
+ ],
+ "attributes": {
+ "group-name": {
+ "description": "The name of the group, channel or community.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "group-alias": {
+ "description": "Aliases of group, channel or community.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "text"
+ },
+ "app-used": {
+ "description": "The IM application used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "multiple": true,
+ "sane_default": [
+ "WhatsApp",
+ "Google Hangouts",
+ "Facebook Messenger",
+ "Telegram",
+ "Signal",
+ "WeChat",
+ "BlackBerry Messenger",
+ "TeamSpeak",
+ "TorChat",
+ "RetroShare",
+ "Slack"
+ ]
+ },
+ "username": {
+ "description": "A user account who is a member of the group.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "person-name": {
+ "description": "A person who is a member of the group.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "url": {
+ "description": "Original URL location of the group (potentially malicious).",
+ "ui-priority": 1,
+ "misp-attribute": "url"
+ },
+ "link": {
+ "description": "Original link into the group (Supposed harmless).",
+ "ui-priority": 1,
+ "misp-attribute": "link"
+ },
+ "archive": {
+ "description": "Archive of the original group (Internet Archive, Archive.is, etc).",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "link"
+ },
+ "attachment": {
+ "description": "A screen capture or exported list of contacts, group members, etc.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "attachment"
+ }
+ },
+ "version": 1,
+ "description": "Instant Message (IM) group object template describing a public or private IM group, channel or conversation.",
+ "meta-category": "misc",
+ "uuid": "e26becca-2149-4bc0-b3fb-7090d43af28f",
+ "name": "instant-message-group"
+}
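Review bot: `app-used` is declared with `"multiple": true` here but is single-valued in `objects/instant-message/definition.json`, added by the same commit. Its description ("The IM application used to send the message.") was also carried over from the message template although this object describes a group; I would make it `"description": "The IM application hosting the group."` and align the `multiple` setting across the two templates. Separately, `username`, `person-name` and the `attachment` holding an "exported list of contacts, group members" are personal data, and the first two correlate by default, so it is worth confirming that this is intended for events shared outside the originating organisation.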
diff --git a/objects/instant-message/definition.json b/objects/instant-message/definition.json
new file mode 100644
index 0000000..802b0a8
--- /dev/null
+++ b/objects/instant-message/definition.json
@@ -0,0 +1,112 @@
+{
+ "requiredOneOf": [
+ "body",
+ "from-user"
+ ],
+ "attributes": {
+ "body": {
+ "description": "Message body of the IM.",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "from-number": {
+ "description": "Phone number used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "to-number": {
+ "description": "Phone number receiving the message.",
+ "ui-priority": 1,
+ "misp-attribute": "phone-number",
+ "multiple": true
+ },
+ "from-user": {
+ "description": "User account that sent the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "to-user": {
+ "description": "User account that received the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "from-name": {
+ "description": "Name of the person that sent the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "to-name": {
+ "description": "Name of the person that received the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "subject": {
+ "description": "Subject of the message if any.",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "app-used": {
+ "description": "The IM application used to send the message.",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "WhatsApp",
+ "Google Hangouts",
+ "Facebook Messenger",
+ "Telegram",
+ "Signal",
+ "WeChat",
+ "BlackBerry Messenger",
+ "TeamSpeak",
+ "TorChat",
+ "RetroShare",
+ "Slack"
+ ]
+ },
+ "url": {
+ "description": "Original URL location of the message (potentially malicious).",
+ "ui-priority": 1,
+ "misp-attribute": "url"
+ },
+ "link": {
+ "description": "Original link into the message (Supposed harmless).",
+ "ui-priority": 1,
+ "misp-attribute": "link"
+ },
+ "archive": {
+ "description": "Archive of the original message (Internet Archive, Archive.is, etc).",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "link"
+ },
+ "attachment": {
+ "description": "The message file or screen capture.",
+ "ui-priority": 1,
+ "multiple": true,
+ "misp-attribute": "attachment"
+ },
+ "sent-date": {
+ "description": "Initial sent date of the message.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ },
+ "received-date": {
+ "description": "Received date of the message.",
+ "ui-priority": 0,
+ "misp-attribute": "datetime",
+ "disable_correlation": true
+ }
+ },
+ "version": 1,
+ "description": "Instant Message (IM) object template describing one or more IM message.",
+ "meta-category": "misc",
+ "uuid": "5fa51a24-f40f-4696-a77e-d31e26bab5fc",
+ "name": "instant-message"
+}
diff --git a/objects/iot-device/definition.json b/objects/iot-device/definition.json
new file mode 100644
index 0000000..0aac22f
--- /dev/null
+++ b/objects/iot-device/definition.json
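Review bot: In the instant-message template, `requiredOneOf` accepts only `body` or `from-user`, so a message known only through a sender phone number, an archive link or a screenshot cannot be stored. That is despite `from-number`, `archive` and `attachment` being defined further down, and the sibling group template treating `archive` and `attachment` as sufficient. I would widen it to `"requiredOneOf": ["body", "from-user", "from-number", "archive", "attachment"]`. The template description should also read "one or more IM messages".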
@@ -0,0 +1,171 @@
+{
+ "requiredOneOf": [
+ "model",
+ "vendor",
+ "architecture",
+ "boot-log",
+ "picture-pcb",
+ "picture-device"
+ ],
+ "attributes": {
+ "picture-pcb": {
+ "description": "Picture of the IoT device PCB",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ },
+ "picture-device": {
+ "description": "Picture of the IoT device",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ },
+ "fcc-id": {
+ "description": "FCC-ID of the IoT device",
+ "ui-priority": 10,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "boot-log": {
+ "description": "Boot log of the IoT device",
+ "ui-priority": 10,
+ "misp-attribute": "attachment",
+ "multiple": true
+ },
+ "platform": {
+ "description": "Platform of of the IoT device",
+ "ui-priority": 10,
+ "misp-attribute": "text",
+ "sane_default": [
+ "mach-aspeed",
+ "mach-at91",
+ "mach-bcm283x",
+ "mach-bcmstb",
+ "mach-cortina",
+ "mach-davinci",
+ "mach-exynos",
+ "mach-highbank",
+ "mach-imx",
+ "mach-integrator",
+ "mach-k3",
+ "mach-keystone",
+ "mach-kirkwood",
+ "mach-mediatek",
+ "mach-meson",
+ "mach-mvebu",
+ "mach-omap2",
+ "mach-orion5x",
+ "mach-owl",
+ "mach-qemu",
+ "mach-rmobile",
+ "mach-rockchip",
+ "mach-s5pc1xx",
+ "mach-snapdragon",
+ "mach-socfpga",
+ "mach-sti",
+ "mach-stm32",
+ "mach-stm32mp",
+ "mach-sunxi",
+ "mach-tegra",
+ "mach-u8500",
+ "mach-uniphier",
+ "mach-versal",
+ "mach-versatile",
+ "mach-zynq",
+ "mach-zynqmp",
+ "mach-zynqmp-r5",
+ "mcf5227x",
+ "mcf523x",
+ "mcf52x2",
+ "mcf530x",
+ "mcf532x",
+ "mcf5445x",
+ "mcf547x_8x",
+ "mach-ath79",
+ "mach-bmips",
+ "mach-jz47xx",
+ "mach-mscc",
+ "mach-mtmips",
+ "mach-pic32"
+ ]
+ },
+ "architecture": {
+ "description": "architecture of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "sane_default": [
+ "ARC",
+ "ARM",
+ "M68000",
+ "MicroBlaze",
+ "MIPS",
+ "NSD32",
+ "Nios II",
+ "PowerPC",
+ "RISC-V",
+ "Sandbox",
+ "SH",
+ "x86",
+ "Xtensa"
+ ]
+ },
+ "model": {
+ "description": "Model of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "multiple": true
+ },
+ "vendor": {
+ "description": "Vendor of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text"
+ },
+ "reference": {
+ "description": "Reference of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "link",
+ "multiple": true
+ },
+ "spi-interface": {
+ "description": "SPI interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
+ },
+ "serial-interface": {
+ "description": "Serial interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
+ },
+ "jtag-interface": {
+ "description": "JTAG interface of the IoT device",
+ "ui-priority": 1,
+ "misp-attribute": "text",
+ "disable_correlation": true,
+ "sane_default": [
+ "Yes",
+ "No",
+ "Unknown",
+ "Disabled"
+ ]
+ }
+ },
+ "version": 3,
+ "description": "An IoT device.",
+ "meta-category": "iot",
+ "uuid": "3de3b92a-859b-431b-9c4f-1a81de1d9637",
+ "name": "iot-device"
+}
diff --git a/objects/iot-firmware/definition.json b/objects/iot-firmware/definition.json
new file mode 100644
index 0000000..4ba6e67
--- /dev/null
+++ b/objects/iot-firmware/definition.json
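Review bot: In the iot-device `architecture` list, `"NSD32"` looks like a transposition of `NDS32`; the neighbouring values appear to follow a bootloader's architecture names, so please confirm against the list this was copied from. Because `sane_default` values are offered to analysts as-is, a misspelled entry ends up in shared data and will not match the correctly spelled value entered elsewhere. The `platform` description has a duplicated word ("Platform of of the IoT device"), and `architecture`'s description starts lower-case unlike the others. The file is introduced at `"version": 3`, which is worth confirming.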
@@ -0,0 +1,99 @@ +{ + "requiredOneOf": [ + "firmware", + "filename", + "binwalk-output" + ], + "attributes": { + "firmware": { + "description": "Firmware of the IoT device", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "version": { + "description": "Version of the firmware", + "ui-priority": 10, + "misp-attribute": "text", + "multiple": true + }, + "filename": { + "description": "Filename of the firmware", + "ui-priority": 10, + "misp-attribute": "text" + }, + "boot-log": { + "description": "Boot log of the IoT device for this firmware", + "ui-priority": 10, + "misp-attribute": "attachment", + "multiple": true + }, + "binwalk-output": { + "description": "Binwalk output of the firmware image", + "ui-priority": 10, + "misp-attribute": "attachment" + }, + "format": { + "description": "Format of the firmware", + "ui-priority": 10, + "misp-attribute": "text", + "sane_default": [ + "raw", + "Intel hex", + "Motorola S-Record", + "Unknown" + ] + }, + "md5": { + "description": "[Insecure] MD5 hash (128 bits)", + "ui-priority": 1, + "misp-attribute": "md5", + "recommended": false + }, + "sha1": { + "description": "[Insecure] Secure Hash Algorithm 1 (160 bits)", + "ui-priority": 1, + "misp-attribute": "sha1", + "recommended": false + }, + "sha224": { + "description": "Secure Hash Algorithm 2 (224 bits)", + "ui-priority": 0, + "misp-attribute": "sha224", + "recommended": false + }, + "sha256": { + "description": "Secure Hash Algorithm 2 (256 bits)", + "ui-priority": 1, + "misp-attribute": "sha256" + }, + "sha384": { + "description": "Secure Hash Algorithm 2 (384 bits)", + "ui-priority": 0, + "misp-attribute": "sha384", + "recommended": false + }, + "sha512": { + "description": "Secure Hash Algorithm 2 (512 bits)", + "ui-priority": 1, + "misp-attribute": "sha512" + }, + "size-in-bytes": { + "description": "Size of the file, in bytes", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "size-in-bytes" + }, + 
"binwalk-entropy-graph": { + "description": "Entropy graph of the firmware", + "disable_correlation": true, + "ui-priority": 0, + "misp-attribute": "attachment" + } + }, + "version": 1, + "description": "A firmware for an IoT device.", + "meta-category": "iot", + "uuid": "8bafb8fc-d986-4a58-b22b-6b8c7c0e8b70", + "name": "iot-firmware" +} diff --git a/objects/pe/definition.json b/objects/pe/definition.json index 1188c48..5b0c0e4 100644 --- a/objects/pe/definition.json +++ b/objects/pe/definition.json @@ -4,7 +4,9 @@ "type", "original-filename", "internal-filename", - "entrypoint-address" + "entrypoint-address", + "imphash", + "impfuzzy" ], "attributes": { "pehash": { @@ -119,7 +121,7 @@ "misp-attribute": "text" } }, - "version": 4, + "version": 5, "description": "Object describing a Portable Executable", "meta-category": "file", "uuid": "cf7adecc-d4f0-4e88-9d90-f978ee151a07", diff --git a/objects/rtir/definition.json b/objects/rtir/definition.json index 900bd59..c705b47 100644 --- a/objects/rtir/definition.json +++ b/objects/rtir/definition.json @@ -47,7 +47,8 @@ "resolved", "rejected", "deleted" - ] + ], + "disable_correlation": true }, "ticket-number": { "description": "ticket-number of the RTIR ticket", @@ -55,7 +56,7 @@ "misp-attribute": "text" } }, - "version": 1, + "version": 2, "description": "RTIR - Request Tracker for Incident Response", "meta-category": "misc", "uuid": "7534ee19-0a1f-4f46-a197-e6e73e457943", diff --git a/objects/short-message-service/definition.json b/objects/short-message-service/definition.json index 6ad1a92..1475aa3 100644 --- a/objects/short-message-service/definition.json +++ b/objects/short-message-service/definition.json 
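Review bot: In the iot-firmware template, `requiredOneOf` accepts `firmware`, `filename` or `binwalk-output` but none of the hash attributes. An object can therefore be created from a filename alone, while a firmware image known only by its `sha256` cannot be recorded. A filename is a weak identifier for a firmware image, so I would add the strong hashes, e.g. `"requiredOneOf": ["firmware", "filename", "binwalk-output", "sha256", "sha512"]`. The attribute key `version` ("Version of the firmware") also sits next to the template's own top-level `version`; a more specific key would avoid confusion, if renaming is acceptable at version 1.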
@@ -37,9 +37,19 @@ "ui-priority": 0, "misp-attribute": "datetime", "disable_correlation": true + }, + "smsc": { + "description": "SMS Message Center", + "ui-priority": 0, + "misp-attribute": "phone-number" + }, + "name": { + "description": "Sender name", + "ui-priority": 0, + "misp-attribute": "text" } }, - "version": 1, + "version": 3, "description": "Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn't apply.", "meta-category": "misc", "uuid": "4851a3dc-e1a6-43ac-9d97-f0d13a099fd2", diff --git a/objects/vulnerability/definition.json b/objects/vulnerability/definition.json index bc5513e..d381ffd 100644 --- a/objects/vulnerability/definition.json +++ b/objects/vulnerability/definition.json @@ -3,7 +3,7 @@ "published", "modified", "references", - "vulnerable_configuration", + "vulnerable-configuration", "summary", "description", "id" @@ -25,7 +25,7 @@ "ui-priority": 0, "misp-attribute": "text" }, - "vulnerable_configuration": { + "vulnerable-configuration": { "description": "The vulnerable configuration is described in CPE format", "multiple": true, "ui-priority": 0, @@ -90,7 +90,7 @@ "multiple": true } }, - "version": 5, + "version": 6, "description": "Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipments or hardware.", "meta-category": "vulnerability", "uuid": "81650945-f186-437b-8945-9f31715d32da", diff --git a/relationships/definition.json b/relationships/definition.json index fae3795..763274f 100644 --- a/relationships/definition.json +++ b/relationships/definition.json @@ -1,5 +1,5 @@ { - "version": 17, + "version": 18, "values": [ { "name": "derived-from", 
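Review bot: The new `smsc` attribute in the short-message-service hunk is a `phone-number` with correlation left on, but a service-centre number identifies operator infrastructure rather than a sender. Every message relayed through the same SMSC would correlate; unless that linkage is wanted, add `"disable_correlation": true`. The second attribute is keyed just `name` ("Sender name"), which is ambiguous next to the template's top-level `name`; the instant-message template added in this commit uses `from-name` for the same concept. The version also jumps from 1 to 3 in this hunk, which is worth confirming.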
@@ -991,6 +991,13 @@ "format": [ "misp" ] + }, + { + "name": "knows", + "description": "Represents an object having the knowledge of another object.", + "format": [ + "misp" + ] } ], "description": "Default type of relationships in MISP objects.", diff --git a/schema_objects.json b/schema_objects.json index 91d1d47..98da752 100644 --- a/schema_objects.json +++ b/schema_objects.json @@ -260,7 +260,8 @@ "misc", "internal", "vulnerability", - "climate" + "climate", + "iot" ], "type": "string" },