From 71cc235a5d466c8090e16d255e1acf44af250e79 Mon Sep 17 00:00:00 2001
From: Michael Trewen
Date: Tue, 13 Jun 2023 10:47:28 +0200
Subject: [PATCH 1/4] new:added Diamond Object
---
 objects/diamond/definition.json | 106 ++++++++++++++++++++++++++++++++
 1 file changed, 106 insertions(+)
 create mode 100644 objects/diamond/definition.json
diff --git a/objects/diamond/definition.json b/objects/diamond/definition.json
new file mode 100644
index 0000000..23d66b9
--- /dev/null
+++ b/objects/diamond/definition.json
@@ -0,0 +1,106 @@
+{
+ "required": [
+ "EventID",
+ "Advesary",
+ "Capability",
+ "Infrastructure",
+ "Victim"
+ ],
+ "version": 1,
+ "description": "A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.",
+ "meta-category": "internal",
+ "uuid": "a9618450-694d-4c73-9f76-35ea0150c19e",
+ "name": "diamond-event",
+ "attributes": {
+ "EventID": {
+ "description": "Id of the event",
+ "ui-priority": 0,
+ "misp-attribute": "counter"
+ },
+ "Advesary": {
+ "description": "The advesary who attacks the victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Capability": {
+ "description": "The capability used to attack the victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Infrastructure": {
+ "description": "The infrastructure used in the attack",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Victim": {
+ "description": "The attacked victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Timestamp": {
+ "description": "Timestamp when the event happened",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "Phase": {
+ "description": "The event mapped to a phase of the killchain",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "Reconnaissance",
+ "Weaponization",
+ "Delivery",
+ "Exploitation",
+ "Installation",
+ "C2",
+ "Action on Objectives"
+ ]
+ },
+ "Result": {
+ "description": "The result of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Direction": {
+ "description": "The network-based direction of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "Victim-to-Infrastructure",
+ "Infrastructure-to-Victim",
+ "Infrastructure-to-Infrastructure",
+ "Adversary-to-Infrastructure",
+ "Infrastructure-to-Adversary",
+ "Bidirectional",
+ "Unknown"
+ ]
+ },
+ "Methodology": {
+ "description": "Mitre-Attack mapping of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Resources": {
+ "description": "The resources the attacker needed for the event to succeed",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Description": {
+ "description": "Further context to the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ioc": {
+ "description": "Generic IOC",
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
+ },
+ "textfield": {
+ "description": "Generic textfield",
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
+ }
+ }
+ }
\ No newline at end of file
From 25e1790e748d5acf6017c86730b876911a119614 Mon Sep 17 00:00:00 2001
From: Michael Trewen
Date: Tue, 13 Jun 2023 19:15:23 +0200
Subject: [PATCH 2/4] jq
---
 objects/diamond/definition.json | 208 ++++++++++++++++----------------
 1 file changed, 104 insertions(+), 104 deletions(-)
diff --git a/objects/diamond/definition.json b/objects/diamond/definition.json
index 23d66b9..5e88db1 100644
--- a/objects/diamond/definition.json
+++ b/objects/diamond/definition.json
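Review bot: The attribute key and the `required` entry are spelled `Advesary`, while the `Direction` values in the same file use `Adversary-to-Infrastructure`; the key is presumably the object-relation name that stored objects will carry, so correcting it after release means a rename, a `version` bump and a migration of existing data. I would fix it before merge to `"Adversary": {` and `"Adversary",` in `required`, and correct the lowercase `advesary` in the two description strings as well. The two jq reformat commits that follow (PATCH 2/4 and 3/4) carry the spelling over unchanged. Separately, the catch-all `ioc` attribute is typed `text`, so an indicator stored there loses its type (IP, domain, hash) and consumers cannot tell them apart; typed attributes for the indicator kinds this object is expected to hold would keep that information.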
@@ -1,106 +1,106 @@
 {
- "required": [
- "EventID",
- "Advesary",
- "Capability",
- "Infrastructure",
- "Victim"
- ],
- "version": 1,
- "description": "A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.",
- "meta-category": "internal",
- "uuid": "a9618450-694d-4c73-9f76-35ea0150c19e",
- "name": "diamond-event",
- "attributes": {
- "EventID": {
- "description": "Id of the event",
- "ui-priority": 0,
- "misp-attribute": "counter"
- },
- "Advesary": {
- "description": "The advesary who attacks the victim",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Capability": {
- "description": "The capability used to attack the victim",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Infrastructure": {
- "description": "The infrastructure used in the attack",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Victim": {
- "description": "The attacked victim",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Timestamp": {
- "description": "Timestamp when the event happened",
- "ui-priority": 0,
- "misp-attribute": "datetime"
- },
- "Phase": {
- "description": "The event mapped to a phase of the killchain",
- "ui-priority": 0,
- "misp-attribute": "text",
- "values_list": [
- "Reconnaissance",
- "Weaponization",
- "Delivery",
- "Exploitation",
- "Installation",
- "C2",
- "Action on Objectives"
- ]
- },
- "Result": {
- "description": "The result of the event",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Direction": {
- "description": "The network-based direction of the event",
- "ui-priority": 0,
- "misp-attribute": "text",
- "values_list": [
- "Victim-to-Infrastructure",
- "Infrastructure-to-Victim",
- "Infrastructure-to-Infrastructure",
- "Adversary-to-Infrastructure",
- "Infrastructure-to-Adversary",
- "Bidirectional",
- "Unknown"
- ]
- },
- "Methodology": {
- "description": "Mitre-Attack mapping of the event",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Resources": {
- "description": "The resources the attacker needed for the event to succeed",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Description": {
- "description": "Further context to the event",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "ioc": {
- "description": "Generic IOC",
- "ui-priority": 0,
- "multiple": true,
- "misp-attribute": "text"
- },
- "textfield": {
- "description": "Generic textfield",
- "ui-priority": 0,
- "multiple": true,
- "misp-attribute": "text"
- }
+ "required": [
+ "EventID",
+ "Advesary",
+ "Capability",
+ "Infrastructure",
+ "Victim"
+ ],
+ "version": 1,
+ "description": "A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.",
+ "meta-category": "internal",
+ "uuid": "a9618450-694d-4c73-9f76-35ea0150c19e",
+ "name": "diamond-event",
+ "attributes": {
+ "EventID": {
+ "description": "Id of the event",
+ "ui-priority": 0,
+ "misp-attribute": "counter"
+ },
+ "Advesary": {
+ "description": "The advesary who attacks the victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Capability": {
+ "description": "The capability used to attack the victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Infrastructure": {
+ "description": "The infrastructure used in the attack",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Victim": {
+ "description": "The attacked victim",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Timestamp": {
+ "description": "Timestamp when the event happened",
+ "ui-priority": 0,
+ "misp-attribute": "datetime"
+ },
+ "Phase": {
+ "description": "The event mapped to a phase of the killchain",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "Reconnaissance",
+ "Weaponization",
+ "Delivery",
+ "Exploitation",
+ "Installation",
+ "C2",
+ "Action on Objectives"
+ ]
+ },
+ "Result": {
+ "description": "The result of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Direction": {
+ "description": "The network-based direction of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text",
+ "values_list": [
+ "Victim-to-Infrastructure",
+ "Infrastructure-to-Victim",
+ "Infrastructure-to-Infrastructure",
+ "Adversary-to-Infrastructure",
+ "Infrastructure-to-Adversary",
+ "Bidirectional",
+ "Unknown"
+ ]
+ },
+ "Methodology": {
+ "description": "Mitre-Attack mapping of the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Resources": {
+ "description": "The resources the attacker needed for the event to succeed",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "Description": {
+ "description": "Further context to the event",
+ "ui-priority": 0,
+ "misp-attribute": "text"
+ },
+ "ioc": {
+ "description": "Generic IOC",
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
+ },
+ "textfield": {
+ "description": "Generic textfield",
+ "ui-priority": 0,
+ "multiple": true,
+ "misp-attribute": "text"
 }
- }
\ No newline at end of file
+ }
+}
\ No newline at end of file
From 241f4455ac573b512afc664a5d41944c7170126f Mon Sep 17 00:00:00 2001
From: Michael Trenker <74047317+MichaelTrenker@users.noreply.github.com>
Date: Wed, 14 Jun 2023 11:54:46 +0000
Subject: [PATCH 3/4] ran jq_all_the_things.sh
---
 objects/diamond/definition.json | 134 ++++++++++++++++----------------
 1 file changed, 67 insertions(+), 67 deletions(-)
diff --git a/objects/diamond/definition.json b/objects/diamond/definition.json
index 5e88db1..0833e14 100644
--- a/objects/diamond/definition.json
+++ b/objects/diamond/definition.json
@@ -1,70 +1,24 @@
 {
- "required": [
- "EventID",
- "Advesary",
- "Capability",
- "Infrastructure",
- "Victim"
- ],
- "version": 1,
- "description": "A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.",
- "meta-category": "internal",
- "uuid": "a9618450-694d-4c73-9f76-35ea0150c19e",
- "name": "diamond-event",
 "attributes": {
- "EventID": {
- "description": "Id of the event",
- "ui-priority": 0,
- "misp-attribute": "counter"
- },
 "Advesary": {
 "description": "The advesary who attacks the victim",
- "ui-priority": 0,
- "misp-attribute": "text"
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
 "Capability": {
 "description": "The capability used to attack the victim",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Infrastructure": {
- "description": "The infrastructure used in the attack",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Victim": {
- "description": "The attacked victim",
- "ui-priority": 0,
- "misp-attribute": "text"
- },
- "Timestamp": {
- "description": "Timestamp when the event happened",
- "ui-priority": 0,
- "misp-attribute": "datetime"
- },
- "Phase": {
- "description": "The event mapped to a phase of the killchain",
- "ui-priority": 0,
 "misp-attribute": "text",
- "values_list": [
- "Reconnaissance",
- "Weaponization",
- "Delivery",
- "Exploitation",
- "Installation",
- "C2",
- "Action on Objectives"
- ]
+ "ui-priority": 0
 },
- "Result": {
- "description": "The result of the event",
- "ui-priority": 0,
- "misp-attribute": "text"
+ "Description": {
+ "description": "Further context to the event",
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
 "Direction": {
 "description": "The network-based direction of the event",
- "ui-priority": 0,
 "misp-attribute": "text",
+ "ui-priority": 0,
 "values_list": [
 "Victim-to-Infrastructure",
 "Infrastructure-to-Victim",
@@ -75,32 +29,78 @@
 "Unknown"
 ]
 },
+ "EventID": {
+ "description": "Id of the event",
+ "misp-attribute": "counter",
+ "ui-priority": 0
+ },
+ "Infrastructure": {
+ "description": "The infrastructure used in the attack",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
 "Methodology": {
 "description": "Mitre-Attack mapping of the event",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "Phase": {
+ "description": "The event mapped to a phase of the killchain",
+ "misp-attribute": "text",
 "ui-priority": 0,
- "misp-attribute": "text"
+ "values_list": [
+ "Reconnaissance",
+ "Weaponization",
+ "Delivery",
+ "Exploitation",
+ "Installation",
+ "C2",
+ "Action on Objectives"
+ ]
 },
 "Resources": {
- "description": "The resources the attacker needed for the event to succeed",
- "ui-priority": 0,
- "misp-attribute": "text"
+ "description": "The resources the attacker needed for the event to succeed",
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
- "Description": {
- "description": "Further context to the event",
- "ui-priority": 0,
- "misp-attribute": "text"
+ "Result": {
+ "description": "The result of the event",
+ "misp-attribute": "text",
+ "ui-priority": 0
+ },
+ "Timestamp": {
+ "description": "Timestamp when the event happened",
+ "misp-attribute": "datetime",
+ "ui-priority": 0
+ },
+ "Victim": {
+ "description": "The attacked victim",
+ "misp-attribute": "text",
+ "ui-priority": 0
 },
 "ioc": {
 "description": "Generic IOC",
- "ui-priority": 0,
+ "misp-attribute": "text",
 "multiple": true,
- "misp-attribute": "text"
+ "ui-priority": 0
 },
 "textfield": {
 "description": "Generic textfield",
- "ui-priority": 0,
+ "misp-attribute": "text",
 "multiple": true,
- "misp-attribute": "text"
+ "ui-priority": 0
 }
- }
+ },
+ "description": "A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.",
+ "meta-category": "internal",
+ "name": "diamond-event",
+ "required": [
+ "EventID",
+ "Advesary",
+ "Capability",
+ "Infrastructure",
+ "Victim"
+ ],
+ "uuid": "a9618450-694d-4c73-9f76-35ea0150c19e",
+ "version": 1
 }
\ No newline at end of file
From 5d307f7c30d2244af5797f676ae4438d01ca0544 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 14 Jun 2023 17:36:22 +0200
Subject: [PATCH 4/4] chg: [cookie] cookie can be also only a key or a value This change is required for the AIL project export
---
 objects/cookie/definition.json | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/objects/cookie/definition.json b/objects/cookie/definition.json
index 1b2fe09..1b3a5ed 100644
--- a/objects/cookie/definition.json
+++ b/objects/cookie/definition.json
@@ -71,8 +71,10 @@
 "meta-category": "network",
 "name": "cookie",
 "required": [
- "cookie"
+ "cookie",
+ "cookie-name",
+ "cookie-value"
 ],
 "uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
- "version": 5
+ "version": 6
 }
\ No newline at end of file
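Review bot: Adding `cookie-name` and `cookie-value` to `required` appears to do the opposite of what the subject line describes: in MISP object templates every entry in `required` must be present, so an object holding only a name or only a value would now fail validation, and so would existing objects that carry just `cookie`. If the intent is "any one of these", the template format has `requiredOneOf` for that, i.e. `"requiredOneOf": ["cookie", "cookie-name", "cookie-value"]` in place of the `required` array. The hunk starts at line 71 of the file, so whether `cookie-name` and `cookie-value` are actually defined under `attributes` cannot be checked from here.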