Merge branch 'main' of github.com:MISP/misp-objects

pull/387/head
Christian Studer 2023-02-20 19:11:11 +01:00
commit fb7aad8eba
24 changed files with 779 additions and 44 deletions

.github/workflows/codeql.yml
View File

@ -0,0 +1,41 @@
name: "CodeQL"
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
schedule:
- cron: "43 15 * * 4"
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
language: [ python ]
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: ${{ matrix.language }}
queries: +security-and-quality
- name: Autobuild
uses: github/codeql-action/autobuild@v2
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
with:
category: "/language:${{ matrix.language }}"
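Review bot: every `uses:` in this workflow references a mutable major tag (`actions/checkout@v3`, `github/codeql-action/init@v2`, `autobuild@v2`, `analyze@v2`), so whatever those tags resolve to in the future runs in this repository with `security-events: write`; pin each action to a full commit SHA (keeping the tag in a trailing comment for readability) and let Dependabot or Renovate move the pins. The job-level `permissions` block is already the right shape: read-only `actions` and `contents`, write only on `security-events`. The `queries: +security-and-quality` selection will surface quality findings alongside security ones in the Security tab; keep it only if the maintainers intend to triage both.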

View File

@ -12,7 +12,7 @@ jobs:
runs-on: ubuntu-latest
strategy:
matrix:
python-version: [3.6, 3.7, 3.8, 3.9]
python-version: ['3.8', '3.9', '3.10']
steps:
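Review bot: the new matrix values are quoted, and that is required rather than cosmetic: an unquoted `3.10` is read by YAML as the float 3.1, and setup-python would then try to install Python 3.1; keep the quotes whenever a version is added. Since this matrix is the only place the repository's validation scripts are exercised, consider also adding '3.11' (released October 2022) so the scripts are known to run on a current interpreter.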

View File

@ -2,7 +2,7 @@
![Python application](https://github.com/MISP/misp-objects/workflows/Python%20application/badge.svg)
MISP objects used in MISP system and can be used by other information sharing tool. MISP objects
MISP objects used in MISP system and can be used by other information sharing tools. MISP objects
are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects
and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
@ -83,27 +83,28 @@ Feel free to propose your own MISP objects template to be included in MISP. The
}
~~~~
A MISP object is described in a simple JSON file containing the following element.
A MISP object is described in a simple JSON file containing the following elements.
* **name** is the name of the your object.
* **meta-category** is the category where the object falls into. (such as file, network, financial, misc, internal...)
* **description** is a summary of the object description.
* **version** is the version number as a decimal value.
* **required** is an array containing the minimal required attributes to describe the object.
* **requiredOneOf** is an array containing the attributes where at least one need to be present to describe the object.
* **requiredOneOf** is an array containing the attributes where at least one needs to be present to describe the object.
* **attributes** contains another JSON object listing all the attributes composing the object.
Each attribute must contain a reference **misp-attribute** to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive).
An array **categories** shall be used to described in which categories the attribute is. The **ui-priority**
An array **categories** shall be used to describe in which categories the attribute is. The **ui-priority**
describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and
allowing advanced users to show all the attributes depending of their configuration. An optional **multiple** field
shall be set to true if multiple elements of the same key can be used in the object. An optional **values_list**
where this list of value can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend
where this list of values can be selected as a value for an attribute. An optional **sane_default** where this list of value recommend
potential a sane default for an attribute. An optional **disable_correlation** boolean field to suggest the disabling of correlation
for a specific attribute. An optional **to_ids** boolean field to disable the IDS flag of an attribute.
## Existing MISP objects
- [objects/ADS](https://github.com/MISP/misp-objects/blob/main/objects/ADS/definition.json) - An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
- [objects/ail-leak](https://github.com/MISP/misp-objects/blob/main/objects/ail-leak/definition.json) - An information leak as defined by the AIL Analysis Information Leak framework.
- [objects/ais-info](https://github.com/MISP/misp-objects/blob/main/objects/ais-info/definition.json) - Automated Indicator Sharing (AIS) Information Source Markings.
- [objects/android-app](https://github.com/MISP/misp-objects/blob/main/objects/android-app/definition.json) - Indicators related to an Android app.
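Review bot: the `sane_default` sentence is only half repaired. After the edit it still reads `An optional **sane_default** where this list of value recommend potential a sane default for an attribute.`; suggested wording: `An optional **sane_default** lists values recommended as sane defaults for an attribute.` Separately, `version` is documented as "a decimal value" while every template touched in this commit treats it as an integer bumped by one per change (artifact 1 to 2, asn 4 to 5, cookie 4 to 5, person 18 to 19); "an integer, incremented on every change to the template" would describe the actual practice and tell contributors what MISP uses it for.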
@ -111,8 +112,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/annotation](https://github.com/MISP/misp-objects/blob/main/objects/annotation/definition.json) - An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
- [objects/anonymisation](https://github.com/MISP/misp-objects/blob/main/objects/anonymisation/definition.json) - Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
- [objects/apivoid-email-verification](https://github.com/MISP/misp-objects/blob/main/objects/apivoid-email-verification/definition.json) - Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.
- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1).
- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
- [objects/artifact](https://github.com/MISP/misp-objects/blob/main/objects/artifact/definition.json) - The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).
- [objects/asn](https://github.com/MISP/misp-objects/blob/main/objects/asn/definition.json) - Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
- [objects/attack-pattern](https://github.com/MISP/misp-objects/blob/main/objects/attack-pattern/definition.json) - Attack pattern describing a common attack pattern enumeration and classification.
- [objects/attack-step](https://github.com/MISP/misp-objects/blob/main/objects/attack-step/definition.json) - An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
- [objects/authentication-failure-report](https://github.com/MISP/misp-objects/blob/main/objects/authentication-failure-report/definition.json) - Authentication Failure Report.
@ -124,7 +125,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/blog](https://github.com/MISP/misp-objects/blob/main/objects/blog/definition.json) - Blog post like Medium or WordPress.
- [objects/boleto](https://github.com/MISP/misp-objects/blob/main/objects/boleto/definition.json) - A common form of payment used in Brazil.
- [objects/btc-transaction](https://github.com/MISP/misp-objects/blob/main/objects/btc-transaction/definition.json) - An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.
- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.
- [objects/btc-wallet](https://github.com/MISP/misp-objects/blob/main/objects/btc-wallet/definition.json) - An object to describe a Bitcoin wallet. Best to be used with bitcoin-transaction.
- [objects/cap-alert](https://github.com/MISP/misp-objects/blob/main/objects/cap-alert/definition.json) - Common Alerting Protocol Version (CAP) alert object.
- [objects/cap-info](https://github.com/MISP/misp-objects/blob/main/objects/cap-info/definition.json) - Common Alerting Protocol Version (CAP) info object.
- [objects/cap-resource](https://github.com/MISP/misp-objects/blob/main/objects/cap-resource/definition.json) - Common Alerting Protocol Version (CAP) resource object.
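Review bot: the btc-wallet line still points at a `bitcoin-transaction` object that does not exist; the companion template is `btc-transaction` (listed two lines above), and `objects/btc-wallet/definition.json` in this same commit now says "Best to be used with btc-transaction object." Make the README entry say `btc-transaction` too, so the two descriptions do not drift apart.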
@ -133,9 +134,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/command](https://github.com/MISP/misp-objects/blob/main/objects/command/definition.json) - Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.
- [objects/command-line](https://github.com/MISP/misp-objects/blob/main/objects/command-line/definition.json) - Command line and options related to a specific command executed by a program, whether it is malicious or not.
- [objects/concordia-mtmf-intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/concordia-mtmf-intrusion-set/definition.json) - Intrusion Set - Phase Description.
- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.
- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.
- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing an Cortex Taxonomy (or mini report).
- [objects/cookie](https://github.com/MISP/misp-objects/blob/main/objects/cookie/definition.json) - An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.
- [objects/cortex](https://github.com/MISP/misp-objects/blob/main/objects/cortex/definition.json) - Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.
- [objects/cortex-taxonomy](https://github.com/MISP/misp-objects/blob/main/objects/cortex-taxonomy/definition.json) - Cortex object describing a Cortex Taxonomy (or mini report).
- [objects/course-of-action](https://github.com/MISP/misp-objects/blob/main/objects/course-of-action/definition.json) - An object describing a specific measure taken to prevent or respond to an attack.
- [objects/covid19-csse-daily-report](https://github.com/MISP/misp-objects/blob/main/objects/covid19-csse-daily-report/definition.json) - CSSE COVID-19 Daily report.
- [objects/covid19-dxy-live-city](https://github.com/MISP/misp-objects/blob/main/objects/covid19-dxy-live-city/definition.json) - COVID 19 from dxy.cn - Aggregation by city.
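Review bot: the cortex entry is still ungrammatical after this edit: `Observables would be attribute with a relationship from this object.` should read `Observables would be attributes with a relationship from this object.` The same sentence lives in `objects/cortex/definition.json`, which is also edited in this commit, so fix both in one go.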
@ -161,11 +162,13 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/email](https://github.com/MISP/misp-objects/blob/main/objects/email/definition.json) - Email object describing an email with meta-information.
- [objects/employee](https://github.com/MISP/misp-objects/blob/main/objects/employee/definition.json) - An employee and related data points.
- [objects/error-message](https://github.com/MISP/misp-objects/blob/main/objects/error-message/definition.json) - An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.
- [objects/exploit](https://github.com/MISP/misp-objects/blob/main/objects/exploit/definition.json) - Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.
- [objects/exploit-poc](https://github.com/MISP/misp-objects/blob/main/objects/exploit-poc/definition.json) - Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
- [objects/facebook-account](https://github.com/MISP/misp-objects/blob/main/objects/facebook-account/definition.json) - Facebook account.
- [objects/facebook-group](https://github.com/MISP/misp-objects/blob/main/objects/facebook-group/definition.json) - Public or private facebook group.
- [objects/facebook-page](https://github.com/MISP/misp-objects/blob/main/objects/facebook-page/definition.json) - Facebook page.
- [objects/facebook-post](https://github.com/MISP/misp-objects/blob/main/objects/facebook-post/definition.json) - Post on a Facebook wall.
- [objects/facebook-reaction](https://github.com/MISP/misp-objects/blob/main/objects/facebook-reaction/definition.json) - Reaction to facebook posts.
- [objects/facial-composite](https://github.com/MISP/misp-objects/blob/main/objects/facial-composite/definition.json) - An object which describes a facial composite.
- [objects/fail2ban](https://github.com/MISP/misp-objects/blob/main/objects/fail2ban/definition.json) - Fail2ban event.
- [objects/favicon](https://github.com/MISP/misp-objects/blob/main/objects/favicon/definition.json) - A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
@ -247,6 +250,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/intelmq_report](https://github.com/MISP/misp-objects/blob/main/objects/intelmq_report/definition.json) - IntelMQ Report.
- [objects/internal-reference](https://github.com/MISP/misp-objects/blob/main/objects/internal-reference/definition.json) - Internal reference.
- [objects/interpol-notice](https://github.com/MISP/misp-objects/blob/main/objects/interpol-notice/definition.json) - An object which describes a Interpol notice.
- [objects/intrusion-set](https://github.com/MISP/misp-objects/blob/main/objects/intrusion-set/definition.json) - A object template describing an Intrusion Set as defined in STIX 2.1. An Intrusion Set is a grouped set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Threat Actor. New activity can be attributed to an Intrusion Set even if the Threat Actors behind the attack are not known. Threat Actors can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets. Where a Campaign is a set of attacks over a period of time against a specific set of targets to achieve some objective, an Intrusion Set is the entire attack package and may be used over a very long period of time in multiple Campaigns to achieve potentially multiple purposes. While sometimes an Intrusion Set is not active, or changes focus, it is usually difficult to know if it has truly disappeared or ended. Analysts may have varying level of fidelity on attributing an Intrusion Set back to Threat Actors and may be able to only attribute it back to a nation state or perhaps back to an organization within that nation state.
- [objects/iot-device](https://github.com/MISP/misp-objects/blob/main/objects/iot-device/definition.json) - An IoT device.
- [objects/iot-firmware](https://github.com/MISP/misp-objects/blob/main/objects/iot-firmware/definition.json) - A firmware for an IoT device.
- [objects/ip-api-address](https://github.com/MISP/misp-objects/blob/main/objects/ip-api-address/definition.json) - IP Address information. Useful if you are pulling your ip information from ip-api.com.
@ -288,6 +292,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/pcap-metadata](https://github.com/MISP/misp-objects/blob/main/objects/pcap-metadata/definition.json) - Network packet capture metadata.
- [objects/pe](https://github.com/MISP/misp-objects/blob/main/objects/pe/definition.json) - Object describing a Portable Executable.
- [objects/pe-section](https://github.com/MISP/misp-objects/blob/main/objects/pe-section/definition.json) - Object describing a section of a Portable Executable.
- [objects/Deception PersNOna](https://github.com/MISP/misp-objects/blob/main/objects/Deception PersNOna/definition.json) - Fake persona with tasks.
- [objects/person](https://github.com/MISP/misp-objects/blob/main/objects/person/definition.json) - An object which describes a person or an identity.
- [objects/personification](https://github.com/MISP/misp-objects/blob/main/objects/personification/definition.json) - An object which describes a person or an identity.
- [objects/pgp-meta](https://github.com/MISP/misp-objects/blob/main/objects/pgp-meta/definition.json) - Metadata extracted from a PGP keyblock, message or signature.
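Review bot: `objects/Deception PersNOna` violates the rule this README states further down ("Use lower-case names without underscore or special characters (except minus)"): the name carries a space and capital letters, the link `.../objects/Deception PersNOna/definition.json` contains an unencoded space, and the entry is filed between `pe-section` and `person` where alphabetical order would not place it. Rename the directory and the template to something like `deception-persona` before this is released, since template names are effectively frozen once instances have synced them.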
@ -358,7 +363,9 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/target-system](https://github.com/MISP/misp-objects/blob/main/objects/target-system/definition.json) - Description about an targeted system, this could potentially be a compromissed internal system.
- [objects/tattoo](https://github.com/MISP/misp-objects/blob/main/objects/tattoo/definition.json) - Describes tattoos on a natural person's body.
- [objects/telegram-account](https://github.com/MISP/misp-objects/blob/main/objects/telegram-account/definition.json) - Information related to a telegram account.
- [objects/telegram-bot](https://github.com/MISP/misp-objects/blob/main/objects/telegram-bot/definition.json) - Information related to a telegram bot.
- [objects/temporal-event](https://github.com/MISP/misp-objects/blob/main/objects/temporal-event/definition.json) - A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid.
- [objects/thaicert-group-cards](https://github.com/MISP/misp-objects/blob/main/objects/thaicert-group-cards/definition.json) - Adversary group cards inspired by ThaiCERT.
- [objects/threatgrid-report](https://github.com/MISP/misp-objects/blob/main/objects/threatgrid-report/definition.json) - ThreatGrid report.
- [objects/timecode](https://github.com/MISP/misp-objects/blob/main/objects/timecode/definition.json) - Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.
- [objects/timesketch-timeline](https://github.com/MISP/misp-objects/blob/main/objects/timesketch-timeline/definition.json) - A timesketch timeline object based on mandatory field in timesketch to describe a log entry.
@ -379,6 +386,8 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
- [objects/twitter-account](https://github.com/MISP/misp-objects/blob/main/objects/twitter-account/definition.json) - Twitter account.
- [objects/twitter-list](https://github.com/MISP/misp-objects/blob/main/objects/twitter-list/definition.json) - Twitter list.
- [objects/twitter-post](https://github.com/MISP/misp-objects/blob/main/objects/twitter-post/definition.json) - Twitter post (tweet).
- [objects/typosquatting-finder](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder/definition.json) - Typosquatting info.
- [objects/typosquatting-finder-result](https://github.com/MISP/misp-objects/blob/main/objects/typosquatting-finder-result/definition.json) - Typosquatting result.
- [objects/url](https://github.com/MISP/misp-objects/blob/main/objects/url/definition.json) - url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
- [objects/user-account](https://github.com/MISP/misp-objects/blob/main/objects/user-account/definition.json) - User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
- [objects/vehicle](https://github.com/MISP/misp-objects/blob/main/objects/vehicle/definition.json) - Vehicle object template to describe a vehicle information and registration.
@ -407,9 +416,9 @@ The MISP object model is open and allows user to use their own relationships. MI
## How to contribute MISP objects?
Fork the project, create a new directory in the [objects directory](objects/) matching your object name. Objects must be composed
of existing MISP attributes. If you are missing a specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP).
of existing MISP attributes. If you are missing any specific attributes, feel free to open an issue in the [MISP project](https://www.github.com/MISP/MISP).
We recommend to add a **text** attribute in a object to allow users to add comments or correlating text.
We recommend to add a **text** attribute in an object to allow users to add comments or correlate text.
If the unparsed object can be included, a **raw-base64** attribute can be used in the object to import the whole object.
@ -419,7 +428,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is
### Best practices when creating MISP object templates
- Use lower-case name without underscore or special characters (except minus) for the field names
- Use lower-case names without underscore or special characters (except minus) for the field names
- Add a description in the object template explaining the scope and use-cases of your object templates
- If the object is the mapping of an existing format, add a reference into the description of the object template
- `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
@ -438,7 +447,7 @@ MISP objects are dynamically used objects that are contributed by users of MISP
The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.
The MISP objects model allows to add new combined indicators format based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can be then propagated along with the indicators itself.
The MISP object model allows for adding new combined indicator formats based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can then be propagated along with the indicators itself.
## License

View File

@ -10,6 +10,7 @@ do
cat ${dir} | jq . >/dev/null
rc=$?
if [[ $rc != 0 ]]; then exit $rc; fi
cat ${dir} | jq -r .uuid | uuidparse
done
set -e
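Review bot: the new `uuidparse` line never fails the check. `uuidparse` exits 0 for malformed input (it just prints `invalid` in its type column), its exit status is not tested here, unlike the `jq` call just above whose `rc` is checked, and `set -e` is only re-enabled after the loop. The two bad UUIDs corrected elsewhere in this commit (`8be2271-7326-41a5-a0dd-9b4bec88e1ba`, `9297982e-be62-4772-a665-c91f5a8d639`) would therefore have passed this validation. Match the shape explicitly instead, for example `jq -r .uuid "${dir}" | grep -Eiq '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$' || exit 1` (case-insensitive, because `btc-wallet` uses an upper-case UUID), and consider collecting the UUIDs across all templates and failing on duplicates as well.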

View File

@ -0,0 +1,81 @@
{
"attributes": {
"acd-element": {
"description": "lists the steps required to generate a representative true positive event which triggers this alert.",
"misp-attribute": "text",
"ui-priority": 0
},
"additional_resources": {
"description": "Any other internal, external, or technical references that may be useful for understanding the ADS.",
"misp-attribute": "url",
"multiple": true,
"ui-priority": 2
},
"blind_spots_and_assumptions": {
"description": "Recognized issues, assumptions, and areas where an ADS may not fire.",
"misp-attribute": "text",
"ui-priority": 7
},
"categorization": {
"description": "Provides a mapping of the ADS to the relevant entry in the Att&CK.",
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"date": {
"description": "Enter date, when ADS has been created or edited.",
"misp-attribute": "datetime",
"ui-priority": 12
},
"false_positives": {
"description": "Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.",
"misp-attribute": "text",
"ui-priority": 6
},
"goal": {
"description": "Short, plaintext description of the type of behavior the ADS is supposed to detect.",
"misp-attribute": "text",
"ui-priority": 11
},
"priority": {
"description": "Describes the various alerting levels that an ADS may be tagged with.",
"misp-attribute": "text",
"ui-priority": 4
},
"responses": {
"description": "General response steps in the event that this alert fired.",
"misp-attribute": "text",
"ui-priority": 3
},
"sigma_rule": {
"description": "Rule in SIGMA format.",
"misp-attribute": "sigma",
"ui-priority": 1
},
"strategy_abstract": {
"description": "High-level walkthrough of how the ADS functions.",
"misp-attribute": "text",
"ui-priority": 9
},
"technical_context": {
"description": "Detailed information and background needed for a responder to understand all components of the alert. ",
"misp-attribute": "text",
"ui-priority": 8
},
"validation": {
"description": "lists the steps required to generate a representative true positive event which triggers this alert.",
"misp-attribute": "text",
"ui-priority": 5
}
},
"description": "An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.",
"meta-category": "misc",
"name": "ADS",
"required": [
"date",
"goal",
"categorization"
],
"uuid": "07a7f4cf-e738-47ad-b045-34c3b382f3b4",
"version": 1
}
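Review bot: `acd-element` and `validation` carry the identical description ("lists the steps required to generate a representative true positive event which triggers this alert."), which looks like a copy-paste; `acd-element` should describe what the ACD element of an ADS is. Two of this repository's own best practices are also broken: the template `name` is upper-case (`ADS`) and the attribute keys use underscores (`additional_resources`, `blind_spots_and_assumptions`, `sigma_rule`, ...), whereas the other templates in this commit use hyphens (`pe-section`, `passport-creation`). Keys and names are effectively immutable once published, so this is the moment to change them to `ads` and hyphenated keys. Smaller points: `Att&CK` should read `ATT&CK`, and the long free-text attributes (`technical_context`, `strategy_abstract`, `blind_spots_and_assumptions`) would normally get `"disable_correlation": true`, as several fields in the person and PersNOna templates in this commit do, so that unrelated ADS entries do not correlate on boilerplate text.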

View File

@ -33,7 +33,7 @@
"ui-priority": 0
}
},
"description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. from STIX 2.1 (6.1)",
"description": "The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1)",
"meta-category": "file",
"name": "artifact",
"requiredOneOf": [
@ -41,5 +41,5 @@
"url"
],
"uuid": "0a46df3a-bd9b-472c-a1e7-6aede7094483",
"version": 1
"version": 2
}

View File

@ -58,12 +58,12 @@
"ui-priority": 0
}
},
"description": "Autonomous system object describing an autonomous system which can include one or more network operators management an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
"description": "Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.",
"meta-category": "network",
"name": "asn",
"requiredOneOf": [
"asn"
],
"uuid": "4ec55cc6-9e49-4c64-b794-03c25c1a6587",
"version": 4
"version": 5
}

View File

@ -30,12 +30,12 @@
"ui-priority": 0
}
},
"description": "An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.",
"description": "An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.",
"meta-category": "financial",
"name": "btc-wallet",
"requiredOneOf": [
"wallet-address"
],
"uuid": "22910C83-DD0E-4ED2-9823-45F8CAD562A4",
"version": 2
"version": 3
}

View File

@ -67,12 +67,12 @@
"ui-priority": 0
}
},
"description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation.",
"description": "An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.",
"meta-category": "network",
"name": "cookie",
"required": [
"cookie"
],
"uuid": "7755ad19-55c7-4da4-805e-197cf81bbcb8",
"version": 4
"version": 5
}

View File

@ -53,7 +53,7 @@
"ui-priority": 2
}
},
"description": "Cortex object describing an Cortex Taxonomy (or mini report)",
"description": "Cortex object describing a Cortex Taxonomy (or mini report)",
"meta-category": "misc",
"name": "cortex-taxonomy",
"required": [
@ -63,5 +63,5 @@
"level"
],
"uuid": "bef7d23b-e796-4d46-803a-32e317896894",
"version": 5
"version": 6
}

View File

@ -41,12 +41,12 @@
"ui-priority": 0
}
},
"description": "Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.",
"description": "Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.",
"meta-category": "misc",
"name": "cortex",
"requiredOneOf": [
"full"
],
"uuid": "144988f3-fa00-4374-8015-c1a32092f451",
"version": 2
"version": 3
}

View File

@ -35,6 +35,11 @@
"multiple": true,
"ui-priority": 0
},
"description": {
"description": "Description of the exploit.",
"misp-attribute": "text",
"ui-priority": 1
},
"exploit": {
"description": "Free text of the exploit.",
"misp-attribute": "text",
@ -76,6 +81,11 @@
"misp-attribute": "link",
"multiple": true,
"ui-priority": 0
},
"title": {
"description": "Title of the exploit.",
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.",
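Review bot: two attributes are added to this template but no `version` bump appears in either hunk. MISP instances only replace a template when its `version` increases, so without bumping it (every other edited template in this commit does, e.g. `asn` 4 to 5) existing instances keep the old definition and never offer `title` or `description`. Also, both new keys are given `ui-priority: 1` while the attributes around them use 0; confirm that is intended rather than inherited from a copy-paste.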

View File

@ -56,6 +56,6 @@
"processing-timestamp",
"attack-type"
],
"uuid": "8be2271-7326-41a5-a0dd-9b4bec88e1ba",
"version": 5
"uuid": "32f7ded6-e774-4401-81b0-79634e82f589",
"version": 6
}
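Review bot: replacing the template UUID is a breaking change for anyone who already holds objects built from this template: objects reference their template by `template_uuid`, so instances that synced the old value will no longer match those objects to `32f7ded6-e774-4401-81b0-79634e82f589`, and the version bump to 6 does not migrate them. The old value `8be2271-7326-41a5-a0dd-9b4bec88e1ba` has only seven hex digits in its first group and was never a valid UUID, which justifies the fix, but the change should be called out in the changelog and the new UUID checked for uniqueness across `objects/`.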

View File

@ -51,6 +51,6 @@
"activityType",
"datetime"
],
"uuid": "9297982e-be62-4772-a665-c91f5a8d639",
"version": 3
"uuid": "58149b06-eabe-4937-9dac-01d63f504e14",
"version": 4
}
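Review bot: `9297982e-be62-4772-a665-c91f5a8d639` was malformed (eleven hex digits in the last group), so correcting it is right, but swapping in `58149b06-eabe-4937-9dac-01d63f504e14` orphans any object already created against the old template UUID, and the bump from 3 to 4 does not re-link them. Worth a changelog entry naming the affected template, and the new value should be verified as unique across all templates.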

View File

@ -0,0 +1,103 @@
{
"attributes": {
"actions": {
"description": "Actions by this PersNOna or engagement with adversary or relateda party.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 7
},
"alias": {
"description": "Aliases or Nicknames of fake PesNOna on differenet media.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"background": {
"description": "Background of operation, PersNOna or actions, which needs to be explain to other party in case of share of this profile.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 2
},
"conversations": {
"description": "Conversations with targets",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"critical_tasks": {
"description": "Critical Tasks or tasks which this PersNOna has to accomplish.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 6
},
"goals": {
"description": "Goals of creating of this PersNOna.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 5
},
"location": {
"description": "Location, where PersNOna is right now at home, home town, county, country etc.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 3
},
"media": {
"description": "Media where is PersNOna active ie. facebook, telegram etc.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 10
},
"name": {
"description": "Name - full name of PersNOna.",
"disable_correlation": false,
"misp-attribute": "full-name",
"multiple": true,
"ui-priority": 1
},
"oppportunities": {
"description": "Opportunities for another development, introducing another PersNOna etc.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 9
},
"photo": {
"description": "Photo of PersNOna, url where is photo uploaded or website of fake profile as LinkedIn etc.",
"disable_correlation": false,
"misp-attribute": "url",
"multiple": false,
"ui-priority": 0
},
"questions": {
"description": "Questions, which have to be answered by this profile goal.",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 8
},
"responsi": {
"description": "Responsibilities of PersNOna, who this PersNOna communicates with, what should discuss and how far.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 4
}
},
"description": "Fake persona with tasks",
"meta-category": "misc",
"name": "Deception PersNOna",
"required": [
"name"
],
"uuid": "a80828dc-07bf-4d5c-ab82-8160ee5bdd6d",
"version": 1
}
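Review bot: two attribute keys are misspelled, and keys are the one thing that cannot be quietly fixed once a template is published: "oppportunities" should be "opportunities" and "responsi" reads as a truncation of "responsibilities". The object "name" "Deception PersNOna" also breaks the lowercase hyphenated naming every other new template in this commit uses ("ransomware-group-post", "transport-ticket", "typosquatting-finder"); "deception-persona" would fit. While the keys are being fixed, the descriptions need a pass: "relateda party", "PesNOna" (inconsistent even if "PersNOna" is intentional stylisation), "differenet", "needs to be explain", "Media where is PersNOna active", "url where is photo uploaded". Finally "conversations" and "media" both carry ui-priority 10 and "alias" and "name" both carry 1, so the form ordering between those pairs is undefined.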

View File

@ -165,8 +165,14 @@
"misp-attribute": "passport-country",
"ui-priority": 0
},
"passport-creation": {
"description": "The creation date of the passport.",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 0
},
"passport-expiration": {
"description": "The expiration date of a passport.",
"description": "The expiration date of the passport.",
"disable_correlation": true,
"misp-attribute": "passport-expiration",
"ui-priority": 0
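Review bot: "passport-creation" is typed "datetime" while its sibling "passport-expiration" uses the dedicated "passport-expiration" attribute type; that is acceptable if no passport-specific creation type exists, but the description "The creation date of the passport" is an odd phrase for a travel document, which carries an issue date. "passport-issue" with "The issue date of the passport" would be clearer and would pair naturally with the expiration attribute. Setting disable_correlation true here matches the expiration attribute, which is good.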
@ -249,5 +255,5 @@
"handle"
],
"uuid": "a15b0477-e9d1-4b9c-9546-abe78a4f4248",
"version": 18
"version": 19
}

View File

@ -0,0 +1,34 @@
{
"attributes": {
"date": {
"description": "Last update of the post as seen on the ransomware group blog. Different than the first/last seen from the crawling.",
"misp-attribute": "datetime",
"ui-priority": 0
},
"description": {
"description": "Raw post.",
"misp-attribute": "text",
"ui-priority": 1
},
"link": {
"description": "Original URL location of the post.",
"misp-attribute": "link",
"ui-priority": 1
},
"title": {
"description": "Title of blog post.",
"misp-attribute": "text",
"ui-priority": 1
}
},
"description": "Ransomware group post as monitored by ransomlook.io",
"meta-category": "misc",
"name": "ransomware-group-post",
"requiredOneOf": [
"title",
"description",
"link"
],
"uuid": "52a0e179-4942-41e6-90f5-7db856fd6f39",
"version": 1
}
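Review bot: "date" has no disable_correlation flag, whereas every datetime attribute in the transport-ticket template added in this same commit sets "disable_correlation": true; a last-updated timestamp correlating across events is almost always noise. The "description" attribute holding the raw post body will likewise correlate on its full text; that may be wanted (the same leak post reposted across crawls), but decide and set the flag explicitly rather than inheriting the default. Naming the raw-body attribute "description" is also easy to confuse with the template-level "description" key; "post" or "content" would read better.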

View File

@ -0,0 +1,68 @@
{
"attributes": {
"country": {
"description": "Country of group - group location where it operates from.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 1
},
"description": {
"description": "Description of group activities or TTP used for group actions.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": false,
"ui-priority": 4
},
"more informations": {
"description": "List more informations by url - reports, group links etc..",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 7
},
"motivation": {
"description": "Motivation behind group ie. espionage, ransomware, other criminal activity, hacktivism . . .",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 3
},
"name": {
"description": "Names or nicknames for group.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"observed": {
"description": "What sector is this group active at? Government, telecommunication etc and country of activity.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 5
},
"sponsor": {
"description": "Sponsor of group ie. country, state, criminal ring, cartel etc..",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 2
},
"tools used": {
"description": "What known tools are used by group.",
"disable_correlation": false,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 6
}
},
"description": "Adversary group cards inspired by ThaiCERT",
"meta-category": "misc",
"name": "thaicert-group-cards",
"required": [
"name"
],
"uuid": "f42db88d-1889-4c2f-a903-971cf8e65174",
"version": 3
}
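Review bot: the keys "more informations" and "tools used" contain spaces while every other template in this commit uses lowercase hyphenated keys; rename them to "more-information" and "tools-used" before this ships, since keys are part of the object relation and are effectively permanent. "more informations" is described as a list of URLs ("List more informations by url") yet typed "text"; "link" or "url" would make the values clickable and correlate as URLs. The "observed" description folds two different things together (sector of activity and country of activity); split them or make the description say which one the value holds. Also, the other new templates in this commit start at "version": 1, so a brand-new file at version 3 looks like a leftover from local iterations.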

View File

@ -0,0 +1,107 @@
{
"attributes": {
"class": {
"description": "Class of the ticket",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"First",
"Second",
"Business",
"Flex",
"Economy"
],
"ui-priority": 0
},
"company": {
"description": "Street name",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"copy": {
"description": "Copy of the ticket such as a photography or a FAX",
"misp-attribute": "attachment",
"multiple": true,
"ui-priority": 10
},
"date-of-arrival": {
"description": "Date of arrival",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"date-of-departure": {
"description": "Date of departure",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"date-of-purchase": {
"description": "Date of purchase",
"disable_correlation": true,
"misp-attribute": "datetime",
"ui-priority": 1
},
"description": {
"description": "Description",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"destination": {
"description": "Destination",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 1
},
"origin": {
"description": "Origin",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"ticket-number": {
"description": "Ticket Number",
"disable_correlation": true,
"misp-attribute": "text",
"multiple": true,
"ui-priority": 0
},
"type-of-ticket": {
"description": "Type of ticket",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Purchase ticket",
"Boarding pass",
"Other"
],
"ui-priority": 1
},
"type-of-transport": {
"description": "Type of transport",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
"Plane",
"Train",
"Bus",
"Metro",
"Taxi",
"Ferry",
"Other"
],
"ui-priority": 1
}
},
"description": "A transport ticket.",
"meta-category": "misc",
"name": "transport-ticket",
"requiredOneOf": [
"destination",
"origin"
],
"uuid": "8d6bd699-86f8-477c-aac3-a7f273c19266",
"version": 2
}
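Review bot: "company" is described as "Street name", which is a copy-paste leftover from an address-style template; it should describe the carrier, e.g. "Transport company that issued the ticket". "ticket-number" is set to "disable_correlation": true, yet a ticket or booking number is exactly the kind of value worth correlating across events (same traveller, same booking seen in two investigations); consider leaving correlation on for that one attribute while keeping it off for dates, origin and destination. "copy" is the only attribute without an explicit disable_correlation entry; add one for consistency with the rest of the template.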

View File

@ -0,0 +1,89 @@
{
"attributes": {
"a-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IPv4 address associated with A record",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"aaaa-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "IPv6 address associated with AAAA record",
"misp-attribute": "ip-dst",
"multiple": true,
"ui-priority": 1
},
"mx-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain associated with MX record",
"misp-attribute": "domain",
"multiple": true,
"ui-priority": 1
},
"ns-record": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain associated with NS record",
"misp-attribute": "domain",
"multiple": true,
"ui-priority": 1
},
"queried-domain": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Domain name",
"misp-attribute": "domain",
"ui-priority": 1
},
"ratio-similarity": {
"description": "Similarity probability",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-ressource-diff": {
"description": "Difference of website's ressources between both, research and current variations domain",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-similarity": {
"description": "Similarity between website of both research and current variations domain",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"website-title": {
"description": "Website's title of the current queried domain",
"disable_correlation": false,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
}
},
"description": "Typosquatting result",
"meta-category": "network",
"name": "typosquatting-finder-result",
"required": [
"queried-domain"
],
"uuid": "22151d90-b39b-498c-86c7-126ddd2e1a55",
"version": 1
}
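Review bot: the key "website-ressource-diff" carries the French spelling "ressource"; since keys are permanent once published, fix it to "website-resource-diff" now, and "ressources" in its description at the same time. "ratio-similarity" is described as a "Similarity probability" but typed "text"; the "float" attribute type would let consumers sort and filter numerically instead of parsing strings. "mx-record" and "ns-record" hold the hostnames of mail exchangers and name servers; "domain" works, but "hostname" is the closer type for those values. The "a-record" and "aaaa-record" entries both use "ip-dst", which is consistent with how resolved addresses are usually stored, so no change there.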

View File

@ -0,0 +1,37 @@
{
"attributes": {
"research-domain": {
"categories": [
"Network activity",
"External analysis"
],
"description": "Research domain name",
"disable_correlation": false,
"misp-attribute": "domain",
"recommended": false,
"ui-priority": 1
},
"variations-found-number": {
"description": "Number of variations for the research domain that some info is found.",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
},
"variations-number": {
"description": "Number of variations for the research domain.",
"disable_correlation": true,
"misp-attribute": "text",
"recommended": false,
"ui-priority": 1
}
},
"description": "Typosquatting info",
"meta-category": "network",
"name": "typosquatting-finder",
"required": [
"research-domain"
],
"uuid": "3414fbe7-6f8c-4ed5-bc51-9a11a3a29822",
"version": 1
}
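Review bot: "variations-number" and "variations-found-number" are counts but typed "text"; the "counter" attribute type fits them. "research-domain" is listed under "required" yet carries "recommended": false, which contradicts itself; drop the recommended flag. The description "Number of variations for the research domain that some info is found." is ungrammatical; "Number of variations of the research domain for which information was found" reads better. Nothing in this template or in the companion typosquatting-finder-result template ties a result back to the domain it was generated for, so document the expected object reference between the two.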

View File

@ -19,7 +19,7 @@
"ui-priority": 0
},
"exterior-color": {
"description": "Exterior color of the vehicule",
"description": "Exterior color of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
@ -49,7 +49,7 @@
"ui-priority": 0
},
"interior-color": {
"description": "Interior color of the vehicule",
"description": "Interior color of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
@ -73,13 +73,13 @@
"ui-priority": 0
},
"state": {
"description": "State of the vehicule (stolen or recovered)",
"description": "State of the vehicle (stolen or recovered)",
"disable_correlation": true,
"misp-attribute": "text",
"ui-priority": 0
},
"type": {
"description": "Type of the vehicule",
"description": "Type of the vehicle",
"disable_correlation": true,
"misp-attribute": "text",
"sane_default": [
@ -125,5 +125,5 @@
"indicative-value"
],
"uuid": "683c076c-f695-4ff2-8efa-e98a418049f4",
"version": 3
"version": 4
}

View File

@ -77,8 +77,8 @@
"misp-attribute": "text",
"multiple": true,
"sane_default": [
"agriculture",
"aerospace",
"agriculture",
"automotive",
"communications",
"construction",
@ -88,14 +88,16 @@
"engineering",
"entertainment",
"financial services",
"government national",
"government regional",
"government local",
"government national",
"government public services",
"government regional",
"healthcare",
"hospitality leisure",
"information and cultural industries",
"infrastructure",
"insurance",
"legal",
"manufacturing",
"mining",
"non profit",
@ -124,5 +126,5 @@
"sectors"
],
"uuid": "a8806e40-39ad-435f-be02-ac2a13d6fc7d",
"version": 6
"version": 8
}
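Review bot: "version" jumps from 6 to 8 within a single diff; if this merge folds in two upstream changes to the sectors list that is fine, otherwise a single increment is expected. The reordering of "agriculture"/"aerospace" and the "government" entries above now leaves the sane_default list alphabetically sorted, and the three new values ("government public services", "information and cultural industries", "legal") are placed in the right positions.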

View File

@ -1352,7 +1352,154 @@
],
"name": "submitted-by",
"opposite": "submitted"
},
{
"description": "This relationship describes that the source object does not target the target object.",
"format": [
"misp"
],
"name": "does-not-target"
},
{
"description": "This relationship describes that the source object is targeted by the target object.",
"format": [
"misp"
],
"name": "is-targeted-by"
},
{
"description": "This relationship describes that the source object is not targeted by the target object.",
"format": [
"misp"
],
"name": "is-not-targeted-by"
},
{
"description": "The source object considers the target object as a friend. Is not necessarily symmetric.",
"format": [
"XFN"
],
"name": "Friend"
},
{
"description": "The source object considers the target object as a acquaintance. Is not necessarily symmetric.",
"format": [
"XFN"
],
"name": "Acquaintance"
},
{
"description": "The source object have information to contact and/or get in touch with the target object.",
"format": [
"XFN"
],
"name": "Contact"
},
{
"description": "The source object have physically met the target object.",
"format": [
"XFN"
],
"name": "Met"
},
{
"description": "The source object shares an employer with the target object. This relationship is not geographically limited.",
"format": [
"XFN"
],
"name": "Co-worker"
},
{
"description": "The source object regards the target object as a peer, someone who they feel is on their level and has skills and interests similar to their own. A colleague does not have to be a co-worker, although of course can be.",
"format": [
"XFN"
],
"name": "Colleague"
},
{
"description": "The source object is co-resident with the target object, which means they share a street address with the target object. Co-resident is symmetric.",
"format": [
"XFN"
],
"name": "Co-resident"
},
{
"description": "The source object is neighbor with the target object. This is not limited to next door neighbor.",
"format": [
"XFN"
],
"name": "Neighbor"
},
{
"description": "The target object is the child of the source object.",
"format": [
"XFN"
],
"name": "Child"
},
{
"description": "The target object is the parent of the source object.",
"format": [
"XFN"
],
"name": "Parent"
},
{
"description": "The source object share a parent with the target object. Brothers, sisters, half-brothers, and half-sisters are all examples of siblings.",
"format": [
"XFN"
],
"name": "Sibling"
},
{
"description": "The source object is -or feels themself to be- married, whether legally or not, to the target object.",
"format": [
"XFN"
],
"name": "Spouse"
},
{
"description": "The target object is a relative of the source object.",
"format": [
"XFN"
],
"name": "Kin"
},
{
"description": "The source object is inspired in some way by the target object.",
"format": [
"XFN"
],
"name": "Muse"
},
{
"description": "The source object is attracted -romantically speaking- to the target object.",
"format": [
"XFN"
],
"name": "Crush"
},
{
"description": "The source object is dating the target object.",
"format": [
"XFN"
],
"name": "Date"
},
{
"description": "The source object is intimate, whether physically or emotionally, with the target object.",
"format": [
"XFN"
],
"name": "Sweetheart"
},
{
"description": "The source object refers to the target object as themself or a representation of themself. Can be a profile on social-networking for example. This value is exclusive of all other XFN values.",
"format": [
"XFN"
],
"name": "Me"
}
],
"version": 34
"version": 35
}
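Review bot: "is-targeted-by" and "is-not-targeted-by" have no "opposite" entry, while the "submitted-by" entry directly above them uses "opposite": "submitted"; "is-targeted-by" should carry "opposite" pointing at the "targets" relationship that "does-not-target" negates, "is-not-targeted-by" should point at "does-not-target", and "Child" and "Parent" should point at each other. The XFN names are capitalised ("Friend", "Co-worker", "Me") whereas every other name in this file is lowercase ("does-not-target"), and XFN itself defines its rel values in lowercase (friend, co-worker, co-resident, me); use the lowercase forms so the names match the spec and the file. Descriptions need grammar fixes: "as a acquaintance", "The source object have information", "The source object have physically met", "is neighbor with", "The source object share a parent", "feels themself". "Co-resident" is stated to be symmetric, and Spouse, Sibling and Met are symmetric by nature, but none of them are marked as such; an "opposite" pointing back at the same name would express that the way the rest of the file does.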