Christian Studer
b877eb0815
add: [exploit] Added `description` and `title` attributes
2022-10-23 23:11:48 +02:00
Delta-Sierra
e7b9a8e7cf
add username field in telegram-bot object
2022-10-13 13:45:52 +02:00
Alexandre Dulaunoy
82c699cc5f
new: [telegram-bot] new object to describe Telegram bots
2022-10-13 10:32:58 +02:00
Alexandre Dulaunoy
06df368890
new: [intrusion-set] based on the STIX 2.1 definition
...
TODO - "Open Vocabularies" - value versus description.
2022-09-29 07:32:52 +02:00
Alexandre Dulaunoy
35df5bad01
new: [exploit] Exploit object template to describe code or program used
...
to exploit specific vulnerabilities. The objet can be linked to
`vulnerability` objects but also device, iot, firmware or alike.
2022-09-26 07:40:11 +02:00
Alexandre Dulaunoy
3cf9307b24
Merge branch 'main' of github.com:MISP/misp-objects into main
2022-09-09 07:26:37 +02:00
Alexandre Dulaunoy
fa26cdf15e
fix: [facebook-group] add an optional ID reference to the facebook id
2022-09-09 07:24:05 +02:00
Alexandre Dulaunoy
fc51889b42
new: [facebook-reaction] new object to link reaction with facebook posts or alike
2022-09-09 07:21:59 +02:00
Alexandre Dulaunoy
3abfb19982
Merge pull request #370 from goodlandsecurity/spearphishing-objects-v2
...
spearphishing-objects-v2
2022-08-26 08:53:49 +02:00
goodlandsecurity
b258786935
jq_all_the_things
2022-08-25 16:03:59 -05:00
goodlandsecurity
26c2767228
allow multiple of certain types. bump version
2022-08-25 15:56:36 -05:00
Alexandre Dulaunoy
ec351176f9
chg: [security-playbook] JSON fixed
2022-08-25 10:17:48 +02:00
Vasileios Mavroeidis
2771e2681f
Update definition.json
...
Found the issue and updated the playbook-id attribute. It is not required anymore. We should not dictate producers generating this property since it can be used to correlate playbooks. The use case is: If we have a cacao playbook attached then we could have the UUIDV4 extracted from the "attachment" and put at the MISP security-playbook object attribute "playbook-id". Correlation is enabled if another security playbook object follows the same process while attaching the same CACAO playbook. If the attached playbook is a png then there is no way to associate it again with another security playbook object that has the same png as an attachment as we cannot know that. That would be possible only if the attachment had a machine-readable identifier. Another use case is to generate a hash and attach it to a property, but let's leave that for the future and if it is never needed or appears as a use case. Long story short the pull request improves the semantics of the object and correlations of different security playbook objects :)
2022-08-24 18:44:11 +02:00
Alexandre Dulaunoy
9b9c838961
fix: [yara] add a reference link to the YARA object template
2022-08-03 11:46:30 +02:00
Alexandre Dulaunoy
734d85337d
new: [sigma] a sigma attribute exists in MISP but the object was
...
missing to add some additional meta information.
2022-08-03 11:44:37 +02:00
Alexandre Dulaunoy
50f61a03be
chg: [scheduled-task] disable_correlation + clarification
2022-07-08 15:03:27 +02:00
Delta-Sierra
73c2462448
Windows Scheduled Task Object - First draft
2022-07-07 15:17:34 +02:00
matthijsvp
8e024f4863
chg: Fixed typo in disable_correlation
2022-07-01 16:59:03 +02:00
matthijsvp
896fb72735
Merge from master
2022-07-01 16:47:23 +02:00
Matthijs van P
29d7467de9
Merge branch 'MISP:main' into main
2022-07-01 16:43:49 +02:00
matthijsvp
593d80abd1
initial commit
2022-07-01 16:43:22 +02:00
Alexandre Dulaunoy
db5033f385
fix: [ftm-*] Fixing missing description - #363
2022-06-30 17:43:44 +02:00
Alexandre Dulaunoy
85dd164dbb
fix: [ftm] missing description fix #363
2022-06-30 17:19:33 +02:00
Alexandre Dulaunoy
9b0a9cd9eb
chg: [ftm-Call] fixed missing description
2022-06-30 17:12:25 +02:00
Alexandre Dulaunoy
91e1c8bdcd
chg: [query] add Kusto Query Language (KQL)
...
Ref: https://twitter.com/castello_johnny/status/1540732973753847808
2022-06-25 19:20:13 +02:00
Alexandre Dulaunoy
fd58bdd7b7
chg: [query] add missing SPL language (Splunk) format
...
Thanks to https://twitter.com/nbareil/status/1540633706959863813 @nbareil
2022-06-25 11:56:15 +02:00
Alexandre Dulaunoy
07b6883c93
new: [query] query object to describe search queries on SIEM and other tools
...
MISP object template designed following requests and especially this twitter thread:
https://twitter.com/castello_johnny/status/1540610057263628289
I added a list of sane default based on the ones I have seen being used:
"sane_default": [
"event query language (eql)",
"keyword query language (kql)",
"Query DSL",
"Query (Elastic Search)",
"Sigma",
"Lucene query",
"Google search query",
"Ariel Query Language (qradar)",
"Grep",
"Devo LINQ"
],
Thanks to Gianni Castaldi and others for ideas.
The object can be expanded and improved over the time and the needs
to share new queries.
2022-06-25 11:37:41 +02:00
Alexandre Dulaunoy
8fd41924dd
chg: [stock] newline fixed
2022-06-18 17:00:13 +02:00
Alexandre Dulaunoy
7ea63899df
chg: [stock] UUID fixed
2022-06-18 16:58:49 +02:00
Alexandre Dulaunoy
421f5f9ccc
new: [stock] a first version of a stock market object to describe stock in MISP
2022-06-18 16:55:13 +02:00
Alexandre Dulaunoy
8215066c96
chg: [report] add Zotero item types in addition to the default type
2022-06-18 16:10:41 +02:00
Alexandre Dulaunoy
b56d3a980b
Merge branch 'main' of github.com:MISP/misp-objects into main
2022-06-17 10:27:22 +02:00
Alexandre Dulaunoy
cbfff75588
chg: [network-connection] add a counter following discussion with @chrisr3d
2022-06-17 10:05:09 +02:00
iglocska
b99a0e939d
chg: [domain-ip] added the multiple flag back to ports
...
- as discussed with @righel, if we allow multiple IPs we should also allow multiple ports
- we might revise this in the future if it causes issues, however, then we should also restrict the use of multiple IP addresses
2022-05-30 18:07:25 +02:00
Good Land Security
df5f9921df
Merge branch 'MISP:main' into spearphishing-objects
2022-05-20 20:20:10 -05:00
goodlandsecurity
2b19a8099e
formatting after jq_all_the_things
2022-05-20 14:24:40 -05:00
goodlandsecurity
1c3aff42c5
added date for tracking when e-mail was sent
2022-05-20 14:20:37 -05:00
goodlandsecurity
c62a113fec
add new objects for spearphishing-link and spearphishing-attachment intel
2022-05-20 11:49:15 -05:00
matthijsvp
f04caaa2c1
Added fields
2022-05-20 15:53:29 +02:00
matthijsvp
bffed035df
Merge branch 'main' of github.com:matthijsvp/misp-objects
2022-05-20 15:50:37 +02:00
matthijsvp
dac6d57e79
Added some field from feedback
2022-05-20 15:50:31 +02:00
Alexandre Dulaunoy
ccd239bf64
chg: [security-playbook] jq all the things
2022-05-18 22:00:41 +02:00
Vasileios Mavroeidis
0c54a39d37
Update definition.json
...
The PR updates the security playbook object with improved semantics based on feedback we have received.
The updated template has "one-to-one" mapping with the available STIX 2.1 ad-hoc extension for the COA SDO available here: https://github.com/fovea-research/stix2.1-coa-playbook-extension
This research (updated version 3) was partially supported by the research projects CyberHunt (Grant No. 303585 - funded by the Research Council of Norway) and JCOP (Grant No. INEA/CEF/ICT/A2020/2373266 - funded by the European Health and Digital Executive Agency through the Connected Europe Facility program).
2022-05-18 13:56:59 +02:00
Alexandre Dulaunoy
7c7d1fbe98
chg: [paloalto-threat-event] Hungary access to the git repository has been sanctioned
2022-05-11 15:38:24 +02:00
Andras Iklody
a5184c6746
chg: [paloalto-threat-event] version bump
...
For instances that ingested it before the disable_correlation changes, they didn't take and ended up pushing a lot of correlating noise. This should resolve it for the future.
2022-05-11 13:16:36 +02:00
matthijsvp
b8456cf80b
Ran validation
2022-05-07 08:00:38 +02:00
Matthijs van P
9e378c705f
Merge branch 'MISP:main' into main
2022-05-07 07:56:36 +02:00
Matthijs van P
109f78336b
Changed version to int.
2022-05-07 06:47:40 +02:00
Christian Studer
f762d5b2a4
add: [passive-ssh] Added `port` attribute
2022-05-06 17:01:13 +02:00
matthijsvp
3f90f65508
Fixed spelling mistakes
2022-05-06 14:09:50 +02:00
matthijsvp
bb686f24d4
Removed required field
2022-05-06 13:50:34 +02:00
matthijsvp
d04d453f47
Added sane defaults to all booleans
2022-05-06 13:48:12 +02:00
matthijsvp
dcf34a680f
bumped version number, fixed stray typo
2022-05-06 13:38:11 +02:00
matthijsvp
7480c51533
Added need/want for decryptor and data deletion
2022-05-06 13:25:31 +02:00
Christian Studer
de7792373c
add: [passive-ssh] Added `banner` & `hassh` attributes
2022-05-05 20:38:53 +02:00
matthijsvp
33458100e4
Fixed ui order, fixed screenshot type
2022-05-05 15:54:37 +02:00
matthijsvp
6ec02ff6d8
Added transcript and screenshot fields
2022-05-05 15:48:31 +02:00
matthijsvp
1c2513caf2
Fixed email attribute type, fixed typo
2022-05-05 15:38:19 +02:00
matthijsvp
38d22a425f
v1 of ransom-negotiation object
2022-05-05 15:18:22 +02:00
matthijsvp
25c318c3b3
Initial commit
2022-05-04 16:49:17 +02:00
3c7
314d72f948
Fixes wrong category and typo in value list
2022-04-26 15:05:05 +02:00
3c7
e57ab0f522
uploaded -> submitted; otherwise possible semantic collision with "uploads" relationship
2022-04-26 14:07:20 +02:00
3c7
dcb44bcc5a
Added VirusTotal Submission object and uploaded/uploaded-by relation
2022-04-26 14:02:43 +02:00
Alexandre Dulaunoy
ea23d59185
chg: [organization] NL fixed
2022-04-04 14:49:44 +02:00
Alexandre Dulaunoy
783ae64fa0
chg: [organization] typo fixed
2022-04-04 14:46:22 +02:00
Alexandre Dulaunoy
6e98779d1a
Merge branch 'main' of github.com:MISP/misp-objects into main
2022-04-04 14:08:34 +02:00
Alexandre Dulaunoy
46a4b67c35
chg: [organization] add registry number and format for date of registration
2022-04-04 14:07:55 +02:00
chrisr3d
60d2fc447f
add: [employee] Added a `full-name` object_relation for cases when we are not sure which name is the first and the last
2022-03-31 20:21:12 +02:00
Alexandre Dulaunoy
f1086328a1
chg: [personification] fixed
2022-03-24 15:42:35 +01:00
Alexandre Dulaunoy
05195859b1
Merge pull request #351 from 0wlyW00d/main
...
Add new objects to better describe a natural person
2022-03-22 21:58:37 +01:00
Alexandre De Oliveira
2a7d2de508
modified by ./jq_all_the_things.sh
2022-03-21 15:04:26 +01:00
Alexandre De Oliveira
a98ac163fb
Update object version to v5
2022-03-21 15:02:48 +01:00
0wlyW00d
c44272a069
test
2022-03-21 10:08:36 +00:00
0wlyW00d
3dd5c938fe
Objects add
2022-03-21 10:01:37 +00:00
0wlyW00d
d82287d35f
Add news objects to MISP
...
Creation of new object to better describe a natural perso
Add CLoth Object
Add Tattoo object
Add Personification Object
2022-03-20 17:13:31 +01:00
0wlyW00d
b6c6de5632
Add tattoo object definition
2022-03-19 11:56:48 +01:00
Alexandre De Oliveira
e54cfa0e4c
modified by ./jq_all_the_things.sh
2022-03-18 12:17:41 +01:00
Alexandre De Oliveira
e2da981c94
Update definition.json
2022-03-18 12:15:58 +01:00
Alexandre De Oliveira
df2b900c75
Run the ./jq_all_the_things.sh
2022-03-18 12:12:04 +01:00
Alexandre De Oliveira
da1d90ab8a
Add fields related to GT
2022-03-18 12:08:13 +01:00
Alexandre Dulaunoy
5bfe1f2d66
chg: [person] add new potential direct message chat application
2022-03-17 15:56:16 +01:00
Alexandre Dulaunoy
cc2587d733
chg: [person] handle added as requested by @gallypette
2022-03-17 15:14:32 +01:00
Alexandre Dulaunoy
9515ae332e
chg: [instant-message] Jabber and Twitter added + updated required fields
2022-03-17 09:14:39 +01:00
enes-usta
3c7ee6214e
added cheat types and minor changes
2022-03-15 03:37:26 +01:00
enes
5eea5eae14
Add game-cheat Object
2022-03-14 16:07:09 +01:00
Alexandre Dulaunoy
a3bec8e748
fix: [ip-port] jq all the things
2022-03-11 10:21:09 +01:00
mhpcchaves
d4cad4db46
Include protocol, AS, and country code
...
Include protocol, AS and country code to add more context to the tuple.
2022-03-10 09:34:52 -03:00
Alexandre Dulaunoy
6405b3f114
chg: [ddos] because newline
2022-03-09 11:06:19 +01:00
Alexandre Dulaunoy
e0d30596f6
chg: [ddos] The minimum amount of backscatter received in 5 minutes /
...
day added in the object as backscatter-threshold.
2022-03-09 10:48:47 +01:00
Alexandre Dulaunoy
ae2814bb99
new: [error-message] new template to create error-message from MISP processing scripts
2022-02-17 16:47:08 +01:00
Alexandre Dulaunoy
b741142e2c
chg: [ddos] Updated DDoS object template to include more details and clarification
...
- Clarify that the field of pps/bps are peak values;
- New fields for total number of packets or bytes;
- Type of DDoS added in the object;
- How the capture of the DDoS evidences were collected;
2022-02-17 07:38:35 +01:00
Alexandre Dulaunoy
363f90f789
new: [language-content] New object template language-content based on
...
7.1 (STIX 2.1)
2022-02-15 07:21:58 +01:00
Alexandre Dulaunoy
7dffebe9b6
new: [infrastructure] infrastructure object added (STIX 2.1 - 4.8)
2022-02-14 11:30:09 +01:00
Alexandre Dulaunoy
2ca2606252
new: [software] software template object added based 6.14 (STIX 2.1)
2022-02-14 11:06:53 +01:00
Jeroen Pinoy
1ee36b4426
new: Add apivoid email verification API result object
2022-02-07 17:54:31 +01:00
Alexandre Dulaunoy
a6d51a91b9
chg: [objects] jq all the things
2022-02-04 08:52:33 +01:00
Alexandre Dulaunoy
dfc090f19e
chg: [person] typo fixed
2022-02-04 08:50:36 +01:00
Alexandre Dulaunoy
b67cda2d51
chg: [instant-messaging] add new sane default
2022-02-04 08:49:32 +01:00
Alexandre Dulaunoy
d6dbeaa574
chg: [person] add the ability to set the instant-messaging apps used by the person
2022-02-04 08:47:56 +01:00
Alexandre Dulaunoy
30c53a61eb
fix: [JSON] updated
2022-02-03 17:44:17 +01:00
Alexandre Dulaunoy
1d32596600
chg: [ss7/gtp/diameter] used description updated in the README
2022-02-03 17:43:28 +01:00
Alexandre De Oliveira
6859121d16
Modification after running ./jq_all_the_things.sh
2022-02-03 12:58:56 +01:00
Alexandre De Oliveira
c5d084b930
Remove a duplicated gprsLocationUpdate
2022-02-03 12:54:09 +01:00
Alexandre De Oliveira
df81204b24
Modification avec the jq_all_the_things.sh
2022-02-03 10:42:35 +01:00
Alexandre De Oliveira
98df3423cd
Merge branch 'MISP:main' into master
2022-02-03 10:03:36 +01:00
Alexandre De Oliveira
f1fea67b58
Add FowardSM for "old" SMS
2022-02-01 17:26:22 +01:00
Alexandre Dulaunoy
8cd68cdfd6
new: [artifact] The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload.
...
ref: STIX 2.1 - 6.1
Open point: relationships for the related hashes
2022-02-01 16:25:24 +01:00
Alexandre Dulaunoy
430df1cf48
new: [identity] from STIX 2.1 - 4.5 - new object template
...
Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector).
Ref: 4.5 Identity
2022-01-31 07:45:38 +01:00
Alexandre De Oliveira
41d52f67b9
Cleanup ApplicationContext List + Removed versions
...
Versions are managed via the MAP Version field
2022-01-19 18:05:40 +01:00
Alexandre De Oliveira
7c88589d6d
Merge branch 'MISP:main' into master
2022-01-19 17:57:48 +01:00
Alexandre Dulaunoy
b2638ebae3
chg: [instan-message-*] add Tox as potential chat application
...
Ref: https://wiki.tox.chat
2022-01-16 16:39:06 +01:00
Alexandre Dulaunoy
398dd04dae
chg: [stix2-pattern] add STIX 2.1
2022-01-14 16:43:01 +01:00
Alexandre De Oliveira
e7622d92b3
Add list of MAP Opcodes (text + number)
2022-01-11 09:49:30 +01:00
Alexandre De Oliveira
aa00bd384c
Add MAP application context list, without version
2022-01-11 09:43:03 +01:00
Alexandre Dulaunoy
48a486b044
fix: [template] missing newlines
2022-01-06 16:52:43 +01:00
Alexandre Dulaunoy
87a40ae57d
chg: [ftm-Company/github] update template version
2022-01-06 16:50:29 +01:00
Alexandre Dulaunoy
e9dfbc54c4
chg: [ftm-Company] new line
2022-01-06 16:49:16 +01:00
Alexandre Dulaunoy
74c6943bab
Merge branch 'patch-1' of https://github.com/dreyergustav/misp-objects into dreyergustav-patch-1
2022-01-06 16:48:09 +01:00
chrisr3d
b32b7f84fc
add: [github-user] Added the `id` object relation for the GitHub user id
2022-01-06 14:11:57 +01:00
dreyergustav
f90a06ce95
Add description to ftm-Company object template
...
The empty string value in the description key caused an error when new objects were added to events.
2022-01-06 13:01:18 +01:00
Alexandre Dulaunoy
0e5fa57d82
chg: [probabilistic-data-structure] updated followng JL feedback
2021-12-29 16:27:26 +01:00
Alexandre Dulaunoy
5a4f7efbc8
new: [probabilistic-data-structure] Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure.
2021-12-29 15:09:38 +01:00
Alexandre Dulaunoy
b75be5cb19
chg: [person] occupation added
2021-12-22 10:25:13 +01:00
Alexandre Dulaunoy
734bfee82f
fix: [temporal-event] newline issue
2021-12-21 08:15:06 +01:00
Alexandre Dulaunoy
6e5db86325
chg: [temporal-event] fix typo in template name
2021-12-21 08:12:21 +01:00
Lucas Magalhães
27fce9e7ec
Add sane default for boolean objects
2021-12-20 20:02:29 +00:00
Jeroen Pinoy
b63b645635
chg: add requiredOneOf for postal-address
2021-12-20 14:15:10 +01:00
Raphaël Vinot
1c3882581e
fix: incorrect entry in CMTMF_ATCKID
2021-12-20 13:17:46 +01:00
Alexandre Dulaunoy
1d93c1ae63
fix: [concordia] new-lines
2021-12-20 11:36:44 +01:00
Alexandre Dulaunoy
3221dc0ed7
new: [concordia-mtmf-intrusion-set] New object intrusion-set for mobile attacks
2021-12-20 11:31:41 +01:00
Alexandre Dulaunoy
b3b24473f2
chg: [person/organization] add new role values such as Source, Originator, Informant, Emitter
...
Fix #338
Emitter has been added for cases in SIGINT and MASINT where emitter
terminology can be used.
2021-12-14 17:24:00 +01:00
Alexandre Dulaunoy
9dc7e3578f
new: [temporal-event] temporal event added
2021-12-07 15:26:23 +01:00
Alexandre Dulaunoy
282048b18f
chg: [user-account] fixing the Hungarian leader GitHub edit perversion
2021-11-30 10:34:35 +01:00
Andras Iklody
a153553df1
fix: [user-account] added description to avoid issues in MISP
2021-11-30 10:24:06 +01:00
Alexandre Dulaunoy
9ee8f2912d
chg: [person] optional function field added
...
Credits: feedback from student at University of Lorraine
2021-11-27 11:56:39 +01:00
Sami Tainio
56f09c4431
Ran jq_all_the_things_.sh
2021-11-26 15:37:32 +02:00
Sami Tainio
9178943a75
add: [email] Added display name attribute for reply-to
2021-11-26 15:26:40 +02:00
Alexandre Dulaunoy
d2606f6688
chg: [ja3s] updated
2021-11-14 22:38:47 +01:00
Alexandre Dulaunoy
b9ea4e1278
new: [ja3s] JA3 server object template added Fix #296
2021-11-14 22:33:58 +01:00
iglocska
3ed8f7ae6e
chg: [submarine] fixes and list of types added
2021-11-12 08:39:35 +01:00
iglocska
66c037177e
fix: [naval] meta category fixed
2021-11-12 08:36:00 +01:00
iglocska
dba92cbd53
chg: jq all the things
2021-11-12 08:33:24 +01:00
iglocska
6a970c03a4
new: submarine object template added
2021-11-12 08:31:54 +01:00
iglocska
44c7a7fc56
Revert "new: added submarine"
...
This reverts commit d1401437cb
.
2021-11-12 08:29:47 +01:00
iglocska
d1401437cb
new: added submarine
2021-11-12 08:28:53 +01:00
Jeroen Pinoy
e1a809ed2c
new: postal address object
2021-11-03 22:00:49 +01:00
Alexandre Dulaunoy
ae6a527bcb
chg: [report] disable correlation on report type
2021-11-02 09:06:18 +01:00
Alexandre Dulaunoy
1cd5a3e9f0
chg: [passive-ssh] newlines disaster
2021-10-26 14:03:24 +02:00
Jean-Louis Huynen
fa397128bf
chg: [passive-ssh] change fingerprint type
2021-10-26 11:50:23 +02:00
Alexandre Dulaunoy
95a23d219e
chg: [device] ui-priority added
2021-10-25 16:05:04 +02:00
Alexandre Dulaunoy
570a5c18b6
chg: [devices] fixed missing ui-priority
2021-10-25 15:56:50 +02:00
Alexandre Dulaunoy
3e491aa83b
Merge branch 'main' of github.com:MISP/misp-objects into main
2021-10-25 15:53:12 +02:00
Alexandre Dulaunoy
dcc9e4c8be
chg: [device] added hits, status and infection_type (from ShadowServer)
...
- request for VarIOT project
2021-10-25 15:52:34 +02:00
Alexandre Dulaunoy
c380279dca
Merge pull request #332 from gallypette/master
...
add: [passive-ssh] new object
2021-10-25 15:36:58 +02:00
Alexandre Dulaunoy
960a03be22
chg: [geolocation] countrycode added as requested for the VarIOT.
2021-10-25 15:35:23 +02:00
misp
dac24a50c9
add: [passive-ssh] new object
2021-10-25 12:29:52 +02:00
chrisr3d
b0eb0779df
fix: [report] Removed parenthesis from the object relation `report-file`
2021-10-25 12:02:25 +02:00
chrisr3d
eb0af71d60
add: [email] Added display name attribute for CC and BCC
2021-10-25 12:00:25 +02:00
Sami Tainio
48e6ff2567
Ran jq_all_the_things_.sh
2021-10-23 10:58:55 +03:00
Sami Tainio
aa2aa0814a
chg: [email] add a `bcc` field, `reply-to` can be multiple
...
Fix #329
2021-10-22 23:29:35 +03:00
Quentin JEROME
2394885553
Ran jq_all_the_things.sh
2021-10-06 20:13:39 +02:00
qjerome
ce1aea0e14
Update descriptions of edr-report
2021-10-06 19:42:34 +02:00
Quentin JEROME
38303b282f
Added edr-report MISP Object definition
2021-10-06 19:42:45 +02:00
Alexandre Dulaunoy
6ad5f18831
chg: [security-playbook] updated
2021-10-05 15:28:26 +02:00
Vasileios Mavroeidis
ef16c5fe9a
Update definition.json
...
Improved the descriptions of the properties to aid their usability and resolve numerous ambiguities.
2021-10-02 13:01:11 +02:00
Alexandre Dulaunoy
3d52773e9d
fix: [playbook] it's always a newline story ;-)
2021-09-29 17:08:40 +02:00
Vasileios Mavroeidis
1b3447ffba
Update definition.json
...
person-role is not included in the attributes
2021-09-29 17:03:10 +02:00
Alexandre Dulaunoy
02e00959c4
fix: [security-playbook] newline issue
2021-09-28 14:49:28 +02:00
Alexandre Dulaunoy
4fed830b87
fix: [security-playbook] Categories are case sensitive
2021-09-28 14:48:27 +02:00
Pavel Eis
ee9b978c5e
new: [security-playbook] security-playbook added
2021-09-28 10:31:45 +02:00
Alexandre Dulaunoy
c8cd002a3b
chg: [hashlookup] add KnownMalicious field in hashlookup record
2021-09-24 15:33:53 +02:00
Alexandre Dulaunoy
0ba346f194
chg: [hashlookup] add source, TLSH, SSDEEP fields in the object template
2021-09-24 15:23:04 +02:00
Alexandre Dulaunoy
ffa6ed7963
chg: [process] remove ambiguity between user-creator and current user running the process
...
Following CISA/DHS feedback
Fix #322
2021-09-14 08:35:02 +02:00
Alexandre Dulaunoy
3f6a653b0d
fix: [user-account] replace the unclear text in description
...
Feedback from CISA/DHS - fix #323
2021-09-14 08:31:01 +02:00
Alexandre Dulaunoy
8c86f26e78
chg: [domain-ip] newline fix
2021-09-11 07:53:21 +02:00
Andras Iklody
12612abdcb
remove multiple from ip field
2021-09-10 15:24:50 +02:00
Alexandre Dulaunoy
b42a9d8fe0
chg: [ss7-attack] order and newline
2021-09-04 10:19:25 +02:00
Alexandre De Oliveira
9f2f46faa7
Added few fields for GT Leasing - v3
2021-09-02 13:57:40 +02:00
chrisr3d
d2b93f5aa6
chg: [hashlookup] Using the `filename` type for the FileName attribute instead of `text`
2021-08-26 15:13:14 +02:00
Alexandre Dulaunoy
633a84df03
chg: [hashlookup] newline because you know
2021-08-25 12:02:17 +02:00
Alexandre Dulaunoy
7e849963f1
chg: [hashlookup] filename changed
2021-08-25 12:00:11 +02:00
Alexandre Dulaunoy
1e4f39f728
new: [hashlookup] new hashlookup.circl.lu object
2021-08-25 11:55:57 +02:00
Alexandre Dulaunoy
8ecdd68eb8
chg: [tsk-web-search-query] jq all the things
2021-07-25 09:11:42 +02:00
Alexandre Dulaunoy
7d7cea0459
Fix incorrect type for domain
2021-07-25 09:09:53 +02:00
Alexandre Dulaunoy
d37c575ee0
chg: [email] add a from-domain field to add domain when full email is not known or a wild card
...
Fix #318
Feedback from Eurocontrol training
2021-06-22 15:23:41 +02:00
Alexandre Dulaunoy
b6366988f4
chg: [paloalto-threat-event] fix newline
2021-05-28 23:07:49 +02:00
phmazzoni
df58f2b29f
Disabling some field correlations
...
Disabling some field correlations to avoid excessive number of events
2021-05-27 17:24:58 -03:00
Alexandre Dulaunoy
212e410258
chg: [ddos] fix newline
2021-05-27 16:25:52 +02:00
Alexandre Dulaunoy
a31f7d0f26
Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA
...
Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA
2021-05-27 16:19:12 +02:00
Alexandre Dulaunoy
195f0fe46a
fix: [passive-dns-dnsdbflex] newline
2021-05-26 14:12:10 +02:00
aaronkaplan
094d61a51a
dnsdbflex object
2021-05-26 12:34:34 +02:00
Alexandre Dulaunoy
93b99230e3
chg: [jq] all the things
2021-05-25 23:15:59 +02:00
Alexandre Dulaunoy
265f8d3fc7
chg: [geolocation] fix UUID to be valid UUIDv4
2021-05-25 23:11:01 +02:00
Alexandre Dulaunoy
d89296b542
new: [open-data-security] new object template based on open data
...
security definition
To be used in VARIoT project. https://www.variot.eu/
2021-05-17 15:55:23 +02:00
Alexandre Dulaunoy
5d986dc25e
chg: [phishing] newline
2021-05-11 15:44:35 +02:00
Alexandre Dulaunoy
8bb8a1d22c
Merge branch 'main' of github.com:MISP/misp-objects into main
2021-05-11 15:01:53 +02:00
Alexandre Dulaunoy
d8340c3f67
chg: [phishing] version bump
2021-05-11 15:01:31 +02:00
chrisr3d
3a2e44c442
fix: [network-socket] Typo
2021-05-06 15:42:03 +02:00
chrisr3d
5028d5d99f
add: [network-socket] Added Socket type attribute
2021-05-06 15:17:52 +02:00
Alexandre Dulaunoy
7a476ec4ef
chg: [passive-dns] jq
2021-05-03 07:20:51 +02:00
aaronkaplan
b728ed3e29
Re-Do the definition.json, according to the results of the discussion in
...
https://github.com/MISP/misp-objects/pull/314
Removing *_ip and *_domain
Keeping bailiwick a domain type
2021-05-03 00:57:14 +02:00
aaronkaplan
bcd133527e
Merge branch 'main' of https://github.com/MISP/misp-objects
2021-05-02 16:03:35 +02:00
aaronkaplan
7b4c9cd6df
As discussed with @rafiot, we can't simply add rdata and rrname as
...
text only into MISP objects. Why? Because otherwise we can't use MISP's
correlation engine to correlate attributes (rrname, rdata) inside these
MISP objects with other events. Because "text" would not correlate with
other "ip-src" or "domain" types in other objects/attributes.
Kind of sucks to duplicate the rrname and rdata entries, but that's the
only solution we came up with.
The COF2MISP module will populate both the rrname,rdata as well as the
rrname_{domain,ip} and rdata_{domain,ip} attributes.
Checked with jq_all_the_things.sh.
Thanks for your consideration.
2021-05-02 15:57:54 +02:00
Alexandre Dulaunoy
4b88a52cf4
chg: [passive-dns] fix
2021-04-27 18:26:23 +02:00
Alexandre Dulaunoy
ab84bd837f
fix: [passive-dns] fix the JSON and the version
2021-04-27 18:13:05 +02:00
AaronK
df8604a8ca
Update definition.json
...
Added time_first_ms, time_last_ms. Clarified a few things in the descriptions.
2021-04-27 15:37:51 +02:00
Alexandre Dulaunoy
7c21a969d1
fix: [stix2-pattern] disable correlation on version
...
Thanks to the new feature in MISP 2.4.142 to find top correlations ;-)
2021-04-27 05:57:52 +02:00
Alexandre Dulaunoy
5e6f887fa1
Merge branch 'main' of github.com:MISP/misp-objects into main
2021-04-14 09:20:52 +02:00
Alexandre Dulaunoy
6f002cd4c6
chg: [report] add a report type
2021-04-14 09:20:25 +02:00
Raphaël Vinot
067ae49498
fix: Typo
2021-03-05 18:23:11 +01:00
Raphaël Vinot
321a952a66
chg: make jq validation happy
2021-03-05 18:16:46 +01:00
phmazzoni
16a3bed253
Create definition.json
2021-03-05 14:05:39 -03:00
phmazzoni
a16d689085
Delete objects/panorama directory
2021-03-05 14:03:37 -03:00
Raphaël Vinot
3fb441b8a0
chg: Make jq validation happy
2021-03-05 15:57:41 +01:00
phmazzoni
b3096262f5
Create definition.json
...
Create Palo Alto Threat Log Object Template.
2021-03-05 11:30:00 -03:00
Alexandre Dulaunoy
e1f01f674f
chg: [person] full-name attribute type added + expanding object person with full-name
2021-03-03 07:41:16 +01:00
Alexandre Dulaunoy
4c62d6091a
fix: [dkim] clean-up
2021-02-25 07:25:09 +01:00
Alexandre Dulaunoy
df6784859e
new: [dkim] DomainKeys Identified Mail - DKIM object template
2021-02-25 07:24:19 +01:00
Alexandre Dulaunoy
703b53fc3b
chg: [network-element] jq
2021-02-24 06:48:10 +01:00
Alexandre Dulaunoy
1fe9649205
chg: [network-profile] AS updated
2021-02-24 06:47:04 +01:00
Alexandre Dulaunoy
d87ce65cb9
chg: [network-profile] add jarm-fingerprint
2021-02-24 06:38:49 +01:00
Carlos Borges
85dc07a1f4
Creation of Network Profile MISP Object
...
The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.
The need for a consolidated object comes to group correlated elements.
Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:
The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identify it. A practical and tested example is this resources from Kaspesky.
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
On this article they mention a trojan family called Javali. They recover the C2 server abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.
A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern". I.E
inicio{
"host":"<variable>",
"porta":"<variable>"
}fim
With other investigations and registry of it on MISP, is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
2021-02-23 20:39:22 -03:00
Alexandre Dulaunoy
e902af130c
chg: [report] make link or summary as non-required field
2021-02-22 18:21:45 +01:00
Alexandre Dulaunoy
4e011f2478
chg: [regexp] fixed
2021-02-19 21:56:35 +01:00
Alexandre Dulaunoy
016f9e58af
chg: [regexp] added Farsight Compatible Regular Expressions (FCRE) added
...
Ref: https://docs.dnsdb.info/dnsdb-fcre-reference-guide/#farsight-compatible-regular-expressions-fcre
2021-02-19 18:03:23 +01:00
Alexandre Dulaunoy
36994fda1e
fix: [splunk] fixed
2021-02-15 15:10:20 +01:00
Alexandre Dulaunoy
cb73cfaf49
chg: [splunk] object updated
2021-02-15 14:43:44 +01:00
marcnil815
f3830e044a
Update definition.json
...
Added possibility for multiple searches in same object to accomodate using raw searches and datamodel searches.
2021-02-15 14:13:17 +01:00
Alexandre Dulaunoy
84df20e51f
new: [windows-service] windows-service object added
2021-02-13 17:01:44 +01:00
Alexandre Dulaunoy
2b1c3532dc
chg: [report] add a link field to the report object template
2021-02-04 11:03:01 +01:00
Raphaël Vinot
3d3d40e6c0
fix: keys order in VT object
2021-02-02 15:31:00 +01:00
Raphaël Vinot
625684684a
chg: Disable correlation in VT objects
2021-02-02 15:25:13 +01:00
Alexandre Dulaunoy
160c39d91e
chg: [url] jq all the things
2021-02-02 11:57:41 +01:00
Raphaël Vinot
82c217781f
chg: allow multiple IPs in URL object
2021-02-02 11:39:37 +01:00
Terrtia
4f50074ba7
chg: [telegram-account] required attributes
2021-01-26 11:39:22 +01:00
Alexandre Dulaunoy
eedcc2d5af
chg: [telegram-account] fixes
2021-01-26 10:30:30 +01:00
Alexandre Dulaunoy
ca247d8c2a
new: [telegram-user] basic telegram user
...
Ref: https://core.telegram.org/constructor/user
More could be added in the future
2021-01-26 10:27:35 +01:00
Raphaël Vinot
1e14201fc0
chg: Update objects to match lief output for authenticode
2021-01-19 15:38:31 +01:00
Alexandre Dulaunoy
fd7c05d74b
chg: [jarm] jq all the things
2021-01-05 14:49:34 +01:00
Alexandre Dulaunoy
8d08dc52d0
chg: [jarm] jarm type is jarm-fingerprint
2021-01-05 14:48:06 +01:00
Alexandre Dulaunoy
8753de0e1e
new: [jarm] new jarm object to describe TLS/SSL implementation matching
...
a jarm fingerprint
2021-01-05 14:44:46 +01:00
Alexandre Dulaunoy
2cb16e7be0
chg: [trustar_report] Updated to add "THREAT_ACTOR"
...
Fixing #273
2021-01-05 09:30:28 +01:00
Alexandre Dulaunoy
d6d515d3d8
chg: [yara] disable correlations on some fields
2020-12-30 14:46:04 +01:00
Alexandre Dulaunoy
4d1c42e491
chg: [crypto-material] add a public field for public cryptographic materials
2020-12-30 14:21:37 +01:00
Alexandre Dulaunoy
3650498630
chg: [favicon] jq all the things
2020-12-27 16:21:09 +01:00
Alexandre Dulaunoy
179bd48bec
chg: [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web
...
site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
2020-12-27 16:19:04 +01:00
Alexandre Dulaunoy
b71e7c3458
chg: [twitter-post] jq
2020-12-20 10:52:40 +01:00
Alexandre Dulaunoy
8eae725e49
fix: [twitter-post] underscore - minus are difficult to choose from ;-)
2020-12-20 10:41:39 +01:00
Alexandre Dulaunoy
ed1ceebdf4
chg: [jq] all the things
2020-12-20 10:37:14 +01:00
Alexandre Dulaunoy
85e37b360e
Merge pull request #302 from ater49/main
...
Adding fields in twitter-post and paste
2020-12-20 10:34:11 +01:00
Alexandre Dulaunoy
413a2618b6
Merge pull request #303 from seamustuohy/pymisp-pr/631
...
Updated for support for msg format.
2020-12-20 10:30:04 +01:00
seamus tuohy
7e65e5dfaf
Updated for support for msg format.
...
Adding first class support for Emails in .msg format to the email definition.
This includes making the attribute support multiple bodies. Msg formats
nearly always have at least 2, if not 3, versions of the body (plain text, rtf, html).
2020-12-19 17:03:26 -05:00
ater49
a410c7c7a6
Typo and version number correction + adding a field in twitter-post
...
Adding created-at field in twitter-post
2020-12-14 23:01:12 +01:00
ater49
a47ba8c5b8
Add media in twitter-post in order to store attached medias in a tweet
...
Add pastebin.fr in source of paste and paste_file for storing whole
paste file.
2020-12-14 22:25:58 +01:00
Alexandre Dulaunoy
f517d6691c
Merge branch 'main' of github.com:MISP/misp-objects into main
2020-12-10 19:13:07 +01:00
Alexandre Dulaunoy
499392ca0a
chg: [domain-ip] hostname added as an attribute
2020-12-10 19:12:33 +01:00
Beaujeant
a65aa06859
chg: can have mutliple text attributes
2020-11-25 16:17:54 +01:00
Alexandre Dulaunoy
9185d69d14
chg: [jq] all the [things]
2020-11-24 11:48:22 +01:00
Steve Clement
506116f0ac
chg: [json] sort
2020-11-24 14:58:19 +09:00
Steve Clement
dd6ebe5385
new: [sh] Added process state
2020-11-24 14:55:47 +09:00
Steve Clement
4997dc575c
Merge remote-tracking branch 'upstream/main' into process
2020-11-24 14:45:04 +09:00
chrisr3d
0a3e94839c
add: [passive-dns] Added a raw_rdata object relation
2020-11-13 20:09:46 +01:00
chrisr3d
903935c1fe
chg: Using the actual attribute type for cpe and weakness instead of text
2020-10-22 22:11:50 +02:00
Alexandre Dulaunoy
27a554ab12
chg: [cpe-asset] updated
2020-10-16 12:31:44 +02:00
Alexandre Dulaunoy
89f4f6dbc1
new: [cpe-asset] an asset as defined with a CPE value
...
This object was created to support the use-case of pisax.org for the
following use-case:
- They define well-known assets which are used by IXPs and GRXs via
their CPEs;
- The assets are defined in a set of fixed/master MISP events;
- Those events are used to query NVD/CVE database via cve-search
(https://github.com/cve-search/cve-search ) using a PyMISP script
- Then the CVEs matching the CPE are added in MISP and dispatched to the
sharing community of users as specific MISP events.
Ref: PISAX - pan-European Information Sharing and Analysis Center (ISAC) to IXPs and GRXs
Ref: https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf ((NIST Interagency Report 7695))
2020-10-16 09:21:40 +02:00
Alexandre Dulaunoy
141a8d2e2f
chg: [vulnerability] fixed
2020-10-15 22:49:29 +02:00
Alexandre Dulaunoy
25c888cecb
chg: [vulnerability] vulnerable_configuration are now cpe type
2020-10-15 22:40:50 +02:00
Alexandre Dulaunoy
5c935172ea
chg: [file] because sorted is always better
2020-10-13 22:47:10 +02:00
Alexandre Dulaunoy
0196285c0f
chg: [file] imphash and telfhash added
2020-10-13 22:46:24 +02:00
Alexandre Dulaunoy
8ee7728e84
chg: [gitlab-user] because -r is important
2020-10-07 09:20:54 +02:00
Alexandre Dulaunoy
b4d21455fd
new: [gitlab-user] GitLab user. Gitlab.com user or self-hosted GitLab instance object template
2020-10-07 09:13:29 +02:00
Richard Hallick
f6f419cadc
Addition of Intel 471 vulnerability intelligence object
...
Intel 471 object to contain structured vulnerability related data.
2020-09-23 13:20:33 +01:00
Richard Hallick
f116494ac9
Addition of intel471-vulnerability-intelligence object
...
Intel 471 object to contain structured vulnerability related data.
2020-09-23 13:02:02 +01:00
Alexandre Dulaunoy
bd6aad0cd9
Merge branch 'main' of github.com:MISP/misp-objects into main
2020-09-17 08:19:03 +02:00
Alexandre Dulaunoy
4828fea3b7
chg: [github-user] reflect the API fields
2020-09-17 07:24:30 +02:00
Raphaël Vinot
e009365d61
chg: Sort json
2020-09-16 15:17:43 +02:00
Alexandre Dulaunoy
794f9e7c43
chg: [keybase] be consistent with keybase API
2020-09-16 14:49:08 +02:00
Alexandre Dulaunoy
9cc343781f
chg: [keybase-account] at least username is required
2020-09-16 14:45:37 +02:00
chrisr3d
054899d28b
fix: JSON Validation
2020-09-09 10:36:20 +02:00
chrisr3d
3fce227f39
Merge branch 'main' of github.com:MISP/misp-objects into main
2020-09-09 10:11:58 +02:00
chrisr3d
cadaa5d8c9
fix: Disabling correlation for all the bgp-ranking object attributes
2020-09-09 10:09:07 +02:00
Alexandre Dulaunoy
bb26860669
Merge branch 'main' of github.com:MISP/misp-objects into main
2020-09-09 08:12:55 +02:00
Alexandre Dulaunoy
ca7ed9b396
new: [github-user] a GitHub user object template
...
Based on the information seen on the web interface.
TODO: Check the GitHub API and review the information available.
2020-09-09 07:40:03 +02:00
Alexandre Dulaunoy
31586921b2
chg: [twitter-account] incorrect description fixed
2020-09-09 07:24:03 +02:00
chrisr3d
2671039cec
fix: JSON validation
2020-09-08 12:11:50 +02:00
chrisr3d
77fc1e0d97
Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch
2020-09-08 11:53:41 +02:00
chrisr3d
33cf33dc24
add: Added an IP address family attribute to describe the address family concerned by the BGP ranking
2020-09-08 11:52:39 +02:00
Raphaël Vinot
6c98bf536f
fix: Incorrect relationships in requiredoneof field
2020-09-08 11:17:57 +02:00
chrisr3d
0ba4909549
add: First version of a BGP ranking object to represent the ranking of an ASN at a specific point of time
...
- We can then associate as many bgp-ranking
objects as we need to the corresponding ASN
object, each one of them being the ranking of
the ASN for a given day
2020-09-07 23:56:10 +02:00
chrisr3d
e2f062e477
fix: Validation issue fixed
2020-09-03 14:21:06 +02:00
chrisr3d
e743d7d013
fix: Normalised object relations of the ilr objects
...
- Using dash as separator instead of space
2020-09-03 14:14:01 +02:00
chrisr3d
2c64f6e04a
fix: Normalised object relations of the vehicle object
...
- Using dash as separator instead of space
2020-09-03 14:12:59 +02:00
chrisr3d
3a7eb020e6
fix: Normalised object relations of the phishing objects
...
- Using dash as separator instead of space
2020-09-03 14:12:05 +02:00
chrisr3d
73ced3e75c
fix: Normalised object relations of the ip-api-address object
...
- Using dash as separator instead of space
2020-09-03 14:10:02 +02:00
chrisr3d
7865f4110d
chg: Making source port attribute multiple in the ip-port object
2020-09-03 14:08:36 +02:00
Alexandre Dulaunoy
7fe39ca8f6
chg: [keybase] newline issue
2020-09-03 12:23:13 +02:00
Alexandre Dulaunoy
3d530764b5
chg: [keybase-account] meta category updated
2020-09-03 12:19:36 +02:00
Alexandre Dulaunoy
bc59103f84
chg: [jq] all the things
2020-09-03 12:11:20 +02:00
Alexandre Dulaunoy
46b6f79cfd
chg: [keybase] description updated
2020-09-03 12:08:13 +02:00
Alexandre Dulaunoy
ae3158e3fa
chg: [keybase] updated
2020-09-03 12:02:37 +02:00