MISP
/
misp-objects
mirror of https://github.com/MISP/misp-objects
2
0
Fork 0
Code Issues Releases Wiki Activity
1,392 Commits
6 Branches
44 Tags
11 MiB
Commit Graph

969 Commits (41d52f67b98bd2aa68c1a0a7803f358994e97c9f)

Author SHA1 Message Date
Sami Tainio 48e6ff2567 Ran jq_all_the_things_.sh 2021-10-23 10:58:55 +03:00
Sami Tainio aa2aa0814a
chg: [email] add a `bcc` field, `reply-to` can be multiple 
Fix #329
 2021-10-22 23:29:35 +03:00
Quentin JEROME 2394885553 Ran jq_all_the_things.sh 2021-10-06 20:13:39 +02:00
qjerome ce1aea0e14
Update descriptions of edr-report 2021-10-06 19:42:34 +02:00
Quentin JEROME 38303b282f Added edr-report MISP Object definition 2021-10-06 19:42:45 +02:00
Alexandre Dulaunoy 6ad5f18831
chg: [security-playbook] updated 2021-10-05 15:28:26 +02:00
Vasileios Mavroeidis ef16c5fe9a
Update definition.json 
Improved the descriptions of the properties to aid their usability and resolve numerous ambiguities.
 2021-10-02 13:01:11 +02:00
Alexandre Dulaunoy 3d52773e9d
fix: [playbook] it's always a newline story ;-) 2021-09-29 17:08:40 +02:00
Vasileios Mavroeidis 1b3447ffba
Update definition.json 
person-role is not included in the attributes
 2021-09-29 17:03:10 +02:00
Alexandre Dulaunoy 02e00959c4
fix: [security-playbook] newline issue 2021-09-28 14:49:28 +02:00
Alexandre Dulaunoy 4fed830b87
fix: [security-playbook] Categories are case sensitive 2021-09-28 14:48:27 +02:00
Pavel Eis ee9b978c5e new: [security-playbook] security-playbook added 2021-09-28 10:31:45 +02:00
Alexandre Dulaunoy c8cd002a3b
chg: [hashlookup] add KnownMalicious field in hashlookup record 2021-09-24 15:33:53 +02:00
Alexandre Dulaunoy 0ba346f194
chg: [hashlookup] add source, TLSH, SSDEEP fields in the object template 2021-09-24 15:23:04 +02:00
Alexandre Dulaunoy ffa6ed7963
chg: [process] remove ambiguity between user-creator and current user running the process 
Following CISA/DHS feedback

Fix #322
 2021-09-14 08:35:02 +02:00
Alexandre Dulaunoy 3f6a653b0d
fix: [user-account] replace the unclear text in description 
Feedback from CISA/DHS - fix #323
 2021-09-14 08:31:01 +02:00
Alexandre Dulaunoy 8c86f26e78
chg: [domain-ip] newline fix 2021-09-11 07:53:21 +02:00
Andras Iklody 12612abdcb
remove multiple from ip field 2021-09-10 15:24:50 +02:00
Alexandre Dulaunoy b42a9d8fe0
chg: [ss7-attack] order and newline 2021-09-04 10:19:25 +02:00
Alexandre De Oliveira 9f2f46faa7
Added few fields for GT Leasing - v3 2021-09-02 13:57:40 +02:00
chrisr3d d2b93f5aa6
chg: [hashlookup] Using the `filename` type for the FileName attribute instead of `text` 2021-08-26 15:13:14 +02:00
Alexandre Dulaunoy 633a84df03
chg: [hashlookup] newline because you know 2021-08-25 12:02:17 +02:00
Alexandre Dulaunoy 7e849963f1
chg: [hashlookup] filename changed 2021-08-25 12:00:11 +02:00
Alexandre Dulaunoy 1e4f39f728
new: [hashlookup] new hashlookup.circl.lu object 2021-08-25 11:55:57 +02:00
Alexandre Dulaunoy 8ecdd68eb8
chg: [tsk-web-search-query] jq all the things 2021-07-25 09:11:42 +02:00
Alexandre Dulaunoy 7d7cea0459
Fix incorrect type for domain 2021-07-25 09:09:53 +02:00
Alexandre Dulaunoy d37c575ee0
chg: [email] add a from-domain field to add domain when full email is not known or a wild card 
Fix #318

Feedback from Eurocontrol training
 2021-06-22 15:23:41 +02:00
Alexandre Dulaunoy b6366988f4
chg: [paloalto-threat-event] fix newline 2021-05-28 23:07:49 +02:00
phmazzoni df58f2b29f
Disabling some field correlations 
Disabling some field correlations to avoid excessive number of events
 2021-05-27 17:24:58 -03:00
Alexandre Dulaunoy 212e410258
chg: [ddos] fix newline 2021-05-27 16:25:52 +02:00
Alexandre Dulaunoy a31f7d0f26
Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA 
Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA
 2021-05-27 16:19:12 +02:00
Alexandre Dulaunoy 195f0fe46a
fix: [passive-dns-dnsdbflex] newline 2021-05-26 14:12:10 +02:00
aaronkaplan 094d61a51a
dnsdbflex object 2021-05-26 12:34:34 +02:00
Alexandre Dulaunoy 93b99230e3
chg: [jq] all the things 2021-05-25 23:15:59 +02:00
Alexandre Dulaunoy 265f8d3fc7
chg: [geolocation] fix UUID to be valid UUIDv4 2021-05-25 23:11:01 +02:00
Alexandre Dulaunoy d89296b542
new: [open-data-security] new object template based on open data 
security definition

To be used in VARIoT project. https://www.variot.eu/
 2021-05-17 15:55:23 +02:00
Alexandre Dulaunoy 5d986dc25e
chg: [phishing] newline 2021-05-11 15:44:35 +02:00
Alexandre Dulaunoy 8bb8a1d22c
Merge branch 'main' of github.com:MISP/misp-objects into main 2021-05-11 15:01:53 +02:00
Alexandre Dulaunoy d8340c3f67
chg: [phishing] version bump 2021-05-11 15:01:31 +02:00
chrisr3d 3a2e44c442
fix: [network-socket] Typo 2021-05-06 15:42:03 +02:00
chrisr3d 5028d5d99f
add: [network-socket] Added Socket type attribute 2021-05-06 15:17:52 +02:00
Alexandre Dulaunoy 7a476ec4ef
chg: [passive-dns] jq 2021-05-03 07:20:51 +02:00
aaronkaplan b728ed3e29
Re-Do the definition.json, according to the results of the discussion in 
https://github.com/MISP/misp-objects/pull/314

Removing *_ip and *_domain
Keeping bailiwick a domain type
 2021-05-03 00:57:14 +02:00
aaronkaplan bcd133527e
Merge branch 'main' of https://github.com/MISP/misp-objects 2021-05-02 16:03:35 +02:00
aaronkaplan 7b4c9cd6df
As discussed with @rafiot, we can't simply add rdata and rrname as 
text only into MISP objects. Why? Because otherwise we can't use MISP's
correlation engine to correlate attributes (rrname, rdata) inside these
MISP objects with other events. Because "text" would not correlate with
other "ip-src" or "domain" types in other objects/attributes.

Kind of sucks to duplicate the rrname and rdata entries, but that's the
only solution we came up with.

The COF2MISP module will populate both the rrname,rdata as well as the
rrname_{domain,ip} and rdata_{domain,ip} attributes.

Checked with jq_all_the_things.sh.
Thanks for your consideration.
 2021-05-02 15:57:54 +02:00
Alexandre Dulaunoy 4b88a52cf4
chg: [passive-dns] fix 2021-04-27 18:26:23 +02:00
Alexandre Dulaunoy ab84bd837f
fix: [passive-dns] fix the JSON and the version 2021-04-27 18:13:05 +02:00
AaronK df8604a8ca
Update definition.json 
Added time_first_ms, time_last_ms. Clarified a few things in the descriptions.
 2021-04-27 15:37:51 +02:00
Alexandre Dulaunoy 7c21a969d1
fix: [stix2-pattern] disable correlation on version 
Thanks to the new feature in MISP 2.4.142 to find top correlations ;-)
 2021-04-27 05:57:52 +02:00
Alexandre Dulaunoy 5e6f887fa1
Merge branch 'main' of github.com:MISP/misp-objects into main 2021-04-14 09:20:52 +02:00
Alexandre Dulaunoy 6f002cd4c6
chg: [report] add a report type 2021-04-14 09:20:25 +02:00
Raphaël Vinot 067ae49498 fix: Typo 2021-03-05 18:23:11 +01:00
Raphaël Vinot 321a952a66 chg: make jq validation happy 2021-03-05 18:16:46 +01:00
phmazzoni 16a3bed253
Create definition.json 2021-03-05 14:05:39 -03:00
phmazzoni a16d689085
Delete objects/panorama directory 2021-03-05 14:03:37 -03:00
Raphaël Vinot 3fb441b8a0 chg: Make jq validation happy 2021-03-05 15:57:41 +01:00
phmazzoni b3096262f5
Create definition.json 
Create Palo Alto Threat Log Object Template.
 2021-03-05 11:30:00 -03:00
Alexandre Dulaunoy e1f01f674f
chg: [person] full-name attribute type added + expanding object person with full-name 2021-03-03 07:41:16 +01:00
Alexandre Dulaunoy 4c62d6091a
fix: [dkim] clean-up 2021-02-25 07:25:09 +01:00
Alexandre Dulaunoy df6784859e
new: [dkim] DomainKeys Identified Mail - DKIM object template 2021-02-25 07:24:19 +01:00
Alexandre Dulaunoy 703b53fc3b
chg: [network-element] jq 2021-02-24 06:48:10 +01:00
Alexandre Dulaunoy 1fe9649205
chg: [network-profile] AS updated 2021-02-24 06:47:04 +01:00
Alexandre Dulaunoy d87ce65cb9
chg: [network-profile] add jarm-fingerprint 2021-02-24 06:38:49 +01:00
Carlos Borges 85dc07a1f4
Creation of Network Profile MISP Object 
The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.

The need for a consolidated object comes to group correlated elements.

Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:

The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identify it. A practical and tested example is this resources from Kaspesky.

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

On this article they mention a trojan family called Javali. They recover the C2 server abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.

A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern". I.E

inicio{
"host":"<variable>",
"porta":"<variable>"
}fim

With other investigations and registry of it on MISP, is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
 2021-02-23 20:39:22 -03:00
Alexandre Dulaunoy e902af130c
chg: [report] make link or summary as non-required field 2021-02-22 18:21:45 +01:00
Alexandre Dulaunoy 4e011f2478
chg: [regexp] fixed 2021-02-19 21:56:35 +01:00
Alexandre Dulaunoy 016f9e58af
chg: [regexp] added Farsight Compatible Regular Expressions (FCRE) added 
Ref: https://docs.dnsdb.info/dnsdb-fcre-reference-guide/#farsight-compatible-regular-expressions-fcre
 2021-02-19 18:03:23 +01:00
Alexandre Dulaunoy 36994fda1e
fix: [splunk] fixed 2021-02-15 15:10:20 +01:00
Alexandre Dulaunoy cb73cfaf49
chg: [splunk] object updated 2021-02-15 14:43:44 +01:00
marcnil815 f3830e044a
Update definition.json 
Added possibility for multiple searches in same object to accomodate using raw searches and datamodel searches.
 2021-02-15 14:13:17 +01:00
Alexandre Dulaunoy 84df20e51f
new: [windows-service] windows-service object added 2021-02-13 17:01:44 +01:00
Alexandre Dulaunoy 2b1c3532dc
chg: [report] add a link field to the report object template 2021-02-04 11:03:01 +01:00
Raphaël Vinot 3d3d40e6c0 fix: keys order in VT object 2021-02-02 15:31:00 +01:00
Raphaël Vinot 625684684a chg: Disable correlation in VT objects 2021-02-02 15:25:13 +01:00
Alexandre Dulaunoy 160c39d91e
chg: [url] jq all the things 2021-02-02 11:57:41 +01:00
Raphaël Vinot 82c217781f chg: allow multiple IPs in URL object 2021-02-02 11:39:37 +01:00
Terrtia 4f50074ba7
chg: [telegram-account] required attributes 2021-01-26 11:39:22 +01:00
Alexandre Dulaunoy eedcc2d5af
chg: [telegram-account] fixes 2021-01-26 10:30:30 +01:00
Alexandre Dulaunoy ca247d8c2a
new: [telegram-user] basic telegram user 
Ref: https://core.telegram.org/constructor/user

More could be added in the future
 2021-01-26 10:27:35 +01:00
Raphaël Vinot 1e14201fc0 chg: Update objects to match lief output for authenticode 2021-01-19 15:38:31 +01:00
Alexandre Dulaunoy fd7c05d74b
chg: [jarm] jq all the things 2021-01-05 14:49:34 +01:00
Alexandre Dulaunoy 8d08dc52d0
chg: [jarm] jarm type is jarm-fingerprint 2021-01-05 14:48:06 +01:00
Alexandre Dulaunoy 8753de0e1e
new: [jarm] new jarm object to describe TLS/SSL implementation matching 
a jarm fingerprint
 2021-01-05 14:44:46 +01:00
Alexandre Dulaunoy 2cb16e7be0
chg: [trustar_report] Updated to add "THREAT_ACTOR" 
Fixing #273
 2021-01-05 09:30:28 +01:00
Alexandre Dulaunoy d6d515d3d8
chg: [yara] disable correlations on some fields 2020-12-30 14:46:04 +01:00
Alexandre Dulaunoy 4d1c42e491
chg: [crypto-material] add a public field for public cryptographic materials 2020-12-30 14:21:37 +01:00
Alexandre Dulaunoy 3650498630
chg: [favicon] jq all the things 2020-12-27 16:21:09 +01:00
Alexandre Dulaunoy 179bd48bec
chg: [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web 
site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
 2020-12-27 16:19:04 +01:00
Alexandre Dulaunoy b71e7c3458
chg: [twitter-post] jq 2020-12-20 10:52:40 +01:00
Alexandre Dulaunoy 8eae725e49
fix: [twitter-post] underscore - minus are difficult to choose from ;-) 2020-12-20 10:41:39 +01:00
Alexandre Dulaunoy ed1ceebdf4
chg: [jq] all the things 2020-12-20 10:37:14 +01:00
Alexandre Dulaunoy 85e37b360e
Merge pull request #302 from ater49/main 
Adding fields in twitter-post and paste
 2020-12-20 10:34:11 +01:00
Alexandre Dulaunoy 413a2618b6
Merge pull request #303 from seamustuohy/pymisp-pr/631 
Updated for support for msg format.
 2020-12-20 10:30:04 +01:00
seamus tuohy 7e65e5dfaf Updated for support for msg format. 
Adding first class support for Emails in .msg format to the email definition.
This includes making the  attribute support multiple bodies. Msg formats
nearly always have at least 2, if not 3, versions of the body (plain text, rtf, html).
 2020-12-19 17:03:26 -05:00
ater49 a410c7c7a6 Typo and version number correction + adding a field in twitter-post 
Adding created-at field in twitter-post
 2020-12-14 23:01:12 +01:00
ater49 a47ba8c5b8 Add media in twitter-post in order to store attached medias in a tweet 
Add pastebin.fr in source of paste and paste_file for storing whole
paste file.
 2020-12-14 22:25:58 +01:00
Alexandre Dulaunoy f517d6691c
Merge branch 'main' of github.com:MISP/misp-objects into main 2020-12-10 19:13:07 +01:00
Alexandre Dulaunoy 499392ca0a
chg: [domain-ip] hostname added as an attribute 2020-12-10 19:12:33 +01:00
Beaujeant a65aa06859 chg: can have mutliple text attributes 2020-11-25 16:17:54 +01:00
Alexandre Dulaunoy 9185d69d14
chg: [jq] all the [things] 2020-11-24 11:48:22 +01:00