Commit Graph

1788 Commits (7a395b02ea8c2094eee821f7847a52580051f1b3)

Author SHA1 Message Date
th3r3d 5ff1dff7b0
Create definition in groups
Inspired by threat actor group cards
2022-12-12 19:02:23 +01:00
th3r3d 262e2bee90
Created definition for ADS
For ADS framework - create
2022-12-12 19:01:23 +01:00
Alexandre Dulaunoy 9025138b97
Merge pull request #374 from lgtm-migrator/codeql
Add CodeQL workflow for GitHub code scanning
2022-12-11 13:16:01 +01:00
Alexandre Dulaunoy a40c08cf2c
chg: [jq_all_the_things] display if an UUID is invalid 2022-12-11 13:04:30 +01:00
Alexandre Dulaunoy 858e485263
fix: [mactim-timeline-analysis] invalid UUID fixed 2022-12-11 13:03:18 +01:00
Alexandre Dulaunoy d491cde4b1
fix: [fail2ban] incorrect UUID fixed 2022-12-11 12:54:24 +01:00
Alexandre Dulaunoy 2787dc45d7
fix: [person] add a missing passport-creation date field. 2022-11-19 12:21:16 +01:00
LGTM Migrator cb645abb54
Add CodeQL workflow for GitHub code scanning 2022-11-10 11:18:21 +00:00
Alexandre Dulaunoy 34ed3309e0
Merge pull request #373 from MISP/chrisr3d_patch
Updated the `exploit` template
2022-10-25 10:22:29 +02:00
Christian Studer b877eb0815
add: [exploit] Added `description` and `title` attributes 2022-10-23 23:11:48 +02:00
Christian Studer 0ddd22c4f7 Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch 2022-10-23 22:56:27 +02:00
Christian Studer b3882354b0 Merge branch 'main' of github.com:MISP/misp-objects 2022-10-23 22:55:23 +02:00
Alexandre Dulaunoy 5bd1cb80a7
Merge pull request #372 from Delta-Sierra/master
add username field in telegram-bot object
2022-10-13 21:25:58 +02:00
Delta-Sierra e7b9a8e7cf add username field in telegram-bot object 2022-10-13 13:45:52 +02:00
Alexandre Dulaunoy 82c699cc5f
new: [telegram-bot] new object to describe Telegram bots 2022-10-13 10:32:58 +02:00
Alexandre Dulaunoy 06df368890
new: [intrusion-set] based on the STIX 2.1 definition
TODO - "Open Vocabularies" - value versus description.
2022-09-29 07:32:52 +02:00
Alexandre Dulaunoy 35df5bad01
new: [exploit] Exploit object template to describe code or program used
to exploit specific vulnerabilities. The objet can be linked to
`vulnerability` objects but also device, iot, firmware or alike.
2022-09-26 07:40:11 +02:00
Alexandre Dulaunoy 3cf9307b24
Merge branch 'main' of github.com:MISP/misp-objects into main 2022-09-09 07:26:37 +02:00
Alexandre Dulaunoy fa26cdf15e
fix: [facebook-group] add an optional ID reference to the facebook id 2022-09-09 07:24:05 +02:00
Alexandre Dulaunoy fc51889b42
new: [facebook-reaction] new object to link reaction with facebook posts or alike 2022-09-09 07:21:59 +02:00
Alexandre Dulaunoy 3abfb19982
Merge pull request #370 from goodlandsecurity/spearphishing-objects-v2
spearphishing-objects-v2
2022-08-26 08:53:49 +02:00
goodlandsecurity b258786935 jq_all_the_things 2022-08-25 16:03:59 -05:00
goodlandsecurity 26c2767228 allow multiple of certain types. bump version 2022-08-25 15:56:36 -05:00
Alexandre Dulaunoy 5e2b455123
Merge branch 'Vasileios-Mavroeidis-patch-4' into main 2022-08-25 10:18:33 +02:00
Alexandre Dulaunoy ec351176f9
chg: [security-playbook] JSON fixed 2022-08-25 10:17:48 +02:00
Vasileios Mavroeidis 2771e2681f
Update definition.json
Found the issue and updated the playbook-id attribute. It is not required anymore. We should not dictate producers generating this property since it can be used to correlate playbooks. The use case is: If we have a cacao playbook attached then we could have the UUIDV4 extracted from the "attachment" and put at the MISP security-playbook object attribute "playbook-id". Correlation is enabled if another security playbook object follows the same process while attaching the same CACAO playbook. If the attached playbook is a png then there is no way to associate it again with another security playbook object that has the same png as an attachment as we cannot know that. That would be possible only if the attachment had a machine-readable identifier. Another use case is to generate a hash and attach it to a property, but let's leave that for the future and if it is never needed or appears as a use case. Long story short the pull request improves the semantics of the object and correlations of different security playbook objects :)
2022-08-24 18:44:11 +02:00
Alexandre Dulaunoy 66a9b8eee7
chg: [doc] list of MISP object template updated 2022-08-03 11:48:05 +02:00
Alexandre Dulaunoy 9b9c838961
fix: [yara] add a reference link to the YARA object template 2022-08-03 11:46:30 +02:00
Alexandre Dulaunoy 39df304924
Merge branch 'main' of github.com:MISP/misp-objects into main 2022-08-03 11:45:06 +02:00
Alexandre Dulaunoy 734d85337d
new: [sigma] a sigma attribute exists in MISP but the object was
missing to add some additional meta information.
2022-08-03 11:44:37 +02:00
Alexandre Dulaunoy ec00217098
Best practices when creating MISP object templates 2022-07-28 18:50:16 +02:00
Alexandre Dulaunoy 50f61a03be
chg: [scheduled-task] disable_correlation + clarification 2022-07-08 15:03:27 +02:00
Delta-Sierra 73c2462448 Windows Scheduled Task Object - First draft 2022-07-07 15:17:34 +02:00
Alexandre Dulaunoy 58ef1729f2
Merge pull request #364 from matthijsvp/main
New attack-step object.
2022-07-02 20:21:10 +01:00
matthijsvp 8e024f4863 chg: Fixed typo in disable_correlation 2022-07-01 16:59:03 +02:00
matthijsvp 896fb72735 Merge from master 2022-07-01 16:47:23 +02:00
Matthijs van P 29d7467de9
Merge branch 'MISP:main' into main 2022-07-01 16:43:49 +02:00
matthijsvp 593d80abd1 initial commit 2022-07-01 16:43:22 +02:00
Alexandre Dulaunoy db5033f385
fix: [ftm-*] Fixing missing description - #363 2022-06-30 17:43:44 +02:00
Alexandre Dulaunoy 85dd164dbb
fix: [ftm] missing description fix #363 2022-06-30 17:19:33 +02:00
Alexandre Dulaunoy 9b0a9cd9eb
chg: [ftm-Call] fixed missing description 2022-06-30 17:12:25 +02:00
Alexandre Dulaunoy 91e1c8bdcd
chg: [query] add Kusto Query Language (KQL)
Ref: https://twitter.com/castello_johnny/status/1540732973753847808
2022-06-25 19:20:13 +02:00
Alexandre Dulaunoy fd58bdd7b7
chg: [query] add missing SPL language (Splunk) format
Thanks to https://twitter.com/nbareil/status/1540633706959863813 @nbareil
2022-06-25 11:56:15 +02:00
Alexandre Dulaunoy 07b6883c93
new: [query] query object to describe search queries on SIEM and other tools
MISP object template designed following requests and especially this twitter thread:

https://twitter.com/castello_johnny/status/1540610057263628289

I added a list of sane default based on the ones I have seen being used:

      "sane_default": [
        "event query language (eql)",
        "keyword query language (kql)",
        "Query DSL",
        "Query (Elastic Search)",
        "Sigma",
        "Lucene query",
        "Google search query",
        "Ariel Query Language (qradar)",
        "Grep",
        "Devo LINQ"
      ],

Thanks to Gianni Castaldi and others for ideas.

The object can be expanded and improved over the time and the needs
to share new queries.
2022-06-25 11:37:41 +02:00
Alexandre Dulaunoy 4badc17a84
chg: [doc] list of objects updated 2022-06-18 20:57:14 +02:00
Alexandre Dulaunoy 8fd41924dd
chg: [stock] newline fixed 2022-06-18 17:00:13 +02:00
Alexandre Dulaunoy 7ea63899df
chg: [stock] UUID fixed 2022-06-18 16:58:49 +02:00
Alexandre Dulaunoy 421f5f9ccc
new: [stock] a first version of a stock market object to describe stock in MISP 2022-06-18 16:55:13 +02:00
Alexandre Dulaunoy 8215066c96
chg: [report] add Zotero item types in addition to the default type 2022-06-18 16:10:41 +02:00
Alexandre Dulaunoy b56d3a980b
Merge branch 'main' of github.com:MISP/misp-objects into main 2022-06-17 10:27:22 +02:00