Commit Graph

1744 Commits (b657128758e027fd6d42f4af47046c7df2a7cb03)

Author SHA1 Message Date
phmazzoni b3096262f5
Create definition.json
Create Palo Alto Threat Log Object Template.
2021-03-05 11:30:00 -03:00
Alexandre Dulaunoy e1f01f674f
chg: [person] full-name attribute type added + expanding object person with full-name 2021-03-03 07:41:16 +01:00
Alexandre Dulaunoy e764ed6983
chg: [schema] dkim and dkim signature added 2021-02-25 07:37:36 +01:00
Alexandre Dulaunoy 4c62d6091a
fix: [dkim] clean-up 2021-02-25 07:25:09 +01:00
Alexandre Dulaunoy df6784859e
new: [dkim] DomainKeys Identified Mail - DKIM object template 2021-02-25 07:24:19 +01:00
Alexandre Dulaunoy 703b53fc3b
chg: [network-element] jq 2021-02-24 06:48:10 +01:00
Alexandre Dulaunoy 1fe9649205
chg: [network-profile] AS updated 2021-02-24 06:47:04 +01:00
Alexandre Dulaunoy d87ce65cb9
chg: [network-profile] add jarm-fingerprint 2021-02-24 06:38:49 +01:00
Alexandre Dulaunoy 41375621f7
Merge pull request #307 from hackunagi/main
Creation of Network Profile MISP Object
2021-02-24 06:37:22 +01:00
Carlos Borges 85dc07a1f4
Creation of Network Profile MISP Object
The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.

The need for a consolidated object comes to group correlated elements.

Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:

The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identifies it. A practical and tested example is these resources from Kaspersky.

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

In this article they mention a trojan family called Javali. They recover the C2 server by abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.

A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern", i.e.

inicio{
"host":"<variable>",
"porta":"<variable>"
}fim

With other investigations and registry of it on MISP, it is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
2021-02-23 20:39:22 -03:00
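The generalisation step the commit message above describes, as an added example in Python that is not part of misp-objects or of the pull request: an observed threat-actor-infrastructure-value is reduced to the threat-actor-infrastructure-pattern value by keeping the inicio{...}fim framing and the key names and replacing each leaf value with "<variable>". The sample strings are constructed (they are not the Javali data), and the regular expression and the key-sorting rule are this example's own choices.

```python
import json
import re
from typing import Dict, List, Tuple

# Placeholder quoted in the commit message for the variable part of a pattern.
PLACEHOLDER = "<variable>"

# Constructed sample values (not real Javali C2 data), framed the way the
# commit message shows: a literal prefix, a JSON body, a literal suffix.
SAMPLES = [
    'inicio{"host":"198.51.100.10","porta":"443"}fim',
    'inicio{"porta":"8080","host":"203.0.113.7"}fim',
    'inicio{"host":"c2.example.net","porta":"443","chave":"abc"}fim',
]

_FRAMED = re.compile(r"^(?P<prefix>[A-Za-z]+)(?P<body>\{.*\})(?P<suffix>[A-Za-z]+)$", re.S)


def split_framing(value: str) -> Tuple[str, str, str]:
    """Split 'prefix{json}suffix' into its parts; reject anything else loudly
    rather than silently producing a pattern that would never correlate."""
    m = _FRAMED.match(value.strip())
    if m is None:
        raise ValueError(f"not a framed JSON value: {value!r}")
    return m.group("prefix"), m.group("body"), m.group("suffix")


def generalise(value: str) -> str:
    """Derive the threat-actor-infrastructure-pattern value from an observed
    threat-actor-infrastructure-value: keep the framing and the key names,
    replace every leaf value with PLACEHOLDER. Keys are sorted (this example's
    choice) so two samples that differ only in key order yield the same pattern."""
    prefix, body, suffix = split_framing(value)

    def walk(node):
        if isinstance(node, dict):
            return {k: walk(node[k]) for k in sorted(node)}
        if isinstance(node, list):
            return [walk(x) for x in node]
        return PLACEHOLDER

    pattern_body = json.dumps(walk(json.loads(body)), separators=(",", ":"))
    return f"{prefix}{pattern_body}{suffix}"


def group_by_pattern(values: List[str]) -> Dict[str, List[str]]:
    """Map each pattern to the observed values it was derived from. Values that
    land in the same group are the ones a shared pattern attribute would link
    across events, even though their raw values never match each other."""
    groups: Dict[str, List[str]] = {}
    for v in values:
        groups.setdefault(generalise(v), []).append(v)
    return groups


if __name__ == "__main__":
    for pattern, members in group_by_pattern(SAMPLES).items():
        print(f"{pattern}  <- {len(members)} observed value(s)")
```

The first two samples collapse to one pattern despite different hosts, ports and key order; the third keeps a distinct pattern because it carries an extra key, which is the kind of structural difference worth keeping apart.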
Alexandre Dulaunoy 67d364a97b
chg: [relationships] jq all the things 2021-02-22 18:23:08 +01:00
Alexandre Dulaunoy 0db27fedd0
Merge branch 'main' of github.com:MISP/misp-objects into main 2021-02-22 18:22:37 +01:00
Alexandre Dulaunoy e902af130c
chg: [report] make link or summary as non-required field 2021-02-22 18:21:45 +01:00
Alexandre Dulaunoy e48e797901
Merge pull request #306 from theobarrague/main
Add the opposite relationships in relationships/definition.json
2021-02-22 13:27:06 +01:00
Théo BARRAGUÉ 1bf9f93b83
Merge branch 'main' into main 2021-02-22 11:46:56 +01:00
Théo BARRAGUÉ 159be29a66
add: check if opposite key is valid in relationships 2021-02-22 11:28:24 +01:00
Théo BARRAGUÉ df7cf6bffb
chg: update json schema for relationships to include opposite key 2021-02-22 11:21:11 +01:00
Théo BARRAGUÉ ebfcf6a169
add: tool to validate if declared opposites exist 2021-02-22 11:19:31 +01:00
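A validator of the kind the two "opposite" commits above describe, as an added Python example rather than the pull request's own tool: every declared opposite must name an existing relationship and must point back. The layout of relationships/definition.json assumed here (a top-level "values" list of entries with "name", "description" and an optional "opposite") and the relationship names in the sample are constructed for the example.

```python
import json
import sys
from typing import Dict, List

# Constructed stand-in for relationships/definition.json. Assumption about the
# file layout: a top-level "values" list whose entries carry "name",
# "description" and an optional "opposite" naming the reverse relationship.
SAMPLE_DEFINITION = """
{
  "version": 1,
  "values": [
    {"name": "writes",     "description": "Writes to",  "opposite": "written-by"},
    {"name": "written-by", "description": "Written by", "opposite": "writes"},
    {"name": "reads",      "description": "Reads from", "opposite": "read-by"},
    {"name": "similar",    "description": "Similar to", "opposite": "similar"},
    {"name": "mentions",   "description": "Mentions"}
  ]
}
"""


def validate_opposites(definition: dict) -> List[str]:
    """Return every problem found; an empty list means the definition passes.

    Three things are checked: relationship names are unique, every declared
    opposite names a relationship that exists, and the opposite points back
    (a self-opposite such as "similar" is fine). A dangling opposite is the
    case the commit above guards against: the reverse relationship would
    point at a name nothing defines."""
    problems: List[str] = []
    by_name: Dict[str, dict] = {}
    for entry in definition.get("values", []):
        name = entry["name"]
        if name in by_name:
            problems.append(f"duplicate relationship name: {name}")
        by_name[name] = entry
    for name, entry in by_name.items():
        opposite = entry.get("opposite")
        if opposite is None:
            continue
        if opposite not in by_name:
            problems.append(f"{name}: opposite {opposite!r} is not a declared relationship")
            continue
        back = by_name[opposite].get("opposite")
        if back != name:
            problems.append(f"{name}: opposite {opposite!r} points back to {back!r}, not {name!r}")
    return problems


def check_definition_text(text: str) -> List[str]:
    """Parse a definition.json body and validate it (used by the CLI below)."""
    return validate_opposites(json.loads(text))


if __name__ == "__main__":
    # Usage: python check_opposites.py [path/to/relationships/definition.json]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFINITION
    findings = check_definition_text(source)
    for line in findings:
        print("ERROR:", line)
    sys.exit(1 if findings else 0)
```

Run against the sample it reports the one dangling opposite ("reads" points at a "read-by" that is never declared) and exits non-zero, which is the behaviour you want from a check wired into CI.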
Théo BARRAGUÉ c2149bee81
fix: commas were sometimes doubled 2021-02-22 11:05:56 +01:00
Alexandre Dulaunoy 4e011f2478
chg: [regexp] fixed 2021-02-19 21:56:35 +01:00
Alexandre Dulaunoy 016f9e58af
chg: [regexp] Farsight Compatible Regular Expressions (FCRE) added
Ref: https://docs.dnsdb.info/dnsdb-fcre-reference-guide/#farsight-compatible-regular-expressions-fcre
2021-02-19 18:03:23 +01:00
Alexandre Dulaunoy 36994fda1e
fix: [splunk] fixed 2021-02-15 15:10:20 +01:00
Alexandre Dulaunoy cb73cfaf49
chg: [splunk] object updated 2021-02-15 14:43:44 +01:00
Alexandre Dulaunoy b425b17a37
Merge pull request #305 from marcnil815/patch-1
Update definition.json
2021-02-15 14:23:02 +01:00
marcnil815 f3830e044a
Update definition.json
Added possibility for multiple searches in same object to accommodate using raw searches and datamodel searches.
2021-02-15 14:13:17 +01:00
Alexandre Dulaunoy 84df20e51f
new: [windows-service] windows-service object added 2021-02-13 17:01:44 +01:00
Alexandre Dulaunoy 2b1c3532dc
chg: [report] add a link field to the report object template 2021-02-04 11:03:01 +01:00
Raphaël Vinot 3d3d40e6c0
fix: keys order in VT object 2021-02-02 15:31:00 +01:00
Raphaël Vinot 625684684a
chg: Disable correlation in VT objects 2021-02-02 15:25:13 +01:00
Alexandre Dulaunoy 4b9f12c644
chg: [relationships] updated 2021-02-02 12:29:31 +01:00
Alexandre Dulaunoy 0756f2d43f
chg: [relationships] writes added 2021-02-02 12:26:08 +01:00
Alexandre Dulaunoy 160c39d91e
chg: [url] jq all the things 2021-02-02 11:57:41 +01:00
Raphaël Vinot 82c217781f
chg: allow multiple IPs in URL object 2021-02-02 11:39:37 +01:00
Alexandre Dulaunoy 39eb3695a0
Merge pull request #304 from Terrtia/master
chg: [telegram-account] required attributes
2021-01-26 11:52:54 +01:00
Terrtia 4f50074ba7
chg: [telegram-account] required attributes 2021-01-26 11:39:22 +01:00
Alexandre Dulaunoy eedcc2d5af
chg: [telegram-account] fixes 2021-01-26 10:30:30 +01:00
Alexandre Dulaunoy ca247d8c2a
new: [telegram-user] basic telegram user
Ref: https://core.telegram.org/constructor/user

More could be added in the future
2021-01-26 10:27:35 +01:00
Raphaël Vinot 1e14201fc0
chg: Update objects to match lief output for authenticode 2021-01-19 15:38:31 +01:00
Théo BARRAGUÉ 5c197e99c3
add: opposite of 26 relationships 2021-01-12 18:53:50 +01:00
Alexandre Dulaunoy fd7c05d74b
chg: [jarm] jq all the things 2021-01-05 14:49:34 +01:00
Alexandre Dulaunoy 811b52fa6f
fix: [tool] link to object template fixed 2021-01-05 14:48:29 +01:00
Alexandre Dulaunoy 8d08dc52d0
chg: [jarm] jarm type is jarm-fingerprint 2021-01-05 14:48:06 +01:00
Alexandre Dulaunoy 8753de0e1e
new: [jarm] new jarm object to describe TLS/SSL implementation matching
a jarm fingerprint
2021-01-05 14:44:46 +01:00
Alexandre Dulaunoy d5b837390c
chg: [doc] fixed 2021-01-05 09:33:42 +01:00
Alexandre Dulaunoy 2cb16e7be0
chg: [trustar_report] Updated to add "THREAT_ACTOR"
Fixing #273
2021-01-05 09:30:28 +01:00
Alexandre Dulaunoy d6d515d3d8
chg: [yara] disable correlations on some fields 2020-12-30 14:46:04 +01:00
Alexandre Dulaunoy 4d1c42e491
chg: [crypto-material] add a public field for public cryptographic materials 2020-12-30 14:21:37 +01:00
Alexandre Dulaunoy 3650498630
chg: [favicon] jq all the things 2020-12-27 16:21:09 +01:00
Alexandre Dulaunoy 179bd48bec
chg: [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
2020-12-27 16:19:04 +01:00
Alexandre Dulaunoy 8921a0c8a2
chg: [type] favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. 2020-12-24 12:00:45 +01:00