Commit Graph

1263 Commits (bcd133527e218db539cc861a4725d729f41e42da)

Author SHA1 Message Date
aaronkaplan bcd133527e
Merge branch 'main' of https://github.com/MISP/misp-objects 2021-05-02 16:03:35 +02:00
aaronkaplan 7b4c9cd6df
As discussed with @rafiot, we can't simply add rdata and rrname as
text only into MISP objects. Why? Because otherwise we can't use MISP's
correlation engine to correlate attributes (rrname, rdata) inside these
MISP objects with other events. Because "text" would not correlate with
other "ip-src" or "domain" types in other objects/attributes.

Kind of sucks to duplicate the rrname and rdata entries, but that's the
only solution we came up with.

The COF2MISP module will populate both the rrname,rdata as well as the
rrname_{domain,ip} and rdata_{domain,ip} attributes.

Checked with jq_all_the_things.sh.
Thanks for your consideration.
2021-05-02 15:57:54 +02:00
Alexandre Dulaunoy 4b88a52cf4
chg: [passive-dns] fix 2021-04-27 18:26:23 +02:00
Alexandre Dulaunoy f9f0e94781
Merge branch 'aaronkaplan-patch-1' into main 2021-04-27 18:24:33 +02:00
Alexandre Dulaunoy ab84bd837f
fix: [passive-dns] fix the JSON and the version 2021-04-27 18:13:05 +02:00
AaronK df8604a8ca
Update definition.json
Added time_first_ms, time_last_ms. Clarified a few things in the descriptions.
2021-04-27 15:37:51 +02:00
Alexandre Dulaunoy e72cf95275
chg: [doc] list of objects updated 2021-04-27 06:04:06 +02:00
Alexandre Dulaunoy 34a8807b15
new: [doc] gitchangelog.rc added 2021-04-27 06:01:57 +02:00
Alexandre Dulaunoy 7c21a969d1
fix: [stix2-pattern] disable correlation on version
Thanks to the new feature in MISP 2.4.142 to find top correlations ;-)
2021-04-27 05:57:52 +02:00
Alexandre Dulaunoy 5e6f887fa1
Merge branch 'main' of github.com:MISP/misp-objects into main 2021-04-14 09:20:52 +02:00
Alexandre Dulaunoy 6f002cd4c6
chg: [report] add a report type 2021-04-14 09:20:25 +02:00
Raphaël Vinot 067ae49498 fix: Typo 2021-03-05 18:23:11 +01:00
Raphaël Vinot 52fe647e33 Merge branch 'phmazzoni-patch-3' into main 2021-03-05 18:16:57 +01:00
Raphaël Vinot 321a952a66 chg: make jq validation happy 2021-03-05 18:16:46 +01:00
phmazzoni 16a3bed253
Create definition.json 2021-03-05 14:05:39 -03:00
phmazzoni a16d689085
Delete objects/panorama directory 2021-03-05 14:03:37 -03:00
Raphaël Vinot 3fb441b8a0 chg: Make jq validation happy 2021-03-05 15:57:41 +01:00
Raphaël Vinot 04331becf0 chg: Add PR to GH actions 2021-03-05 15:56:43 +01:00
Raphaël Vinot f724130616
Merge pull request #308 from phmazzoni/main
Create Palo Alto Threat Log Object Template.
2021-03-05 15:50:33 +01:00
phmazzoni b3096262f5
Create definition.json
Create Palo Alto Threat Log Object Template.
2021-03-05 11:30:00 -03:00
Alexandre Dulaunoy e1f01f674f
chg: [person] full-name attribute type added + expanding object person with full-name 2021-03-03 07:41:16 +01:00
Alexandre Dulaunoy e764ed6983
chg: [schema] dkim and dkim signature added 2021-02-25 07:37:36 +01:00
Alexandre Dulaunoy 4c62d6091a
fix: [dkim] clean-up 2021-02-25 07:25:09 +01:00
Alexandre Dulaunoy df6784859e
new: [dkim] DomainKeys Identified Mail - DKIM object template 2021-02-25 07:24:19 +01:00
Alexandre Dulaunoy 703b53fc3b
chg: [network-element] jq 2021-02-24 06:48:10 +01:00
Alexandre Dulaunoy 1fe9649205
chg: [network-profile] AS updated 2021-02-24 06:47:04 +01:00
Alexandre Dulaunoy d87ce65cb9
chg: [network-profile] add jarm-fingerprint 2021-02-24 06:38:49 +01:00
Alexandre Dulaunoy 41375621f7
Merge pull request #307 from hackunagi/main
Creation of Network Profile MISP Object
2021-02-24 06:37:22 +01:00
Carlos Borges 85dc07a1f4
Creation of Network Profile MISP Object
The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.

The need for a consolidated object comes to group correlated elements.

Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:

The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identify it. A practical and tested example is this resources from Kaspesky.

https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

On this article they mention a trojan family called Javali. They recover the C2 server abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.

A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern". I.E

inicio{
"host":"<variable>",
"porta":"<variable>"
}fim

With other investigations and registry of it on MISP, is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
2021-02-23 20:39:22 -03:00
Alexandre Dulaunoy 67d364a97b
chg: [relationships] jq all the things 2021-02-22 18:23:08 +01:00
Alexandre Dulaunoy 0db27fedd0
Merge branch 'main' of github.com:MISP/misp-objects into main 2021-02-22 18:22:37 +01:00
Alexandre Dulaunoy e902af130c
chg: [report] make link or summary as non-required field 2021-02-22 18:21:45 +01:00
Alexandre Dulaunoy e48e797901
Merge pull request #306 from theobarrague/main
Ajout des relations opposées dans relationships/definition.json
2021-02-22 13:27:06 +01:00
Théo BARRAGUÉ 1bf9f93b83
Merge branch 'main' into main 2021-02-22 11:46:56 +01:00
Théo BARRAGUÉ 159be29a66
add: check if opposite key is valid in relationships 2021-02-22 11:28:24 +01:00
Théo BARRAGUÉ df7cf6bffb
chg: update json schema for relationships to include opposite key 2021-02-22 11:21:11 +01:00
Théo BARRAGUÉ ebfcf6a169
add: tool to validate if declared opposites exist 2021-02-22 11:19:31 +01:00
Théo BARRAGUÉ c2149bee81
fix: commas were sometimes doubled 2021-02-22 11:05:56 +01:00
Alexandre Dulaunoy 4e011f2478
chg: [regexp] fixed 2021-02-19 21:56:35 +01:00
Alexandre Dulaunoy 016f9e58af
chg: [regexp] added Farsight Compatible Regular Expressions (FCRE) added
Ref: https://docs.dnsdb.info/dnsdb-fcre-reference-guide/#farsight-compatible-regular-expressions-fcre
2021-02-19 18:03:23 +01:00
Alexandre Dulaunoy 36994fda1e
fix: [splunk] fixed 2021-02-15 15:10:20 +01:00
Alexandre Dulaunoy cb73cfaf49
chg: [splunk] object updated 2021-02-15 14:43:44 +01:00
Alexandre Dulaunoy b425b17a37
Merge pull request #305 from marcnil815/patch-1
Update definition.json
2021-02-15 14:23:02 +01:00
marcnil815 f3830e044a
Update definition.json
Added possibility for multiple searches in same object to accomodate using raw searches and datamodel searches.
2021-02-15 14:13:17 +01:00
Alexandre Dulaunoy 84df20e51f
new: [windows-service] windows-service object added 2021-02-13 17:01:44 +01:00
Alexandre Dulaunoy 2b1c3532dc
chg: [report] add a link field to the report object template 2021-02-04 11:03:01 +01:00
Raphaël Vinot 3d3d40e6c0 fix: keys order in VT object 2021-02-02 15:31:00 +01:00
Raphaël Vinot 625684684a chg: Disable correlation in VT objects 2021-02-02 15:25:13 +01:00
Alexandre Dulaunoy 4b9f12c644
chg: [relationships] updated 2021-02-02 12:29:31 +01:00
Alexandre Dulaunoy 0756f2d43f
chg: [relationships] writes added 2021-02-02 12:26:08 +01:00