Go to file
Christian Studer 4b5faf196b
add: [registry-key-value] New template to describe registry key values
- The `registry-key` object template includes
  already the `data`, `data-type` & `name` fields
  of a registry key value, but there is a
  limitation in the case of multiple registry key
  values
- In order to describe multiple registry key
  values, instead of adding a simple `multiple`
  field to the related and above mentioned fields,
  it is better to use the `registry-key-value`
  template so we know which data, data type and
  name values are related to a given registry key
  value
- It is then possible to have a reference between
  the registry key object and the related values
2023-03-01 20:50:30 +01:00
.github/workflows fix: [github workflow] version are not float but str 2022-12-15 14:47:08 +01:00
docs
objects add: [registry-key-value] New template to describe registry key values 2023-03-01 20:50:30 +01:00
relationships Add relationships based on XFN format 2023-02-14 12:08:50 +01:00
tools new: [software] software template object added based 6.14 (STIX 2.1) 2022-02-14 11:06:53 +01:00
.gitchangelog.rc
.travis.yml
LICENSE-software-only.md
LICENSE.md
README.md add: [registry-key-value] New template to describe registry key values 2023-03-01 20:50:30 +01:00
jq_all_the_things.sh chg: [jq_all_the_things] display if an UUID is invalid 2022-12-11 13:04:30 +01:00
schema_objects.json chg: [schema] updated attribute types 2023-02-25 20:26:44 +08:00
schema_relationships.json
unique_uuid.py
validate_all.sh

README.md

misp-objects

Python application

MISP objects used in MISP system and can be used by other information sharing tools. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.

Feel free to propose your own MISP objects template to be included in MISP. The system is similar to the misp-taxonomies where anyone can contribute their own objects to be included in MISP without modifying software.

Format of MISP object template

An example with 'domain-ip' of MISP object template

{
  "attributes": {
    "domain": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Domain name",
      "misp-attribute": "domain",
      "multiple": true,
      "ui-priority": 1
    },
    "first-seen": {
      "description": "First time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "ip": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "IP Address",
      "misp-attribute": "ip-dst",
      "multiple": true,
      "ui-priority": 1
    },
    "last-seen": {
      "description": "Last time the tuple has been seen",
      "disable_correlation": true,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "port": {
      "categories": [
        "Network activity",
        "External analysis"
      ],
      "description": "Associated TCP port with the domain",
      "misp-attribute": "port",
      "multiple": true,
      "ui-priority": 1
    },
    "registration-date": {
      "description": "Registration date of domain",
      "disable_correlation": false,
      "misp-attribute": "datetime",
      "ui-priority": 0
    },
    "text": {
      "description": "A description of the tuple",
      "disable_correlation": true,
      "misp-attribute": "text",
      "recommended": false,
      "ui-priority": 1
    }
  },
  "description": "A domain and IP address seen as a tuple in a specific time frame.",
  "meta-category": "network",
  "name": "domain-ip",
  "required": [
    "ip",
    "domain"
  ],
  "uuid": "43b3b146-77eb-4931-b4cc-b66c60f28734",
  "version": 8
}

A MISP object is described in a simple JSON file containing the following elements.

  • name is the name of the your object.
  • meta-category is the category where the object falls into. (such as file, network, financial, misc, internal...)
  • description is a summary of the object description.
  • version is the version number as a decimal value.
  • required is an array containing the minimal required attributes to describe the object.
  • requiredOneOf is an array containing the attributes where at least one needs to be present to describe the object.
  • attributes contains another JSON object listing all the attributes composing the object.

Each attribute must contain a reference misp-attribute to reference an existing attribute definition in MISP (MISP attributes types are case-sensitive). An array categories shall be used to describe in which categories the attribute is. The ui-priority describes the usage frequency of an attribute. This helps to only display the most frequently used attributes and allowing advanced users to show all the attributes depending of their configuration. An optional multiple field shall be set to true if multiple elements of the same key can be used in the object. An optional values_list where this list of values can be selected as a value for an attribute. An optional sane_default where this list of value recommend potential a sane default for an attribute. An optional disable_correlation boolean field to suggest the disabling of correlation for a specific attribute. An optional to_ids boolean field to disable the IDS flag of an attribute.

Existing MISP objects

MISP objects relationships

The MISP object model is open and allows user to use their own relationships. MISP provides a list of default relationships that can be used if you plan to share your events with other MISP communities.

  • relationships - list of predefined default relationships which can be used to link MISP objects together and explain the context of the relationship.

How to contribute MISP objects?

Fork the project, create a new directory in the objects directory matching your object name. Objects must be composed of existing MISP attributes. If you are missing any specific attributes, feel free to open an issue in the MISP project.

We recommend to add a text attribute in an object to allow users to add comments or correlate text.

If the unparsed object can be included, a raw-base64 attribute can be used in the object to import the whole object.

Every object needs a uuid which can be created using uuidgen -r on a linux command line.

When the object is created, the validate_all.sh and jq_all_the_things.sh is run for validation, pull a request on this project. We usually merge the objects if it fits existing use-cases.

Best practices when creating MISP object templates

  • Use lower-case names without underscore or special characters (except minus) for the field names
  • Add a description in the object template explaining the scope and use-cases of your object templates
  • If the object is the mapping of an existing format, add a reference into the description of the object template
  • first-seen and last-seen are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
  • Be lax on the number of fields required by default (e.g. use requiredOneOf).
  • Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.

MISP objects documentation

The MISP objects are documented at the following location in HTML and PDF.

The documentation is automatically generated from the MISP objects template expressed in JSON.

What are the advantages of MISP objects versus existing standards?

MISP objects are dynamically used objects that are contributed by users of MISP (the threat sharing platform) or other information sharing platforms.

The aim is to allow a dynamic update of objects definition in operational distributed sharing systems like MISP. Security threats and their related indicators are quite dynamic, standardized formats are quite static and new indicators require a significant time before being standardized.

The MISP object model allows for adding new combined indicator formats based on their usage without changing the underlying code base of MISP or other threat sharing platform using it. The definition of the objects can then be propagated along with the indicators itself.

License

MISP Object JSON files

The MISP objects (JSON files) are dual-licensed under:

or

 Copyright (c) 2016-2021 Alexandre Dulaunoy - a@foo.be
 Copyright (c) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg
 Copyright (c) 2016-2021 Andras Iklody
 Copyright (c) 2016-2021 Raphael Vinot
 Copyright (c) 2016-2021 Various contributors to MISP Project

 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:

    1. Redistributions of source code must retain the above copyright notice,
       this list of conditions and the following disclaimer.
    2. Redistributions in binary form must reproduce the above copyright notice,
       this list of conditions and the following disclaimer in the documentation
       and/or other materials provided with the distribution.

 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
 WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
 INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
 BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 OF THE POSSIBILITY OF SUCH DAMAGE.

If a specific author of a taxonomy wants to license it under a different license, a pull request can be requested.

Software


Copyright (C) 2016-2021 Andras Iklody
Copyright (C) 2016-2021 Alexandre Dulaunoy
Copyright (C) 2016-2021 CIRCL - Computer Incident Response Center Luxembourg

This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU Affero General Public License for more details.

You should have received a copy of the GNU Affero General Public License
along with this program.  If not, see <http://www.gnu.org/licenses/>.