* [scan-results] JSON and trailing comma ;-) [Alexandre Dulaunoy]
* Jq all the things. [Luciano Righetti]
* Minor fixes. [Luciano Righetti]
* Jq all the things. [Luciano Righetti]
### Other
* Merge pull request #404 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
Artifact object update
* Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch. [Christian Studer]
* Merge pull request #403 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
Malware & Malware Analysis objects
* Add: [readme] Added `malware` and `malware-analysis` to the list of available object templates, with a small description for each. [Christian Studer]
* Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch. [Christian Studer]
* Merge branch 'mFaou-main' into main. [Alexandre Dulaunoy]
* Merge branch 'main' of https://github.com/mFaou/misp-objects into mFaou-main. [Alexandre Dulaunoy]
* Added requiredOneOf to scan-result object definition. [Matthieu Faou]
* Removed the scan-result field requirement in the scan-result object. [Matthieu Faou]
* Merge pull request #398 from righel/add-sigmf-templates. [Luciano Righetti]
new: add basic SigMF templates
* Add: [malware] New object template to describe a malware. [Christian Studer]
* Add: [malware-analysis] New object template to describe a static or dynamic analysis performed on a malware instance or family. [Christian Studer]
* Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch. [Christian Studer]
* [hhhassh object] An object describing a HHHash object with the hash value along with the crawling parameters. For more information: https://www.foo.be/2023/07/HTTP-Headers-Hashing_HHHash. [Alexandre Dulaunoy]
* Merge branch 'main' of github.com:MISP/misp-objects. [Christian Studer]
* Merge branch 'main' of github.com:MISP/misp-objects. [Christian Studer]
* Merge pull request #385 from Delta-Sierra/master. [Alexandre Dulaunoy]
Add relationships based on XFN format
* Add relationships based on XFN format. [Delta-Sierra]
* Merge pull request #383 from nyx0/main. [Alexandre Dulaunoy]
[victim] add information and cultural industries sector
* Merge pull request #384 from rickhenderson/main. [Alexandre Dulaunoy]
Correct basic grammar in a few areas.
* Correct basic grammar in a few areas. [Rick Henderson]
I tried not to be too academic, but to me as a native English (Canadian) speaker and writer I have made some suggestions that include simple grammar corrections. Mostly I just added 's' where it needs to be.
* Merge pull request #382 from Delta-Sierra/master. [Alexandre Dulaunoy]
* [telegram-bot] new object to describe Telegram bots. [Alexandre Dulaunoy]
* [intrusion-set] based on the STIX 2.1 definition. [Alexandre Dulaunoy]
TODO - "Open Vocabularies" - value versus description.
### Other
* Merge pull request #373 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
Updated the `exploit` template
* Add: [exploit] Added `description` and `title` attributes. [Christian Studer]
* Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch. [Christian Studer]
* Merge pull request #372 from Delta-Sierra/master. [Alexandre Dulaunoy]
add username field in telegram-bot object
* Add username field in telegram-bot object. [Delta-Sierra]
## v2.4.163 (2022-09-26)
### New
* [exploit] Exploit object template to describe code or program used to exploit specific vulnerabilities. The object can be linked to `vulnerability` objects but also device, iot, firmware or alike. [Alexandre Dulaunoy]
* [facebook-group] add an optional ID reference to the facebook id. [Alexandre Dulaunoy]
### Other
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge pull request #370 from goodlandsecurity/spearphishing-objects-v2. [Alexandre Dulaunoy]
spearphishing-objects-v2
* Jq_all_the_things. [goodlandsecurity]
* Allow multiple of certain types. bump version. [goodlandsecurity]
* Merge branch 'Vasileios-Mavroeidis-patch-4' into main. [Alexandre Dulaunoy]
* Update definition.json. [Vasileios Mavroeidis]
Found the issue and updated the playbook-id attribute. It is not required anymore. We should not dictate producers generating this property since it can be used to correlate playbooks. The use case is: If we have a cacao playbook attached then we could have the UUIDV4 extracted from the "attachment" and put at the MISP security-playbook object attribute "playbook-id". Correlation is enabled if another security playbook object follows the same process while attaching the same CACAO playbook. If the attached playbook is a png then there is no way to associate it again with another security playbook object that has the same png as an attachment as we cannot know that. That would be possible only if the attachment had a machine-readable identifier. Another use case is to generate a hash and attach it to a property, but let's leave that for the future and if it is never needed or appears as a use case. Long story short the pull request improves the semantics of the object and correlations of different security playbook objects :)
* [security-playbook] jq all the things. [Alexandre Dulaunoy]
* [paloalto-threat-event] Hungary access to the git repository has been sanctioned. [Alexandre Dulaunoy]
* [paloalto-threat-event] version bump. [Andras Iklody]
For instances that ingested it before the disable_correlation changes, they didn't take and ended up pushing a lot of correlating noise. This should resolve it for the future.
### Other
* Merge pull request #360 from goodlandsecurity/spearphishing-objects. [Alexandre Dulaunoy]
Spearphishing objects
* Merge branch 'MISP:main' into spearphishing-objects. [Good Land Security]
* Merge pull request #359 from matthijsvp/main. [Alexandre Dulaunoy]
Processed feedback for ransom-negotiation object.
* Added fields. [matthijsvp]
* Merge branch 'main' of github.com:matthijsvp/misp-objects. [matthijsvp]
* Added some field from feedback. [matthijsvp]
* Formatting after jq_all_the_things. [goodlandsecurity]
* Added date for tracking when e-mail was sent. [goodlandsecurity]
* Add new objects for spearphishing-link and spearphishing-attachment intel. [goodlandsecurity]
* Merge branch 'Vasileios-Mavroeidis-patch-1' into main. [Alexandre Dulaunoy]
* Update definition.json. [Vasileios Mavroeidis]
The PR updates the security playbook object with improved semantics based on feedback we have received.
The updated template has "one-to-one" mapping with the available STIX 2.1 ad-hoc extension for the COA SDO available here: https://github.com/fovea-research/stix2.1-coa-playbook-extension
This research (updated version 3) was partially supported by the research projects CyberHunt (Grant No. 303585 - funded by the Research Council of Norway) and JCOP (Grant No. INEA/CEF/ICT/A2020/2373266 - funded by the European Health and Digital Executive Agency through the Connected Europe Facility program).
* Merge pull request #355 from matthijsvp/main. [Alexandre Dulaunoy]
New object template: Ransom negotiations
* Ran validation. [matthijsvp]
* Merge branch 'MISP:main' into main. [Matthijs van P]
ref: A module for defining relationships in FOAF (ref. Eric Vitiello Jr.)
* [artifact] The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. [Alexandre Dulaunoy]
ref: STIX 2.1 - 6.1
Open point: relationships for the related hashes
* [identity] from STIX 2.1 - 4.5 - new object template. [Alexandre Dulaunoy]
Identities can represent actual individuals, organizations, or groups (e.g., ACME, Inc.) as well as classes of individuals, organizations, systems or groups (e.g., the finance sector).
* [probabilistic-data-structure] Probabilistic data structure object describes a space-efficient data structure such as Bloom filter or similar structure. [Alexandre Dulaunoy]
### Changes
* [objects] jq all the things. [Alexandre Dulaunoy]
* [person] typo fixed. [Alexandre Dulaunoy]
* [instant-messaging] add new sane default. [Alexandre Dulaunoy]
* [person] add the ability to set the instant-messaging apps used by the person. [Alexandre Dulaunoy]
* [ss7/gtp/diameter] used description updated in the README. [Alexandre Dulaunoy]
* [instan-message-*] add Tox as potential chat application. [Alexandre Dulaunoy]
* [passive-dns] fix the JSON and the version. [Alexandre Dulaunoy]
### Other
* Merge branch 'phmazzoni-patch-4' into main. [Alexandre Dulaunoy]
* Disabling some field correlations. [phmazzoni]
Disabling some field correlations to avoid excessive number of events
* Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA. [Alexandre Dulaunoy]
Multiple fields for port, ip-src,dst-port following feedback from CONCORDIA
* Merge branch 'aaronkaplan-cof2misp-dnsdbflex' into main. [Alexandre Dulaunoy]
* Dnsdbflex object. [aaronkaplan]
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Add: [network-socket] Added Socket type attribute. [chrisr3d]
* Merge branch 'aaronkaplan-main' into main. [Alexandre Dulaunoy]
* Re-Do the definition.json, according to the results of the discussion in https://github.com/MISP/misp-objects/pull/314. [aaronkaplan]
Removing *_ip and *_domain
Keeping bailiwick a domain type
* Merge branch 'main' of https://github.com/MISP/misp-objects. [aaronkaplan]
* Merge branch 'aaronkaplan-patch-1' into main. [Alexandre Dulaunoy]
* Update definition.json. [AaronK]
Added time_first_ms, time_last_ms. Clarified a few things in the descriptions.
* As discussed with @rafiot, we can't simply add rdata and rrname as text only into MISP objects. Why? Because otherwise we can't use MISP's correlation engine to correlate attributes (rrname, rdata) inside these MISP objects with other events. Because "text" would not correlate with other "ip-src" or "domain" types in other objects/attributes. [aaronkaplan]
Kind of sucks to duplicate the rrname and rdata entries, but that's the
only solution we came up with.
The COF2MISP module will populate both the rrname,rdata as well as the
rrname_{domain,ip} and rdata_{domain,ip} attributes.
Based on the discussion with VT, virustotal-graph object has been added which will
be used with the expansion modules and also to trigger the specific
quick-tab in MISP to display the VT graph result in an iframe if this
object is present.
* Weakness & attack-pattern objects to describe CWE & CAPEC related to a CVE. [chrisr3d]
- The attack-pattern object is using a new
attribute type called weakness to describe CWE
id, which will link to its own information as
described in https://cve.circl.lu
* Add "includes" relationship. [Raphaël Vinot]
* Objects for Scripps CO2. [Raphaël Vinot]
* New object describing user accounts. [chrisr3d]
* [imsi-catcher] object based on the output format of IMSI-catcher open source tools. [Alexandre Dulaunoy]
The object has been created to show the flexibility of the object
template during the PassTheSalt 2019 conference and the D4 presentation.
* [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. [Alexandre Dulaunoy]
* Add offset, virtual_address and virtual_size to the pe section object. [Raphaël Vinot]
Related to https://github.com/MISP/PyMISP/issues/388
* Internal reference object. [Raphaël Vinot]
* Add Alfred relationships (CCCS) [Raphaël Vinot]
* New Object describing original files used to import data in MISP. [chrisr3d]
* [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. [Alexandre Dulaunoy]
* [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added. [Alexandre Dulaunoy]
* Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. [Alexandre Dulaunoy]
* Add EML to the email template. [Raphaël Vinot]
* Attach logfile to fail2ban. [Raphaël Vinot]
* Fail2ban object. [Raphaël Vinot]
### Changes
* [doc] list of objects updated. [Alexandre Dulaunoy]
* Make jq validation happy. [Raphaël Vinot]
* Make jq validation happy. [Raphaël Vinot]
* Add PR to GH actions. [Raphaël Vinot]
* [report] add a report type. [Alexandre Dulaunoy]
* [person] full-name attribute type added + expanding object person with full-name. [Alexandre Dulaunoy]
* [schema] dkim and dkim signature added. [Alexandre Dulaunoy]
* [network-element] jq. [Alexandre Dulaunoy]
* [network-profile] AS updated. [Alexandre Dulaunoy]
* Update objects to match lief output for authenticode. [Raphaël Vinot]
* [jarm] jq all the things. [Alexandre Dulaunoy]
* [jarm] jarm type is jarm-fingerprint. [Alexandre Dulaunoy]
* [doc] fixed. [Alexandre Dulaunoy]
* [trustar_report] Updated to add "THREAT_ACTOR" [Alexandre Dulaunoy]
Fixing #273
* [yara] disable correlations on some fields. [Alexandre Dulaunoy]
* [crypto-material] add a public field for public cryptographic materials. [Alexandre Dulaunoy]
* [favicon] jq all the things. [Alexandre Dulaunoy]
* [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. [Alexandre Dulaunoy]
* [type] favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. [Alexandre Dulaunoy]
* [doc] MISP objects list updated. [Alexandre Dulaunoy]
* [twitter-post] jq. [Alexandre Dulaunoy]
* [jq] all the things. [Alexandre Dulaunoy]
* [doc] travis removed. [Alexandre Dulaunoy]
* Can have multiple text attributes. [Beaujeant]
* [domain-ip] hostname added as an attribute. [Alexandre Dulaunoy]
* [phone] add brand and model. [Alexandre Dulaunoy]
* [new object pgp-meta] Metadata extracted from a PGP keyblock, message or signature. [Terrtia]
* [object fields] allow additional requiredOneOf fields in blog, microblog, meme-image objects. add attachment field to blog object. add username to news-media. [VVX7]
* [object field] add profile picture to user-account. [VVX7]
* [object field] enable multiple URL/link in microblog. [VVX7]
* [object field] add title to microblog. [VVX7]
* [object field] add link for user-account page. [VVX7]
* [microblog] allow multiple attachments per the enhancement request. [VVX7]
* [microblog] add attachment field for issue #186. [VVX7]
* [misinfosec objects] add archive (Internet Archive, Archive.is, etc) fields, change blog post title description. [VVX7]
* [blog] add title field to object. [VVX7]
* [meme-image] uuid and name duplicate. [VVX7]
* [domain-ip] port added (required by AIL crawling) [Alexandre Dulaunoy]
* [microblog] disable correlation for the verified-username state. [Alexandre Dulaunoy]
* [annotation] 'full report' type added. [Alexandre Dulaunoy]
* [organization] VAT - TAX-ID added in the template. [Alexandre Dulaunoy]
* [relationships] mentions relationship has been added. [Alexandre Dulaunoy]
Fix #214
* [microblog] add the ability to have non-malicious links. [Alexandre Dulaunoy]
Fix #215
* [dark-pattern] typos. [Jean-Louis Huynen]
* [types] updated. [Alexandre Dulaunoy]
* [script] attachment field added. [Alexandre Dulaunoy]
* Update crypto-material and url. [Raphaël Vinot]
* [microblog] verified field added to add the state of the username. [Alexandre Dulaunoy]
* [x509, crypto-material] several changes: - enables correlation on n, p, q; - allows for only providing modulus for crypto material; - specifies the expected data format of several fields. [Jean-Louis Huynen]
* [crypto-material] new object to described key materials (public and private) [Alexandre Dulaunoy]
* [x509] to map with D4 project snakeoil database. [Alexandre Dulaunoy]
* [cowrie] to add HASSH of the client SSH session following Salesforce algorithm. [Alexandre Dulaunoy]
* Tld type not existing in MISP. [Alexandre Dulaunoy]
### Other
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge branch 'phmazzoni-patch-3' into main. [Raphaël Vinot]
* Create definition.json. [phmazzoni]
* Delete objects/panorama directory. [phmazzoni]
* Merge pull request #308 from phmazzoni/main. [Raphaël Vinot]
Create Palo Alto Threat Log Object Template.
* Create definition.json. [phmazzoni]
Create Palo Alto Threat Log Object Template.
* Merge pull request #307 from hackunagi/main. [Alexandre Dulaunoy]
Creation of Network Profile MISP Object
* Creation of Network Profile MISP Object. [Carlos Borges]
The idea behind this object is to provide a unique form to identify network artifacts.
It's a mix of different including whois, URL and domain.
The need for a consolidated object comes to group correlated elements.
Beyond that, I'm introducing the idea to use the correlation feature in more generic ways.
Example:
The value of "threat-actor-infrastructure-value" is the unique value observed on a network resource that identifies it. A practical and tested example is this resource from Kaspersky.
On this article they mention a trojan family called Javali. They recover the C2 server abusing Google Docs services. The mentioned field "threat-actor-infrastructure-value" would register the values available on this image. This item should be hard to correlate with other similar items, as this can change frequently.
A way to change it is also to register a more general pattern of the data with the "threat-actor-infrastructure-pattern". I.E
inicio{
"host":"<variable>",
"porta":"<variable>"
}fim
With other investigations and registry of it on MISP, it is possible to correlate this data, facilitate identification of patterns used for tracking purposes and facilitate analysis.
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge pull request #306 from theobarrague/main. [Alexandre Dulaunoy]
Addition of opposite relationships in relationships/definition.json
* Merge branch 'main' into main. [Théo BARRAGUÉ]
* Add: check if opposite key is valid in relationships. [Théo BARRAGUÉ]
* Add: tool to validate if declared opposites exist. [Théo BARRAGUÉ]
* Add: opposite of 26 relationships. [Théo BARRAGUÉ]
* Merge pull request #305 from marcnil815/patch-1. [Alexandre Dulaunoy]
Update definition.json
* Update definition.json. [marcnil815]
Added possibility for multiple searches in same object to accommodate using raw searches and datamodel searches.
* Merge pull request #304 from Terrtia/master. [Alexandre Dulaunoy]
chg: [telegram-account] required attributes
* Merge pull request #302 from ater49/main. [Alexandre Dulaunoy]
Adding fields in twitter-post and paste
* Typo and version number correction + adding a field in twitter-post. [ater49]
Adding created-at field in twitter-post
* Add media in twitter-post in order to store attached medias in a tweet. [ater49]
Add pastebin.fr in source of paste and paste_file for storing whole
paste file.
* Merge pull request #303 from seamustuohy/pymisp-pr/631. [Alexandre Dulaunoy]
Updated for support for msg format.
* Updated for support for msg format. [seamus tuohy]
Adding first class support for Emails in .msg format to the email definition.
This includes making the attribute support multiple bodies. Msg formats
nearly always have at least 2, if not 3, versions of the body (plain text, rtf, html).
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge pull request #299 from beaujeant/main. [Alexandre Dulaunoy]
chg: can have multiple text attributes
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge branch 'SteveClement-process' into main. [Alexandre Dulaunoy]
* Merge branch 'process' of https://github.com/SteveClement/misp-objects into SteveClement-process. [Alexandre Dulaunoy]
* Merge remote-tracking branch 'upstream/main' into process. [Steve Clement]
* Merge remote-tracking branch 'upstream/master' into process. [Steve Clement]
* Add: [passive-dns] Added a raw_rdata object relation. [chrisr3d]
* Merge pull request #297 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
Using the actual attribute type for cpe and weakness instead of text
* Merge pull request #295 from rhallick/intel471-1. [Raphaël Vinot]
Addition of intel471-vulnerability-intelligence object
* .DS_Store file removed. [Richard Hallick]
.DS_Store file removed.
* Addition of Intel 471 vulnerability intelligence object. [Richard Hallick]
Intel 471 object to contain structured vulnerability related data.
* Addition of intel471-vulnerability-intelligence object. [Richard Hallick]
Intel 471 object to contain structured vulnerability related data.
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge branch 'main' of github.com:MISP/misp-objects into main. [chrisr3d]
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Add: Description of the bgp-ranking new object added to the list of objects. [chrisr3d]
* Merge pull request #293 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
BGP Ranking object & relationships
* Add: Added specific relationship between an asn object and the recently added bgp-ranking object. [chrisr3d]
* Add: Added some relationships introduced recently in misp modules. [chrisr3d]
* Merge branch 'main' of github.com:MISP/misp-objects into chrisr3d_patch. [chrisr3d]
* Add: Added an IP address family attribute to describe the address family concerned by the BGP ranking. [chrisr3d]
* Add: First version of a BGP ranking object to represent the ranking of an ASN at a specific point of time. [chrisr3d]
- We can then associate as many bgp-ranking
objects as we need to the corresponding ASN
object, each one of them being the ranking of
the ASN for a given day
* Merge pull request #291 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
Normalisation of the object relations for some object + small change on an attribute of the ip-port object
* Merge branch 'C00kie--main' into main. [Alexandre Dulaunoy]
* Merge branch 'main' of https://github.com/C00kie-/misp-objects into C00kie--main. [Alexandre Dulaunoy]
* Revert "added description field in attributes" [Pauline Bourmeau]
This reverts commit 3224f78d4ff6b40bd34fe25f4f7f6b2d2d12eed6.
* Merge branch 'main' of https://github.com/C00kie-/misp-objects into C00kie--main. [Alexandre Dulaunoy]
* Jq-ed file. [Pauline Bourmeau]
* Added description field in attributes. [Pauline Bourmeau]
* Fixed comments. [Pauline Bourmeau]
* First addition of keybase object. [Pauline Bourmeau]
* Merge pull request #284 from C00kie-/patch-5. [Alexandre Dulaunoy]
added json multiple objects twitter-following and twitter-followers
* Update definition.json. [Pauline Bourmeau]
* Merge pull request #283 from C00kie-/patch-3. [Alexandre Dulaunoy]
added multiple json object for following and followers
* Update definition.json. [Pauline Bourmeau]
* Merge pull request #282 from C00kie-/patch-1. [Alexandre Dulaunoy]
Update definition.json
* Update definition.json. [Pauline Bourmeau]
* Merge branch 'C00kie--main' into main. [Alexandre Dulaunoy]
* Merge branch 'main' of https://github.com/C00kie-/misp-objects into C00kie--main. [Alexandre Dulaunoy]
* Update definition.json. [Pauline Bourmeau]
* Update definition.json. [Pauline Bourmeau]
* Update definition.json. [Pauline Bourmeau]
* Merge branch 'main' of github.com:MISP/misp-objects into main. [Alexandre Dulaunoy]
* Merge pull request #276 from rmkml/main. [Alexandre Dulaunoy]
add SHA3 Hash on definition.json
* Add SHA3 Hash on definition.json. [rmkml]
* Merge branch 'rmkml-main' into main. [Alexandre Dulaunoy]
* UUID must be the same. [Alexandre Dulaunoy]
* Add vhash (VirusTotal Hash) on definition.json. [rmkml]
* Merge pull request #269 from emilhf/additional-dns-records. [Alexandre Dulaunoy]
Add more rrtypes to dns-record
* Add more rrtypes to dns-record. [Emil Henry Flakk]
* Merge pull request #265 from VVX7/master. [Andras Iklody]
chg: [dev] add Parler app objects
* Merge pull request #264 from mback2k/patch-1. [Alexandre Dulaunoy]
chg: [cortex-taxonomy] sort attributes
* Merge pull request #262 from gallypette/master. [Alexandre Dulaunoy]
* Merge branch 'master' of https://github.com/misp/misp-objects. [VVX7]
* Merge pull request #245 from VVX7/master. [Alexandre Dulaunoy]
chg: [narrative] add disproof property
* Merge branch 'master' of https://github.com/misp/misp-objects. [VVX7]
* Merge pull request #244 from Golbark/x509_enhancements. [Christophe Vandeplas]
chg: [x509] using built-in types wherever possible
* Merge pull request #243 from VVX7/master. [Alexandre Dulaunoy]
chg: [narrative] update narrative object
* Merge branch 'master' of https://github.com/misp/misp-objects. [VVX7]
* Merge pull request #242 from VVX7/master. [Alexandre Dulaunoy]
new: [object] add narrative.
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Merge pull request #241 from MISP/chrisr3d_patch. [Alexandre Dulaunoy]
External references attribute for attack-pattern object
* Add: External references attribute for attack-pattern object. [chrisr3d]
* Merge branch 'master' into chrisr3d_patch. [chrisr3d]
* Merge pull request #240 from cudeso/master. [Alexandre Dulaunoy]
Objects for data coming from the Cytomic Orion API
* JQ-all-the-things. [Koen Van Impe]
* Update object definition with first-|last- seen. [Koen Van Impe]
* Remove -x from JSON files. [Koen Van Impe]
* Fix with jq_all_the_things. [Koen Van Impe]
* Objects for data coming from the Cytomic Orion API. [Koen Van Impe]
* Merge pull request #239 from cbboggs/cbboggs-http-request. [Alexandre Dulaunoy]
Adding optional ip-src to http-request
* Adding optional ip-src to http-request. [cbboggs]
modified existing "ip" attribute to "ip-dst", and added attribute for ip-src. This allows http-request to be used in scenarios where observed connections are source specific, not destination specific.
* Merge pull request #238 from pettai/intelmq_event. [Alexandre Dulaunoy]
More explicit misp-attribute types
* Update definition.json. [frpet]
bump version
* Use more explicit misp-attribute types. [frpet]
Use the appropriate misp-attribute type for *local_hostname, *fqdn, *.md5|*.sha*
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Merge pull request #235 from MISP/gen_sym_key. [Alexandre Dulaunoy]
new: [crypto-material] add generic-symmetric-key
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Add: [iot-firmware] new object template to describe IoT firmware. [Alexandre Dulaunoy]
The relationship will be often between iot-device and iot-firmware.
* Merge pull request #233 from Terrtia/master. [Alexandre Dulaunoy]
chg: [domain-crawled] domain shouldn't be a multiple
* Merge pull request #232 from Terrtia/master. [Alexandre Dulaunoy]
domain-crawled object
* Merge pull request #231 from Delta-Sierra/master. [Alexandre Dulaunoy]
allow several subjects or sender for email objects
* Update version. [Deborah Servili]
* Allow several subjects or sender for email objects. [Deborah Servili]
* Merge pull request #229 from ater49/master. [Alexandre Dulaunoy]
Adding compatibility with some HAR fields
* Adding some parts from HAR format description (http://www.softwareishard.com/blog/har-12-spec/) (More to come) [ater49]
* Merge pull request #228 from VVX7/master. [Alexandre Dulaunoy]
new: [objects] instant message objects
* Merge branch 'master' of github.com:MISP/misp-objects. [Alexandre Dulaunoy]
* Merge pull request #227 from Terrtia/master. [Alexandre Dulaunoy]
chg: [new object pgp-meta]
* Merge pull request #226 from VVX7/master. [Alexandre Dulaunoy]
* Merge pull request #185 from ater49/master. [Alexandre Dulaunoy]
Adding IIN and bank_name in objects
* Adding IIN and bank_name. [ater49]
* Merge pull request #2 from MISP/master. [ater49]
update
* Add: [ssh-authorized-keys] object to add elements from SSH authorized keys (and do correlation for fun-and-profit(tm)) [Alexandre Dulaunoy]
* Merge pull request #181 from ater49/master. [Alexandre Dulaunoy]
Adding registration-date in domain-ip
* Correcting "_" to "-" in fields name. [ater49]
* Adding registration-date to domain-ip. [ater49]
* Merge pull request #1 from MISP/master. [ater49]
merge
* Merge pull request #179 from mtday/fix-empty-misp-attribute. [Alexandre Dulaunoy]
Attribute Fixes
* Update the misp-attribute to specify a valid value instead of an empty string. [mday]
* Merge pull request #178 from mtday/fix-missing-required-attribute. [Alexandre Dulaunoy]
Fix Missing Required Attributes
* Update the definition files of various object types so that the `required` and `requiredOneOf` lists no longer specify attributes that do not exist in the objects. [mday]
* Add: [irc] IRC object to describe an IRC server with associated IRC channels. [Alexandre Dulaunoy]
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Merge pull request #177 from haxpak/haxpak/update-device. [Andras Iklody]
Haxpak/update device
* Changed device type drop down from category to sane_default. [haxpak]
* Merge pull request #174 from haxpak/haxpak/relationship-executes. [Andras Iklody]
Haxpak/relationship executes
* [added] relationship 'executes' : Describes an object that executes another object. [haxpak]
* Added relationship "executes" [haxpak]
* Merge pull request #173 from haxpak/master. [Andras Iklody]
added option "Further Analysis Required" to attribute stage of object course-of-action
* Added option "Further Analysis Required" to attribute stage. [haxpak]
* Merge pull request #172 from haxpak/haxpak/#24. [Andras Iklody]
updated device object
* Merge branch 'master' into haxpak/#24. [Andras Iklody]
* Merge pull request #170 from haxpak/haxpak-objects. [Andras Iklody]
Haxpak objects
* Meta category for organization changed back to misc since schema_objects.json does not recognize organization as a meta category. [haxpak]
* Added MAC address to device; meta category of organization changed to organization; meta category of person object changed to organization; new object phishing-kit. [haxpak]
* Merge pull request #166 from haxpak/haxpak-objects. [Alexandre Dulaunoy]
Added new objects
* Changed organization meta category to misc. [haxpak]
* Merge pull request #163 from haxpak/master. [Alexandre Dulaunoy]
add : relationship "creates"
* Added attribute DNS name to device object; changed MAC address misp attribute to mac-address. [haxpak]
* Added OS, version, dns-name attribute to device; changed misp-attribute of mac-address from text to mac-address. [haxpak]
* Reverted device to misc category. [haxpak]
* Added requiredOneOf to device definition. [haxpak]
* Fixed typos and ran jq_all_things. [haxpak]
* - added : attachment attribute to annotation - added : new object type device. [haxpak]
* Modified : person object "changed UI priority of the attributes" modified : report object "added attachment to report" [haxpak]
* New-object : Organization "Defines an organization" [haxpak]
* Add : relationship "creates" [haxpak]
* Add: [tor-hiddenservice] a simple object template to describe Tor Onion Service. [Alexandre Dulaunoy]
* Merge pull request #161 from geekscrapy/geekscrapy-patch-1. [Alexandre Dulaunoy]
Username is often utilised alongside a credential
* Username is often utilised alongside a credential. [molley]
Username can often identify malicious behavior, and is usually part of the credential tuple - it can also be used to highlight common user accounts without password/api key
* Merge pull request #159 from geekscrapy/patch-1. [Alexandre Dulaunoy]
Added current-directory to required field
* Added current-directory to required field. [molley]
This field will often indicate where a malicious binary is started from, therefore a good candidate for solo use
* Merge pull request #158 from geekscrapy/patch-2. [Alexandre Dulaunoy]
Added issuer as one of the required fields
* Added issuer as one of the required fields. [molley]
This is often a field used on its own to identify a malicious cert
* Add: New relationship "retrieved-from" [chrisr3d]
* Merge pull request #155 from Delta-Sierra/master. [Alexandre Dulaunoy]
remove accent from ilr objects
* Merge pull request #154 from Delta-Sierra/master. [Alexandre Dulaunoy]
add ilr-notification-incident object
* Merge pull request #153 from Delta-Sierra/master. [Alexandre Dulaunoy]
fix ilr-impact attributes names
* Merge pull request #152 from Delta-Sierra/master. [Alexandre Dulaunoy]
add ilr-impact object
* Add injects-into and injected-into relationships. [Deborah Servili]
* Remove accent from ilr objects - bis. [Deborah Servili]
* Remove accent from ilr objects. [Deborah Servili]
* Merge branch 'master' of github.com:MISP/misp-objects. [chrisr3d]
* Merge pull request #74 from chrisr3d/master. [Alexandre Dulaunoy]
Updated person & geolocation objects
* First version of the legal-entity object. [chrisr3d]
* Description typo. [chrisr3d]
* Merge pull request #73 from d-lord/master. [Alexandre Dulaunoy]
Add email-body to the email object definition
* Add email-body to the email object definition. [David Lord]
* Add: bank-account added in the list. [Alexandre Dulaunoy]
* Add: an object describing bank account information based on account description from goAML 4.0. [Alexandre Dulaunoy]
A generic bank account partially based on the goAML 4.0 standard.
The bank account alone can convey information regarding the type
of transactions seen or suspected, which allows the object to be used alone
without the need to describe the full list of transactions.
Additional objects could be created like report, transactions and the like
to fully support AML.
The existing person in MISP objects was previously updated to include
the field missing from AML.
A potential evolution is based on the transaction status which can
be described as a simple relationship between MISP objects like:
Bought, Sold, Let, Hired, Exchanged, Donated, Destroyed and Other
* Merge branch 'LDO-CERT-master' [Raphaël Vinot]
* Sandbox-signature. [garanews]
Added object sb-signature
* Add: Object to describe mutual exclusion locks (mutex) as seen in memory or computer program. [Alexandre Dulaunoy]
* Remove registry hive because registry-key is enough. [Alexandre Dulaunoy]
* Add: registry-hive object describing a Windows registry hive including key, subkey and value (and associated data if any) [Alexandre Dulaunoy]
* Merge pull request #68 from yodresh/patch-1. [Alexandre Dulaunoy]
Update SS7-attack definition.json
* Update definition.json. [Alexandre De Oliveira]
Adding the multiple possibility for SMSC GT to cover SMS Spamming case. Also text field for multiple details if needed.
Adding "MapSmsText" attribute to help matching malicious URL, keywords or MSISDN inside SMS.
* Merge pull request #66 from c-goes/sandbox_report_object. [Alexandre Dulaunoy]
added sandbox-report object
* Added sandbox-report object. [c-goes]
* Add: An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes. [Alexandre Dulaunoy]
* Add: ss7-attack object for the attack against GSM/UMTS networks seen in SS7 logging. [Alexandre Dulaunoy]
* Merge pull request #53 from c-goes/filenames_multiple. [Alexandre Dulaunoy]
allow multiple filenames for file
* Allow multiple filenames. [c-goes]
* Raw data is now an attachment. [Alexandre Dulaunoy]
* Being lax on origin to avoid rebuilding url path for unknown services. [Alexandre Dulaunoy]
* AIL leak template updated to include duplicate of leaks. [Alexandre Dulaunoy]
* Add: "followed-by" - "preceding-by" added as relationship type when the time is not known. [Alexandre Dulaunoy]
* Asn added in the default objects. [Alexandre Dulaunoy]
* Added: Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike. [Alexandre Dulaunoy]
Fix #50
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Merge pull request #49 from c-goes/master. [Alexandre Dulaunoy]
Added file attribute screenshot to email object
* Added file attribute screenshot to email object. [c-goes]
* Merge pull request #48 from Delta-Sierra/master. [Andras Iklody]
allow multiple ips in domain|ip object
* Allow multiple ips in domain|ip object. [Deborah Servili]
* Merge pull request #46 from Delta-Sierra/master. [Alexandre Dulaunoy]
* Jq all and fix the space ;-) [Alexandre Dulaunoy]
* Attributes username-quoted added. [ater49]
Added Attributes: "username-quoted"
Added types: LinkedIn, Reddit, Google+, Instagram
* Add: Microblog post object like a Twitter tweet or a post on a Facebook wall. [Alexandre Dulaunoy]
* Carbon copy field added. [Alexandre Dulaunoy]
* Documentation links added. [Alexandre Dulaunoy]
* Return-path added in email object. [Alexandre Dulaunoy]
* Fixed the release version. [Alexandre Dulaunoy]
* Sane_default added in the documentation. [Alexandre Dulaunoy]
* Victim object added to the list. [Alexandre Dulaunoy]
* Victim object added mainly based on the STIX 2.0 victim proposal. [Alexandre Dulaunoy]
* Ja3 and person added in the list. [Alexandre Dulaunoy]
* First version of the ja3 object based on the proposal from @delbs. [Alexandre Dulaunoy]
* Fixing typo in the credit-card object. [Alexandre Dulaunoy]
* 2.4.80 released. [Alexandre Dulaunoy]
* Whois template fixed. [Alexandre Dulaunoy]
* Fix #22. [Alexandre Dulaunoy]
* Values_list added in the documentation. [Alexandre Dulaunoy]
* An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression. [Alexandre Dulaunoy]
* Add: first version of a person object (partially based on the PNR types) [Alexandre Dulaunoy]
* Link fixed. [Alexandre Dulaunoy]
* Url fixed. [Alexandre Dulaunoy]
* Add: first version of the credit-card object. [Alexandre Dulaunoy]
* Port type instead of text. [Alexandre Dulaunoy]
* Disable some correlations. [Raphaël Vinot]
* Be consistent and use hyphen everywhere (no more underscore). [Alexandre Dulaunoy]
Thanks to Terry MacDonald
* Feedback from David added (two new relationships - triggers and detected_as) [Alexandre Dulaunoy]
* Updated following Andras feedback. [Alexandre Dulaunoy]
* Yabin updated following Andras feedback. [Alexandre Dulaunoy]
* First version of a yabin object. [Alexandre Dulaunoy]
* Relationships added to the documentation export. [Alexandre Dulaunoy]
* Typo fixed. [Alexandre Dulaunoy]
* Add descriptions in all the objects. [Raphaël Vinot]
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* First version of a documentation generator tool. [Alexandre Dulaunoy]
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* Phone object added. [Alexandre Dulaunoy]
* Remove pipe from PE object def. [Raphaël Vinot]
* Update definitions of binaries. [Raphaël Vinot]
* Allow multiple entries of type flag in the ELFSection object. [Raphaël Vinot]
* Phone definition fixed. [Alexandre Dulaunoy]
* Typo fixed. [Alexandre Dulaunoy]
* First version of a mobile phone object. [Alexandre Dulaunoy]
* Calls relationship type added. [Alexandre Dulaunoy]
* Mach object file format added. [Alexandre Dulaunoy]
* Merge branch 'master' of github.com:MISP/misp-objects. [Raphaël Vinot]
* New relationship types added. [Alexandre Dulaunoy]
* Some more relationship type. [Alexandre Dulaunoy]