Merge https://github.com/MISP/misp-objects

MISP · Feb 16, 2024 · 1ab371f · 1ab371f
2 parents 51e131d + 3ac5099
commit 1ab371f
Show file tree

Hide file tree

Showing 14 changed files with 531 additions and 9 deletions.
diff --git a/README.md b/README.md
diff --git a/objects/artifact/definition.json b/objects/artifact/definition.json
@@ -24,7 +24,7 @@
     },
     "payload_bin": {
       "description": "Specifies the binary data contained in the artifact as a base64-encoded string.",
-      "misp-attribute": "text",
+      "misp-attribute": "attachment",
       "ui-priority": 0
     },
     "sha1": {

diff --git a/objects/attack-step/definition.json b/objects/attack-step/definition.json
@@ -26,11 +26,13 @@
       "description": "IP destination of the attack step, if any.",
       "disable_correlation": true,
       "misp-attribute": "ip-dst",
+      "multiple": true,
       "ui-priority": 1
     },
     "dst-misc": {
-      "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+      "description": "Other type of destination of the attack step, if any. This can be e.g. localhost.",
       "misp-attribute": "text",
+      "multiple": true,
       "ui-priority": 1
     },
     "expected-response": {
@@ -50,16 +52,19 @@
     "source-domain": {
       "description": "Domain source of the attack step, if any.",
       "misp-attribute": "domain",
+      "multiple": true,
       "ui-priority": 1
     },
     "source-ip": {
       "description": "IP source of the attack step, if any.",
       "misp-attribute": "ip-src",
+      "multiple": true,
       "ui-priority": 1
     },
     "source-misc": {
       "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
       "misp-attribute": "text",
+      "multiple": true,
       "ui-priority": 1
     },
     "succesful": {

diff --git a/objects/c2-list/definition.json b/objects/c2-list/definition.json
@@ -0,0 +1,50 @@
+{
+  "attributes": {
+    "c2-ip": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "IP of C2 server with unknown port",
+      "misp-attribute": "ip-src",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "c2-ipport": {
+      "categories": [
+        "Network activity"
+      ],
+      "description": "IP:Port of C2 server",
+      "misp-attribute": "ip-src|port",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "report-url": {
+      "description": "URL of source of information, e.g. blog post, ransomware analysis",
+      "disable_correlation": true,
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "threat": {
+      "categories": [
+        "Attribution",
+        "Payload type"
+      ],
+      "description": "threat actor or malware",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis",
+  "meta-category": "network",
+  "name": "c2-list",
+  "required": [
+    "threat"
+  ],
+  "requiredOneOf": [
+    "c2-ipport",
+    "c2-ip"
+  ],
+  "uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785",
+  "version": 20230919
+}
diff --git a/objects/crowdstrike-report/definition.json b/objects/crowdstrike-report/definition.json
@@ -0,0 +1,53 @@
+{
+  "attributes": {
+    "command": {
+      "description": "Commandline triggering the detection",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "file-hash": {
+      "description": "Unique file hash",
+      "misp-attribute": "sha256",
+      "ui-priority": 1
+    },
+    "filename": {
+      "description": "Filename on disk",
+      "disable_correlation": true,
+      "misp-attribute": "filename",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "fullpath": {
+      "description": "Complete path of the filename including the filename",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "ip": {
+      "description": "Source IP address",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "parent-command": {
+      "description": "Commandline of the parent process",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "process-name": {
+      "description": "Name of the process trigerring the detection",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    }
+  },
+  "description": "An Object Template to encode an Crowdstrike detection report",
+  "meta-category": "misc",
+  "name": "crowdstrike-report",
+  "uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740",
+  "version": 1
+}
diff --git a/objects/cs-beacon-config/definition.json b/objects/cs-beacon-config/definition.json
@@ -1,5 +1,11 @@
 {
   "attributes": {
+    "asn": {
+      "description": "Originating ASN for the CS Beacon Config",
+      "disable_correlation": true,
+      "misp-attribute": "AS",
+      "ui-priority": 0
+    },
     "c2": {
       "categories": [
         "Network activity"
@@ -9,6 +15,24 @@
       "multiple": true,
       "ui-priority": 1
     },
+    "city": {
+      "description": "City location of the CS Beacon Config in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "geo": {
+      "description": "Country location of the CS Beacon Config",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "ip": {
+      "description": "IP of the C2",
+      "misp-attribute": "ip-dst",
+      "multiple": true,
+      "ui-priority": 1
+    },
     "jar-md5": {
       "categories": [
         "External analysis"
@@ -17,6 +41,11 @@
       "misp-attribute": "md5",
       "ui-priority": 0
     },
+    "license-id": {
+      "description": "License ID of the Colbalt Strike",
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
     "md5": {
       "categories": [
         "Payload delivery"
@@ -25,6 +54,20 @@
       "misp-attribute": "md5",
       "ui-priority": 1
     },
+    "naics": {
+      "description": "North American Industry Classification System Code",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "sector": {
+      "description": "Sector of for the CS Beacon Config in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
     "sha1": {
       "categories": [
         "Payload delivery"
@@ -69,5 +112,5 @@
     "watermark"
   ],
   "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
-  "version": 1
+  "version": 3
 }
diff --git a/objects/flowintel-cm-case/definition.json b/objects/flowintel-cm-case/definition.json
@@ -0,0 +1,90 @@
+{
+  "attributes": {
+    "case-owner-org-name": {
+      "description": "Name of the organisation that created the case.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "case-owner-org-uuid": {
+      "description": "UUID of the organisation that created the case.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "case-uuid": {
+      "description": "UUID of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "creation-date": {
+      "description": "Creation date of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "deadline": {
+      "description": "Deadline of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "A description of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "finish-date": {
+      "description": "Finish date of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "origin-url": {
+      "description": "Origin of the case",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 1
+    },
+    "recurring-type": {
+      "description": "Recurring type",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "once",
+        "weekly",
+        "daily",
+        "monthly"
+      ],
+      "ui-priority": 0
+    },
+    "status": {
+      "description": "Status of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "created",
+        "ongoing",
+        "recurring",
+        "unavailable",
+        "rejected",
+        "finished"
+      ],
+      "ui-priority": 0
+    },
+    "title": {
+      "description": "Title of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "A case as defined by flowintel-cm.",
+  "meta-category": "misc",
+  "name": "flowintel-cm-case",
+  "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
+  "version": 2
+}