-
Notifications
You must be signed in to change notification settings - Fork 122
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing
14 changed files
with
531 additions
and
9 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
{ | ||
"attributes": { | ||
"c2-ip": { | ||
"categories": [ | ||
"Network activity" | ||
], | ||
"description": "IP of C2 server with unknown port", | ||
"misp-attribute": "ip-src", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"c2-ipport": { | ||
"categories": [ | ||
"Network activity" | ||
], | ||
"description": "IP:Port of C2 server", | ||
"misp-attribute": "ip-src|port", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"report-url": { | ||
"description": "URL of source of information, e.g. blog post, ransomware analysis", | ||
"disable_correlation": true, | ||
"misp-attribute": "link", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"threat": { | ||
"categories": [ | ||
"Attribution", | ||
"Payload type" | ||
], | ||
"description": "threat actor or malware", | ||
"misp-attribute": "text", | ||
"ui-priority": 1 | ||
} | ||
}, | ||
"description": "List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis", | ||
"meta-category": "network", | ||
"name": "c2-list", | ||
"required": [ | ||
"threat" | ||
], | ||
"requiredOneOf": [ | ||
"c2-ipport", | ||
"c2-ip" | ||
], | ||
"uuid": "12456351-ceb7-4d43-9a7e-d2275d8b5785", | ||
"version": 20230919 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
{ | ||
"attributes": { | ||
"command": { | ||
"description": "Commandline triggering the detection", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"file-hash": { | ||
"description": "Unique file hash", | ||
"misp-attribute": "sha256", | ||
"ui-priority": 1 | ||
}, | ||
"filename": { | ||
"description": "Filename on disk", | ||
"disable_correlation": true, | ||
"misp-attribute": "filename", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"fullpath": { | ||
"description": "Complete path of the filename including the filename", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 0 | ||
}, | ||
"ip": { | ||
"description": "Source IP address", | ||
"misp-attribute": "ip-src", | ||
"ui-priority": 1 | ||
}, | ||
"parent-command": { | ||
"description": "Commandline of the parent process", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
}, | ||
"process-name": { | ||
"description": "Name of the process trigerring the detection", | ||
"misp-attribute": "text", | ||
"multiple": true, | ||
"ui-priority": 1 | ||
} | ||
}, | ||
"description": "An Object Template to encode an Crowdstrike detection report", | ||
"meta-category": "misc", | ||
"name": "crowdstrike-report", | ||
"uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740", | ||
"version": 1 | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,90 @@ | ||
{ | ||
"attributes": { | ||
"case-owner-org-name": { | ||
"description": "Name of the organisation that created the case.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"case-owner-org-uuid": { | ||
"description": "UUID of the organisation that created the case.", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"case-uuid": { | ||
"description": "UUID of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 1 | ||
}, | ||
"creation-date": { | ||
"description": "Creation date of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"deadline": { | ||
"description": "Deadline of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"description": { | ||
"description": "A description of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 0 | ||
}, | ||
"finish-date": { | ||
"description": "Finish date of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "datetime", | ||
"ui-priority": 0 | ||
}, | ||
"origin-url": { | ||
"description": "Origin of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "url", | ||
"to_ids": false, | ||
"ui-priority": 1 | ||
}, | ||
"recurring-type": { | ||
"description": "Recurring type", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"sane_default": [ | ||
"once", | ||
"weekly", | ||
"daily", | ||
"monthly" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"status": { | ||
"description": "Status of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"sane_default": [ | ||
"created", | ||
"ongoing", | ||
"recurring", | ||
"unavailable", | ||
"rejected", | ||
"finished" | ||
], | ||
"ui-priority": 0 | ||
}, | ||
"title": { | ||
"description": "Title of the case", | ||
"disable_correlation": true, | ||
"misp-attribute": "text", | ||
"ui-priority": 1 | ||
} | ||
}, | ||
"description": "A case as defined by flowintel-cm.", | ||
"meta-category": "misc", | ||
"name": "flowintel-cm-case", | ||
"uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e", | ||
"version": 2 | ||
} |
Oops, something went wrong.