Releases: MISP/misp-objects
MISP objects 2.4.142 released (to be in line with the MISP core software release)
v2.4.142 (2021-04-27)
New
- [doc] gitchangelog.rc added. [Alexandre Dulaunoy]
- [dkim] DomainKeys Identified Mail - DKIM object template. [Alexandre Dulaunoy]
- [windows-service] windows-service object added. [Alexandre Dulaunoy]
- [telegram-user] basic telegram user. [Alexandre Dulaunoy]
- [jarm] new jarm object to describe TLS/SSL implementation matching a jarm fingerprint. [Alexandre Dulaunoy]
- GH workflow. [Raphaël Vinot]
- [sh] Added process state. [Steve Clement]
- [cpe-asset] an asset as defined with a CPE value. [Alexandre Dulaunoy]
  This object was created to support the use-case of pisax.org for the following use-case:
  - They define well-known assets which are used by IXPs and GRXs via their CPEs;
  - The assets are defined in a set of fixed/master MISP events;
  - Those events are used to query NVD/CVE database via cve-search (https://github.com/cve-search/cve-search) using a PyMISP script;
  - Then the CVEs matching the CPE are added in MISP and dispatched to the sharing community of users as specific MISP events.
- [gitlab-user] GitLab user. Gitlab.com user or self-hosted GitLab instance object template. [Alexandre Dulaunoy]
- [github-user] a GitHub user object template. [Alexandre Dulaunoy]
  Based on the information seen on the web interface.
- Android-app object template. [Raphaël Vinot]
- [dev] add Twitter objects: twitter-account, twitter-list, twitter-post. add YouTube objects: youtube-channel, youtube-comment, youtube-playlist, youtube-video. add object: image. [VVX7]
- [dev] add Reddit objects: reddit-account, reddit-post, reddit-comment, reddit-subreddit. [VVX7]
- [dev] add facebook-account. [VVX7]
- [dev] add facebook-post object. [VVX7]
- [dev] add facebook-page object. [VVX7]
- [dev] add facebook-group object. [VVX7]
- Preliminary version of git-vuln-finder object template. [Raphaël Vinot]
- Objects and relations for FollowTheMoney. [Raphaël Vinot]
- [publication] jq'd the object. [VVX7]
- [publication] add object to describe academic journals, books, etc. [VVX7]
- Category FollowTheMoney. [Raphaël Vinot]
  To represent objects described there: https://docs.alephdata.org/developers/FollowTheMoney
- [object] add scheduled-event, add social-media-group. [VVX7]
- [object] add narrative. [VVX7]
- Add covid19 dxy live object. [Raphaël Vinot]
- Health object meta type. [Raphaël Vinot]
- [crypto-material] add generic-symmetric-key. [Raphaël Vinot]
- CSSE COVID-19 Dataset - Daily report. [Raphaël Vinot]
  Source: https://github.com/CSSEGISandData/COVID-19/tree/master/csse_covid_19_data
- [iot] a first version of the IoT object. [Alexandre Dulaunoy]
  Ref: based on the workshop discussion in https://github.com/C00kie-/workshop-materials
  The idea is to have this root object when a new IoT device is documented and further objects will be connected such as firmware or even file object.
- [objects] add instant-message object. add instant-message-group object. [VVX7]
- [objects] news-agency, news-media. [VVX7]
- TruStar report object. [Raphaël Vinot]
- [attributes] chrome-extension-id added. [Alexandre Dulaunoy]
- [objects] blog, forged-document, leaked-document, meme-image. [VVX7]
- [attribute type] kusto-query attribute type. [Alexandre Dulaunoy]
  Kusto query is the query language for the Kusto services in Azure used to search large datasets. It's used in Windows Defender ATP Hunting-Queries and also Azure Sentinel (Cloud-native SIEM).
- IntelQM objects. [Raphaël Vinot]
- [virustotal-graph] VirusTotal graph object added. [Alexandre Dulaunoy]
  Based on the discussion with VT, virustotal-graph object has been added which will be used with the expansion modules and also to trigger the specific quick-tab in MISP to display the VT graph result in an iframe if this object is present.
- Weakness & attack-pattern objects to describe CWE & CAPEC related to a CVE. [chrisr3d]
  - The attack-pattern object is using a new attribute type called weakness to describe CWE id, which will link to its own information as described in https://cve.circl.lu
- Add "includes" relationship. [Raphaël Vinot]
- Objects for Scripps CO2. [Raphaël Vinot]
- New object describing user accounts. [chrisr3d]
- [imsi-catcher] object based on the output format of IMSI-catcher open source tools. [Alexandre Dulaunoy]
  The object has been created to show the flexibility of the object template during the PassTheSalt 2019 conference and the D4 presentation.
- [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. [Alexandre Dulaunoy]
- Add offset, virtual_address and virtual_size to the pe section object. [Raphaël Vinot]
  Related to MISP/PyMISP#388
- Internal reference object. [Raphaël Vinot]
- Add Alfred relationships (CCCS) [Raphaël Vinot]
- New Object describing original files used to import data in MISP. [chrisr3d]
- [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. [Alexandre Dulaunoy]
- [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added. [Alexandre Dulaunoy]
- Threatgrid-report object template. [Raphaël Vinot]
- Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. [Alexandre Dulaunoy]
- Add EML to the email template. [Raphaël Vinot]
- Attach logfile to fail2ban. [Raphaël Vinot]
- Fail2ban object. [Raphaël Vinot]
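The cpe-asset workflow listed above (assets defined by a CPE in a master event, CVEs pulled from cve-search and pushed back into MISP as vulnerability objects), as an added example. This is not code from misp-objects, PyMISP or pisax.org; it uses only the Python standard library so it runs offline and emits the plain JSON shape the MISP REST API accepts instead of going through PyMISP. The cve-search records are a constructed sample in the shape I assume for the `/api/cvefor/<cpe>` output (placeholder CVE ids, not real vulnerabilities); the object_relation names (`cpe`, `name` for cpe-asset; `id`, `summary`, `cvss-score`, `vulnerable_configuration` for vulnerability) and the relationship name `affects` are assumptions to check against the templates and relationships shipped in this release.

```python
import json
import uuid

# Constructed sample (placeholder CVE ids, not real vulnerabilities) in the
# shape assumed for cve-search's /api/cvefor/<cpe> output: a list of CVE dicts
# whose "vulnerable_configuration" holds CPE 2.3 formatted strings.
SAMPLE_CVESEARCH = [
    {"id": "CVE-0000-0001", "cvss": 9.8,
     "summary": "placeholder: exact version of the asset",
     "vulnerable_configuration": [
         "cpe:2.3:o:example_vendor:router_os:4.2:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0002", "cvss": 5.3,
     "summary": "placeholder: any version of the product (ANY wildcard)",
     "vulnerable_configuration": [
         "cpe:2.3:o:example_vendor:router_os:*:*:*:*:*:*:*:*"]},
    {"id": "CVE-0000-0003", "cvss": 7.5,
     "summary": "placeholder: other version, must not be attached",
     "vulnerable_configuration": [
         "cpe:2.3:o:example_vendor:router_os:5.0:*:*:*:*:*:*:*"]},
]

# The asset as it would sit in the fixed/master event as a cpe-asset object.
ASSET_CPE = "cpe:2.3:o:example_vendor:router_os:4.2:*:*:*:*:*:*:*"
RELATIONSHIP = "affects"  # assumed relationship name: vulnerability -> asset


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 13 components.

    str.split(':') is wrong here: a literal colon inside a component is
    escaped as '\\:' in the formatted-string binding, so escapes are honoured.
    """
    parts, cur, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if cpe[i] == ":":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(cpe[i])
        i += 1
    parts.append("".join(cur))
    return parts


def cpe_matches(asset_cpe, config_cpe):
    """True if a vulnerable_configuration entry covers the asset.

    The 11 attribute fields after 'cpe:2.3' are compared one by one: '*'
    (ANY) on either side matches, anything else must be equal ignoring case.
    Malformed strings (not 13 components, wrong prefix) never match.
    """
    a, c = split_cpe(asset_cpe), split_cpe(config_cpe)
    if len(a) != 13 or len(c) != 13 or a[:2] != ["cpe", "2.3"] or c[:2] != ["cpe", "2.3"]:
        return False
    return all(x == "*" or y == "*" or x.lower() == y.lower()
               for x, y in zip(a[2:], c[2:]))


def misp_attribute(object_relation, attr_type, value):
    """One attribute in the JSON shape MISP's REST API accepts."""
    return {"uuid": str(uuid.uuid4()), "object_relation": object_relation,
            "type": attr_type, "value": str(value)}


def build_objects(asset_cpe, asset_name, cve_records, relationship=RELATIONSHIP):
    """Return a cpe-asset object plus one vulnerability object per matching CVE.

    Assumed object_relation names: cpe-asset -> cpe, name; vulnerability ->
    id, summary, cvss-score, vulnerable_configuration (type cpe since this
    release). Each vulnerability references the asset with `relationship`.
    """
    asset = {"uuid": str(uuid.uuid4()), "name": "cpe-asset",
             "meta-category": "misc",
             "Attribute": [misp_attribute("cpe", "cpe", asset_cpe),
                           misp_attribute("name", "text", asset_name)]}
    objects = [asset]
    for rec in cve_records:
        hits = [c for c in rec.get("vulnerable_configuration", [])
                if cpe_matches(asset_cpe, c)]
        if not hits:
            continue  # CVE does not cover this asset: do not push it
        attrs = [misp_attribute("id", "vulnerability", rec["id"]),
                 misp_attribute("summary", "text", rec.get("summary", ""))]
        if "cvss" in rec:
            attrs.append(misp_attribute("cvss-score", "float", rec["cvss"]))
        attrs += [misp_attribute("vulnerable_configuration", "cpe", c) for c in hits]
        vuln = {"uuid": str(uuid.uuid4()), "name": "vulnerability",
                "meta-category": "vulnerability", "Attribute": attrs}
        vuln["ObjectReference"] = [{"uuid": str(uuid.uuid4()),
                                    "object_uuid": vuln["uuid"],
                                    "referenced_uuid": asset["uuid"],
                                    "relationship_type": relationship}]
        objects.append(vuln)
    return objects


if __name__ == "__main__":
    # Emit the objects as the "Object" list of a MISP event, ready for the API.
    event = {"Event": {"info": "placeholder: CVEs for core router",
                       "Object": build_objects(ASSET_CPE, "core router", SAMPLE_CVESEARCH)}}
    print(json.dumps(event, indent=2))
```

The matching is deliberately conservative: a record is only attached when one of its configurations covers the asset component by component, so an unrelated version (the third sample record) is never dispatched to the sharing community, and a CPE whose product name contains an escaped colon is not mangled by a naive split. Only the matching configuration strings are copied into `vulnerable_configuration`, so the resulting object states exactly why the CVE was attached.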
Changes
- [doc] list of objects updated. [Alexandre Dulaunoy]
- Make jq validation happy. [Raphaël Vinot]
- Make jq validation happy. [Raphaël Vinot]
- Add PR to GH actions. [Raphaël Vinot]
- [report] add a report type. [Alexandre Dulaunoy]
- [person] full-name attribute type added + expanding object person with full-name. [Alexandre Dulaunoy]
- [schema] dkim and dkim signature added. [Alexandre Dulaunoy]
- [network-element] jq. [Alexandre Dulaunoy]
- [network-profile] AS updated. [Alexandre Dulaunoy]
- [network-profile] add jarm-fingerprint. [Alexandre Dulaunoy]
- [relationships] jq all the things. [Alexandre Dulaunoy]
- Update json schema for relationships to include opposite key. [Théo BARRAGUÉ]
- [report] make link or summary as non-required field. [Alexandre Dulaunoy]
- [regexp] fixed. [Alexandre Dulaunoy]
- [regexp] Farsight Compatible Regular Expressions (FCRE) added. [Alexandre Dulaunoy]
- [splunk] object updated. [Alexandre Dulaunoy]
- [report] add a link field to the report object template. [Alexandre Dulaunoy]
- Disable correlation in VT objects. [Raphaël Vinot]
- [relationships] updated. [Alexandre Dulaunoy]
- [relationships] writes added. [Alexandre Dulaunoy]
- [url] jq all the things. [Alexandre Dulaunoy]
- Allow multiple IPs in URL object. [Raphaël Vinot]
- [telegram-account] required attributes. [Terrtia]
- [telegram-account] fixes. [Alexandre Dulaunoy]
- Update objects to match lief output for authenticode. [Raphaël Vinot]
- [jarm] jq all the things. [Alexandre Dulaunoy]
- [jarm] jarm type is jarm-fingerprint. [Alexandre Dulaunoy]
- [doc] fixed. [Alexandre Dulaunoy]
- [trustar_report] Updated to add "THREAT_ACTOR" [Alexandre Dulaunoy]
  Fixing #273
- [yara] disable correlations on some fields. [Alexandre Dulaunoy]
- [crypto-material] add a public field for public cryptographic materials. [Alexandre Dulaunoy]
- [favicon] jq all the things. [Alexandre Dulaunoy]
- [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. [Alexandre Dulaunoy]
- [type] favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. [Alexandre Dulaunoy]
- [doc] MISP objects list updated. [Alexandre Dulaunoy]
- [twitter-post] jq. [Alexandre Dulaunoy]
- [jq] all the things. [Alexandre Dulaunoy]
- [doc] travis removed. [Alexandre Dulaunoy]
- Can have multiple text attributes. [Beaujeant]
- [domain-ip] hostname added as an attribute. [Alexandre Dulaunoy]
- Add type in schema. [Raphaël Vinot]
- [schema] process-state updated. [Alexandre Dulaunoy]
- [jq] all the [things] [Alexandre Dulaunoy]
- [json] sort. [Steve Clement]
- [process] revert back to single char in light of the new process-attribute. [Steve Clement]
- [process] Added sane defaults. [Steve Clement]
- [process] Updated process object. [Steve Clement]
- [types] jarm-fingerprint added. [Alexandre Dulaunoy]
- Using the actual attribute type for cpe and weakness instead of text. [chrisr3d]
- [cpe-asset] updated. [Alexandre Dulaunoy]
- [vulnerability] fixed. [Alexandre Dulaunoy]
- [vulnerability] vulnerable_configuration are now cpe type. [Alexandre Dulaunoy]
- [file] because sorted is always better. [Alexandre Dulaunoy]
- [file] imphash and telfhash added. [Alexandre Dulaunoy]
- [attribute type] new telfhash added. [Alexandre Dulaunoy]
- [gitlab-user] because -r is important. [Alexandre Dulaunoy]
- [type] new type added. [Alexandre Dulaunoy]
- [doc] object lists updated. [Alexandre Dulaunoy]
- Sort json. [Raphaël Vinot]
- [github-user] reflect the API fields. [Alexandre Dulaunoy]
- [keybase] be consistent with keybase API. [Alexandre Dulaunoy]
- [keybase-account] at least username is required. [Alexandre Dulaunoy]
- [twitter-account] incorrect description fixed. [Alexandre Dulaunoy]
- [relationships] leaks, leaked-by d...
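The favicon and favicon-mmh3 entries above say the new type is "the murmur3 hash of a favicon as used in Shodan", and the value only correlates if it is computed exactly the way Shodan does. The following is an added example, not code from misp-objects, MISP or Shodan: a standard-library implementation of MurmurHash3_x86_32 (the variant behind `mmh3.hash()`) plus the Shodan-specific input preparation, which hashes the base64 text produced by Python's `base64` codec (76-character lines with a trailing newline) rather than the raw file. The sample favicon bytes in the `__main__` block are constructed, not a real icon.

```python
import base64


def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & 0xFFFFFFFF


def murmur3_32(data, seed=0, signed=True):
    """MurmurHash3_x86_32 (the variant behind mmh3.hash()) over bytes.

    Returns a signed 32-bit int by default, which is how Shodan displays
    favicon hashes; pass signed=False for the unsigned form.
    """
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & 0xFFFFFFFF
    n = len(data)
    nblocks = n // 4
    for i in range(nblocks):            # body: 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl32((k * c1) & 0xFFFFFFFF, 15)
        k = (k * c2) & 0xFFFFFFFF
        h = _rotl32(h ^ k, 13)
        h = (h * 5 + 0xE6546B64) & 0xFFFFFFFF
    tail = data[nblocks * 4:]           # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = _rotl32((k * c1) & 0xFFFFFFFF, 15)
        k = (k * c2) & 0xFFFFFFFF
        h ^= k
    h ^= n                               # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & 0xFFFFFFFF
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & 0xFFFFFFFF
    h ^= h >> 16
    if signed and h & 0x80000000:
        h -= 0x100000000
    return h


def favicon_mmh3(favicon_bytes):
    """favicon-mmh3 as Shodan computes it: mmh3.hash(codecs.encode(data, 'base64')).

    The hashed input is not the raw file but its base64 text with a newline
    after every 76 characters and a trailing newline, which is what the
    'base64' codec (base64.encodebytes) emits. Hashing base64.b64encode()
    output or the raw bytes yields a different number that will not
    correlate with Shodan's http.favicon.hash.
    """
    return murmur3_32(base64.encodebytes(favicon_bytes))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:   # a favicon.ico fetched from a site
            data = fh.read()
    else:
        # constructed stand-in: an ICO header (reserved=0, type=1) plus padding
        data = b"\x00\x00\x01\x00" + b"\x00" * 60
    print(favicon_mmh3(data))
```

Store the signed value in the favicon-mmh3 attribute; the same number is what a Shodan query of the form `http.favicon.hash:<value>` expects, so a favicon object built this way pivots directly from a MISP event to Shodan's index. The implementation is checked against the published MurmurHash3 test vector for "hello" (0x248bfa47).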