MISP
diff --git a/‎README.md‎
Lines changed: 6 additions & 2 deletions b/‎README.md‎
Lines changed: 6 additions & 2 deletions
diff --git a/‎objects/cs-beacon-config/definition.json‎
Lines changed: 89 additions & 2 deletions b/‎objects/cs-beacon-config/definition.json‎
Lines changed: 89 additions & 2 deletions
diff --git a/‎objects/ddos-claim/definition.json‎
Lines changed: 51 additions & 0 deletions b/‎objects/ddos-claim/definition.json‎
Lines changed: 51 additions & 0 deletions
diff --git a/‎objects/flowintel-cm-case/definition.json‎
Lines changed: 7 additions & 1 deletion b/‎objects/flowintel-cm-case/definition.json‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎objects/flowintel-cm-task-note/definition.json‎
Lines changed: 35 additions & 0 deletions b/‎objects/flowintel-cm-task-note/definition.json‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎objects/flowintel-cm-task/definition.json‎
Lines changed: 1 addition & 7 deletions b/‎objects/flowintel-cm-task/definition.json‎
Lines changed: 1 addition & 7 deletions
@@ -161,6 +161,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/cytomic-orion-machine](https://github.com/MISP/misp-objects/blob/main/objects/cytomic-orion-machine/definition.json) - Cytomic Orion File at Machine Detection.
 - [objects/dark-pattern-item](https://github.com/MISP/misp-objects/blob/main/objects/dark-pattern-item/definition.json) - An Item whose User Interface implements a dark pattern.
 - [objects/ddos](https://github.com/MISP/misp-objects/blob/main/objects/ddos/definition.json) - DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
+- [objects/ddos-claim](https://github.com/MISP/misp-objects/blob/main/objects/ddos-claim/definition.json) - DDoS-claim object describes a current claim of DDoS activity.
 - [objects/device](https://github.com/MISP/misp-objects/blob/main/objects/device/definition.json) - An object to define a device.
 - [objects/diameter-attack](https://github.com/MISP/misp-objects/blob/main/objects/diameter-attack/definition.json) - Attack as seen on the diameter signaling protocol supporting LTE networks.
 - [objects/diamond-event](https://github.com/MISP/misp-objects/blob/main/objects/diamond-event/definition.json) - A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.
@@ -190,6 +191,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/file](https://github.com/MISP/misp-objects/blob/main/objects/file/definition.json) - File object describing a file with meta-information.
 - [objects/flowintel-cm-case](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-case/definition.json) - A case as defined by flowintel-cm.
 - [objects/flowintel-cm-task](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task/definition.json) - A task as defined by flowintel-cm.
+- [objects/flowintel-cm-task-note](https://github.com/MISP/misp-objects/blob/main/objects/flowintel-cm-task-note/definition.json) - A task's note as defined by flowintel-cm.
 - [objects/forensic-case](https://github.com/MISP/misp-objects/blob/main/objects/forensic-case/definition.json) - An object template to describe a digital forensic case.
 - [objects/forensic-evidence](https://github.com/MISP/misp-objects/blob/main/objects/forensic-evidence/definition.json) - An object template to describe a digital forensic evidence.
 - [objects/forged-document](https://github.com/MISP/misp-objects/blob/main/objects/forged-document/definition.json) - Object describing a forged document.
@@ -246,6 +248,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/ftm-Video](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Video/definition.json) - Video.
 - [objects/ftm-Workbook](https://github.com/MISP/misp-objects/blob/main/objects/ftm-Workbook/definition.json) - Workbook.
 - [objects/game-cheat](https://github.com/MISP/misp-objects/blob/main/objects/game-cheat/definition.json) - Describes a game cheat or a cheatware.
+- [objects/Generalizing Persuasion Framework](https://github.com/MISP/misp-objects/blob/main/objects/Generalizing Persuasion Framework/definition.json) - By placing their work within the GP Framework, scholars will help the field resolve inconsistencies, identify and address open questions, and ensure collective progress. The GP Framework is not meant to compete with other theories (such as the ELM) but rather to fill in two gaps. First, it allows one to consider how individual persuasion studies connect to one another and why studies may arrive at contradictory conclusions. Second, it highlights the sources of variations that should be studied. (James N. Druckman).
 - [objects/geolocation](https://github.com/MISP/misp-objects/blob/main/objects/geolocation/definition.json) - An object to describe a geographic location.
 - [objects/git-vuln-finder](https://github.com/MISP/misp-objects/blob/main/objects/git-vuln-finder/definition.json) - Export from git-vuln-finder.
 - [objects/github-user](https://github.com/MISP/misp-objects/blob/main/objects/github-user/definition.json) - GitHub user.
@@ -326,6 +329,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/phishing](https://github.com/MISP/misp-objects/blob/main/objects/phishing/definition.json) - Phishing template to describe a phishing website and its analysis.
 - [objects/phishing-kit](https://github.com/MISP/misp-objects/blob/main/objects/phishing-kit/definition.json) - Object to describe a phishing-kit.
 - [objects/phone](https://github.com/MISP/misp-objects/blob/main/objects/phone/definition.json) - A phone or mobile phone object which describe a phone.
+- [objects/phone-number](https://github.com/MISP/misp-objects/blob/main/objects/phone-number/definition.json) - Phone number based on the E.164 international public telecommunication numbering plan.
 - [objects/physical-impact](https://github.com/MISP/misp-objects/blob/main/objects/physical-impact/definition.json) - Physical Impact object as described in STIX 2.1 Incident object extension.
 - [objects/postal-address](https://github.com/MISP/misp-objects/blob/main/objects/postal-address/definition.json) - A postal address.
 - [objects/probabilistic-data-structure](https://github.com/MISP/misp-objects/blob/main/objects/probabilistic-data-structure/definition.json) - Probabilistic data structure object describe a space-efficient data structure such as Bloom filter or similar structure.
@@ -335,7 +339,7 @@ for a specific attribute. An optional **to_ids** boolean field to disable the ID
 - [objects/query](https://github.com/MISP/misp-objects/blob/main/objects/query/definition.json) - An object describing a query, along with its format.
 - [objects/r2graphity](https://github.com/MISP/misp-objects/blob/main/objects/r2graphity/definition.json) - Indicators extracted from files using radare2 and graphml.
 - [objects/ransom-negotiation](https://github.com/MISP/misp-objects/blob/main/objects/ransom-negotiation/definition.json) - An object to describe ransom negotiations, as seen in ransomware incidents.
-- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io.
+- [objects/ransomware-group-post](https://github.com/MISP/misp-objects/blob/main/objects/ransomware-group-post/definition.json) - Ransomware group post as monitored by ransomlook.io or others.
 - [objects/reddit-account](https://github.com/MISP/misp-objects/blob/main/objects/reddit-account/definition.json) - Reddit account.
 - [objects/reddit-comment](https://github.com/MISP/misp-objects/blob/main/objects/reddit-comment/definition.json) - A Reddit post comment.
 - [objects/reddit-post](https://github.com/MISP/misp-objects/blob/main/objects/reddit-post/definition.json) - A Reddit post.
@@ -473,7 +477,7 @@ When the object is created, the `validate_all.sh` and `jq_all_the_things.sh` is
 - Add a description in the object template explaining the scope and use-cases of your object templates
 - If the object is the mapping of an existing format, add a reference into the description of the object template
 - `first-seen` and `last-seen` are not required in a object template as an object has those fields by default. If you need additional temporal information, add new specific field(s).
-- Be lax on the number of fields required by default (e.g. use `requiredOneOf`). 
+- Be lax on the number of fields required by default (e.g. use `requiredOneOf`).
 - Review existing object templates before creating a new one. When doing a pull-request, don't hesitate to add the logic why a new template is required.
 
 ## MISP objects documentation
 
@@ -1,11 +1,43 @@
 {
   "attributes": {
+    "architecture": {
+      "description": "Hardware architecture of the sample",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
     "asn": {
       "description": "Originating ASN for the CS Beacon Config",
       "disable_correlation": true,
       "misp-attribute": "AS",
       "ui-priority": 0
     },
+    "beacon-host": {
+      "description": "Beacon host IP",
+      "misp-attribute": "ip-dst",
+      "ui-priority": 0
+    },
+    "beacon-type": {
+      "description": "Beacon type used",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "binary-md5": {
+      "description": "MD5 of the binary delivered",
+      "misp-attribute": "md5",
+      "ui-priority": 0
+    },
+    "binary-sha1": {
+      "description": "SHA1 of the binary delivered",
+      "misp-attribute": "sha1",
+      "ui-priority": 0
+    },
+    "binary-sha256": {
+      "description": "SHA256 of the binary delivered",
+      "misp-attribute": "sha256",
+      "ui-priority": 0
+    },
     "c2": {
       "categories": [
         "Network activity"
@@ -21,12 +53,67 @@
       "misp-attribute": "text",
       "ui-priority": 0
     },
+    "config-md5": {
+      "description": "MD5 of the configuration",
+      "misp-attribute": "md5",
+      "ui-priority": 0
+    },
+    "config-sha1": {
+      "description": "SHA1 of the configuration",
+      "misp-attribute": "sha1",
+      "ui-priority": 0
+    },
+    "config-sha256": {
+      "description": "SHA256 of the configuration",
+      "misp-attribute": "sha256",
+      "ui-priority": 0
+    },
+    "content-length": {
+      "description": "Content length of the payload",
+      "disable_correlation": true,
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
+    "content-type": {
+      "description": "Content/type received",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "encoded-data": {
+      "description": "Encoded payload data in Base64 as file attachment",
+      "misp-attribute": "attachment",
+      "ui-priority": 0
+    },
+    "encoded-length": {
+      "description": "Length of the encoded data",
+      "disable_correlation": true,
+      "misp-attribute": "size-in-bytes",
+      "ui-priority": 0
+    },
     "geo": {
       "description": "Country location of the CS Beacon Config",
       "disable_correlation": true,
       "misp-attribute": "text",
       "ui-priority": 0
     },
+    "http": {
+      "description": "HTTP protocol used",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "http-code": {
+      "description": "HTTP return code",
+      "disable_correlation": true,
+      "misp-attribute": "integer",
+      "ui-priority": 0
+    },
+    "http-url": {
+      "description": "HTTP url path of the beacon",
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
     "ip": {
       "description": "IP of the C2",
       "misp-attribute": "ip-dst",
@@ -55,7 +142,7 @@
       "ui-priority": 1
     },
     "naics": {
-      "description": "North American Industry Classification System Code",
+      "description": "North American Industry Classification System Code (NAICS)",
       "disable_correlation": true,
       "misp-attribute": "text",
       "multiple": true,
@@ -112,5 +199,5 @@
     "watermark"
   ],
   "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
-  "version": 4
+  "version": 7
 }
@@ -0,0 +1,51 @@
+{
+  "attributes": {
+    "claim-validity": {
+      "description": "Validity of the claim. Valid means, a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "Unknown",
+        "Valid",
+        "Invalid"
+      ],
+      "ui-priority": 0
+    },
+    "proof": {
+      "description": "The claim in text format.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "proof-screenshot": {
+      "description": "Screenshot of the claim.",
+      "misp-attribute": "attachment",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "reference": {
+      "description": "Reference to the DDoS claim.",
+      "disable_correlation": true,
+      "misp-attribute": "link",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "target": {
+      "description": "Target of the DDoS claim.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    }
+  },
+  "description": "DDoS-claim object describes a current claim of DDoS activity.",
+  "meta-category": "network",
+  "name": "ddos-claim",
+  "requiredOneOf": [
+    "target",
+    "proof",
+    "reference"
+  ],
+  "uuid": "2722ac76-1f1f-43b7-bc68-ba5465ec5c04",
+  "version": 2
+}
@@ -42,6 +42,12 @@
       "misp-attribute": "datetime",
       "ui-priority": 0
     },
+    "notes": {
+      "description": "Notes of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
     "origin-url": {
       "description": "Origin of the case",
       "disable_correlation": true,
@@ -86,5 +92,5 @@
   "meta-category": "misc",
   "name": "flowintel-cm-case",
   "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
-  "version": 2
+  "version": 3
 }
@@ -0,0 +1,35 @@
+{
+  "attributes": {
+    "note": {
+      "description": "Notes of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "note-uuid": {
+      "description": "UUID of the note",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 2
+    },
+    "origin-url": {
+      "description": "Origin of the task",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 1
+    },
+    "task-uuid": {
+      "description": "UUID of the parent task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 2
+    }
+  },
+  "description": "A task's note as defined by flowintel-cm.",
+  "meta-category": "misc",
+  "name": "flowintel-cm-task-note",
+  "uuid": "2c6f6aba-48b6-482f-a810-81934d29be9a",
+  "version": 1
+}
@@ -37,12 +37,6 @@
       "misp-attribute": "datetime",
       "ui-priority": 0
     },
-    "notes": {
-      "description": "Notes of the task",
-      "disable_correlation": true,
-      "misp-attribute": "text",
-      "ui-priority": 0
-    },
     "origin-url": {
       "description": "Origin of the task",
       "disable_correlation": true,
@@ -88,5 +82,5 @@
   "meta-category": "misc",
   "name": "flowintel-cm-task",
   "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
-  "version": 3
+  "version": 4
 }