Merge branch 'main' of github.com:MISP/misp-objects

Author: chrisr3d

README.md

@@ -26,11 +26,13 @@
       "description": "IP destination of the attack step, if any.",
       "disable_correlation": true,
       "misp-attribute": "ip-dst",
+      "multiple": true,
       "ui-priority": 1
     },
     "dst-misc": {
-      "description": "Other type of source of the attack step, if any. This can be e.g. localhost.",
+      "description": "Other type of destination of the attack step, if any. This can be e.g. localhost.",
       "misp-attribute": "text",
+      "multiple": true,
       "ui-priority": 1
     },
     "expected-response": {
@@ -50,16 +52,19 @@
     "source-domain": {
       "description": "Domain source of the attack step, if any.",
       "misp-attribute": "domain",
+      "multiple": true,
       "ui-priority": 1
     },
     "source-ip": {
       "description": "IP source of the attack step, if any.",
       "misp-attribute": "ip-src",
+      "multiple": true,
       "ui-priority": 1
     },
     "source-misc": {
       "description": "Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.",
       "misp-attribute": "text",
+      "multiple": true,
       "ui-priority": 1
     },
     "succesful": {

objects/attack-step/definition.json

@@ -0,0 +1,53 @@
+{
+  "attributes": {
+    "command": {
+      "description": "Commandline triggering the detection",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "file-hash": {
+      "description": "Unique file hash",
+      "misp-attribute": "sha256",
+      "ui-priority": 1
+    },
+    "filename": {
+      "description": "Filename on disk",
+      "disable_correlation": true,
+      "misp-attribute": "filename",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "fullpath": {
+      "description": "Complete path of the filename including the filename",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "ip": {
+      "description": "Source IP address",
+      "misp-attribute": "ip-src",
+      "ui-priority": 1
+    },
+    "parent-command": {
+      "description": "Commandline of the parent process",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    },
+    "process-name": {
+      "description": "Name of the process trigerring the detection",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 1
+    }
+  },
+  "description": "An Object Template to encode an Crowdstrike detection report",
+  "meta-category": "misc",
+  "name": "crowdstrike-report",
+  "uuid": "805b327c-8f1b-4d76-a3ba-c8bc4964e740",
+  "version": 1
+}

objects/crowdstrike-report/definition.json

@@ -1,5 +1,11 @@
 {
   "attributes": {
+    "asn": {
+      "description": "Originating ASN for the CS Beacon Config",
+      "disable_correlation": true,
+      "misp-attribute": "AS",
+      "ui-priority": 0
+    },
     "c2": {
       "categories": [
         "Network activity"
@@ -9,6 +15,18 @@
       "multiple": true,
       "ui-priority": 1
     },
+    "city": {
+      "description": "City location of the CS Beacon Config in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "geo": {
+      "description": "Country location of the CS Beacon Config",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
     "ip": {
       "description": "IP of the C2",
       "misp-attribute": "ip-dst",
@@ -36,6 +54,20 @@
       "misp-attribute": "md5",
       "ui-priority": 1
     },
+    "naics": {
+      "description": "North American Industry Classification System Code",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "sector": {
+      "description": "Sector of for the CS Beacon Config in question",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 0
+    },
     "sha1": {
       "categories": [
         "Payload delivery"
@@ -80,5 +112,5 @@
     "watermark"
   ],
   "uuid": "d17355ef-ca1f-4b5a-86cd-65d877991f54",
-  "version": 2
+  "version": 3
 }

objects/cs-beacon-config/definition.json

@@ -0,0 +1,90 @@
+{
+  "attributes": {
+    "case-owner-org-name": {
+      "description": "Name of the organisation that created the case.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "case-owner-org-uuid": {
+      "description": "UUID of the organisation that created the case.",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "case-uuid": {
+      "description": "UUID of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "creation-date": {
+      "description": "Creation date of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "deadline": {
+      "description": "Deadline of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "A description of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "finish-date": {
+      "description": "Finish date of the case",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "origin-url": {
+      "description": "Origin of the case",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 1
+    },
+    "recurring-type": {
+      "description": "Recurring type",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "once",
+        "weekly",
+        "daily",
+        "monthly"
+      ],
+      "ui-priority": 0
+    },
+    "status": {
+      "description": "Status of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "created",
+        "ongoing",
+        "recurring",
+        "unavailable",
+        "rejected",
+        "finished"
+      ],
+      "ui-priority": 0
+    },
+    "title": {
+      "description": "Title of the case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    }
+  },
+  "description": "A case as defined by flowintel-cm.",
+  "meta-category": "misc",
+  "name": "flowintel-cm-case",
+  "uuid": "19df57c7-b315-4fd2-84e5-d81ab221425e",
+  "version": 2
+}

objects/flowintel-cm-case/definition.json

@@ -0,0 +1,92 @@
+{
+  "attributes": {
+    "case-uuid": {
+      "description": "UUID of the parent case",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 2
+    },
+    "creation-date": {
+      "description": "Creation date of the task",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "deadline": {
+      "description": "Deadline of the task",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "description": {
+      "description": "A description of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "file": {
+      "description": "File",
+      "disable_correlation": true,
+      "misp-attribute": "attachment",
+      "multiple": true,
+      "ui-priority": 0
+    },
+    "finish-date": {
+      "description": "Finish date of the task",
+      "disable_correlation": true,
+      "misp-attribute": "datetime",
+      "ui-priority": 0
+    },
+    "notes": {
+      "description": "Notes of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 0
+    },
+    "origin-url": {
+      "description": "Origin of the task",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 1
+    },
+    "status": {
+      "description": "Status of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "sane_default": [
+        "created",
+        "ongoing",
+        "recurring",
+        "unavailable",
+        "rejected",
+        "finished"
+      ],
+      "ui-priority": 0
+    },
+    "task-uuid": {
+      "description": "UUID of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "title": {
+      "description": "Title of the task",
+      "disable_correlation": true,
+      "misp-attribute": "text",
+      "ui-priority": 1
+    },
+    "url": {
+      "description": "An url to an external tool",
+      "disable_correlation": true,
+      "misp-attribute": "url",
+      "to_ids": false,
+      "ui-priority": 0
+    }
+  },
+  "description": "A task as defined by flowintel-cm.",
+  "meta-category": "misc",
+  "name": "flowintel-cm-task",
+  "uuid": "2f525f6e-d3f2-4cb9-9ca0-f1160d99397d",
+  "version": 3
+}

objects/flowintel-cm-task/definition.json

@@ -31,6 +31,12 @@
       "multiple": true,
       "ui-priority": 100
     },
+    "title": {
+      "description": "Title of the report",
+      "misp-attribute": "text",
+      "multiple": true,
+      "ui-priority": 100
+    },
     "type": {
       "description": "Type of report",
       "disable_correlation": true,
@@ -80,13 +86,14 @@
       "ui-priority": 100
     }
   },
-  "description": "Metadata used to generate an executive level report",
+  "description": "Report object to describe a report along with its metadata.",
   "meta-category": "misc",
   "name": "report",
   "requiredOneOf": [
+    "title",
     "summary",
     "link"
   ],
   "uuid": "70a68471-df22-4e3f-aa1a-5a3be19f82df",
-  "version": 7
+  "version": 8
 }