Releases: MISP/misp-objects

MISP objects release 2024111100

11 Nov 10:44
2024111100
553b502

Release Notes for MISP Object Templates

New Additions and Enhancements

  • Addition of ip-src to the Person Object
    • The Person object template now includes the ip-src attribute, so source IP addresses associated with a person can be recorded and correlated directly on the object. This adds context to Person objects and widens the correlations MISP can draw from them.

Key Changes

  • Updated Relationships
    • A new releasable-to relationship has been added to the existing relationship definitions, making it clearer to whom related data may be released.

Fixes

  • JSON and Schema Adjustments
    • Applied jq fixes and adjustments across various templates for consistency and validation improvements.

Technical Details

  • The commit merged changes from a pull request that introduced ip-src to the Person object (commit a9ec8556860e90ea2ce24d1ee2bf5abb8d9de150).
  • Version bumps and minor template fixes (commit 1baaa6e3f1232332aac38e20d1ac92b3e370fb2e, commit f9c0c963019737cdfe4c1cda08cd340c673d0566).
  • Integration and adjustments for JSON formatting using jq to maintain data structure consistency (commit f9c0c963019737cdfe4c1cda08cd340c673d0566, commit 38b852132adf0881062978880b262797e13153b3).

Contributors

  • Special thanks to Michael Davis for contributing the ip-src addition to the Person object and ensuring schema improvements.
  • Core updates and merges performed by Alexandre Dulaunoy, with additional support from Christian Studer and Leviathan for template and object enhancements.

Notes about the release

Starting with this release, misp-objects is tagged using the %Y%m%d00 format for each new version. This makes it straightforward to verify whether a deployment is running the latest release. The versioning is now independent of the MISP core software, because the project is also used as a standalone component in various other applications.

MISP objects 2.4.142 released (to be in line with the MISP core software release)

27 Apr 04:14
v2.4.142
e72cf95

v2.4.142 (2021-04-27)

New

  • [doc] gitchangelog.rc added. [Alexandre Dulaunoy]

  • [dkim] DomainKeys Identified Mail - DKIM object template. [Alexandre Dulaunoy]

  • [windows-service] windows-service object added. [Alexandre Dulaunoy]

  • [telegram-user] basic telegram user. [Alexandre Dulaunoy]

  • [jarm] new jarm object to describe TLS/SSL implementation matching a jarm fingerprint. [Alexandre Dulaunoy]

  • GH workflow. [Raphaël Vinot]

  • [sh] Added process state. [Steve Clement]

  • [cpe-asset] an asset as defined with a CPE value. [Alexandre Dulaunoy]

    This object was created to support the use-case of pisax.org for the
    following use-case:

    • They define well-known assets which are used by IXPs and GRXs via
      their CPEs;
    • The assets are defined in a set of fixed/master MISP events;
    • Those events are used to query NVD/CVE database via cve-search
      (https://github.com/cve-search/cve-search) using a PyMISP script
    • Then the CVEs matching the CPE are added in MISP and dispatched to the
      sharing community of users as specific MISP events.
  • [gitlab-user] GitLab user. Gitlab.com user or self-hosted GitLab instance object template. [Alexandre Dulaunoy]

  • [github-user] a GitHub user object template. [Alexandre Dulaunoy]

    Based on the information seen on the web interface.

  • Android-app object template. [Raphaël Vinot]

  • [dev] add Twitter objects: twitter-account, twitter-list, twitter-post. add YouTube objects: youtube-channel, youtube-comment, youtube-playlist, youtube-video. add object: image. [VVX7]

  • [dev] add Reddit objects: reddit-account, reddit-post, reddit-comment, reddit-subreddit. [VVX7]

  • [dev] add facebook-account. [VVX7]

  • [dev] add facebook-post object. [VVX7]

  • [dev] add facebook-page object. [VVX7]

  • [dev] add facebook-group object. [VVX7]

  • Preliminary version of git-vuln-finder object template. [Raphaël Vinot]

  • Objects and relations for FollowTheMoney. [Raphaël Vinot]

  • [publication] jq'd the object. [VVX7]

  • [publication] add object to describe academic journals, books, etc. [VVX7]

  • Category FollowTheMoney. [Raphaël Vinot]

    To represent objects described there:
    https://docs.alephdata.org/developers/FollowTheMoney

  • [object] add scheduled-event, add social-media-group. [VVX7]

  • [object] add narrative. [VVX7]

  • Add covid19 dxy live object. [Raphaël Vinot]

  • Health object meta type. [Raphaël Vinot]

  • [crypto-material] add generic-symmetric-key. [Raphaël Vinot]

  • CSSE COVID-19 Dataset - Daily report. [Raphaël Vinot]

    Source:
    https://github.com/CSSEGISandData/COVID-19/tree/master/csse_covid_19_data

  • [iot] a first version of the IoT object. [Alexandre Dulaunoy]

    Ref: based on the workshop discussion in https://github.com/C00kie-/workshop-materials

    The idea is to have this root object when a new IoT device is documented
    and further objects will be connected such as firmware or even file object

  • [objects] add instant-message object. add instant-message-group object. [VVX7]

  • [objects] news-agency, news-media. [VVX7]

  • TruStar report object. [Raphaël Vinot]

  • [attributes] chrome-extension-id added. [Alexandre Dulaunoy]

  • [objects] blog, forged-document, leaked-document, meme-image. [VVX7]

  • [attribute type] kusto-query attribute type. [Alexandre Dulaunoy]

    Kusto query is the query language for the Kusto services in Azure used
    to search large datasets. It's used in Windows Defender ATP Hunting-Queries
    and also Azure Sentinel (Cloud-native SIEM).

  • IntelQM objects. [Raphaël Vinot]

  • [virustotal-graph] VirusTotal graph object added. [Alexandre Dulaunoy]

    Based on the discussion with VT, the virustotal-graph object has been added. It will
    be used with the expansion modules and also to trigger the specific
    quick-tab in MISP to display the VT graph result in an iframe if this
    object is present.

  • Weakness & attack-pattern objects to describe CWE & CAPEC related to a CVE. [chrisr3d]

    • The attack-pattern object is using a new
      attribute type called weakness to describe CWE
      id, which will link to its own information as
      described in https://cve.circl.lu
  • Add "includes" relationship. [Raphaël Vinot]

  • Objects for Scripps CO2. [Raphaël Vinot]

  • New object describing user accounts. [chrisr3d]

  • [imsi-catcher] object based on the output format of IMSI-catcher open source tools. [Alexandre Dulaunoy]

    The object has been created to show the flexibility of the object
    template during the PassTheSalt 2019 conference and the D4 presentation.

  • [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. [Alexandre Dulaunoy]

  • Add offset, virtual_address and virtual_size to the pe section object. [Raphaël Vinot]

    Related to MISP/PyMISP#388

  • Internal reference object. [Raphaël Vinot]

  • Add Alfred relationships (CCCS) [Raphaël Vinot]

  • New Object describing original files used to import data in MISP. [chrisr3d]

  • [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. [Alexandre Dulaunoy]

  • [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added. [Alexandre Dulaunoy]

  • Threatgrid-report object template. [Raphaël Vinot]

  • Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. [Alexandre Dulaunoy]

  • Add EML to the email template. [Raphaël Vinot]

  • Attach logfile to fail2ban. [Raphaël Vinot]

  • Fail2ban object. [Raphaël Vinot]

Changes

  • [doc] list of objects updated. [Alexandre Dulaunoy]

  • Make jq validation happy. [Raphaël Vinot]

  • Make jq validation happy. [Raphaël Vinot]

  • Add PR to GH actions. [Raphaël Vinot]

  • [report] add a report type. [Alexandre Dulaunoy]

  • [person] full-name attribute type added + expanding object person with full-name. [Alexandre Dulaunoy]

  • [schema] dkim and dkim signature added. [Alexandre Dulaunoy]

  • [network-element] jq. [Alexandre Dulaunoy]

  • [network-profile] AS updated. [Alexandre Dulaunoy]

  • [network-profile] add jarm-fingerprint. [Alexandre Dulaunoy]

  • [relationships] jq all the things. [Alexandre Dulaunoy]

  • Update json schema for relationships to include opposite key. [Théo BARRAGUÉ]

  • [report] make link or summary as non-required field. [Alexandre Dulaunoy]

  • [regexp] fixed. [Alexandre Dulaunoy]

  • [regexp] Farsight Compatible Regular Expressions (FCRE) added. [Alexandre Dulaunoy]

  • [splunk] object updated. [Alexandre Dulaunoy]

  • [report] add a link field to the report object template. [Alexandre Dulaunoy]

  • Disable correlation in VT objects. [Raphaël Vinot]

  • [relationships] updated. [Alexandre Dulaunoy]

  • [relationships] writes added. [Alexandre Dulaunoy]

  • [url] jq all the things. [Alexandre Dulaunoy]

  • Allow multiple IPs in URL object. [Raphaël Vinot]

  • [telegram-account] required attributes. [Terrtia]

  • [telegram-account] fixes. [Alexandre Dulaunoy]

  • Update objects to match lief output for authenticode. [Raphaël Vinot]

  • [jarm] jq all the things. [Alexandre Dulaunoy]

  • [jarm] jarm type is jarm-fingerprint. [Alexandre Dulaunoy]

  • [doc] fixed. [Alexandre Dulaunoy]

  • [trustar_report] Updated to add "THREAT_ACTOR" [Alexandre Dulaunoy]

    Fixing #273

  • [yara] disable correlations on some fields. [Alexandre Dulaunoy]

  • [crypto-material] add a public field for public cryptographic materials. [Alexandre Dulaunoy]

  • [favicon] jq all the things. [Alexandre Dulaunoy]

  • [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. [Alexandre Dulaunoy]

  • [type] favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. [Alexandre Dulaunoy]

  • [doc] MISP objects list updated. [Alexandre Dulaunoy]

  • [twitter-post] jq. [Alexandre Dulaunoy]

  • [jq] all the things. [Alexandre Dulaunoy]

  • [doc] travis removed. [Alexandre Dulaunoy]

  • Can have multiple text attributes. [Beaujeant]

  • [domain-ip] hostname added as an attribute. [Alexandre Dulaunoy]

  • Add type in schema. [Raphaël Vinot]

  • [schema] process-state updated. [Alexandre Dulaunoy]

  • [jq] all the [things] [Alexandre Dulaunoy]

  • [json] sort. [Steve Clement]

  • [process] revert back to single char in light of the new process-attribute. [Steve Clement]

  • [process] Added sane defaults. [Steve Clement]

  • [process] Updated process object. [Steve Clement]

  • [types] jarm-fingerprint added. [Alexandre Dulaunoy]

  • Using the actual attribute type for cpe and weakness instead of text. [chrisr3d]

  • [cpe-asset] updated. [Alexandre Dulaunoy]

  • [vulnerability] fixed. [Alexandre Dulaunoy]

  • [vulnerability] vulnerable_configuration are now cpe type. [Alexandre Dulaunoy]

  • [file] because sorted is always better. [Alexandre Dulaunoy]

  • [file] imphash and telfhash added. [Alexandre Dulaunoy]

  • [attribute type] new telfhash added. [Alexandre Dulaunoy]

  • [gitlab-user] because -r is important. [Alexandre Dulaunoy]

  • [type] new type added. [Alexandre Dulaunoy]

  • [doc] object lists updated. [Alexandre Dulaunoy]

  • Sort json. [Raphaël Vinot]

  • [github-user] reflect the API fields. [Alexandre Dulaunoy]

  • [keybase] be consistent with keybase API. [Alexandre Dulaunoy]

  • [keybase-account] at least username is required. [Alexandre Dulaunoy]

  • [twitter-account] incorrect description fixed. [Alexandre Dulaunoy]

  • [relationships] leaks, leaked-by d...