
Releases: MISP/misp-objects

MISP objects 2.4.142 released (to be in line with the MISP core software release)

27 Apr 04:14
v2.4.142
e72cf95

v2.4.142 (2021-04-27)

New

  • [doc] gitchangelog.rc added. [Alexandre Dulaunoy]

  • [dkim] DomainKeys Identified Mail - DKIM object template. [Alexandre Dulaunoy]

  • [windows-service] windows-service object added. [Alexandre Dulaunoy]

  • [telegram-user] basic telegram user. [Alexandre Dulaunoy]

  • [jarm] new jarm object to describe TLS/SSL implementation matching a jarm fingerprint. [Alexandre Dulaunoy]

  • GH workflow. [Raphaël Vinot]

  • [sh] Added process state. [Steve Clement]

  • [cpe-asset] an asset as defined with a CPE value. [Alexandre Dulaunoy]

    This object was created to support the use-case of pisax.org for the
    following use-case:

    • They define well-known assets which are used by IXPs and GRXs via
      their CPEs;
    • The assets are defined in a set of fixed/master MISP events;
    • Those events are used to query NVD/CVE database via cve-search
      (https://github.com/cve-search/cve-search) using a PyMISP script
    • Then the CVEs matching the CPE are added in MISP and dispatched to the
      sharing community of users as specific MISP events.

  • [gitlab-user] GitLab user. Gitlab.com user or self-hosted GitLab instance object template. [Alexandre Dulaunoy]

  • [github-user] a GitHub user object template. [Alexandre Dulaunoy]

    Based on the information seen on the web interface.

  • Android-app object template. [Raphaël Vinot]

  • [dev] add Twitter objects: twitter-account, twitter-list, twitter-post. add YouTube objects: youtube-channel, youtube-comment, youtube-playlist, youtube-video. add object: image. [VVX7]

  • [dev] add Reddit objects: reddit-account, reddit-post, reddit-comment, reddit-subreddit. [VVX7]

  • [dev] add facebook-account. [VVX7]

  • [dev] add facebook-post object. [VVX7]

  • [dev] add facebook-page object. [VVX7]

  • [dev] add facebook-group object. [VVX7]

  • Preliminary version of git-vuln-finder object template. [Raphaël Vinot]

  • Objects and relations for FollowTheMoney. [Raphaël Vinot]

  • [publication] jq'd the object. [VVX7]

  • [publication] add object to describe academic journals, books, etc. [VVX7]

  • Category FollowTheMoney. [Raphaël Vinot]

    To represent objects described there:
    https://docs.alephdata.org/developers/FollowTheMoney

  • [object] add scheduled-event, add social-media-group. [VVX7]

  • [object] add narrative. [VVX7]

  • Add covid19 dxy live object. [Raphaël Vinot]

  • Health object meta type. [Raphaël Vinot]

  • [crypto-material] add generic-symmetric-key. [Raphaël Vinot]

  • CSSE COVID-19 Dataset - Daily report. [Raphaël Vinot]

    Source:
    https://github.com/CSSEGISandData/COVID-19/tree/master/csse_covid_19_data

  • [iot] a first version of the IoT object. [Alexandre Dulaunoy]

    Ref: based on the workshop discussion in https://github.com/C00kie-/workshop-materials

    The idea is to have this root object when a new IoT device is documented,
    and further objects will be connected to it, such as firmware or even a file object.

  • [objects] add instant-message object. add instant-message-group object. [VVX7]

  • [objects] news-agency, news-media. [VVX7]

  • TruStar report object. [Raphaël Vinot]

  • [attributes] chrome-extension-id added. [Alexandre Dulaunoy]

  • [objects] blog, forged-document, leaked-document, meme-image. [VVX7]

  • [attribute type] kusto-query attribute type. [Alexandre Dulaunoy]

    Kusto query is the query language for the Kusto services in Azure, used
    to search large datasets. It's used in Windows Defender ATP Hunting-Queries
    and also in Azure Sentinel (cloud-native SIEM).

  • IntelQM objects. [Raphaël Vinot]

  • [virustotal-graph] VirusTotal graph object added. [Alexandre Dulaunoy]

    Based on the discussion with VT, the virustotal-graph object has been added. It will
    be used with the expansion modules and also to trigger the specific
    quick-tab in MISP that displays the VT graph result in an iframe if this
    object is present.

  • Weakness & attack-pattern objects to describe CWE & CAPEC related to a CVE. [chrisr3d]

    • The attack-pattern object is using a new attribute type called weakness to describe
      the CWE id, which will link to its own information as described in https://cve.circl.lu

  • Add "includes" relationship. [Raphaël Vinot]

  • Objects for Scripps CO2. [Raphaël Vinot]

  • New object describing user accounts. [chrisr3d]

  • [imsi-catcher] object based on the output format of IMSI-catcher open source tools. [Alexandre Dulaunoy]

    The object has been created to show the flexibility of the object
    template during the PassTheSalt 2019 conference and the D4 presentation.

  • [shell-commands] Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands. [Alexandre Dulaunoy]

  • Add offset, virtual_address and virtual_size to the pe section object. [Raphaël Vinot]

    Related to MISP/PyMISP#388

  • Internal reference object. [Raphaël Vinot]

  • Add Alfred relationships (CCCS) [Raphaël Vinot]

  • New Object describing original files used to import data in MISP. [chrisr3d]

  • [tracking-id] Analytics and tracking ID such as used in Google Analytics or other analytic platform. [Alexandre Dulaunoy]

  • [short-message-service] Short Message Service (SMS) object template describing one or more SMS message added. [Alexandre Dulaunoy]

  • Threatgrid-report object template. [Raphaël Vinot]

  • Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object. [Alexandre Dulaunoy]

  • Add EML to the email template. [Raphaël Vinot]

  • Attach logfile to fail2ban. [Raphaël Vinot]

  • Fail2ban object. [Raphaël Vinot]

Changes

  • [doc] list of objects updated. [Alexandre Dulaunoy]

  • Make jq validation happy. [Raphaël Vinot]

  • Make jq validation happy. [Raphaël Vinot]

  • Add PR to GH actions. [Raphaël Vinot]

  • [report] add a report type. [Alexandre Dulaunoy]

  • [person] full-name attribute type added + expanding object person with full-name. [Alexandre Dulaunoy]

  • [schema] dkim and dkim signature added. [Alexandre Dulaunoy]

  • [network-element] jq. [Alexandre Dulaunoy]

  • [network-profile] AS updated. [Alexandre Dulaunoy]

  • [network-profile] add jarm-fingerprint. [Alexandre Dulaunoy]

  • [relationships] jq all the things. [Alexandre Dulaunoy]

  • Update json schema for relationships to include opposite key. [Théo BARRAGUÉ]

  • [report] make link or summary as non-required field. [Alexandre Dulaunoy]

  • [regexp] fixed. [Alexandre Dulaunoy]

  • [regexp] Farsight Compatible Regular Expressions (FCRE) added. [Alexandre Dulaunoy]

  • [splunk] object updated. [Alexandre Dulaunoy]

  • [report] add a link field to the report object template. [Alexandre Dulaunoy]

  • Disable correlation in VT objects. [Raphaël Vinot]

  • [relationships] updated. [Alexandre Dulaunoy]

  • [relationships] writes added. [Alexandre Dulaunoy]

  • [url] jq all the things. [Alexandre Dulaunoy]

  • Allow multiple IPs in URL object. [Raphaël Vinot]

  • [telegram-account] required attributes. [Terrtia]

  • [telegram-account] fixes. [Alexandre Dulaunoy]

  • Update objects to match lief output for authenticode. [Raphaël Vinot]

  • [jarm] jq all the things. [Alexandre Dulaunoy]

  • [jarm] jarm type is jarm-fingerprint. [Alexandre Dulaunoy]

  • [doc] fixed. [Alexandre Dulaunoy]

  • [trustar_report] Updated to add "THREAT_ACTOR" [Alexandre Dulaunoy]

    Fixing #273

  • [yara] disable correlations on some fields. [Alexandre Dulaunoy]

  • [crypto-material] add a public field for public cryptographic materials. [Alexandre Dulaunoy]

  • [favicon] jq all the things. [Alexandre Dulaunoy]

  • [favicon] A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular web site or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation. [Alexandre Dulaunoy]

  • [type] favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. [Alexandre Dulaunoy]

  • [doc] MISP objects list updated. [Alexandre Dulaunoy]

  • [twitter-post] jq. [Alexandre Dulaunoy]

  • [jq] all the things. [Alexandre Dulaunoy]

  • [doc] travis removed. [Alexandre Dulaunoy]

  • Can have multiple text attributes. [Beaujeant]

  • [domain-ip] hostname added as an attribute. [Alexandre Dulaunoy]

  • Add type in schema. [Raphaël Vinot]

  • [schema] process-state updated. [Alexandre Dulaunoy]

  • [jq] all the [things] [Alexandre Dulaunoy]

  • [json] sort. [Steve Clement]

  • [process] revert back to single char in light of the new process-attribute. [Steve Clement]

  • [process] Added sane defaults. [Steve Clement]

  • [process] Updated process object. [Steve Clement]

  • [types] jarm-fingerprint added. [Alexandre Dulaunoy]

  • Using the actual attribute type for cpe and weakness instead of text. [chrisr3d]

  • [cpe-asset] updated. [Alexandre Dulaunoy]

  • [vulnerability] fixed. [Alexandre Dulaunoy]

  • [vulnerability] vulnerable_configuration are now cpe type. [Alexandre Dulaunoy]

  • [file] because sorted is always better. [Alexandre Dulaunoy]

  • [file] imphash and telfhash added. [Alexandre Dulaunoy]

  • [attribute type] new telfhash added. [Alexandre Dulaunoy]

  • [gitlab-user] because -r is important. [Alexandre Dulaunoy]

  • [type] new type added. [Alexandre Dulaunoy]

  • [doc] object lists updated. [Alexandre Dulaunoy]

  • Sort json. [Raphaël Vinot]

  • [github-user] reflect the API fields. [Alexandre Dulaunoy]

  • [keybase] be consistent with keybase API. [Alexandre Dulaunoy]

  • [keybase-account] at least username is required. [Alexandre Dulaunoy]

  • [twitter-account] incorrect description fixed. [Alexandre Dulaunoy]

  • [relationships] leaks, leaked-by d...
