slight modification to lnk object for additional usecases

[mgreen27]

Im not sure the protocol but I changed the GUID on the object, happy to change back if the usual protocol is to keep it when updating an object.

Allowing multiple text fields allows for additional data such as base64 decoded cli and other summary data we use as needed.

Added a 2 more fields:
lnk-mft-object - LinkTargetIDList MFT entry. Name:MFTID|SeqID|<BTimestamp>
lnk-propertystore-sid - SID reference in ExtraData.PropertyStore

[adulau]

Thanks a lot for the proposal.

I'll update it a bit to keep the original UUID (keep UUID for object template). For the original data in Base64, should we have a new field ? is it something standard which could be reused by others ?

[mgreen27]

No worries - I ended up comiting the original UUID as I noticed the test failed.
We use the text attribute field for base64 and for an attribute summary so making it a multiple was the main use for us.
If you think a specific b64cli field is more valuable we can add that too, but im happy with just making the text field multi capable as that fits our needs.

[adulau]

All good. I merged it and made a quick fix to the JSON version. We can expand it later if we see more digital forensic analysts adding data to shared objects.

Thanks a lot for the contribution. If you see other object templates to updates, don't hesitate.

It will be by default in the next version of MISP.