PyMISP/pymisp/data/describeTypes.json

1469 lines
34 KiB
JSON

{
"result": {
"categories": [
"Antivirus detection",
"Artifacts dropped",
"Attribution",
"External analysis",
"Financial fraud",
"Internal reference",
"Network activity",
"Other",
"Payload delivery",
"Payload installation",
"Payload type",
"Persistence mechanism",
"Person",
"Social network",
"Support Tool",
"Targeting data"
],
"category_type_mappings": {
"Antivirus detection": [
"anonymised",
"attachment",
"comment",
"hex",
"link",
"other",
"text"
],
"Artifacts dropped": [
"anonymised",
"attachment",
"authentihash",
"cdhash",
"comment",
"cookie",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha3-224",
"filename|sha3-256",
"filename|sha3-384",
"filename|sha3-512",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"filename|vhash",
"gene",
"hex",
"impfuzzy",
"imphash",
"kusto-query",
"malware-sample",
"md5",
"mime-type",
"mutex",
"named pipe",
"other",
"pattern-in-file",
"pattern-in-memory",
"pdb",
"pgp-private-key",
"pgp-public-key",
"process-state",
"regkey",
"regkey|value",
"sha1",
"sha224",
"sha256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"ssdeep",
"stix2-pattern",
"telfhash",
"text",
"vhash",
"windows-scheduled-task",
"windows-service-displayname",
"windows-service-name",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"yara"
],
"Attribution": [
"anonymised",
"campaign-id",
"campaign-name",
"comment",
"dns-soa-email",
"email",
"other",
"text",
"threat-actor",
"whois-creation-date",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrant-org",
"whois-registrant-phone",
"whois-registrar",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256"
],
"External analysis": [
"AS",
"anonymised",
"attachment",
"bro",
"comment",
"community-id",
"cortex",
"cpe",
"domain",
"domain|ip",
"filename",
"filename-pattern",
"filename|md5",
"filename|sha1",
"filename|sha256",
"filename|sha3-224",
"filename|sha3-256",
"filename|sha3-384",
"filename|sha3-512",
"github-repository",
"hassh-md5",
"hasshserver-md5",
"hostname",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"ja3-fingerprint-md5",
"jarm-fingerprint",
"link",
"mac-address",
"mac-eui-64",
"malware-sample",
"md5",
"other",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
"regkey",
"regkey|value",
"sha1",
"sha256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"snort",
"text",
"url",
"user-agent",
"vulnerability",
"weakness",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"zeek"
],
"Financial fraud": [
"aba-rtn",
"anonymised",
"bank-account-nr",
"bic",
"bin",
"btc",
"cc-number",
"comment",
"dash",
"hex",
"iban",
"other",
"phone-number",
"prtn",
"text",
"xmr"
],
"Internal reference": [
"anonymised",
"comment",
"git-commit-id",
"hex",
"link",
"other",
"text"
],
"Network activity": [
"AS",
"anonymised",
"attachment",
"bro",
"comment",
"community-id",
"cookie",
"dkim",
"dkim-signature",
"domain",
"domain|ip",
"email",
"email-dst",
"email-src",
"email-subject",
"eppn",
"favicon-mmh3",
"filename-pattern",
"hassh-md5",
"hasshserver-md5",
"hex",
"hostname",
"hostname|port",
"http-method",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"ja3-fingerprint-md5",
"jarm-fingerprint",
"mac-address",
"mac-eui-64",
"other",
"pattern-in-file",
"pattern-in-traffic",
"port",
"snort",
"ssh-fingerprint",
"stix2-pattern",
"text",
"uri",
"url",
"user-agent",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"zeek"
],
"Other": [
"anonymised",
"boolean",
"comment",
"counter",
"cpe",
"datetime",
"float",
"hex",
"other",
"pgp-private-key",
"pgp-public-key",
"phone-number",
"port",
"size-in-bytes",
"text"
],
"Payload delivery": [
"AS",
"anonymised",
"attachment",
"authentihash",
"cdhash",
"chrome-extension-id",
"comment",
"cpe",
"domain",
"email",
"email-attachment",
"email-body",
"email-dst",
"email-dst-display-name",
"email-header",
"email-message-id",
"email-mime-boundary",
"email-reply-to",
"email-src",
"email-src-display-name",
"email-subject",
"email-thread-index",
"email-x-mailer",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha3-224",
"filename|sha3-256",
"filename|sha3-384",
"filename|sha3-512",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"filename|vhash",
"hassh-md5",
"hasshserver-md5",
"hex",
"hostname",
"hostname|port",
"impfuzzy",
"imphash",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"ja3-fingerprint-md5",
"jarm-fingerprint",
"link",
"mac-address",
"mac-eui-64",
"malware-sample",
"malware-type",
"md5",
"mime-type",
"mobile-application-id",
"other",
"pattern-in-file",
"pattern-in-traffic",
"pehash",
"sha1",
"sha224",
"sha256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"ssdeep",
"stix2-pattern",
"telfhash",
"text",
"tlsh",
"url",
"user-agent",
"vhash",
"vulnerability",
"weakness",
"whois-registrant-email",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"yara"
],
"Payload installation": [
"anonymised",
"attachment",
"authentihash",
"cdhash",
"chrome-extension-id",
"comment",
"cpe",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha3-224",
"filename|sha3-256",
"filename|sha3-384",
"filename|sha3-512",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"filename|vhash",
"hex",
"impfuzzy",
"imphash",
"malware-sample",
"malware-type",
"md5",
"mime-type",
"mobile-application-id",
"other",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
"pehash",
"sha1",
"sha224",
"sha256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"ssdeep",
"stix2-pattern",
"telfhash",
"text",
"tlsh",
"vhash",
"vulnerability",
"weakness",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"yara"
],
"Payload type": [
"anonymised",
"comment",
"other",
"text"
],
"Persistence mechanism": [
"anonymised",
"comment",
"filename",
"hex",
"other",
"regkey",
"regkey|value",
"text"
],
"Person": [
"anonymised",
"comment",
"country-of-residence",
"date-of-birth",
"email",
"first-name",
"frequent-flyer-number",
"full-name",
"gender",
"identity-card-number",
"issue-date-of-the-visa",
"last-name",
"middle-name",
"nationality",
"other",
"passenger-name-record-locator-number",
"passport-country",
"passport-expiration",
"passport-number",
"payment-details",
"pgp-private-key",
"pgp-public-key",
"phone-number",
"place-of-birth",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"place-port-of-original-embarkation",
"primary-residence",
"redress-number",
"special-service-request",
"text",
"travel-details",
"visa-number"
],
"Social network": [
"anonymised",
"comment",
"email",
"email-dst",
"email-src",
"eppn",
"github-organisation",
"github-repository",
"github-username",
"jabber-id",
"other",
"pgp-private-key",
"pgp-public-key",
"text",
"twitter-id",
"whois-registrant-email"
],
"Support Tool": [
"anonymised",
"attachment",
"comment",
"hex",
"link",
"other",
"text"
],
"Targeting data": [
"anonymised",
"comment",
"target-email",
"target-external",
"target-location",
"target-machine",
"target-org",
"target-user"
]
},
"sane_defaults": {
"AS": {
"default_category": "Network activity",
"to_ids": 0
},
"aba-rtn": {
"default_category": "Financial fraud",
"to_ids": 1
},
"anonymised": {
"default_category": "Other",
"to_ids": 0
},
"attachment": {
"default_category": "External analysis",
"to_ids": 0
},
"authentihash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"bank-account-nr": {
"default_category": "Financial fraud",
"to_ids": 1
},
"bic": {
"default_category": "Financial fraud",
"to_ids": 1
},
"bin": {
"default_category": "Financial fraud",
"to_ids": 1
},
"boolean": {
"default_category": "Other",
"to_ids": 0
},
"bro": {
"default_category": "Network activity",
"to_ids": 1
},
"btc": {
"default_category": "Financial fraud",
"to_ids": 1
},
"campaign-id": {
"default_category": "Attribution",
"to_ids": 0
},
"campaign-name": {
"default_category": "Attribution",
"to_ids": 0
},
"cc-number": {
"default_category": "Financial fraud",
"to_ids": 1
},
"cdhash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"chrome-extension-id": {
"default_category": "Payload delivery",
"to_ids": 1
},
"comment": {
"default_category": "Other",
"to_ids": 0
},
"community-id": {
"default_category": "Network activity",
"to_ids": 1
},
"cookie": {
"default_category": "Network activity",
"to_ids": 0
},
"cortex": {
"default_category": "External analysis",
"to_ids": 0
},
"counter": {
"default_category": "Other",
"to_ids": 0
},
"country-of-residence": {
"default_category": "Person",
"to_ids": 0
},
"cpe": {
"default_category": "External analysis",
"to_ids": 0
},
"dash": {
"default_category": "Financial fraud",
"to_ids": 1
},
"date-of-birth": {
"default_category": "Person",
"to_ids": 0
},
"datetime": {
"default_category": "Other",
"to_ids": 0
},
"dkim": {
"default_category": "Network activity",
"to_ids": 0
},
"dkim-signature": {
"default_category": "Network activity",
"to_ids": 0
},
"dns-soa-email": {
"default_category": "Attribution",
"to_ids": 0
},
"domain": {
"default_category": "Network activity",
"to_ids": 1
},
"domain|ip": {
"default_category": "Network activity",
"to_ids": 1
},
"email": {
"default_category": "Social network",
"to_ids": 1
},
"email-attachment": {
"default_category": "Payload delivery",
"to_ids": 1
},
"email-body": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-dst": {
"default_category": "Network activity",
"to_ids": 1
},
"email-dst-display-name": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-header": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-message-id": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-mime-boundary": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-reply-to": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-src": {
"default_category": "Payload delivery",
"to_ids": 1
},
"email-src-display-name": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-subject": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-thread-index": {
"default_category": "Payload delivery",
"to_ids": 0
},
"email-x-mailer": {
"default_category": "Payload delivery",
"to_ids": 0
},
"eppn": {
"default_category": "Network activity",
"to_ids": 1
},
"favicon-mmh3": {
"default_category": "Network activity",
"to_ids": 1
},
"filename": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename-pattern": {
"default_category": "Payload installation",
"to_ids": 1
},
"filename|authentihash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|impfuzzy": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|imphash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|md5": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|pehash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha1": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha3-224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha3-256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha3-384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha3-512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512/224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|sha512/256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|ssdeep": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|tlsh": {
"default_category": "Payload delivery",
"to_ids": 1
},
"filename|vhash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"first-name": {
"default_category": "Person",
"to_ids": 0
},
"float": {
"default_category": "Other",
"to_ids": 0
},
"frequent-flyer-number": {
"default_category": "Person",
"to_ids": 0
},
"full-name": {
"default_category": "Person",
"to_ids": 0
},
"gender": {
"default_category": "Person",
"to_ids": 0
},
"gene": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"git-commit-id": {
"default_category": "Internal reference",
"to_ids": 0
},
"github-organisation": {
"default_category": "Social network",
"to_ids": 0
},
"github-repository": {
"default_category": "Social network",
"to_ids": 0
},
"github-username": {
"default_category": "Social network",
"to_ids": 0
},
"hassh-md5": {
"default_category": "Network activity",
"to_ids": 1
},
"hasshserver-md5": {
"default_category": "Network activity",
"to_ids": 1
},
"hex": {
"default_category": "Other",
"to_ids": 0
},
"hostname": {
"default_category": "Network activity",
"to_ids": 1
},
"hostname|port": {
"default_category": "Network activity",
"to_ids": 1
},
"http-method": {
"default_category": "Network activity",
"to_ids": 0
},
"iban": {
"default_category": "Financial fraud",
"to_ids": 1
},
"identity-card-number": {
"default_category": "Person",
"to_ids": 0
},
"impfuzzy": {
"default_category": "Payload delivery",
"to_ids": 1
},
"imphash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"ip-dst": {
"default_category": "Network activity",
"to_ids": 1
},
"ip-dst|port": {
"default_category": "Network activity",
"to_ids": 1
},
"ip-src": {
"default_category": "Network activity",
"to_ids": 1
},
"ip-src|port": {
"default_category": "Network activity",
"to_ids": 1
},
"issue-date-of-the-visa": {
"default_category": "Person",
"to_ids": 0
},
"ja3-fingerprint-md5": {
"default_category": "Network activity",
"to_ids": 1
},
"jabber-id": {
"default_category": "Social network",
"to_ids": 0
},
"jarm-fingerprint": {
"default_category": "Network activity",
"to_ids": 1
},
"kusto-query": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"last-name": {
"default_category": "Person",
"to_ids": 0
},
"link": {
"default_category": "External analysis",
"to_ids": 0
},
"mac-address": {
"default_category": "Network activity",
"to_ids": 0
},
"mac-eui-64": {
"default_category": "Network activity",
"to_ids": 0
},
"malware-sample": {
"default_category": "Payload delivery",
"to_ids": 1
},
"malware-type": {
"default_category": "Payload delivery",
"to_ids": 0
},
"md5": {
"default_category": "Payload delivery",
"to_ids": 1
},
"middle-name": {
"default_category": "Person",
"to_ids": 0
},
"mime-type": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"mobile-application-id": {
"default_category": "Payload delivery",
"to_ids": 1
},
"mutex": {
"default_category": "Artifacts dropped",
"to_ids": 1
},
"named pipe": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"nationality": {
"default_category": "Person",
"to_ids": 0
},
"other": {
"default_category": "Other",
"to_ids": 0
},
"passenger-name-record-locator-number": {
"default_category": "Person",
"to_ids": 0
},
"passport-country": {
"default_category": "Person",
"to_ids": 0
},
"passport-expiration": {
"default_category": "Person",
"to_ids": 0
},
"passport-number": {
"default_category": "Person",
"to_ids": 0
},
"pattern-in-file": {
"default_category": "Payload installation",
"to_ids": 1
},
"pattern-in-memory": {
"default_category": "Payload installation",
"to_ids": 1
},
"pattern-in-traffic": {
"default_category": "Network activity",
"to_ids": 1
},
"payment-details": {
"default_category": "Person",
"to_ids": 0
},
"pdb": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"pehash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"pgp-private-key": {
"default_category": "Person",
"to_ids": 0
},
"pgp-public-key": {
"default_category": "Person",
"to_ids": 0
},
"phone-number": {
"default_category": "Person",
"to_ids": 0
},
"place-of-birth": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-clearance": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-onward-foreign-destination": {
"default_category": "Person",
"to_ids": 0
},
"place-port-of-original-embarkation": {
"default_category": "Person",
"to_ids": 0
},
"port": {
"default_category": "Network activity",
"to_ids": 0
},
"primary-residence": {
"default_category": "Person",
"to_ids": 0
},
"process-state": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"prtn": {
"default_category": "Financial fraud",
"to_ids": 1
},
"redress-number": {
"default_category": "Person",
"to_ids": 0
},
"regkey": {
"default_category": "Persistence mechanism",
"to_ids": 1
},
"regkey|value": {
"default_category": "Persistence mechanism",
"to_ids": 1
},
"sha1": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha3-224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha3-256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha3-384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha3-512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha384": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512/224": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sha512/256": {
"default_category": "Payload delivery",
"to_ids": 1
},
"sigma": {
"default_category": "Payload installation",
"to_ids": 1
},
"size-in-bytes": {
"default_category": "Other",
"to_ids": 0
},
"snort": {
"default_category": "Network activity",
"to_ids": 1
},
"special-service-request": {
"default_category": "Person",
"to_ids": 0
},
"ssdeep": {
"default_category": "Payload delivery",
"to_ids": 1
},
"ssh-fingerprint": {
"default_category": "Network activity",
"to_ids": 0
},
"stix2-pattern": {
"default_category": "Payload installation",
"to_ids": 1
},
"target-email": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-external": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-location": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-machine": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-org": {
"default_category": "Targeting data",
"to_ids": 0
},
"target-user": {
"default_category": "Targeting data",
"to_ids": 0
},
"telfhash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"text": {
"default_category": "Other",
"to_ids": 0
},
"threat-actor": {
"default_category": "Attribution",
"to_ids": 0
},
"tlsh": {
"default_category": "Payload delivery",
"to_ids": 1
},
"travel-details": {
"default_category": "Person",
"to_ids": 0
},
"twitter-id": {
"default_category": "Social network",
"to_ids": 0
},
"uri": {
"default_category": "Network activity",
"to_ids": 1
},
"url": {
"default_category": "Network activity",
"to_ids": 1
},
"user-agent": {
"default_category": "Network activity",
"to_ids": 0
},
"vhash": {
"default_category": "Payload delivery",
"to_ids": 1
},
"visa-number": {
"default_category": "Person",
"to_ids": 0
},
"vulnerability": {
"default_category": "External analysis",
"to_ids": 0
},
"weakness": {
"default_category": "External analysis",
"to_ids": 0
},
"whois-creation-date": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-email": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-name": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-org": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrant-phone": {
"default_category": "Attribution",
"to_ids": 0
},
"whois-registrar": {
"default_category": "Attribution",
"to_ids": 0
},
"windows-scheduled-task": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"windows-service-displayname": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"windows-service-name": {
"default_category": "Artifacts dropped",
"to_ids": 0
},
"x509-fingerprint-md5": {
"default_category": "Network activity",
"to_ids": 1
},
"x509-fingerprint-sha1": {
"default_category": "Network activity",
"to_ids": 1
},
"x509-fingerprint-sha256": {
"default_category": "Network activity",
"to_ids": 1
},
"xmr": {
"default_category": "Financial fraud",
"to_ids": 1
},
"yara": {
"default_category": "Payload installation",
"to_ids": 1
},
"zeek": {
"default_category": "Network activity",
"to_ids": 1
}
},
"types": [
"AS",
"aba-rtn",
"anonymised",
"attachment",
"authentihash",
"bank-account-nr",
"bic",
"bin",
"boolean",
"bro",
"btc",
"campaign-id",
"campaign-name",
"cc-number",
"cdhash",
"chrome-extension-id",
"comment",
"community-id",
"cookie",
"cortex",
"counter",
"country-of-residence",
"cpe",
"dash",
"date-of-birth",
"datetime",
"dkim",
"dkim-signature",
"dns-soa-email",
"domain",
"domain|ip",
"email",
"email-attachment",
"email-body",
"email-dst",
"email-dst-display-name",
"email-header",
"email-message-id",
"email-mime-boundary",
"email-reply-to",
"email-src",
"email-src-display-name",
"email-subject",
"email-thread-index",
"email-x-mailer",
"eppn",
"favicon-mmh3",
"filename",
"filename-pattern",
"filename|authentihash",
"filename|impfuzzy",
"filename|imphash",
"filename|md5",
"filename|pehash",
"filename|sha1",
"filename|sha224",
"filename|sha256",
"filename|sha3-224",
"filename|sha3-256",
"filename|sha3-384",
"filename|sha3-512",
"filename|sha384",
"filename|sha512",
"filename|sha512/224",
"filename|sha512/256",
"filename|ssdeep",
"filename|tlsh",
"filename|vhash",
"first-name",
"float",
"frequent-flyer-number",
"full-name",
"gender",
"gene",
"git-commit-id",
"github-organisation",
"github-repository",
"github-username",
"hassh-md5",
"hasshserver-md5",
"hex",
"hostname",
"hostname|port",
"http-method",
"iban",
"identity-card-number",
"impfuzzy",
"imphash",
"ip-dst",
"ip-dst|port",
"ip-src",
"ip-src|port",
"issue-date-of-the-visa",
"ja3-fingerprint-md5",
"jabber-id",
"jarm-fingerprint",
"kusto-query",
"last-name",
"link",
"mac-address",
"mac-eui-64",
"malware-sample",
"malware-type",
"md5",
"middle-name",
"mime-type",
"mobile-application-id",
"mutex",
"named pipe",
"nationality",
"other",
"passenger-name-record-locator-number",
"passport-country",
"passport-expiration",
"passport-number",
"pattern-in-file",
"pattern-in-memory",
"pattern-in-traffic",
"payment-details",
"pdb",
"pehash",
"pgp-private-key",
"pgp-public-key",
"phone-number",
"place-of-birth",
"place-port-of-clearance",
"place-port-of-onward-foreign-destination",
"place-port-of-original-embarkation",
"port",
"primary-residence",
"process-state",
"prtn",
"redress-number",
"regkey",
"regkey|value",
"sha1",
"sha224",
"sha256",
"sha3-224",
"sha3-256",
"sha3-384",
"sha3-512",
"sha384",
"sha512",
"sha512/224",
"sha512/256",
"sigma",
"size-in-bytes",
"snort",
"special-service-request",
"ssdeep",
"ssh-fingerprint",
"stix2-pattern",
"target-email",
"target-external",
"target-location",
"target-machine",
"target-org",
"target-user",
"telfhash",
"text",
"threat-actor",
"tlsh",
"travel-details",
"twitter-id",
"uri",
"url",
"user-agent",
"vhash",
"visa-number",
"vulnerability",
"weakness",
"whois-creation-date",
"whois-registrant-email",
"whois-registrant-name",
"whois-registrant-org",
"whois-registrant-phone",
"whois-registrar",
"windows-scheduled-task",
"windows-service-displayname",
"windows-service-name",
"x509-fingerprint-md5",
"x509-fingerprint-sha1",
"x509-fingerprint-sha256",
"xmr",
"yara",
"zeek"
]
}
}