Network Working Group A. Dulaunoy
Internet-Draft A. Iklody
Intended status: Informational CIRCL
Expires: 19 August 2022 15 February 2022
MISP object template format
draft-00
Abstract
This document describes the MISP object template format, a simple
JSON format used to represent the templates from which MISP objects
are constructed. A public directory of common MISP object templates
[MISP-O] is available and relies on the MISP object reference
format.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 19 August 2022.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Dulaunoy & Iklody Expires 19 August 2022 [Page 1]
Internet-Draft MISP object template format February 2022
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2
2. Format . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Overview . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1.1. Object Template . . . . . . . . . . . . . . . . . . . 3
2.1.2. attributes . . . . . . . . . . . . . . . . . . . . . 4
2.1.3. Sample Object Template object . . . . . . . . . . . . 6
2.1.4. Object Relationships . . . . . . . . . . . . . . . . 9
3. Directory . . . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1. Existing and public MISP object templates . . . . . . . . 10
4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31
5. Normative References . . . . . . . . . . . . . . . . . . . . 31
6. Informative References . . . . . . . . . . . . . . . . . . . 32
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
1. Introduction
Due to the increased maturity of threat information sharing, the need
arose for more complex and exhaustive data-points to be shared across
the various sharing communities. MISP's information sharing in
general relied on a flat structure of attributes contained within an
event, where attributes served as atomic secluded data-points with
some commonalities as defined by the encapsulating event. However,
this flat structure restricted the use of more diverse and complex
data-points described by a list of atomic values, a problem solved by
the MISP object structure.
MISP objects combine a list of attributes to represent a singular
object with various facets. In order to bootstrap the object
creation process and to maintain uniformity among objects describing
similar data-points, the MISP object template format serves as a
reusable and share-able blueprint format.
MISP object templates also include a vocabulary to describe the
various inter object and object to attribute relationships and are
leveraged by MISP object references.
1.1. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
2. Format
MISP object templates are composed of the MISP object template (MUST)
structure itself and a list of MISP object template elements (SHOULD)
describing the list of possible attributes belonging to the resulting
object, along with their context and settings.
MISP object templates themselves consist of a name (MUST), a meta-
category (MUST) and a description (SHOULD). They are identified by a
uuid (MUST) and a version (MUST), which are preserved across any
update or transfer of the same object template. UUID version 4 is
RECOMMENDED when assigning it to a new object template. The list of
requirements that apply to the contained MISP object template
elements is defined in the requirements field (OPTIONAL).
MISP object template elements consist of an object_relation (MUST), a
type (MUST), an object_template_id (SHOULD), a ui_priority (SHOULD),
a list of categories (MAY), a list of sane_default values (MAY) or a
values_list (MAY).
2.1. Overview
The MISP object template format uses the JSON [RFC8259] format. Each
template is represented as a JSON object with meta information
including the following fields: uuid, requiredOneOf, description,
version, meta-category, name.
2.1.1. Object Template
2.1.1.1. uuid
uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of
the object template. The uuid MUST be preserved to keep the
templates consistent across instances. UUID version 4 is
RECOMMENDED when assigning it to a new object template.
uuid is represented as a JSON string. uuid MUST be present.
2.1.1.2. requiredOneOf
requiredOneOf is represented as a JSON list and contains a list of
attribute relationships of which one must be present in the object to
be created based on the given template. The requiredOneOf field MAY
be present.
2.1.1.3. required
required is represented as a JSON list and contains a list of
attribute relationships of which all must be present in the object to
be created based on the given template. The required field MAY be
present.
2.1.1.4. description
description is represented as a JSON string and contains the assigned
meaning given to objects created using this template. The
description field MUST be present.
2.1.1.5. version
version represents a numeric incrementing version of the object
template. It is used to associate the object to the correct version
of the template and together with the uuid field forms an association
to the correct template type and version.
version is represented as a JSON string. version MUST be present.
2.1.1.6. meta-category
meta-category represents the sub-category of objects that the given
object template belongs to. meta-categories are not tied to a fixed
list of options but can be created on the fly.
meta-category is represented as a JSON string. meta-category MUST be
present.
2.1.1.7. name
name represents the human-readable name of the objects created using
the given template, describing the intent of the object package.
name is represented as a JSON string. name MUST be present.
2.1.2. attributes
attributes is represented as a JSON list and contains the template
elements from which the individual attributes of an object created
with the given template are built.
attributes MUST be present.
2.1.2.1. description
description is represented as a JSON string and contains the
description of the given attribute in the context of the object with
the given relationship. The description field MUST be present.
2.1.2.2. ui-priority
ui-priority is represented by a numeric value in JSON string format
and provides the display priority of the given element in the
object template visualisation. The ui-priority MAY be present.
2.1.2.3. misp-attribute
misp-attribute is represented by a JSON string or a JSON object with
a list of values. The value(s) are taken from the pool of types
defined by the type list of the Attribute object in the MISP core
format. The element can additionally carry a list of suggested value
alternatives encapsulated in a sane_default key, or a list of
enforced value alternatives encapsulated in a values_list key.
The misp-attribute field MUST be present.
2.1.2.4. disable_correlation
disable_correlation is represented by a JSON boolean. The
disable_correlation field flags the attribute(s) created by the given
object template element to be marked as non correlating.
The disable_correlation field MAY be present.
2.1.2.5. categories
categories is represented by a JSON list containing one or several
valid options from the list of verbs valid for the category field in
the Attribute object within the MISP core format.
The categories field MAY be present.
2.1.2.6. multiple
multiple is represented by a JSON boolean value. It marks the MISP
object template element as a multiple input field, allowing for
several attributes to be created by the element within the same
object.
The multiple field MAY be present.
2.1.2.7. sane_default
sane_default is represented by a JSON list containing one or several
recommended/sane values for an attribute. sane_default is mutually
exclusive with values_list.
The sane_default field MAY be present.
2.1.2.8. values_list
values_list is represented by a JSON list containing one or several
fixed values for an attribute. values_list is mutually exclusive
with sane_default.
The values_list field MAY be present.
2.1.3. Sample Object Template object
The MISP object template directory is publicly available [MISP-O] in
a git repository and contains more than 60 object templates. As an
illustration, two sample object templates are included.
2.1.3.1. credit-card object template
{
  "requiredOneOf": [
    "cc-number"
  ],
  "attributes": {
    "version": {
      "description": "Version of the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "comment": {
      "description": "A description of the card.",
      "ui-priority": 0,
      "misp-attribute": "comment"
    },
    "card-security-code": {
      "description": "Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "name": {
      "description": "Name of the card owner.",
      "ui-priority": 0,
      "misp-attribute": "text"
    },
    "issued": {
      "description": "Initial date of validity or issued date.",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "expiration": {
      "description": "Maximum date of validity",
      "ui-priority": 0,
      "misp-attribute": "datetime"
    },
    "cc-number": {
      "description": "credit-card number as encoded on the card.",
      "ui-priority": 0,
      "misp-attribute": "cc-number"
    }
  },
  "version": 2,
  "description": "A payment card like credit card, debit card or any similar cards which can be used for financial transactions.",
  "meta-category": "financial",
  "uuid": "2b9c57aa-daba-4330-a738-56f18743b0c7",
  "name": "credit-card"
}
2.1.3.2. credential object template
{
  "requiredOneOf": [
    "password"
  ],
  "attributes": {
    "text": {
      "description": "A description of the credential(s)",
      "disable_correlation": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "username": {
      "description": "Username related to the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "password": {
      "description": "Password",
      "multiple": true,
      "ui-priority": 1,
      "misp-attribute": "text"
    },
    "type": {
      "description": "Type of password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [
        "password",
        "api-key",
        "encryption-key",
        "unknown"
      ]
    },
    "origin": {
      "description": "Origin of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "sane_default": [
        "bruteforce-scanning",
        "malware-analysis",
        "memory-analysis",
        "network-analysis",
        "leak",
        "unknown"
      ]
    },
    "format": {
      "description": "Format of the password(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "values_list": [
        "clear-text",
        "hashed",
        "encrypted",
        "unknown"
      ]
    },
    "notification": {
      "description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
      "ui-priority": 1,
      "misp-attribute": "text",
      "multiple": true,
      "values_list": [
        "victim-notified",
        "service-notified",
        "none"
      ]
    }
  },
  "version": 2,
  "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
  "meta-category": "misc",
  "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
  "name": "credential"
}
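The rules of sections 2.1.1 and 2.1.2 (MUST fields, a valid uuid, sane_default and values_list being mutually exclusive, requiredOneOf naming existing relations) and the way a template constrains an object (required, requiredOneOf, values_list enforced while sane_default is only a suggestion, multiple) can be checked mechanically. The following Python program is an added example written for this document; it is not code from the draft, from the misp-objects repository or from PyMISP. It embeds the credential template from section 2.1.3.2 and follows the layout of the sample templates (attributes keyed by object_relation). The function names check_template, validate_object and demo, and the {relation: [values]} shape of the candidate object, are assumptions of this example, not a MISP API or wire format; the sample objects are constructed.

```python
"""Validate MISP object templates and objects built from them.

Added example, not part of the draft or of the MISP project. Follows the
field layout of the sample templates in section 2.1.3 (attributes keyed by
object_relation); the candidate object format {relation: [values]} is an
assumption of this example, not a MISP wire format.
"""
import json
import uuid

TEMPLATE_MUST = ("uuid", "name", "description", "version", "meta-category", "attributes")
ELEMENT_MUST = ("description", "misp-attribute")

# Copied from section 2.1.3.2 of the draft, compacted onto fewer lines.
CREDENTIAL_TEMPLATE_JSON = r'''{
  "requiredOneOf": ["password"],
  "attributes": {
    "text": {"description": "A description of the credential(s)", "disable_correlation": true,
             "ui-priority": 1, "misp-attribute": "text"},
    "username": {"description": "Username related to the password(s)", "ui-priority": 1, "misp-attribute": "text"},
    "password": {"description": "Password", "multiple": true, "ui-priority": 1, "misp-attribute": "text"},
    "type": {"description": "Type of password(s)", "ui-priority": 1, "misp-attribute": "text",
             "values_list": ["password", "api-key", "encryption-key", "unknown"]},
    "origin": {"description": "Origin of the credential(s)", "ui-priority": 1, "misp-attribute": "text",
               "sane_default": ["bruteforce-scanning", "malware-analysis", "memory-analysis",
                                "network-analysis", "leak", "unknown"]},
    "format": {"description": "Format of the password(s)", "ui-priority": 1, "misp-attribute": "text",
               "values_list": ["clear-text", "hashed", "encrypted", "unknown"]},
    "notification": {"description": "Mention of any notification(s) towards the potential owner(s) of the credential(s)",
                     "ui-priority": 1, "misp-attribute": "text", "multiple": true,
                     "values_list": ["victim-notified", "service-notified", "none"]}
  },
  "version": 2,
  "description": "Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).",
  "meta-category": "misc",
  "uuid": "a27e98c9-9b0e-414c-8076-d201e039ca09",
  "name": "credential"
}'''


def check_template(template):
    """Return the list of rule violations in a template (empty list = well formed)."""
    problems = [f"missing MUST field {f!r}" for f in TEMPLATE_MUST if f not in template]
    if "uuid" in template:
        try:
            uuid.UUID(str(template["uuid"]))  # RFC 4122 syntax; version 4 is only RECOMMENDED
        except ValueError:
            problems.append("uuid is not a valid UUID")
    attributes = template.get("attributes", {})
    if not isinstance(attributes, dict):
        return problems + ["attributes must be a JSON object keyed by object_relation"]
    for relation, element in attributes.items():
        problems += [f"{relation}: missing MUST field {f!r}" for f in ELEMENT_MUST if f not in element]
        if "sane_default" in element and "values_list" in element:
            problems.append(f"{relation}: sane_default and values_list are mutually exclusive")
        for flag in ("multiple", "disable_correlation"):
            if flag in element and not isinstance(element[flag], bool):
                problems.append(f"{relation}: {flag} must be a JSON boolean")
    # required / requiredOneOf may only name relations the template defines.
    for key in ("required", "requiredOneOf"):
        problems += [f"{key} names unknown relation {r!r}" for r in template.get(key, []) if r not in attributes]
    return problems


def validate_object(template, obj):
    """Check a candidate object {relation: [values]} against a template."""
    problems = []
    attributes = template["attributes"]
    for relation, values in obj.items():
        element = attributes.get(relation)
        if element is None:
            problems.append(f"unknown object_relation {relation!r}")
            continue
        if len(values) > 1 and not element.get("multiple", False):
            problems.append(f"{relation}: several values but element is not 'multiple'")
        allowed = element.get("values_list")  # enforced; sane_default is only a suggestion
        problems += [f"{relation}: {v!r} not in values_list {allowed}"
                     for v in values if allowed is not None and v not in allowed]
    problems += [f"required relation {r!r} is missing" for r in template.get("required", []) if not obj.get(r)]
    one_of = template.get("requiredOneOf", [])
    if one_of and not any(obj.get(r) for r in one_of):
        problems.append(f"none of requiredOneOf {one_of} is present")
    return problems


def demo():
    """Run the checks on the credential template and two constructed objects."""
    template = json.loads(CREDENTIAL_TEMPLATE_JSON)
    # Constructed sample objects, not real credentials.
    good = {"username": ["analyst-sample"], "password": ["sample-one", "sample-two"],
            "format": ["clear-text"], "origin": ["custom-source"]}
    bad = {"username": ["sample"], "type": ["ssh-key", "password"], "format": ["plain"]}
    return check_template(template), validate_object(template, good), validate_object(template, bad)


if __name__ == "__main__":
    for label, result in zip(("template", "good object", "bad object"), demo()):
        print(label, "->", result or "OK")
```

The good object passes because password is marked multiple, clear-text is in the enforced values_list of format, and origin only carries a sane_default, so an unlisted origin is accepted. The bad object is rejected on four counts: two values for the non-multiple type element, ssh-key outside type's values_list, plain outside format's values_list, and no password although requiredOneOf demands one. Since templates are shared across instances and identified only by their uuid and version, running check_template on a definition.json before loading it is a cheap way to keep a malformed or tampered template from silently producing objects that other instances will not accept.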
2.1.4. Object Relationships
2.1.4.1. name
name represents the human-readable relationship type which can be
used when creating MISP object relations.
name is represented as a JSON string. name MUST be present.
2.1.4.2. description
description is represented as a JSON string and contains the
description of the object relationship type. The description field
MUST be present.
2.1.4.3. format
format is represented by a JSON list containing a list of formats
that the relationship type is valid for and can be mapped to. The
format field MUST be present.
3. Directory
The MISP object template directory is publicly available [MISP-O] in
a git repository. The repository contains an objects directory,
which contains a directory per object type, containing a file named
definition.json which contains the definition of the object template
in the above described format.
A relationships directory is also included, containing a
definition.json file which contains a list of MISP object relation
definitions. More than 125 existing object templates are documented
in [MISP-O-DOC].
3.1. Existing and public MISP object templates
* objects/ail-leak (https://github.com/MISP/misp-
objects/blob/main/objects/ail-leak/definition.json) - An
information leak as defined by the AIL Analysis Information Leak
framework.
* objects/ais-info (https://github.com/MISP/misp-
objects/blob/main/objects/ais-info/definition.json) - Automated
Indicator Sharing (AIS) Information Source Markings.
* objects/android-app (https://github.com/MISP/misp-
objects/blob/main/objects/android-app/definition.json) -
Indicators related to an Android app.
* objects/android-permission (https://github.com/MISP/misp-
objects/blob/main/objects/android-permission/definition.json) - A
set of android permissions - one or more permission(s) which can
be linked to other objects (e.g. malware, app).
* objects/annotation (https://github.com/MISP/misp-
objects/blob/main/objects/annotation/definition.json) - An
annotation object allowing analysts to add annotations, comments,
executive summary to a MISP event, objects or attributes.
* objects/anonymisation (https://github.com/MISP/misp-
objects/blob/main/objects/anonymisation/definition.json) -
Anonymisation object describing an anonymisation technique used to
encode MISP attribute values. Reference:
https://www.caida.org/tools/taxonomy/anonymization.xml
(https://www.caida.org/tools/taxonomy/anonymization.xml).
* objects/apivoid-email-verification (https://github.com/MISP/misp-
objects/blob/main/objects/apivoid-email-verification/
definition.json) - Apivoid email verification API result.
Reference: https://www.apivoid.com/api/email-verify/
(https://www.apivoid.com/api/email-verify/).
* objects/artifact (https://github.com/MISP/misp-
objects/blob/main/objects/artifact/definition.json) - The Artifact
object permits capturing an array of bytes (8-bits), as a
base64-encoded string, or linking to a file-like payload. from
STIX 2.1 (6.1).
* objects/asn (https://github.com/MISP/misp-
objects/blob/main/objects/asn/definition.json) - Autonomous system
object describing an autonomous system which can include one or
more network operators managing an entity (e.g. ISP) along with
their routing policy, routing prefixes or alike.
* objects/attack-pattern (https://github.com/MISP/misp-
objects/blob/main/objects/attack-pattern/definition.json) - Attack
pattern describing a common attack pattern enumeration and
classification.
* objects/authentication-failure-report (https://github.com/MISP/
misp-objects/blob/main/objects/authentication-failure-report/
definition.json) - Authentication Failure Report.
* objects/authenticode-signerinfo (https://github.com/MISP/misp-
objects/blob/main/objects/authenticode-signerinfo/definition.json)
- Authenticode Signer Info.
* objects/av-signature (https://github.com/MISP/misp-
objects/blob/main/objects/av-signature/definition.json) -
Antivirus detection signature.
* objects/bank-account (https://github.com/MISP/misp-
objects/blob/main/objects/bank-account/definition.json) - An
object describing bank account information based on account
description from goAML 4.0.
* objects/bgp-hijack (https://github.com/MISP/misp-
objects/blob/main/objects/bgp-hijack/definition.json) - Object
encapsulating BGP Hijack description as specified, for example, by
bgpstream.com.
* objects/bgp-ranking (https://github.com/MISP/misp-
objects/blob/main/objects/bgp-ranking/definition.json) - BGP
Ranking object describing the ranking of an ASN for a given day,
along with its position, 1 being the most malicious ASN of the
day, with the highest ranking. This object is meant to have a
relationship with the corresponding ASN object and represents its
ranking for a specific date.
* objects/blog (https://github.com/MISP/misp-
objects/blob/main/objects/blog/definition.json) - Blog post like
Medium or WordPress.
* objects/boleto (https://github.com/MISP/misp-
objects/blob/main/objects/boleto/definition.json) - A common form
of payment used in Brazil.
* objects/btc-transaction (https://github.com/MISP/misp-
objects/blob/main/objects/btc-transaction/definition.json) - An
object to describe a Bitcoin transaction. Best to be used with
bitcoin-wallet.
* objects/btc-wallet (https://github.com/MISP/misp-
objects/blob/main/objects/btc-wallet/definition.json) - An object
to describe a Bitcoin wallet. Best to be used with bitcoin-
transactions.
* objects/cap-alert (https://github.com/MISP/misp-
objects/blob/main/objects/cap-alert/definition.json) - Common
Alerting Protocol Version (CAP) alert object.
* objects/cap-info (https://github.com/MISP/misp-
objects/blob/main/objects/cap-info/definition.json) - Common
Alerting Protocol Version (CAP) info object.
* objects/cap-resource (https://github.com/MISP/misp-
objects/blob/main/objects/cap-resource/definition.json) - Common
Alerting Protocol Version (CAP) resource object.
* objects/coin-address (https://github.com/MISP/misp-
objects/blob/main/objects/coin-address/definition.json) - An
address used in a cryptocurrency.
* objects/command (https://github.com/MISP/misp-
objects/blob/main/objects/command/definition.json) - Command
functionalities related to specific commands executed by a
program, whether it is malicious or not. Command-line are
attached to this object for the related commands.
* objects/command-line (https://github.com/MISP/misp-
objects/blob/main/objects/command-line/definition.json) - Command
line and options related to a specific command executed by a
program, whether it is malicious or not.
* objects/concordia-mtmf-intrusion-set (https://github.com/MISP/
misp-objects/blob/main/objects/concordia-mtmf-intrusion-set/
definition.json) - Intrusion Set - Phase Description.
* objects/cookie (https://github.com/MISP/misp-
objects/blob/main/objects/cookie/definition.json) - An HTTP cookie
(web cookie, browser cookie) is a small piece of data that a
server sends to the user's web browser. The browser may store it
and send it back with the next request to the same server.
Typically, it's used to tell if two requests came from the same
browser, keeping a user logged-in, for example. It remembers
stateful information for the stateless HTTP protocol (as defined
by the Mozilla foundation).
* objects/cortex (https://github.com/MISP/misp-
objects/blob/main/objects/cortex/definition.json) - Cortex object
describing a complete cortex analysis. Observables would be
attribute with a relationship from this object.
* objects/cortex-taxonomy (https://github.com/MISP/misp-
objects/blob/main/objects/cortex-taxonomy/definition.json) -
Cortex object describing a Cortex Taxonomy (or mini report).
* objects/course-of-action (https://github.com/MISP/misp-
objects/blob/main/objects/course-of-action/definition.json) - An
object describing a specific measure taken to prevent or respond
to an attack.
* objects/covid19-csse-daily-report (https://github.com/MISP/misp-
objects/blob/main/objects/covid19-csse-daily-report/
definition.json) - CSSE COVID-19 Daily report.
* objects/covid19-dxy-live-city (https://github.com/MISP/misp-
objects/blob/main/objects/covid19-dxy-live-city/definition.json) -
COVID 19 from dxy.cn - Aggregation by city.
* objects/covid19-dxy-live-province (https://github.com/MISP/misp-
objects/blob/main/objects/covid19-dxy-live-province/
definition.json) - COVID 19 from dxy.cn - Aggregation by province.
* objects/cowrie (https://github.com/MISP/misp-
objects/blob/main/objects/cowrie/definition.json) - Cowrie
honeypot object template.
* objects/cpe-asset (https://github.com/MISP/misp-
objects/blob/main/objects/cpe-asset/definition.json) - An asset
which can be defined by a CPE. This can be a generic asset. CPE
is a structured naming scheme for information technology systems,
software, and packages.
* objects/credential (https://github.com/MISP/misp-
objects/blob/main/objects/credential/definition.json) - Credential
describes one or more credential(s) including password(s), api
key(s) or decryption key(s).
* objects/credit-card (https://github.com/MISP/misp-
objects/blob/main/objects/credit-card/definition.json) - A payment
card like credit card, debit card or any similar cards which can
be used for financial transactions.
* objects/crypto-material (https://github.com/MISP/misp-
objects/blob/main/objects/crypto-material/definition.json) -
Cryptographic materials such as public or/and private keys.
* objects/cytomic-orion-file (https://github.com/MISP/misp-
objects/blob/main/objects/cytomic-orion-file/definition.json) -
Cytomic Orion File Detection.
* objects/cytomic-orion-machine (https://github.com/MISP/misp-
objects/blob/main/objects/cytomic-orion-machine/definition.json) -
Cytomic Orion File at Machine Detection.
* objects/dark-pattern-item (https://github.com/MISP/misp-
objects/blob/main/objects/dark-pattern-item/definition.json) - An
Item whose User Interface implements a dark pattern.
* objects/ddos (https://github.com/MISP/misp-
objects/blob/main/objects/ddos/definition.json) - DDoS object
describes a current DDoS activity from a specific or/and to a
specific target. Type of DDoS can be attached to the object as a
taxonomy.
* objects/device (https://github.com/MISP/misp-
objects/blob/main/objects/device/definition.json) - An object to
define a device.
* objects/diameter-attack (https://github.com/MISP/misp-
objects/blob/main/objects/diameter-attack/definition.json) -
Attack as seen on the diameter signaling protocol supporting LTE
networks.
* objects/dkim (https://github.com/MISP/misp-
objects/blob/main/objects/dkim/definition.json) - DomainKeys
Identified Mail - DKIM.
* objects/dns-record (https://github.com/MISP/misp-
objects/blob/main/objects/dns-record/definition.json) - A set of
DNS records observed for a specific domain.
* objects/domain-crawled (https://github.com/MISP/misp-
objects/blob/main/objects/domain-crawled/definition.json) - A
domain crawled over time.
* objects/domain-ip (https://github.com/MISP/misp-
objects/blob/main/objects/domain-ip/definition.json) - A domain/
hostname and IP address seen as a tuple in a specific time frame.
* objects/edr-report (https://github.com/MISP/misp-
objects/blob/main/objects/edr-report/definition.json) - An Object
Template to encode an EDR detection report.
* objects/elf (https://github.com/MISP/misp-
objects/blob/main/objects/elf/definition.json) - Object describing
an Executable and Linkable Format.
* objects/elf-section (https://github.com/MISP/misp-
objects/blob/main/objects/elf-section/definition.json) - Object
describing a section of an Executable and Linkable Format.
* objects/email (https://github.com/MISP/misp-
objects/blob/main/objects/email/definition.json) - Email object
describing an email with meta-information.
* objects/employee (https://github.com/MISP/misp-
objects/blob/main/objects/employee/definition.json) - An employee
and related data points.
* objects/exploit-poc (https://github.com/MISP/misp-
objects/blob/main/objects/exploit-poc/definition.json) - Exploit-
poc object describing a proof of concept or exploit of a
vulnerability. This object has often a relationship with a
vulnerability object.
* objects/facebook-account (https://github.com/MISP/misp-
objects/blob/main/objects/facebook-account/definition.json) -
Facebook account.
* objects/facebook-group (https://github.com/MISP/misp-
objects/blob/main/objects/facebook-group/definition.json) - Public
or private facebook group.
* objects/facebook-page (https://github.com/MISP/misp-
objects/blob/main/objects/facebook-page/definition.json) -
Facebook page.
* objects/facebook-post (https://github.com/MISP/misp-
objects/blob/main/objects/facebook-post/definition.json) - Post on
a Facebook wall.
* objects/facial-composite (https://github.com/MISP/misp-
objects/blob/main/objects/facial-composite/definition.json) - An
object which describes a facial composite.
* objects/fail2ban (https://github.com/MISP/misp-
objects/blob/main/objects/fail2ban/definition.json) - Fail2ban
event.
* objects/favicon (https://github.com/MISP/misp-
objects/blob/main/objects/favicon/definition.json) - A favicon,
also known as a shortcut icon, website icon, tab icon, URL icon,
or bookmark icon, is a file containing one or more small icons,
associated with a particular website or web page. The object
template can include the murmur3 hash of the favicon to facilitate
correlation.
* objects/file (https://github.com/MISP/misp-
objects/blob/main/objects/file/definition.json) - File object
describing a file with meta-information.
* objects/forensic-case (https://github.com/MISP/misp-
objects/blob/main/objects/forensic-case/definition.json) - An
object template to describe a digital forensic case.
* objects/forensic-evidence (https://github.com/MISP/misp-
objects/blob/main/objects/forensic-evidence/definition.json) - An
object template to describe digital forensic evidence.
* objects/forged-document (https://github.com/MISP/misp-
objects/blob/main/objects/forged-document/definition.json) -
Object describing a forged document.
* objects/ftm-Airplane (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Airplane/definition.json) - .
* objects/ftm-Assessment (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Assessment/definition.json) - .
* objects/ftm-Asset (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Asset/definition.json) - .
* objects/ftm-Associate (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Associate/definition.json) - Non-
family association between two people.
* objects/ftm-Audio (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Audio/definition.json) - .
* objects/ftm-BankAccount (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-BankAccount/definition.json) - .
* objects/ftm-Call (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Call/definition.json) - .
* objects/ftm-Company (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Company/definition.json) - A legal
entity representing an association of people, whether natural,
legal or a mixture of both, with a specific objective.
* objects/ftm-Contract (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Contract/definition.json) - A
contract or contract lot issued by an authority. Multiple lots
may be awarded to different suppliers (see ContractAward).
* objects/ftm-ContractAward (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-ContractAward/definition.json) - A
contract or contract lot as awarded to a supplier.
* objects/ftm-CourtCase (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-CourtCase/definition.json) - .
* objects/ftm-CourtCaseParty (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-CourtCaseParty/definition.json) - .
* objects/ftm-Debt (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Debt/definition.json) - A monetary
debt between two parties.
* objects/ftm-Directorship (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Directorship/definition.json) - .
* objects/ftm-Document (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Document/definition.json) - .
* objects/ftm-Documentation (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Documentation/definition.json) - .
* objects/ftm-EconomicActivity (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-EconomicActivity/definition.json) -
A foreign economic activity.
* objects/ftm-Email (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Email/definition.json) - .
* objects/ftm-Event (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Event/definition.json) - .
* objects/ftm-Family (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Family/definition.json) - Family
relationship between two people.
* objects/ftm-Folder (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Folder/definition.json) - .
* objects/ftm-HyperText (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-HyperText/definition.json) - .
* objects/ftm-Image (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Image/definition.json) - .
* objects/ftm-Land (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Land/definition.json) - .
* objects/ftm-LegalEntity (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-LegalEntity/definition.json) - A
legal entity may be a person or a company.
* objects/ftm-License (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-License/definition.json) - A grant
of land, rights or property. A type of Contract.
* objects/ftm-Membership (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Membership/definition.json) - .
* objects/ftm-Message (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Message/definition.json) - .
* objects/ftm-Organization (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Organization/definition.json) - .
* objects/ftm-Ownership (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Ownership/definition.json) - .
* objects/ftm-Package (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Package/definition.json) - .
* objects/ftm-Page (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Page/definition.json) - .
* objects/ftm-Pages (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Pages/definition.json) - .
* objects/ftm-Passport (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Passport/definition.json) -
Passport.
* objects/ftm-Payment (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Payment/definition.json) - A
monetary payment between two parties.
* objects/ftm-Person (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Person/definition.json) - An
individual.
* objects/ftm-PlainText (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-PlainText/definition.json) - .
* objects/ftm-PublicBody (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-PublicBody/definition.json) - A
public body, such as a ministry, department or state company.
* objects/ftm-RealEstate (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-RealEstate/definition.json) - A
piece of land or property.
* objects/ftm-Representation (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Representation/definition.json) - A
mediatory, intermediary, middleman, or broker acting on behalf of
a legal entity.
* objects/ftm-Row (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Row/definition.json) - .
* objects/ftm-Sanction (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Sanction/definition.json) - A
sanction designation.
* objects/ftm-Succession (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Succession/definition.json) - Two
entities that legally succeed each other.
* objects/ftm-Table (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Table/definition.json) - .
* objects/ftm-TaxRoll (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-TaxRoll/definition.json) - A tax
declaration of an individual.
* objects/ftm-UnknownLink (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-UnknownLink/definition.json) - .
* objects/ftm-UserAccount (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-UserAccount/definition.json) - .
* objects/ftm-Vehicle (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Vehicle/definition.json) - .
* objects/ftm-Vessel (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Vessel/definition.json) - A boat or
ship.
* objects/ftm-Video (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Video/definition.json) - .
* objects/ftm-Workbook (https://github.com/MISP/misp-
objects/blob/main/objects/ftm-Workbook/definition.json) - .
* objects/geolocation (https://github.com/MISP/misp-
objects/blob/main/objects/geolocation/definition.json) - An object
to describe a geographic location.
* objects/git-vuln-finder (https://github.com/MISP/misp-
objects/blob/main/objects/git-vuln-finder/definition.json) -
Export from git-vuln-finder.
* objects/github-user (https://github.com/MISP/misp-
objects/blob/main/objects/github-user/definition.json) - GitHub
user.
* objects/gitlab-user (https://github.com/MISP/misp-
objects/blob/main/objects/gitlab-user/definition.json) - GitLab
user. Gitlab.com user or self-hosted GitLab instance.
* objects/gtp-attack (https://github.com/MISP/misp-
objects/blob/main/objects/gtp-attack/definition.json) - GTP attack
object describing an attack as seen on the GTP signaling protocol
supporting GPRS/LTE networks.
* objects/hashlookup (https://github.com/MISP/misp-
objects/blob/main/objects/hashlookup/definition.json) - hashlookup
object as described on hashlookup services from circl.lu -
https://www.circl.lu/services/hashlookup
(https://www.circl.lu/services/hashlookup).
* objects/http-request (https://github.com/MISP/misp-
objects/blob/main/objects/http-request/definition.json) - A single
HTTP request header.
* objects/identity (https://github.com/MISP/misp-
objects/blob/main/objects/identity/definition.json) - Identities
can represent actual individuals, organizations, or groups (e.g.,
ACME, Inc.) as well as classes of individuals, organizations,
systems or groups (e.g., the finance sector). The Identity SDO
can capture basic identifying information, contact information,
and the sectors that the Identity belongs to. Identity is used in
STIX to represent, among other things, targets of attacks,
information sources, object creators, and threat actor identities.
(ref. STIX 2.1 - 4.5).
* objects/ilr-impact (https://github.com/MISP/misp-
objects/blob/main/objects/ilr-impact/definition.json) - Institut
Luxembourgeois de Regulation - Impact.
* objects/ilr-notification-incident (https://github.com/MISP/misp-
objects/blob/main/objects/ilr-notification-incident/
definition.json) - Institut Luxembourgeois de Regulation -
Incident notification.
* objects/image (https://github.com/MISP/misp-
objects/blob/main/objects/image/definition.json) - Object
describing an image file.
* objects/impersonation (https://github.com/MISP/misp-
objects/blob/main/objects/impersonation/definition.json) -
Represents an impersonating account.
* objects/imsi-catcher (https://github.com/MISP/misp-
objects/blob/main/objects/imsi-catcher/definition.json) - IMSI
Catcher entry object based on the open source IMSI catcher.
* objects/infrastructure (https://github.com/MISP/misp-
objects/blob/main/objects/infrastructure/definition.json) - The
Infrastructure object represents a type of TTP and describes any
systems, software services and any associated physical or virtual
resources intended to support some purpose (e.g., C2 servers used
as part of an attack, devices or servers that are part of a defense,
database servers targeted by an attack, etc.). While elements of
an attack can be represented by other objects, the Infrastructure
object represents a named group of related data that constitutes
the infrastructure. STIX 2.1 - 4.8.
* objects/instant-message (https://github.com/MISP/misp-
objects/blob/main/objects/instant-message/definition.json) -
Instant Message (IM) object template describing one or more IM
messages.
* objects/instant-message-group (https://github.com/MISP/misp-
objects/blob/main/objects/instant-message-group/definition.json) -
Instant Message (IM) group object template describing a public or
private IM group, channel or conversation.
* objects/intel471-vulnerability-intelligence
(https://github.com/MISP/misp-objects/blob/main/objects/intel471-
vulnerability-intelligence/definition.json) - Intel 471
vulnerability intelligence object.
* objects/intelmq_event (https://github.com/MISP/misp-
objects/blob/main/objects/intelmq_event/definition.json) - IntelMQ
Event.
* objects/intelmq_report (https://github.com/MISP/misp-
objects/blob/main/objects/intelmq_report/definition.json) -
IntelMQ Report.
* objects/internal-reference (https://github.com/MISP/misp-
objects/blob/main/objects/internal-reference/definition.json) -
Internal reference.
* objects/interpol-notice (https://github.com/MISP/misp-
objects/blob/main/objects/interpol-notice/definition.json) - An
object which describes an Interpol notice.
* objects/iot-device (https://github.com/MISP/misp-
objects/blob/main/objects/iot-device/definition.json) - An IoT
device.
* objects/iot-firmware (https://github.com/MISP/misp-
objects/blob/main/objects/iot-firmware/definition.json) - A
firmware for an IoT device.
* objects/ip-api-address (https://github.com/MISP/misp-
objects/blob/main/objects/ip-api-address/definition.json) - IP
Address information. Useful if you are pulling your IP
information from ip-api.com.
* objects/ip-port (https://github.com/MISP/misp-
objects/blob/main/objects/ip-port/definition.json) - An IP address
(or domain or hostname) and a port seen as a tuple (or as a
triple) in a specific time frame.
* objects/irc (https://github.com/MISP/misp-
objects/blob/main/objects/irc/definition.json) - An IRC object to
describe an IRC server and the associated channels.
* objects/ja3 (https://github.com/MISP/misp-
objects/blob/main/objects/ja3/definition.json) - JA3 is a new
technique for creating SSL client fingerprints that are easy to
produce and can be easily shared for threat intelligence.
Fingerprints are composed of Client Hello packet fields: SSL
Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and
Elliptic Curve Formats. https://github.com/salesforce/ja3
(https://github.com/salesforce/ja3).
* objects/ja3s (https://github.com/MISP/misp-
objects/blob/main/objects/ja3s/definition.json) - JA3S is JA3 for
the Server side of the SSL/TLS communication and fingerprints how
servers respond to particular clients. JA3S fingerprints are
composed of Server Hello packet fields: SSL Version, Cipher,
SSL Extensions. https://github.com/salesforce/ja3
(https://github.com/salesforce/ja3).
* objects/jarm (https://github.com/MISP/misp-
objects/blob/main/objects/jarm/definition.json) - JARM object to
describe a TLS/SSL implementation used for a malicious or
legitimate use case.
* objects/keybase-account (https://github.com/MISP/misp-
objects/blob/main/objects/keybase-account/definition.json) -
Information related to a keybase account, from API Users Object.
* objects/language-content (https://github.com/MISP/misp-
objects/blob/main/objects/language-content/definition.json) - The
Language Content object represents text content for objects
represented in languages other than that of the original object.
Language content may be a translation of the original object by a
third-party, a first-source translation by the original publisher,
or additional official language content provided at the time of
creation. STIX 2.1 ref 7.1.
* objects/leaked-document (https://github.com/MISP/misp-
objects/blob/main/objects/leaked-document/definition.json) -
Object describing a leaked document.
* objects/legal-entity (https://github.com/MISP/misp-
objects/blob/main/objects/legal-entity/definition.json) - An
object to describe a legal entity.
* objects/lnk (https://github.com/MISP/misp-
objects/blob/main/objects/lnk/definition.json) - LNK object
describing a Windows LNK binary file (aka Windows shortcut).
* objects/macho (https://github.com/MISP/misp-
objects/blob/main/objects/macho/definition.json) - Object
describing a file in Mach-O format.
* objects/macho-section (https://github.com/MISP/misp-
objects/blob/main/objects/macho-section/definition.json) - Object
describing a section of a file in Mach-O format.
* objects/mactime-timeline-analysis (https://github.com/MISP/misp-
objects/blob/main/objects/mactime-timeline-analysis/
definition.json) - Mactime template, used in forensic
investigations to describe the timeline of file activity.
* objects/malware-config (https://github.com/MISP/misp-
objects/blob/main/objects/malware-config/definition.json) -
Malware configuration recovered or extracted from a malicious
binary.
* objects/meme-image (https://github.com/MISP/misp-
objects/blob/main/objects/meme-image/definition.json) - Object
describing a meme (image).
* objects/microblog (https://github.com/MISP/misp-
objects/blob/main/objects/microblog/definition.json) - Microblog
post like a Twitter tweet or a post on a Facebook wall.
* objects/mutex (https://github.com/MISP/misp-
objects/blob/main/objects/mutex/definition.json) - Object to
describe mutual exclusion locks (mutex) as seen in memory or in a
computer program.
* objects/narrative (https://github.com/MISP/misp-
objects/blob/main/objects/narrative/definition.json) - Object
describing a narrative.
* objects/netflow (https://github.com/MISP/misp-
objects/blob/main/objects/netflow/definition.json) - Netflow
object describing a network flow based on the Netflow v5/v9
minimal definition.
* objects/network-connection (https://github.com/MISP/misp-
objects/blob/main/objects/network-connection/definition.json) - A
local or remote network connection.
* objects/network-profile (https://github.com/MISP/misp-
objects/blob/main/objects/network-profile/definition.json) -
Elements that can be used to profile, pivot or identify a network
infrastructure, including domains, IPs and URLs.
* objects/network-socket (https://github.com/MISP/misp-
objects/blob/main/objects/network-socket/definition.json) -
Network socket object describing a local or remote network
connection based on the socket data structure.
* objects/news-agency (https://github.com/MISP/misp-
objects/blob/main/objects/news-agency/definition.json) - News
agencies compile news and disseminate news in bulk.
* objects/news-media (https://github.com/MISP/misp-
objects/blob/main/objects/news-media/definition.json) - News media
are forms of mass media delivering news to the general public.
* objects/open-data-security (https://github.com/MISP/misp-
objects/blob/main/objects/open-data-security/definition.json) - An
object describing an open dataset available and described under
the open data security model. ref. https://github.com/CIRCL/open-
data-security (https://github.com/CIRCL/open-data-security).
* objects/organization (https://github.com/MISP/misp-
objects/blob/main/objects/organization/definition.json) - An
object which describes an organization.
* objects/original-imported-file (https://github.com/MISP/misp-
objects/blob/main/objects/original-imported-file/definition.json)
- Object describing the original file used to import data in MISP.
* objects/paloalto-threat-event (https://github.com/MISP/misp-
objects/blob/main/objects/paloalto-threat-event/definition.json) -
Palo Alto Threat Log Event.
* objects/parler-account (https://github.com/MISP/misp-
objects/blob/main/objects/parler-account/definition.json) - Parler
account.
* objects/parler-comment (https://github.com/MISP/misp-
objects/blob/main/objects/parler-comment/definition.json) - Parler
comment.
* objects/parler-post (https://github.com/MISP/misp-
objects/blob/main/objects/parler-post/definition.json) - Parler
post (parley).
* objects/passive-dns (https://github.com/MISP/misp-
objects/blob/main/objects/passive-dns/definition.json) - Passive
DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-
07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-
dns-cof-07.html (https://tools.ietf.org/id/draft-dulaunoy-dnsop-
passive-dns-cof-07.html).
* objects/passive-dns-dnsdbflex (https://github.com/MISP/misp-
objects/blob/main/objects/passive-dns-dnsdbflex/definition.json) -
DNSDBFLEX object. This object is used at Farsight Security.
Roughly based on Passive DNS records as expressed in draft-
dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/
draft-dulaunoy-dnsop-passive-dns-cof-07.html
(https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-
07.html).
* objects/passive-ssh (https://github.com/MISP/misp-
objects/blob/main/objects/passive-ssh/definition.json) - Passive-
ssh object as described on passive-ssh services from circl.lu -
https://github.com/D4-project/passive-ssh (https://github.com/D4-
project/passive-ssh).
* objects/paste (https://github.com/MISP/misp-
objects/blob/main/objects/paste/definition.json) - Paste or
similar post from a website that allows posts to be shared
privately or publicly.
* objects/pcap-metadata (https://github.com/MISP/misp-
objects/blob/main/objects/pcap-metadata/definition.json) - Network
packet capture metadata.
* objects/pe (https://github.com/MISP/misp-
objects/blob/main/objects/pe/definition.json) - Object describing
a Portable Executable.
* objects/pe-section (https://github.com/MISP/misp-
objects/blob/main/objects/pe-section/definition.json) - Object
describing a section of a Portable Executable.
* objects/person (https://github.com/MISP/misp-
objects/blob/main/objects/person/definition.json) - An object
which describes a person or an identity.
* objects/pgp-meta (https://github.com/MISP/misp-
objects/blob/main/objects/pgp-meta/definition.json) - Metadata
extracted from a PGP keyblock, message or signature.
* objects/phishing (https://github.com/MISP/misp-
objects/blob/main/objects/phishing/definition.json) - Phishing
template to describe a phishing website and its analysis.
* objects/phishing-kit (https://github.com/MISP/misp-
objects/blob/main/objects/phishing-kit/definition.json) - Object
to describe a phishing-kit.
* objects/phone (https://github.com/MISP/misp-
objects/blob/main/objects/phone/definition.json) - A phone or
mobile phone object which describes a phone.
* objects/postal-address (https://github.com/MISP/misp-
objects/blob/main/objects/postal-address/definition.json) - A
postal address.
* objects/probabilistic-data-structure (https://github.com/MISP/
misp-objects/blob/main/objects/probabilistic-data-structure/
definition.json) - Probabilistic data structure object describing a
space-efficient data structure such as a Bloom filter or similar
structure.
* objects/process (https://github.com/MISP/misp-
objects/blob/main/objects/process/definition.json) - Object
describing a system process.
* objects/publication (https://github.com/MISP/misp-
objects/blob/main/objects/publication/definition.json) - An object
to describe a book, journal, or academic publication.
* objects/python-etvx-event-log (https://github.com/MISP/misp-
objects/blob/main/objects/python-etvx-event-log/definition.json) -
Event log object template to share information of the activities
conducted on a system.
* objects/r2graphity (https://github.com/MISP/misp-
objects/blob/main/objects/r2graphity/definition.json) - Indicators
extracted from files using radare2 and graphml.
* objects/reddit-account (https://github.com/MISP/misp-
objects/blob/main/objects/reddit-account/definition.json) - Reddit
account.
* objects/reddit-comment (https://github.com/MISP/misp-
objects/blob/main/objects/reddit-comment/definition.json) - A
Reddit post comment.
* objects/reddit-post (https://github.com/MISP/misp-
objects/blob/main/objects/reddit-post/definition.json) - A Reddit
post.
* objects/reddit-subreddit (https://github.com/MISP/misp-
objects/blob/main/objects/reddit-subreddit/definition.json) -
Public or private subreddit.
* objects/regexp (https://github.com/MISP/misp-
objects/blob/main/objects/regexp/definition.json) - An object
describing a regular expression (regex or regexp). The object can
be linked via a relationship to other attributes or objects to
describe how it can be represented as a regular expression.
* objects/registry-key (https://github.com/MISP/misp-
objects/blob/main/objects/registry-key/definition.json) - Registry
key object describing a Windows registry key with value and last-
modified timestamp.
* objects/regripper-NTUser (https://github.com/MISP/misp-
objects/blob/main/objects/regripper-NTUser/definition.json) -
Regripper Object template designed to present user-specific
configuration details extracted from the NTUSER.dat hive.
* objects/regripper-sam-hive-single-user (https://github.com/MISP/
misp-objects/blob/main/objects/regripper-sam-hive-single-user/
definition.json) - Regripper Object template designed to present
user profile details extracted from the SAM hive.
* objects/regripper-sam-hive-user-group (https://github.com/MISP/
misp-objects/blob/main/objects/regripper-sam-hive-user-group/
definition.json) - Regripper Object template designed to present
group profile details extracted from the SAM hive.
* objects/regripper-software-hive-BHO (https://github.com/MISP/misp-
objects/blob/main/objects/regripper-software-hive-BHO/
definition.json) - Regripper Object template designed to gather
information about the browser helper objects installed on the
system.
* objects/regripper-software-hive-appInit-DLLS
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-appInit-DLLS/definition.json) - Regripper Object
template designed to gather information about the DLL files
installed on the system.
* objects/regripper-software-hive-application-paths
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-application-paths/definition.json) - Regripper
Object template designed to gather information about the
application paths.
* objects/regripper-software-hive-applications-installed
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-applications-installed/definition.json) - Regripper
Object template designed to gather information about the
applications installed on the system.
* objects/regripper-software-hive-command-shell
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-command-shell/definition.json) - Regripper Object
template designed to gather information about the shell commands
executed on the system.
* objects/regripper-software-hive-software-run
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-software-run/definition.json) - Regripper Object
template designed to gather information about the applications set
to run on the system.
* objects/regripper-software-hive-userprofile-winlogon
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-userprofile-winlogon/definition.json) - Regripper
Object template designed to gather user profile information when
the user logs onto the system, gathered from the software hive.
* objects/regripper-software-hive-windows-general-info
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
software-hive-windows-general-info/definition.json) - Regripper
Object template designed to gather general Windows information
extracted from the software hive.
* objects/regripper-system-hive-firewall-configuration
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
system-hive-firewall-configuration/definition.json) - Regripper
Object template designed to present firewall configuration
information extracted from the system-hive.
* objects/regripper-system-hive-general-configuration
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
system-hive-general-configuration/definition.json) - Regripper
Object template designed to present general system properties
extracted from the system-hive.
* objects/regripper-system-hive-network-information
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
system-hive-network-information/definition.json) - Regripper
object template designed to gather network information from the
system-hive.
* objects/regripper-system-hive-services-drivers
(https://github.com/MISP/misp-objects/blob/main/objects/regripper-
system-hive-services-drivers/definition.json) - Regripper Object
template designed to gather information regarding the services/
drivers from the system-hive.
* objects/report (https://github.com/MISP/misp-
objects/blob/main/objects/report/definition.json) - Metadata used
to generate an executive level report.
* objects/research-scanner (https://github.com/MISP/misp-
objects/blob/main/objects/research-scanner/definition.json) -
Information related to known scanning activity (e.g. from research
projects).
* objects/rogue-dns (https://github.com/MISP/misp-
objects/blob/main/objects/rogue-dns/definition.json) - Rogue DNS
as defined by CERT.br.
* objects/rtir (https://github.com/MISP/misp-
objects/blob/main/objects/rtir/definition.json) - RTIR - Request
Tracker for Incident Response.
* objects/sandbox-report (https://github.com/MISP/misp-
objects/blob/main/objects/sandbox-report/definition.json) -
Sandbox report.
* objects/sb-signature (https://github.com/MISP/misp-
objects/blob/main/objects/sb-signature/definition.json) - Sandbox
detection signature.
* objects/scheduled-event (https://github.com/MISP/misp-
objects/blob/main/objects/scheduled-event/definition.json) - Event
object template describing a gathering of individuals in
meatspace.
* objects/scrippsco2-c13-daily (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-c13-daily/definition.json) -
Daily average C13 concentrations (ppm) derived from flask air
samples.
* objects/scrippsco2-c13-monthly (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-c13-monthly/definition.json)
- Monthly average C13 concentrations (ppm) derived from flask air
samples.
* objects/scrippsco2-co2-daily (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-co2-daily/definition.json) -
Daily average CO2 concentrations (ppm) derived from flask air
samples.
* objects/scrippsco2-co2-monthly (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-co2-monthly/definition.json)
- Monthly average CO2 concentrations (ppm) derived from flask air
samples.
* objects/scrippsco2-o18-daily (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-o18-daily/definition.json) -
Daily average O18 concentrations (ppm) derived from flask air
samples.
* objects/scrippsco2-o18-monthly (https://github.com/MISP/misp-
objects/blob/main/objects/scrippsco2-o18-monthly/definition.json)
- Monthly average O18 concentrations (ppm) derived from flask air
samples.
* objects/script (https://github.com/MISP/misp-
objects/blob/main/objects/script/definition.json) - Object
describing a computer program written to be run in a special run-
time environment. The script or shell script can be used for
malicious activities but also as support tools for threat
analysts.
* objects/security-playbook (https://github.com/MISP/misp-
objects/blob/main/objects/security-playbook/definition.json) - An
object to manage, represent, and share course of action playbooks
(security playbooks) for cyberspace defense.
* objects/shell-commands (https://github.com/MISP/misp-
objects/blob/main/objects/shell-commands/definition.json) - Object
describing a series of shell commands executed. This object can
be linked with malicious files in order to describe a specific
execution of shell commands.
* objects/shodan-report (https://github.com/MISP/misp-
objects/blob/main/objects/shodan-report/definition.json) - Shodan
Report for a given IP.
* objects/short-message-service (https://github.com/MISP/misp-
objects/blob/main/objects/short-message-service/definition.json) -
Short Message Service (SMS) object template describing one or more
SMS messages. The restriction of the initial format to the 3GPP
23.038 GSM character set doesn't apply.
* objects/shortened-link (https://github.com/MISP/misp-
objects/blob/main/objects/shortened-link/definition.json) -
Shortened link and its redirect target.
* objects/social-media-group (https://github.com/MISP/misp-
objects/blob/main/objects/social-media-group/definition.json) -
Social media group object template describing a public or private
group or channel.
* objects/software (https://github.com/MISP/misp-
objects/blob/main/objects/software/definition.json) - The Software
object represents high-level properties associated with software,
including software products. STIX 2.1 - 6.14.
* objects/splunk (https://github.com/MISP/misp-
objects/blob/main/objects/splunk/definition.json) - Splunk /
Splunk ES object.
* objects/ss7-attack (https://github.com/MISP/misp-
objects/blob/main/objects/ss7-attack/definition.json) - SS7 object
of an attack as seen on the SS7 signaling protocol supporting
GSM/GPRS/UMTS networks.
* objects/ssh-authorized-keys (https://github.com/MISP/misp-
objects/blob/main/objects/ssh-authorized-keys/definition.json) -
An object to store an SSH authorized keys file.
* objects/stix2-pattern (https://github.com/MISP/misp-
objects/blob/main/objects/stix2-pattern/definition.json) - An
object describing a STIX pattern. The object can be linked via a
relationship to other attributes or objects to describe how it can
be represented as a STIX pattern.
* objects/submarine (https://github.com/MISP/misp-
objects/blob/main/objects/submarine/definition.json) - Submarine
description.
* objects/suricata (https://github.com/MISP/misp-
objects/blob/main/objects/suricata/definition.json) - An object
describing one or more Suricata rule(s) along with version and
contextual information.
* objects/target-system (https://github.com/MISP/misp-
objects/blob/main/objects/target-system/definition.json) -
Description of a targeted system, which could potentially be a
compromised internal system.
* objects/telegram-account (https://github.com/MISP/misp-
objects/blob/main/objects/telegram-account/definition.json) -
Information related to a telegram account.
* objects/temporal-event (https://github.com/MISP/misp-
objects/blob/main/objects/temporal-event/definition.json) - A
temporal event consists of some temporal and spatial boundaries.
Spatial boundaries can be physical, virtual or hybrid.
* objects/threatgrid-report (https://github.com/MISP/misp-
objects/blob/main/objects/threatgrid-report/definition.json) -
ThreatGrid report.
* objects/timecode (https://github.com/MISP/misp-
objects/blob/main/objects/timecode/definition.json) - Timecode
object to describe a start of video sequence (e.g. CCTV evidence)
and the end of the video sequence.
* objects/timesketch-timeline (https://github.com/MISP/misp-
objects/blob/main/objects/timesketch-timeline/definition.json) - A
timesketch timeline object based on the mandatory fields in
timesketch to describe a log entry.
* objects/timesketch_message (https://github.com/MISP/misp-
objects/blob/main/objects/timesketch_message/definition.json) - A
timesketch message entry.
* objects/timestamp (https://github.com/MISP/misp-
objects/blob/main/objects/timestamp/definition.json) - A generic
timestamp object to represent time, including first time and last
time seen. The relationship will then define the kind of time
relationship.
* objects/tor-hiddenservice (https://github.com/MISP/misp-
objects/blob/main/objects/tor-hiddenservice/definition.json) - Tor
hidden service (onion service) object.
* objects/tor-node (https://github.com/MISP/misp-
objects/blob/main/objects/tor-node/definition.json) - Description
of a Tor node (a node which protects user privacy on the Internet
by hiding the connection between a user's Internet address and the
services used by that user) that is part of the Tor network at a
given time.
* objects/tracking-id (https://github.com/MISP/misp-
objects/blob/main/objects/tracking-id/definition.json) - Analytics
and tracking ID such as used in Google Analytics or other analytic
platform.
* objects/transaction (https://github.com/MISP/misp-
objects/blob/main/objects/transaction/definition.json) - An object
to describe a financial transaction.
* objects/translation (https://github.com/MISP/misp-
objects/blob/main/objects/translation/definition.json) - Used to
keep a text and its translation.
* objects/trustar_report (https://github.com/MISP/misp-
objects/blob/main/objects/trustar_report/definition.json) -
TruStar Report.
* objects/tsk-chats (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-chats/definition.json) - An Object
Template to gather information from evidential or interesting
exchanges of messages identified during a digital forensic
investigation.
* objects/tsk-web-bookmark (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-web-bookmark/definition.json) - An
Object Template to add evidential bookmarks identified during a
digital forensic investigation.
* objects/tsk-web-cookie (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-web-cookie/definition.json) - A
TSK-Autopsy Object Template to represent cookies identified during a
forensic investigation.
* objects/tsk-web-downloads (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-web-downloads/definition.json) - An
Object Template to add web-downloads.
* objects/tsk-web-history (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-web-history/definition.json) - An
Object Template to share web history information.
* objects/tsk-web-search-query (https://github.com/MISP/misp-
objects/blob/main/objects/tsk-web-search-query/definition.json) -
An Object Template to share web search query information.
* objects/twitter-account (https://github.com/MISP/misp-
objects/blob/main/objects/twitter-account/definition.json) -
Twitter account.
* objects/twitter-list (https://github.com/MISP/misp-
objects/blob/main/objects/twitter-list/definition.json) - Twitter
list.
* objects/twitter-post (https://github.com/MISP/misp-
objects/blob/main/objects/twitter-post/definition.json) - Twitter
post (tweet).
* objects/url (https://github.com/MISP/misp-
objects/blob/main/objects/url/definition.json) - URL object
describing a URL along with its normalized fields (as extracted, for
example, with the faup parsing library) and its metadata.
* objects/user-account (https://github.com/MISP/misp-
objects/blob/main/objects/user-account/definition.json) - User-
account object, defining aspects of user identification,
authentication, privileges and other relevant data points.
* objects/vehicle (https://github.com/MISP/misp-
objects/blob/main/objects/vehicle/definition.json) - Vehicle
object template to describe vehicle information and registration.
* objects/victim (https://github.com/MISP/misp-
objects/blob/main/objects/victim/definition.json) - Victim object
describes the target of an attack or abuse.
* objects/virustotal-graph (https://github.com/MISP/misp-
objects/blob/main/objects/virustotal-graph/definition.json) -
VirusTotal graph.
* objects/virustotal-report (https://github.com/MISP/misp-
objects/blob/main/objects/virustotal-report/definition.json) -
VirusTotal report.
* objects/vulnerability (https://github.com/MISP/misp-
objects/blob/main/objects/vulnerability/definition.json) -
Vulnerability object describing a common vulnerability enumeration,
which can describe a published, unpublished, under-review or
embargoed vulnerability in software, equipment or hardware.
* objects/weakness (https://github.com/MISP/misp-
objects/blob/main/objects/weakness/definition.json) - Weakness
object describing a common weakness enumeration, which can describe a
usable, incomplete, draft or deprecated weakness in software,
equipment or hardware.
* objects/whois (https://github.com/MISP/misp-
objects/blob/main/objects/whois/definition.json) - Whois records
information for a domain name or an IP address.
* objects/windows-service (https://github.com/MISP/misp-
objects/blob/main/objects/windows-service/definition.json) -
Windows service and details about a service running on a Windows
operating system.
* objects/x509 (https://github.com/MISP/misp-
objects/blob/main/objects/x509/definition.json) - x509 object
describing an X.509 certificate.
* objects/yabin (https://github.com/MISP/misp-
objects/blob/main/objects/yabin/definition.json) - yabin.py
generates YARA rules from function prologs, for matching and
hunting binaries. ref: https://github.com/AlienVault-OTX/yabin.
* objects/yara (https://github.com/MISP/misp-
objects/blob/main/objects/yara/definition.json) - An object
describing a YARA rule (or a YARA rule name) along with its
version.
* objects/youtube-channel (https://github.com/MISP/misp-
objects/blob/main/objects/youtube-channel/definition.json) - A
YouTube channel.
* objects/youtube-comment (https://github.com/MISP/misp-
objects/blob/main/objects/youtube-comment/definition.json) - A
YouTube video comment.
* objects/youtube-playlist (https://github.com/MISP/misp-
objects/blob/main/objects/youtube-playlist/definition.json) - A
YouTube playlist.
* objects/youtube-video (https://github.com/MISP/misp-
objects/blob/main/objects/youtube-video/definition.json) - A
YouTube video.
4. Acknowledgements
The authors wish to thank the whole MISP community for supporting
the creation of open standards in threat intelligence sharing.
5. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>.
[RFC8259] Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
Interchange Format", STD 90, RFC 8259,
DOI 10.17487/RFC8259, December 2017,
<https://www.rfc-editor.org/info/rfc8259>.
6. Informative References
[MISP-O] Community, M., "MISP Objects - shared and common object
templates", <https://github.com/MISP/misp-objects>.
[MISP-O-DOC]
Community, M., "MISP objects directory", 2018,
<https://www.misp-project.org/objects.html>.
Authors' Addresses
Alexandre Dulaunoy
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1611 Luxembourg
Luxembourg
Phone: +352 247 88444
Email: alexandre.dulaunoy@circl.lu
Andras Iklody
Computer Incident Response Center Luxembourg
16, bd d'Avranches
L-L-1611 Luxembourg
Luxembourg
Phone: +352 247 88444
Email: andras.iklody@circl.lu