diff --git a/objects.html b/objects.html
index 4d1eed3..5b78642 100755
--- a/objects.html
+++ b/objects.html
@@ -440,6 +440,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
sensor
+text
The AIL sensor uuid where the leak was processed and analysed.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
++
type
text
sensor
text
raw-data
attachment
The AIL sensor uuid where the leak was processed and analysed.
+Raw data as received by the AIL sensor compressed and encoded in Base64.
+
origin
+text
The link where the leak is (or was) accessible at first-seen.
++
duplicate
text
A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app)..
+text |
-text |
++ + | ++android-permission is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||||||
---|---|---|---|---|---|---|---|---|---|---|
comment |
+comment |
- A description of the leak which could include the potential victim(s) or description of the leak. +Comment about the set of android permission(s) |
- +
|
|||||||
raw-data |
-attachment |
-
- Raw data as received by the AIL sensor compressed and encoded in Base64. - |
-
- - |
-|||||||
original-date |
-datetime |
-
- When the information available in the leak was created. It’s usually before the first-seen. - |
-
- - |
-|||||||
origin |
+permission |
text |
- The link where the leak is (or was) accessible at first-seen. +Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 
'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL'] |
@@ -694,36 +753,6 @@ asn is a MISP object available in JSON format at description |
-text |
-
- Description of the autonomous system - |
-
- - |
-|||
export |
-text |
-
- The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format - |
-
- - |
-|||||||
subnet-announced |
-ip-src |
-
- Subnet announced - |
-
- - |
-|||||||
country |
text |
@@ -734,16 +763,6 @@ asn is a MISP object available in JSON format at mp-export |
-text |
-
- This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format - |
-
- - |
-|||||
last-seen |
datetime |
@@ -754,20 +773,20 @@ asn is a MISP object available in JSON format at asn |
-AS |
+subnet-announced |
+ip-src |
- Autonomous System Number +Subnet announced |
|
|||
mp-import |
-text |
+first-seen |
+datetime |
- The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format +First time the ASN was seen |
@@ -784,10 +803,50 @@ asn is a MISP object available in JSON format at first-seen |
-datetime |
+description |
+text |
- First time the ASN was seen +Description of the autonomous system + |
+
+ + |
+
mp-export |
+text |
+
+ This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format + |
+
+ + |
+|||||||
mp-import |
+text |
+
+ The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format + |
+
+ + |
+|||||||
asn |
+AS |
+
+ Autonomous System Number + |
+
+ + |
+|||||||
export |
+text |
+
+ The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format |
@@ -832,6 +891,16 @@ av-signature is a MISP object available in JSON format at signature |
+text |
+
+ Name of detection signature + |
+
+ + |
+||||
software |
text |
@@ -852,16 +921,6 @@ av-signature is a MISP object available in JSON format at signature |
-text |
-
- Name of detection signature - |
-
- - |
-|||||
text |
text |
@@ -910,16 +969,6 @@ cookie is a MISP object available in JSON format at type |
-text |
-
- Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing'] - |
-
- - |
-|||||
cookie |
cookie |
@@ -930,16 +979,6 @@ cookie is a MISP object available in JSON format at text |
-text |
-
- A description of the cookie. - |
-
- - |
-|||||
cookie-name |
text |
@@ -950,6 +989,16 @@ cookie is a MISP object available in JSON format at type |
+text |
+
+ Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing'] + |
+
+ + |
+|||||
cookie-value |
text |
|||||||||
text |
+text |
+
+ A description of the cookie. + |
+
+ + |
+
type
+text
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+A description of the credential(s)
++
password
text
Password
++
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
@@ -1018,40 +1097,10 @@ credential is a MISP object available in JSON format at
password
type
text
Password
--
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
text
text
A description of the credential(s)
--
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
comment
-comment
A description of the card.
--
issued
datetime
Initial date of validity or issued date.
--
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
version
text
comment
comment
A description of the card.
++
name
text
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
expiration
datetime
issued
datetime
Initial date of validity or issued date.
++
ip-dst
+ip-dst
Destination IP (victim)
++
total-bps
counter
domain-dst
domain
dst-port
port
Destination domain (victim)
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
total-pps
counter
Packets per second
--
ip-src
ip-src
IP address originating the attack
+Destination port of the attack
@@ -1274,10 +1313,30 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
protocol
text
Destination IP (victim)
+Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-src
ip-src
IP address originating the attack
++
src-port
port
Port originating the attack
@@ -1304,20 +1363,20 @@ ddos is a MISP object available in JSON format at
dst-port
port
domain-dst
domain
Destination port of the attack
+Destination domain (victim)
src-port
port
total-pps
counter
Port originating the attack
+Packets per second
@@ -1362,6 +1421,16 @@ domain-ip is a MISP object available in JSON format at
text
text
A description of the tuple
++
ip
ip-dst
text
text
A description of the tuple
--
last-seen
datetime
arch
text
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Free text value to attach to the ELF
++
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
@@ -1480,16 +1549,6 @@ elf is a MISP object available in JSON format at
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
entrypoint-address
text
text
arch
text
Free text value to attach to the ELF
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+
sha256
-sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
name
text
text
Name of the section
+Free text value to attach to the section
@@ -1588,6 +1627,56 @@ elf-section is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha512
sha512
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
md5
md5
[Insecure] MD5 hash (128 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section
++
flag
text
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
text
text
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
sha224
sha224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -1736,36 +1795,6 @@ email is a MISP object available in JSON format at
send-date
datetime
Date the email has been sent
--
header
email-header
Full headers
--
attachment
email-attachment
Attachment
--
thread-index
email-thread-index
to
email-dst
header
email-header
Destination email address
--
subject
email-subject
Subject
+Full headers
@@ -1806,26 +1825,6 @@ email is a MISP object available in JSON format at
reply-to
email-reply-to
Email address the reply will be sent to
--
from
email-src
Sender email address
--
message-id
email-message-id
cc
email-dst
Carbon copy
--
from-display-name
email-src-display-name
to-display-name
email-dst-display-name
cc
email-dst
Display name of the receiver
+Carbon copy
screenshot
attachment
to
email-dst
Screenshot of email
+Destination email address
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
attachment
email-attachment
Attachment
@@ -1886,10 +1895,60 @@ email is a MISP object available in JSON format at
x-mailer
email-x-mailer
send-date
datetime
X-Mailer generally tells the program that was used to draft and send the original email
+Date the email has been sent
++
reply-to
email-reply-to
Email address the reply will be sent to
++
to-display-name
email-dst-display-name
Display name of the receiver
++
from
email-src
Sender email address
++
screenshot
attachment
Screenshot of email
++
subject
email-subject
Subject
@@ -1934,40 +1993,20 @@ file is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
text
text
Size of the file, in bytes
+Free text value to attach to the file
md5
md5
sha1
sha1
[Insecure] MD5 hash (128 bits)
--
malware-sample
malware-sample
The file itself (binary)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
+[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -1984,20 +2023,60 @@ file is a MISP object available in JSON format at
sha1
sha1
tlsh
tlsh
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
filename
filename
sha512/224
sha512/224
Filename on disk
+Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
mimetype
text
Mime type
++
authentihash
authentihash
Authenticode executable signature hash
@@ -2014,26 +2093,6 @@ file is a MISP object available in JSON format at
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
mimetype
text
md5
md5
Mime type
--
text
text
Free text value to attach to the file
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
authentihash
authentihash
Authenticode executable signature hash
+[Insecure] MD5 hash (128 bits)
@@ -2114,6 +2123,56 @@ file is a MISP object available in JSON format at
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
malware-sample
malware-sample
The file itself (binary)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
filename
filename
Filename on disk
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
state
text
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
country
text
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
city
text
City.
++
first-seen
datetime
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
region
text
text
text
latitude
float
A generic description of the location.
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
city
text
text
City.
--
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+A generic description of the location.
@@ -2290,36 +2349,6 @@ http-request is a MISP object available in JSON format at
proxy-user
text
HTTP Proxy Username
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
host
hostname
The domain name of the server
--
text
text
basicauth-user
text
host
hostname
HTTP Basic Authentication Username
+The domain name of the server
@@ -2370,6 +2399,16 @@ http-request is a MISP object available in JSON format at
proxy-password
text
HTTP Proxy Password
++
uri
uri
basicauth-user
text
HTTP Basic Authentication Username
++
url
url
proxy-user
text
HTTP Proxy Username
++
cookie
text
proxy-password
text
method
http-method
HTTP Proxy Password
+HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+
ip
-ip-dst
IP Address
--
last-seen
datetime
Last time the tuple has been seen
--
text
text
first-seen
datetime
First time the tuple has been seen
--
dst-port
port
first-seen
datetime
First time the tuple has been seen
++
last-seen
datetime
Last time the tuple has been seen
++
src-port
port
ip
ip-dst
IP Address
++
description
-text
ip-dst
ip-dst
Type of detected software ie software, malware
--
last-seen
datetime
Last seen of the SSL/TLS handshake
+Destination IP address
@@ -2586,10 +2635,10 @@ ja3 is a MISP object available in JSON format at
ip-dst
ip-dst
last-seen
datetime
Destination IP address
+Last seen of the SSL/TLS handshake
description
text
Type of detected software ie software, malware
++
entrypoint-address
+text
Address of the entry point
++
number-sections
counter
text
text
Free text value to attach to the Mach-O file
++
name
text
text
text
Free text value to attach to the Mach-O file
--
entrypoint-address
text
Address of the entry point
--
sha256
-sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
name
text
text
Name of the section
+Free text value to attach to the section
@@ -2782,6 +2821,46 @@ macho-section is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
text
text
md5
md5
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section
++
size-in-bytes
size-in-bytes
sha224
sha224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -2920,6 +2979,16 @@ microblog is a MISP object available in JSON format at
username
text
Username who posted the microblog post
++
type
text
modification-date
datetime
Last update of the microblog post
--
username
text
Username who posted the microblog post
--
url
url
removal-date
modification-date
datetime
When the microblog post was removed
+Last update of the microblog post
removal-date
datetime
When the microblog post was removed
++
ip-protocol-number
-size-in-bytes
ip-src
ip-src
IP protocol number of this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
last-packet-seen
datetime
Last packet seen in this flow
--
tcp-flags
text
TCP flags of the flow
--
dst-as
AS
Destination AS number for this flow
--
byte-count
counter
Bytes counted in this flow
--
src-as
AS
Source AS number for this flow
+IP address source of the netflow
@@ -3118,6 +3117,36 @@ netflow is a MISP object available in JSON format at
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
flow-count
counter
Flows counted in this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
icmp-type
text
first-packet-seen
datetime
First packet seen in this flow
++
src-as
AS
Source AS number for this flow
++
ip-dst
ip-dst
IP address destination of the netflow
++
src-port
port
first-packet-seen
datetime
dst-as
AS
First packet seen in this flow
+Destination AS number for this flow
packet-count
counter
last-packet-seen
datetime
Packets counted in this flow
+Last packet seen in this flow
+
ip-src
-ip-src
IP address source of the netflow
--
ip-dst
ip-dst
IP address destination of the netflow
--
flow-count
byte-count
counter
Flows counted in this flow
+Bytes counted in this flow
++
tcp-flags
text
TCP flags of the flow
++
packet-count
counter
Packets counted in this flow
@@ -3246,46 +3305,6 @@ passive-dns is a MISP object available in JSON format at
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
rrname
text
Resource Record name of the queried resource
--
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
count
counter
sensor_id
text
zone_time_last
datetime
Sensor information where the record was seen
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
rdata
origin
text
Resource records of the queried resource
+Origin of the Passive DNS response
@@ -3336,10 +3355,50 @@ passive-dns is a MISP object available in JSON format at
zone_time_last
zone_time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
rdata
text
Resource records of the queried resource
++
rrname
text
Resource Record name of the queried resource
@@ -3356,10 +3415,10 @@ passive-dns is a MISP object available in JSON format at
origin
sensor_id
text
Origin of the Passive DNS response
+Sensor information where the record was seen
@@ -3424,16 +3483,6 @@ paste is a MISP object available in JSON format at
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
url
url
paste
text
Raw text of the paste or post
--
first-seen
datetime
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
paste
text
Raw text of the paste or post
++
legal-copyright
+lang-id
text
LegalCopyright in the resources
--
company-name
text
CompanyName in the resources
--
file-description
text
FileDescription in the resources
--
entrypoint-address
text
Address of the entry point
--
internal-filename
filename
InternalFilename in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
product-version
text
ProductVersion in the resources
+Lang ID in the resources
@@ -3582,13 +3581,13 @@ pe is a MISP object available in JSON format at
file-version
text
pehash
pehash
FileVersion in the resources
+Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+
number-sections
-counter
file-description
text
Number of sections
+FileDescription in the resources
product-name
file-version
text
ProductName in the resources
+FileVersion in the resources
@@ -3642,6 +3641,56 @@ pe is a MISP object available in JSON format at
product-version
text
ProductVersion in the resources
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
number-sections
counter
Number of sections
++
legal-copyright
text
LegalCopyright in the resources
++
company-name
text
CompanyName in the resources
++
compilation-timestamp
datetime
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
impfuzzy
impfuzzy
lang-id
entrypoint-address
text
Lang ID in the resources
+Address of the entry point
++
internal-filename
filename
InternalFilename in the resources
++
product-name
text
ProductName in the resources
@@ -3720,40 +3779,10 @@ pe-section is a MISP object available in JSON format at
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
characteristic
text
text
Characteristic of the section ['read', 'write', 'executable']
--
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+Free text value to attach to the section
@@ -3770,6 +3799,56 @@ pe-section is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha512
sha512
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
text
text
md5
md5
Free text value to attach to the section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
size-in-bytes
size-in-bytes
sha224
sha224
sha512/256
sha512/256
Secure Hash Algorithm 2 (224 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Secure Hash Algorithm 2 (256 bits)
@@ -3898,20 +3957,10 @@ person is a MISP object available in JSON format at
redress-number
redress-number
date-of-birth
date-of-birth
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
first-name
first-name
First name of a natural person.
+Date of birth of a natural person (in YYYY-MM-DD format).
@@ -3928,40 +3977,10 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
passport-number
passport-number
Date of birth of a natural person (in YYYY-MM-DD format).
--
passport-country
passport-country
The country in which the passport was issued.
--
nationality
nationality
The nationality of a natural person.
--
middle-name
middle-name
Middle name of a natural person
+The passport number of a natural person.
@@ -3988,20 +4007,10 @@ person is a MISP object available in JSON format at
last-name
last-name
nationality
nationality
Last name of a natural person.
--
passport-number
passport-number
The passport number of a natural person.
+The nationality of a natural person.
first-name
first-name
First name of a natural person.
++
passport-country
passport-country
The country in which the passport was issued.
++
middle-name
middle-name
Middle name of a natural person
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
last-name
last-name
Last name of a natural person.
++
imei
+gummei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
@@ -4086,26 +4135,6 @@ phone is a MISP object available in JSON format at
serial-number
text
Serial Number.
--
text
text
A description of the phone.
--
imsi
text
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
--
first-seen
datetime
gummei
tmsi
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
serial-number
text
Serial Number.
++
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
text
text
A description of the phone.
++
memory-allocations
-counter
Amount of memory allocations
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
callback-largest
counter
Largest callback
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
text
text
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
referenced-strings
counter
total-functions
dangling-strings
counter
Total amount of functions in the file.
--
get-proc-address
counter
Amount of calls to GetProcAddress
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
not-referenced-strings
counter
Amount of not referenced strings
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
@@ -4324,30 +4293,10 @@ r2graphity is a MISP object available in JSON format at
ratio-string
float
callback-largest
counter
Ratio: amount of referenced strings per kilobyte of code section
--
gml
attachment
Graph export in G>raph Modelling Language format
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
+Largest callback
@@ -4364,10 +4313,70 @@ r2graphity is a MISP object available in JSON format at
dangling-strings
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
r2-commit-version
text
Radare2 commit ID used to generate this object
++
memory-allocations
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
+Amount of memory allocations
++
not-referenced-strings
counter
Amount of not referenced strings
++
total-functions
counter
Total amount of functions in the file.
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
@@ -4384,10 +4393,10 @@ r2graphity is a MISP object available in JSON format at
unknown-references
miss-api
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Amount of API call reference that does not resolve to a function offset
@@ -4404,6 +4413,36 @@ r2graphity is a MISP object available in JSON format at
gml
attachment
Graph export in G>raph Modelling Language format
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
callbacks
counter
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
data-type
-reg-datatype
data
reg-data
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Data stored in the registry key
@@ -4550,10 +4609,10 @@ registry-key is a MISP object available in JSON format at
last-modified
datetime
data-type
reg-datatype
Last time the registry key has been modified
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
@@ -4570,10 +4629,10 @@ registry-key is a MISP object available in JSON format at
data
reg-data
last-modified
datetime
Data stored in the registry key
+Last time the registry key has been modified
@@ -4618,20 +4677,20 @@ report is a MISP object available in JSON format at
summary
case-number
text
Free text summary of the report
+Case number
case-number
summary
text
Case number
+Free text summary of the report
@@ -4676,26 +4735,6 @@ rtir is a MISP object available in JSON format at
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
ticket-number
text
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
classification
text
queue
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
status
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
@@ -4784,46 +4843,36 @@ tor-node is a MISP object available in JSON format at
fingerprint
text
text
router’s fingerprint.
--
description
text
Tor node description.
+Tor node comment.
published
address
ip-src
IP address of the Tor node seen.
++
first-seen
datetime
router’s publication time. This can be different from first-seen and last-seen.
+When the Tor node designed by the IP address has been seen for the first time.
version_line
text
versioning information reported by the node.
--
last-seen
datetime
text
flags
text
Tor node comment.
+list of flag associated with the node.
++
version_line
text
versioning information reported by the node.
++
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
flags
version
text
list of flag associated with the node.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
@@ -4874,30 +4943,20 @@ tor-node is a MISP object available in JSON format at
version
description
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
+Tor node description.
address
ip-src
fingerprint
text
IP address of the Tor node seen.
+router’s fingerprint.
@@ -4942,30 +5001,10 @@ url is a MISP object available in JSON format at
scheme
credential
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
domain_without_tld
text
Domain without Top-Level Domain
--
last-seen
datetime
Last time this URL has been seen
+Credential (username, password)
@@ -4982,50 +5021,10 @@ url is a MISP object available in JSON format at
query_string
text
first-seen
datetime
Query (after path, preceded by '?')
--
tld
text
Top-Level Domain
--
domain
domain
Full domain
--
port
port
Port number
--
credential
text
Credential (username, password)
+First time this URL has been seen
@@ -5042,20 +5041,10 @@ url is a MISP object available in JSON format at
url
url
last-seen
datetime
Full URL
--
host
hostname
Full hostname
+Last time this URL has been seen
@@ -5072,16 +5061,26 @@ url is a MISP object available in JSON format at
first-seen
datetime
host
hostname
First time this URL has been seen
+Full hostname
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
subdomain
text
tld
text
Top-Level Domain
++
port
port
Port number
++
url
url
Full URL
++
domain_without_tld
text
Domain without Top-Level Domain
++
domain
domain
Full domain
++
query_string
text
Query (after path, preceded by '?')
++
roles
-text
The list of roles targeted within the victim.
--
description
text
Description of the victim
--
sectors
text
classification
roles
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
+The list of roles targeted within the victim.
description
text
Description of the victim
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
last-submission
-datetime
Last Submission
--
community-score
text
Community Score
--
first-submission
datetime
community-score
text
Community Score
++
detection-ratio
text
last-submission
datetime
Last Submission
++
references
-link
id
vulnerability
External references
--
summary
text
Summary of the vulnerability
--
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
--
published
datetime
Initial publication date
+Vulnerability ID (generally CVE, but not necessarely)
@@ -5366,6 +5395,16 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
++
modified
datetime
id
vulnerability
published
datetime
Vulnerability ID (generally CVE, but not necessarely)
+Initial publication date
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
summary
text
Summary of the vulnerability
@@ -5424,30 +5483,10 @@ whois is a MISP object available in JSON format at
registar
whois-registrar
text
text
Registrar of the whois entry
--
domain
domain
Domain of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
+Full whois entry
@@ -5464,30 +5503,10 @@ whois is a MISP object available in JSON format at
creation-date
datetime
registrant-name
whois-registrant-name
Initial creation of the whois entry
--
registrant-email
whois-registrant-email
Registrant email address
--
text
text
Full whois entry
+Registrant name
@@ -5504,10 +5523,50 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
registrant-phone
whois-registrant-phone
Registrant name
+Registrant phone number
++
registrant-email
whois-registrant-email
Registrant email address
++
creation-date
datetime
Initial creation of the whois entry
++
registar
whois-registrar
Registrar of the whois entry
++
domain
domain
Domain of the whois entry
@@ -5552,36 +5611,6 @@ x509 is a MISP object available in JSON format at
validity-not-after
datetime
Certificate invalid after that date
--
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
serial-number
text
Serial number of the certificate
--
text
text
subject
pubkey-info-algorithm
text
Subject of the certificate
--
issuer
text
Issuer of the certificate
--
validity-not-before
datetime
Certificate invalid before that date
--
pubkey-info-modulus
text
Modulus of the public key
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-exponent
text
Exponent of the public key
--
raw-base64
text
Raw certificate base64 encoded
+Algorithm of the public key
@@ -5682,6 +5641,46 @@ x509 is a MISP object available in JSON format at
raw-base64
text
Raw certificate base64 encoded
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
issuer
text
Issuer of the certificate
++
pubkey-info-exponent
text
Exponent of the public key
++
pubkey-info-size
text
pubkey-info-algorithm
pubkey-info-modulus
text
Algorithm of the public key
+Modulus of the public key
++
serial-number
text
Serial number of the certificate
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
validity-not-before
datetime
Certificate invalid before that date
++
validity-not-after
datetime
Certificate invalid after that date
++
subject
text
Subject of the certificate
@@ -5760,13 +5819,13 @@ yabin is a MISP object available in JSON format at
whitelist
comment
yara
yara
Whitelist name used to generate the rules.
+Yara rule generated from -y.
+
yara
-yara
whitelist
comment
Yara rule generated from -y.
+Whitelist name used to generate the rules.
+