From 1a7960abbd543bf6f482048e495158c7562bf349 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Sun, 19 Nov 2017 17:02:03 +0100
Subject: [PATCH] MISP objects updated
---
objects.html | 3308 +-
objects.pdf | 143870 ++++++++++++++++++++++++------------------------
2 files changed, 73857 insertions(+), 73321 deletions(-)
diff --git a/objects.html b/objects.html
index 3190667..8a7aefd 100755
--- a/objects.html
+++ b/objects.html
@@ -556,10 +556,10 @@ ail-leak is a MISP object available in JSON format at raw-data
text
text
Raw data as received by the AIL sensor compressed and encoded in Base64.
+A description of the leak which could include the potential victim(s) or description of the leak.
@@ -576,26 +576,6 @@ ail-leak is a MISP object available in JSON format at
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
sensor
text
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
origin
link
text
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
raw-data
text
A description of the leak which could include the potential victim(s) or description of the leak.
+Raw data as received by the AIL sensor compressed and encoded in Base64.
@@ -674,16 +674,6 @@ asn is a MISP object available in JSON format at
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
import
text
asn
as
export
text
Autonomous System Number
+The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
first-seen
datetime
mp-export
text
First time the ASN was seen
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
@@ -724,6 +714,26 @@ asn is a MISP object available in JSON format at
asn
AS
Autonomous System Number
++
description
text
Description of the autonomous system
++
last-seen
datetime
first-seen
datetime
First time the ASN was seen
++
mp-import
text
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
description
text
Description of the autonomous system
--
cookie
+cookie
Full cookie
++
text
text
A description of the cookie.
++
cookie-name
text
cookie
cookie
Full cookie
--
text
text
A description of the cookie.
--
origin
-text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
--
username
text
Username related to the password(s)
--
notification
text
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
--
text
text
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
password
text
username
text
Username related to the password(s)
++
origin
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
++
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
issued
-datetime
cc-number
cc-number
Initial date of validity or issued date.
+credit-card number as encoded on the card.
@@ -1106,30 +1106,10 @@ credit-card is a MISP object available in JSON format at
comment
comment
A description of the card.
--
card-security-code
name
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
cc-number
cc-number
credit-card number as encoded on the card.
+Name of the card owner.
@@ -1146,10 +1126,30 @@ credit-card is a MISP object available in JSON format at
name
comment
comment
A description of the card.
++
issued
datetime
Initial date of validity or issued date.
++
card-security-code
text
Name of the card owner.
+Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
@@ -1204,26 +1204,6 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
Destination ID (victim)
--
total-bps
counter
Bits per second
--
ip-src
ip-src
last-seen
datetime
End of the attack
--
first-seen
datetime
Beginning of the attack
--
total-pps
counter
Packets per second
--
src-port
port
Port originating the attack
--
text
text
src-port
port
Port originating the attack
++
protocol
text
total-bps
counter
Bits per second
++
total-pps
counter
Packets per second
++
last-seen
datetime
End of the attack
++
ip-dst
ip-dst
Destination ID (victim)
++
first-seen
datetime
Beginning of the attack
++
first-seen
-datetime
First time the tuple has been seen
--
text
text
first-seen
datetime
First time the tuple has been seen
++
number-sections
-counter
Number of sections
--
entrypoint-address
text
arch
text
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Free text value to attach to the ELF
+
text
+arch
text
Free text value to attach to the ELF
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
++
number-sections
counter
Number of sections
@@ -1518,30 +1518,40 @@ elf-section is a MISP object available in JSON format at
text
text
sha384
sha384
Free text value to attach to the section
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (384 bits)
type
entropy
float
Entropy of the whole section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
name
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Name of the section
@@ -1558,20 +1568,50 @@ elf-section is a MISP object available in JSON format at
flag
text
sha1
sha1
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
+[Insecure] Secure Hash Algorithm 1 (160 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
name
md5
md5
[Insecure] MD5 hash (128 bits)
++
text
text
Name of the section
+Free text value to attach to the section
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
@@ -1598,26 +1638,6 @@ elf-section is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
ssdeep
ssdeep
entropy
float
flag
text
Entropy of the whole section
+Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
@@ -1706,60 +1706,20 @@ email is a MISP object available in JSON format at
cc
email-dst
send-date
datetime
Carbon copy
+Date the email has been sent
+
to-display-name
email-dst-display-name
mime-boundary
email-mime-boundary
Display name of the receiver
--
to
email-dst
Destination email address
--
message-id
email-message-id
Message ID
--
screenshot
attachment
Screenshot of email
--
header
email-header
Full headers
+MIME Boundary
@@ -1776,70 +1736,30 @@ email is a MISP object available in JSON format at
mime-boundary
email-mime-boundary
to-display-name
email-dst-display-name
MIME Boundary
+Display name of the receiver
x-mailer
email-x-mailer
from-display-name
email-src-display-name
X-Mailer generally tells the program that was used to draft and send the original email
+Display name of the sender
reply-to
email-reply-to
cc
email-dst
Email address the reply will be sent to
--
send-date
datetime
Date the email has been sent
--
from
email-src
Sender email address
--
attachment
email-attachment
Attachment
--
thread-index
email-thread-index
Identifies a particular conversation thread
+Carbon copy
@@ -1856,10 +1776,90 @@ email is a MISP object available in JSON format at
from-display-name
email-src-display-name
to
email-dst
Display name of the sender
+Destination email address
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
header
email-header
Full headers
++
attachment
email-attachment
Attachment
++
message-id
email-message-id
Message ID
++
reply-to
email-reply-to
Email address the reply will be sent to
++
from
email-src
Sender email address
++
screenshot
attachment
Screenshot of email
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
@@ -1904,33 +1904,43 @@ file is a MISP object available in JSON format at
malware-sample
malware-sample
sha384
sha384
The file itself (binary)
+Secure Hash Algorithm 2 (384 bits)
ssdeep
ssdeep
entropy
float
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Entropy of the whole file
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
md5
md5
mimetype
text
[Insecure] MD5 hash (128 bits)
+Mime type
+
authentihash
+authentihash
Authenticode executable signature hash
++
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
filename
filename
Filename on disk
++
pattern-in-file
pattern-in-file
mimetype
text
md5
md5
Mime type
+[Insecure] MD5 hash (128 bits)
+
state
-text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
sha512
sha512
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
filename
filename
Filename on disk
--
sha224
sha224
sha512/224
sha512/224
ssdeep
ssdeep
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
sha1
sha1
malware-sample
malware-sample
[Insecure] Secure Hash Algorithm 1 (160 bits)
+The file itself (binary)
authentihash
authentihash
Authenticode executable signature hash
--
entropy
float
Entropy of the whole file
--
city
+country
text
City.
+Country.
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
text
text
A generic description of the location.
++
first-seen
datetime
altitude
float
region
text
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
+Region.
++
city
text
City.
@@ -2172,26 +2202,6 @@ geolocation is a MISP object available in JSON format at
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
country
text
Country.
--
latitude
float
text
text
longitude
float
A generic description of the location.
+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
region
text
Region.
--
cookie
-text
url
url
An HTTP cookie previously sent by the server with Set-Cookie
+Full HTTP Request URL
url
url
basicauth-password
text
Full HTTP Request URL
+HTTP Basic Authentication Password
++
proxy-user
text
HTTP Proxy Username
@@ -2290,6 +2300,26 @@ http-request is a MISP object available in JSON format at
user-agent
user-agent
The user agent string of the user agent
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
uri
uri
text
text
HTTP Request comment
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
host
hostname
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
user-agent
user-agent
The user agent string of the user agent
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
proxy-user
text
HTTP Proxy Username
--
basicauth-user
text
basicauth-password
text
HTTP Basic Authentication Password
--
text
text
HTTP Request comment
--
first-seen
-datetime
text
text
First time the tuple has been seen
--
last-seen
datetime
Last time the tuple has been seen
+Description of the tuple
@@ -2478,10 +2468,20 @@ ip-port is a MISP object available in JSON format at
text
text
last-seen
datetime
Description of the tuple
+Last time the tuple has been seen
++
first-seen
datetime
First time the tuple has been seen
@@ -2526,20 +2526,10 @@ ja3 is a MISP object available in JSON format at
ip-dst
ip-dst
ja3-fingerprint-md5
md5
Destination IP address
--
first-seen
datetime
First seen of the SSL/TLS handshake
+Hash identifying source
@@ -2556,6 +2546,16 @@ ja3 is a MISP object available in JSON format at
description
text
Type of detected software ie software, malware
++
last-seen
datetime
ja3-fingerprint-md5
md5
ip-dst
ip-dst
Hash identifying source
+Destination IP address
description
text
first-seen
datetime
Type of detected software ie software, malware
+First seen of the SSL/TLS handshake
@@ -2624,16 +2624,6 @@ macho is a MISP object available in JSON format at
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
--
entrypoint-address
text
name
text
Binary’s name
--
number-sections
counter
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
name
text
Binary’s name
++
text
+sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
entropy
float
Entropy of the whole section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
name
text
Free text value to attach to the section
+Name of the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
@@ -2732,20 +2792,10 @@ macho-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
name
text
text
Name of the section
+Free text value to attach to the section
@@ -2772,26 +2822,6 @@ macho-section is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
ssdeep
ssdeep
entropy
float
Entropy of the whole section
--
modification-date
+creation-date
datetime
Last update of the microblog post
+Initial creation of the microblog post
++
removal-date
datetime
When the microblog post was removed
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
url
url
Original URL location of the microblog post
@@ -2910,36 +2940,6 @@ microblog is a MISP object available in JSON format at
url
url
Original URL location of the microblog post
--
creation-date
datetime
Initial creation of the microblog post
--
link
url
Link into the microblog post
--
username-quoted
text
type
text
modification-date
datetime
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+Last update of the microblog post
removal-date
datetime
link
url
When the microblog post was removed
+Link into the microblog post
@@ -3008,10 +3008,10 @@ netflow is a MISP object available in JSON format at
direction
text
ip_version
counter
Direction of this flow ['Ingress', 'Egress']
+IP version of this flow
@@ -3038,50 +3038,20 @@ netflow is a MISP object available in JSON format at
byte-count
flow-count
counter
Bytes counted in this flow
+Flows counted in this flow
ip_version
counter
first-packet-seen
datetime
IP version of this flow
--
src-port
port
Source port of the netflow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
ip-dst
ip-dst
IP address destination of the netflow
+First packet seen in this flow
@@ -3098,30 +3068,20 @@ netflow is a MISP object available in JSON format at
packet-count
counter
src-as
AS
Packets counted in this flow
+Source AS number for this flow
+
ip-protocol-number
size-in-bytes
ip-dst
ip-dst
IP protocol number of this flow
--
ip-src
ip-src
IP address source of the netflow
+IP address destination of the netflow
@@ -3138,20 +3098,50 @@ netflow is a MISP object available in JSON format at
src-as
AS
ip-src
ip-src
Source AS number for this flow
+IP address source of the netflow
flow-count
direction
text
Direction of this flow ['Ingress', 'Egress']
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
src-port
port
Source port of the netflow
++
packet-count
counter
Flows counted in this flow
+Packets counted in this flow
@@ -3168,13 +3158,23 @@ netflow is a MISP object available in JSON format at
first-packet-seen
datetime
byte-count
counter
First packet seen in this flow
+Bytes counted in this flow
+
+
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
+
rdata
+sensor_id
text
Resource records of the queried resource
--
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
+Sensor information where the record was seen
@@ -3246,6 +3236,16 @@ passive-dns is a MISP object available in JSON format at
rrname
text
Resource Record name of the queried resource
++
rrtype
text
rdata
text
Resource records of the queried resource
++
origin
text
rrname
text
zone_time_first
datetime
Resource Record name of the queried resource
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -3286,6 +3296,16 @@ passive-dns is a MISP object available in JSON format at
text
text
+
+
count
counter
text
bailiwick
text
-
-
sensor_id
text
Sensor information where the record was seen
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+Best estimate of the apex of the zone where this data is authoritative
@@ -3374,6 +3374,16 @@ paste is a MISP object available in JSON format at
title
text
Title of the paste or post.
++
paste
text
first-seen
datetime
When the paste has been accessible or seen for the first time.
--
url
url
title
text
Title of the paste or post.
--
last-seen
datetime
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
legal-copyright
-text
LegalCopyright in the resources
--
lang-id
text
Lang ID in the resources
--
number-sections
counter
Number of sections
--
entrypoint-address
text
compilation-timestamp
datetime
pehash
pehash
Compilation timestamp defined in the PE header
--
company-name
text
CompanyName in the resources
--
internal-filename
filename
InternalFilename in the resources
+Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
@@ -3552,56 +3502,6 @@ pe is a MISP object available in JSON format at
product-version
text
ProductVersion in the resources
--
imphash
imphash
Hash (md5) calculated from the import table
--
original-filename
filename
OriginalFilename in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
file-description
text
FileDescription in the resources
--
product-name
text
file-version
product-version
text
FileVersion in the resources
+ProductVersion in the resources
++
lang-id
text
Lang ID in the resources
@@ -3632,10 +3542,40 @@ pe is a MISP object available in JSON format at
type
internal-filename
filename
InternalFilename in the resources
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
file-version
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
+FileVersion in the resources
++
legal-copyright
text
LegalCopyright in the resources
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
file-description
text
FileDescription in the resources
++
original-filename
filename
OriginalFilename in the resources
++
number-sections
counter
Number of sections
++
company-name
text
CompanyName in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
text
+sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
entropy
float
Entropy of the whole section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
name
text
Free text value to attach to the section
+Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
@@ -3710,6 +3770,16 @@ pe-section is a MISP object available in JSON format at
text
text
Free text value to attach to the section
++
characteristic
text
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
ssdeep
ssdeep
entropy
float
Entropy of the whole section
--
last-name
-last-name
nationality
nationality
Last name of a natural person.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
first-name
first-name
First name of a natural person.
+The nationality of a natural person.
@@ -3918,20 +3888,10 @@ person is a MISP object available in JSON format at
middle-name
middle-name
last-name
last-name
Middle name of a natural person
--
passport-country
passport-country
The country in which the passport was issued.
+Last name of a natural person.
@@ -3948,6 +3908,26 @@ person is a MISP object available in JSON format at
passport-country
passport-country
The country in which the passport was issued.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
passport-number
passport-number
nationality
nationality
first-name
first-name
The nationality of a natural person.
+First name of a natural person.
++
text
text
A description of the person or identity.
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
@@ -3978,13 +3978,13 @@ person is a MISP object available in JSON format at
text
text
middle-name
middle-name
A description of the person or identity.
+Middle name of a natural person
+
text
-text
A description of the phone.
--
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
--
guti
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
serial-number
text
text
text
A description of the phone.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
tmsi
text
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
total-functions
+memory-allocations
counter
Total amount of functions in the file.
+Amount of memory allocations
++
gml
attachment
Graph export in G>raph Modelling Language format
++
local-references
counter
Amount of API calls inside a code section
@@ -4184,20 +4204,30 @@ r2graphity is a MISP object available in JSON format at
callback-average
callbacks
counter
Average size of a callback
+Amount of callbacks (functions started as thread)
dangling-strings
shortest-path-to-create-thread
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
+Shortest path to the first time the binary calls CreateThread
++
text
text
Description of the r2graphity object
@@ -4224,10 +4254,50 @@ r2graphity is a MISP object available in JSON format at
callbacks
referenced-strings
counter
Amount of callbacks (functions started as thread)
+Amount of referenced strings
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
callback-largest
counter
Largest callback
@@ -4244,10 +4314,10 @@ r2graphity is a MISP object available in JSON format at
unknown-references
counter
ratio-string
float
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Ratio: amount of referenced strings per kilobyte of code section
@@ -4274,20 +4344,20 @@ r2graphity is a MISP object available in JSON format at
miss-api
counter
ratio-functions
float
Amount of API call reference that does not resolve to a function offset
+Ratio: amount of functions per kilobyte of code section
ratio-string
float
callback-average
counter
Ratio: amount of referenced strings per kilobyte of code section
+Average size of a callback
@@ -4304,80 +4374,10 @@ r2graphity is a MISP object available in JSON format at
local-references
total-functions
counter
Amount of API calls inside a code section
--
gml
attachment
Graph export in G>raph Modelling Language format
--
text
text
Description of the r2graphity object
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
referenced-strings
counter
Amount of referenced strings
--
memory-allocations
counter
Amount of memory allocations
--
callback-largest
counter
Largest callback
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
+Total amount of functions in the file.
@@ -4422,13 +4422,13 @@ regexp is a MISP object available in JSON format at
regexp-type
regexp
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+regexp
+
regexp
+regexp-type
text
regexp
+Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+
data-type
-reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
hive
reg-hive
data
reg-data
Data stored in the registry key
--
key
reg-key
Full key path
--
name
reg-name
key
reg-key
Full key path
++
last-modified
datetime
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
data
reg-data
Data stored in the registry key
++
constituency
+text
Constituency of the RTIR ticket
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
status
text
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
subject
text
constituency
text
Constituency of the RTIR ticket
--
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
document
-text
Raw document from the consensus.
--
address
ip-src
IP address of the Tor node seen.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
fingerprint
text
router’s fingerprint.
--
version_line
text
versioning information reported by the node.
--
description
text
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
flags
text
nickname
text
router’s nickname.
++
address
ip-src
IP address of the Tor node seen.
++
fingerprint
text
router’s fingerprint.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
version_line
text
versioning information reported by the node.
++
text
text
nickname
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
document
text
router’s nickname.
+Raw document from the consensus.
++
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
@@ -4912,6 +4912,36 @@ url is a MISP object available in JSON format at
query_string
text
Query (after path, preceded by '?')
++
host
hostname
Full hostname
++
last-seen
datetime
Last time this URL has been seen
++
domain
domain
query_string
resource_path
text
Query (after path, preceded by '?')
+Path (between hostname:port and query)
++
domain_without_tld
text
Domain without Top-Level Domain
@@ -4942,10 +4982,10 @@ url is a MISP object available in JSON format at
url
url
fragment
text
Full URL
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
@@ -4982,6 +5022,16 @@ url is a MISP object available in JSON format at
url
url
Full URL
++
scheme
text
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
host
hostname
Full hostname
--
credential
text
Credential (username, password)
--
domain_without_tld
text
Domain without Top-Level Domain
--
last-seen
datetime
Last time this URL has been seen
--
text
text
resource_path
credential
text
Path (between hostname:port and query)
+Credential (username, password)
@@ -5100,16 +5100,6 @@ victim is a MISP object available in JSON format at
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
classification
text
regions
text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
roles
text
permalink
link
Permalink Reference
++
first-submission
datetime
community-score
text
Community Score
--
detection-ratio
text
permalink
link
community-score
text
Permalink Reference
+Community Score
+
id
-vulnerability
Vulnerability ID (generally CVE, but not necessarely)
--
summary
text
published
datetime
Initial publication date
--
references
link
External references
--
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
--
text
text
published
datetime
Initial publication date
++
modified
datetime
references
link
External references
++
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
creation-date
+datetime
Initial creation of the whois entry
++
registrant-name
whois-registrant-name
Registrant name
++
domain
domain
modification-date
datetime
Last update of the whois entry
--
registar
whois-registrar
Registrar of the whois entry
--
registrant-email
whois-registrant-email
creation-date
datetime
Initial creation of the whois entry
--
registrant-phone
whois-registrant-phone
registrant-name
whois-registrant-name
registar
whois-registrar
Registrant name
+Registrar of the whois entry
++
modification-date
datetime
Last update of the whois entry
@@ -5522,26 +5522,6 @@ x509 is a MISP object available in JSON format at
version
text
Version of the certificate
--
subject
text
Subject of the certificate
--
raw-base64
text
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
issuer
text
Issuer of the certificate
--
pubkey-info-modulus
text
Modulus of the public key
--
serial-number
text
x509-fingerprint-sha256
sha256
version
text
Secure Hash Algorithm 2 (256 bits)
--
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
validity-not-after
datetime
Certificate invalid after that date
+Version of the certificate
@@ -5632,10 +5562,40 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
pubkey-info-modulus
text
Length of the public key (in bits)
+Modulus of the public key
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
issuer
text
Issuer of the certificate
++
subject
text
Subject of the certificate
@@ -5652,6 +5612,16 @@ x509 is a MISP object available in JSON format at
validity-not-after
datetime
Certificate invalid after that date
++
text
text
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
pubkey-info-size
text
Length of the public key (in bits)
++
validity-not-before
datetime
whitelist
comment
Whitelist name used to generate the rules.
--
yara-hunt
yara
yara
Wide yara rule generated from -yh.
+Yara rule generated from -y.
@@ -5750,15 +5740,25 @@ yabin is a MISP object available in JSON format at
yara
yara-hunt
yara
Yara rule generated from -y.
+Wide yara rule generated from -yh.
whitelist
comment
Whitelist name used to generate the rules.
++
['misp']
followed-by
This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known.
['misp']
preceding-by
This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known.
['misp']
triggers
This relationship describes an object which triggers another object.
['misp']