diff --git a/objects.html b/objects.html
index 695dfa2..ce3d5dc 100755
--- a/objects.html
+++ b/objects.html
@@ -433,6 +433,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
original-date
-datetime
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
text
text
text
-text
-
-
last-seen
datetime
-
-
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
first-seen
datetime
original-date
datetime
+
+
last-seen
datetime
+
+
Antivirus detection signature.
++ + | ++av-signature is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
text |
+text |
+
+ + |
+
+ + |
+
software |
+text |
+
+ + |
+
+ + |
+
signature |
+text |
+
+ + |
+
+ + |
+
datetime |
+datetime |
+
+ + |
+
+ + |
+
cookie-value
+cookie-name
text
@@ -649,16 +729,6 @@ cookie is a MISP object available in JSON format at
cookie-name
text
-
-
cookie
cookie
cookie-value
text
+
+
issued
-datetime
cc-number
cc-number
+
+
card-security-code
text
comment
-comment
issued
datetime
cc-number
-cc-number
-
-
card-security-code
text
comment
comment
total-pps
-counter
-
-
src-port
port
-
-
last-seen
datetime
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
dst-port
port
-
-
ip-dst
ip-dst
-
-
ip-src
ip-src
-
-
text
text
-
-
total-bps
counter
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
src-port
port
+
+
first-seen
datetime
total-pps
counter
+
+
dst-port
port
+
+
text
text
+
+
ip-src
ip-src
+
+
ip-dst
ip-dst
+
+
domain
-domain
first-seen
datetime
text
-text
domain
domain
ip
-ip-dst
text
text
first-seen
-datetime
ip
ip-dst
entrypoint-address
+type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
text
text
@@ -1071,6 +1161,16 @@ elf is a MISP object available in JSON format at
entrypoint-address
text
+
+
os_abi
text
text
text
-
-
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
flag
+md5
md5
+
+
text
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha256
sha256
-
-
sha512/224
sha512/224
-
-
entropy
float
text
-text
-
-
name
text
-
-
sha384
sha384
-
-
sha512/256
sha512/256
md5
md5
-
-
ssdeep
ssdeep
-
-
sha512
sha512
-
-
size-in-bytes
size-in-bytes
-
-
type
text
sha512/224
sha512/224
+
+
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
sha1
sha1
sha384
sha384
+
+
size-in-bytes
size-in-bytes
+
+
entropy
float
+
+
sha256
sha256
+
+
ssdeep
ssdeep
+
+
name
text
+
+
sha512
sha512
+
+
send-date
-datetime
-
-
subject
email-subject
-
-
header
email-header
-
-
to-display-name
email-dst-display-name
-
-
reply-to
email-reply-to
from
email-src
send-date
datetime
+
thread-index
email-thread-index
-
-
to
email-dst
-
-
mime-boundary
email-mime-boundary
-
-
return-path
text
from-display-name
email-src-display-name
x-mailer
-email-x-mailer
thread-index
email-thread-index
from-display-name
-email-src-display-name
message-id
email-message-id
+
+
from
email-src
+
+
to-display-name
email-dst-display-name
+
+
subject
email-subject
+
+
return-path
text
+
+
header
email-header
+
+
mime-boundary
email-mime-boundary
message-id
-email-message-id
to
email-dst
+
+
x-mailer
email-x-mailer
filename
-filename
sha512
sha512
sha256
-sha256
tlsh
tlsh
pattern-in-file
-pattern-in-file
-
-
sha512/224
sha512/224
-
-
entropy
float
-
-
sha224
sha224
text
text
-
-
sha384
sha384
malware-sample
malware-sample
md5
-md5
authentihash
authentihash
ssdeep
-ssdeep
sha512/224
sha512/224
+
+
filename
filename
+
+
sha1
sha1
+
+
pattern-in-file
pattern-in-file
tlsh
-tlsh
sha384
sha384
authentihash
-authentihash
entropy
float
+
sha512
sha512
text
text
+
malware-sample
-malware-sample
ssdeep
ssdeep
sha1
-sha1
md5
md5
+
+
sha256
sha256
latitude
+float
+
+
last-seen
datetime
+
+
text
text
+
+
region
text
+
+
longitude
float
+
+
first-seen
datetime
+
+
city
text
latitude
float
-
-
longitude
float
-
-
text
text
-
-
last-seen
datetime
-
-
first-seen
datetime
-
-
region
text
-
-
user-agent
-user-agent
-
-
proxy-user
text
-
-
cookie
text
-
referer
referer
-
-
uri
uri
-
-
content-type
other
-
-
method
http-method
-
content-type
+other
+
+
cookie
text
+
+
user-agent
user-agent
+
+
method
http-method
+
+
host
hostname
basicauth-user
text
uri
uri
text
+basicauth-user
text
+
+
proxy-user
text
+
+
referer
referer
+
src-port
-port
-
-
dst-port
port
-
-
text
text
-
-
last-seen
datetime
text
text
+
+
ip
ip-dst
src-port
port
+
+
first-seen
datetime
dst-port
port
+
+
ja3-fingerprint-md5
-md5
last-seen
datetime
ip-dst
-ip-dst
-
-
ip-src
ip-src
-
-
last-seen
datetime
-
-
first-seen
datetime
ja3-fingerprint-md5
md5
+
+
ip-src
ip-src
+
+
ip-dst
ip-dst
+
+
entrypoint-address
+number-sections
counter
+
+
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
text
text
@@ -2245,7 +2345,7 @@ macho is a MISP object available in JSON format at
text
entrypoint-address
text
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
--
number-sections
counter
-
-
sha256
-sha256
md5
md5
+
+
text
text
+
+
sha224
sha224
+
+
sha512/256
sha512/256
sha1
+sha1
+
+
sha384
sha384
+
+
size-in-bytes
size-in-bytes
+
+
entropy
float
sha224
sha224
sha256
sha256
text
-text
ssdeep
ssdeep
+
sha384
-sha384
-
-
sha512/256
sha512/256
-
-
md5
md5
-
-
ssdeep
ssdeep
-
-
sha512
sha512
size-in-bytes
size-in-bytes
-
-
sha1
sha1
-
-
link
-url
-
-
removal-date
datetime
-
-
url
url
-
-
modification-date
datetime
-
-
username-quoted
text
creation-date
datetime
-
-
post
text
-
-
type
text
link
url
+
+
username
text
modification-date
datetime
+
+
url
url
+
+
post
text
+
+
creation-date
datetime
+
+
removal-date
datetime
+
+
src-port
-port
dst-as
AS
+
+
packet-count
counter
+
+
src-as
AS
protocol
-text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
dst-port
port
-
-
src-as
AS
-
-
ip-src
ip-src
-
-
dst-as
AS
-
-
flow-count
counter
ip-protocol-number
size-in-bytes
tcp-flags
+icmp-type
text
@@ -2719,8 +2769,28 @@ netflow is a MISP object available in JSON format at
ip-protocol-number
size-in-bytes
ip-src
ip-src
+
+
ip-dst
ip-dst
+
+
byte-count
counter
byte-count
+flow-count
counter
@@ -2739,6 +2809,36 @@ netflow is a MISP object available in JSON format at
src-port
port
+
+
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
ip_version
counter
direction
text
Direction of this flow ['Ingress', 'Egress']
--
packet-count
counter
-
-
ip-dst
ip-dst
dst-port
port
icmp-type
+tcp-flags
text
@@ -2827,16 +2907,6 @@ passive-dns is a MISP object available in JSON format at
bailiwick
text
-
-
count
counter
time_first
datetime
-
-
text
text
rdata
text
-
-
origin
bailiwick
text
@@ -2897,6 +2947,46 @@ passive-dns is a MISP object available in JSON format at
origin
text
+
+
time_first
datetime
+
+
rdata
text
+
+
zone_time_last
datetime
+
+
time_last
datetime
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
zone_time_last
zone_time_first
datetime
@@ -2937,10 +3017,10 @@ passive-dns is a MISP object available in JSON format at
zone_time_first
datetime
rrtype
text
+
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
@@ -2985,8 +3065,8 @@ paste is a MISP object available in JSON format at
url
url
title
text
title
-text
-
-
paste
text
url
url
paste
+text
+
+
origin
text
compilation-timestamp
datetime
-
-
entrypoint-address
text
-
-
company-name
text
-
-
impfuzzy
impfuzzy
product-name
text
imphash
imphash
+
number-sections
-counter
text
text
text
+pehash
pehash
+
+
entrypoint-address
text
@@ -3173,57 +3233,7 @@ pe is a MISP object available in JSON format at
original-filename
filename
-
-
imphash
imphash
-
-
legal-copyright
text
-
-
pehash
pehash
-
-
product-version
text
-
-
lang-id
file-description
text
@@ -3243,7 +3253,7 @@ pe is a MISP object available in JSON format at
file-description
product-version
text
@@ -3253,6 +3263,66 @@ pe is a MISP object available in JSON format at
legal-copyright
text
+
+
compilation-timestamp
datetime
+
+
original-filename
filename
+
+
company-name
text
+
+
product-name
text
+
+
number-sections
counter
+
+
file-version
text
lang-id
text
+
+
md5
+md5
+
+
text
text
+
+
sha224
sha224
+
+
characteristic
text
sha256
sha256
sha512/256
sha512/256
sha1
+sha1
+
+
sha384
sha384
+
+
size-in-bytes
size-in-bytes
+
+
entropy
float
sha224
sha224
sha256
sha256
text
-text
ssdeep
ssdeep
+
sha384
-sha384
-
-
sha512/256
sha512/256
-
-
md5
md5
-
-
ssdeep
ssdeep
-
-
sha512
sha512
size-in-bytes
size-in-bytes
-
-
sha1
sha1
-
-
nationality
-nationality
redress-number
redress-number
passport-expiration
-passport-expiration
passport-country
passport-country
middle-name
-middle-name
-
-
passport-number
passport-number
-
-
redress-number
redress-number
-
-
gender
gender
first-name
first-name
-
-
passport-country
passport-country
-
-
last-name
last-name
first-name
first-name
+
+
date-of-birth
date-of-birth
middle-name
middle-name
+
+
passport-number
passport-number
+
+
nationality
nationality
+
+
passport-expiration
passport-expiration
+
+
imei
-text
-
-
tmsi
text
-
-
imsi
text
-
-
guti
text
-
-
msisdn
text
imei
text
+
+
text
text
last-seen
datetime
-
-
gummei
guti
text
imsi
text
+
+
gummei
text
+
+
last-seen
datetime
+
+
tmsi
text
+
+
memory-allocations
-counter
-
-
local-references
counter
-
-
r2-commit-version
text
-
-
gml
attachment
-
-
unknown-references
counter
-
-
text
text
total-functions
counter
-
-
ratio-string
float
-
-
miss-api
counter
-
-
not-referenced-strings
counter
-
-
callback-average
counter
total-api
counter
-
-
dangling-strings
counter
-
-
get-proc-address
counter
-
-
shortest-path-to-create-thread
counter
-
-
ratio-api
float
-
-
callback-largest
counter
-
-
refsglobalvar
counter
-
-
referenced-strings
counter
-
-
ratio-functions
float
gml
attachment
+
+
callback-largest
counter
+
+
dangling-strings
counter
+
+
create-thread
counter
shortest-path-to-create-thread
counter
+
+
referenced-strings
counter
+
+
miss-api
counter
+
+
callbacks
counter
total-functions
counter
+
+
total-api
counter
+
+
ratio-string
float
+
+
not-referenced-strings
counter
+
+
r2-commit-version
text
+
+
local-references
counter
+
+
refsglobalvar
counter
+
+
memory-allocations
counter
+
+
get-proc-address
counter
+
+
ratio-api
float
+
+
unknown-references
counter
+
+
regexp-type
+text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
regexp
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
hive
-reg-hive
-
-
name
reg-name
-
-
key
reg-key
hive
reg-hive
+
+
name
reg-name
+
+
constituency
+queue
text
+
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
@@ -4219,36 +4299,6 @@ rtir is a MISP object available in JSON format at
ticket-number
text
-
-
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
classification
text
-
-
ip
ip-dst
queue
constituency
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
+
ticket-number
text
+
+
classification
text
+
+
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
@@ -4307,27 +4387,7 @@ tor-node is a MISP object available in JSON format at
description
text
-
-
fingerprint
text
-
-
published
last-seen
datetime
@@ -4337,14 +4397,24 @@ tor-node is a MISP object available in JSON format at
version
text
text
+
first-seen
datetime
+
version_line
text
+nickname
text
+
first-seen
+address
ip-src
+
+
published
datetime
@@ -4397,8 +4477,18 @@ tor-node is a MISP object available in JSON format at
last-seen
datetime
fingerprint
text
+
+
description
text
address
-ip-src
-
-
nickname
version
text
@@ -4465,7 +4545,27 @@ url is a MISP object available in JSON format at
subdomain
domain
domain
+
+
last-seen
datetime
+
+
text
text
@@ -4485,7 +4585,47 @@ url is a MISP object available in JSON format at
fragment
host
hostname
+
+
query_string
text
+
+
first-seen
datetime
+
+
tld
text
+
+
credential
text
@@ -4505,17 +4645,7 @@ url is a MISP object available in JSON format at
domain
domain
-
-
text
fragment
text
@@ -4525,8 +4655,8 @@ url is a MISP object available in JSON format at
last-seen
datetime
port
port
tld
+subdomain
text
@@ -4555,46 +4685,6 @@ url is a MISP object available in JSON format at
port
port
-
-
credential
text
-
-
host
hostname
-
-
first-seen
datetime
-
-
domain_without_tld
text
query_string
text
-
-
description
+sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
roles
text
@@ -4663,7 +4763,7 @@ victim is a MISP object available in JSON format at
regions
description
text
@@ -4683,7 +4783,7 @@ victim is a MISP object available in JSON format at
roles
regions
text
VirusTotal report.
+sectors |
-text |
++ + | ++virustotal-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||
---|---|---|---|---|---|---|
last-submission |
+datetime |
- The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities'] +
|
|
|||
classification |
+detection-ratio |
text |
- The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown'] ++ |
+
+ + |
+||
community-score |
+text |
+
+ + |
+
+ + |
+|||
permalink |
+link |
+
+ + |
+
+ + |
+|||
first-submission |
+datetime |
+
+
|
@@ -4751,6 +4919,16 @@ vulnerability is a MISP object available in JSON format at text |
+text |
+
+ + |
+
+ + |
+
references |
link |
@@ -4771,16 +4949,6 @@ vulnerability is a MISP object available in JSON format at summary |
-text |
-
- - |
-
- - |
-|
id |
vulnerability |
@@ -4791,7 +4959,17 @@ vulnerability is a MISP object available in JSON format at summary |
text |
+
+ + |
+
+ + |
+|
vulnerable_configuration |
text |
|||||
vulnerable_configuration |
-text |
-
- - |
-
- - |
-
text
+text
+
+
registrant-email
whois-registrant-email
modification-date
datetime
+
+
registrant-name
whois-registrant-name
expiration-date
datetime
-
-
domain
domain
text
text
-
-
registrant-phone
whois-registrant-phone
modification-date
expiration-date
datetime
@@ -4987,37 +5155,7 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
-
-
subject
text
-
-
version
text
-
-
raw-base64
text
@@ -5037,37 +5175,7 @@ x509 is a MISP object available in JSON format at
text
text
-
-
validity-not-after
datetime
-
-
serial-number
text
-
-
pubkey-info-modulus
version
text
@@ -5087,7 +5195,37 @@ x509 is a MISP object available in JSON format at
pubkey-info-algorithm
pubkey-info-modulus
text
+
+
subject
text
+
+
raw-base64
text
+
+
serial-number
text
@@ -5107,6 +5245,26 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
text
+
+
validity-not-after
datetime
+
+
x509-fingerprint-md5
md5
pubkey-info-size
pubkey-info-exponent
text
pubkey-info-algorithm
text
+
+
whitelist
-comment
-
-
comment
comment
-
-
version
comment
whitelist
comment
+
+
comment
comment
+
+
yara-hunt
yara