diff --git a/objects.html b/objects.html index 212d197..695dfa2 100755 --- a/objects.html +++ b/objects.html @@ -436,18 +436,19 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
type
-text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
text
text
original-date
datetime
original-date
-datetime
text
text
type
+text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
first-seen
datetime
type
cookie-value
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
--
cookie
cookie
cookie-value
text
cookie
cookie
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
++
version
-text
-
-
comment
comment
-
-
cc-number
cc-number
-
-
name
text
issued
datetime
issued
-datetime
comment
comment
+
+
version
text
+
+
name
text
+
+
cc-number
cc-number
total-pps
+counter
+
+
src-port
port
last-seen
datetime
+
+
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
dst-port
port
text
text
-
-
first-seen
datetime
-
-
ip-src
ip-src
last-seen
datetime
text
text
total-pps
-counter
first-seen
datetime
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
A domain and IP address seen as a tuple in a specific time frame..
@@ -940,7 +941,7 @@ ddos is a MISP object available in JSON format atdomain
+domain
+
+
text
text
+
+
last-seen
datetime
text
text
ip
ip-dst
domain
domain
-
-
ip
ip-dst
-
-
type
+entrypoint-address
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
+
+
text
-text
-
-
entrypoint-address
text
-
-
os_abi
text
text
text
+
+
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
type
+flag
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
sha384
sha384
sha256
sha256
sha224
-sha224
sha512/224
sha512/224
flag
-text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha1
sha1
sha224
sha224
sha512
-sha512
-
-
size-in-bytes
size-in-bytes
-
-
text
text
sha512/224
sha512/224
-
-
sha512/256
sha512/256
-
-
name
text
sha384
sha384
+
+
sha512/256
sha512/256
+
+
md5
md5
sha256
sha256
sha512
sha512
+
+
size-in-bytes
size-in-bytes
+
+
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha1
sha1
from-display-name
-email-src-display-name
send-date
datetime
-
cc
email-dst
-
-
thread-index
email-thread-index
-
-
return-path
text
-
-
message-id
email-message-id
-
-
to-display-name
email-dst-display-name
-
+
mime-boundary
-email-mime-boundary
-
-
to
email-dst
-
-
send-date
datetime
-
-
x-mailer
email-x-mailer
-
-
attachment
email-attachment
-
-
header
email-header
to-display-name
email-dst-display-name
+
+
reply-to
email-reply-to
thread-index
email-thread-index
+
+
to
email-dst
+
+
mime-boundary
email-mime-boundary
+
+
return-path
text
+
+
attachment
email-attachment
+
+
x-mailer
email-x-mailer
+
+
from-display-name
email-src-display-name
+
+
cc
email-dst
+
+
message-id
email-message-id
+
+
authentihash
-authentihash
filename
filename
sha384
-sha384
sha256
sha256
sha224
-sha224
pattern-in-file
pattern-in-file
+
+
sha512/224
sha512/224
sha224
+sha224
+
+
text
text
+
+
sha384
sha384
+
+
sha512/256
sha512/256
+
+
md5
md5
+
+
ssdeep
ssdeep
+
+
mimetype
text
filename
filename
-
-
pattern-in-file
pattern-in-file
-
-
malware-sample
malware-sample
-
-
tlsh
tlsh
sha1
sha1
authentihash
authentihash
text
-text
-
-
sha512/224
sha512/224
-
-
sha512/256
sha512/256
-
-
md5
md5
-
-
sha256
sha256
-
-
ssdeep
ssdeep
-
-
size-in-bytes
size-in-bytes
malware-sample
malware-sample
+
+
sha1
sha1
+
+
longitude
+city
text
+
+
altitude
float
+
latitude
+float
+
+
longitude
float
+
+
text
text
last-seen
datetime
+
+
first-seen
datetime
altitude
float
-
-
last-seen
datetime
-
-
latitude
float
-
-
region
text
city
text
-
-
content-type
-other
-
-
referer
referer
-
-
basicauth-password
text
-
-
basicauth-user
text
-
-
proxy-user
text
url
url
-
-
cookie
text
host
hostname
referer
referer
text
-text
uri
uri
+
proxy-password
text
content-type
other
uri
-uri
url
url
host
hostname
+
+
basicauth-user
text
+
+
proxy-password
text
+
+
basicauth-password
text
+
+
text
text
+
+
An IP address and a port seen as a tuple (or as a triple) in a specific time frame..
@@ -2016,7 +2017,7 @@ http-request is a MISP object available in JSON format atfirst-seen
-datetime
-
-
last-seen
datetime
first-seen
datetime
+
+
ip-dst
-ip-dst
-
-
first-seen
datetime
-
-
ip-src
ip-src
ja3-fingerprint-md5
md5
ip-dst
+ip-dst
+
+
ip-src
ip-src
+
+
last-seen
datetime
ja3-fingerprint-md5
md5
first-seen
datetime
type
+entrypoint-address
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+
+
text
text
+
name
type
+text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
number-sections
counter
text
text
-
-
entrypoint-address
text
-
-
sha384
-sha384
sha256
sha256
sha224
-sha224
sha512/224
sha512/224
sha1
-sha1
sha224
sha224
sha512
-sha512
-
-
size-in-bytes
size-in-bytes
-
-
text
text
sha512/224
sha512/224
-
-
sha512/256
sha512/256
-
-
name
text
sha384
sha384
+
+
sha512/256
sha512/256
+
+
md5
md5
sha256
sha256
sha512
sha512
+
+
size-in-bytes
size-in-bytes
+
+
sha1
sha1
type
-text
link
url
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+
creation-date
removal-date
datetime
@@ -2520,16 +2521,6 @@ microblog is a MISP object available in JSON format at
link
url
-
-
modification-date
datetime
removal-date
datetime
username-quoted
text
username
-text
creation-date
datetime
username-quoted
+type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
username
text
@@ -2584,6 +2585,214 @@ microblog is a MISP object available in JSON format at +
Netflow object describes an network object based on the Netflowv5/v9 minimal definition.
++ + | ++netflow is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
src-port |
+port |
+
+ + |
+
+ + |
+
last-packet-seen |
+datetime |
+
+ + |
+
+ + |
+
protocol |
+text |
+
+ Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP'] + |
+
+ + |
+
dst-port |
+port |
+
+ + |
+
+ + |
+
src-as |
+AS |
+
+ + |
+
+ + |
+
ip-src |
+ip-src |
+
+ + |
+
+ + |
+
dst-as |
+AS |
+
+ + |
+
+ + |
+
flow-count |
+counter |
+
+ + |
+
+ + |
+
first-packet-seen |
+datetime |
+
+ + |
+
+ + |
+
tcp-flags |
+text |
+
+ + |
+
+ + |
+
ip-protocol-number |
+size-in-bytes |
+
+ + |
+
+ + |
+
byte-count |
+counter |
+
+ + |
+
+ + |
+
ip_version |
+counter |
+
+ + |
+
+ + |
+
direction |
+text |
+
+ Direction of this flow ['Ingress', 'Egress'] + |
+
+ + |
+
packet-count |
+counter |
+
+ + |
+
+ + |
+
ip-dst |
+ip-dst |
+
+ + |
+
+ + |
+
icmp-type |
+text |
+
+ + |
+
+ + |
+
sensor_id
text
-
-
rdata
text
-
-
rrname
bailiwick
text
@@ -2678,7 +2867,7 @@ passive-dns is a MISP object available in JSON format at
bailiwick
rdata
text
@@ -2688,7 +2877,27 @@ passive-dns is a MISP object available in JSON format at
zone_time_first
origin
text
+
+
rrname
text
+
+
time_last
datetime
@@ -2718,8 +2927,8 @@ passive-dns is a MISP object available in JSON format at
time_last
datetime
sensor_id
text
origin
-text
zone_time_first
datetime
first-seen
+url
url
+
+
last-seen
datetime
@@ -2806,7 +3025,7 @@ paste is a MISP object available in JSON format at
last-seen
first-seen
datetime
@@ -2816,16 +3035,6 @@ paste is a MISP object available in JSON format at
url
url
-
-
origin
text
original-filename
filename
compilation-timestamp
datetime
type
-text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
entrypoint-address
text
legal-copyright
text
-
-
file-version
text
-
-
internal-filename
filename
-
-
lang-id
text
-
-
company-name
text
pehash
pehash
impfuzzy
impfuzzy
impfuzzy
-impfuzzy
product-name
text
+
+
internal-filename
filename
number-sections
+counter
+
+
text
text
compilation-timestamp
datetime
original-filename
filename
product-name
+imphash
imphash
+
+
legal-copyright
text
@@ -3014,18 +3203,8 @@ pe is a MISP object available in JSON format at
number-sections
counter
-
-
imphash
imphash
pehash
pehash
lang-id
+text
+
+
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
file-description
text
file-version
text
+
+
sha384
-sha384
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha256
sha256
sha224
-sha224
sha512/224
sha512/224
sha1
-sha1
sha224
sha224
sha512
-sha512
-
-
size-in-bytes
size-in-bytes
-
-
text
text
sha512/224
sha512/224
-
-
sha512/256
sha512/256
-
-
name
text
sha384
sha384
+
+
sha512/256
sha512/256
+
+
md5
md5
characteristic
text
sha512
sha512
Characteristic of the section ['read', 'write', 'executable']
+
sha256
sha256
size-in-bytes
size-in-bytes
+
+
sha1
sha1
date-of-birth
-date-of-birth
passport-expiration
passport-expiration
first-name
-first-name
text
text
+
+
middle-name
middle-name
place-of-birth
-place-of-birth
passport-number
passport-number
last-name
-last-name
-
-
gender
gender
text
text
place-of-birth
place-of-birth
+
passport-expiration
passport-expiration
first-name
first-name
passport-number
-passport-number
last-name
last-name
middle-name
-middle-name
date-of-birth
date-of-birth
first-seen
-datetime
-
-
gummei
text
-
-
text
text
-
-
serial-number
imei
text
@@ -3478,13 +3657,13 @@ phone is a MISP object available in JSON format at
last-seen
datetime
imsi
text
+
imsi
-text
-
-
imei
text
-
-
msisdn
text
text
text
+
+
last-seen
datetime
+
+
gummei
text
+
+
first-seen
datetime
+
+
serial-number
text
+
+
shortest-path-to-create-thread
+memory-allocations
counter
@@ -3576,76 +3785,6 @@ r2graphity is a MISP object available in JSON format at
create-thread
counter
-
-
referenced-strings
counter
-
-
unknown-references
counter
-
-
gml
attachment
-
-
dangling-strings
counter
-
-
total-functions
counter
-
-
ratio-api
float
-
-
local-references
counter
miss-api
counter
-
-
callbacks
counter
-
-
callback-average
counter
-
-
ratio-functions
float
-
-
callback-largest
counter
-
-
r2-commit-version
text
get-proc-address
gml
attachment
+
+
unknown-references
counter
@@ -3736,17 +3835,7 @@ r2graphity is a MISP object available in JSON format at
memory-allocations
counter
-
-
total-api
total-functions
counter
@@ -3766,6 +3855,16 @@ r2graphity is a MISP object available in JSON format at
miss-api
counter
+
+
not-referenced-strings
counter
callback-average
counter
+
+
total-api
counter
+
+
dangling-strings
counter
+
+
get-proc-address
counter
+
+
shortest-path-to-create-thread
counter
+
+
ratio-api
float
+
+
callback-largest
counter
+
+
refsglobalvar
counter
referenced-strings
counter
+
+
ratio-functions
float
+
+
create-thread
counter
+
+
callbacks
counter
+
+
regexp
+text
+
+
comment
comment
regexp
text
-
-
last-modified
-datetime
data
reg-data
+
+
hive
reg-hive
data
-reg-data
-
-
hive
reg-hive
last-modified
datetime
queue
-text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
classification
text
-
-
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
constituency
text
ticket-number
text
-
-
subject
text
ticket-number
text
+
+
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
++
classification
text
+
+
ip
ip-dst
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
version
+description
text
+
+
fingerprint
text
@@ -4118,7 +4337,7 @@ tor-node is a MISP object available in JSON format at
nickname
version
text
@@ -4128,26 +4347,6 @@ tor-node is a MISP object available in JSON format at
document
text
-
-
address
ip-src
-
-
version_line
text
text
text
+
+
flags
text
fingerprint
text
-
-
description
text
-
-
text
document
text
address
ip-src
+
+
nickname
text
+
+
tld
+subdomain
text
@@ -4266,18 +4475,8 @@ url is a MISP object available in JSON format at
domain
domain
-
-
query_string
text
url
url
resource_path
-text
-
-
scheme
text
host
hostname
-
-
domain_without_tld
text
-
-
url
url
domain
domain
first-seen
-datetime
-
-
subdomain
text
-
-
last-seen
datetime
resource_path
text
+
+
tld
text
+
+
port
port
host
hostname
+
+
first-seen
datetime
+
+
domain_without_tld
text
+
+
query_string
text
+
+
name
+description
text
@@ -4464,17 +4673,7 @@ victim is a MISP object available in JSON format at
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
description
name
text
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
vulnerable_configuration
-text
-
-
text
text
references
link
text
+text
+
+
published
datetime
references
link
vulnerable_configuration
text
creation-date
+datetime
+
+
registrant-email
whois-registrant-email
text
text
-
-
domain
domain
-
-
modification-date
datetime
-
-
registrant-phone
whois-registrant-phone
-
-
expiration-date
datetime
-
-
registrant-name
whois-registrant-name
creation-date
expiration-date
datetime
+
+
domain
domain
+
+
text
text
+
+
registrant-phone
whois-registrant-phone
+
+
modification-date
datetime
@@ -4778,6 +4987,26 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
+
+
subject
text
+
+
version
text
raw-base64
text
+
+
x509-fingerprint-sha1
sha1
+
+
text
text
+
+
validity-not-after
datetime
+
+
serial-number
text
+
+
pubkey-info-modulus
text
pubkey-info-exponent
pubkey-info-algorithm
text
@@ -4828,86 +5107,6 @@ x509 is a MISP object available in JSON format at
pubkey-info-algorithm
text
-
-
raw-base64
text
-
-
validity-not-after
datetime
-
-
text
text
-
-
serial-number
text
-
-
x509-fingerprint-sha1
sha1
-
-
subject
text
-
-
x509-fingerprint-sha256
sha256
-
-
x509-fingerprint-md5
md5
x509-fingerprint-sha256
sha256
+
+
version
+whitelist
comment
@@ -4986,6 +5195,16 @@ yabin is a MISP object available in JSON format at
version
comment
+
+
yara
yara
whitelist
comment
-
-
yara-hunt
yara