diff --git a/objects.html b/objects.html
index da9da3d..189bf15 100755
--- a/objects.html
+++ b/objects.html
@@ -459,6 +459,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
text
-text
A description of the leak which could include the potential victim(s) or description of the leak.
--
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
--
first-seen
datetime
type
text
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
duplicate
text
Duplicate of the existing leaks.
--
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
+A description of the leak which could include the potential victim(s) or description of the leak.
@@ -654,6 +606,46 @@ ail-leak is a MISP object available in JSON format at
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
origin
text
The link where the leak is (or was) accessible at first-seen.
++
duplicate
text
Duplicate of the existing leaks.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
duplicate_number
counter
origin
type
text
The link where the leak is (or was) accessible at first-seen.
+Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
@@ -712,20 +714,20 @@ android-permission is a MISP object available in JSON format at
permission
text
comment
comment
Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 
'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
+Comment about the set of android permission(s)
comment
comment
permission
text
Comment about the set of android permission(s)
+Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 
'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
@@ -770,16 +772,6 @@ annotation is a MISP object available in JSON format at
text
text
Raw text of the annotation
--
creation-date
datetime
type
text
text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
--
modification-date
datetime
Last update of the annotation
+Raw text of the annotation
@@ -820,6 +802,26 @@ annotation is a MISP object available in JSON format at
modification-date
datetime
Last update of the annotation
++
type
text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
++
format
text
asn
AS
Autonomous System Number
--
first-seen
datetime
First time the ASN was seen
--
mp-import
import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
last-seen
datetime
Last time the ASN was seen
--
description
text
Description of the autonomous system
+The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -928,26 +890,6 @@ asn is a MISP object available in JSON format at
subnet-announced
ip-src
Subnet announced
--
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
country
text
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
mp-export
text
description
text
Description of the autonomous system
++
last-seen
datetime
Last time the ASN was seen
++
subnet-announced
ip-src
Subnet announced
++
first-seen
datetime
First time the ASN was seen
++
asn
AS
Autonomous System Number
++
signature
+software
text
Name of detection signature
+Name of antivirus software
+
software
+signature
text
Name of antivirus software
+Name of detection signature
+
closed
-datetime
When the account was closed.
--
report-code
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
--
account
bank-account-nr
Account number
--
institution-name
text
Name of the bank or financial organisation.
--
client-number
text
Client number as seen by the bank.
--
account-name
text
A field to freely describe the bank account details.
--
institution-code
text
Institution code of the bank.
--
iban
iban
IBAN of the bank account.
--
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
aba-rtn
aba-rtn
ABA routing transit number
--
non-banking-institution
boolean
balance
text
The balance of the account after the suspicious transaction was processed.
--
beneficiary
text
Final beneficiary of the bank account.
--
currency-code
text
comments
client-number
text
Comments about the bank account.
+Client number as seen by the bank.
+
date-balance
datetime
account
bank-account-nr
When the balance was reported.
+Account number
+
text
beneficiary-comment
text
A description of the bank account.
--
opened
datetime
When the account was opened.
+Comment about the final beneficiary.
@@ -1274,20 +1146,80 @@ bank-account is a MISP object available in JSON format at
beneficiary-comment
text
swift
bic
Comment about the final beneficiary.
+SWIFT or BIC as defined in ISO 9362.
swift
bic
report-code
text
SWIFT or BIC as defined in ISO 9362.
+Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
++
beneficiary
text
Final beneficiary of the bank account.
++
closed
datetime
When the account was closed.
++
opened
datetime
When the account was opened.
++
text
text
A description of the bank account.
++
date-balance
datetime
When the balance was reported.
++
balance
text
The balance of the account after the suspicious transaction was processed.
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
++
iban
iban
IBAN of the bank account.
++
comments
text
Comments about the bank account.
++
institution-name
text
Name of the bank or financial organisation.
++
institution-code
text
Institution code of the bank.
++
account-name
text
A field to freely describe the bank account details.
++
aba-rtn
aba-rtn
ABA routing transit number
++
restriction
-text
The text describing the rule for limiting distribution of the restricted alert message.
--
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
--
addresses
text
The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.
--
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
--
sent
datetime
The time and date of the origination of the alert message.
--
note
text
The text describing the purpose or significance of the alert message.
--
references
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
--
code
text
The code denoting the special handling of the alert message.
--
sender
text
identifier
text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
--
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
--
scope
text
references
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
++
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
++
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
++
code
text
The code denoting the special handling of the alert message.
++
source
text
sent
datetime
The time and date of the origination of the alert message.
++
restriction
text
The text describing the rule for limiting distribution of the restricted alert message.
++
note
text
The text describing the purpose or significance of the alert message.
++
identifier
text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
++
addresses
text
The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.
++
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
++
senderName
+parameter
text
The text naming the originator of the alert message.
+A system-specific additional parameter associated with the alert message.
@@ -1530,50 +1532,10 @@ cap-info is a MISP object available in JSON format at
instruction
senderName
text
The text describing the recommended action to be taken by recipients of the alert message.
--
effective
datetime
The effective time of the information of the alert message.
--
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
--
urgency
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
--
expires
datetime
The expiry time of the information of the alert message.
+The text naming the originator of the alert message.
@@ -1590,60 +1552,10 @@ cap-info is a MISP object available in JSON format at
web
link
expires
datetime
The identifier of the hyperlink associating additional information with the alert message.
--
audience
text
The text describing the intended audience of the alert message.
--
language
text
The code denoting the language of the info sub-element of the alert message.
--
severity
text
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
--
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
--
headline
text
The text headline of the alert message.
+The expiry time of the information of the alert message.
@@ -1660,6 +1572,26 @@ cap-info is a MISP object available in JSON format at
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
++
audience
text
The text describing the intended audience of the alert message.
++
event
text
parameter
instruction
text
A system-specific additional parameter associated with the alert message.
+The text describing the recommended action to be taken by recipients of the alert message.
++
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
++
language
text
The code denoting the language of the info sub-element of the alert message.
++
urgency
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
++
effective
datetime
The effective time of the information of the alert message.
++
severity
text
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
++
web
link
The identifier of the hyperlink associating additional information with the alert message.
@@ -1690,6 +1682,16 @@ cap-info is a MISP object available in JSON format at
headline
text
The text headline of the alert message.
++
onset
datetime
size
text
The integer indicating the size of the resource file.
--
derefUri
attachment
The base-64 encoded data content of the resource file.
--
uri
link
resourceDesc
text
The text describing the type and content of the resource file.
--
digest
sha1
size
text
The integer indicating the size of the resource file.
++
resourceDesc
text
The text describing the type and content of the resource file.
++
derefUri
attachment
The base-64 encoded data content of the resource file.
++
text
-text
Free text value
--
symbol
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
--
first-seen
datetime
text
text
Free text value
++
symbol
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
++
text
+cookie-name
text
A description of the cookie.
+Name of the cookie (if splitted)
+
+
cookie
cookie
Full cookie
+
cookie-name
+text
text
Name of the cookie (if splitted)
+A description of the cookie.
+
cookie
cookie
Full cookie
--
message
-text
dst_ip
ip-dst
Message of the cowrie honeypot
--
username
text
Username related to the password(s)
--
protocol
text
Protocol used in the cowrie honeypot
+Destination IP address of the session
@@ -2052,30 +2034,10 @@ cowrie is a MISP object available in JSON format at
eventid
password
text
Eventid of the session in the cowrie honeypot
--
dst_ip
ip-dst
Destination IP address of the session
--
session
text
Session id
+Password
@@ -2092,6 +2054,16 @@ cowrie is a MISP object available in JSON format at
macCS
text
SSH MAC supported in the sesssion
++
src_port
port
sensor
input
text
Cowrie sensor name
--
passsword
text
Password
+Input of the session
protocol
text
Protocol used in the cowrie honeypot
++
isError
text
encCS
text
SSH symmetric encryption algorithm supported in the session
++
sensor
text
Cowrie sensor name
++
dst_port
port
message
text
Message of the cowrie honeypot
++
keyAlgs
text
SSH public-key algorithm supported in the session
++
username
text
Username related to the password(s)
++
eventid
text
Eventid of the session in the cowrie honeypot
++
session
text
Session id
++
compCS
text
SSH compression algorithm supported in the session
++
password
+text
Password
++
text
text
type
origin
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
--
username
text
Username related to the password(s)
--
password
text
Password
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
@@ -2250,10 +2292,20 @@ credential is a MISP object available in JSON format at
origin
type
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
username
text
Username related to the password(s)
@@ -2298,16 +2350,6 @@ credit-card is a MISP object available in JSON format at
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
version
text
expiration
issued
datetime
Maximum date of validity
+Initial date of validity or issued date.
@@ -2338,6 +2380,16 @@ credit-card is a MISP object available in JSON format at
expiration
datetime
Maximum date of validity
++
name
text
issued
datetime
card-security-code
text
Initial date of validity or issued date.
+Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
@@ -2406,16 +2458,6 @@ ddos is a MISP object available in JSON format at
text
text
Description of the DDoS
--
first-seen
datetime
src-port
port
text
text
Port originating the attack
+Description of the DDoS
+
dst-port
-port
ip-src
ip-src
Destination port of the attack
+IP address originating the attack
++
ip-dst
ip-dst
Destination IP (victim)
@@ -2496,20 +2548,20 @@ ddos is a MISP object available in JSON format at
ip-src
ip-src
dst-port
port
IP address originating the attack
+Destination port of the attack
ip-dst
ip-dst
src-port
port
Destination IP (victim)
+Port originating the attack
@@ -2554,6 +2606,16 @@ diameter-attack is a MISP object available in JSON format at
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
++
SessionId
text
IdrFlags
text
IDR-Flags.
++
text
text
A description of the attack seen.
++
CmdCode
text
A decimal representation of the diameter Command Code.
++
Origin-Host
text
Origin-Host.
++
Username
text
IdrFlags
first-seen
datetime
When the attack has been seen for the first time.
++
Destination-Host
text
IDR-Flags.
+Destination-Host.
++
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
CmdCode
text
A decimal representation of the diameter Command Code.
--
text
text
A description of the attack seen.
--
Origin-Host
text
Origin-Host.
--
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
Destination-Host
text
Destination-Host.
--
first-seen
datetime
When the attack has been seen for the first time.
--
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
--
text
-text
first-seen
datetime
A description of the tuple
+First time the tuple has been seen
ip
ip-dst
IP Address
++
last-seen
datetime
first-seen
datetime
text
text
First time the tuple has been seen
+A description of the tuple
ip
ip-dst
IP Address
--
entrypoint-address
+os_abi
text
Address of the entry point
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
@@ -2820,16 +2872,6 @@ elf is a MISP object available in JSON format at
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
number-sections
counter
os_abi
arch
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
arch
type
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
entrypoint-address
text
Address of the entry point
@@ -2898,6 +2950,76 @@ elf-section is a MISP object available in JSON format at
name
text
Name of the section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha1
sha1
sha224
sha224
entropy
float
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
+Entropy of the whole section
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
text
text
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
type
text
sha224
sha224
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Secure Hash Algorithm 2 (224 bits)
-
entropy
float
Entropy of the whole section
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
-+
name
-text
sha512
sha512
Name of the section
+Secure Hash Algorithm 2 (512 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
from
-email-src
Sender email address
--
return-path
text
Message return path
--
header
email-header
Full headers
--
subject
email-subject
Subject
--
to
email-dst
Destination email address
--
message-id
email-message-id
reply-to
email-reply-to
Email address the reply will be sent to
--
to-display-name
email-dst-display-name
Display name of the receiver
--
email-body
email-body
Body of the email
--
attachment
email-attachment
Attachment
--
screenshot
attachment
Screenshot of email
--
cc
email-dst
Carbon copy
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
from-display-name
email-src-display-name
Display name of the sender
--
mime-boundary
email-mime-boundary
MIME Boundary
--
send-date
datetime
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
attachment
email-attachment
Attachment
++
to-display-name
email-dst-display-name
Display name of the receiver
++
header
email-header
Full headers
++
from-display-name
email-src-display-name
Display name of the sender
++
reply-to
email-reply-to
Email address the reply will be sent to
++
to
email-dst
Destination email address
++
screenshot
attachment
Screenshot of email
++
thread-index
email-thread-index
cc
email-dst
Carbon copy
++
return-path
text
Message return path
++
mime-boundary
email-mime-boundary
MIME Boundary
++
email-body
email-body
Body of the email
++
from
email-src
Sender email address
++
subject
email-subject
Subject
++
Fail2ban event.
++ + | ++fail2ban is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
banned-ip |
+ip-src |
+
+ IP Address banned by fail2ban + |
+
+ + |
+
victim |
+text |
+
+ Identifier of the victim + |
+
+ + |
+
failures |
+counter |
+
+ Amount of failures that lead to the ban. + |
+
+ + |
+
attack-type |
+text |
+
+ Type of the attack + |
+
+ + |
+
logline |
+text |
+
+ Example log line that caused the ban. + |
+
+ + |
+
processing-timestamp |
+datetime |
+
+ Timestamp of the report + |
+
+ + |
+
sensor |
+text |
+
+ Identifier of the sensor + |
+
+ + |
+
sha1
-sha1
pattern-in-file
pattern-in-file
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
malware-sample
malware-sample
The file itself (binary)
--
filename
filename
Filename on disk
--
text
text
Free text value to attach to the file
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
mimetype
mime-type
Mime type
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Pattern that can be found in the file
@@ -3424,10 +3474,10 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
sha512/256
sha512/256
Pattern that can be found in the file
+Secure Hash Algorithm 2 (256 bits)
@@ -3444,26 +3494,66 @@ file is a MISP object available in JSON format at
md5
md5
text
text
[Insecure] MD5 hash (128 bits)
+Free text value to attach to the file
++
filename
filename
Filename on disk
++
malware-sample
malware-sample
The file itself (binary)
size-in-bytes
size-in-bytes
tlsh
tlsh
Size of the file, in bytes
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
mimetype
mime-type
Mime type
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
++
state
text
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/224
sha512/224
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
text
-text
A generic description of the location.
--
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
country
text
Country.
--
zipcode
text
Zip Code.
--
region
text
Region.
--
last-seen
datetime
When the location was seen for the last time.
--
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
first-seen
datetime
address
text
Address.
++
zipcode
text
Zip Code.
++
text
text
A generic description of the location.
++
longitude
float
address
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
country
text
Address.
+Country.
++
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
region
text
Region.
@@ -3680,10 +3840,10 @@ gtp-attack is a MISP object available in JSON format at
ipDest
ip-dst
ipSrc
ip-src
IP destination address.
+IP source address.
@@ -3700,56 +3860,16 @@ gtp-attack is a MISP object available in JSON format at
ipSrc
ip-src
ipDest
ip-dst
IP source address.
+IP destination address.
GtpVersion
text
GTP version ['0', '1', '2']
--
GtpImsi
text
GTP IMSI (International mobile subscriber identity).
--
GtpMsisdn
text
GTP MSISDN.
--
GtpServingNetwork
text
GTP Serving Network.
--
text
text
GtpInterface
GtpVersion
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
+GTP version ['0', '1', '2']
@@ -3790,6 +3910,26 @@ gtp-attack is a MISP object available in JSON format at
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
++
GtpServingNetwork
text
GTP Serving Network.
++
PortDest
text
GtpMsisdn
text
GTP MSISDN.
++
GtpImsi
text
GTP IMSI (International mobile subscriber identity).
++
GtpMessageType
text
user-agent
user-agent
The user agent string of the user agent
--
uri
uri
basicauth-password
text
HTTP Basic Authentication Password
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
content-type
other
The MIME type of the body of the request
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
proxy-password
text
referer
content-type
other
This is the address of the previous web page from which a link to the currently requested page was followed
+The MIME type of the body of the request
@@ -3948,16 +4058,6 @@ http-request is a MISP object available in JSON format at
basicauth-user
text
HTTP Basic Authentication Username
--
url
url
basicauth-password
text
HTTP Basic Authentication Password
++
referer
other
This is the address of the previous web page from which a link to the currently requested page was followed
++
basicauth-user
text
HTTP Basic Authentication Username
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
user-agent
user-agent
The user agent string of the user agent
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
first-seen
+datetime
First time the tuple has been seen
++
text
text
dst-port
src-port
port
Destination port
+Source port
first-seen
datetime
First time the tuple has been seen
--
src-port
dst-port
port
Source port
+Destination port
@@ -4124,10 +4284,10 @@ ja3 is a MISP object available in JSON format at
last-seen
first-seen
datetime
Last seen of the SSL/TLS handshake
+First seen of the SSL/TLS handshake
@@ -4144,6 +4304,16 @@ ja3 is a MISP object available in JSON format at
last-seen
datetime
Last seen of the SSL/TLS handshake
++
description
text
first-seen
datetime
First seen of the SSL/TLS handshake
--
ip-src
ip-src
legal-form
text
Legal form of an entity.
++
name
text
Name of an entity.
++
phone-number
phone-number
Phone number of an entity.
++
registration-number
text
Registration number of an entity in the relevant authority.
++
text
text
registration-number
text
Registration number of an entity in the relevant authority.
--
name
text
Name of an entity.
--
legal-form
text
Legal form of an entity.
--
business
text
phone-number
phone-number
Phone number of an entity.
--
entrypoint-address
-text
Address of the entry point
--
text
text
number-sections
counter
Number of sections
--
name
text
entrypoint-address
text
Address of the entry point
++
type
text
number-sections
counter
Number of sections
++
name
+text
Name of the section
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha1
sha1
sha224
sha224
entropy
float
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
+Entropy of the whole section
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
text
text
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
entropy
float
sha224
sha224
Entropy of the whole section
+Secure Hash Algorithm 2 (224 bits)
+
name
-text
sha512
sha512
Name of the section
+Secure Hash Algorithm 2 (512 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
removal-date
-datetime
username-quoted
text
When the microblog post was removed
+Username who are quoted into the microblog post
@@ -4606,26 +4766,6 @@ microblog is a MISP object available in JSON format at
post
text
Raw post
--
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
username
text
username-quoted
text
Username who are quoted into the microblog post
--
url
url
removal-date
datetime
When the microblog post was removed
++
link
url
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
post
text
Raw post
++
name
+text
name of the mutex
++
description
text
name
text
name of the mutex
--
last-packet-seen
-datetime
tcp-flags
text
Last packet seen in this flow
+TCP flags of the flow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
dst-as
AS
Destination AS number for this flow
++
src-as
AS
Source AS number for this flow
++
src-port
port
Source port of the netflow
@@ -4802,6 +5002,36 @@ netflow is a MISP object available in JSON format at
last-packet-seen
datetime
Last packet seen in this flow
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
ip_version
counter
IP version of this flow
++
icmp-type
text
protocol
text
byte-count
counter
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+Bytes counted in this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
first-packet-seen
datetime
First packet seen in this flow
++
ip-dst
ip-dst
IP address destination of the netflow
++
ip-src
ip-src
IP address source of the netflow
ip-src
ip-src
IP address source of the netflow
--
ip-dst
ip-dst
IP address destination of the netflow
--
dst-as
AS
Destination AS number for this flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
src-port
port
Source port of the netflow
--
src-as
AS
Source AS number for this flow
--
first-packet-seen
datetime
First packet seen in this flow
--
tcp-flags
text
TCP flags of the flow
--
byte-count
counter
Bytes counted in this flow
--
ip_version
counter
IP version of this flow
--
count
-counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
--
rrname
text
sensor_id
text
count
counter
Sensor information where the record was seen
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
+How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
@@ -5070,6 +5190,16 @@ passive-dns is a MISP object available in JSON format at
origin
text
Origin of the Passive DNS response
++
time_first
datetime
bailiwick
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
++
sensor_id
text
Best estimate of the apex of the zone where this data is authoritative
+Sensor information where the record was seen
@@ -5100,10 +5240,30 @@ passive-dns is a MISP object available in JSON format at
origin
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
bailiwick
text
Origin of the Passive DNS response
+Best estimate of the apex of the zone where this data is authoritative
@@ -5148,36 +5308,6 @@ paste is a MISP object available in JSON format at
first-seen
datetime
When the paste has been accessible or seen for the first time.
--
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
paste
text
Raw text of the paste or post
--
url
url
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
title
text
paste
text
Raw text of the paste or post
++
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
entrypoint-address
+entrypoint-section-at-position
text
Address of the entry point
+Name of the section and position of the section in the PE
text
text
compilation-timestamp
datetime
Free text value to attach to the PE
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
+Compilation timestamp defined in the PE header
legal-copyright
text
LegalCopyright in the resources
++
file-description
text
FileDescription in the resources
++
file-version
text
FileVersion in the resources
++
original-filename
filename
OriginalFilename in the resources
++
lang-id
text
Lang ID in the resources
++
internal-filename
filename
product-version
type
text
ProductVersion in the resources
--
number-sections
counter
Number of sections
--
company-name
text
CompanyName in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
lang-id
text
Lang ID in the resources
+Type of PE ['exe', 'dll', 'driver', 'unknown']
@@ -5356,50 +5516,30 @@ pe is a MISP object available in JSON format at
compilation-timestamp
datetime
number-sections
counter
Compilation timestamp defined in the PE header
+Number of sections
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
type
product-version
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
legal-copyright
text
LegalCopyright in the resources
--
original-filename
filename
OriginalFilename in the resources
--
file-description
text
FileDescription in the resources
+ProductVersion in the resources
@@ -5416,10 +5556,30 @@ pe is a MISP object available in JSON format at
file-version
entrypoint-address
text
FileVersion in the resources
+Address of the entry point
++
company-name
text
CompanyName in the resources
++
text
text
Free text value to attach to the PE
@@ -5464,6 +5624,66 @@ pe-section is a MISP object available in JSON format at
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha1
sha1
sha224
sha224
entropy
float
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
+Entropy of the whole section
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
--
text
text
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
entropy
float
sha224
sha224
Entropy of the whole section
+Secure Hash Algorithm 2 (224 bits)
+
name
-text
sha512
sha512
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+Secure Hash Algorithm 2 (512 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
first-name
-first-name
First name of a natural person.
--
redress-number
redress-number
passport-country
passport-country
The country in which the passport was issued.
--
identity-card-number
identity-card-number
The identity card number of a natural person.
--
social-security-number
text
Social security number
--
last-name
last-name
Last name of a natural person.
--
passport-number
passport-number
The passport number of a natural person.
--
nationality
nationality
alias
text
passport-expiration
passport-expiration
Alias name or known as.
+The expiration date of a passport.
+
passport-expiration
-passport-expiration
The expiration date of a passport.
--
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
--
middle-name
middle-name
date-of-birth
date-of-birth
identity-card-number
identity-card-number
Date of birth of a natural person (in YYYY-MM-DD format).
+The identity card number of a natural person.
@@ -5792,10 +5872,20 @@ person is a MISP object available in JSON format at
title
text
date-of-birth
date-of-birth
Title of the natural person such as Dr. or equivalent.
+Date of birth of a natural person (in YYYY-MM-DD format).
++
first-name
first-name
First name of a natural person.
passport-number
passport-number
The passport number of a natural person.
++
social-security-number
text
Social security number
++
passport-country
passport-country
The country in which the passport was issued.
++
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
++
last-name
last-name
Last name of a natural person.
++
alias
text
Alias name or known as.
++
title
text
Title of the natural person such as Dr. or equivalent.
++
text
+msisdn
text
A description of the phone.
--
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
first-seen
datetime
gummei
text
When the phone has been accessible or seen for the first time.
+Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
text
text
A description of the phone.
@@ -5890,6 +6050,16 @@ phone is a MISP object available in JSON format at
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
++
guti
text
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
serial-number
text
imsi
text
first-seen
datetime
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+When the phone has been accessible or seen for the first time.
-
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
-+
callback-average
+total-functions
counter
Average size of a callback
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
total-api
counter
Total amount of API calls
--
callbacks
counter
Amount of callbacks (functions started as thread)
--
create-thread
counter
Amount of calls to CreateThread
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
referenced-strings
counter
Amount of referenced strings
--
callback-largest
counter
Largest callback
+Total amount of functions in the file.
@@ -6088,60 +6168,10 @@ r2graphity is a MISP object available in JSON format at
get-proc-address
miss-api
counter
Amount of calls to GetProcAddress
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
total-functions
counter
Total amount of functions in the file.
--
text
text
Description of the r2graphity object
--
not-referenced-strings
counter
Amount of not referenced strings
+Amount of API call reference that does not resolve to a function offset
@@ -6158,20 +6188,10 @@ r2graphity is a MISP object available in JSON format at
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
shortest-path-to-create-thread
local-references
counter
Shortest path to the first time the binary calls CreateThread
+Amount of API calls inside a code section
@@ -6188,10 +6208,140 @@ r2graphity is a MISP object available in JSON format at
local-references
referenced-strings
counter
Amount of API calls inside a code section
+Amount of referenced strings
++
callback-average
counter
Average size of a callback
++
text
text
Description of the r2graphity object
++
callback-largest
counter
Largest callback
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
not-referenced-strings
counter
Amount of not referenced strings
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
create-thread
counter
Amount of calls to CreateThread
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
total-api
counter
Total amount of API calls
r2-commit-version
text
Radare2 commit ID used to generate this object
++
regexp-type
-text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
regexp
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
type
text
name
text
Name of the registry key
++
hive
text
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
last-modified
datetime
name
root-keys
text
Name of the registry key
+Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
+
root-keys
+data-type
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
@@ -6490,10 +6650,20 @@ rtir is a MISP object available in JSON format at
ticket-number
queue
text
ticket-number of the RTIR ticket
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
@@ -6520,16 +6690,6 @@ rtir is a MISP object available in JSON format at
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
constituency
text
ip
ip-dst
ticket-number
text
IPs automatically extracted from the RTIR ticket
+ticket-number of the RTIR ticket
@@ -6598,30 +6758,10 @@ sandbox-report is a MISP object available in JSON format at
sandbox-type
raw-report
text
The type of sandbox used ['on-premise', 'web', 'saas']
--
permalink
link
Permalink reference
--
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
+Raw report from sandbox
@@ -6638,20 +6778,10 @@ sandbox-report is a MISP object available in JSON format at
raw-report
web-sandbox
text
Raw report from sandbox
--
score
text
Score
+A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
@@ -6668,10 +6798,40 @@ sandbox-report is a MISP object available in JSON format at
web-sandbox
permalink
link
Permalink reference
++
score
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
+Score
++
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
++
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
@@ -6716,13 +6876,13 @@ sb-signature is a MISP object available in JSON format at
signature
software
text
Name of detection signature - set the description of the detection signature as a comment
+Name of Sandbox software
+
software
+signature
text
Name of Sandbox software
+Name of detection signature - set the description of the detection signature as a comment
+
SccpCgSSN
+MapSmsTypeNumber
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
MapApplicationContext
text
MAP application context in OID format.
--
MapSmsTP-PID
text
MAP SMS TP-PID.
--
MapVlrGT
text
MAP VLR GT. Phone number.
--
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
--
MapMscGT
text
MAP MSC GT. Phone number.
--
MapUssdCoding
text
MAP USSD Content.
--
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
--
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
--
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
--
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
first-seen
datetime
When the attack has been seen for the first time.
--
MapGmlc
text
MAP GMLC. Phone number.
--
MapMsisdn
text
MAP MSISDN. Phone number.
--
MapUssdContent
text
MAP USSD Content.
--
text
text
A description of the attack seen via SS7 logging.
+MAP SMS TypeNumber.
@@ -6984,20 +6974,30 @@ ss7-attack is a MISP object available in JSON format at
MapImsi
MapGsmscfGT
text
MAP IMSI. Phone number starting with MCC/MNC.
+MAP GSMSCF GT. Phone number.
MapSmsText
SccpCdSSN
text
MAP SMS Text. Important indicators in SMS text.
+Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapVlrGT
text
MAP VLR GT. Phone number.
@@ -7014,10 +7014,130 @@ ss7-attack is a MISP object available in JSON format at
MapSmsTypeNumber
MapMsisdn
text
MAP SMS TypeNumber.
+MAP MSISDN. Phone number.
++
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
++
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
++
text
text
A description of the attack seen via SS7 logging.
++
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
++
MapUssdContent
text
MAP USSD Content.
++
first-seen
datetime
When the attack has been seen for the first time.
++
MapImsi
text
MAP IMSI. Phone number starting with MCC/MNC.
++
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
++
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
++
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
++
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
@@ -7044,15 +7164,55 @@ ss7-attack is a MISP object available in JSON format at
MapGsmscfGT
MapGmlc
text
MAP GSMSCF GT. Phone number.
+MAP GMLC. Phone number.
MapUssdCoding
text
MAP USSD Content.
++
MapMscGT
text
MAP MSC GT. Phone number.
++
MapSmsTP-PID
text
MAP SMS TP-PID.
++
MapApplicationContext
text
MAP application context in OID format.
++
version
+text
Version of STIX 2 pattern. ['stix 2.0']
++
stix2-pattern
stix2-pattern
datetime
datetime
timestamp
timestamp-microsec
When the log entry was seen
+When the log entry was seen in microseconds since Unix epoch
@@ -7180,10 +7350,10 @@ timesketch-timeline is a MISP object available in JSON format at
timestamp
timestamp-microsec
datetime
datetime
When the log entry was seen in microseconds since Unix epoch
+When the log entry was seen
@@ -7228,6 +7398,66 @@ tor-node is a MISP object available in JSON format at
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
address
ip-src
IP address of the Tor node seen.
++
text
text
Tor node comment.
++
version_line
text
versioning information reported by the node.
++
description
text
Tor node description.
++
published
datetime
fingerprint
text
router’s fingerprint.
--
nickname
text
version_line
fingerprint
text
versioning information reported by the node.
--
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
text
text
Tor node comment.
--
flags
text
list of flag associated with the node.
+router’s fingerprint.
@@ -7318,30 +7508,10 @@ tor-node is a MISP object available in JSON format at
description
flags
text
Tor node description.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
address
ip-src
IP address of the Tor node seen.
+list of flag associated with the node.
@@ -7386,33 +7556,13 @@ transaction is a MISP object available in JSON format at
authorized
text
text
Person who autorized the transaction.
+A description of the transaction.
-
transaction-number
text
A unique number identifying a transaction.
--
from-country
text
Origin country of a transaction.
-+
transmode-comment
+to-country
text
Comment describing transmode-code, if needed.
+Target country of a transaction.
from-funds-code
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
--
date-posting
datetime
Date of posting, if different from date of transaction.
--
text
text
A description of the transaction.
--
amount
text
The value of the transaction in local currency.
--
to-funds-code
text
Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
--
transmode-code
text
amount
text
The value of the transaction in local currency.
++
transmode-comment
text
Comment describing transmode-code, if needed.
++
authorized
text
Person who autorized the transaction.
++
transaction-number
text
A unique number identifying a transaction.
++
from-funds-code
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
date
datetime
to-country
from-country
text
Target country of a transaction.
+Origin country of a transaction.
++
to-funds-code
text
Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
date-posting
datetime
Date of posting, if different from date of transaction.
@@ -7564,6 +7734,36 @@ url is a MISP object available in JSON format at
resource_path
text
Path (between hostname:port and query)
++
query_string
text
Query (after path, preceded by '?')
++
first-seen
datetime
First time this URL has been seen
++
domain_without_tld
text
port
port
text
text
Port number
+Description of the URL
++
subdomain
text
Subdomain
first-seen
url
url
Full URL
++
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
host
hostname
Full hostname
++
last-seen
datetime
First time this URL has been seen
+Last time this URL has been seen
++
tld
text
Top-Level Domain
@@ -7614,96 +7864,6 @@ url is a MISP object available in JSON format at
tld
text
Top-Level Domain
--
subdomain
text
Subdomain
--
text
text
Description of the URL
--
query_string
text
Query (after path, preceded by '?')
--
last-seen
datetime
Last time this URL has been seen
--
host
hostname
Full hostname
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
url
url
Full URL
--
resource_path
text
Path (between hostname:port and query)
--
domain
domain
port
port
Port number
++
node
-target-machine
Name(s) of node that was targeted.
--
target-email
The email address(es) of the user targeted.
--
classification
sectors
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
roles
text
The list of roles targeted within the victim.
--
user
target-user
The username(s) of the user targeted.
--
description
text
Description of the victim
--
external
target-external
External target organisations affected by this attack.
+The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
@@ -7842,10 +7942,60 @@ victim is a MISP object available in JSON format at
sectors
node
target-machine
Name(s) of node that was targeted.
++
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
classification
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
+The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
target-email
The email address(es) of the user targeted.
++
external
target-external
External target organisations affected by this attack.
++
roles
text
The list of roles targeted within the victim.
description
text
Description of the victim
++
user
target-user
The username(s) of the user targeted.
++
first-submission
-datetime
First Submission
--
detection-ratio
text
last-submission
datetime
Last Submission
++
permalink
link
last-submission
first-submission
datetime
Last Submission
+First Submission
@@ -7988,50 +8158,10 @@ vulnerability is a MISP object available in JSON format at
text
vulnerable_configuration
text
Description of the vulnerability
--
references
link
External references
--
published
datetime
Initial publication date
--
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
--
summary
text
Summary of the vulnerability
+The vulnerable configuration is described in CPE format
@@ -8058,16 +8188,46 @@ vulnerability is a MISP object available in JSON format at
vulnerable_configuration
text
references
link
The vulnerable configuration is described in CPE format
+External references
text
text
Description of the vulnerability
++
published
datetime
Initial publication date
++
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
++
id
vulnerability
summary
text
Summary of the vulnerability
++
Whois records information for a domain name..
+Whois records information for a domain name or an IP address..
text |
-
- Full whois entry - |
-
- - |
-
-||||||
expiration-date |
-datetime |
-
- Expiration of the whois entry - |
-
- - |
-|||||
creation-date |
-datetime |
-
- Initial creation of the whois entry - |
-
- - |
-|||||
registrant-email |
whois-registrant-email |
@@ -8156,30 +8296,20 @@ whois is a MISP object available in JSON format at nameserver |
-hostname |
+ip-address |
+ip-src |
- Nameserver - |
-
- - |
-|
registrant-org |
-whois-registrant-org |
-
- Registrant organisation +IP address of the whois entry |
|
|||||
modification-date |
-datetime |
+text |
+text |
- Last update of the whois entry +Full whois entry |
@@ -8216,6 +8346,16 @@ whois is a MISP object available in JSON format at expiration-date |
+datetime |
+
+ Expiration of the whois entry + |
+
+ + |
+
registrant-name |
whois-registrant-name |
|||||||
creation-date |
+datetime |
+
+ Initial creation of the whois entry + |
+
+ + |
+|||||
comment |
+text |
+
+ Comment of the whois entry + |
+
+ + |
+|||||
nameserver |
+hostname |
+
+ Nameserver + |
+
+ + |
+|||||
registrant-org |
+whois-registrant-org |
+
+ Registrant organisation + |
+
+ + |
+|||||
modification-date |
+datetime |
+
+ Last update of the whois entry + |
+
+ + |
+
text
-text
Free text description of hte certificate
--
subject
text
Subject of the certificate
--
raw-base64
text
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
x509-fingerprint-md5
x509-fingerprint-md5
[Insecure] MD5 hash (128 bits)
--
pubkey-info-algorithm
serial-number
text
Algorithm of the public key
--
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-size
text
Length of the public key (in bits)
--
version
text
Version of the certificate
--
pubkey-info-exponent
text
Exponent of the public key
+Serial number of the certificate
@@ -8384,6 +8494,16 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
Exponent of the public key
++
validity-not-after
datetime
subject
text
Subject of the certificate
++
x509-fingerprint-md5
x509-fingerprint-md5
[Insecure] MD5 hash (128 bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
pubkey-info-size
text
Length of the public key (in bits)
++
version
text
Version of the certificate
++
pubkey-info-modulus
text
serial-number
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Serial number of the certificate
+Free text description of hte certificate
@@ -8452,6 +8642,16 @@ yabin is a MISP object available in JSON format at
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
++
yara
yara
comment
comment
A description of Yara rule generated.
--
whitelist
comment
Whitelist name used to generate the rules.
--
yara-hunt
yara
version
whitelist
comment
yabin.py and regex.txt version used for the generation of the yara rules.
+Whitelist name used to generate the rules.
++
comment
comment
A description of Yara rule generated.
++
An object describing a YARA rule along with its version..
++ + | ++misc is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
version |
+text |
+
+ Version of the YARA rule depending where the yara rule is known to work as expected. ['3.7.1'] + |
+
+ + |
+
yara |
+yara |
+
+ YARA rule. + |
+
+ + |
+
comment |
+comment |
+
+ A description of the YARA rule. |
@@ -8544,6 +8802,11 @@ yabin is a MISP object available in JSON format at ['misp', 'stix-2.0'] |
connected-to |
+The referenced source is connected to the target object. |
+['misp', 'stix-1.1'] |
+|
attributed-to |
This referenced source is attributed to the target object. |
['misp', 'stix-2.0'] |
@@ -8865,7 +9128,7 @@ yabin is a MISP object available in JSON format at