diff --git a/objects.html b/objects.html
index e2d3fc1..af90fbd 100755
--- a/objects.html
+++ b/objects.html
@@ -473,12 +473,15 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
sensor
+text
The AIL sensor uuid where the leak was processed and analysed.
++
duplicate
text
Duplicate of the existing leaks.
++
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
original-date
datetime
sensor
text
last-seen
datetime
The AIL sensor uuid where the leak was processed and analysed.
+When the leak has been accessible or seen for the last time.
+
raw-data
attachment
text
text
Raw data as received by the AIL sensor compressed and encoded in Base64.
+A description of the leak which could include the potential victim(s) or description of the leak.
@@ -640,26 +673,6 @@ ail-leak is a MISP object available in JSON format at
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
first-seen
datetime
duplicate
text
Duplicate of the existing leaks.
--
permission
-text
comment
comment
Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 
'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
+Comment about the set of android permission(s)
comment
comment
permission
text
Comment about the set of android permission(s)
+Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 
'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
@@ -776,20 +779,20 @@ annotation is a MISP object available in JSON format at
modification-date
datetime
text
text
Last update of the annotation
+Raw text of the annotation
creation-date
datetime
ref
link
Initial creation of the annotation
+Reference(s) to the annotation
@@ -806,10 +809,10 @@ annotation is a MISP object available in JSON format at
ref
link
creation-date
datetime
Reference(s) to the annotation
+Initial creation of the annotation
@@ -826,10 +829,10 @@ annotation is a MISP object available in JSON format at
text
text
modification-date
datetime
Raw text of the annotation
+Last update of the annotation
@@ -874,16 +877,36 @@ asn is a MISP object available in JSON format at
asn
AS
mp-import
text
Autonomous System Number
+The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
last-seen
datetime
Last time the ASN was seen
++
first-seen
datetime
First time the ASN was seen
++
import
text
mp-import
country
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+Country code of the main location of the autonomous system
++
asn
AS
Autonomous System Number
++
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
description
text
Description of the autonomous system
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
last-seen
datetime
Last time the ASN was seen
--
description
text
Description of the autonomous system
--
first-seen
datetime
First time the ASN was seen
--
country
text
Country code of the main location of the autonomous system
--
signature
-text
datetime
datetime
Name of detection signature
--
software
text
Name of antivirus software
+Datetime
@@ -1042,10 +1035,20 @@ av-signature is a MISP object available in JSON format at
datetime
datetime
signature
text
Datetime
+Name of detection signature
++
software
text
Name of antivirus software
@@ -1100,16 +1103,126 @@ bank-account is a MISP object available in JSON format at
beneficiary-comment
text
text
Comment about the final beneficiary.
+A description of the bank account.
report-code
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
++
client-number
text
Client number as seen by the bank.
++
opened
datetime
When the account was opened.
++
currency-code
text
Currency of the account. ['USD', 'EUR']
++
balance
text
The balance of the account after the suspicious transaction was processed.
++
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
++
beneficiary
text
Final beneficiary of the bank account.
++
iban
iban
IBAN of the bank account.
++
account
bank-account-nr
Account number
++
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
++
aba-rtn
aba-rtn
ABA routing transit number
++
swift
bic
iban
iban
IBAN of the bank account.
--
personal-account-type
branch
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
client-number
text
Client number as seen by the bank.
--
aba-rtn
aba-rtn
ABA routing transit number
--
comments
text
Comments about the bank account.
+Branch code or name
@@ -1190,26 +1263,6 @@ bank-account is a MISP object available in JSON format at
account-name
text
A field to freely describe the bank account details.
--
currency-code
text
Currency of the account. ['USD', 'EUR']
--
non-banking-institution
boolean
branch
comments
text
Branch code or name
+Comments about the bank account.
opened
datetime
When the account was opened.
--
text
account-name
text
A description of the bank account.
+A field to freely describe the bank account details.
-
balance
text
The balance of the account after the suspicious transaction was processed.
-+
report-code
+beneficiary-comment
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
--
account
bank-account-nr
Account number
--
beneficiary
text
Final beneficiary of the bank account.
--
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
+Comment about the final beneficiary.
@@ -1348,26 +1351,6 @@ cap-alert is a MISP object available in JSON format at
note
text
The text describing the purpose or significance of the alert message.
--
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
--
incident
text
sent
datetime
The time and date of the origination of the alert message.
--
identifier
text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
--
addresses
text
The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.
--
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
--
references
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
--
source
text
msgType
text
sent
datetime
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
+The time and date of the origination of the alert message.
restriction
references
text
The text describing the rule for limiting distribution of the restricted alert message.
+The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
restriction
text
The text describing the rule for limiting distribution of the restricted alert message.
++
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
++
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
++
note
text
The text describing the purpose or significance of the alert message.
++
addresses
text
The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.
++
identifier
text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
++
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
++
senderName
+contact
text
The text naming the originator of the alert message.
+The text describing the contact for follow-up and confirmation of the alert message.
description
text
onset
datetime
The text describing the subject event of the alert message.
--
eventCode
text
A system-specific code identifying the event type of the alert message.
--
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
--
language
text
The code denoting the language of the info sub-element of the alert message.
--
web
link
The identifier of the hyperlink associating additional information with the alert message.
--
severity
text
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
--
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
+The expected time of the beginning of the subject event of the alert message.
@@ -1606,10 +1549,40 @@ cap-info is a MISP object available in JSON format at
certainty
senderName
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
+The text naming the originator of the alert message.
++
eventCode
text
A system-specific code identifying the event type of the alert message.
++
description
text
The text describing the subject event of the alert message.
++
language
text
The code denoting the language of the info sub-element of the alert message.
@@ -1626,6 +1599,46 @@ cap-info is a MISP object available in JSON format at
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
++
headline
text
The text headline of the alert message.
++
effective
datetime
The effective time of the information of the alert message.
++
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
++
instruction
text
effective
datetime
web
link
The effective time of the information of the alert message.
+The identifier of the hyperlink associating additional information with the alert message.
++
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
++
severity
text
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
onset
datetime
The expected time of the beginning of the subject event of the alert message.
--
headline
text
The text headline of the alert message.
--
contact
text
The text describing the contact for follow-up and confirmation of the alert message.
--
size
+text
The integer indicating the size of the resource file.
++
derefUri
attachment
size
text
mimeType
mime-type
The integer indicating the size of the resource file.
+The identifier of the MIME content type and sub-type describing the resource file.
mimeType
mime-type
The identifier of the MIME content type and sub-type describing the resource file.
--
address
-btc
Address used as a payment destination in a cryptocurrency
--
last-seen
datetime
address
btc
Address used as a payment destination in a cryptocurrency
++
symbol
text
cookie-value
cookie-name
text
Value of the cookie (if splitted)
+Name of the cookie (if splitted)
type
cookie-value
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+Value of the cookie (if splitted)
@@ -1960,20 +1963,20 @@ cookie is a MISP object available in JSON format at
cookie
cookie
type
text
Full cookie
+Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
cookie-name
text
cookie
cookie
Name of the cookie (if splitted)
+Full cookie
@@ -2028,20 +2031,10 @@ course-of-action is a MISP object available in JSON format at
stage
impact
text
The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response']
--
name
text
The name used to identify the course of action.
+The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
@@ -2058,20 +2051,30 @@ course-of-action is a MISP object available in JSON format at
type
objective
text
The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other']
+The objective of the course of action.
impact
name
text
The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
+The name used to identify the course of action.
++
stage
text
The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response']
@@ -2088,10 +2091,10 @@ course-of-action is a MISP object available in JSON format at
objective
type
text
The objective of the course of action.
+The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other']
@@ -2136,140 +2139,10 @@ cowrie is a MISP object available in JSON format at
password
text
timestamp
datetime
Password
--
input
text
Input of the session
--
username
text
Username related to the password(s)
--
sensor
text
Cowrie sensor name
--
isError
text
isError
--
macCS
text
SSH MAC supported in the sesssion
--
message
text
Message of the cowrie honeypot
--
src_ip
ip-src
Source IP address of the session
--
eventid
text
Eventid of the session in the cowrie honeypot
--
dst_ip
ip-dst
Destination IP address of the session
--
session
text
Session id
--
encCS
text
SSH symmetric encryption algorithm supported in the session
--
src_port
port
Source port of the session
--
keyAlgs
text
SSH public-key algorithm supported in the session
+When the event happened
@@ -2296,6 +2169,116 @@ cowrie is a MISP object available in JSON format at
session
text
Session id
++
dst_ip
ip-dst
Destination IP address of the session
++
macCS
text
SSH MAC supported in the sesssion
++
input
text
Input of the session
++
protocol
text
Protocol used in the cowrie honeypot
++
password
text
Password
++
encCS
text
SSH symmetric encryption algorithm supported in the session
++
sensor
text
Cowrie sensor name
++
isError
text
isError
++
src_ip
ip-src
Source IP address of the session
++
keyAlgs
text
SSH public-key algorithm supported in the session
++
compCS
text
timestamp
datetime
username
text
When the event happened
+Username related to the password(s)
++
eventid
text
Eventid of the session in the cowrie honeypot
protocol
message
text
Protocol used in the cowrie honeypot
+Message of the cowrie honeypot
++
src_port
port
Source port of the session
@@ -2374,10 +2377,20 @@ credential is a MISP object available in JSON format at
username
text
text
Username related to the password(s)
+A description of the credential(s)
++
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
@@ -2394,10 +2407,20 @@ credential is a MISP object available in JSON format at
notification
origin
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
++
username
text
Username related to the password(s)
text
text
A description of the credential(s)
--
origin
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
--
expiration
-datetime
Maximum date of validity
--
issued
datetime
Initial date of validity or issued date.
--
name
card-security-code
text
Name of the card owner.
+Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
version
text
Version of the card.
@@ -2512,10 +2505,30 @@ credit-card is a MISP object available in JSON format at
card-security-code
expiration
datetime
Maximum date of validity
++
name
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
+Name of the card owner.
++
issued
datetime
Initial date of validity or issued date.
version
text
Version of the card.
--
protocol
+text
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
ip-src
ip-src
IP address originating the attack
--
last-seen
datetime
End of the attack
+Description of the DDoS
dst-port
port
first-seen
datetime
Destination port of the attack
+Beginning of the attack
+
domain-dst
-domain
Destination domain (victim)
--
text
text
Description of the DDoS
--
first-seen
last-seen
datetime
Beginning of the attack
+End of the attack
ip-src
ip-src
IP address originating the attack
++
dst-port
port
Destination port of the attack
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
domain-dst
domain
Destination domain (victim)
++
SessionId
-text
Session-ID.
--
Destination-Realm
text
IdrFlags
text
IDR-Flags.
--
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
--
text
text
first-seen
datetime
When the attack has been seen for the first time.
--
Origin-Host
ApplicationId
text
Origin-Host.
+Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
Destination-Host
Origin-Realm
text
Destination-Host.
+Origin-Realm.
@@ -2828,25 +2791,65 @@ diameter-attack is a MISP object available in JSON format at
Origin-Realm
category
text
Origin-Realm.
+Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
++
Destination-Host
text
Destination-Host.
ApplicationId
SessionId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
+Session-ID.
first-seen
datetime
When the attack has been seen for the first time.
++
Origin-Host
text
Origin-Host.
++
IdrFlags
text
IDR-Flags.
++
last-seen
-datetime
text
text
Last time the tuple has been seen
+A description of the tuple
text
text
last-seen
datetime
A description of the tuple
+Last time the tuple has been seen
@@ -2974,10 +2977,10 @@ elf is a MISP object available in JSON format at
os_abi
arch
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
@@ -2994,23 +2997,23 @@ elf is a MISP object available in JSON format at
arch
text
number-sections
counter
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Number of sections
type
os_abi
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+
number-sections
-counter
type
text
Number of sections
+Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
+
text
+text
Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
name
text
Name of the section
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/224
sha512/224
name
text
size-in-bytes
size-in-bytes
Name of the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the section
+Size of the section, in bytes
@@ -3162,26 +3195,6 @@ elf-section is a MISP object available in JSON format at
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
flag
text
ssdeep
ssdeep
sha512
sha512
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (512 bits)
@@ -3260,10 +3263,10 @@ email is a MISP object available in JSON format at
from
email-src
subject
email-subject
Sender email address
+Subject
@@ -3280,73 +3283,23 @@ email is a MISP object available in JSON format at
from-display-name
email-src-display-name
screenshot
attachment
Display name of the sender
--
mime-boundary
email-mime-boundary
MIME Boundary
--
return-path
text
Message return path
--
send-date
datetime
Date the email has been sent
+Screenshot of email
to
email-dst
Destination email address
--
header
email-header
Full headers
-
message-id
email-message-id
Message ID
-+
screenshot
-attachment
Screenshot of email
--
eml
attachment
Full EML
--
cc
email-dst
Carbon copy
+
to
email-dst
Destination email address
++
mime-boundary
email-mime-boundary
MIME Boundary
++
from
email-src
Sender email address
+
+
x-mailer
email-x-mailer
return-path
email-src
X-Mailer generally tells the program that was used to draft and send the original email
+Message return path
subject
email-subject
send-date
datetime
Subject
+Date the email has been sent
+
+
user-agent
text
User Agent of the sender
++
eml
attachment
Full EML
++
from-display-name
email-src-display-name
Display name of the sender
+
message-id
email-message-id
Message ID
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
attack-type
-text
processing-timestamp
datetime
Type of the attack
--
failures
counter
Amount of failures that lead to the ban.
--
logfile
attachment
Full logfile related to the attack.
+Timestamp of the report
@@ -3518,10 +3511,40 @@ fail2ban is a MISP object available in JSON format at
processing-timestamp
datetime
failures
counter
Timestamp of the report
+Amount of failures that lead to the ban.
++
logline
text
Example log line that caused the ban.
++
logfile
attachment
Full logfile related to the attack.
++
attack-type
text
Type of the attack
logline
text
Example log line that caused the ban.
--
pattern-in-file
+pattern-in-file
Pattern that can be found in the file
++
text
text
Free text value to attach to the file
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
malware-sample
malware-sample
The file itself (binary)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512/224
sha512/224
entropy
float
mimetype
mime-type
Entropy of the whole file
+Mime type
sha512
sha512
path
text
Secure Hash Algorithm 2 (512 bits)
+Path of the filename complete or partial
++
authentihash
authentihash
Authenticode executable signature hash
@@ -3646,6 +3749,16 @@ file is a MISP object available in JSON format at
entropy
float
Entropy of the whole file
++
sha512/256
sha512/256
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the file
--
filename
filename
Filename on disk
--
authentihash
authentihash
Authenticode executable signature hash
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
certificate
x509-fingerprint-sha1
sha224
sha224
sha1
sha1
Secure Hash Algorithm 2 (224 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
mimetype
mime-type
filename
filename
Mime type
--
malware-sample
malware-sample
The file itself (binary)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
path
text
Path of the filename complete or partial
+Filename on disk
@@ -3776,30 +3809,10 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
sha512
sha512
Pattern that can be found in the file
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (512 bits)
@@ -3844,6 +3857,46 @@ geolocation is a MISP object available in JSON format at
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
first-seen
datetime
When the location was seen for the first time.
++
zipcode
text
Zip Code.
++
country
text
latitude
float
city
text
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
+City.
+
+
region
text
Region.
+
zipcode
+text
text
Zip Code.
+A generic description of the location.
+
region
text
Region.
--
last-seen
datetime
When the location was seen for the last time.
--
text
text
A generic description of the location.
--
first-seen
datetime
When the location was seen for the first time.
--
city
text
City.
--
GtpInterface
+text
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
--
GtpImei
text
GTP IMEI (International Mobile Equipment Identity).
--
PortSrc
port
Source port.
+A description of the GTP attack.
@@ -4032,30 +4025,10 @@ gtp-attack is a MISP object available in JSON format at
text
GtpMessageType
text
A description of the GTP attack.
--
GtpMsisdn
text
GTP MSISDN.
--
first-seen
datetime
When the attack has been seen for the first time.
+GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
@@ -4072,20 +4045,10 @@ gtp-attack is a MISP object available in JSON format at
GtpVersion
GtpImei
text
GTP version ['0', '1', '2']
--
ipSrc
ip-src
IP source address.
+GTP IMEI (International Mobile Equipment Identity).
@@ -4102,16 +4065,6 @@ gtp-attack is a MISP object available in JSON format at
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
--
ipDest
ip-dst
first-seen
datetime
When the attack has been seen for the first time.
++
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
++
GtpMsisdn
text
GTP MSISDN.
++
ipSrc
ip-src
IP source address.
++
PortSrc
port
Source port.
++
GtpVersion
text
GTP version ['0', '1', '2']
++
proxy-password
+text
HTTP Proxy Password
++
uri
uri
Request URI
++
text
text
HTTP Request comment
++
basicauth-user
text
HTTP Basic Authentication Username
++
host
hostname
The domain name of the server
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
user-agent
user-agent
The user agent string of the user agent
++
basicauth-password
text
content-type
other
The MIME type of the body of the request
++
proxy-user
text
HTTP Proxy Username
++
method
http-method
uri
uri
Request URI
--
user-agent
user-agent
The user agent string of the user agent
--
text
text
HTTP Request comment
--
content-type
other
The MIME type of the body of the request
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
proxy-password
text
HTTP Proxy Password
--
referer
other
host
hostname
The domain name of the server
--
proxy-user
text
HTTP Proxy Username
--
basicauth-user
text
HTTP Basic Authentication Username
--
domain
-domain
text
text
Domain
+Description of the tuple
+
src-port
-port
first-seen
datetime
Source port
+First time the tuple has been seen
-
hostname
hostname
Hostname
-+
text
-text
hostname
hostname
Description of the tuple
+Hostname
-
first-seen
datetime
First time the tuple has been seen
-+
domain
domain
Domain
++
src-port
port
Source port
++
ip-src
-ip-src
Source IP Address
--
last-seen
datetime
first-seen
datetime
First seen of the SSL/TLS handshake
++
ja3-fingerprint-md5
md5
first-seen
datetime
ip-src
ip-src
First seen of the SSL/TLS handshake
+Source IP Address
+
text
+text
A description of the entity.
++
phone-number
phone-number
Phone number of an entity.
++
name
text
phone-number
phone-number
business
text
Phone number of an entity.
+Business area of an entity.
@@ -4584,16 +4617,6 @@ legal-entity is a MISP object available in JSON format at
text
text
A description of the entity.
--
commercial-name
text
business
text
Business area of an entity.
--
text
+entrypoint-address
text
Free text value to attach to the Mach-O file
+Address of the entry point
type
name
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+Binary’s name
entrypoint-address
text
text
Address of the entry point
+Free text value to attach to the Mach-O file
@@ -4692,10 +4705,10 @@ macho is a MISP object available in JSON format at
name
type
text
Binary’s name
+Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
@@ -4740,6 +4753,86 @@ macho-section is a MISP object available in JSON format at
text
text
Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
name
text
Name of the section
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/224
sha512/224
name
text
size-in-bytes
size-in-bytes
Name of the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the section
+Size of the section, in bytes
@@ -4830,40 +4873,10 @@ macho-section is a MISP object available in JSON format at
sha224
sha224
sha512
sha512
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (512 bits)
@@ -4908,30 +4921,20 @@ microblog is a MISP object available in JSON format at
url
link
url
Original URL location of the microblog post
+Link into the microblog post
username
username-quoted
text
Username who posted the microblog post
--
modification-date
datetime
Last update of the microblog post
+Username who are quoted into the microblog post
@@ -4958,20 +4961,30 @@ microblog is a MISP object available in JSON format at
creation-date
datetime
username
text
Initial creation of the microblog post
+Username who posted the microblog post
username-quoted
text
url
url
Username who are quoted into the microblog post
+Original URL location of the microblog post
++
creation-date
datetime
Initial creation of the microblog post
@@ -4988,10 +5001,10 @@ microblog is a MISP object available in JSON format at
link
url
modification-date
datetime
Link into the microblog post
+Last update of the microblog post
@@ -5036,10 +5049,10 @@ mutex is a MISP object available in JSON format at
operating-system
name
text
Operating system where the mutex has been seen ['Windows', 'Unix']
+name of the mutex
@@ -5056,10 +5069,10 @@ mutex is a MISP object available in JSON format at
name
operating-system
text
name of the mutex
+Operating system where the mutex has been seen ['Windows', 'Unix']
@@ -5104,10 +5117,40 @@ netflow is a MISP object available in JSON format at
ip-protocol-number
size-in-bytes
src-as
AS
IP protocol number of this flow
+Source AS number for this flow
++
ip-dst
ip-dst
IP address destination of the netflow
++
packet-count
counter
Packets counted in this flow
++
flow-count
counter
Flows counted in this flow
@@ -5124,16 +5167,36 @@ netflow is a MISP object available in JSON format at
icmp-type
tcp-flags
text
ICMP type of the flow (if the traffic is ICMP)
+TCP flags of the flow
direction
text
Direction of this flow ['Ingress', 'Egress']
++
ip-src
ip-src
IP address source of the netflow
++
src-port
port
dst-as
AS
protocol
text
Destination AS number for this flow
--
flow-count
counter
Flows counted in this flow
--
ip-dst
ip-dst
IP address destination of the netflow
+Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
@@ -5184,70 +5227,30 @@ netflow is a MISP object available in JSON format at
ip-src
ip-src
ip-protocol-number
size-in-bytes
IP address source of the netflow
--
dst-port
port
Destination port of the netflow
--
byte-count
counter
Bytes counted in this flow
+IP protocol number of this flow
packet-count
counter
Packets counted in this flow
--
src-as
dst-as
AS
Source AS number for this flow
+Destination AS number for this flow
direction
icmp-type
text
Direction of this flow ['Ingress', 'Egress']
--
tcp-flags
text
TCP flags of the flow
+ICMP type of the flow (if the traffic is ICMP)
@@ -5264,10 +5267,226 @@ netflow is a MISP object available in JSON format at
protocol
byte-count
counter
Bytes counted in this flow
++
dst-port
port
Destination port of the netflow
++
A local or remote network connection..
++ + | ++network-connection is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
ip-dst |
+ip-dst |
+
+ Destination IP address of the nework connection. + |
+
+ + |
+
layer3-protocol |
text |
- Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP'] +Layer 3 protocol of the network connection. ['IP', 'ICMP', 'ARP'] + |
+
+ + |
+
layer4-protocol |
+text |
+
+ Layer 4 protocol of the network connection. ['TCP', 'UDP'] + |
+
+ + |
+
first-packet-seen |
+datetime |
+
+ Datetime of the first packet seen. + |
+
+ + |
+
layer7-protocol |
+text |
+
+ Layer 7 protocol of the network connection. ['HTTP', 'HTTPS', 'FTP'] + |
+
+ + |
+
ip-src |
+ip-src |
+
+ Source IP address of the nework connection. + |
+
+ + |
+
src-port |
+port |
+
+ Source port of the nework connection. + |
+
+ + |
+
dst-port |
+port |
+
+ Destination port of the nework connection. + |
+
+ + |
+
Network socket object describes a local or remote network connections based on the socket data structure..
++ + | ++network-socket is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +||||
---|---|---|---|---|---|---|---|
ip-dst |
+ip-dst |
+
+ Destination IP address of the network socket connection. + |
+
+ + |
+||||
first-packet-seen |
+datetime |
+
+ Datetime of the first packet seen. + |
+
+ + |
+||||
ip-src |
+ip-src |
+
+ Source (local) IP address of the network socket connection. + |
+
+ + |
+||||
src-port |
+port |
+
+ Source (local) port of the network socket connection. + |
+
+ + |
+||||
dst-port |
+port |
+
+ Destination port of the network socket connection. |
@@ -5312,36 +5531,6 @@ passive-dns is a MISP object available in JSON format at time_first |
-datetime |
-
- First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS - |
-
- - |
-|
zone_time_first |
-datetime |
-
- First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import - |
-
- - |
-||||
rrtype |
-text |
-
- Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6'] - |
-
- - |
-||||
text |
text |
@@ -5362,10 +5551,20 @@ passive-dns is a MISP object available in JSON format at time_last |
-datetime |
+count |
+counter |
- Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS +How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers. + |
+
+ + |
+
rrtype |
+text |
+
+ Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6'] |
@@ -5382,6 +5581,46 @@ passive-dns is a MISP object available in JSON format at rrname |
+text |
+
+ Resource Record name of the queried resource. + |
+
+ + |
+|
zone_time_first |
+datetime |
+
+ First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import + |
+
+ + |
+||||
time_last |
+datetime |
+
+ Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS + |
+
+ + |
+||||
time_first |
+datetime |
+
+ First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS + |
+
+ + |
+||||
zone_time_last |
datetime |
@@ -5392,10 +5631,10 @@ passive-dns is a MISP object available in JSON format at count |
-counter |
+bailiwick |
+text |
- How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers. +Best estimate of the apex of the zone where this data is authoritative |
|
rrname |
-text |
-
- Resource Record name of the queried resource. - |
-
- - |
-||||
bailiwick |
-text |
-
- Best estimate of the apex of the zone where this data is authoritative - |
-
- - |
-
url
-url
Link to the original source of the paste or post.
--
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
last-seen
datetime
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
paste
text
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
title
text
first-seen
datetime
url
url
When the paste has been accessible or seen for the first time.
+Link to the original source of the paste or post.
+
pehash
-pehash
original-filename
filename
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+OriginalFilename in the resources
+
file-description
+entrypoint-address
text
FileDescription in the resources
+Address of the entry point
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
product-name
text
lang-id
text
compilation-timestamp
datetime
Lang ID in the resources
+Compilation timestamp defined in the PE header
+
legal-copyright
+text
LegalCopyright in the resources
++
imphash
imphash
company-name
lang-id
text
CompanyName in the resources
+Lang ID in the resources
file-version
file-description
text
FileVersion in the resources
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
internal-filename
filename
InternalFilename in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
entrypoint-address
text
Address of the entry point
+FileDescription in the resources
@@ -5728,25 +5917,55 @@ pe is a MISP object available in JSON format at
original-filename
filename
file-version
text
OriginalFilename in the resources
+FileVersion in the resources
legal-copyright
text
internal-filename
filename
LegalCopyright in the resources
+InternalFilename in the resources
company-name
text
CompanyName in the resources
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
text
+text
Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/224
sha512/224
name
text
size-in-bytes
size-in-bytes
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the section
+Size of the section, in bytes
@@ -5886,40 +6135,10 @@ pe-section is a MISP object available in JSON format at
sha224
sha224
sha512
sha512
Secure Hash Algorithm 2 (224 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
md5
md5
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (512 bits)
@@ -5964,30 +6183,20 @@ person is a MISP object available in JSON format at
gender
gender
passport-expiration
passport-expiration
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
+The expiration date of a passport.
first-name
first-name
text
text
First name of a natural person.
--
place-of-birth
place-of-birth
Place of birth of a natural person.
+A description of the person or identity.
@@ -6004,16 +6213,36 @@ person is a MISP object available in JSON format at
last-name
last-name
middle-name
middle-name
Last name of a natural person.
+Middle name of a natural person.
place-of-birth
place-of-birth
Place of birth of a natural person.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
nationality
nationality
alias
text
Alias name or known as.
--
text
text
A description of the person or identity.
--
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
middle-name
middle-name
Middle name of a natural person.
--
identity-card-number
identity-card-number
The identity card number of a natural person.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
passport-country
passport-country
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
alias
text
Alias name or known as.
++
title
text
last-name
last-name
Last name of a natural person.
++
first-name
first-name
First name of a natural person.
++
identity-card-number
identity-card-number
The identity card number of a natural person.
++
social-security-number
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
text
text
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
guti
tmsi
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
tmsi
msisdn
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
@@ -6262,15 +6431,173 @@ phone is a MISP object available in JSON format at
msisdn
gummei
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
Object describing a system process..
++ + | ++process is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
pid |
+text |
+
+ Process ID of the process. + |
+
+ + |
+
creation-time |
+datetime |
+
+ Local date/time at which the process was created. + |
+
+ + |
+
child-pid |
+text |
+
+ Process ID of the child(ren) process. + |
+
+ + |
+
parent_pid |
+text |
+
+ Process ID of the parent process. + |
+
+ + |
+
name |
+text |
+
+ Name of the process + |
+
+ + |
+
port |
+src-port |
+
+ Port(s) owned by the process. + |
+
+ + |
+
start-time |
+datetime |
+
+ Local date/time at which the process was started. + |
+
+ + |
+
callbacks
-counter
Amount of callbacks (functions started as thread)
--
not-referenced-strings
counter
Amount of not referenced strings
--
gml
attachment
Graph export in G>raph Modelling Language format
--
referenced-strings
counter
Amount of referenced strings
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
total-functions
counter
Total amount of functions in the file.
--
total-api
counter
Total amount of API calls
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
text
text
get-proc-address
miss-api
counter
Amount of calls to GetProcAddress
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Amount of API call reference that does not resolve to a function offset
@@ -6480,10 +6677,60 @@ r2graphity is a MISP object available in JSON format at
shortest-path-to-create-thread
callback-average
counter
Shortest path to the first time the binary calls CreateThread
+Average size of a callback
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
not-referenced-strings
counter
Amount of not referenced strings
++
local-references
counter
Amount of API calls inside a code section
++
total-functions
counter
Total amount of functions in the file.
++
r2-commit-version
text
Radare2 commit ID used to generate this object
@@ -6500,20 +6747,100 @@ r2graphity is a MISP object available in JSON format at
callback-average
unknown-references
counter
Average size of a callback
+Amount of API calls not ending in a function (Radare2 bug, probalby)
local-references
callbacks
counter
Amount of API calls inside a code section
+Amount of callbacks (functions started as thread)
++
gml
attachment
Graph export in G>raph Modelling Language format
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
total-api
counter
Total amount of API calls
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
referenced-strings
counter
Amount of referenced strings
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
@@ -6568,16 +6895,6 @@ regexp is a MISP object available in JSON format at
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
regexp
text
comment
comment
A description of the regular expression.
++
type
text
comment
comment
regexp-type
text
A description of the regular expression.
+Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+
data
-text
key
regkey
Data stored in the registry key
--
root-keys
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
--
name
text
Name of the registry key
+Full key path
@@ -6686,6 +6993,16 @@ registry-key is a MISP object available in JSON format at
root-keys
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
++
last-modified
datetime
key
regkey
name
text
Full key path
+Name of the registry key
data
text
Data stored in the registry key
++
queue
+subject
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Subject of the RTIR ticket
++
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
++
ticket-number
text
ticket-number of the RTIR ticket
++
constituency
text
Constituency of the RTIR ticket
@@ -6842,40 +7199,10 @@ rtir is a MISP object available in JSON format at
ticket-number
queue
text
ticket-number of the RTIR ticket
--
subject
text
Subject of the RTIR ticket
--
constituency
text
Constituency of the RTIR ticket
--
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
@@ -6920,10 +7247,10 @@ sandbox-report is a MISP object available in JSON format at
results
on-premise-sandbox
text
Freetext result values
+The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
@@ -6940,6 +7267,26 @@ sandbox-report is a MISP object available in JSON format at
results
text
Freetext result values
++
saas-sandbox
text
A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
++
web-sandbox
text
score
text
Score
--
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
--
permalink
link
on-premise-sandbox
sandbox-type
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
+The type of sandbox used ['on-premise', 'web', 'saas']
saas-sandbox
score
text
A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
+Score
@@ -7038,20 +7365,10 @@ sb-signature is a MISP object available in JSON format at
signature
text
datetime
datetime
Name of detection signature - set the description of the detection signature as a comment
--
software
text
Name of Sandbox software
+Datetime
@@ -7068,10 +7385,20 @@ sb-signature is a MISP object available in JSON format at
datetime
datetime
signature
text
Datetime
+Name of detection signature - set the description of the detection signature as a comment
++
software
text
Name of Sandbox software
@@ -7116,186 +7443,26 @@ ss7-attack is a MISP object available in JSON format at
MapSmscGT
SccpCgGT
text
MAP SMSC. Phone number.
+Signaling Connection Control Part (SCCP) CgGT - Phone number.
MapImsi
MapVersion
text
MAP IMSI. Phone number starting with MCC/MNC.
--
MapGsmscfGT
text
MAP GSMSCF GT. Phone number.
--
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
--
MapApplicationContext
text
MAP application context in OID format.
+Map version. ['1', '2', '3']
MapGmlc
text
MAP GMLC. Phone number.
--
MapMsisdn
text
MAP MSISDN. Phone number.
--
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
--
MapSmsTP-DCS
text
MAP SMS TP-DCS.
--
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
--
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
MapSmsTypeNumber
text
MAP SMS TypeNumber.
--
MapSmsTP-PID
text
MAP SMS TP-PID.
--
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
MapVlrGT
text
MAP VLR GT. Phone number.
--
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
MapUssdContent
text
MAP USSD Content.
--
text
text
MapUssdCoding
MapGsmscfGT
text
MAP USSD Content.
+MAP GSMSCF GT. Phone number.
++
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
first-seen
datetime
MapSmsTP-OA
text
When the attack has been seen for the first time.
+MAP SMS TP-OA. Phone number.
++
MapGmlc
text
MAP GMLC. Phone number.
++
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
++
MapUssdCoding
text
MAP USSD Content.
@@ -7336,6 +7543,86 @@ ss7-attack is a MISP object available in JSON format at
MapSmscGT
text
MAP SMSC. Phone number.
++
MapSmsTypeNumber
text
MAP SMS TypeNumber.
++
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
++
MapSmsTP-PID
text
MAP SMS TP-PID.
++
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
++
MapVlrGT
text
MAP VLR GT. Phone number.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
++
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
++
Category
text
MapVersion
MapApplicationContext
text
Map version. ['1', '2', '3']
+MAP application context in OID format.
SccpCgGT
MapImsi
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
+MAP IMSI. Phone number starting with MCC/MNC.
SccpCgPC
MapUssdContent
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
+MAP USSD Content.
MapSmsTP-DCS
text
MAP SMS TP-DCS.
++
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapMsisdn
text
MAP MSISDN. Phone number.
++
first-seen
datetime
When the attack has been seen for the first time.
++
stix2-pattern
-stix2-pattern
STIX 2 pattern
--
version
text
stix2-pattern
stix2-pattern
STIX 2 pattern
++
suricata
-suricata
Suricata rule.
--
ref
link
Reference to the Suricata rule such as origin of the rule or alike.
--
version
text
suricata
suricata
Suricata rule.
++
ref
link
Reference to the Suricata rule such as origin of the rule or alike.
++
targeted_ip_of_system
-ip-src
timestamp_seen
datetime
Targeted system IP address
+Registered date and time
@@ -7580,10 +7907,10 @@ target-system is a MISP object available in JSON format at
timestamp_seen
datetime
targeted_ip_of_system
ip-src
Registered date and time
+Targeted system IP address
@@ -7628,10 +7955,20 @@ timesketch-timeline is a MISP object available in JSON format at
timestamp_desc
text
datetime
datetime
Text explaining what type of timestamp is it
+When the log entry was seen
++
timestamp
timestamp-microsec
When the log entry was seen in microseconds since Unix epoch
@@ -7648,20 +7985,10 @@ timesketch-timeline is a MISP object available in JSON format at
datetime
datetime
timestamp_desc
text
When the log entry was seen
--
timestamp
timestamp-microsec
When the log entry was seen in microseconds since Unix epoch
+Text explaining what type of timestamp is it
@@ -7706,16 +8033,6 @@ timestamp is a MISP object available in JSON format at
precision
text
Timestamp precision represents the precision given to first_seen and/or last_seen in this object. ['year', 'month', 'day', 'hour', 'minute', 'full']
--
last-seen
datetime
precision
text
Timestamp precision represents the precision given to first_seen and/or last_seen in this object. ['year', 'month', 'day', 'hour', 'minute', 'full']
++
nickname
-text
router’s nickname.
--
version_line
text
versioning information reported by the node.
--
flags
text
list of flag associated with the node.
--
fingerprint
text
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
text
text
first-seen
datetime
flags
text
When the Tor node designed by the IP address has been seen for the first time.
--
address
ip-src
IP address of the Tor node seen.
+list of flag associated with the node.
version
version_line
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
+versioning information reported by the node.
@@ -7894,6 +8171,26 @@ tor-node is a MISP object available in JSON format at
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
address
ip-src
IP address of the Tor node seen.
++
document
text
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
nickname
text
router’s nickname.
++
teller
-text
Person who conducted the transaction.
--
to-country
text
Target country of a transaction.
--
transmode-comment
text
Comment describing transmode-code, if needed.
--
location
text
amount
text
The value of the transaction in local currency.
--
transmode-code
text
How the transaction was conducted.
--
transaction-number
text
A unique number identifying a transaction.
--
authorized
text
Person who autorized the transaction.
--
text
text
from-country
date
datetime
Date and time of the transaction.
++
amount
text
Origin country of a transaction.
+The value of the transaction in local currency.
++
transmode-comment
text
Comment describing transmode-code, if needed.
++
transmode-code
text
How the transaction was conducted.
++
teller
text
Person who conducted the transaction.
@@ -8052,13 +8349,13 @@ transaction is a MISP object available in JSON format at
from-funds-code
to-country
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
+Target country of a transaction.
+
date
-datetime
from-funds-code
text
Date and time of the transaction.
+Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
authorized
text
Person who autorized the transaction.
++
transaction-number
text
A unique number identifying a transaction.
++
from-country
text
Origin country of a transaction.
@@ -8120,50 +8447,10 @@ url is a MISP object available in JSON format at
url
url
Full URL
--
credential
subdomain
text
Credential (username, password)
--
tld
text
Top-Level Domain
--
domain
domain
Full domain
--
last-seen
datetime
Last time this URL has been seen
+Subdomain
@@ -8180,6 +8467,56 @@ url is a MISP object available in JSON format at
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
tld
text
Top-Level Domain
++
query_string
text
Query (after path, preceded by '?')
++
domain
domain
Full domain
++
host
hostname
Full hostname
++
domain_without_tld
text
credential
text
Credential (username, password)
++
last-seen
datetime
Last time this URL has been seen
++
scheme
text
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
first-seen
datetime
host
hostname
Full hostname
--
subdomain
text
Subdomain
--
query_string
text
Query (after path, preceded by '?')
--
port
port
url
url
Full URL
++
external
+target-external
External target organisations affected by this attack.
++
node
target-machine
roles
description
text
The list of roles targeted within the victim.
--
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
user
target-user
The username(s) of the user targeted.
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
+Description of the victim
@@ -8398,20 +8705,40 @@ victim is a MISP object available in JSON format at
description
roles
text
Description of the victim
+The list of roles targeted within the victim.
external
target-external
user
target-user
External target organisations affected by this attack.
+The username(s) of the user targeted.
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
@@ -8456,16 +8783,6 @@ virustotal-report is a MISP object available in JSON format at
last-submission
datetime
Last Submission
--
comment
text
detection-ratio
text
Detection Ratio
++
first-submission
datetime
permalink
link
Permalink Reference
++
community-score
text
permalink
link
last-submission
datetime
Permalink Reference
+Last Submission
detection-ratio
text
Detection Ratio
--
created
-datetime
First time when the vulnerability was discovered
--
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
--
modified
datetime
Last modification date
--
summary
text
Summary of the vulnerability
--
published
datetime
Initial publication date
--
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
--
text
text
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
++
created
datetime
First time when the vulnerability was discovered
++
modified
datetime
Last modification date
++
id
vulnerability
published
datetime
Initial publication date
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
summary
text
Summary of the vulnerability
++
creation-date
-datetime
text
text
Initial creation of the whois entry
+Full whois entry
expiration-date
registrant-name
whois-registrant-name
Registrant name
++
ip-address
ip-src
IP address of the whois entry
++
comment
text
Comment of the whois entry
++
modification-date
datetime
Expiration of the whois entry
+Last update of the whois entry
@@ -8712,30 +9069,20 @@ whois is a MISP object available in JSON format at
text
text
registrant-phone
whois-registrant-phone
Full whois entry
--
registrant-email
whois-registrant-email
Registrant email address
+Registrant phone number
registrant-name
whois-registrant-name
registrant-org
whois-registrant-org
Registrant name
+Registrant organisation
@@ -8762,50 +9109,30 @@ whois is a MISP object available in JSON format at
registrant-phone
whois-registrant-phone
Registrant phone number
--
modification-date
expiration-date
datetime
Last update of the whois entry
+Expiration of the whois entry
registrant-org
whois-registrant-org
creation-date
datetime
Registrant organisation
+Initial creation of the whois entry
+
comment
text
registrant-email
whois-registrant-email
Comment of the whois entry
--
ip-address
ip-src
IP address of the whois entry
+Registrant email address
@@ -8850,20 +9177,10 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-algorithm
subject
text
Algorithm of the public key
+Subject of the certificate
@@ -8880,6 +9197,16 @@ x509 is a MISP object available in JSON format at
pubkey-info-modulus
text
Modulus of the public key
++
validity-not-before
datetime
x509-fingerprint-sha1
x509-fingerprint-sha1
self_signed
boolean
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
issuer
text
Issuer of the certificate
--
text
text
Free text description of hte certificate
--
validity-not-after
datetime
Certificate invalid after that date
--
serial-number
text
Serial number of the certificate
+Self-signed certificate
@@ -8950,60 +9237,10 @@ x509 is a MISP object available in JSON format at
pubkey-info-modulus
pubkey-info-algorithm
text
Modulus of the public key
--
pem
text
Raw certificate in PEM formati (Unix-like newlines)
--
is_ca
boolean
CA certificate
--
version
text
Version of the certificate
--
dns_names
text
DNS names
--
self_signed
boolean
Self-signed certificate
+Algorithm of the public key
@@ -9030,10 +9267,100 @@ x509 is a MISP object available in JSON format at
subject
text
text
Subject of the certificate
+Free text description of hte certificate
++
issuer
text
Issuer of the certificate
++
version
text
Version of the certificate
++
pem
text
Raw certificate in PEM formati (Unix-like newlines)
++
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
serial-number
text
Serial number of the certificate
++
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
++
validity-not-after
datetime
Certificate invalid after that date
++
is_ca
boolean
CA certificate
++
dns_names
text
DNS names
@@ -9078,16 +9405,6 @@ yabin is a MISP object available in JSON format at
yara-hunt
yara
Wide yara rule generated from -yh.
--
whitelist
comment
yara
yara
Yara rule generated from -y.
--
comment
comment
yara-hunt
yara
Wide yara rule generated from -yh.
++
yara
yara
Yara rule generated from -y.
++
yara
-yara
comment
comment
YARA rule.
+A description of the YARA rule.
comment
comment
yara
yara
A description of the YARA rule.
+YARA rule.