From 5a7998446bca3de27efa7121726aab8d2576e540 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Thu, 8 Feb 2018 11:59:55 +0100
Subject: [PATCH] fix: objects updated
---
objects.html | 5710 +-
objects.pdf | 179829 ++++++++++++++++++++++++++----------------------
2 files changed, 99516 insertions(+), 86023 deletions(-)
diff --git a/objects.html b/objects.html
index d9e3fd4..1d7c87b 100755
--- a/objects.html
+++ b/objects.html
@@ -445,6 +445,9 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
duplicate_number
counter
Number of known duplicates.
--
duplicate
text
Duplicate of the existing leaks.
--
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
--
origin
text
type
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
duplicate_number
counter
Number of known duplicates.
++
sensor
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
+The AIL sensor uuid where the leak was processed and analysed.
++
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
duplicate
text
Duplicate of the existing leaks.
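Review bot: the one substantive change in this hunk, the corrected description on the `sensor` row ("Type of information leak as discovered and classified by an AIL module" replaced by "The AIL sensor uuid where the leak was processed and analysed"), is buried under whole attribute blocks that are removed and re-added unchanged (`duplicate_number`, `raw-data`, `text`, `duplicate`). Have the generator emit attribute rows in a stable sorted order before regenerating objects.html so that content fixes like this one are visible; the diffstat (99516 insertions, 86023 deletions for what the subject calls an update) is the symptom of the current unordered output.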
@@ -648,20 +662,10 @@ ail-leak is a MISP object available in JSON format at
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
sensor
type
text
The AIL sensor uuid where the leak was processed and analysed.
+Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
@@ -764,16 +768,6 @@ annotation is a MISP object available in JSON format at
text
text
Raw text of the annotation
--
creation-date
datetime
type
text
text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
+Raw text of the annotation
+
type
+text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
++
modification-date
datetime
description
mp-export
text
Description of the autonomous system
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
first-seen
datetime
First time the ASN was seen
--
import
text
last-seen
datetime
Last time the ASN was seen
--
mp-export
description
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+Description of the autonomous system
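Review bot: the `mp-export` description says "performs the same function as the export attribute above", but in the regenerated asn table `export` now comes after `mp-export`, so "above" is wrong, and the sentence ending "section 4.5. format" is malformed in both `mp-export` and `mp-import`. Suggest rewording in the asn object definition (not the generated HTML) to something like "The outbound IPv4 or IPv6 routing policy of the AS in RFC 4012 (RPSLng), section 4.5 format" so the text no longer depends on row order. Also confirm that `creation-date` (datetime), which appears only on the removed side of the annotation rows, is still present in the regenerated annotation table next to the added `modification-date`.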
@@ -942,6 +906,36 @@ asn is a MISP object available in JSON format at
last-seen
datetime
Last time the ASN was seen
++
asn
AS
Autonomous System Number
++
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
subnet-announced
ip-src
asn
AS
first-seen
datetime
Autonomous System Number
+First time the ASN was seen
++
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
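Review bot: `subnet-announced` is typed `ip-src` and no description for it is visible in this hunk; an announced prefix is a network, so the description should state the expected form (a CIDR prefix such as a.b.c.0/24) and that it is neither a source nor a destination address despite the type name. The "section 4.5. format" wording problem raised on the previous hunk also appears in the `mp-import` row here.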
@@ -1000,16 +1004,6 @@ av-signature is a MISP object available in JSON format at
text
text
Free text value to attach to the file
--
software
text
text
text
Free text value to attach to the file
++
signature
text
non-banking-institution
boolean
account
bank-account-nr
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
+Account number
-
swift
bic
SWIFT or BIC as defined in ISO 9362.
-+
beneficiary-comment
+status-code
text
Comment about the final beneficiary.
+Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
beneficiary
branch
text
Final beneficiary of the bank account.
+Branch code or name
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
account
bank-account-nr
Account number
--
date-balance
datetime
opened
closed
datetime
When the account was opened.
+When the account was closed.
++
text
text
A description of the bank account.
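Review bot: grammar in the `non-banking-institution` description, "if this account belong to a non-banking organisation", should read "belongs"; fix it in the bank-account object definition rather than in the generated HTML. The new `status-code` and `personal-account-type` value lists use a "letter - label" form ('A - Active', 'B - Personal Current'); say in the description whether the stored value is the letter code or the full string so consumers know what to match on.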
@@ -1178,33 +1162,33 @@ bank-account is a MISP object available in JSON format at
account-name
personal-account-type
text
A field to freely describe the bank account details.
--
text
text
A description of the bank account.
+Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
iban
iban
swift
bic
IBAN of the bank account.
+SWIFT or BIC as defined in ISO 9362.
+
+
opened
datetime
When the account was opened.
+
status-code
+beneficiary-comment
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
+Comment about the final beneficiary.
closed
non-banking-institution
boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
++
account-name
text
A field to freely describe the bank account details.
++
beneficiary
text
Final beneficiary of the bank account.
++
iban
iban
IBAN of the bank account.
++
Common Alerting Protocol Version (CAP) alert object.
++ + | ++cap-alert is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|
---|---|---|---|---|
source |
+text |
+
+ The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device. + |
+
+ + |
+|
identifier |
+text |
+
+ The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender. + |
+
+ + |
+|
status |
+text |
+
+ The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft'] + |
+
+ + |
+|
code |
+text |
+
+ The code denoting the special handling of the alert message. + |
+
+ + |
+|
incident |
+text |
+
+ The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes. + |
+
+ + |
+|
sender |
+text |
+
+ The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name. + |
+
+ + |
+|
restriction |
+text |
+
+ The text describing the rule for limiting distribution of the restricted alert message. + |
+
+ + |
+|
references |
+text |
+
+ The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace. + |
+
+ + |
+|
msgType |
+text |
+
+ The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error'] + |
+
+ + |
+|
sent |
datetime |
- When the account was closed. +The time and date of the origination of the alert message. |
|
|
branch |
+addresses |
text |
- Branch code or name +The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. |
|
scope |
+text |
+
+ The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private'] + |
+
+ + |
+|
note |
+text |
+
+ The text describing the purpose or significance of the alert message. + |
+
+ + |
+
Common Alerting Protocol Version (CAP) info object.
++ + | ++cap-info is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
urgency |
+text |
+
+ The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown'] + |
+
+ + |
+
senderName |
+text |
+
+ The text naming the originator of the alert message. + |
+
+ + |
+
contact |
+text |
+
+ The text describing the contact for follow-up and confirmation of the alert message. + |
+
+ + |
+
parameter |
+text |
+
+ A system-specific additional parameter associated with the alert message. + |
+
+ + |
+
event |
+text |
+
+ The text denoting the type of the subject event of the alert message. + |
+
+ + |
+
web |
+link |
+
+ The identifier of the hyperlink associating additional information with the alert message. + |
+
+ + |
+
audience |
+text |
+
+ The text describing the intended audience of the alert message. + |
+
+ + |
+
category |
+text |
+
+ The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other'] + |
+
+ + |
+
certainty |
+text |
+
+ The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown'] + |
+
+ + |
+
severity |
+text |
+
+ The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown'] + |
+
+ + |
+
headline |
+text |
+
+ The text headline of the alert message. + |
+
+ + |
+
expires |
+datetime |
+
+ The expiry time of the information of the alert message. + |
+
+ + |
+
language |
+text |
+
+ The code denoting the language of the info sub-element of the alert message. + |
+
+ + |
+
eventCode |
+text |
+
+ A system-specific code identifying the event type of the alert message. + |
+
+ + |
+
description |
+text |
+
+ The text describing the subject event of the alert message. + |
+
+ + |
+
instruction |
+text |
+
+ The text describing the recommended action to be taken by recipients of the alert message. + |
+
+ + |
+
responseType |
+text |
+
+ The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None'] + |
+
+ + |
+
onset |
+datetime |
+
+ The expected time of the beginning of the subject event of the alert message. + |
+
+ + |
+
effective |
+datetime |
+
+ The effective time of the information of the alert message. + |
+
+ + |
+
Common Alerting Protocol Version (CAP) resource object.
++ + | ++cap-resource is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
uri |
+link |
+
+ The identifier of the hyperlink for the resource file. + |
+
+ + |
+
size |
+text |
+
+ The integer indicating the size of the resource file. + |
+
+ + |
+
derefUri |
+attachment |
+
+ The base-64 encoded data content of the resource file. + |
+
+ + |
+
mimeType |
+mime-type |
+
+ The identifier of the MIME content type and sub-type describing the resource file. + |
+
+ + |
+
resourceDesc |
+text |
+
+ The text describing the type and content of the resource file. + |
+
+ + |
+
digest |
+sha1 |
+
+ The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL). + |
+
+ + |
+
symbol
-text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
--
address
btc
first-seen
last-seen
datetime
First time this payment destination address has been seen
+Last time this payment destination address has been seen
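Review bot: in the new cap-resource object `size` is typed `text` ("The integer indicating the size of the resource file") although MISP has a `size-in-bytes` type that the file, elf-section and macho-section objects in this same patch use; typing it `size-in-bytes` keeps it consistent and comparable. `digest` typed `sha1` matches the CAP digest field and `derefUri` as `attachment` for the base-64 content is the right choice; the description could add that the decoded content is an untrusted file from the alert and should be handled as a sample. In coin-address, the `symbol` value list copied from coinmarketcap will drift quickly; consider stating that the list is indicative rather than exhaustive.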
@@ -1356,10 +1844,20 @@ coin-address is a MISP object available in JSON format at
last-seen
symbol
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
++
first-seen
datetime
Last time this payment destination address has been seen
+First time this payment destination address has been seen
@@ -1404,6 +1902,16 @@ cookie is a MISP object available in JSON format at
cookie
cookie
Full cookie
++
type
text
text
text
A description of the cookie.
++
cookie-value
text
text
text
A description of the cookie.
--
cookie
cookie
Full cookie
--
text
+username
text
A description of the credential(s)
+Username related to the password(s)
+
password
+text
Password
++
origin
text
username
text
text
Username related to the password(s)
+A description of the credential(s)
-
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
-+
password
+type
text
Password
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
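Review bot: `password` in the credential object is a plain `text` attribute described only as "Password", while `type` covers 'password', 'api-key' and 'encryption-key'; the description should say whether the value is expected to be the cleartext secret or a hash, because a cleartext secret placed in this object inherits the distribution level of the whole event. In the cookie object, `cookie-value` shows the same "A description of the cookie." text as the free-text `text` attribute in this hunk; check that its description was not copy-pasted.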
@@ -1600,36 +2098,6 @@ credit-card is a MISP object available in JSON format at
expiration
datetime
Maximum date of validity
--
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
comment
comment
A description of the card.
--
version
text
name
text
Name of the card owner.
--
cc-number
cc-number
comment
comment
A description of the card.
++
name
text
Name of the card owner.
++
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
expiration
datetime
Maximum date of validity
++
last-seen
+datetime
End of the attack
++
dst-port
port
Destination port of the attack
++
first-seen
datetime
Beginning of the attack
++
total-bps
counter
Bits per second
++
total-pps
counter
Packets per second
++
text
text
dst-port
port
protocol
text
Destination port of the attack
+Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-dst
ip-dst
Destination IP (victim)
last-seen
datetime
End of the attack
--
ip-dst
ip-dst
Destination IP (victim)
--
total-pps
counter
Packets per second
--
first-seen
datetime
Beginning of the attack
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
total-bps
counter
Bits per second
--
ApplicationId
-text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
CmdCode
text
Origin-Host
text
Origin-Host.
--
IdrFlags
text
IDR-Flags.
--
SessionId
text
first-seen
datetime
text
text
When the attack has been seen for the first time.
+A description of the attack seen.
Origin-Host
text
Origin-Host.
++
category
text
text
IdrFlags
text
A description of the attack seen.
+IDR-Flags.
Destination-Realm
text
Destination-Realm.
--
Origin-Realm
text
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
++
Destination-Host
text
Destination-Realm
text
Destination-Realm.
++
first-seen
datetime
When the attack has been seen for the first time.
++
last-seen
+datetime
Last time the tuple has been seen
++
domain
domain
last-seen
datetime
Last time the tuple has been seen
--
text
+number-sections
counter
Number of sections
++
entrypoint-address
text
Free text value to attach to the ELF
+Address of the entry point
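Review bot: `card-security-code` ("Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card") sits next to the full `cc-number` with nothing in the description about handling; the CSC is sensitive authentication data that PCI DSS forbids retaining after authorisation, so the description should flag that it must not be stored or shared beyond the need of the investigation. In the ddos object, `total-bps` and `total-pps` are typed `counter`, which is fine, but "Bits per second" / "Packets per second" should say whether peak or average is meant. In the diameter-attack rows, `CmdCode` and `SessionId` appear only on the removed side of this hunk; confirm they survived the regeneration.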
@@ -2132,6 +2640,16 @@ elf is a MISP object available in JSON format at
text
text
Free text value to attach to the ELF
++
type
text
entrypoint-address
text
Address of the entry point
--
number-sections
counter
Number of sections
--
flag
-text
sha256
sha256
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
text
text
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
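Review bot: the `sha224` row in elf-section ends this hunk with its description replaced by "Secure Hash Algorithm 2 (256 bits)"; if that is not just reordering noise it is wrong, since SHA-224 is 224 bits and the 256-bit text belongs to the `sha256` row. After regeneration, check that every hash row carries the bit length of its algorithm; the same pattern shows up in the file and macho-section hunks below.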
@@ -2250,66 +2718,6 @@ elf-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
name
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
text
text
Name of the section
+Free text value to attach to the section
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
to
+email-dst
Destination email address
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
from-display-name
email-src-display-name
Display name of the sender
++
email-body
email-body
Body of the email
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
subject
email-subject
Subject
++
reply-to
email-reply-to
Email address the reply will be sent to
++
send-date
datetime
Date the email has been sent
++
cc
email-dst
Carbon copy
++
mime-boundary
email-mime-boundary
MIME Boundary
++
to-display-name
email-dst-display-name
Display name of the receiver
++
return-path
text
Message return path
++
message-id
email-message-id
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
to
email-dst
Destination email address
--
mime-boundary
email-mime-boundary
MIME Boundary
--
subject
email-subject
Subject
--
header
email-header
Full headers
--
from-display-name
email-src-display-name
Display name of the sender
--
screenshot
attachment
reply-to
email-reply-to
Email address the reply will be sent to
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
return-path
text
Message return path
--
to-display-name
email-dst-display-name
Display name of the receiver
--
cc
email-dst
Carbon copy
--
send-date
datetime
Date the email has been sent
--
attachment
email-attachment
email-body
email-body
header
email-header
Body of the email
+Full headers
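Review bot: `return-path` in the email object is typed `text` ("Message return path") while the other address fields use `email-src`/`email-dst` (`to`, `cc`, `reply-to`); typing it `email-src` would let the envelope sender correlate across events, which is the pivot analysts actually use when tracking a phishing campaign. `screenshot` (attachment) and `attachment` (email-attachment) show no description in this hunk; confirm the regenerated table has one for each.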
@@ -2596,90 +3094,10 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
sha256
sha256
Pattern that can be found in the file
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
malware-sample
malware-sample
The file itself (binary)
--
text
text
Free text value to attach to the file
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
mimetype
text
Mime type
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
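Review bot: the same hash-description check raised for elf-section applies here: `sha512/224` ends this hunk with "(224 bits)" replaced by "Secure Hash Algorithm 2 (256 bits)", which would be wrong for SHA-512/224. `md5` keeps its "[Insecure]" marker but the `sha1` rows in the section objects of this patch carry none; consider labelling SHA-1 the same way now that collisions are practical.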
@@ -2696,50 +3114,20 @@ file is a MISP object available in JSON format at
md5
md5
sha384
sha384
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (384 bits)
sha256
sha256
tlsh
tlsh
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
authentihash
authentihash
Authenticode executable signature hash
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
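Review bot: in this hunk the `md5`/`sha384` rows and the `sha512/256`/`tlsh` rows show their descriptions crossing over ("[Insecure] MD5 hash (128 bits)" replaced by "Secure Hash Algorithm 2 (384 bits)", "Secure Hash Algorithm 2 (256 bits)" replaced by "Fuzzy hash by Trend Micro"); confirm in the regenerated file table that each algorithm kept its own description, since a wrong bit length on a hash row is exactly the kind of error the generated documentation is meant to prevent.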
@@ -2766,6 +3154,56 @@ file is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
Free text value to attach to the file
++
entropy
float
Entropy of the whole file
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
malware-sample
malware-sample
The file itself (binary)
++
state
text
authentihash
authentihash
Authenticode executable signature hash
++
certificate
x509-fingerprint-sha1
entropy
float
sha512/256
sha512/256
Entropy of the whole file
+Secure Hash Algorithm 2 (256 bits)
++
mimetype
text
Mime type
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
address
+text
Address.
++
city
text
City.
++
zipcode
text
Zip Code.
++
last-seen
datetime
When the location was seen for the last time.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
country
text
Country.
++
text
text
region
text
Region.
--
country
text
Country.
--
longitude
altitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
+
last-seen
-datetime
When the location was seen for the last time.
--
address
region
text
Address.
--
zipcode
text
Zip Code.
--
city
text
City.
--
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
+Region.
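Review bot: the `altitude` description, "The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference", gives no unit and does not say whether it is height above the WGS84 ellipsoid or above mean sea level; the two differ by tens of metres, so state the unit and the reference surface (for example "metres above the WGS84 ellipsoid"). In the file object, `state` (text) and `certificate` (x509-fingerprint-sha1) appear without descriptions in this hunk; confirm they have them after regeneration.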
@@ -2982,30 +3480,10 @@ gtp-attack is a MISP object available in JSON format at
GtpInterface
GtpMessageType
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
--
first-seen
datetime
When the attack has been seen for the first time.
--
GtpServingNetwork
text
GTP Serving Network.
+GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
@@ -3022,6 +3500,46 @@ gtp-attack is a MISP object available in JSON format at
text
text
A description of the GTP attack.
++
ipDest
ip-dst
IP destination address.
++
GtpMsisdn
text
GTP MSISDN.
++
PortSrc
port
Source port.
++
PortDest
text
GtpImei
text
GTP IMEI (International Mobile Equipment Identity).
--
text
text
A description of the GTP attack.
--
GtpImsi
text
GtpMsisdn
GtpInterface
text
GTP MSISDN.
--
ipDest
ip-dst
IP destination address.
--
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
+GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
PortSrc
port
GtpImei
text
Source port.
+GTP IMEI (International Mobile Equipment Identity).
++
first-seen
datetime
When the attack has been seen for the first time.
++
GtpServingNetwork
text
GTP Serving Network.
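Review bot: `PortDest` is typed `text` while `PortSrc` is typed `port`; use `port` for both so destination ports validate and correlate the same way. `GtpImsi`, `GtpImei` and `GtpMsisdn` identify a subscriber or handset, so their descriptions should note that they are personal data, which matters when deciding the distribution level of a gtp-attack object.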
@@ -3150,56 +3648,6 @@ http-request is a MISP object available in JSON format at
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
basicauth-user
text
HTTP Basic Authentication Username
--
proxy-password
text
HTTP Proxy Password
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
url
url
Full HTTP Request URL
--
host
hostname
content-type
other
referer
referer
The MIME type of the body of the request
+This is the address of the previous web page from which a link to the currently requested page was followed
text
text
method
http-method
HTTP Request comment
+HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
referer
referer
proxy-password
text
This is the address of the previous web page from which a link to the currently requested page was followed
+HTTP Proxy Password
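Review bot: the `cookie` attribute of http-request is typed `text` although the dedicated MISP `cookie` type exists and is used by the cookie object in this same patch; using it here lets captured requests correlate with cookie objects. The `method` description lists "GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT" and omits PATCH and TRACE, which are valid methods; either say the list is not exhaustive or complete it. `proxy-password` stores a secret as plain text with no mention of that in its description.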
@@ -3260,10 +3708,10 @@ http-request is a MISP object available in JSON format at
user-agent
user-agent
content-type
other
The user agent string of the user agent
+The MIME type of the body of the request
user-agent
user-agent
The user agent string of the user agent
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
basicauth-user
text
HTTP Basic Authentication Username
++
text
text
HTTP Request comment
++
url
url
Full HTTP Request URL
++
domain
+domain
Domain
++
dst-port
port
Destination port
++
last-seen
datetime
Last time the tuple has been seen
++
text
text
dst-port
port
Destination port
--
first-seen
datetime
last-seen
datetime
Last time the tuple has been seen
--
domain
domain
Domain
--
ip
ip-dst
ip-src
ip-src
last-seen
datetime
Source IP Address
+Last seen of the SSL/TLS handshake
+
ip-dst
+ip-dst
Destination IP address
++
first-seen
datetime
ip-dst
ip-dst
ip-src
ip-src
Destination IP address
+Source IP Address
last-seen
datetime
Last seen of the SSL/TLS handshake
--
text
+registration-number
text
A description of the entity.
+Registration number of an entity in the relevant authority.
+
business
-text
Business area of an entity.
--
name
text
registration-number
text
text
Registration number of an entity in the relevant authority.
+A description of the entity.
+
business
text
Business area of an entity.
++
name
+text
Binary’s name
++
text
text
Free text value to attach to the Mach-O file
++
number-sections
counter
Number of sections
++
type
text
text
text
Free text value to attach to the Mach-O file
--
name
text
Binary’s name
--
number-sections
counter
Number of sections
--
text
-text
sha256
sha256
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
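Review bot: in the ip-port object the `last-seen` description reads "Last seen of the SSL/TLS handshake" while the object is a generic IP/port tuple with `first-seen`, `ip-src` and `ip-dst` rows; this looks copied from a TLS object, so align it with the other tuple objects ("Last time the tuple has been seen"). The sha224 row of macho-section ends this hunk with "Secure Hash Algorithm 2 (256 bits)", the same bit-length check raised for elf-section.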
@@ -3760,56 +4238,6 @@ macho-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
name
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
text
text
Name of the section
+Free text value to attach to the section
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
post
-text
Raw post
--
creation-date
datetime
username-quoted
text
Username who are quoted into the microblog post
--
username
text
Username who posted the microblog post
--
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
modification-date
removal-date
datetime
Last update of the microblog post
+When the microblog post was removed
url
url
post
text
Original URL location of the microblog post
+Raw post
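Review bot: the `username-quoted` description "Username who are quoted into the microblog post" is ungrammatical; "Usernames quoted in the microblog post" reads better and makes clear the attribute can hold more than one. The `removal-date` row introduced here takes "When the microblog post was removed", which is fine, but the `post` attribute's "Raw post" description could say which encoding or markup the raw content is kept in.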
@@ -3968,10 +4426,50 @@ microblog is a MISP object available in JSON format at
removal-date
username
text
Username who posted the microblog post
++
username-quoted
text
Username who are quoted into the microblog post
++
modification-date
datetime
When the microblog post was removed
+Last update of the microblog post
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
url
url
Original URL location of the microblog post
@@ -4016,16 +4514,6 @@ mutex is a MISP object available in JSON format at
description
text
Description
--
operating-system
text
description
text
Description
++
src-port
+port
Source port of the netflow
++
dst-port
port
Destination port of the netflow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
tcp-flags
text
TCP flags of the flow
++
ip-dst
ip-dst
IP address destination of the netflow
++
ip-src
ip-src
IP address source of the netflow
++
ip_version
counter
IP version of this flow
++
flow-count
counter
Flows counted in this flow
++
dst-as
AS
Destination AS number for this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
packet-count
counter
Packets counted in this flow
++
byte-count
counter
flow-count
counter
Flows counted in this flow
--
ip-src
ip-src
IP address source of the netflow
--
first-packet-seen
datetime
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
tcp-flags
text
TCP flags of the flow
--
last-packet-seen
datetime
direction
icmp-type
text
Direction of this flow ['Ingress', 'Egress']
+ICMP type of the flow (if the traffic is ICMP)
packet-count
counter
Packets counted in this flow
--
dst-port
port
Destination port of the netflow
--
ip-dst
ip-dst
IP address destination of the netflow
--
src-port
port
Source port of the netflow
--
ip_version
counter
IP version of this flow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
dst-as
AS
Destination AS number for this flow
--
zone_time_last
+zone_time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
--
rrtype
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
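Review bot: `ip-protocol-number` is typed `size-in-bytes`, which is the wrong type for an IANA protocol number; `counter` (as used by `ip_version`) or `text` fits. `ip_version` uses an underscore while every other netflow attribute uses hyphens (`ip-src`, `dst-port`, `tcp-flags`, `flow-count`); renaming would affect existing objects, so decide deliberately and note the choice in the template. On the passive-dns rows, `zone_time_first` shows the "Last time ..." description in this hunk; confirm the regenerated row reads "First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import".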
@@ -4332,33 +4810,13 @@ passive-dns is a MISP object available in JSON format at
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
rrname
origin
text
Resource Record name of the queried resource.
+Origin of the Passive DNS response
+
origin
-text
time_first
datetime
Origin of the Passive DNS response
+First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
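Review bot: `origin` is described only as "Origin of the Passive DNS response", which does not say what the value holds (the sensor that answered, the resolver, a source URL), and the next hunk separately adds a `sensor_id` attribute, so the two need distinguishing; suggest stating the expected value, e.g. "Name or URL of the passive DNS source that returned this record", and noting how it differs from `sensor_id`.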
@@ -4402,6 +4870,16 @@ passive-dns is a MISP object available in JSON format at
rrname
text
Resource Record name of the queried resource.
++
sensor_id
text
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
rrtype
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
entrypoint-section-at-position
-text
Name of the section and position of the section in the PE
--
file-version
text
FileVersion in the resources
--
number-sections
counter
Number of sections
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
file-description
text
FileDescription in the resources
--
pehash
pehash
original-filename
filename
OriginalFilename in the resources
--
product-version
text
ProductVersion in the resources
--
text
text
Free text value to attach to the PE
--
product-name
text
lang-id
text
Lang ID in the resources
--
imphash
imphash
Hash (md5) calculated from the import table
--
company-name
text
CompanyName in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
entrypoint-address
text
Address of the entry point
--
internal-filename
filename
number-sections
counter
Number of sections
++
entrypoint-address
text
Address of the entry point
++
original-filename
filename
OriginalFilename in the resources
++
text
text
Free text value to attach to the PE
++
impfuzzy
impfuzzy
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
file-description
text
FileDescription in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
lang-id
text
Lang ID in the resources
++
file-version
text
FileVersion in the resources
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
legal-copyright
text
company-name
text
CompanyName in the resources
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
product-version
text
ProductVersion in the resources
++
text
-text
sha256
sha256
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
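Review bot: several pe attributes in this hunk carry a name and type but no description line (`pehash`, `impfuzzy`, `legal-copyright`, `internal-filename`, `product-name`), while every other attribute has one; please add them. `entrypoint-address` is typed `text` with "Address of the entry point", which leaves the expected format open (hex RVA from the optional header, or image-base-adjusted VA); state one so that values from different producers correlate. At the end of the hunk `sha224` is followed on the added line by "Secure Hash Algorithm 2 (256 bits)", so the pe-section sha224/sha256 pairing should be checked.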
@@ -4806,56 +5284,6 @@ pe-section is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
name
text
size-in-bytes
size-in-bytes
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+Size of the section, in bytes
text
text
Free text value to attach to the section
++
entropy
float
Entropy of the whole section
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
characteristic
text
entropy
float
sha512/256
sha512/256
Entropy of the whole section
+Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
passport-number
-passport-number
identity-card-number
identity-card-number
The passport number of a natural person.
+The identity card number of a natural person.
passport-expiration
passport-expiration
The expiration date of a passport.
++
nationality
nationality
The nationality of a natural person.
++
middle-name
middle-name
social-security-number
text
Social security number
--
title
text
Title of the natural person such as Dr. or equivalent.
--
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
--
last-name
last-name
nationality
nationality
alias
text
The nationality of a natural person.
+Alias name or known as.
++
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
++
passport-country
passport-country
The country in which the passport was issued.
identity-card-number
identity-card-number
passport-number
passport-number
The identity card number of a natural person.
+The passport number of a natural person.
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
title
text
Title of the natural person such as Dr. or equivalent.
++
social-security-number
text
Social security number
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
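Review bot: `middle-name` (and `characteristic` in the pe-section part of this hunk) has no description line. The `mothers-name` description "Mother name, father, second name or other names following country’s regulation." is hard to parse; suggest "Mother's name, father's name, second name or other names, following the country's regulations." `social-security-number` is the only identifier here typed as plain `text` while `passport-number`, `identity-card-number`, `nationality` and `redress-number` get dedicated types; if a dedicated type is not available, the description should at least say which country's numbering scheme is expected, since formats differ.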
@@ -5034,6 +5582,16 @@ person is a MISP object available in JSON format at
place-of-birth
place-of-birth
Place of birth of a natural person.
++
text
text
passport-expiration
passport-expiration
The expiration date of a passport.
--
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
place-of-birth
place-of-birth
Place of birth of a natural person.
--
passport-country
passport-country
The country in which the passport was issued.
--
alias
text
Alias name or known as.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
serial-number
-text
Serial Number.
--
imei
text
text
imsi
text
A description of the phone.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
serial-number
text
Serial Number.
++
last-seen
datetime
When the phone has been accessible or seen for the last time.
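Review bot: `imei` is listed with type `text` but no description, right next to an `imsi` description that spells the identifier out in full; add one that makes the distinction explicit (the IMEI identifies the handset, the IMSI the subscription), since the two are routinely confused in reports. "A usually unique International Mobile Subscriber Identity" is odd wording for an identifier defined to be unique per subscriber; suggest dropping "usually".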
@@ -5202,16 +5710,26 @@ phone is a MISP object available in JSON format at
imsi
guti
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
text
text
A description of the phone.
++
first-seen
datetime
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
gummei
text
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
not-referenced-strings
-counter
Amount of not referenced strings
--
callbacks
counter
Amount of callbacks (functions started as thread)
--
gml
attachment
Graph export in G>raph Modelling Language format
--
get-proc-address
counter
Amount of calls to GetProcAddress
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
local-references
counter
Amount of API calls inside a code section
--
callback-largest
counter
Largest callback
--
memory-allocations
counter
Amount of memory allocations
--
total-functions
counter
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
referenced-strings
counter
Amount of referenced strings
--
total-api
counter
Total amount of API calls
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
refsglobalvar
counter
miss-api
create-thread
counter
Amount of API call reference that does not resolve to a function offset
+Amount of calls to CreateThread
callback-average
dangling-strings
counter
Average size of a callback
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
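Review bot: the `gml` description reads "Graph export in G>raph Modelling Language format" (stray `>`), and `gummei` has a type but no description. The `guti` description "a temporary identification to not reveal the phone" would be clearer as "a temporary identifier that avoids exposing the permanent identity of the UE (user equipment), composed of the GUMMEI and the M-TMSI". In the r2graphity attributes, "Amount of ..." is used for counts throughout (`callbacks`, `get-proc-address`, `dangling-strings`); "Number of ..." is the right word for countable items.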
@@ -5490,6 +5838,106 @@ r2graphity is a MISP object available in JSON format at
r2-commit-version
text
Radare2 commit ID used to generate this object
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
total-api
counter
Total amount of API calls
++
not-referenced-strings
counter
Amount of not referenced strings
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
referenced-strings
counter
Amount of referenced strings
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
local-references
counter
Amount of API calls inside a code section
++
callback-average
counter
Average size of a callback
++
callback-largest
counter
Largest callback
++
unknown-references
counter
create-thread
memory-allocations
counter
Amount of calls to CreateThread
+Amount of memory allocations
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
gml
attachment
Graph export in G>raph Modelling Language format
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
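Review bot: `callback-average` is typed `counter` for "Average size of a callback"; an average is not an integer count, and the same hunk uses `float` for `ratio-functions`, `ratio-api` and `ratio-string`, so `float` is the consistent choice. `unknown-references` has a type but no description. The "G>raph Modelling Language" typo from the previous hunk reappears in the `gml` description here.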
@@ -5548,6 +6046,26 @@ regexp is a MISP object available in JSON format at
comment
comment
A description of the regular expression.
++
regexp
text
regexp
++
type
text
regexp
text
regexp
--
comment
comment
A description of the regular expression.
--
data-type
-text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
root-keys
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
--
name
text
Name of the registry key
--
key
regkey
Full key path
--
data
text
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
key
regkey
Full key path
++
name
text
Name of the registry key
++
hive
text
root-keys
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
++
status
+queue
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
classification
text
Classification of the RTIR ticket
--
constituency
text
Constituency of the RTIR ticket
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
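Review bot: in the regexp object the added `type` attribute and the `regexp` attribute are both described only as "regexp", which tells a consumer nothing; a regular expression is only meaningful for a given engine, so `type` should name the flavour (PCRE, RE2, POSIX ERE, ...) and `regexp` should say "The regular expression itself". In registry-key, `hive` is added with no description, and `root-keys` enumerates both abbreviations and long names (`HKCC` and `HKEY_CURRENT_CONFIG`, `HKLM` and `HKEY_LOCAL_MACHINE`), so two objects for the same key can fail to correlate unless one form is made canonical; the description should say which.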
@@ -5832,26 +6310,6 @@ rtir is a MISP object available in JSON format at
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
ticket-number
text
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
++
constituency
text
Constituency of the RTIR ticket
++
classification
text
Classification of the RTIR ticket
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
results
-text
Freetext result values
--
saas-sandbox
text
score
on-premise-sandbox
text
Score
+The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
web-sandbox
results
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
--
permalink
link
Permalink reference
--
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
+Freetext result values
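Review bot: the rtir `ip` attribute is typed `ip-dst` with "IPs automatically extracted from the RTIR ticket", but addresses pulled from a ticket are as often sources (attacker infrastructure) as destinations, and an `ip-dst` type shapes how MISP exports them to IDS and how they correlate; either provide both an `ip-src` and an `ip-dst` attribute, or state in the description that the direction is not known. `ticket-number` and `saas-sandbox` have a type but no description.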
@@ -5970,10 +6438,40 @@ sandbox-report is a MISP object available in JSON format at
on-premise-sandbox
sandbox-type
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
+The type of sandbox used ['on-premise', 'web', 'saas']
++
permalink
link
Permalink reference
++
web-sandbox
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
++
score
text
Score
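Review bot: `score` is typed `text` and described only as "Score"; each product in the `on-premise-sandbox` / `web-sandbox` lists uses its own scale, so a bare value is not comparable across reports. Suggest either `float` with the scale named in the description ("Sandbox-specific score; see `sandbox-type` and the sandbox name for the scale") or an explicit normalised range.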
@@ -6018,16 +6516,6 @@ sb-signature is a MISP object available in JSON format at
text
text
Additional signature description
--
software
text
text
text
Additional signature description
++
signature
text
MapMsisdn
SccpCdPC
text
MAP MSISDN. Phone number.
+Signaling Connection Control Part (SCCP) CdPC - Phone number.
MapGsmscfGT
MapGmlc
text
MAP GSMSCF GT. Phone number.
+MAP GMLC. Phone number.
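Review bot: in sb-signature, `software` is added with type `text` but no description (is it the sandbox product that emitted the signature, or the software matched by it?). `SccpCdPC` is described as "Signaling Connection Control Part (SCCP) CdPC - Phone number.", but a called party point code is a signalling point code (a small integer addressing a node in the SS7 network), not a phone number; the same wording is used for `SccpCgPC` later in this object. The global titles (the `*GT` attributes) are the values that look like phone numbers.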
@@ -6126,6 +6624,16 @@ ss7-attack is a MISP object available in JSON format at
text
text
A description of the attack seen via SS7 logging.
++
MapSmsTypeNumber
text
MapMscGT
MapGsmscfGT
text
MAP MSC GT. Phone number.
--
MapImsi
text
MAP IMSI. Phone number starting with MCC/MNC.
--
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
--
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
--
MapVlrGT
text
MAP VLR GT. Phone number.
--
MapUssdContent
text
MAP USSD Content.
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
MapGmlc
text
MAP GMLC. Phone number.
+MAP GSMSCF GT. Phone number.
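Review bot: `MapImsi` is described as "MAP IMSI. Phone number starting with MCC/MNC.", but an IMSI is not a phone number; it is MCC + MNC + MSIN, and the MSISDN (`MapMsisdn`) is the phone number. Suggest "MAP IMSI (MCC + MNC + MSIN), identifying the subscription". `MapSmsTypeNumber` is added with no description. The `Category` enumeration ('Cat0' ... 'CatSpoofing') does not say which classification scheme the values come from, so consumers cannot map them; name it in the description.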
@@ -6236,36 +6674,26 @@ ss7-attack is a MISP object available in JSON format at
SccpCdSSN
MapOpCode
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
+MAP operation codes - Decimal value between 0-99.
MapSmscGT
SccpCgGT
text
MAP SMSC. Phone number.
+Signaling Connection Control Part (SCCP) CgGT - Phone number.
first-seen
datetime
When the attack has been seen for the first time.
--
MapSmsText
text
text
text
A description of the attack seen via SS7 logging.
--
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
--
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
MapSmsTP-PID
text
MAP SMS TP-PID.
--
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
--
SccpCdGT
text
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
++
first-seen
datetime
When the attack has been seen for the first time.
++
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
++
MapImsi
text
MAP IMSI. Phone number starting with MCC/MNC.
++
MapMsisdn
text
MAP MSISDN. Phone number.
++
MapMscGT
text
MAP MSC GT. Phone number.
++
MapUssdContent
text
MAP USSD Content.
++
MapSmscGT
text
MAP SMSC. Phone number.
++
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapSmsTP-PID
text
MAP SMS TP-PID.
++
MapVlrGT
text
MAP VLR GT. Phone number.
++
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
++
stix2-pattern
-stix2-pattern
comment
comment
STIX 2 pattern
+A description of the stix2-pattern.
comment
comment
stix2-pattern
stix2-pattern
A description of the stix2-pattern.
+STIX 2 pattern
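Review bot: `MapSmsText` and `SccpCdGT` have a type but no description; `MapSmsText` in particular will hold SMS body content, which is personal data, and the description should say so. `MapOpCode` "Decimal value between 0-99" and `SccpCdSSN` "Decimal value between 0-255" both read better as "0 to 99" / "0 to 255".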
@@ -6452,10 +6950,20 @@ tor-node is a MISP object available in JSON format at
flags
address
ip-src
IP address of the Tor node seen.
++
fingerprint
text
list of flag associated with the node.
+router’s fingerprint.
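Review bot: "list of flag associated with the node." should read "List of flags associated with the node.", and "router’s fingerprint." would be more useful as "Relay fingerprint: the 40-character hex SHA-1 of the relay's identity key, as shown in the consensus", which tells a consumer what to match on. The tor-node descriptions start with a lowercase letter while every other object on the page capitalises; worth normalising in the template.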
@@ -6472,36 +6980,16 @@ tor-node is a MISP object available in JSON format at
version
text
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
+Tor node comment.
address
ip-src
IP address of the Tor node seen.
--
published
datetime
nickname
text
router’s nickname.
++
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
description
text
text
flags
text
Tor node comment.
--
nickname
text
router’s nickname.
+list of flag associated with the node.
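Review bot: "When the Tor node designed by the IP address" should be "designated by"; `published` is added with type `datetime` and no description (presumably the descriptor publication time, which should be stated so it is not confused with `first-seen`); and `version` says the value "is None if the relay’s using a new versioning scheme", which leaks a Python sentinel into the documentation; say "empty" or whatever the template actually stores.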
@@ -6562,10 +7060,128 @@ tor-node is a MISP object available in JSON format at
fingerprint
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
An object to describe a financial transaction..
++ + | ++transaction is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
transmode-comment |
text |
- router’s fingerprint. +Comment describing transmode-code, if needed. + |
+
+ + |
+|||||||||
amount |
+text |
+
+ The value of the transaction in local currency. + |
+
+ + |
+|||||||||
date-posting |
+datetime |
+
+ Date of posting, if different from date of transaction. + |
+
+ + |
+|||||||||
location |
+text |
+
+ Location where the transaction took place. + |
+
+ + |
+|||||||||
text |
+text |
+
+ A description of the transaction. + |
+
+ + |
+|||||||||
transmode-code |
+text |
+
+ How the transaction was conducted. + |
+
+ + |
+|||||||||
date |
+datetime |
+
+ Date and time of the transaction. + |
+
+ + |
+|||||||||
transaction-number |
+text |
+
+ A unique number identifying a transaction. |
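Review bot: in the transaction object, "An object to describe a financial transaction.." has a doubled period; `amount` is typed `text` although the page already uses `float` for numeric values (`entropy`, `ratio-api`), and its description "in local currency" relies on a currency that no attribute records; add a `currency` attribute (ISO 4217 code) or state in the description how the currency is conveyed. `transmode-code` is described only as "How the transaction was conducted" with no enumeration, unlike `sandbox-type` or `protocol` elsewhere; if it follows a defined code list, name it.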
@@ -6610,20 +7226,20 @@ url is a MISP object available in JSON format at scheme |
-text |
+host |
+hostname |
- Scheme ['http', 'https', 'ftp', 'gopher', 'sip'] +Full hostname |
- +
|
||||
fragment |
-text |
+domain |
+domain |
- Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource. +Full domain |
@@ -6640,60 +7256,10 @@ url is a MISP object available in JSON format at port |
-port |
-
- Port number - |
-
- - |
-||||
first-seen |
-datetime |
-
- First time this URL has been seen - |
-
- - |
-|||||||||
subdomain |
+text |
text |
- Subdomain - |
-
- - |
-||||||||
domain |
-domain |
-
- Full domain - |
-
- - |
-|||||||||
resource_path |
-text |
-
- Path (between hostname:port and query) - |
-
- - |
-|||||||||
url |
-url |
-
- Full URL +Description of the URL |
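Review bot: `resource_path` uses an underscore while every other url attribute (`first-seen`, `ip-dst`) is hyphenated, the same inconsistency as `ip_version` in the netflow object; templates are easier to consume when naming is uniform. `first-seen` says "First time this URL has been seen" without saying by whom (the reporting sensor, the organisation); the netflow and phone objects have the same gap, so one wording for all of them would help.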
@@ -6720,10 +7286,10 @@ url is a MISP object available in JSON format at text |
+fragment |
text |
- Description of the URL +Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource. |
@@ -6740,13 +7306,13 @@ url is a MISP object available in JSON format at host |
-hostname |
+scheme |
+text |
- Full hostname +Scheme ['http', 'https', 'ftp', 'gopher', 'sip'] |
- +
|
first-seen |
+datetime |
+
+ First time this URL has been seen + |
+
+ + |
+|||||||||
subdomain |
+text |
+
+ Subdomain + |
+
+ + |
+|||||||||
resource_path |
+text |
+
+ Path (between hostname:port and query) + |
+
+ + |
+|||||||||
port |
+port |
+
+ Port number + |
+
+ + |
+|||||||||
url |
+url |
+
+ Full URL + |
+
+ + |
+
description
-text
Description of the victim
--
external
target-external
External target organisations affected by this attack.
--
target-email
The email address(es) of the user targeted.
--
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
node
target-machine
Name(s) of node that was targeted.
--
roles
text
The list of roles targeted within the victim.
--
name
target-org
The name of the department(s) or organisation(s) targeted.
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
ip-address
ip-dst
IP address(es) of the node targeted.
--
sectors
text
ip-address
ip-dst
IP address(es) of the node targeted.
++
description
text
Description of the victim
++
target-email
The email address(es) of the user targeted.
++
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
external
target-external
External target organisations affected by this attack.
++
name
target-org
The name of the department(s) or organisation(s) targeted.
++
roles
text
The list of roles targeted within the victim.
++
node
target-machine
Name(s) of node that was targeted.
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
detection-ratio
-text
Detection Ratio
--
permalink
link
Permalink Reference
--
community-score
text
permalink
link
Permalink Reference
++
first-submission
datetime
detection-ratio
text
Detection Ratio
++
text
+summary
text
Description of the vulnerability
--
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
+Summary of the vulnerability
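Review bot: in the vulnerability object, "not necessarely" should be "not necessarily" and "the CVE id can updated later" should be "can be updated later" (both in the `id` description). In virustotal-report, `detection-ratio` is `text` described only as "Detection Ratio" with no format (detected/total such as "45/67", or a fraction), and `community-score` and `first-submission` have a type but no description. In the victim object, `target-email` appears with a description but no MISP attribute type line, and `sectors` has a type but no description.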
@@ -7064,36 +7670,6 @@ vulnerability is a MISP object available in JSON format at
summary
text
Summary of the vulnerability
--
created
datetime
First time when the vulnerability was discovered
--
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
--
references
link
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
text
text
Description of the vulnerability
++
created
datetime
First time when the vulnerability was discovered
++
published
datetime
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
++
text
-text
Full whois entry
--
creation-date
datetime
registrant-org
whois-registrant-org
Registrant organisation
--
nameserver
hostname
Nameserver
--
domain
domain
registrant-phone
whois-registrant-phone
nameserver
hostname
Registrant phone number
--
expiration-date
datetime
Expiration of the whois entry
+Nameserver
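Review bot: `created` "First time when the vulnerability was discovered" conflates two different dates; in CVE-style feeds the creation date is when the record was created, and the discovery date is usually unknown, so say which it is, particularly since a separate `published` attribute (added here without a description) exists. `references` is typed `link` with no description. In the whois object, `creation-date` has a type but no description; "Creation date of the domain registration" would match the `expiration-date` wording.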
@@ -7242,10 +7818,10 @@ whois is a MISP object available in JSON format at
registrar
whois-registrar
registrant-name
whois-registrant-name
Registrar of the whois entry
+Registrant name
@@ -7262,10 +7838,50 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
expiration-date
datetime
Registrant name
+Expiration of the whois entry
++
text
text
Full whois entry
++
registrar
whois-registrar
Registrar of the whois entry
++
registrant-phone
whois-registrant-phone
Registrant phone number
++
registrant-org
whois-registrant-org
Registrant organisation
@@ -7310,6 +7926,16 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
text
Length of the public key (in bits)
++
x509-fingerprint-md5
x509-fingerprint-md5
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
validity-not-after
datetime
Certificate invalid after that date
--
version
text
Version of the certificate
--
subject
text
Subject of the certificate
--
pubkey-info-modulus
text
Modulus of the public key
--
serial-number
text
Serial number of the certificate
--
validity-not-before
datetime
Certificate invalid before that date
--
pubkey-info-exponent
text
text
text
x509-fingerprint-sha256
x509-fingerprint-sha256
Free text description of hte certificate
+Secure Hash Algorithm 2 (256 bits)
pubkey-info-size
version
text
Length of the public key (in bits)
+Version of the certificate
pubkey-info-algorithm
pubkey-info-modulus
text
Algorithm of the public key
--
issuer
text
Issuer of the certificate
+Modulus of the public key
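Review bot: "Free text description of hte certificate" has a typo ("the"). `pubkey-info-size` is typed `text` for "Length of the public key (in bits)"; `counter` is used for integer values elsewhere on the page and would let consumers filter on key length (e.g. flag RSA keys under 2048 bits). `x509-fingerprint-md5` is added with no description and, unlike the `md5` attribute in pe-section, carries no "[Insecure]" marker; since an MD5 fingerprint is no longer a safe identity for a certificate, the marker belongs there too.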
@@ -7450,6 +7996,46 @@ x509 is a MISP object available in JSON format at
serial-number
text
Serial number of the certificate
++
pubkey-info-algorithm
text
Algorithm of the public key
++
subject
text
Subject of the certificate
++
validity-not-before
datetime
Certificate invalid before that date
++
x509-fingerprint-sha1
x509-fingerprint-sha1
text
text
Free text description of hte certificate
++
validity-not-after
datetime
Certificate invalid after that date
++
issuer
text
Issuer of the certificate
++
yara-hunt
-yara
Wide yara rule generated from -yh.
--
whitelist
comment
comment
Whitelist name used to generate the rules.
+A description of Yara rule generated.
comment
version
comment
A description of Yara rule generated.
+yabin.py and regex.txt version used for the generation of the yara rules.
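Review bot: `x509-fingerprint-sha1` is added with no description (the sha256 fingerprint gets "Secure Hash Algorithm 2 (256 bits)"), and `serial-number` typed `text` does not say whether the value is decimal or colon-separated hex, which matters because both forms are common in tooling output and will not correlate with each other. The "Free text description of hte certificate" typo recurs in this hunk.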
@@ -7538,15 +8144,25 @@ yabin is a MISP object available in JSON format at
version
whitelist
comment
yabin.py and regex.txt version used for the generation of the yara rules.
+Whitelist name used to generate the rules.
yara-hunt
yara
Wide yara rule generated from -yh.
++