diff --git a/objects.html b/objects.html index e8d852f..3136a0b 100755 --- a/objects.html +++ b/objects.html @@ -443,6 +443,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
type
+text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
origin
text
The link where the leak is (or was) accessible at first-seen.
++
duplicate_number
counter
duplicate
text
last-seen
datetime
Duplicate of the existing leaks.
+When the leak has been accessible or seen for the last time.
+
last-seen
+first-seen
datetime
When the leak has been accessible or seen for the last time.
+When the leak has been accessible or seen for the first time.
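Review bot: origin is typed text although its own description ("The link where the leak is (or was) accessible at first-seen.") says it holds a link; type it url so it correlates with URL attributes and url objects elsewhere in MISP. In the same rows, duplicate_number (counter) and duplicate (text) share the single description "Duplicate of the existing leaks."; spell out what each holds (a reference to the earlier leak versus a count of duplicates) so contributors know which one to fill in.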
@@ -617,6 +638,16 @@ ail-leak is a MISP object available in JSON format at
duplicate
text
Duplicate of the existing leaks.
++
raw-data
attachment
origin
text
The link where the leak is (or was) accessible at first-seen.
--
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
subnet-announced
-ip-src
Subnet announced
--
description
text
Description of the autonomous system
--
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
country
text
subnet-announced
ip-src
Subnet announced
++
mp-import
text
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
last-seen
datetime
asn
AS
Autonomous System Number
--
export
description
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
+Description of the autonomous system
asn
AS
Autonomous System Number
++
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
datetime
-datetime
software
text
Datetime
+Name of antivirus software
software
text
datetime
datetime
Name of antivirus software
+Datetime
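Review bot: subnet-announced keeps the ip-src attribute type ("subnet-announced / ip-src / Subnet announced"), which is the wrong type for a BGP prefix: an announced route is not the source of anything, and ip-src values correlate with attack source IPs in every other event, so a single asn object will raise correlations against unrelated ip-src attributes. There is no dedicated prefix type to switch to, so at least state in the description that a CIDR prefix is expected and consider setting the Disable correlation flag on this attribute. Also, mp-import appears with only a type ("mp-import / text") while mp-export has a full RFC 4012 description; give mp-import the mirrored description.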
@@ -935,6 +936,94 @@ av-signature is a MISP object available in JSON format at +
An address used in a cryptocurrency.
++ + | ++coin-address is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +
---|---|---|---|
address |
+btc |
+
+ Address used as a payment destination in a cryptocurrency + |
+
+ + |
+
symbol |
+text |
+
+ The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT'] + |
+
+ + |
+
last-seen |
+datetime |
+
+ Last time this payment destination address has been seen + |
+
+ + |
+
text |
+text |
+
+ Free text value + |
+
+ + |
+
first-seen |
+datetime |
+
+ First time this payment destination address has been seen + |
+
+ + |
+
cookie
cookie-name
text
Full cookie
+Name of the cookie (if splitted)
cookie-name
cookie-value
text
Name of the cookie (if splitted)
+Value of the cookie (if splitted)
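Review bot: the new coin-address object types address as btc ("address / btc / Address used as a payment destination in a cryptocurrency") while its symbol attribute accepts ETH, XRP, XMR, ADA and a dozen other coins, so every non-Bitcoin address is stored and exported as a btc attribute, which misleads anything that filters or validates by attribute type. Either say in the description that btc is used as the generic address type for all listed coins, or pick a type that does not assert a specific chain. The symbol list is also a one-off snapshot ("Symbol should be from https://coinmarketcap.com/all/views/all/") that will go stale, and it contains both BCC and BCH; state which ticker convention is intended.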
@@ -1009,10 +1098,10 @@ cookie is a MISP object available in JSON format at
cookie-value
text
cookie
cookie
Value of the cookie (if splitted)
+Full cookie
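Review bot: "splitted" in the cookie-name and cookie-value descriptions ("Name of the cookie (if splitted)", "Value of the cookie (if splitted)") is not a word; the source JSON should read "if split". While touching these rows, make "Full cookie" say whether the cookie attribute holds the raw Set-Cookie header value or only name=value, since consumers parsing it need to know.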
@@ -1057,10 +1146,10 @@ credential is a MISP object available in JSON format at
notification
username
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
+Username related to the password(s)
@@ -1077,20 +1166,10 @@ credential is a MISP object available in JSON format at
text
notification
text
A description of the credential(s)
--
username
text
Username related to the password(s)
+Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
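Review bot: notification is a single text value with sane defaults ['victim-notified', 'service-notified', 'none'], so a leak where both the victim and the service were notified cannot be recorded; either allow the attribute to repeat within the object or add a combined value, and say so in the description.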
@@ -1107,6 +1186,16 @@ credential is a MISP object available in JSON format at
text
text
A description of the credential(s)
++
origin
text
issued
datetime
Initial date of validity or issued date.
--
version
name
text
Version of the card.
+Name of the card owner.
cc-number
cc-number
comment
comment
credit-card number as encoded on the card.
+A description of the card.
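Review bot: origin is added to credential with a type but no description ("origin / text" followed by nothing) while every other row in the object documents its meaning; add one (for instance the source the credential was recovered from, or state that it is a URL if that is the intent). "Version of the card." on the credit-card version row is equally opaque; say whether it means the card product/format version or something else.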
@@ -1205,10 +1284,30 @@ credit-card is a MISP object available in JSON format at
name
version
text
Name of the card owner.
+Version of the card.
++
issued
datetime
Initial date of validity or issued date.
++
cc-number
cc-number
credit-card number as encoded on the card.
comment
comment
A description of the card.
--
last-seen
-datetime
ip-src
ip-src
End of the attack
--
total-bps
counter
Bits per second
--
text
text
Description of the DDoS
--
dst-port
port
Destination port of the attack
+IP address originating the attack
@@ -1333,30 +1392,10 @@ ddos is a MISP object available in JSON format at
first-seen
datetime
Beginning of the attack
--
ip-src
ip-src
IP address originating the attack
--
protocol
text
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
+Description of the DDoS
@@ -1373,6 +1412,36 @@ ddos is a MISP object available in JSON format at
last-seen
datetime
End of the attack
++
dst-port
port
Destination port of the attack
++
first-seen
datetime
Beginning of the attack
++
src-port
port
total-bps
counter
Bits per second
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
last-seen
-datetime
ip
ip-dst
Last time the tuple has been seen
--
first-seen
datetime
First time the tuple has been seen
+IP Address
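Review bot: src-port appears with a type and no description ("src-port / port" at the end of the ddos rows) whereas dst-port has "Destination port of the attack"; add "Source port of the attack". The protocol sane defaults ['TCP', 'UDP', 'ICMP', 'IP'] also need a word: TCP, UDP and ICMP are themselves IP protocols, so either define 'IP' as "other IP protocol" or replace it with the numeric protocol number.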
@@ -1451,6 +1530,16 @@ domain-ip is a MISP object available in JSON format at
last-seen
datetime
Last time the tuple has been seen
++
text
text
ip
ip-dst
first-seen
datetime
IP Address
+First time the tuple has been seen
@@ -1519,6 +1608,16 @@ elf is a MISP object available in JSON format at
text
text
Free text value to attach to the ELF
++
entrypoint-address
text
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
number-sections
counter
text
text
Free text value to attach to the ELF
--
arch
text
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
entropy
-float
Entropy of the whole section
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
size-in-bytes
-size-in-bytes
type
text
Size of the section, in bytes
+Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
text
text
Free text value to attach to the section
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
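Review bot: the ELF type sane defaults ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE'] list LOPROC and HIPROC, which are the bounds of the processor-specific range of e_type, not types a binary can have; the section type list has the same problem with LOOS/HIOS, LOPROC/HIPROC and LOUSER/HIUSER. Drop them, or say in the description that the bound name is recorded when the real value falls inside that range, so consumers do not treat them as literal types.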
@@ -1707,16 +1766,6 @@ elf-section is a MISP object available in JSON format at
name
text
Name of the section
--
sha512
sha512
sha512/224
sha512/224
name
text
Secure Hash Algorithm 2 (224 bits)
+Name of the section
+
+
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
+
type
+text
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Free text value to attach to the section
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
header
-email-header
mime-boundary
email-mime-boundary
Full headers
+MIME Boundary
subject
email-subject
from
email-src
Subject
--
from-display-name
email-src-display-name
Display name of the sender
+Sender email address
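Review bot: sha256 and sha512/256 both read "Secure Hash Algorithm 2 (256 bits)", and sha512/224 gets "Secure Hash Algorithm 2 (224 bits)", the same text as sha224, so a reader cannot tell which rows are the truncated SHA-512 variants; describe sha512/224 and sha512/256 as "SHA-512 truncated to 224/256 bits (FIPS 180-4)". The same four descriptions recur in the file, macho-section and pe-section tables later in this patch.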
@@ -1835,60 +1914,20 @@ email is a MISP object available in JSON format at
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
return-path
text
Message return path
--
mime-boundary
email-mime-boundary
MIME Boundary
--
attachment
email-attachment
Attachment
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
cc
to
email-dst
Carbon copy
+Destination email address
++
subject
email-subject
Subject
@@ -1905,10 +1944,10 @@ email is a MISP object available in JSON format at
reply-to
email-reply-to
attachment
email-attachment
Email address the reply will be sent to
+Attachment
@@ -1925,6 +1964,36 @@ email is a MISP object available in JSON format at
from-display-name
email-src-display-name
Display name of the sender
++
reply-to
email-reply-to
Email address the reply will be sent to
++
return-path
text
Message return path
++
message-id
email-message-id
to
cc
email-dst
Destination email address
+Carbon copy
from
email-src
x-mailer
email-x-mailer
Sender email address
+X-Mailer generally tells the program that was used to draft and send the original email
++
thread-index
email-thread-index
Identifies a particular conversation thread
++
header
email-header
Full headers
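Review bot: return-path is typed text ("return-path / text / Message return path") while every other address field in the email object uses an email-* type (email-src, email-dst, email-reply-to). Return-Path carries the envelope sender, so email-src would make it correlate with from across events; if a separate type is preferred, at least state in the description that the value is a bare address so it matches the neighbouring rows.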
@@ -1993,18 +2082,8 @@ file is a MISP object available in JSON format at
entropy
float
Entropy of the whole file
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
size-in-bytes
-size-in-bytes
certificate
x509-fingerprint-sha1
Size of the file, in bytes
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
mimetype
text
Mime type
--
text
text
Free text value to attach to the file
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
filename
filename
Filename on disk
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
+Certificate value if the binary is signed with another authentication scheme than authenticode
@@ -2086,7 +2105,17 @@ file is a MISP object available in JSON format at
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted', 'Malicious']
+State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
filename
filename
Filename on disk
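Review bot: the only substantive change to file's state row is the order of the sane defaults, from ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted', 'Malicious'] to ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted'], with no note on why; if the first entry is what the UI preselects, this silently changes the default verdict to Malicious. Separately, the list mixes a signature state (Signed, Revoked, Expired) with an analyst verdict (Harmless, Trusted, Malicious) in one single-valued attribute, so "signed and malicious" cannot be expressed; consider splitting it or allowing the attribute to repeat.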
@@ -2103,20 +2132,30 @@ file is a MISP object available in JSON format at
authentihash
authentihash
entropy
float
Authenticode executable signature hash
+Entropy of the whole file
++
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
sha512/256
sha512/256
sha224
sha224
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -2133,6 +2172,16 @@ file is a MISP object available in JSON format at
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
malware-sample
malware-sample
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
mimetype
text
Mime type
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
text
text
Free text value to attach to the file
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
sha512/224
sha512/224
authentihash
authentihash
Secure Hash Algorithm 2 (224 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
+Authenticode executable signature hash
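Review bot: the certificate row's description ("Certificate value if the binary is signed with another authentication scheme than authenticode") contradicts its type x509-fingerprint-sha1: the attribute stores a SHA-1 fingerprint of the signing certificate, not the certificate itself. Say so, and say what "another authentication scheme" covers (for example a detached or platform-specific code signature), so analysts know when to fill authentihash versus certificate.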
@@ -2231,16 +2320,6 @@ geolocation is a MISP object available in JSON format at
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
text
text
altitude
float
A generic description of the location.
+The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
@@ -2281,30 +2370,20 @@ geolocation is a MISP object available in JSON format at
first-seen
datetime
text
text
When the location was seen for the first time.
+A generic description of the location.
altitude
latitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
first-seen
datetime
When the location was seen for the first time.
++
referer
-referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
text
text
HTTP Request comment
--
content-type
other
The MIME type of the body of the request
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
basicauth-user
text
HTTP Basic Authentication Username
--
proxy-user
text
HTTP Proxy Username
--
host
hostname
url
url
referer
referer
Full HTTP Request URL
+This is the address of the previous web page from which a link to the currently requested page was followed
++
proxy-password
text
HTTP Proxy Password
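Review bot: the method description "HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)" omits PATCH and TRACE, which are standard methods; either drop the enumeration or make it match what the http-method type validates. content-type is typed other while every neighbouring attribute is text; text is the better fit for a MIME type string and keeps the row consistent with the rest of the object.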
@@ -2459,20 +2498,10 @@ http-request is a MISP object available in JSON format at
uri
uri
url
url
Request URI
--
proxy-password
text
HTTP Proxy Password
+Full HTTP Request URL
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
basicauth-user
text
HTTP Basic Authentication Username
++
text
text
HTTP Request comment
++
proxy-user
text
HTTP Proxy Username
++
content-type
other
The MIME type of the body of the request
++
uri
uri
Request URI
++
src-port
-port
last-seen
datetime
Source port
+Last time the tuple has been seen
@@ -2547,6 +2636,16 @@ ip-port is a MISP object available in JSON format at
first-seen
datetime
First time the tuple has been seen
++
dst-port
port
last-seen
datetime
src-port
port
Last time the tuple has been seen
--
first-seen
datetime
First time the tuple has been seen
+Source port
@@ -2635,10 +2724,10 @@ ja3 is a MISP object available in JSON format at
ja3-fingerprint-md5
md5
ip-src
ip-src
Hash identifying source
+Source IP Address
@@ -2665,10 +2754,10 @@ ja3 is a MISP object available in JSON format at
ip-src
ip-src
ja3-fingerprint-md5
md5
Source IP Address
+Hash identifying source
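Review bot: the generator is emitting object attributes in unstable (dictionary) order, which is why this hunk merely swaps the ip-src and ja3-fingerprint-md5 rows and why most of the patch consists of rows moving with no content change (the file, email and netflow tables, among others). Sort attributes by name or by template order before rendering so that regenerated pages diff only where the schema changed and the real edits, such as the new coin-address object and the file state reorder, are visible to reviewers.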
@@ -2743,13 +2832,13 @@ macho is a MISP object available in JSON format at
text
type
text
Free text value to attach to the Mach-O file
+Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+
type
+text
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+Free text value to attach to the Mach-O file
+
entropy
-float
Entropy of the whole section
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
size-in-bytes
-size-in-bytes
Size of the section, in bytes
--
text
text
Free text value to attach to the section
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
@@ -2901,16 +2960,6 @@ macho-section is a MISP object available in JSON format at
name
text
Name of the section
--
sha512
sha512
sha512/224
sha512/224
name
text
Secure Hash Algorithm 2 (224 bits)
+Name of the section
+
text
text
Free text value to attach to the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
creation-date
-datetime
Initial creation of the microblog post
--
username-quoted
text
link
url
url
Link into the microblog post
+Original URL location of the microblog post
++
creation-date
datetime
Initial creation of the microblog post
@@ -3019,10 +3108,10 @@ microblog is a MISP object available in JSON format at
removal-date
datetime
post
text
When the microblog post was removed
+Raw post
@@ -3039,16 +3128,6 @@ microblog is a MISP object available in JSON format at
post
text
Raw post
--
type
text
url
link
url
Original URL location of the microblog post
+Link into the microblog post
++
removal-date
datetime
When the microblog post was removed
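Review bot: link ("Link into the microblog post", type url) and url ("Original URL location of the microblog post", type url) read as the same thing. If link is meant for URLs embedded in the post body and url for where the post itself lives, the descriptions should say exactly that; otherwise contributors will fill them interchangeably and correlation between posts and the links they carry becomes unreliable.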
@@ -3107,36 +3196,16 @@ netflow is a MISP object available in JSON format at
first-packet-seen
datetime
byte-count
counter
First packet seen in this flow
--
tcp-flags
text
TCP flags of the flow
+Bytes counted in this flow
src-port
port
Source port of the netflow
--
icmp-type
text
last-packet-seen
datetime
Last packet seen in this flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
ip-dst
ip-dst
IP address destination of the netflow
--
flow-count
counter
Flows counted in this flow
--
packet-count
counter
Packets counted in this flow
--
src-as
AS
ip-protocol-number
size-in-bytes
ip-src
ip-src
IP protocol number of this flow
+IP address source of the netflow
++
packet-count
counter
Packets counted in this flow
dst-as
AS
src-port
port
Destination AS number for this flow
+Source port of the netflow
++
ip-dst
ip-dst
IP address destination of the netflow
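Review bot: ip-protocol-number keeps the size-in-bytes attribute type ("ip-protocol-number / size-in-bytes / IP protocol number of this flow"), which is a type error: an IP protocol number is an 8-bit identifier (6 for TCP, 17 for UDP), not a byte count, and the misleading type will surface in exports and validators. Use counter or text, and mention the 0-255 range in the description.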
@@ -3237,6 +3276,26 @@ netflow is a MISP object available in JSON format at
last-packet-seen
datetime
Last packet seen in this flow
++
first-packet-seen
datetime
First packet seen in this flow
++
protocol
text
ip-src
ip-src
IP address source of the netflow
--
byte-count
flow-count
counter
Bytes counted in this flow
+Flows counted in this flow
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
direction
text
Direction of this flow ['Ingress', 'Egress']
++
tcp-flags
text
TCP flags of the flow
++
dst-as
AS
Destination AS number for this flow
++
count
-counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
--
rrtype
bailiwick
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
text
text
-
-
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
sensor_id
text
Sensor information where the record was seen
+Best estimate of the apex of the zone where this data is authoritative
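Review bot: the passive-dns text row has an empty description (the two placeholder dashes under "text / text"); fill it in, for example "Free text value to attach to the record", as the other objects do. In the netflow rows of this hunk, flow-count is described as "Flows counted in this flow", which is circular; say that it is the number of flows aggregated into this record.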
@@ -3395,20 +3434,50 @@ passive-dns is a MISP object available in JSON format at
bailiwick
origin
text
Best estimate of the apex of the zone where this data is authoritative
+Origin of the Passive DNS response
origin
rdata
text
Origin of the Passive DNS response
+Resource records of the queried resource
++
text
text
+
+
sensor_id
text
Sensor information where the record was seen
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
@@ -3425,10 +3494,30 @@ passive-dns is a MISP object available in JSON format at
rdata
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
rrtype
text
Resource records of the queried resource
+Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
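Review bot: the rrtype sane defaults ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6'] leave out MX, which any passive DNS feed returns constantly, while including A6, which has been moved to historic status; add MX (and consider CAA and DNSKEY), or state that the list is only a suggestion and other record types are accepted.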
@@ -3473,10 +3562,20 @@ paste is a MISP object available in JSON format at
paste
title
text
Raw text of the paste or post
+Title of the paste or post.
++
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
@@ -3503,26 +3602,6 @@ paste is a MISP object available in JSON format at
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
title
text
Title of the paste or post.
--
url
url
paste
text
Raw text of the paste or post
++
legal-copyright
-text
LegalCopyright in the resources
--
entrypoint-address
text
Address of the entry point
--
file-version
text
FileVersion in the resources
--
number-sections
counter
Number of sections
--
text
text
Free text value to attach to the PE
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
lang-id
text
Lang ID in the resources
--
product-name
text
company-name
text
CompanyName in the resources
--
imphash
imphash
Hash (md5) calculated from the import table
--
original-filename
filename
OriginalFilename in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
entrypoint-section-at-position
text
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
product-version
text
file-description
text
FileDescription in the resources
++
internal-filename
filename
file-description
entrypoint-address
text
FileDescription in the resources
+Address of the entry point
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
imphash
imphash
Hash (md5) calculated from the import table
++
file-version
text
FileVersion in the resources
++
legal-copyright
text
LegalCopyright in the resources
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
text
text
Free text value to attach to the PE
++
original-filename
filename
OriginalFilename in the resources
++
lang-id
text
Lang ID in the resources
++
number-sections
counter
Number of sections
++
company-name
text
CompanyName in the resources
++
entropy
-float
Entropy of the whole section
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
size-in-bytes
-size-in-bytes
Size of the section, in bytes
--
text
text
Free text value to attach to the section
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
sha512/256
sha512/256
entropy
float
Secure Hash Algorithm 2 (256 bits)
+Entropy of the whole section
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
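Review bot: pe-section's characteristic is a single text value with defaults ['read', 'write', 'executable'], but PE section characteristics are flags and almost every section carries more than one (a .text section is read plus execute), so one value per object instance cannot describe it. Allow the attribute to repeat, or document that one object records one characteristic and the rest are dropped. Also, entrypoint-section-at-position ("entrypoint-section-at-position / text") in the pe rows has no description at all.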
@@ -3879,16 +3948,6 @@ pe-section is a MISP object available in JSON format at
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
--
sha512
sha512
sha512/224
sha512/224
name
text
Secure Hash Algorithm 2 (224 bits)
+Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+
characteristic
+text
text
Characteristic of the section ['read', 'write', 'executable']
+Free text value to attach to the section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
@@ -3967,26 +4056,16 @@ person is a MISP object available in JSON format at
middle-name
middle-name
date-of-birth
date-of-birth
Middle name of a natural person
+Date of birth of a natural person (in YYYY-MM-DD format).
text
text
A description of the person or identity.
--
passport-number
passport-number
place-of-birth
place-of-birth
Place of birth of a natural person.
--
last-name
last-name
Last name of a natural person.
--
first-name
first-name
First name of a natural person.
--
redress-number
redress-number
passport-country
passport-country
place-of-birth
place-of-birth
The country in which the passport was issued.
+Place of birth of a natural person.
@@ -4057,10 +4106,10 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
middle-name
middle-name
Date of birth of a natural person (in YYYY-MM-DD format).
+Middle name of a natural person
@@ -4077,6 +4126,36 @@ person is a MISP object available in JSON format at
text
text
A description of the person or identity.
++
first-name
first-name
First name of a natural person.
++
last-name
last-name
Last name of a natural person.
++
gender
gender
passport-country
passport-country
The country in which the passport was issued.
++
guti
-text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
text
text
A description of the phone.
--
gummei
text
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
--
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
last-seen
datetime
imsi
text
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+A description of the phone.
+
imsi
+text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
serial-number
text
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
++
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
msisdn
text
callback-largest
dangling-strings
counter
Largest callback
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
not-referenced-strings
counter
Amount of not referenced strings
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
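Review bot: the tmsi description "Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated." is not a sentence; rewrite it as "Temporary Mobile Subscriber Identity (TMSI) allocated to a visiting mobile subscriber by the serving network." Likewise, guti's "temporary identification to not reveal the phone" reads better as "temporary identity assigned so that the UE's IMSI is not exposed over the air, composed of the GUMMEI and the M-TMSI".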
@@ -4303,36 +4372,6 @@ r2graphity is a MISP object available in JSON format at
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
refsglobalvar
counter
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
local-references
get-proc-address
counter
Amount of API calls inside a code section
--
total-api
counter
Total amount of API calls
--
memory-allocations
counter
Amount of memory allocations
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
create-thread
counter
Amount of calls to CreateThread
--
callback-average
counter
Average size of a callback
+Amount of calls to GetProcAddress
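Review bot: "probalby" in the unknown-references description ("Amount of API calls not ending in a function (Radare2 bug, probalby)") is a typo, and a speculative bug attribution does not belong in a schema description; describe what is counted (API call references that do not resolve to a function) and leave the explanation to the r2graphity documentation.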
@@ -4443,10 +4422,40 @@ r2graphity is a MISP object available in JSON format at
gml
attachment
create-thread
counter
Graph export in G>raph Modelling Language format
+Amount of calls to CreateThread
++
local-references
counter
Amount of API calls inside a code section
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
not-referenced-strings
counter
Amount of not referenced strings
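Review bot: the gml description reads "Graph export in G>raph Modelling Language format"; the stray ">" comes from the source JSON and recurs in the moved copy of the row later in this patch, so fix it at the source rather than in the rendered HTML.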
@@ -4463,10 +4472,20 @@ r2graphity is a MISP object available in JSON format at
get-proc-address
total-api
counter
Amount of calls to GetProcAddress
+Total amount of API calls
++
callback-largest
counter
Largest callback
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
r2-commit-version
text
Radare2 commit ID used to generate this object
++
memory-allocations
counter
Amount of memory allocations
++
gml
attachment
Graph export in G>raph Modelling Language format
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
callback-average
counter
Average size of a callback
++
regexp
-text
regexp
--
regexp-type
text
regexp
text
regexp
++
hive
-reg-hive
last-modified
datetime
Hive used to store the registry key (file on disk)
+Last time the registry key has been modified
last-modified
datetime
name
reg-name
Last time the registry key has been modified
+Name of the registry key
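Review bot: the regexp object rows are placeholders: regexp's description is just "regexp" and regexp-type has none. Say what the regular expression is meant to match and which dialect regexp-type records (PCRE, RE2, POSIX ERE, ...), since a consumer cannot safely compile an expression without knowing the dialect.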
@@ -4629,20 +4718,20 @@ registry-key is a MISP object available in JSON format at
data
reg-data
hive
reg-hive
Data stored in the registry key
+Hive used to store the registry key (file on disk)
name
reg-name
data
reg-data
Name of the registry key
+Data stored in the registry key
@@ -4687,20 +4776,20 @@ report is a MISP object available in JSON format at
summary
case-number
text
Free text summary of the report
+Case number
case-number
summary
text
Case number
+Free text summary of the report
@@ -4755,6 +4844,36 @@ rtir is a MISP object available in JSON format at
constituency
text
Constituency of the RTIR ticket
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
classification
text
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
constituency
text
Constituency of the RTIR ticket
--
status
text
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
version
+version_line
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
+versioning information reported by the node.
nickname
text
router’s nickname.
--
text
text
Tor node comment.
--
description
text
Tor node description.
--
fingerprint
text
document
version
text
Raw document from the consensus.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
+
flags
+nickname
text
list of flag associated with the node.
+router’s nickname.
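Review bot: rtir's ip attribute is typed ip-dst ("ip / ip-dst / IPs automatically extracted from the RTIR ticket"), yet addresses scraped from a ticket have no inherent direction, so a phishing source or a C2 address ends up labelled as a destination. Since only ip-src and ip-dst are available here, pick one deliberately and say in the description that no direction is implied. In the tor-node rows of the same hunk, "this is None if the relay's using a new versioning scheme" leaks a Python value into user documentation; write "empty if ..." instead.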
@@ -4953,6 +5012,16 @@ tor-node is a MISP object available in JSON format at
text
text
Tor node comment.
++
first-seen
datetime
version_line
description
text
versioning information reported by the node.
+Tor node description.
++
document
text
Raw document from the consensus.
++
flags
text
list of flag associated with the node.
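Review bot: the flags description carried over here still reads "list of flag associated with the node"; it should be "list of flags associated with the node". Also, the "first-seen" / "datetime" row in this hunk is the only one without a description cell; add one (for example "First time the node was observed in a consensus") so the table stays consistent.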
@@ -5021,10 +5110,20 @@ url is a MISP object available in JSON format at
text
subdomain
text
Description of the URL
+Subdomain
++
domain
domain
Full domain
@@ -5041,56 +5140,6 @@ url is a MISP object available in JSON format at
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
credential
text
Credential (username, password)
--
host
hostname
Full hostname
--
domain
domain
Full domain
--
url
url
Full URL
--
resource_path
text
last-seen
datetime
fragment
text
Last time this URL has been seen
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
port
port
Port number
++
domain_without_tld
text
Domain without Top-Level Domain
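Review bot: the credential row moved in this hunk keeps the description "Credential (username, password)", which does not say where the value comes from; clarify that it is the userinfo component embedded in the URL itself (user:password@host), since a reader could otherwise take it for credentials obtained from the page, and sharing objects that carry such a value deserves a note in the description as well.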
@@ -5121,13 +5190,33 @@ url is a MISP object available in JSON format at
port
port
url
url
Port number
+Full URL
+
+
last-seen
datetime
Last time this URL has been seen
++
text
text
Description of the URL
+
domain_without_tld
-text
host
hostname
Domain without Top-Level Domain
+Full hostname
subdomain
credential
text
Subdomain
+Credential (username, password)
+
name
+target-org
The name of the department(s) or organisation(s) targeted.
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
target-email
The email address(es) of the user targeted.
++
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
description
text
-
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
-+
regions
text
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
external
target-external
External target organisations affected by this attack.
++
node
target-machine
Name(s) of node that was targeted.
++
user
target-user
The username(s) of the user targeted.
++
first-submission
-datetime
First Submission
--
detection-ratio
text
last-submission
first-submission
datetime
Last Submission
+First Submission
last-submission
datetime
Last Submission
++
published
-datetime
references
link
Initial publication date
--
summary
text
Summary of the vulnerability
--
text
text
Description of the vulnerability
--
modified
datetime
Last modification date
+External references
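Review bot: the two copies of the victim sectors list in this hunk differ only in that one contains "\xad" soft-hyphen characters inside values such as 'financial\xadservices' and 'government\xadnational' while the other uses plain spaces; make sure the version with plain spaces is the one that lands, because soft hyphens inside enumerated values would silently break matching against the allowed list. While here, "The list of sectors that the victim belong to" should read "belongs to".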
@@ -5435,20 +5544,50 @@ vulnerability is a MISP object available in JSON format at
id
vulnerability
text
text
Vulnerability ID (generally CVE, but not necessarely)
+Description of the vulnerability
references
link
summary
text
External references
+Summary of the vulnerability
++
modified
datetime
Last modification date
++
published
datetime
Initial publication date
++
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
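Review bot: the vulnerability id description re-added in this hunk, "Vulnerability ID (generally CVE, but not necessarely)", carries the typo "necessarely"; fix it to "necessarily" while the line is being touched.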
@@ -5503,16 +5642,6 @@ whois is a MISP object available in JSON format at
domain
domain
Domain of the whois entry
--
registrant-phone
whois-registrant-phone
modification-date
datetime
registrar
whois-registrar
Last update of the whois entry
--
text
text
Full whois entry
--
expiration-date
datetime
Expiration of the whois entry
--
registrant-name
whois-registrant-name
Registrant name
+Registrar of the whois entry
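Review bot: the "registrant-phone" / "whois-registrant-phone" row in this hunk is the only one without a description cell, unlike registrant-name ("Registrant name") and the other rows; add one, for example "Registrant phone number", so the table stays complete.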
@@ -5573,10 +5672,50 @@ whois is a MISP object available in JSON format at
registrar
whois-registrar
registrant-name
whois-registrant-name
Registrar of the whois entry
+Registrant name
++
text
text
Full whois entry
++
modification-date
datetime
Last update of the whois entry
++
expiration-date
datetime
Expiration of the whois entry
++
domain
domain
Domain of the whois entry
@@ -5621,66 +5760,6 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
pubkey-info-size
text
Length of the public key (in bits)
--
subject
text
Subject of the certificate
--
text
text
Free text description of hte certificate
--
validity-not-before
datetime
Certificate invalid before that date
--
issuer
text
Issuer of the certificate
--
raw-base64
text
pubkey-info-modulus
pubkey-info-exponent
text
Modulus of the public key
+Exponent of the public key
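Review bot: pubkey-info-size is typed text in the lines "pubkey-info-size" / "text" / "Length of the public key (in bits)", although the description is a number and other numeric fields in this diff use counter (for example "callback-average" / "counter"); a numeric type would let key-size checks (e.g. flagging keys shorter than a policy minimum) compare values instead of strings.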
@@ -5731,10 +5810,40 @@ x509 is a MISP object available in JSON format at
pubkey-info-algorithm
subject
text
Algorithm of the public key
+Subject of the certificate
++
issuer
text
Issuer of the certificate
++
serial-number
text
Serial number of the certificate
++
pubkey-info-modulus
text
Modulus of the public key
@@ -5751,20 +5860,50 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
validity-not-before
datetime
Exponent of the public key
+Certificate invalid before that date
serial-number
text
text
Serial number of the certificate
+Free text description of hte certificate
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
pubkey-info-size
text
Length of the public key (in bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
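Review bot: the x509 text description re-added in this hunk, "Free text description of hte certificate", carries the typo "hte"; fix it to "the" while the line is being moved.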
@@ -5819,13 +5958,13 @@ yabin is a MISP object available in JSON format at
whitelist
comment
yara
yara
Whitelist name used to generate the rules.
+Yara rule generated from -y.
+
yara
-yara
whitelist
comment
Yara rule generated from -y.
+Whitelist name used to generate the rules.
+
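Review bot: the yabin description "Yara rule generated from -y." references a command-line flag without naming the tool that takes it; spell out which tool's -y option is meant (and what it generates the rule from) so the description is usable without the tool's help text.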