diff --git a/objects.html b/objects.html index 814beb2..e58dc10 100755 --- a/objects.html +++ b/objects.html @@ -491,6 +491,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
type
+sensor
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
--
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
origin
text
The link where the leak is (or was) accessible at first-seen.
--
duplicate
text
Duplicate of the existing leaks.
+The AIL sensor uuid where the leak was processed and analysed.
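Review bot: the file header records objects.html at mode 100755; a generated HTML page has no reason to carry the executable bit, so unless the docs build depends on it the mode should be 100644 (chmod -x objects.html before committing). The row move in this hunk itself is fine, but see the comment on the elf-section hunk about the amount of pure reordering in this patch.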
@@ -639,13 +600,13 @@ ail-leak is a MISP object available in JSON format at
last-seen
datetime
origin
text
When the leak has been accessible or seen for the last time.
+The link where the leak is (or was) accessible at first-seen.
+
type
+text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
duplicate_number
counter
sensor
duplicate
text
The AIL sensor uuid where the leak was processed and analysed.
+Duplicate of the existing leaks.
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
type
-text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
--
format
text
text
text
creation-date
datetime
Raw text of the annotation
+Initial creation of the annotation
@@ -815,10 +806,10 @@ annotation is a MISP object available in JSON format at
creation-date
datetime
text
text
Initial creation of the annotation
+Raw text of the annotation
type
text
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
++
description
+mp-export
text
Description of the autonomous system
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
first-seen
datetime
First time the ASN was seen
--
country
text
Country code of the main location of the autonomous system
--
last-seen
datetime
Last time the ASN was seen
--
asn
AS
mp-export
mp-import
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
description
text
Description of the autonomous system
++
first-seen
datetime
First time the ASN was seen
++
subnet-announced
ip-src
mp-import
import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
country
text
Country code of the main location of the autonomous system
++
last-seen
datetime
Last time the ASN was seen
++
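Review bot: the mp-export description carried over on the + side still reads "performs the same function as the export attribute above", a positional reference that is no longer reliable once rows are reordered as this patch does, and both it and the mp-import row end with a dangling "section 4.5. format" where the import row reads "... (RPSL) format". Suggest dropping "above" and fixing the period, e.g. "Same function as the export attribute, but mp-export allows both IPv4 and IPv6 address families. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5 format", and likewise "... section 4.5 format" for mp-import.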
signature
+text
Name of detection signature
++
datetime
datetime
signature
text
Name of detection signature
--
report-code
-text
non-banking-institution
boolean
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
--
balance
text
The balance of the account after the suspicious transaction was processed.
--
account
bank-account-nr
Account number
--
currency-code
text
Currency of the account. ['USD', 'EUR']
--
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
iban
iban
IBAN of the bank account.
--
comments
text
Comments about the bank account.
+A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
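Review bot: grammar in the added non-banking-institution description: "if this account belong" should be "belongs", and the sentence states the non-banking organisation twice; "True when the account belongs to a non-banking organisation." says the same in one clause. In the same hunk the report-code enumeration mixes short codes with a long explanatory AIF entry ("AIF Additional Information File – Can be used for example ..."), which makes exact-value matching fragile; keeping the list entries to the code and label and moving the explanation into the description would be cleaner.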
@@ -1169,30 +1110,10 @@ bank-account is a MISP object available in JSON format at
beneficiary-comment
balance
text
Comment about the final beneficiary.
--
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
--
closed
datetime
When the account was closed.
+The balance of the account after the suspicious transaction was processed.
@@ -1209,36 +1130,26 @@ bank-account is a MISP object available in JSON format at
institution-name
text
Name of the bank or financial organisation.
--
non-banking-institution
boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
--
opened
date-balance
datetime
When the account was opened.
+When the balance was reported.
iban
iban
IBAN of the bank account.
++
swift
bic
client-number
institution-name
text
Client number as seen by the bank.
+Name of the bank or financial organisation.
++
account-name
text
A field to freely describe the bank account details.
date-balance
opened
datetime
When the balance was reported.
+When the account was opened.
closed
datetime
When the account was closed.
++
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
++
beneficiary
text
Final beneficiary of the bank account.
++
account
bank-account-nr
Account number
++
aba-rtn
aba-rtn
beneficiary
beneficiary-comment
text
Final beneficiary of the bank account.
+Comment about the final beneficiary.
account-name
client-number
text
A field to freely describe the bank account details.
+Client number as seen by the bank.
comments
text
Comments about the bank account.
++
currency-code
text
Currency of the account. ['USD', 'EUR']
++
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
++
report-code
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
++
note
-text
The text describing the purpose or significance of the alert message.
--
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
--
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
--
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
--
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
--
sent
datetime
The time and date of the origination of the alert message.
--
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
--
code
text
The code denoting the special handling of the alert message.
--
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
--
identifier
text
note
text
The text describing the purpose or significance of the alert message.
++
references
text
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
++
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
++
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
++
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
++
restriction
text
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
++
code
text
The code denoting the special handling of the alert message.
++
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
++
sent
datetime
The time and date of the origination of the alert message.
++
addresses
text
effective
datetime
instruction
text
The effective time of the information of the alert message.
+The text describing the recommended action to be taken by recipients of the alert message.
@@ -1535,100 +1536,10 @@ cap-info is a MISP object available in JSON format at
expires
datetime
The expiry time of the information of the alert message.
--
certainty
urgency
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
--
language
text
The code denoting the language of the info sub-element of the alert message.
--
instruction
text
The text describing the recommended action to be taken by recipients of the alert message.
--
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
--
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
--
headline
text
The text headline of the alert message.
--
senderName
text
The text naming the originator of the alert message.
--
parameter
text
A system-specific additional parameter associated with the alert message.
--
description
text
The text describing the subject event of the alert message.
+The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
@@ -1645,6 +1556,16 @@ cap-info is a MISP object available in JSON format at
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
++
contact
text
headline
text
The text headline of the alert message.
++
parameter
text
A system-specific additional parameter associated with the alert message.
++
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
++
web
link
The identifier of the hyperlink associating additional information with the alert message.
++
senderName
text
The text naming the originator of the alert message.
++
eventCode
text
urgency
text
expires
datetime
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
+The expiry time of the information of the alert message.
web
link
responseType
text
The identifier of the hyperlink associating additional information with the alert message.
+The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
effective
datetime
The effective time of the information of the alert message.
++
language
text
The code denoting the language of the info sub-element of the alert message.
++
description
text
The text describing the subject event of the alert message.
++
uri
-link
size
text
The identifier of the hyperlink for the resource file.
+The integer indicating the size of the resource file.
+
derefUri
+attachment
The base-64 encoded data content of the resource file.
++
mimeType
mime-type
size
text
uri
link
The integer indicating the size of the resource file.
+The identifier of the hyperlink for the resource file.
-
derefUri
attachment
The base-64 encoded data content of the resource file.
-+
first-seen
-datetime
First time this payment destination address has been seen
--
symbol
text
first-seen
datetime
First time this payment destination address has been seen
++
last-seen
datetime
cookie-name
text
Name of the cookie (if splitted)
++
type
text
cookie-name
text
Name of the cookie (if splitted)
--
type
+efficacy
text
The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other']
--
impact
text
The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
--
description
text
A description of the course of action.
--
name
text
The name used to identify the course of action.
+The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
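Review bot: "Name of the cookie (if splitted)" on the cookie rows should read "if split" (the past participle of split is split), or better "if the cookie was split into parts". For the added efficacy row, the description is a near copy of the impact row with one word changed; a sentence on how efficacy differs from impact (effect on the threat versus cost or side effects of applying the action) would help readers pick the right attribute.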
@@ -2077,6 +2048,36 @@ course-of-action is a MISP object available in JSON format at
type
text
The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other']
++
impact
text
The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
++
name
text
The name used to identify the course of action.
++
stage
text
efficacy
description
text
The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
+A description of the course of action.
@@ -2145,6 +2146,46 @@ cowrie is a MISP object available in JSON format at
sensor
text
Cowrie sensor name
++
username
text
Username related to the password(s)
++
isError
text
isError
++
dst_ip
ip-dst
Destination IP address of the session
++
macCS
text
timestamp
datetime
When the event happened
--
src_ip
ip-src
Source IP address of the session
--
compCS
text
session
text
Session id
--
dst_ip
ip-dst
Destination IP address of the session
--
src_port
port
Source port of the session
--
input
text
Input of the session
--
keyAlgs
text
protocol
text
Protocol used in the cowrie honeypot
--
sensor
text
Cowrie sensor name
--
system
text
System origin in cowrie honeypot
--
dst_port
port
Destination port of the session
--
username
text
Username related to the password(s)
--
eventid
text
Eventid of the session in the cowrie honeypot
--
encCS
text
isError
session
text
isError
+Session id
++
protocol
text
Protocol used in the cowrie honeypot
++
timestamp
datetime
When the event happened
++
input
text
Input of the session
++
src_ip
ip-src
Source IP address of the session
++
system
text
System origin in cowrie honeypot
++
src_port
port
Source port of the session
++
eventid
text
Eventid of the session in the cowrie honeypot
++
dst_port
port
Destination port of the session
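Review bot: the isError row reads "isError / text / isError", so its description just repeats the attribute name; it should say which condition the field flags and what values to expect (for example 0/1 or true/false), especially since the type is text rather than boolean. Every other row in this cowrie hunk has a real description, so this one stands out.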
@@ -2363,40 +2364,10 @@ credential is a MISP object available in JSON format at
type
password
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
--
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
text
text
A description of the credential(s)
--
username
text
Username related to the password(s)
+Password
@@ -2413,10 +2384,10 @@ credential is a MISP object available in JSON format at
password
username
text
Password
+Username related to the password(s)
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
text
text
A description of the credential(s)
++
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
issued
-datetime
Initial date of validity or issued date.
--
name
card-security-code
text
Name of the card owner.
+Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
@@ -2501,10 +2492,10 @@ credit-card is a MISP object available in JSON format at
comment
comment
expiration
datetime
A description of the card.
+Maximum date of validity
@@ -2521,20 +2512,30 @@ credit-card is a MISP object available in JSON format at
expiration
datetime
name
text
Maximum date of validity
+Name of the card owner.
card-security-code
text
issued
datetime
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
+Initial date of validity or issued date.
++
comment
comment
A description of the card.
@@ -2589,26 +2590,6 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
Destination IP (victim)
--
text
text
Description of the DDoS
--
dst-port
port
domain-dst
domain
protocol
text
Destination domain (victim)
+Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
@@ -2639,16 +2620,6 @@ ddos is a MISP object available in JSON format at
last-seen
datetime
End of the attack
--
total-bps
counter
ip-src
ip-src
text
text
IP address originating the attack
+Description of the DDoS
++
domain-dst
domain
Destination domain (victim)
protocol
text
last-seen
datetime
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
+End of the attack
++
ip-dst
ip-dst
Destination IP (victim)
++
ip-src
ip-src
IP address originating the attack
@@ -2727,16 +2728,36 @@ diameter-attack is a MISP object available in JSON format at
Destination-Realm
ApplicationId
text
Destination-Realm.
+Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
SessionId
text
Session-ID.
++
CmdCode
text
A decimal representation of the diameter Command Code.
++
text
text
Username
Origin-Host
text
Username (in this case, usually the IMSI).
--
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
Destination-Host
text
Destination-Host.
+Origin-Host.
@@ -2787,10 +2788,40 @@ diameter-attack is a MISP object available in JSON format at
SessionId
first-seen
datetime
When the attack has been seen for the first time.
++
Destination-Host
text
Session-ID.
+Destination-Host.
++
Origin-Realm
text
Origin-Realm.
++
Username
text
Username (in this case, usually the IMSI).
@@ -2807,40 +2838,10 @@ diameter-attack is a MISP object available in JSON format at
first-seen
datetime
When the attack has been seen for the first time.
--
CmdCode
Destination-Realm
text
A decimal representation of the diameter Command Code.
--
Origin-Realm
text
Origin-Realm.
--
Origin-Host
text
Origin-Host.
+Destination-Realm.
@@ -2895,10 +2896,20 @@ domain-ip is a MISP object available in JSON format at
last-seen
ip
ip-dst
IP Address
++
first-seen
datetime
Last time the tuple has been seen
+First time the tuple has been seen
@@ -2915,20 +2926,10 @@ domain-ip is a MISP object available in JSON format at
ip
ip-dst
IP Address
--
first-seen
last-seen
datetime
First time the tuple has been seen
+Last time the tuple has been seen
@@ -2973,6 +2974,16 @@ elf is a MISP object available in JSON format at
number-sections
counter
Number of sections
++
type
text
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
entrypoint-address
text
number-sections
counter
arch
text
Number of sections
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
arch
os_abi
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
@@ -3071,13 +3072,13 @@ elf-section is a MISP object available in JSON format at
type
text
sha512/256
sha512/256
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Secure Hash Algorithm 2 (256 bits)
+
text
-text
sha512/224
sha512/224
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -3121,10 +3112,60 @@ elf-section is a MISP object available in JSON format at
entropy
float
flag
text
Entropy of the whole section
+Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
name
text
Name of the section
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
@@ -3141,70 +3182,20 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
sha512
sha512
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (512 bits)
name
text
entropy
float
Name of the section
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
+Entropy of the whole section
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
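Review bot: this hunk and the elf-section and file hunks around it remove and re-add the same rows (sha512/256, sha512, name, entropy, sha224, ssdeep, sha512/224, sha256, flag) with identical descriptions, i.e. pure reordering. objects.html appears to be generated from the JSON definitions (each section says the object is "available in JSON format at"), so a diff this size with no content change suggests attribute order comes from an unordered mapping in the generator; sorting attributes by name, or preserving the order in the JSON template, before rendering would keep future regenerations diffing only on real changes. If the new order is intentional, say so in the commit message so the churn is not mistaken for a generator regression.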
to
-email-dst
eml
attachment
Destination email address
+Full EML
attachment
email-attachment
thread-index
email-thread-index
Attachment
+Identifies a particular conversation thread
@@ -3289,30 +3290,10 @@ email is a MISP object available in JSON format at
header
email-header
return-path
text
Full headers
--
from
email-src
Sender email address
--
reply-to
email-reply-to
Email address the reply will be sent to
+Message return path
@@ -3329,26 +3310,6 @@ email is a MISP object available in JSON format at
to-display-name
email-dst-display-name
Display name of the receiver
--
from-display-name
email-src-display-name
Display name of the sender
--
screenshot
attachment
send-date
datetime
reply-to
email-reply-to
Date the email has been sent
--
cc
email-dst
Carbon copy
--
subject
email-subject
Subject
--
return-path
text
Message return path
+Email address the reply will be sent to
@@ -3409,6 +3340,66 @@ email is a MISP object available in JSON format at
to-display-name
email-dst-display-name
Display name of the receiver
++
send-date
datetime
Date the email has been sent
++
header
email-header
Full headers
++
subject
email-subject
Subject
++
to
email-dst
Destination email address
++
from-display-name
email-src-display-name
Display name of the sender
++
x-mailer
email-x-mailer
thread-index
email-thread-index
attachment
email-attachment
Identifies a particular conversation thread
+Attachment
++
from
email-src
Sender email address
++
cc
email-dst
Carbon copy
@@ -3467,6 +3478,16 @@ fail2ban is a MISP object available in JSON format at
sensor
text
Identifier of the sensor
++
victim
text
logline
text
banned-ip
ip-src
Example log line that caused the ban.
+IP Address banned by fail2ban
-
logfile
attachment
Full logfile related to the attack.
-+
banned-ip
-ip-src
logfile
attachment
IP Address banned by fail2ban
+Full logfile related to the attack.
+
+
logline
text
Example log line that caused the ban.
+
sensor
text
Identifier of the sensor
--
tlsh
-tlsh
sha512/256
sha512/256
Fuzzy hash by Trend Micro: Locality Sensitive Hash
+Secure Hash Algorithm 2 (256 bits)
size-in-bytes
size-in-bytes
malware-sample
malware-sample
Size of the file, in bytes
--
authentihash
authentihash
Authenticode executable signature hash
--
mimetype
mime-type
Mime type
--
entropy
float
Entropy of the whole file
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
path
text
Path of the filename complete or partial
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
+The file itself (binary)
@@ -3695,8 +3626,68 @@ file is a MISP object available in JSON format at
sha512/256
sha512/256
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
sha224
-sha224
Secure Hash Algorithm 2 (224 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
filename
filename
malware-sample
malware-sample
mimetype
mime-type
The file itself (binary)
+Mime type
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -3785,6 +3766,16 @@ file is a MISP object available in JSON format at
entropy
float
Entropy of the whole file
++
sha384
sha384
authentihash
authentihash
Authenticode executable signature hash
++
path
text
Path of the filename complete or partial
++
text
-text
longitude
float
A generic description of the location.
+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
region
text
Region.
--
address
text
country
text
text
Country.
--
last-seen
datetime
When the location was seen for the last time.
--
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+A generic description of the location.
country
text
Country.
++
region
text
Region.
++
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
GtpVersion
-text
ipSrc
ip-src
GTP version ['0', '1', '2']
--
first-seen
datetime
When the attack has been seen for the first time.
--
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
--
GtpImsi
text
GTP IMSI (International mobile subscriber identity).
--
GtpMsisdn
text
GTP MSISDN.
--
PortSrc
port
Source port.
--
ipDest
ip-dst
IP destination address.
+IP source address.
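Review bot: the location `longitude` description (`+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference`) lacks the terminating period that the `latitude` row has; minor, but the two sibling rows should match.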
@@ -4061,20 +4012,10 @@ gtp-attack is a MISP object available in JSON format at
ipSrc
ip-src
first-seen
datetime
IP source address.
--
GtpServingNetwork
text
GTP Serving Network.
+When the attack has been seen for the first time.
@@ -4091,6 +4032,56 @@ gtp-attack is a MISP object available in JSON format at
PortSrc
port
Source port.
++
GtpVersion
text
GTP version ['0', '1', '2']
++
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
++
GtpMsisdn
text
GTP MSISDN.
++
GtpServingNetwork
text
GTP Serving Network.
++
GtpInterface
text
ipDest
ip-dst
IP destination address.
++
GtpImsi
text
GTP IMSI (International mobile subscriber identity).
++
method
-http-method
basicauth-user
text
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+HTTP Basic Authentication Username
+
cookie
+proxy-user
text
An HTTP cookie previously sent by the server with Set-Cookie
--
basicauth-user
text
HTTP Basic Authentication Username
--
content-type
other
The MIME type of the body of the request
+HTTP Proxy Username
@@ -4219,16 +4210,6 @@ http-request is a MISP object available in JSON format at
proxy-password
text
HTTP Proxy Password
--
basicauth-password
text
user-agent
user-agent
The user agent string of the user agent
--
referer
other
This is the address of the previous web page from which a link to the currently requested page was followed
--
uri
uri
proxy-user
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
proxy-password
text
HTTP Proxy Username
+HTTP Proxy Password
++
referer
other
This is the address of the previous web page from which a link to the currently requested page was followed
++
user-agent
user-agent
The user agent string of the user agent
++
content-type
other
The MIME type of the body of the request
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
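Review bot: the `basicauth-password` and `proxy-password` rows are plain `text` attributes whose descriptions (`HTTP Proxy Password`) say nothing about handling; an http-request object built from captured traffic would carry the live credential, so the description should state that the value is a secret taken from the request and that producers should redact or hash it before sharing the object.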
@@ -4317,13 +4328,13 @@ ip-port is a MISP object available in JSON format at
domain
domain
dst-port
port
Domain
+Destination port
+
dst-port
-port
Destination port
--
first-seen
datetime
domain
domain
Domain
++
hostname
hostname
last-seen
datetime
Last time the tuple has been seen
--
ip
ip-dst
last-seen
datetime
Last time the tuple has been seen
++
ip-dst
-ip-dst
Destination IP address
--
description
text
ip-dst
ip-dst
Destination IP address
++
ja3-fingerprint-md5
md5
ip-src
ip-src
Source IP Address
++
last-seen
datetime
ip-src
ip-src
Source IP Address
--
text
-text
A description of the entity.
--
commercial-name
text
Commercial name of an entity.
--
registration-number
text
Registration number of an entity in the relevant authority.
--
business
text
Business area of an entity.
--
phone-number
phone-number
registration-number
text
Registration number of an entity in the relevant authority.
++
text
text
A description of the entity.
++
legal-form
text
commercial-name
text
Commercial name of an entity.
++
business
text
Business area of an entity.
++
type
+entrypoint-address
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+Address of the entry point
+
entrypoint-address
+type
text
Address of the entry point
+Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
text
text
Free text value to attach to the Mach-O file
text
text
Free text value to attach to the Mach-O file
--
sha512/256
+sha512/256
Secure Hash Algorithm 2 (256 bits)
++
size-in-bytes
size-in-bytes
text
text
sha512/224
sha512/224
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -4769,10 +4780,40 @@ macho-section is a MISP object available in JSON format at
entropy
float
name
text
Entropy of the whole section
+Name of the section
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
@@ -4789,66 +4830,26 @@ macho-section is a MISP object available in JSON format at
sha512/256
sha512/256
sha512
sha512
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (512 bits)
name
text
entropy
float
Name of the section
+Entropy of the whole section
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
post
+text
Raw post
++
creation-date
datetime
Initial creation of the microblog post
++
type
text
username-quoted
text
Username who are quoted into the microblog post
++
modification-date
datetime
Last update of the microblog post
++
link
url
post
text
Raw post
--
username-quoted
text
Username who are quoted into the microblog post
--
creation-date
datetime
Initial creation of the microblog post
--
modification-date
datetime
Last update of the microblog post
--
removal-date
datetime
description
name
text
Description
+name of the mutex
name
description
text
name of the mutex
+Description
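Review bot: the microblog `username-quoted` description `Username who are quoted into the microblog post` is ungrammatical; suggest `Usernames quoted in the microblog post`. In the same hunk the mutex `name` row reads `name of the mutex` while its sibling reads `Description`; capitalise for consistency.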
@@ -5093,36 +5104,16 @@ netflow is a MISP object available in JSON format at
ip_version
packet-count
counter
IP version of this flow
+Packets counted in this flow
byte-count
counter
Bytes counted in this flow
--
dst-port
port
Destination port of the netflow
--
src-as
AS
dst-as
AS
byte-count
counter
Destination AS number for this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
+Bytes counted in this flow
@@ -5183,13 +5154,43 @@ netflow is a MISP object available in JSON format at
packet-count
counter
first-packet-seen
datetime
Packets counted in this flow
+First packet seen in this flow
+
+
last-packet-seen
datetime
Last packet seen in this flow
++
dst-port
port
Destination port of the netflow
++
src-port
port
Source port of the netflow
+
direction
-text
Direction of this flow ['Ingress', 'Egress']
--
flow-count
counter
src-port
port
dst-as
AS
Source port of the netflow
+Destination AS number for this flow
ip_version
counter
IP version of this flow
++
ip-src
ip-src
direction
text
Direction of this flow ['Ingress', 'Egress']
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
ip-protocol-number
size-in-bytes
first-packet-seen
datetime
First packet seen in this flow
--
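Review bot: `ip_version` is the only netflow attribute with an underscore (`dst-port`, `src-port`, `byte-count`, `first-packet-seen` all use hyphens) and it is typed `counter` although `IP version of this flow` is an enumeration, not a count; suggest listing the allowed values the way the `direction` row does (`['4', '6']`) and, if renaming is acceptable, `ip-version`.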
time_last
-datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
rrtype
rrname
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
+Resource Record name of the queried resource.
+
sensor_id
-text
Sensor information where the record was seen
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
count
counter
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
rrtype
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
sensor_id
text
Sensor information where the record was seen
++
zone_time_last
datetime
rrname
text
Resource Record name of the queried resource.
--
paste
+text
Raw text of the paste or post
++
origin
text
last-seen
datetime
When the paste has been accessible or seen for the last time.
--
paste
text
Raw text of the paste or post
--
title
text
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
type
-text
number-sections
counter
Type of PE ['exe', 'dll', 'driver', 'unknown']
+Number of sections
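Review bot: the passive-dns `rrtype` enumeration (`['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']`) omits MX, which passive DNS sensors record constantly; consider adding it (and CAA) so that those records do not have to be forced into another type.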
@@ -5577,23 +5588,33 @@ pe is a MISP object available in JSON format at
file-description
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
product-name
text
FileDescription in the resources
+ProductName in the resources
number-sections
counter
impfuzzy
impfuzzy
Number of sections
+Fuzzy Hash (ssdeep) calculated from the import table
+
pehash
-pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
company-name
text
product-name
entrypoint-section-at-position
text
ProductName in the resources
+Name of the section and position of the section in the PE
product-version
legal-copyright
text
ProductVersion in the resources
+LegalCopyright in the resources
compilation-timestamp
datetime
type
text
Compilation timestamp defined in the PE header
+Type of PE ['exe', 'dll', 'driver', 'unknown']
+
product-version
+text
ProductVersion in the resources
++
imphash
imphash
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
legal-copyright
file-description
text
LegalCopyright in the resources
+FileDescription in the resources
@@ -5727,13 +5738,13 @@ pe is a MISP object available in JSON format at
entrypoint-section-at-position
text
pehash
pehash
Name of the section and position of the section in the PE
+Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+
sha512/256
+sha512/256
Secure Hash Algorithm 2 (256 bits)
++
size-in-bytes
size-in-bytes
characteristic
text
sha512/224
sha512/224
Characteristic of the section ['read', 'write', 'executable']
--
text
text
Free text value to attach to the section
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -5825,36 +5826,6 @@ pe-section is a MISP object available in JSON format at
entropy
float
Entropy of the whole section
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
name
text
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
ssdeep
ssdeep
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha256
sha256
text
text
Free text value to attach to the section
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
entropy
float
Entropy of the whole section
++
sha384
sha384
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
text
-text
nationality
nationality
A description of the person or identity.
--
passport-expiration
passport-expiration
The expiration date of a passport.
+The nationality of a natural person.
@@ -5983,6 +5984,96 @@ person is a MISP object available in JSON format at
first-name
first-name
First name of a natural person.
++
last-name
last-name
Last name of a natural person.
++
text
text
A description of the person or identity.
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
alias
text
Alias name or known as.
++
passport-country
passport-country
The country in which the passport was issued.
++
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
middle-name
middle-name
passport-country
passport-country
The country in which the passport was issued.
--
alias
text
Alias name or known as.
--
first-name
first-name
First name of a natural person.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
--
nationality
nationality
The nationality of a natural person.
--
passport-number
passport-number
The passport number of a natural person.
--
place-of-birth
place-of-birth
last-name
last-name
passport-number
passport-number
Last name of a natural person.
+The passport number of a natural person.
passport-expiration
passport-expiration
The expiration date of a passport.
++
first-seen
-datetime
guti
text
When the phone has been accessible or seen for the first time.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+
imsi
gummei
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
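Review bot: the person object's `mothers-name` description (`Mother name, father, second name or other names following country’s regulation.`) reads as a list of unrelated items; suggest `Mother's name, father's name, second name or other names, as required by the country's regulation.` so it is clear the attribute holds a parental or additional name and not only the mother's name.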
@@ -6191,10 +6202,30 @@ phone is a MISP object available in JSON format at
guti
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
text
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+A description of the phone.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
@@ -6221,10 +6252,10 @@ phone is a MISP object available in JSON format at
gummei
serial-number
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
+Serial Number.
text
text
A description of the phone.
--
serial-number
text
Serial Number.
--
gml
-attachment
unknown-references
counter
Graph export in G>raph Modelling Language format
+Amount of API calls not ending in a function (Radare2 bug, probalby)
++
text
text
Description of the r2graphity object
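Review bot: two typos in the r2graphity rows survive the regeneration unchanged: `unknown-references` reads `Radare2 bug, probalby` (probably) and `gml` reads `Graph export in G>raph Modelling Language format` (stray `>`); fix them in the object template so the next regeneration carries the correction.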
@@ -6319,20 +6340,40 @@ r2graphity is a MISP object available in JSON format at
ratio-string
float
memory-allocations
counter
Ratio: amount of referenced strings per kilobyte of code section
+Amount of memory allocations
r2-commit-version
text
callback-largest
counter
Radare2 commit ID used to generate this object
+Largest callback
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
create-thread
counter
Amount of calls to CreateThread
@@ -6349,10 +6390,50 @@ r2graphity is a MISP object available in JSON format at
unknown-references
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
get-proc-address
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
+Amount of calls to GetProcAddress
++
not-referenced-strings
counter
Amount of not referenced strings
++
gml
attachment
Graph export in G>raph Modelling Language format
++
r2-commit-version
text
Radare2 commit ID used to generate this object
@@ -6369,10 +6450,30 @@ r2graphity is a MISP object available in JSON format at
get-proc-address
total-functions
counter
Amount of calls to GetProcAddress
+Total amount of functions in the file.
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
total-api
counter
Total amount of API calls
@@ -6399,96 +6500,6 @@ r2graphity is a MISP object available in JSON format at
not-referenced-strings
counter
Amount of not referenced strings
--
text
text
Description of the r2graphity object
--
create-thread
counter
Amount of calls to CreateThread
--
total-api
counter
Total amount of API calls
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
memory-allocations
counter
Amount of memory allocations
--
total-functions
counter
Total amount of functions in the file.
--
referenced-strings
counter
callback-largest
counter
ratio-api
float
Largest callback
+Ratio: amount of API calls per kilobyte of code section
@@ -6557,6 +6568,16 @@ regexp is a MISP object available in JSON format at
regexp
text
regexp
++
type
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
comment
comment
regexp
regexp-type
text
regexp
+Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+
name
-text
Name of the registry key
--
root-keys
text
hive
text
Hive used to store the registry key (file on disk)
++
data
text
hive
name
text
Hive used to store the registry key (file on disk)
+Name of the registry key
+
classification
+queue
text
Classification of the RTIR ticket
--
constituency
text
Constituency of the RTIR ticket
--
subject
text
Subject of the RTIR ticket
--
ip
ip-dst
IPs automatically extracted from the RTIR ticket
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
@@ -6851,10 +6832,40 @@ rtir is a MISP object available in JSON format at
queue
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
subject
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Subject of the RTIR ticket
++
classification
text
Classification of the RTIR ticket
++
constituency
text
Constituency of the RTIR ticket
@@ -6909,20 +6920,30 @@ sandbox-report is a MISP object available in JSON format at
web-sandbox
permalink
link
Permalink reference
++
on-premise-sandbox
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
+The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
results
web-sandbox
text
Freetext result values
+A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
@@ -6939,20 +6960,20 @@ sandbox-report is a MISP object available in JSON format at
score
results
text
Score
+Freetext result values
saas-sandbox
score
text
A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
+Score
@@ -6969,25 +6990,15 @@ sandbox-report is a MISP object available in JSON format at
on-premise-sandbox
saas-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
+A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
permalink
link
Permalink reference
--
signature
+text
Name of detection signature - set the description of the detection signature as a comment
++
datetime
datetime
signature
text
Name of detection signature - set the description of the detection signature as a comment
--
MapUssdCoding
+SccpCdSSN
text
MAP USSD Content.
+Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
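Review bot: the `SccpCdSSN` description (`Signaling Connection Control Part (SCCP) - Decimal value between 0-255.`) names neither the field nor what the number is, unlike the `CdGT - Phone number` and `CdPC - Phone number` rows; suggest `Signaling Connection Control Part (SCCP) CdSSN - Called party subsystem number, decimal value between 0-255.`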
@@ -7125,40 +7136,70 @@ ss7-attack is a MISP object available in JSON format at
SccpCdGT
MapUssdCoding
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
--
first-seen
datetime
When the attack has been seen for the first time.
+MAP USSD Content.
MapMsisdn
text
text
MAP MSISDN. Phone number.
+A description of the attack seen via SS7 logging.
++
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
MapMscGT
MapImsi
text
MAP MSC GT. Phone number.
+MAP IMSI. Phone number starting with MCC/MNC.
++
MapSmscGT
text
MAP SMSC. Phone number.
++
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
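Review bot: `MapImsi` is described as `MAP IMSI. Phone number starting with MCC/MNC.`, but an IMSI is a subscriber identity, not a phone number (the phone number is the MSISDN, which has its own `MapMsisdn` row); suggest `MAP IMSI. International Mobile Subscriber Identity, digits starting with MCC/MNC.`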
@@ -7185,16 +7226,6 @@ ss7-attack is a MISP object available in JSON format at
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
--
MapGsmscfGT
text
MapGmlc
text
MAP GMLC. Phone number.
--
MapSmsTP-DCS
text
MAP SMS TP-DCS.
--
SccpCgSSN
text
MapSmsTypeNumber
Category
text
MAP SMS TypeNumber.
+Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
text
MapMsisdn
text
A description of the attack seen via SS7 logging.
+MAP MSISDN. Phone number.
++
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
++
first-seen
datetime
When the attack has been seen for the first time.
@@ -7265,60 +7296,10 @@ ss7-attack is a MISP object available in JSON format at
SccpCgPC
SccpCdGT
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
--
MapUssdContent
text
MAP USSD Content.
--
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
--
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
--
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
+Signaling Connection Control Part (SCCP) CdGT - Phone number.
@@ -7335,35 +7316,65 @@ ss7-attack is a MISP object available in JSON format at
MapSmsTP-OA
MapSmsTypeNumber
text
MAP SMS TP-OA. Phone number.
+MAP SMS TypeNumber.
++
MapSmsTP-DCS
text
MAP SMS TP-DCS.
++
MapGmlc
text
MAP GMLC. Phone number.
MapSmscGT
MapMscGT
text
MAP SMSC. Phone number.
+MAP MSC GT. Phone number.
MapImsi
MapUssdContent
text
MAP IMSI. Phone number starting with MCC/MNC.
+MAP USSD Content.
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
++
suricata
-suricata
comment
comment
Suricata rule.
+A description of the Suricata rule.
comment
comment
suricata
suricata
A description of the Suricata rule.
+Suricata rule.
@@ -7559,20 +7570,20 @@ target-system is a MISP object available in JSON format at
timestamp_seen
datetime
targeted_machine
target-machine
Registered date and time
+Targeted system
targeted_machine
target-machine
timestamp_seen
datetime
Targeted system
+Registered date and time
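Review bot: `timestamp_seen` and `targeted_machine` use underscores while most object tables on this page use hyphenated attribute names (`first-seen`, `last-seen`, and the `target-machine` type right next to it); if the names cannot change without breaking existing target-system objects, at least note the naming exception in the description.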
@@ -7617,6 +7628,26 @@ timesketch-timeline is a MISP object available in JSON format at
datetime
datetime
When the log entry was seen
++
message
text
Informative message of the event
++
timestamp
timestamp-microsec
A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship..
+message |
++ + | ++timestamp is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. + | +
Object attribute | +MISP attribute type | +Description | +Disable correlation | +|||||
---|---|---|---|---|---|---|---|---|
precision |
text |
- Informative message of the event +Timestamp precision represents the precision given to first_seen and/or last_seen in this object. ['year', 'month', 'day', 'hour', 'minute', 'full'] |
- +
|
|||||
datetime |
+first-seen |
datetime |
- When the log entry was seen +First time that the linked object or attribute has been seen. |
- + + |
+||||
text |
+text |
+
+ Description of the time object. + |
+
+ + |
+|||||
last-seen |
+datetime |
+
+ First time that the linked object or attribute has been seen. + |
+
+
|
text |
+address |
+ip-src |
- router’s nickname. - |
-
- - |
-
-
text |
-text |
-
- Tor node comment. - |
-
- - |
-|||||
version_line |
-text |
-
- versioning information reported by the node. - |
-
- - |
-|||||
first-seen |
-datetime |
-
- When the Tor node designed by the IP address has been seen for the first time. - |
-
- - |
-|||||
last-seen |
-datetime |
-
- When the Tor node designed by the IP address has been seen for the last time. - |
-
- - |
-|||||
flags |
-text |
-
- list of flag associated with the node. +IP address of the Tor node seen. |
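Review bot: in the timestamp object the `last-seen` row is added with the description `First time that the linked object or attribute has been seen.`, which duplicates the `first-seen` row; it should read `Last time that the linked object or attribute has been seen.` The `timestamp` description in the same hunk also ends with a double period (`kind of time relationship..`).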
@@ -7765,13 +7804,13 @@ tor-node is a MISP object available in JSON format at address |
-ip-src |
+first-seen |
+datetime |
- IP address of the Tor node seen. +When the Tor node designed by the IP address has been seen for the first time. |
- +
|
text |
text |
- parsed version of tor, this is None if the relay’s using a new versioning scheme. +Tor node comment. |
- + + |
+|||||
last-seen |
+datetime |
+
+ When the Tor node designed by the IP address has been seen for the last time. + |
+
+
|
|||||
flags |
+text |
+
+ list of flag associated with the node. + |
+
+ + |
+|||||
version_line |
+text |
+
+ versioning information reported by the node. + |
+
+ + |
+|||||
version |
+text |
+
+ parsed version of tor, this is None if the relay’s using a new versioning scheme. + |
+
+ + |
+|||||
nickname |
+text |
+
+ router’s nickname. + |
+
+ + |
+
transmode-comment
+from-country
text
Comment describing transmode-code, if needed.
+Origin country of a transaction.
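Review bot: the tor-node descriptions start lowercase (`router’s nickname.`, `versioning information reported by the node.`, `parsed version of tor, ...`) unlike every other object table, and `list of flag associated with the node.` should read `List of flags associated with the node.`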
@@ -7873,26 +7962,6 @@ transaction is a MISP object available in JSON format at
transaction-number
text
A unique number identifying a transaction.
--
from-funds-code
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
--
date-posting
datetime
date
datetime
Date and time of the transaction.
--
to-country
text
Target country of a transaction.
--
location
text
from-country
authorized
text
Origin country of a transaction.
+Person who autorized the transaction.
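Review bot: `authorized` is described as `Person who autorized the transaction.`; fix the typo (`authorized`) in the template rather than only in the generated page.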
@@ -7953,20 +8002,10 @@ transaction is a MISP object available in JSON format at
transmode-code
text
date
datetime
How the transaction was conducted.
--
amount
text
The value of the transaction in local currency.
+Date and time of the transaction.
@@ -7983,10 +8022,60 @@ transaction is a MISP object available in JSON format at
authorized
to-country
text
Person who autorized the transaction.
+Target country of a transaction.
++
transmode-comment
text
Comment describing transmode-code, if needed.
++
transaction-number
text
A unique number identifying a transaction.
++
transmode-code
text
How the transaction was conducted.
++
from-funds-code
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
amount
text
The value of the transaction in local currency.
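Review bot: `amount` is typed `text` for `The value of the transaction in local currency.`, which prevents numeric comparison and says nothing about which currency or decimal format is expected; `float` is already used on this page for entropy and latitude, so consider it here and state the currency expectation (for example an ISO 4217 code in a sibling attribute or in the description) so that values from different producers can be compared.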
@@ -8041,16 +8130,6 @@ url is a MISP object available in JSON format at
resource_path
text
Path (between hostname:port and query)
--
fragment
text
query_string
text
Query (after path, preceded by '?')
--
port
port
Port number
--
tld
text
text
text
Description of the URL
++
first-seen
datetime
resource_path
text
Path (between hostname:port and query)
++
domain
domain
Full domain
++
subdomain
text
domain_without_tld
text
Domain without Top-Level Domain
++
host
hostname
port
port
Port number
++
scheme
text
text
text
Description of the URL
--
domain_without_tld
text
Domain without Top-Level Domain
--
credential
text
domain
domain
query_string
text
Full domain
+Query (after path, preceded by '?')
@@ -8219,56 +8308,6 @@ victim is a MISP object available in JSON format at
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
description
text
Description of the victim
--
name
target-org
The name of the department(s) or organisation(s) targeted.
--
ip-address
ip-dst
IP address(es) of the node targeted.
--
roles
text
external
target-external
description
text
External target organisations affected by this attack.
+Description of the victim
node
target-machine
classification
text
Name(s) of node that was targeted.
+The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
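Review bot: the victim `sectors` description `The list of sectors that the victim belong to` should read `belongs to`, and `regions` (`The list of regions or locations from the victim targeted. ISO 3166 should be used.`) would be clearer as `List of regions or locations of the targeted victim; use ISO 3166 codes.`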
@@ -8319,10 +8368,50 @@ victim is a MISP object available in JSON format at
regions
target-location
name
target-org
The list of regions or locations from the victim targeted. ISO 3166 should be used.
+The name of the department(s) or organisation(s) targeted.
++
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
node
target-machine
Name(s) of node that was targeted.
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
external
target-external
External target organisations affected by this attack.
@@ -8367,6 +8456,26 @@ virustotal-report is a MISP object available in JSON format at
permalink
link
Permalink Reference
++
last-submission
datetime
Last Submission
++
detection-ratio
text
last-submission
datetime
Last Submission
--
first-submission
datetime
permalink
link
Permalink Reference
--
vulnerable_configuration
-text
The vulnerable configuration is described in CPE format
--
text
text
Description of the vulnerability
--
created
datetime
published
datetime
Initial publication date
++
modified
datetime
Last modification date
++
id
vulnerability
published
datetime
text
text
Initial publication date
--
references
link
External references
+Description of the vulnerability
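Review bot: `detection-ratio` (typed `text`) has no description line in this hunk, unlike `permalink` and `last-submission`, and nothing states how the ratio is written (for example "3/68"); add the description and fix the format, because a free-text ratio cannot be compared or sorted otherwise. Further down, in the vulnerability attributes, `vulnerable_configuration` uses an underscore while the neighbouring attributes (`first-submission`, `last-submission`) are hyphenated, and its type line shows as removed ("-text") with no replacement visible; confirm the attribute still carries a type in the generated output and align the naming.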
@@ -8545,13 +8624,23 @@ vulnerability is a MISP object available in JSON format at
modified
datetime
references
link
Last modification date
+External references
+
+
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
+
domain
-domain
registrant-name
whois-registrant-name
Domain of the whois entry
+Registrant name
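Review bot: the `domain` attribute at the start of the whois part of this hunk shows its type line removed ("-domain") with only `registrant-name` / `whois-registrant-name` following, so in this rendering the attribute appears to lose its type; confirm this is a reordering artefact and that `domain` still has type `domain` in the output. In the vulnerability part, `references` is a single `link` attribute whose description is plural ("External references"); state that the attribute may be instantiated once per reference rather than packing several URLs into one value.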
@@ -8613,26 +8702,6 @@ whois is a MISP object available in JSON format at
text
text
Full whois entry
--
registrant-email
whois-registrant-email
Registrant email address
--
creation-date
datetime
ip-address
ip-src
text
text
IP address of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
expiration-date
datetime
Expiration of the whois entry
+Full whois entry
registrant-name
whois-registrant-name
domain
domain
Registrant name
+Domain of the whois entry
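Review bot: `creation-date` (`datetime`) is the only attribute in this hunk without a description line, and the adjacent `expiration-date` says "Expiration of the whois entry", which is ambiguous between the domain registration expiry and the whois record itself; both dates should say which event they record (registration created, registration expires). `ip-address` is typed `ip-src`, yet a whois lookup result has no traffic direction, so consumers that distinguish `ip-src` from `ip-dst` will read it as a traffic source; either pick a direction-neutral representation or state the rationale in the description.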
@@ -8703,16 +8752,36 @@ whois is a MISP object available in JSON format at
comment
text
registrant-email
whois-registrant-email
Comment of the whois entry
+Registrant email address
registrant-phone
whois-registrant-phone
Registrant phone number
++
expiration-date
datetime
Expiration of the whois entry
++
modification-date
datetime
comment
text
Comment of the whois entry
++
ip-address
ip-src
IP address of the whois entry
++
self_signed
-boolean
Self-signed certificate
--
text
pubkey-info-exponent
text
Free text description of hte certificate
--
pubkey-info-size
text
Length of the public key (in bits)
--
serial-number
text
Serial number of the certificate
--
is_ca
boolean
CA certificate
--
dns_names
text
DNS names
--
validity-not-after
datetime
Certificate invalid after that date
--
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
raw-base64
text
Raw certificate base64 encoded (DER format)
+Exponent of the public key
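Review bot: the x509 `text` description reads "Free text description of hte certificate"; fix the typo ("the"). In the same region `self_signed`, `is_ca` and `dns_names` use underscores while the other x509 attributes (`serial-number`, `validity-not-after`, `raw-base64`, `pubkey-info-size`) are hyphenated; make the naming consistent before the template ships, since renaming later breaks objects already created from it. `modification-date` in the whois part also lacks a description line, as `creation-date` did in the previous hunk.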
@@ -8861,10 +8870,20 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
text
Exponent of the public key
+Free text description of hte certificate
++
issuer
text
Issuer of the certificate
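Review bot: the "hte certificate" typo recurs in this hunk's `text` description; fix it here as well. `issuer` is described only as "Issuer of the certificate", which does not say whether the value is the full distinguished name or just the CN; DN string forms differ between tools (RFC 4514 ordering versus OpenSSL's slash-separated form), so state which form is expected or issuer values from different submitters will not match.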
@@ -8881,40 +8900,20 @@ x509 is a MISP object available in JSON format at
subject
pubkey-info-size
text
Subject of the certificate
+Length of the public key (in bits)
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
version
dns_names
text
Version of the certificate
--
pubkey-info-algorithm
text
Algorithm of the public key
+DNS names
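Review bot: `dns_names` is a single `text` attribute described as "DNS names", but a certificate's subjectAltName is a list; say whether the object expects one attribute instance per name or a delimited string, and which delimiter, otherwise consumers cannot split it reliably. `version` is likewise typed `text` although the X.509 version is a small integer (v1 or v3); specify whether the value is "3" or "v3" so it is comparable. The "[Insecure]" marker on `x509-fingerprint-sha1` is appropriate; the description could add that the value is kept for matching against legacy feeds, not for trust decisions.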
@@ -8941,10 +8940,100 @@ x509 is a MISP object available in JSON format at
issuer
validity-not-after
datetime
Certificate invalid after that date
++
serial-number
text
Issuer of the certificate
+Serial number of the certificate
++
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
++
subject
text
Subject of the certificate
++
self_signed
boolean
Self-signed certificate
++
raw-base64
text
Raw certificate base64 encoded (DER format)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
version
text
Version of the certificate
++
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
is_ca
boolean
CA certificate
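Review bot: `serial-number` is typed `text` with description "Serial number of the certificate" and no encoding stated; serials are arbitrary-length integers that tools print as decimal, as hex, or as colon-separated hex bytes, so without a fixed representation two submitters will record the same certificate differently and correlation fails. `validity-not-after` ("Certificate invalid after that date") appears in this hunk with no matching `validity-not-before` visible; confirm the not-before date exists elsewhere in the template, since both bounds are needed to judge a certificate observed at a given time. `raw-base64` is described as "Raw certificate base64 encoded (DER format)"; clarify whether this is the bare base64 of the DER bytes or includes the PEM header and footer lines, as both forms are common.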
@@ -8989,16 +9078,6 @@ yabin is a MISP object available in JSON format at
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
yara-hunt
yara
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
++
comment
comment
yara
yara
YARA rule.
++
version
text
yara
yara
YARA rule.
--
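Review bot: `version` appears in this hunk with type `comment` ("yabin.py and regex.txt version used for the generation of the yara rules.") and again with type `text`; a version string is data rather than an annotation, so keep the `text` typing and drop the `comment` one. The hunk also shows both `yara-hunt` and `yara` as the name of the `yara` attribute ("YARA rule."); confirm that only one survives, since a consumer walking the template by attribute name will miss the rule under the other.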