diff --git a/objects.html b/objects.html
index e586879..3190667 100755
--- a/objects.html
+++ b/objects.html
@@ -556,20 +556,10 @@ ail-leak is a MISP object available in JSON format at original-date
datetime
raw-data
text
When the information available in the leak was created. It’s usually before the first-seen.
--
first-seen
datetime
When the leak has been accessible or seen for the first time.
+Raw data as received by the AIL sensor compressed and encoded in Base64.
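Review bot: The raw-data description added at the end of this hunk says the value is "compressed and encoded in Base64" but does not name the compression format, so a consumer cannot decode the attribute from the documentation alone. Suggest stating the algorithm and the order of operations (compress first, then Base64) in the description.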
@@ -586,26 +576,16 @@ ail-leak is a MISP object available in JSON format at
text
text
first-seen
datetime
A description of the leak which could include the potential victim(s) or description of the leak.
+When the leak has been accessible or seen for the first time.
origin
link
The link where the leak is (or was) accessible at first-seen.
--
last-seen
datetime
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
++
origin
link
The link where the leak is (or was) accessible at first-seen.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
subnet-announced
+mp-export
text
Subnet announced
--
first-seen
datetime
First time the ASN was seen
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
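Review bot: The mp-export description added on the last line refers to "the export attribute above", which only holds for one particular row order, and this patch is moving rows around. Suggest dropping "above" and referring to the attribute by name. The same sentence says "The export is described in RFC 4012" where mp-export appears to be meant, and it ends with a stray "format" after "section 4.5.", which reads like a leftover from the export description.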
@@ -694,16 +694,6 @@ asn is a MISP object available in JSON format at
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
asn
as
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
description
text
Description of the autonomous system
--
last-seen
first-seen
datetime
Last time the ASN was seen
+First time the ASN was seen
@@ -754,6 +724,26 @@ asn is a MISP object available in JSON format at
last-seen
datetime
Last time the ASN was seen
++
subnet-announced
ip-src
Subnet announced
++
mp-import
text
export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
description
text
Description of the autonomous system
++
text
-text
datetime
datetime
Free text value to attach to the file
+Datetime
datetime
datetime
text
text
Datetime
+Free text value to attach to the file
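Review bot: In the asn rows at the top of this hunk, subnet-announced is typed ip-src while its description is only "Subnet announced". An announced prefix is not a source address, so anything that consumes ip-src values as sources will pick these up with the wrong meaning. Suggest confirming the type is intended and, if it is, saying in the description that the value is a prefix in CIDR notation.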
@@ -880,6 +890,16 @@ cookie is a MISP object available in JSON format at
cookie-name
text
Name of the cookie (if splitted)
++
cookie-value
text
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
++
cookie
cookie
cookie-name
text
Name of the cookie (if splitted)
--
text
text
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
--
password
+origin
text
Password
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
type
username
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+Username related to the password(s)
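Review bot: The cookie-name description in this hunk, "Name of the cookie (if splitted)", has a grammar slip ("splitted" should be "split") and does not say what is being split. Suggest wording along the lines of "Name of the cookie, when the cookie is recorded as separate name and value attributes", so the relation to the cookie and cookie-value rows is explicit.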
@@ -998,26 +1008,6 @@ credential is a MISP object available in JSON format at
text
text
A description of the credential(s)
--
origin
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
--
format
text
username
type
text
Username related to the password(s)
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
text
text
A description of the credential(s)
++
password
text
Password
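Review bot: The password row re-added at the end of this hunk is documented only as "Password", which leaves open whether the value is expected in cleartext or as a hash. Since the object also has format and type rows, suggest having the password description point to them and state what form the value takes. The type description also reads "Type of password(s)" while listing 'api-key' and 'encryption-key'; "Type of credential(s)" would match the list.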
@@ -1076,16 +1086,6 @@ credit-card is a MISP object available in JSON format at
version
text
Version of the card.
--
issued
datetime
expiration
datetime
Maximum date of validity
--
name
version
text
Name of the card owner.
--
cc-number
cc-number
credit-card number as encoded on the card.
+Version of the card.
cc-number
cc-number
credit-card number as encoded on the card.
++
expiration
datetime
Maximum date of validity
++
name
text
Name of the card owner.
++
ip-src
-ip-src
dst-port
port
IP address originating the attack
+Destination port of the attack
@@ -1204,56 +1214,6 @@ ddos is a MISP object available in JSON format at
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
src-port
port
Port originating the attack
--
total-pps
counter
Packets per second
--
dst-port
port
Destination port of the attack
--
text
text
Description of the DDoS
--
total-bps
counter
ip-src
ip-src
IP address originating the attack
++
last-seen
datetime
End of the attack
++
first-seen
datetime
last-seen
datetime
total-pps
counter
End of the attack
+Packets per second
++
src-port
port
Port originating the attack
++
text
text
Description of the DDoS
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
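Review bot: The row order in this table is not stable. src-port ("Port originating the attack"), total-pps ("Packets per second") and text ("Description of the DDoS") all appear on both the removed and the added side with identical wording, so the hunk is almost entirely reordering. Suggest having the generator emit attributes in a fixed order, for example sorted by name, so that a regenerated page only diffs when a definition actually changes and real edits are not buried in churn.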
@@ -1322,26 +1332,6 @@ domain-ip is a MISP object available in JSON format at
first-seen
datetime
First time the tuple has been seen
--
text
text
A description of the tuple
--
last-seen
datetime
first-seen
datetime
First time the tuple has been seen
++
text
text
A description of the tuple
++
ip
ip-dst
text
text
number-sections
counter
Free text value to attach to the ELF
+Number of sections
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
--
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
entrypoint-address
text
number-sections
counter
arch
text
Number of sections
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
++
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
text
text
Free text value to attach to the ELF
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
++
sha384
-sha384
text
text
Secure Hash Algorithm 2 (384 bits)
+Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
name
text
Name of the section
++
sha256
sha256
name
text
sha384
sha384
Name of the section
+Secure Hash Algorithm 2 (384 bits)
+
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
flag
-text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha224
sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
text
-text
ssdeep
ssdeep
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
md5
md5
[Insecure] MD5 hash (128 bits)
--
to
+cc
email-dst
Destination email address
+Carbon copy
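Review bot: The arch, os_abi, type and flag rows in the ELF part of this region carry their permitted values as a Python list literal inside the description text; the arch cell alone holds well over a hundred entries, from 'None' to 'AMDGPU'. That makes the table hard to read and the values hard to copy reliably. Suggest rendering the value list in its own column or as a separate list, and keeping the description to the sentence before the bracket.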
@@ -1716,50 +1726,10 @@ email is a MISP object available in JSON format at
reply-to
email-reply-to
Email address the reply will be sent to
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
from
email-src
Sender email address
--
attachment
email-attachment
Attachment
--
cc
to
email-dst
Carbon copy
+Destination email address
@@ -1776,26 +1746,16 @@ email is a MISP object available in JSON format at
mime-boundary
email-mime-boundary
screenshot
attachment
MIME Boundary
+Screenshot of email
send-date
datetime
Date the email has been sent
--
header
email-header
screenshot
attachment
mime-boundary
email-mime-boundary
Screenshot of email
+MIME Boundary
++
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
reply-to
email-reply-to
Email address the reply will be sent to
++
send-date
datetime
Date the email has been sent
++
from
email-src
Sender email address
++
attachment
email-attachment
Attachment
++
thread-index
email-thread-index
Identifies a particular conversation thread
thread-index
email-thread-index
Identifies a particular conversation thread
--
filename
-filename
malware-sample
malware-sample
Filename on disk
+The file itself (binary)
sha384
sha384
ssdeep
ssdeep
Secure Hash Algorithm 2 (384 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
@@ -1944,40 +1934,10 @@ file is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha512/256
sha512/256
Size of the file, in bytes
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
mimetype
text
Mime type
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
+Secure Hash Algorithm 2 (256 bits)
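Review bot: The descriptions for the truncated SHA-512 variants in this hunk do not distinguish them from the plain SHA-2 digests of the same length. sha512/256 gets "Secure Hash Algorithm 2 (256 bits)", the same text the sha256 row carries elsewhere in this file, and sha512/224 gets "Secure Hash Algorithm 2 (224 bits)". The digests differ for the same input, so a reader matching hashes by description could pick the wrong attribute. Suggest wording such as "SHA-512 truncated to 256 bits (SHA-512/256)".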
@@ -1994,10 +1954,30 @@ file is a MISP object available in JSON format at
tlsh
tlsh
mimetype
text
Fuzzy hash by Trend Micro: Locality Sensitive Hash
+Mime type
++
text
text
Free text value to attach to the file
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
@@ -2014,10 +1994,50 @@ file is a MISP object available in JSON format at
authentihash
authentihash
sha512
sha512
Authenticode executable signature hash
+Secure Hash Algorithm 2 (512 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
filename
filename
Filename on disk
@@ -2034,6 +2054,16 @@ file is a MISP object available in JSON format at
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha1
sha1
text
text
authentihash
authentihash
Free text value to attach to the file
--
malware-sample
malware-sample
The file itself (binary)
+Authenticode executable signature hash
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
region
-text
altitude
float
Region.
+The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
last-seen
datetime
When the location was seen for the last time.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
country
text
altitude
latitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
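Review bot: The altitude description added in the geolocation rows of this hunk gives the reference system (WGS84) but no unit, so the float cannot be interpreted without guessing. Suggest stating the unit in the description. As a smaller point, the longitude description lacks the closing full stop that the altitude and latitude descriptions have.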
@@ -2192,23 +2212,13 @@ geolocation is a MISP object available in JSON format at
last-seen
datetime
region
text
When the location was seen for the last time.
+Region.
-
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
-+
method
-http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
proxy-user
text
HTTP Proxy Username
--
basicauth-user
text
HTTP Basic Authentication Username
--
host
hostname
The domain name of the server
--
cookie
text
basicauth-password
text
HTTP Basic Authentication Password
--
text
text
HTTP Request comment
--
proxy-password
text
HTTP Proxy Password
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
user-agent
user-agent
The user agent string of the user agent
--
content-type
other
host
hostname
The domain name of the server
++
proxy-password
text
HTTP Proxy Password
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
user-agent
user-agent
The user agent string of the user agent
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
proxy-user
text
HTTP Proxy Username
++
basicauth-user
text
HTTP Basic Authentication Username
++
basicauth-password
text
HTTP Basic Authentication Password
++
text
text
HTTP Request comment
++
first-seen
-datetime
First time the tuple has been seen
--
src-port
port
Source port
--
dst-port
port
text
text
first-seen
datetime
Description of the tuple
+First time the tuple has been seen
src-port
port
Source port
++
text
text
Description of the tuple
++
ip-src
-ip-src
Source IP Address
--
ip-dst
ip-dst
description
text
Type of detected software ie software, malware
--
ja3-fingerprint-md5
md5
Hash identifying source
--
first-seen
datetime
ip-src
ip-src
Source IP Address
++
last-seen
datetime
ja3-fingerprint-md5
md5
Hash identifying source
++
description
text
Type of detected software ie software, malware
++
text
+type
text
Free text value to attach to the Mach-O file
+Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+
type
+text
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
+Free text value to attach to the Mach-O file
+
sha384
-sha384
text
text
Secure Hash Algorithm 2 (384 bits)
+Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha256
sha256
name
text
sha384
sha384
Name of the section
+Secure Hash Algorithm 2 (384 bits)
+
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha224
-sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
text
-text
ssdeep
ssdeep
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
md5
md5
[Insecure] MD5 hash (128 bits)
--
username-quoted
-text
Username who are quoted into the microblog post
--
url
url
Original URL location of the microblog post
--
modification-date
datetime
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
link
url
Link into the microblog post
--
creation-date
datetime
Initial creation of the microblog post
--
post
text
url
url
Original URL location of the microblog post
++
creation-date
datetime
Initial creation of the microblog post
++
link
url
Link into the microblog post
++
username-quoted
text
Username who are quoted into the microblog post
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
removal-date
datetime
direction
text
Direction of this flow ['Ingress', 'Egress']
++
dst-port
port
Destination port of the netflow
++
tcp-flags
text
TCP flags of the flow
++
byte-count
counter
Bytes counted in this flow
++
ip_version
counter
IP version of this flow
++
src-port
port
Source port of the netflow
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
ip-dst
ip-dst
IP address destination of the netflow
++
last-packet-seen
datetime
Last packet seen in this flow
++
packet-count
counter
Packets counted in this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
ip-src
ip-src
ip-dst
ip-dst
src-as
AS
IP address destination of the netflow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+Source AS number for this flow
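Review bot: In the netflow rows of this region, ip-protocol-number is typed size-in-bytes, which does not match its description "IP protocol number of this flow"; a protocol number is an identifier, not a size. Suggest a type that fits the value, or documenting why size-in-bytes was chosen. The naming is also inconsistent in the same table: ip_version uses an underscore while ip-protocol-number, byte-count, packet-count and the rest use hyphens.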
@@ -3058,30 +3158,10 @@ netflow is a MISP object available in JSON format at
dst-port
port
protocol
text
Destination port of the netflow
--
packet-count
counter
Packets counted in this flow
--
src-as
AS
Source AS number for this flow
+Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
ip_version
counter
IP version of this flow
--
last-packet-seen
datetime
Last packet seen in this flow
--
tcp-flags
text
TCP flags of the flow
--
src-port
port
Source port of the netflow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
byte-count
counter
Bytes counted in this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
bailiwick
+text
Best estimate of the apex of the zone where this data is authoritative
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
++
rrtype
text
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
--
origin
text
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
rrname
text
bailiwick
text
zone_time_last
datetime
Best estimate of the apex of the zone where this data is authoritative
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -3306,20 +3326,10 @@ passive-dns is a MISP object available in JSON format at
time_last
zone_time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -3404,16 +3414,6 @@ paste is a MISP object available in JSON format at
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
--
last-seen
datetime
origin
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
imphash
-imphash
legal-copyright
text
Hash (md5) calculated from the import table
+LegalCopyright in the resources
-
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
-+
file-version
-text
FileVersion in the resources
--
entrypoint-address
text
Address of the entry point
--
number-sections
counter
internal-filename
filename
entrypoint-address
text
InternalFilename in the resources
+Address of the entry point
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
@@ -3552,13 +3532,23 @@ pe is a MISP object available in JSON format at
legal-copyright
text
internal-filename
filename
LegalCopyright in the resources
+InternalFilename in the resources
+
+
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
+
imphash
+imphash
Hash (md5) calculated from the import table
++
original-filename
filename
OriginalFilename in the resources
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
file-description
text
FileDescription in the resources
++
product-name
text
ProductName in the resources
++
file-version
text
FileVersion in the resources
++
entrypoint-section-at-position
text
file-description
text
FileDescription in the resources
--
text
text
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
original-filename
filename
OriginalFilename in the resources
--
product-name
text
ProductName in the resources
--
sha384
-sha384
text
text
Secure Hash Algorithm 2 (384 bits)
+Free text value to attach to the section
++
md5
md5
[Insecure] MD5 hash (128 bits)
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
++
sha256
sha256
name
text
sha384
sha384
Name of the section ['.rsrc', '.reloc', '.rdata', '.data', '.text']
+Secure Hash Algorithm 2 (384 bits)
+
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha512/224
sha512/224
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
sha224
-sha224
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
text
-text
ssdeep
ssdeep
Free text value to attach to the section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
first-name
-first-name
last-name
last-name
First name of a natural person.
+Last name of a natural person.
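Review bot: In the PE section rows of this hunk, the name description lists ['.rsrc', '.reloc', '.rdata', '.data', '.text'] without saying whether these are the only accepted values or just suggestions. Section names in a PE are free-form, and the non-standard ones are often the ones worth recording, so the description should say the list is indicative and that other names are allowed.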
@@ -3878,10 +3888,20 @@ person is a MISP object available in JSON format at
gender
gender
redress-number
redress-number
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
+The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
first-name
first-name
First name of a natural person.
@@ -3898,20 +3918,20 @@ person is a MISP object available in JSON format at
last-name
last-name
middle-name
middle-name
Last name of a natural person.
+Middle name of a natural person
nationality
nationality
passport-country
passport-country
The nationality of a natural person.
+The country in which the passport was issued.
@@ -3928,20 +3948,30 @@ person is a MISP object available in JSON format at
redress-number
redress-number
passport-number
passport-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+The passport number of a natural person.
middle-name
middle-name
nationality
nationality
Middle name of a natural person
+The nationality of a natural person.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
passport-country
passport-country
The country in which the passport was issued.
--
passport-number
passport-number
The passport number of a natural person.
--
text
+text
A description of the phone.
++
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
++
first-seen
datetime
serial-number
guti
text
Serial Number.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
@@ -4066,26 +4096,6 @@ phone is a MISP object available in JSON format at
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
--
gummei
text
text
serial-number
text
A description of the phone.
+Serial Number.
+
local-references
+total-functions
counter
Amount of API calls inside a code section
+Total amount of functions in the file.
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
@@ -4174,46 +4194,6 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
counter
Amount of referenced strings
--
callback-largest
counter
Largest callback
--
total-functions
counter
Total amount of functions in the file.
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
dangling-strings
counter
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
text
text
Description of the r2graphity object
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
get-proc-address
counter
gml
attachment
Graph export in G>raph Modelling Language format
--
memory-allocations
counter
Amount of memory allocations
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
r2-commit-version
text
Radare2 commit ID used to generate this object
--
callbacks
counter
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
not-referenced-strings
counter
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
create-thread
counter
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
r2-commit-version
text
Radare2 commit ID used to generate this object
++
local-references
counter
Amount of API calls inside a code section
++
gml
attachment
Graph export in G>raph Modelling Language format
++
text
text
Description of the r2graphity object
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
referenced-strings
counter
Amount of referenced strings
++
memory-allocations
counter
Amount of memory allocations
++
callback-largest
counter
Largest callback
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
regexp
+regexp-type
text
regexp
+Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+
regexp-type
+regexp
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
+regexp
+
data
-reg-data
data-type
reg-datatype
Data stored in the registry key
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
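Review bot: two r2graphity descriptions in this region carry typos on both sides of the move: "Graph export in G>raph Modelling Language format" (gml) and "Radare2 bug, probalby" (unknown-references). These rows are being rewritten anyway, so correct them to "Graph Modelling Language" and "probably" in the same change.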
@@ -4500,30 +4510,10 @@ registry-key is a MISP object available in JSON format at
name
reg-name
data
reg-data
Name of the registry key
--
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
last-modified
datetime
Last time the registry key has been modified
+Data stored in the registry key
name
reg-name
Name of the registry key
++
last-modified
datetime
Last time the registry key has been modified
++
constituency
+classification
text
Constituency of the RTIR ticket
+Classification of the RTIR ticket
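Review bot: the registry-key rows mix key and value terminology. The data-type row is described as "Registry value type", but data is "Data stored in the registry key" and name (type reg-name) is "Name of the registry key". If name and data describe a value under the key, say so in both descriptions so analysts do not put the key path into name.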
@@ -4666,10 +4676,10 @@ rtir is a MISP object available in JSON format at
classification
text
ip
ip-dst
Classification of the RTIR ticket
+IPs automatically extracted from the RTIR ticket
@@ -4686,10 +4696,10 @@ rtir is a MISP object available in JSON format at
ip
ip-dst
constituency
text
IPs automatically extracted from the RTIR ticket
+Constituency of the RTIR ticket
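Review bot: the two rtir hunks only rotate the classification, constituency and ip rows among each other, and each description that is removed reappears unchanged a few lines later. Emitting the attribute rows in a fixed order (for example sorted by attribute name) would keep reorder-only churn out of the diff and let a reviewer see real description changes.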
@@ -4744,13 +4754,13 @@ tor-node is a MISP object available in JSON format at
flags
document
text
list of flag associated with the node.
+Raw document from the consensus.
+
nickname
-text
router’s nickname.
--
published
datetime
document
version_line
text
Raw document from the consensus.
+versioning information reported by the node.
+
version_line
+last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
flags
text
versioning information reported by the node.
+list of flag associated with the node.
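Review bot: the tor-node descriptions touched here are inconsistent in style and wording. "list of flag associated with the node.", "versioning information reported by the node." and "router’s nickname." start in lower case while "Raw document from the consensus." does not, "list of flag" should be plural, and "the Tor node designed by the IP address" in the last-seen row probably means "designated". Suggest normalising these while the rows are being moved.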
@@ -4854,13 +4864,13 @@ tor-node is a MISP object available in JSON format at
last-seen
datetime
nickname
text
When the Tor node designed by the IP address has been seen for the last time.
+router’s nickname.
+
fragment
+domain
domain
Full domain
++
query_string
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+Query (after path, preceded by '?')
@@ -4922,56 +4942,6 @@ url is a MISP object available in JSON format at
resource_path
text
Path (between hostname:port and query)
--
domain_without_tld
text
Domain without Top-Level Domain
--
host
hostname
Full hostname
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
credential
text
Credential (username, password)
--
url
url
domain
domain
Full domain
--
subdomain
text
Subdomain
--
query_string
text
Query (after path, preceded by '?')
--
text
text
Description of the URL
--
tld
text
last-seen
datetime
subdomain
text
Last time this URL has been seen
+Subdomain
+
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
host
hostname
Full hostname
++
credential
text
Credential (username, password)
++
domain_without_tld
text
Domain without Top-Level Domain
++
last-seen
datetime
Last time this URL has been seen
++
text
text
Description of the URL
++
resource_path
text
Path (between hostname:port and query)
++
sectors
-text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
regions
text
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
--
description
text
Description of the victim
--
classification
text
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial\xadservices', 'government\xadnational', 'government\xadregional', 'government\xadlocal', 'government\xadpublic\xadservices', 'healthcare', 'hospitality\xadleisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non\xadprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
++
roles
text
description
text
Description of the victim
++
last-submission
+first-submission
datetime
Last Submission
+First Submission
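Review bot: the sectors value list in the victim rows prints a literal escape sequence inside the values, for example 'financial\xadservices', 'government\xadnational' and 'non\xadprofit'. \xad is a soft hyphen, so the list readers see does not match what they can type or match on. Replace it with a plain hyphen in the values and check that the rendered list shows 'financial-services' and the like.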
@@ -5208,26 +5218,6 @@ virustotal-report is a MISP object available in JSON format at
permalink
link
Permalink Reference
--
first-submission
datetime
First Submission
--
detection-ratio
text
last-submission
datetime
Last Submission
++
permalink
link
Permalink Reference
++
modified
-datetime
id
vulnerability
Last modification date
+Vulnerability ID (generally CVE, but not necessarely)
references
link
summary
text
External references
+Summary of the vulnerability
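Review bot: the added vulnerability id description reads "Vulnerability ID (generally CVE, but not necessarely)"; "necessarely" should be "necessarily". The same string appears again in the next vulnerability hunk, so fix it once at the source of the description.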
@@ -5306,6 +5316,16 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
++
vulnerable_configuration
text
summary
text
modified
datetime
Summary of the vulnerability
--
id
vulnerability
Vulnerability ID (generally CVE, but not necessarely)
+Last modification date
@@ -5424,6 +5434,16 @@ whois is a MISP object available in JSON format at
expiration-date
datetime
Expiration of the whois entry
++
creation-date
datetime
expiration-date
datetime
Expiration of the whois entry
--
issuer
+subject
text
Issuer of the certificate
--
serial-number
text
Serial number of the certificate
--
validity-not-after
datetime
Certificate invalid after that date
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-algorithm
text
Algorithm of the public key
+Subject of the certificate
@@ -5582,10 +5552,20 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
issuer
text
Exponent of the public key
+Issuer of the certificate
@@ -5602,20 +5582,50 @@ x509 is a MISP object available in JSON format at
subject
serial-number
text
Subject of the certificate
+Serial number of the certificate
text
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
validity-not-after
datetime
Certificate invalid after that date
++
pubkey-info-algorithm
text
Free text description of hte certificate
+Algorithm of the public key
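Review bot: the x509-fingerprint-sha256 and x509-fingerprint-md5 rows in this hunk describe the hash algorithm ("Secure Hash Algorithm 2 (256 bits)", "[Insecure] MD5 hash (128 bits)") instead of the attribute. State that the value is the fingerprint of the certificate computed with that algorithm, and keep the [Insecure] marker on the MD5 row so it stays clear that it is not suitable as the only identifier for a certificate.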
@@ -5632,6 +5642,26 @@ x509 is a MISP object available in JSON format at
pubkey-info-exponent
text
Exponent of the public key
++
text
text
Free text description of hte certificate
++
validity-not-before
datetime
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
version
+whitelist
comment
yabin.py and regex.txt version used for the generation of the yara rules.
+Whitelist name used to generate the rules.
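Review bot: the x509 text row in this hunk reads "Free text description of hte certificate"; "hte" should be "the". The same typo is visible in the previous x509 hunk, so it is being carried through the reorder unchanged.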
@@ -5730,10 +5740,10 @@ yabin is a MISP object available in JSON format at
whitelist
version
comment
Whitelist name used to generate the rules.
+yabin.py and regex.txt version used for the generation of the yara rules.