diff --git a/objects.html b/objects.html
index 14e9051..c97cbd9 100755
--- a/objects.html
+++ b/objects.html
@@ -572,16 +572,26 @@ ail-leak is a MISP object available in JSON format at original-date
last-seen
datetime
When the information available in the leak was created. It’s usually before the first-seen.
+When the leak has been accessible or seen for the last time.
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
first-seen
datetime
last-seen
original-date
datetime
When the leak has been accessible or seen for the last time.
+When the information available in the leak was created. It’s usually before the first-seen.
duplicate_number
counter
Number of known duplicates.
--
duplicate
sensor
text
Duplicate of the existing leaks.
+The AIL sensor uuid where the leak was processed and analysed.
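Review bot: every change in this hunk is a reordering; `first-seen`, `last-seen`, `original-date`, `type`, `duplicate` and `sensor` keep the same type and description and only move position (the `last-seen` and `original-date` descriptions swap lines, the `duplicate` description moves below `sensor`). Churn of this kind usually means the generator walks the template's attribute map in hash or insertion order; sorting attributes by name before rendering would make objects.html reproducible and keep later diffs limited to real template changes.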
@@ -642,16 +642,6 @@ ail-leak is a MISP object available in JSON format at
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
--
raw-data
attachment
type
duplicate
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
+Duplicate of the existing leaks.
++
duplicate_number
counter
Number of known duplicates.
@@ -768,16 +768,6 @@ annotation is a MISP object available in JSON format at
modification-date
datetime
Last update of the annotation
--
type
text
text
text
Raw text of the annotation
--
creation-date
datetime
Initial creation of the annotation
--
format
text
text
text
Raw text of the annotation
++
modification-date
datetime
Last update of the annotation
++
creation-date
datetime
Initial creation of the annotation
++
subnet-announced
-ip-src
last-seen
datetime
Subnet announced
+Last time the ASN was seen
+
import
mp-import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
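Review bot: the hunk is not applicable as posted: its header announces 16 old and 6 new lines of the annotation object, yet the body continues into `subnet-announced`, `import`, `mp-import` and `mp-export`, which the following header attributes to the asn object. At least one `@@` header between annotation and asn was lost when the rendered text was pasted; regenerate the patch with `git diff` and attach it as a file so it can be applied and checked line by line.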
@@ -906,36 +896,6 @@ asn is a MISP object available in JSON format at
description
text
Description of the autonomous system
--
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
last-seen
datetime
Last time the ASN was seen
--
asn
AS
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
subnet-announced
ip-src
Subnet announced
++
first-seen
datetime
description
text
Description of the autonomous system
++
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
software
+text
Name of antivirus software
++
signature
text
text
text
Free text value to attach to the file
--
datetime
datetime
software
text
text
Name of antivirus software
+Free text value to attach to the file
@@ -1082,66 +1082,26 @@ bank-account is a MISP object available in JSON format at
currency-code
comments
text
Currency of the account. ['USD', 'EUR']
+Comments about the bank account.
report-code
account-name
text
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
--
branch
text
Branch code or name
--
account
bank-account-nr
Account number
+A field to freely describe the bank account details.
client-_number
text
Client number as seen by the bank.
--
institution-code
text
Name of the bank or financial organisation.
--
status-code
text
balance
text
swift
bic
The balance of the account after the suspicious transaction was processed.
+SWIFT or BIC as defined in ISO 9362.
opened
datetime
text
text
When the account was opened.
+A description of the bank account.
++
branch
text
Branch code or name
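Review bot: `client-_number` (the attribute described as 'Client number as seen by the bank.') carries a stray underscore in its name, and this reorder preserves it. If that is a typo in the bank-account template, fix it in the template rather than in the generated HTML, and note the rename in the changelog, since existing objects reference attributes by that name.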
@@ -1202,6 +1172,46 @@ bank-account is a MISP object available in JSON format at
institution-code
text
Name of the bank or financial organisation.
++
currency-code
text
Currency of the account. ['USD', 'EUR']
++
closed
datetime
When the account was closed.
++
account
bank-account-nr
Account number
++
iban
iban
text
text
A description of the bank account.
--
account-name
text
A field to freely describe the bank account details.
--
swift
bic
SWIFT or BIC as defined in ISO 9362.
--
beneficiary-comment
text
comments
report-code
text
Comments about the bank account.
+Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']
++
balance
text
The balance of the account after the suspicious transaction was processed.
++
opened
datetime
When the account was opened.
@@ -1272,13 +1272,13 @@ bank-account is a MISP object available in JSON format at
closed
datetime
client-_number
text
When the account was closed.
+Client number as seen by the bank.
+
code
-text
The code denoting the special handling of the alert message.
--
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
--
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
--
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
--
sent
datetime
The time and date of the origination of the alert message.
--
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
--
note
text
identifier
text
sent
datetime
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
+The time and date of the origination of the alert message.
@@ -1410,10 +1350,40 @@ cap-alert is a MISP object available in JSON format at
incident
references
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
+The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
++
code
text
The code denoting the special handling of the alert message.
++
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
++
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
@@ -1430,10 +1400,30 @@ cap-alert is a MISP object available in JSON format at
references
identifier
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
+The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
++
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
++
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
status
text
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']
++
onset
-datetime
event
text
The expected time of the beginning of the subject event of the alert message.
+The text denoting the type of the subject event of the alert message.
++
urgency
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
++
language
text
The code denoting the language of the info sub-element of the alert message.
@@ -1508,26 +1528,6 @@ cap-info is a MISP object available in JSON format at
instruction
text
The text describing the recommended action to be taken by recipients of the alert message.
--
parameter
text
A system-specific additional parameter associated with the alert message.
--
effective
datetime
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
++
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
++
description
text
The text describing the subject event of the alert message.
++
senderName
text
event
text
expires
datetime
The text denoting the type of the subject event of the alert message.
+The expiry time of the information of the alert message.
urgency
parameter
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
--
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
--
language
text
The code denoting the language of the info sub-element of the alert message.
--
web
link
The identifier of the hyperlink associating additional information with the alert message.
--
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
--
responseType
text
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']
--
description
text
The text describing the subject event of the alert message.
+A system-specific additional parameter associated with the alert message.
@@ -1658,20 +1628,50 @@ cap-info is a MISP object available in JSON format at
contact
text
web
link
The text describing the contact for follow-up and confirmation of the alert message.
+The identifier of the hyperlink associating additional information with the alert message.
expires
onset
datetime
The expiry time of the information of the alert message.
+The expected time of the beginning of the subject event of the alert message.
++
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
++
instruction
text
The text describing the recommended action to be taken by recipients of the alert message.
++
contact
text
The text describing the contact for follow-up and confirmation of the alert message.
@@ -1726,30 +1726,10 @@ cap-resource is a MISP object available in JSON format at
digest
sha1
The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).
--
mimeType
mime-type
The identifier of the MIME content type and sub-type describing the resource file.
--
resourceDesc
size
text
The text describing the type and content of the resource file.
+The integer indicating the size of the resource file.
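Review bot: `size` is typed `text` while its description reads 'The integer indicating the size of the resource file'; the page already uses `size-in-bytes` for file and section sizes, and that type (or `counter`) would let MISP reject non-numeric values instead of accepting free text. The change belongs in the cap-resource template, since this HTML is generated from it.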
@@ -1766,15 +1746,35 @@ cap-resource is a MISP object available in JSON format at
size
resourceDesc
text
The integer indicating the size of the resource file.
+The text describing the type and content of the resource file.
mimeType
mime-type
The identifier of the MIME content type and sub-type describing the resource file.
++
digest
sha1
The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).
++
address
-btc
Address used as a payment destination in a cryptocurrency
--
symbol
text
address
btc
Address used as a payment destination in a cryptocurrency
++
text
text
origin
type
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
username
text
Username related to the password(s)
@@ -2010,10 +2030,10 @@ credential is a MISP object available in JSON format at
type
origin
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
@@ -2030,16 +2050,6 @@ credential is a MISP object available in JSON format at
username
text
Username related to the password(s)
--
notification
text
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
expiration
-datetime
Maximum date of validity
--
cc-number
cc-number
card-security-code
text
expiration
datetime
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
version
text
Version of the card.
+Maximum date of validity
@@ -2158,6 +2138,16 @@ credit-card is a MISP object available in JSON format at
version
text
Version of the card.
++
name
text
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
src-port
-port
last-seen
datetime
Port originating the attack
+End of the attack
++
total-bps
counter
Bits per second
ip-src
ip-src
domain-dst
domain
IP address originating the attack
+Destination domain (victim)
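Review bot: `card-security-code` (type `text`, 'Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.') has no documentation beyond that one line; a sentence saying that the security code is sensitive authentication data which PCI DSS forbids storing after authorization would help an analyst pick a distribution level before populating it. Not introduced by this reorder, but the template description is the right place to add it.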
@@ -2236,60 +2246,10 @@ ddos is a MISP object available in JSON format at
last-seen
datetime
ip-src
ip-src
End of the attack
--
text
text
Description of the DDoS
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
first-seen
datetime
Beginning of the attack
--
ip-dst
ip-dst
Destination IP (victim)
--
total-bps
counter
Bits per second
+IP address originating the attack
@@ -2306,10 +2266,50 @@ ddos is a MISP object available in JSON format at
domain-dst
domain
text
text
Destination domain (victim)
+Description of the DDoS
++
first-seen
datetime
Beginning of the attack
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-dst
ip-dst
Destination IP (victim)
++
src-port
port
Port originating the attack
@@ -2354,40 +2354,20 @@ diameter-attack is a MISP object available in JSON format at
SessionId
CmdCode
text
Session-ID.
+A decimal representation of the diameter Command Code.
+
ApplicationId
Origin-Host
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
Origin-Realm
text
Origin-Realm.
--
Destination-Realm
text
Destination-Realm.
+Origin-Host.
@@ -2404,16 +2384,6 @@ diameter-attack is a MISP object available in JSON format at
Destination-Host
text
Destination-Host.
--
first-seen
datetime
Username
text
Username (in this case, usually the IMSI).
--
category
text
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
++
Destination-Realm
text
Destination-Realm.
++
Origin-Realm
text
Origin-Realm.
++
SessionId
text
Session-ID.
++
IdrFlags
text
CmdCode
Destination-Host
text
A decimal representation of the diameter Command Code.
+Destination-Host.
+
Origin-Host
Username
text
Origin-Host.
+Username (in this case, usually the IMSI).
@@ -2512,16 +2512,6 @@ domain-ip is a MISP object available in JSON format at
ip
ip-dst
IP Address
--
first-seen
datetime
ip
ip-dst
IP Address
++
domain
domain
number-sections
counter
Number of sections
--
type
text
text
number-sections
counter
Number of sections
++
arch
text
Free text value to attach to the ELF
+Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
@@ -2640,20 +2640,20 @@ elf is a MISP object available in JSON format at
entrypoint-address
text
text
Address of the entry point
+Free text value to attach to the ELF
arch
entrypoint-address
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
+Address of the entry point
@@ -2698,6 +2698,36 @@ elf-section is a MISP object available in JSON format at
md5
md5
[Insecure] MD5 hash (128 bits)
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
sha512/224
sha512/224
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (224 bits)
+Size of the section, in bytes
++
entropy
float
Entropy of the whole section
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
sha512/256
sha512/256
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
sha384
-sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
entropy
float
Entropy of the whole section
--
name
text
flag
text
sha224
sha224
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
+Secure Hash Algorithm 2 (224 bits)
+
from-display-name
-email-src-display-name
from
email-src
Display name of the sender
--
screenshot
attachment
Screenshot of email
+Sender email address
@@ -2916,26 +2906,6 @@ email is a MISP object available in JSON format at
return-path
text
Message return path
--
send-date
datetime
Date the email has been sent
--
to
email-dst
return-path
text
Message return path
++
screenshot
attachment
Screenshot of email
++
reply-to
email-reply-to
message-id
email-message-id
cc
email-dst
Message ID
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
header
email-header
Full headers
+Carbon copy
@@ -3006,6 +2976,16 @@ email is a MISP object available in JSON format at
thread-index
email-thread-index
Identifies a particular conversation thread
++
mime-boundary
email-mime-boundary
to-display-name
email-dst-display-name
message-id
email-message-id
Display name of the receiver
+Message ID
@@ -3036,25 +3016,45 @@ email is a MISP object available in JSON format at
from
email-src
header
email-header
Sender email address
+Full headers
cc
email-dst
to-display-name
email-dst-display-name
Carbon copy
+Display name of the receiver
from-display-name
email-src-display-name
Display name of the sender
++
send-date
datetime
Date the email has been sent
++
md5
+md5
[Insecure] MD5 hash (128 bits)
++
certificate
x509-fingerprint-sha1
malware-sample
malware-sample
The file itself (binary)
++
authentihash
authentihash
Authenticode executable signature hash
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
sha512/224
sha512/224
tlsh
tlsh
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
mimetype
mime-type
Mime type
++
entropy
float
Entropy of the whole file
++
sha512/256
sha512/256
ssdeep
ssdeep
pattern-in-file
pattern-in-file
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
authentihash
authentihash
Authenticode executable signature hash
+Pattern that can be found in the file
@@ -3194,46 +3244,6 @@ file is a MISP object available in JSON format at
md5
md5
[Insecure] MD5 hash (128 bits)
--
state
text
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
sha512
sha512
malware-sample
malware-sample
ssdeep
ssdeep
The file itself (binary)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
entropy
float
sha224
sha224
Entropy of the whole file
--
pattern-in-file
pattern-in-file
Pattern that can be found in the file
+Secure Hash Algorithm 2 (224 bits)
mimetype
mime-type
state
text
Mime type
+State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
@@ -3332,23 +3332,43 @@ geolocation is a MISP object available in JSON format at
region
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
country
text
Region.
+Country.
first-seen
datetime
city
text
When the location was seen for the first time.
+City.
+
latitude
-float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
City.
--
text
text
country
text
first-seen
datetime
Country.
+When the location was seen for the first time.
+
last-seen
-datetime
When the location was seen for the last time.
--
altitude
float
region
text
Region.
++
GtpMessageType
-text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
--
GtpImei
text
GTP IMEI (International Mobile Equipment Identity).
--
GtpMsisdn
text
GTP MSISDN.
--
GtpVersion
text
GTP version ['0', '1', '2']
--
GtpImsi
text
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
--
ipDest
ip-dst
IP destination address.
--
PortDest
text
Destination port.
--
PortSrc
port
GtpServingNetwork
text
GTP Serving Network.
++
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
++
text
text
A description of the GTP attack.
++
first-seen
datetime
GtpMsisdn
text
GTP MSISDN.
++
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
++
GtpVersion
text
GTP version ['0', '1', '2']
++
ipSrc
ip-src
text
PortDest
text
A description of the GTP attack.
+Destination port.
GtpServingNetwork
text
ipDest
ip-dst
GTP Serving Network.
+IP destination address.
+
+
GtpImei
text
GTP IMEI (International Mobile Equipment Identity).
+
url
-url
Full HTTP Request URL
--
host
hostname
user-agent
user-agent
The user agent string of the user agent
--
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
--
basicauth-password
text
HTTP Basic Authentication Password
--
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
--
content-type
referer
other
The MIME type of the body of the request
--
basicauth-user
text
HTTP Basic Authentication Username
--
text
text
HTTP Request comment
--
uri
uri
Request URI
+This is the address of the previous web page from which a link to the currently requested page was followed
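Review bot: `PortDest` is typed `text` ('Destination port.') while `PortSrc` is typed `port`; both directions should use the `port` type so that correlation on port values works for destination as well as source. `ipDest`/`ipSrc` are already consistent (`ip-dst`/`ip-src`), so only `PortDest` needs the template change.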
@@ -3758,6 +3678,56 @@ http-request is a MISP object available in JSON format at
basicauth-password
text
HTTP Basic Authentication Password
++
uri
uri
Request URI
++
text
text
HTTP Request comment
++
user-agent
user-agent
The user agent string of the user agent
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
proxy-user
text
referer
content-type
other
This is the address of the previous web page from which a link to the currently requested page was followed
+The MIME type of the body of the request
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
url
url
Full HTTP Request URL
++
basicauth-user
text
HTTP Basic Authentication Username
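Review bot: `basicauth-password`, `basicauth-user` and `cookie` are documented only as 'HTTP Basic Authentication Password', 'HTTP Basic Authentication Username' and 'An HTTP cookie previously sent by the server with Set-Cookie'; since all three hold live credential or session material as plain `text`, the descriptions should say so and point the user at the object's distribution setting, so a captured request is not shared wider than intended.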
@@ -3816,36 +3816,16 @@ ip-port is a MISP object available in JSON format at
ip
ip-dst
IP Address
--
first-seen
last-seen
datetime
First time the tuple has been seen
+Last time the tuple has been seen
src-port
port
Source port
--
dst-port
port
first-seen
datetime
First time the tuple has been seen
++
ip
ip-dst
IP Address
++
src-port
port
Source port
++
domain
domain
last-seen
datetime
Last time the tuple has been seen
--
first-seen
-datetime
ja3-fingerprint-md5
md5
First seen of the SSL/TLS handshake
+Hash identifying source
+
ip-src
+ip-src
Source IP Address
++
description
text
ja3-fingerprint-md5
md5
first-seen
datetime
Hash identifying source
+First seen of the SSL/TLS handshake
-
ip-src
ip-src
Source IP Address
-+
registration-number
-text
Registration number of an entity in the relevant authority.
--
legal-form
text
Legal form of an entity.
--
business
text
Business area of an entity.
--
text
text
A description of the entity.
--
phone-number
phone-number
text
text
A description of the entity.
++
business
text
Business area of an entity.
++
legal-form
text
Legal form of an entity.
++
name
text
registration-number
text
Registration number of an entity in the relevant authority.
++
type
+text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
name
text
Binary’s name
++
number-sections
counter
name
text
Binary’s name
--
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
--
text
text
md5
md5
[Insecure] MD5 hash (128 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
sha512/224
sha512/224
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (224 bits)
+Size of the section, in bytes
+
+
entropy
float
Entropy of the whole section
+
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
entropy
float
ssdeep
ssdeep
Entropy of the whole section
+Fuzzy hash using context triggered piecewise hashes (CTPH)
+
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
url
-url
Original URL location of the microblog post
--
modification-date
datetime
Last update of the microblog post
--
username-quoted
text
link
url
removal-date
datetime
Link into the microblog post
+When the microblog post was removed
++
modification-date
datetime
Last update of the microblog post
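Review bot: This hunk (ip-port through microblog) only reorders existing attributes without changing any wording, e.g. `ip`, `first-seen`, `last-seen`, `src-port`, `dst-port` for ip-port and `ja3-fingerprint-md5`, `ip-src`, `description` for ja3, which shows the generator does not emit attributes in a stable order, so every regeneration produces churn like this. Suggest sorting attributes deterministically (alphabetically, or by their order in the object template) in the generator so that future diffs of objects.html show only real changes.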
@@ -4446,20 +4436,20 @@ microblog is a MISP object available in JSON format at
post
text
url
url
Raw post
+Original URL location of the microblog post
removal-date
datetime
link
url
When the microblog post was removed
+Link into the microblog post
post
text
Raw post
++
description
+name
text
Description
+name of the mutex
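Review bot: Description capitalization is inconsistent in the mutex entries: `name` is described as "name of the mutex" while the sibling `description` reads "Description". Suggest "Name of the mutex" to match the rest of the page.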
@@ -4534,10 +4534,10 @@ mutex is a MISP object available in JSON format at
name
description
text
name of the mutex
+Description
@@ -4582,23 +4582,83 @@ netflow is a MISP object available in JSON format at
tcp-flags
first-packet-seen
datetime
First packet seen in this flow
++
protocol
text
TCP flags of the flow
+Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
last-packet-seen
datetime
Last packet seen in this flow
++
ip-src
ip-src
IP address source of the netflow
++
dst-as
AS
Destination AS number for this flow
++
src-as
AS
Source AS number for this flow
++
direction
text
Direction of this flow ['Ingress', 'Egress']
ip_version
counter
src-port
port
IP version of this flow
+Source port of the netflow
+
protocol
-text
ip-dst
ip-dst
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+IP address destination of the netflow
src-port
port
Source port of the netflow
--
first-packet-seen
datetime
First packet seen in this flow
--
packet-count
counter
Packets counted in this flow
--
ip-src
ip-src
IP address source of the netflow
--
byte-count
counter
Bytes counted in this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
dst-port
port
last-packet-seen
datetime
Last packet seen in this flow
--
src-as
AS
Source AS number for this flow
--
ip-dst
ip-dst
IP address destination of the netflow
--
dst-as
AS
Destination AS number for this flow
--
direction
icmp-type
text
Direction of this flow ['Ingress', 'Egress']
+ICMP type of the flow (if the traffic is ICMP)
++
packet-count
counter
Packets counted in this flow
++
tcp-flags
text
TCP flags of the flow
++
byte-count
counter
Bytes counted in this flow
++
ip_version
counter
IP version of this flow
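Review bot: `ip_version` is the only netflow attribute in this hunk that uses an underscore; every other one (`ip-src`, `ip-dst`, `src-port`, `dst-port`, `byte-count`, `first-packet-seen`) is hyphenated. If the attribute name can still be changed without breaking existing data, `ip-version` would be consistent; otherwise the exception deserves a remark in the description so consumers do not mistype it.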
@@ -4790,6 +4790,56 @@ passive-dns is a MISP object available in JSON format at
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
++
rrtype
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
text
text
Description of the passive DNS record.
++
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
rdata
text
sensor_id
text
Sensor information where the record was seen
++
count
counter
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
--
time_last
time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
--
rrtype
text
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
+First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
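Review bot: The `time_first` and `time_last` descriptions drift apart in this hunk: `time_last` keeps "the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS" while the added `time_first` line drops "record". Suggest making the two lines parallel, and aligning the trailing full stop as well (`zone_time_last` ends with one, `zone_time_first` does not).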
@@ -4880,30 +4900,10 @@ passive-dns is a MISP object available in JSON format at
text
text
Description of the passive DNS record.
--
time_first
time_last
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
sensor_id
text
Sensor information where the record was seen
+Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -4948,13 +4948,13 @@ paste is a MISP object available in JSON format at
url
url
last-seen
datetime
Link to the original source of the paste or post.
+When the paste has been accessible or seen for the last time.
+
last-seen
-datetime
paste
text
When the paste has been accessible or seen for the last time.
+Raw text of the paste or post
+
paste
+title
text
Raw text of the paste or post
+Title of the paste or post.
title
text
url
url
Title of the paste or post.
+Link to the original source of the paste or post.
@@ -5046,66 +5046,6 @@ pe is a MISP object available in JSON format at
number-sections
counter
Number of sections
--
internal-filename
filename
InternalFilename in the resources
--
product-version
text
ProductVersion in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
imphash
imphash
Hash (md5) calculated from the import table
--
entrypoint-address
text
Address of the entry point
--
legal-copyright
text
lang-id
text
Lang ID in the resources
--
file-version
text
FileVersion in the resources
--
company-name
text
CompanyName in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
text
text
Free text value to attach to the PE
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
file-description
text
FileDescription in the resources
--
product-name
text
original-filename
number-sections
counter
Number of sections
++
entrypoint-address
text
Address of the entry point
++
text
text
Free text value to attach to the PE
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
internal-filename
filename
OriginalFilename in the resources
+InternalFilename in the resources
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
original-filename
filename
OriginalFilename in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
product-version
text
ProductVersion in the resources
++
company-name
text
CompanyName in the resources
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
file-version
text
FileVersion in the resources
++
file-description
text
FileDescription in the resources
++
lang-id
text
Lang ID in the resources
++
md5
+md5
[Insecure] MD5 hash (128 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
sha512/224
sha512/224
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (224 bits)
+Size of the section, in bytes
+
+
entropy
float
Entropy of the whole section
+
ssdeep
-ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
characteristic
text
entropy
float
Entropy of the whole section
--
name
text
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
passport-country
-passport-country
The country in which the passport was issued.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
last-name
last-name
Last name of a natural person.
--
first-name
first-name
social-security-number
text
Social security number
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
mothers-name
text
Mother name, father, second name or other names following country’s regulation.
--
date-of-birth
date-of-birth
passport-number
passport-number
alias
text
The passport number of a natural person.
+Alias name or known as.
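Review bot: `sha224` and `sha512/224` carry the identical description "Secure Hash Algorithm 2 (224 bits)" in the pe-section entries of this hunk, so a reader cannot tell them apart; SHA-512/224 is the SHA-512-based variant with its own initial values truncated to 224 bits and is not interchangeable with SHA-224. Suggest "SHA-512 truncated to 224 bits (SHA-512/224)" for the second one. The same pair appears in the Mach-O section entries of the earlier hunk.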
@@ -5552,20 +5482,20 @@ person is a MISP object available in JSON format at
text
text
passport-expiration
passport-expiration
A description of the person or identity.
+The expiration date of a passport.
place-of-birth
place-of-birth
text
text
Place of birth of a natural person.
+A description of the person or identity.
@@ -5582,16 +5512,6 @@ person is a MISP object available in JSON format at
middle-name
middle-name
Middle name of a natural person.
--
title
text
alias
mothers-name
text
Alias name or known as.
+Mother name, father, second name or other names following country’s regulation.
++
social-security-number
text
Social security number
++
place-of-birth
place-of-birth
Place of birth of a natural person.
++
last-name
last-name
Last name of a natural person.
++
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
middle-name
middle-name
Middle name of a natural person.
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
passport-country
passport-country
The country in which the passport was issued.
++
passport-number
passport-number
The passport number of a natural person.
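Review bot: The `mothers-name` description "Mother name, father, second name or other names following country’s regulation." is ungrammatical and does not match the attribute name; suggest "Mother's name, father's name, second name or other names, according to the country's regulations", or a more neutral attribute name if the field is meant to hold any additional name.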
@@ -5670,23 +5670,23 @@ phone is a MISP object available in JSON format at
msisdn
text
first-seen
datetime
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+When the phone has been accessible or seen for the first time.
+
imsi
text
last-seen
datetime
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+When the phone has been accessible or seen for the last time.
+
guti
+imsi
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
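Review bot: Typo in the `msisdn` description: "This abbreviation has a several interpretations" should read "has several interpretations"; the same text is repeated in the next phone hunk, so the fix belongs in the template source rather than only in the generated page.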
@@ -5730,23 +5730,23 @@ phone is a MISP object available in JSON format at
last-seen
datetime
msisdn
text
When the phone has been accessible or seen for the last time.
+MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+
first-seen
datetime
guti
text
When the phone has been accessible or seen for the first time.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+
create-thread
+counter
Amount of calls to CreateThread
++
not-referenced-strings
counter
referenced-strings
local-references
counter
Amount of referenced strings
+Amount of API calls inside a code section
gml
attachment
r2-commit-version
text
Graph export in G>raph Modelling Language format
--
total-functions
counter
Total amount of functions in the file.
--
total-api
counter
Total amount of API calls
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
+Radare2 commit ID used to generate this object
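Review bot: Stray character in the `gml` description: "Graph export in G>raph Modelling Language format" should read "Graph export in Graph Modelling Language (GML) format"; the same typo appears again in the last r2graphity hunk. Also, the `local-references` description "Amount of API calls inside a code section" does not match the attribute name; if it counts intra-section references rather than API calls, the description should say so, otherwise it reads as a duplicate of `total-api`.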
@@ -5858,6 +5838,36 @@ r2graphity is a MISP object available in JSON format at
callback-largest
counter
Largest callback
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
refsglobalvar
counter
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
get-proc-address
counter
callback-largest
referenced-strings
counter
Largest callback
+Amount of referenced strings
@@ -5908,16 +5928,6 @@ r2graphity is a MISP object available in JSON format at
r2-commit-version
text
Radare2 commit ID used to generate this object
--
dangling-strings
counter
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
local-references
total-functions
counter
Amount of API calls inside a code section
--
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
create-thread
counter
Amount of calls to CreateThread
+Total amount of functions in the file.
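Review bot: Typo and questionable wording in the `unknown-references` description: "Amount of API calls not ending in a function (Radare2 bug, probalby)" misspells "probably", and a speculation about a tool bug does not belong in a schema description. Suggest "Amount of API call references that could not be resolved to a function" and, if the cause is known, a link to the corresponding radare2 issue. The same line recurs in the next hunk.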
@@ -5988,10 +5968,20 @@ r2graphity is a MISP object available in JSON format at
ratio-functions
float
gml
attachment
Ratio: amount of functions per kilobyte of code section
+Graph export in G>raph Modelling Language format
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
total-api
counter
Total amount of API calls
++
regexp-type
+text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
regexp
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
data
-text
Data stored in the registry key
--
root-keys
text
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
key
regkey
Full key path
--
last-modified
datetime
data
text
Data stored in the registry key
++
key
regkey
Full key path
++
name
text
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
hive
text
subject
text
Subject of the RTIR ticket
--
classification
text
constituency
ticket-number
text
Constituency of the RTIR ticket
+ticket-number of the RTIR ticket
status
constituency
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
+Constituency of the RTIR ticket
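Review bot: The registry-key `data` description "Data stored in the registry key" is slightly off next to `data-type`, which correctly speaks of a "Registry value type": in the Windows registry the data belongs to a named value under the key (the `name` attribute), not to the key itself. Suggest "Data stored in the registry value" so that `name`, `data` and `data-type` read as one unit.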
@@ -6350,10 +6340,20 @@ rtir is a MISP object available in JSON format at
ticket-number
subject
text
ticket-number of the RTIR ticket
+Subject of the RTIR ticket
++
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
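Review bot: Capitalization of the `ticket-number` description, "ticket-number of the RTIR ticket", does not match the sibling entries ("Subject of the RTIR ticket", "Status of the RTIR ticket"); suggest "Ticket number of the RTIR ticket".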
@@ -6398,26 +6398,6 @@ sandbox-report is a MISP object available in JSON format at
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
--
results
text
Freetext result values
--
web-sandbox
text
saas-sandbox
text
A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
--
raw-report
text
Raw report from sandbox
--
score
text
results
text
Freetext result values
++
raw-report
text
Raw report from sandbox
++
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
++
permalink
link
on-premise-sandbox
saas-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
+A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
++
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
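Review bot: The `saas-sandbox` description "A non-on-premise sandbox, also results are not publicly available" is hard to parse; suggest "A SaaS sandbox whose results are not publicly available", which also makes the contrast with `on-premise-sandbox` explicit.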
@@ -6516,6 +6516,16 @@ sb-signature is a MISP object available in JSON format at
software
text
Name of Sandbox software
++
signature
text
text
text
Additional signature description
--
datetime
datetime
software
text
text
Name of Sandbox software
+Additional signature description
@@ -6594,70 +6594,10 @@ ss7-attack is a MISP object available in JSON format at
SccpCdPC
MapVlrGT
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
MapUssdCoding
text
MAP USSD Content.
--
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
--
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
--
MapGsmscfGT
text
MAP GSMSCF GT. Phone number.
+MAP VLR GT. Phone number.
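Review bot: The `MapUssdCoding` description in this hunk is "MAP USSD Content.", identical to the description given to `MapUssdContent` in the next hunk, which looks like a copy-paste slip; the coding attribute should describe the USSD data coding scheme (e.g. "MAP USSD data coding scheme") so the two fields are distinguishable. In the same object, "MAP IMSI. Phone number starting with MCC/MNC." is inaccurate: the IMSI is a subscriber identity (MCC, MNC, MSIN), not a phone number; "Subscriber identity starting with MCC/MNC" would be correct.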
@@ -6674,6 +6614,16 @@ ss7-attack is a MISP object available in JSON format at
text
text
A description of the attack seen via SS7 logging.
++
SccpCgGT
text
MapUssdContent
first-seen
datetime
When the attack has been seen for the first time.
++
SccpCgPC
text
MAP USSD Content.
+Signaling Connection Control Part (SCCP) CgPC - Phone number.
MapMsisdn
text
MAP MSISDN. Phone number.
++
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
++
MapSmsTP-DCS
text
MAP SMS TP-DCS.
++
MapSmsTypeNumber
text
MapImsi
text
MAP IMSI. Phone number starting with MCC/MNC.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
++
MapMscGT
text
MAP MSC GT. Phone number.
++
MapUssdCoding
text
MAP USSD Content.
++
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
++
MapApplicationContext
text
MAP application context in OID format.
++
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
++
MapVersion
text
MapSmsTP-DCS
SccpCdPC
text
MAP SMS TP-DCS.
--
text
text
A description of the attack seen via SS7 logging.
--
MapMscGT
text
MAP MSC GT. Phone number.
+Signaling Connection Control Part (SCCP) CdPC - Phone number.
MapApplicationContext
MapUssdContent
text
MAP application context in OID format.
--
SccpCdGT
text
Signaling Connection Control Part (SCCP) CdGT - Phone number.
+MAP USSD Content.
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
--
first-seen
datetime
When the attack has been seen for the first time.
--
SccpCdSSN
text
MapImsi
MapGsmscfGT
text
MAP IMSI. Phone number starting with MCC/MNC.
+MAP GSMSCF GT. Phone number.
MapVlrGT
SccpCdGT
text
MAP VLR GT. Phone number.
+Signaling Connection Control Part (SCCP) CdGT - Phone number.
MapMsisdn
SccpCgSSN
text
MAP MSISDN. Phone number.
--
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
+Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
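Review bot: `SccpCgSSN` is described only as "Signaling Connection Control Part (SCCP) - Decimal value between 0-255." without naming the field; suggest "SCCP calling party subsystem number (CgSSN) - decimal value between 0 and 255" so it can be told apart from `SccpCdSSN`. Likewise the `Category` values ('Cat0', 'Cat1', 'Cat2.1', ..., 'CatSMS', 'CatSpoofing') are opaque without a pointer to the classification they are taken from; a reference in the description would help analysts map them.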
@@ -6892,20 +6892,20 @@ stix2-pattern is a MISP object available in JSON format at
comment
comment
stix2-pattern
stix2-pattern
A description of the stix2-pattern.
+STIX 2 pattern
stix2-pattern
stix2-pattern
comment
comment
STIX 2 pattern
+A description of the stix2-pattern.
@@ -6950,40 +6950,20 @@ tor-node is a MISP object available in JSON format at
flags
text
text
list of flag associated with the node.
--
document
text
Raw document from the consensus.
+Tor node comment.
nickname
version
text
router’s nickname.
--
fingerprint
text
router’s fingerprint.
+parsed version of tor, this is None if the relay’s using a new versioning scheme.
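Review bot: The `version` description "parsed version of tor, this is None if the relay’s using a new versioning scheme." leaks a Python literal (`None`) into user-facing documentation; suggest "Parsed Tor version; empty if the relay uses a versioning scheme that could not be parsed." The tor-node descriptions in this hunk are also the only lowercase ones on the page ("list of flag associated with the node.", "router’s nickname."), and "flag" should be "flags".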
@@ -7000,10 +6980,40 @@ tor-node is a MISP object available in JSON format at
published
flags
text
list of flag associated with the node.
++
nickname
text
router’s nickname.
++
last-seen
datetime
router’s publication time. This can be different from first-seen and last-seen.
+When the Tor node designed by the IP address has been seen for the last time.
++
document
text
Raw document from the consensus.
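Review bot: "When the Tor node designed by the IP address has been seen for the last time." in the `last-seen` description should read "designated by" (or "identified by"); the same wording recurs in the next tor-node hunk.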
@@ -7020,16 +7030,6 @@ tor-node is a MISP object available in JSON format at
text
text
Tor node comment.
--
description
text
last-seen
published
datetime
When the Tor node designed by the IP address has been seen for the last time.
+router’s publication time. This can be different from first-seen and last-seen.
version
fingerprint
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
+router’s fingerprint.
@@ -7108,66 +7108,6 @@ transaction is a MISP object available in JSON format at
authorized
text
Person who autorized the transaction.
--
teller
text
Person who conducted the transaction.
--
date-posting
datetime
Date of posting, if different from date of transaction.
--
text
text
A description of the transaction.
--
location
text
Location where the transaction took place.
--
amount
text
The value of the transaction in local currency.
--
transmode-code
text
transaction-number
from-country
text
A unique number identifying a transaction.
+Origin country of a transaction.
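Review bot: Typo in the `authorized` description: "Person who autorized the transaction." should be "authorized"; the same line is repeated in the next transaction hunk, so the fix needs to go into the template source.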
@@ -7198,6 +7138,96 @@ transaction is a MISP object available in JSON format at
teller
text
Person who conducted the transaction.
++
text
text
A description of the transaction.
++
from-funds-code
text
Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
amount
text
The value of the transaction in local currency.
++
location
text
Location where the transaction took place.
++
transaction-number
text
A unique number identifying a transaction.
++
to-country
text
Target country of a transaction.
++
to-funds-code
text
Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
authorized
text
Person who autorized the transaction.
++
date
datetime
date-posting
datetime
Date of posting, if different from date of transaction.
++
url
-url
last-seen
datetime
Full URL
+Last time this URL has been seen
+
subdomain
-text
Subdomain
--
tld
text
Top-Level Domain
--
credential
text
Credential (username, password)
--
resource_path
text
Path (between hostname:port and query)
--
scheme
text
port
port
text
text
Port number
+Description of the URL
+
tld
+text
Top-Level Domain
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
port
port
Port number
++
subdomain
text
Subdomain
++
resource_path
text
Path (between hostname:port and query)
++
credential
text
Credential (username, password)
++
domain_without_tld
text
fragment
text
url
url
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+Full URL
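Review bot: The url `credential` attribute ("Credential (username, password)") holds the cleartext userinfo part of a URL, i.e. a secret, as a plain text value; the description should say so, state the expected format (e.g. "username:password as found in the URL userinfo"), and remind users to restrict the distribution of objects that carry it.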
@@ -7366,16 +7426,6 @@ url is a MISP object available in JSON format at
text
text
Description of the URL
--
query_string
text
last-seen
datetime
Last time this URL has been seen
--
user
-target-user
The username(s) of the user targeted.
--
classification
text
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
ip-address
ip-dst
IP address(es) of the node targeted.
--
description
text
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
user
target-user
The username(s) of the user targeted.
++
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
target-email
external
target-external
External target organisations affected by this attack.
++
name
target-org
external
target-external
ip-address
ip-dst
External target organisations affected by this attack.
+IP address(es) of the node targeted.
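Review bot: Grammar in the victim `sectors` description: "The list of sectors that the victim belong to" should read "belongs to"; the line appears twice in this hunk (removed and re-added), so both copies need the fix.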
@@ -7582,30 +7622,20 @@ virustotal-report is a MISP object available in JSON format at
detection-ratio
text
Detection Ratio
--
first-submission
last-submission
datetime
First Submission
+Last Submission
last-submission
datetime
permalink
link
Last Submission
+Permalink Reference
@@ -7622,10 +7652,20 @@ virustotal-report is a MISP object available in JSON format at
permalink
link
detection-ratio
text
Permalink Reference
+Detection Ratio
++
first-submission
datetime
First Submission
@@ -7670,26 +7710,26 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
--
created
published
datetime
First time when the vulnerability was discovered
+Initial publication date
summary
text
Summary of the vulnerability
++
state
text
published
datetime
references
link
Initial publication date
+External references
+
id
-vulnerability
created
datetime
Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
+First time when the vulnerability was discovered
+
summary
-text
id
vulnerability
Summary of the vulnerability
+Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
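Review bot: Several typos in the vulnerability `id` description: "necessarely" should be "necessarily", "has an UUID" should be "has a UUID", and "the CVE id can updated later" is missing "be". The line appears twice in this hunk (removed and re-added), so the fix has to land in the template source, not only in the generated page.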
@@ -7798,26 +7838,6 @@ whois is a MISP object available in JSON format at
modification-date
datetime
Last update of the whois entry
--
nameserver
hostname
Nameserver
--
registrar
whois-registrar
registrant-name
whois-registrant-name
Registrant name
--
expiration-date
datetime
Expiration of the whois entry
--
registrant-phone
whois-registrant-phone
registrant-email
whois-registrant-email
modification-date
datetime
Registrant email address
+Last update of the whois entry
+
domain
domain
registrant-name
whois-registrant-name
Domain of the whois entry
+Registrant name
expiration-date
datetime
Expiration of the whois entry
++
registrant-email
whois-registrant-email
Registrant email address
++
domain
domain
Domain of the whois entry
++
nameserver
hostname
Nameserver
++
x509-fingerprint-md5
-x509-fingerprint-md5
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] MD5 hash (128 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -7966,80 +8006,10 @@ x509 is a MISP object available in JSON format at
serial-number
raw-base64
text
Serial number of the certificate
--
validity-not-after
datetime
Certificate invalid after that date
--
issuer
text
Issuer of the certificate
--
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
pubkey-info-modulus
text
Modulus of the public key
--
validity-not-before
datetime
Certificate invalid before that date
--
subject
text
Subject of the certificate
--
pubkey-info-exponent
text
Exponent of the public key
+Raw certificate base64 encoded
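Review bot: The x509 `raw-base64` description "Raw certificate base64 encoded" does not say what is encoded; suggest stating that the value is the base64 of the DER-encoded certificate (i.e. the PEM body without the BEGIN/END lines) so consumers know how to decode it.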
@@ -8056,10 +8026,10 @@ x509 is a MISP object available in JSON format at
pubkey-info-size
serial-number
text
Length of the public key (in bits)
+Serial number of the certificate
@@ -8076,6 +8046,36 @@ x509 is a MISP object available in JSON format at
validity-not-after
datetime
Certificate invalid after that date
++
validity-not-before
datetime
Certificate invalid before that date
++
pubkey-info-modulus
text
Modulus of the public key
++
x509-fingerprint-sha256
x509-fingerprint-sha256
raw-base64
pubkey-info-exponent
text
Raw certificate base64 encoded
+Exponent of the public key
++
issuer
text
Issuer of the certificate
++
subject
text
Subject of the certificate
++
pubkey-info-size
text
Length of the public key (in bits)
++
x509-fingerprint-md5
x509-fingerprint-md5
[Insecure] MD5 hash (128 bits)
@@ -8134,6 +8174,16 @@ yabin is a MISP object available in JSON format at
yara
yara
Yara rule generated from -y.
++
whitelist
comment
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
yara-hunt
yara
yara
yara
version
comment
Yara rule generated from -y.
+yabin.py and regex.txt version used for the generation of the yara rules.
+
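Review bot: "Yara rule generated from -y." for the yabin `yara` attribute refers to a command-line flag without naming the tool; since the `version` description already names yabin.py, suggest "Yara rule generated by yabin.py with -y." so the two entries read consistently. Also worth checking that `whitelist` (type `comment`) has a description in the template, as none is visible next to it in this hunk.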