From ada8abf8bbc65fa19f1da676a902ffb8ec829394 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Tue, 1 May 2018 20:01:53 +0200
Subject: [PATCH] Object template updated
---
objects.html | 5754 +-
objects.pdf | 233653 ++++++++++++++++++++++++------------------------
2 files changed, 119913 insertions(+), 119494 deletions(-)
diff --git a/objects.html b/objects.html
index e58dc10..e2d3fc1 100755
--- a/objects.html
+++ b/objects.html
@@ -580,30 +580,40 @@ ail-leak is a MISP object available in JSON format at sensor
origin
text
The AIL sensor uuid where the leak was processed and analysed.
+The link where the leak is (or was) accessible at first-seen.
first-seen
original-date
datetime
When the leak has been accessible or seen for the first time.
+When the information available in the leak was created. It’s usually before the first-seen.
origin
duplicate_number
counter
Number of known duplicates.
++
sensor
text
The link where the leak is (or was) accessible at first-seen.
+The AIL sensor uuid where the leak was processed and analysed.
@@ -640,13 +650,23 @@ ail-leak is a MISP object available in JSON format at
duplicate_number
counter
last-seen
datetime
Number of known duplicates.
+When the leak has been accessible or seen for the last time.
+
+
first-seen
datetime
When the leak has been accessible or seen for the first time.
+
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
comment
-comment
permission
text
Comment about the set of android permission(s)
+Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
permission
text
comment
comment
Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']
+Comment about the set of android permission(s)
@@ -776,13 +776,13 @@ annotation is a MISP object available in JSON format at
format
text
modification-date
datetime
Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']
+Last update of the annotation
+
format
+text
Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']
++
ref
link
text
text
Raw text of the annotation
--
modification-date
datetime
Last update of the annotation
--
type
text
text
text
Raw text of the annotation
++
mp-export
-text
asn
AS
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+Autonomous System Number
asn
AS
import
text
Autonomous System Number
+The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -904,26 +904,6 @@ asn is a MISP object available in JSON format at
description
text
Description of the autonomous system
--
first-seen
datetime
First time the ASN was seen
--
subnet-announced
ip-src
import
mp-export
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
country
text
Country code of the main location of the autonomous system
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
description
text
Description of the autonomous system
++
first-seen
datetime
First time the ASN was seen
++
country
text
Country code of the main location of the autonomous system
++
datetime
-datetime
Datetime
--
software
text
datetime
datetime
Datetime
++
non-banking-institution
-boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
--
institution-code
text
Institution code of the bank.
--
balance
text
The balance of the account after the suspicious transaction was processed.
--
text
text
A description of the bank account.
--
date-balance
datetime
When the balance was reported.
--
iban
iban
IBAN of the bank account.
--
swift
bic
SWIFT or BIC as defined in ISO 9362.
--
institution-name
text
account-name
text
A field to freely describe the bank account details.
--
opened
datetime
When the account was opened.
--
closed
datetime
When the account was closed.
--
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
--
beneficiary
text
Final beneficiary of the bank account.
--
account
bank-account-nr
Account number
--
aba-rtn
aba-rtn
ABA routing transit number
--
branch
text
Branch code or name
--
beneficiary-comment
text
swift
bic
SWIFT or BIC as defined in ISO 9362.
++
institution-code
text
Institution code of the bank.
++
iban
iban
IBAN of the bank account.
++
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
++
client-number
text
aba-rtn
aba-rtn
ABA routing transit number
++
comments
text
date-balance
datetime
When the balance was reported.
++
account-name
text
A field to freely describe the bank account details.
++
currency-code
text
personal-account-type
non-banking-institution
boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
++
branch
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
+Branch code or name
++
opened
datetime
When the account was opened.
++
text
text
A description of the bank account.
++
balance
text
The balance of the account after the suspicious transaction was processed.
++
closed
datetime
When the account was closed.
account
bank-account-nr
Account number
++
beneficiary
text
Final beneficiary of the bank account.
++
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
++
identifier
-text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
--
note
text
references
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
--
incident
text
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
--
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
--
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
--
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
--
restriction
text
The text describing the rule for limiting distribution of the restricted alert message.
--
status
text
code
incident
text
The code denoting the special handling of the alert message.
--
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
+The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.
@@ -1468,6 +1388,16 @@ cap-alert is a MISP object available in JSON format at
identifier
text
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.
++
addresses
text
scope
text
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']
++
references
text
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.
++
source
text
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.
++
msgType
text
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']
++
restriction
text
The text describing the rule for limiting distribution of the restricted alert message.
++
code
text
The code denoting the special handling of the alert message.
++
sender
text
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.
++
instruction
-text
The text describing the recommended action to be taken by recipients of the alert message.
--
audience
text
The text describing the intended audience of the alert message.
--
urgency
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
--
severity
text
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
--
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
--
contact
text
The text describing the contact for follow-up and confirmation of the alert message.
--
headline
text
The text headline of the alert message.
--
parameter
text
A system-specific additional parameter associated with the alert message.
--
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
--
web
link
The identifier of the hyperlink associating additional information with the alert message.
--
senderName
text
description
text
The text describing the subject event of the alert message.
++
eventCode
text
event
text
The text denoting the type of the subject event of the alert message.
--
expires
datetime
The expiry time of the information of the alert message.
--
responseType
text
onset
datetime
The expected time of the beginning of the subject event of the alert message.
--
effective
datetime
The effective time of the information of the alert message.
--
language
text
description
web
link
The identifier of the hyperlink associating additional information with the alert message.
++
severity
text
The text describing the subject event of the alert message.
+The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']
++
category
text
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']
++
event
text
The text denoting the type of the subject event of the alert message.
++
certainty
text
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']
++
audience
text
The text describing the intended audience of the alert message.
++
instruction
text
The text describing the recommended action to be taken by recipients of the alert message.
++
urgency
text
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']
++
expires
datetime
The expiry time of the information of the alert message.
++
effective
datetime
The effective time of the information of the alert message.
++
parameter
text
A system-specific additional parameter associated with the alert message.
++
onset
datetime
The expected time of the beginning of the subject event of the alert message.
++
headline
text
The text headline of the alert message.
++
contact
text
The text describing the contact for follow-up and confirmation of the alert message.
@@ -1744,10 +1744,20 @@ cap-resource is a MISP object available in JSON format at
resourceDesc
text
uri
link
The text describing the type and content of the resource file.
+The identifier of the hyperlink for the resource file.
++
derefUri
attachment
The base-64 encoded data content of the resource file.
@@ -1774,10 +1784,10 @@ cap-resource is a MISP object available in JSON format at
derefUri
attachment
resourceDesc
text
The base-64 encoded data content of the resource file.
+The text describing the type and content of the resource file.
uri
link
The identifier of the hyperlink for the resource file.
--
symbol
+text
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
+Free text value
@@ -1862,10 +1862,10 @@ coin-address is a MISP object available in JSON format at
text
text
last-seen
datetime
Free text value
+Last time this payment destination address has been seen
@@ -1882,10 +1882,10 @@ coin-address is a MISP object available in JSON format at
last-seen
datetime
symbol
text
Last time this payment destination address has been seen
+The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
@@ -1930,10 +1930,10 @@ cookie is a MISP object available in JSON format at
cookie-name
cookie-value
text
Name of the cookie (if splitted)
+Value of the cookie (if splitted)
@@ -1950,16 +1950,6 @@ cookie is a MISP object available in JSON format at
cookie-value
text
Value of the cookie (if splitted)
--
text
text
cookie-name
text
Name of the cookie (if splitted)
++
efficacy
-text
The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
--
objective
text
The objective of the course of action.
--
cost
text
stage
text
The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response']
++
name
text
The name used to identify the course of action.
++
efficacy
text
The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']
++
type
text
name
text
The name used to identify the course of action.
--
stage
text
The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response']
--
description
text
objective
text
The objective of the course of action.
++
sensor
+input
text
Cowrie sensor name
+Input of the session
+
isError
+sensor
text
isError
+Cowrie sensor name
dst_ip
ip-dst
isError
text
Destination IP address of the session
+isError
@@ -2196,16 +2196,6 @@ cowrie is a MISP object available in JSON format at
compCS
text
SSH compression algorithm supported in the session
--
message
text
keyAlgs
src_ip
ip-src
Source IP address of the session
++
eventid
text
SSH public-key algorithm supported in the session
+Eventid of the session in the cowrie honeypot
encCS
text
dst_ip
ip-dst
SSH symmetric encryption algorithm supported in the session
+Destination IP address of the session
@@ -2246,50 +2246,10 @@ cowrie is a MISP object available in JSON format at
protocol
encCS
text
Protocol used in the cowrie honeypot
--
timestamp
datetime
When the event happened
--
input
text
Input of the session
--
src_ip
ip-src
Source IP address of the session
--
system
text
System origin in cowrie honeypot
+SSH symmetric encryption algorithm supported in the session
@@ -2306,10 +2266,10 @@ cowrie is a MISP object available in JSON format at
eventid
keyAlgs
text
Eventid of the session in the cowrie honeypot
+SSH public-key algorithm supported in the session
system
text
System origin in cowrie honeypot
++
compCS
text
SSH compression algorithm supported in the session
++
timestamp
datetime
When the event happened
++
protocol
text
Protocol used in the cowrie honeypot
++
notification
-text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
--
username
text
origin
format
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
++
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
@@ -2424,10 +2424,10 @@ credential is a MISP object available in JSON format at
format
origin
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
@@ -2472,26 +2472,6 @@ credit-card is a MISP object available in JSON format at
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
version
text
Version of the card.
--
expiration
datetime
cc-number
cc-number
credit-card number as encoded on the card.
--
name
text
Name of the card owner.
--
issued
datetime
name
text
Name of the card owner.
++
comment
comment
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
cc-number
cc-number
credit-card number as encoded on the card.
++
version
text
Version of the card.
++
first-seen
-datetime
ip-dst
ip-dst
Beginning of the attack
--
dst-port
port
Destination port of the attack
+Destination IP (victim)
@@ -2610,40 +2600,10 @@ ddos is a MISP object available in JSON format at
src-port
port
ip-src
ip-src
Port originating the attack
--
total-bps
counter
Bits per second
--
text
text
Description of the DDoS
--
domain-dst
domain
Destination domain (victim)
+IP address originating the attack
@@ -2660,20 +2620,20 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
dst-port
port
Destination IP (victim)
+Destination port of the attack
ip-src
ip-src
total-bps
counter
IP address originating the attack
+Bits per second
domain-dst
domain
Destination domain (victim)
++
text
text
Description of the DDoS
++
first-seen
datetime
Beginning of the attack
++
src-port
port
Port originating the attack
++
ApplicationId
-text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
SessionId
text
CmdCode
Destination-Realm
text
A decimal representation of the diameter Command Code.
--
text
text
A description of the attack seen.
--
Origin-Host
text
Origin-Host.
--
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
--
first-seen
datetime
When the attack has been seen for the first time.
--
Destination-Host
text
Destination-Host.
--
Origin-Realm
text
Origin-Realm.
--
Username
text
Username (in this case, usually the IMSI).
+Destination-Realm.
@@ -2838,10 +2758,90 @@ diameter-attack is a MISP object available in JSON format at
Destination-Realm
category
text
Destination-Realm.
+Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
++
text
text
A description of the attack seen.
++
first-seen
datetime
When the attack has been seen for the first time.
++
Origin-Host
text
Origin-Host.
++
Destination-Host
text
Destination-Host.
++
CmdCode
text
A decimal representation of the diameter Command Code.
++
Username
text
Username (in this case, usually the IMSI).
++
Origin-Realm
text
Origin-Realm.
++
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
@@ -2886,16 +2886,6 @@ domain-ip is a MISP object available in JSON format at
domain
domain
Domain name
--
ip
ip-dst
first-seen
last-seen
datetime
First time the tuple has been seen
+Last time the tuple has been seen
@@ -2926,10 +2916,20 @@ domain-ip is a MISP object available in JSON format at
last-seen
domain
domain
Domain name
++
first-seen
datetime
Last time the tuple has been seen
+First time the tuple has been seen
@@ -2974,26 +2974,16 @@ elf is a MISP object available in JSON format at
number-sections
counter
os_abi
text
Number of sections
+Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
text
text
entrypoint-address
text
Address of the entry point
--
arch
text
os_abi
type
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
+Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
entrypoint-address
text
Address of the entry point
++
number-sections
counter
Number of sections
@@ -3072,26 +3072,6 @@ elf-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
md5
md5
[Insecure] MD5 hash (128 bits)
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
name
text
Name of the section
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
text
text
Free text value to attach to the section
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
entropy
float
name
text
Name of the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
text
text
Free text value to attach to the section
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha224
sha224
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
eml
-attachment
from
email-src
Full EML
+Sender email address
thread-index
email-thread-index
to-display-name
email-dst-display-name
Identifies a particular conversation thread
+Display name of the receiver
message-id
email-message-id
from-display-name
email-src-display-name
Message ID
--
return-path
text
Message return path
+Display name of the sender
@@ -3310,6 +3300,66 @@ email is a MISP object available in JSON format at
return-path
text
Message return path
++
send-date
datetime
Date the email has been sent
++
to
email-dst
Destination email address
++
header
email-header
Full headers
++
message-id
email-message-id
Message ID
++
attachment
email-attachment
Attachment
++
screenshot
attachment
eml
attachment
Full EML
++
cc
email-dst
Carbon copy
++
reply-to
email-reply-to
to-display-name
email-dst-display-name
x-mailer
email-x-mailer
Display name of the receiver
--
send-date
datetime
Date the email has been sent
--
header
email-header
Full headers
+X-Mailer generally tells the program that was used to draft and send the original email
@@ -3380,60 +3430,10 @@ email is a MISP object available in JSON format at
to
email-dst
thread-index
email-thread-index
Destination email address
--
from-display-name
email-src-display-name
Display name of the sender
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
attachment
email-attachment
Attachment
--
from
email-src
Sender email address
--
cc
email-dst
Carbon copy
+Identifies a particular conversation thread
@@ -3478,46 +3478,6 @@ fail2ban is a MISP object available in JSON format at
sensor
text
Identifier of the sensor
--
victim
text
Identifier of the victim
--
banned-ip
ip-src
IP Address banned by fail2ban
--
processing-timestamp
datetime
Timestamp of the report
--
attack-type
text
failures
counter
Amount of failures that lead to the ban.
++
logfile
attachment
logline
sensor
text
Example log line that caused the ban.
+Identifier of the sensor
failures
counter
processing-timestamp
datetime
Amount of failures that lead to the ban.
+Timestamp of the report
++
banned-ip
ip-src
IP Address banned by fail2ban
++
victim
text
Identifier of the victim
++
logline
text
Example log line that caused the ban.
@@ -3596,46 +3596,6 @@ file is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
malware-sample
malware-sample
The file itself (binary)
--
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/224
sha512/224
md5
md5
entropy
float
[Insecure] MD5 hash (128 bits)
+Entropy of the whole file
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
pattern-in-file
pattern-in-file
sha256
sha256
Pattern that can be found in the file
+Secure Hash Algorithm 2 (256 bits)
@@ -3676,20 +3646,20 @@ file is a MISP object available in JSON format at
ssdeep
ssdeep
sha512/256
sha512/256
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (256 bits)
sha256
sha256
sha384
sha384
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (384 bits)
@@ -3716,6 +3686,46 @@ file is a MISP object available in JSON format at
authentihash
authentihash
Authenticode executable signature hash
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
mimetype
mime-type
sha224
sha224
malware-sample
malware-sample
Secure Hash Algorithm 2 (224 bits)
+The file itself (binary)
@@ -3746,13 +3756,13 @@ file is a MISP object available in JSON format at
sha512
sha512
path
text
Secure Hash Algorithm 2 (512 bits)
+Path of the filename complete or partial
+
entropy
-float
pattern-in-file
pattern-in-file
Entropy of the whole file
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Pattern that can be found in the file
authentihash
authentihash
ssdeep
ssdeep
Authenticode executable signature hash
+Fuzzy hash using context triggered piecewise hashes (CTPH)
path
text
md5
md5
Path of the filename complete or partial
+[Insecure] MD5 hash (128 bits)
+
zipcode
-text
Zip Code.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
address
text
Address.
--
first-seen
datetime
When the location was seen for the first time.
--
text
text
A generic description of the location.
--
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
--
city
text
City.
--
country
text
region
text
Region.
--
latitude
float
address
text
Address.
++
zipcode
text
Zip Code.
++
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
region
text
Region.
++
last-seen
datetime
text
text
A generic description of the location.
++
first-seen
datetime
When the location was seen for the first time.
++
city
text
City.
++
ipSrc
-ip-src
GtpInterface
text
IP source address.
+GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
+
first-seen
-datetime
PortSrc
port
When the attack has been seen for the first time.
+Source port.
++
GtpServingNetwork
text
GTP Serving Network.
@@ -4032,36 +4042,6 @@ gtp-attack is a MISP object available in JSON format at
PortSrc
port
Source port.
--
GtpVersion
text
GTP version ['0', '1', '2']
--
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
--
GtpMsisdn
text
GtpServingNetwork
text
first-seen
datetime
GTP Serving Network.
--
GtpInterface
text
GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
+When the attack has been seen for the first time.
@@ -4102,10 +4072,20 @@ gtp-attack is a MISP object available in JSON format at
ipDest
ip-dst
GtpVersion
text
IP destination address.
+GTP version ['0', '1', '2']
++
ipSrc
ip-src
IP source address.
GtpMessageType
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
++
ipDest
ip-dst
IP destination address.
++
url
-url
basicauth-password
text
Full HTTP Request URL
+HTTP Basic Authentication Password
basicauth-user
text
method
http-method
HTTP Basic Authentication Username
--
text
text
HTTP Request comment
+HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
proxy-user
text
url
url
HTTP Proxy Username
--
host
hostname
The domain name of the server
--
basicauth-password
text
HTTP Basic Authentication Password
+Full HTTP Request URL
@@ -4230,16 +4200,46 @@ http-request is a MISP object available in JSON format at
method
http-method
user-agent
user-agent
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+The user agent string of the user agent
++
text
text
HTTP Request comment
content-type
other
The MIME type of the body of the request
++
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
proxy-password
text
user-agent
user-agent
host
hostname
The user agent string of the user agent
+The domain name of the server
content-type
other
The MIME type of the body of the request
--
cookie
proxy-user
text
An HTTP cookie previously sent by the server with Set-Cookie
+HTTP Proxy Username
++
basicauth-user
text
HTTP Basic Authentication Username
@@ -4328,13 +4328,23 @@ ip-port is a MISP object available in JSON format at
dst-port
port
domain
domain
Destination port
+Domain
+
+
ip
ip-dst
IP Address
+
hostname
+hostname
Hostname
++
last-seen
datetime
Last time the tuple has been seen
++
text
text
domain
domain
dst-port
port
Domain
--
hostname
hostname
Hostname
--
ip
ip-dst
IP Address
--
last-seen
datetime
Last time the tuple has been seen
+Destination port
@@ -4446,26 +4446,6 @@ ja3 is a MISP object available in JSON format at
description
text
Type of detected software ie software, malware
--
first-seen
datetime
First seen of the SSL/TLS handshake
--
ip-dst
ip-dst
ja3-fingerprint-md5
md5
Hash identifying source
--
ip-src
ip-src
ja3-fingerprint-md5
md5
Hash identifying source
++
description
text
Type of detected software ie software, malware
++
first-seen
datetime
First seen of the SSL/TLS handshake
++
phone-number
-phone-number
legal-form
text
Phone number of an entity.
+Legal form of an entity.
@@ -4564,6 +4564,16 @@ legal-entity is a MISP object available in JSON format at
phone-number
phone-number
Phone number of an entity.
++
registration-number
text
legal-form
text
Legal form of an entity.
--
commercial-name
text
entrypoint-address
text
text
Address of the entry point
+Free text value to attach to the Mach-O file
name
text
Binary’s name
--
type
text
text
entrypoint-address
text
Free text value to attach to the Mach-O file
+Address of the entry point
name
text
Binary’s name
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
md5
md5
entropy
float
[Insecure] MD5 hash (128 bits)
+Entropy of the whole section
+
ssdeep
-ssdeep
sha512
sha512
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (512 bits)
@@ -4810,6 +4790,26 @@ macho-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
text
text
sha512
sha512
sha224
sha224
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
entropy
float
size-in-bytes
size-in-bytes
Entropy of the whole section
+Size of the section, in bytes
sha384
sha384
ssdeep
ssdeep
Secure Hash Algorithm 2 (384 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
sha224
sha224
md5
md5
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
@@ -4918,6 +4918,36 @@ microblog is a MISP object available in JSON format at
username
text
Username who posted the microblog post
++
modification-date
datetime
Last update of the microblog post
++
removal-date
datetime
When the microblog post was removed
++
post
text
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
username-quoted
text
modification-date
datetime
type
text
Last update of the microblog post
+Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+
username
text
Username who posted the microblog post
--
removal-date
datetime
When the microblog post was removed
--
name
+operating-system
text
name of the mutex
+Operating system where the mutex has been seen ['Windows', 'Unix']
@@ -5056,10 +5056,10 @@ mutex is a MISP object available in JSON format at
operating-system
name
text
Operating system where the mutex has been seen ['Windows', 'Unix']
+name of the mutex
@@ -5104,46 +5104,66 @@ netflow is a MISP object available in JSON format at
packet-count
counter
ip-protocol-number
size-in-bytes
Packets counted in this flow
+IP protocol number of this flow
src-as
AS
last-packet-seen
datetime
Source AS number for this flow
+Last packet seen in this flow
byte-count
counter
Bytes counted in this flow
--
protocol
icmp-type
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+ICMP type of the flow (if the traffic is ICMP)
++
src-port
port
Source port of the netflow
dst-as
AS
Destination AS number for this flow
++
flow-count
counter
Flows counted in this flow
++
ip-dst
ip-dst
last-packet-seen
datetime
ip-src
ip-src
Last packet seen in this flow
+IP address source of the netflow
@@ -5184,60 +5204,30 @@ netflow is a MISP object available in JSON format at
src-port
port
Source port of the netflow
--
tcp-flags
text
TCP flags of the flow
--
flow-count
byte-count
counter
Flows counted in this flow
+Bytes counted in this flow
dst-as
packet-count
counter
Packets counted in this flow
++
src-as
AS
Destination AS number for this flow
--
ip_version
counter
IP version of this flow
--
ip-src
ip-src
IP address source of the netflow
+Source AS number for this flow
@@ -5254,25 +5244,35 @@ netflow is a MISP object available in JSON format at
icmp-type
tcp-flags
text
ICMP type of the flow (if the traffic is ICMP)
+TCP flags of the flow
ip-protocol-number
size-in-bytes
ip_version
counter
IP protocol number of this flow
+IP version of this flow
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
rdata
-text
Resource records of the queried resource
--
rrname
text
Resource Record name of the queried resource.
--
origin
text
Origin of the Passive DNS response
--
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
--
text
text
Description of the passive DNS record.
--
time_last
time_first
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
+First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
@@ -5392,10 +5342,10 @@ passive-dns is a MISP object available in JSON format at
time_first
datetime
text
text
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
+Description of the passive DNS record.
@@ -5412,6 +5362,26 @@ passive-dns is a MISP object available in JSON format at
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
origin
text
Origin of the Passive DNS response
++
zone_time_last
datetime
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
++
rdata
text
Resource records of the queried resource
++
rrname
text
Resource Record name of the queried resource.
++
bailiwick
text
paste
text
Raw text of the paste or post
--
origin
text
first-seen
last-seen
datetime
When the paste has been accessible or seen for the first time.
+When the paste has been accessible or seen for the last time.
paste
text
Raw text of the paste or post
++
title
text
last-seen
first-seen
datetime
When the paste has been accessible or seen for the last time.
+When the paste has been accessible or seen for the first time.
@@ -5568,6 +5568,16 @@ pe is a MISP object available in JSON format at
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
number-sections
counter
file-description
text
FileDescription in the resources
++
product-name
text
ProductName in the resources
++
text
text
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
product-name
text
ProductName in the resources
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
file-version
text
FileVersion in the resources
--
company-name
text
CompanyName in the resources
--
original-filename
filename
OriginalFilename in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
legal-copyright
text
LegalCopyright in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
lang-id
text
entrypoint-address
text
Address of the entry point
--
product-version
text
file-description
company-name
text
FileDescription in the resources
+CompanyName in the resources
file-version
text
FileVersion in the resources
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
internal-filename
filename
pehash
pehash
type
text
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
+Type of PE ['exe', 'dll', 'driver', 'unknown']
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
entrypoint-address
text
Address of the entry point
++
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
original-filename
filename
OriginalFilename in the resources
++
legal-copyright
text
LegalCopyright in the resources
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
md5
md5
entropy
float
[Insecure] MD5 hash (128 bits)
+Entropy of the whole section
+
ssdeep
-ssdeep
sha512
sha512
Fuzzy hash using context triggered piecewise hashes (CTPH)
+Secure Hash Algorithm 2 (512 bits)
@@ -5856,6 +5836,26 @@ pe-section is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
text
text
sha512
sha512
sha224
sha224
Secure Hash Algorithm 2 (512 bits)
+Secure Hash Algorithm 2 (224 bits)
entropy
float
size-in-bytes
size-in-bytes
Entropy of the whole section
+Size of the section, in bytes
sha384
sha384
ssdeep
ssdeep
Secure Hash Algorithm 2 (384 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
sha224
sha224
md5
md5
Secure Hash Algorithm 2 (224 bits)
+[Insecure] MD5 hash (128 bits)
@@ -5964,26 +5964,16 @@ person is a MISP object available in JSON format at
nationality
nationality
gender
gender
The nationality of a natural person.
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
identity-card-number
identity-card-number
The identity card number of a natural person.
--
first-name
first-name
place-of-birth
place-of-birth
Place of birth of a natural person.
++
passport-number
passport-number
The passport number of a natural person.
++
last-name
last-name
nationality
nationality
The nationality of a natural person.
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
alias
text
Alias name or known as.
++
text
text
redress-number
redress-number
middle-name
middle-name
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+Middle name of a natural person.
alias
text
identity-card-number
identity-card-number
Alias name or known as.
+The identity card number of a natural person.
passport-expiration
passport-expiration
The expiration date of a passport.
++
passport-country
passport-country
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
middle-name
middle-name
Middle name of a natural person.
--
social-security-number
text
Social security number
--
place-of-birth
place-of-birth
Place of birth of a natural person.
--
title
text
passport-number
passport-number
social-security-number
text
The passport number of a natural person.
+Social security number
passport-expiration
passport-expiration
The expiration date of a passport.
--
guti
+imei
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
+International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
gummei
imsi
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
@@ -6212,6 +6202,16 @@ phone is a MISP object available in JSON format at
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
text
text
imsi
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
guti
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
imei
tmsi
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
@@ -6262,13 +6262,13 @@ phone is a MISP object available in JSON format at
last-seen
datetime
msisdn
text
When the phone has been accessible or seen for the last time.
+MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+
unknown-references
+callbacks
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
--
text
text
Description of the r2graphity object
--
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
--
memory-allocations
counter
Amount of memory allocations
--
callback-largest
counter
Largest callback
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
create-thread
counter
Amount of calls to CreateThread
--
local-references
counter
Amount of API calls inside a code section
--
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
--
get-proc-address
counter
Amount of calls to GetProcAddress
+Amount of callbacks (functions started as thread)
@@ -6430,20 +6340,30 @@ r2graphity is a MISP object available in JSON format at
r2-commit-version
text
referenced-strings
counter
Radare2 commit ID used to generate this object
+Amount of referenced strings
callbacks
dangling-strings
counter
Amount of callbacks (functions started as thread)
+Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
@@ -6460,20 +6380,20 @@ r2graphity is a MISP object available in JSON format at
refsglobalvar
total-api
counter
Amount of API calls outside of code section (glob var, dynamic API)
+Total amount of API calls
total-api
counter
ratio-api
float
Total amount of API calls
+Ratio: amount of API calls per kilobyte of code section
@@ -6490,20 +6410,20 @@ r2graphity is a MISP object available in JSON format at
callback-average
counter
text
text
Average size of a callback
+Description of the r2graphity object
referenced-strings
get-proc-address
counter
Amount of referenced strings
+Amount of calls to GetProcAddress
@@ -6520,10 +6440,90 @@ r2graphity is a MISP object available in JSON format at
ratio-api
float
r2-commit-version
text
Ratio: amount of API calls per kilobyte of code section
+Radare2 commit ID used to generate this object
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
memory-allocations
counter
Amount of memory allocations
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
create-thread
counter
Amount of calls to CreateThread
++
callback-average
counter
Average size of a callback
++
local-references
counter
Amount of API calls inside a code section
++
callback-largest
counter
Largest callback
@@ -6568,6 +6568,16 @@ regexp is a MISP object available in JSON format at
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
regexp
text
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
root-keys
-text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
--
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
hive
text
Hive used to store the registry key (file on disk)
--
data
text
root-keys
text
Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
++
name
text
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
last-modified
datetime
hive
text
Hive used to store the registry key (file on disk)
++
case-number
+summary
text
Case number
+Free text summary of the report
summary
case-number
text
Free text summary of the report
+Case number
@@ -6822,16 +6822,6 @@ rtir is a MISP object available in JSON format at
ticket-number
text
ticket-number of the RTIR ticket
--
ip
ip-dst
subject
classification
text
Subject of the RTIR ticket
+Classification of the RTIR ticket
classification
ticket-number
text
Classification of the RTIR ticket
+ticket-number of the RTIR ticket
++
subject
text
Subject of the RTIR ticket
@@ -6920,30 +6920,10 @@ sandbox-report is a MISP object available in JSON format at
permalink
link
Permalink reference
--
on-premise-sandbox
results
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
--
web-sandbox
text
A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
+Freetext result values
@@ -6960,10 +6940,10 @@ sandbox-report is a MISP object available in JSON format at
results
web-sandbox
text
Freetext result values
+A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
@@ -6990,6 +6970,26 @@ sandbox-report is a MISP object available in JSON format at
permalink
link
Permalink reference
++
on-premise-sandbox
text
The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
++
saas-sandbox
text
datetime
datetime
Datetime
--
software
text
datetime
datetime
Datetime
++
SccpCdSSN
+MapSmscGT
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
--
MapUssdCoding
text
MAP USSD Content.
--
text
text
A description of the attack seen via SS7 logging.
--
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
+MAP SMSC. Phone number.
@@ -7176,56 +7136,6 @@ ss7-attack is a MISP object available in JSON format at
MapSmscGT
text
MAP SMSC. Phone number.
--
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
--
MapVersion
text
Map version. ['1', '2', '3']
--
MapApplicationContext
text
MAP application context in OID format.
--
MapGsmscfGT
text
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
--
MapMsisdn
text
MAP MSISDN. Phone number.
--
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
--
first-seen
datetime
When the attack has been seen for the first time.
--
MapSmsTP-PID
text
MAP SMS TP-PID.
--
SccpCdGT
text
MapVlrGT
MapApplicationContext
text
MAP VLR GT. Phone number.
--
MapSmsTypeNumber
text
MAP SMS TypeNumber.
--
MapSmsTP-DCS
text
MAP SMS TP-DCS.
+MAP application context in OID format.
@@ -7346,10 +7176,110 @@ ss7-attack is a MISP object available in JSON format at
MapMscGT
MapMsisdn
text
MAP MSC GT. Phone number.
+MAP MSISDN. Phone number.
++
MapOpCode
text
MAP operation codes - Decimal value between 0-99.
++
MapSmsTP-DCS
text
MAP SMS TP-DCS.
++
MapSmsText
text
MAP SMS Text. Important indicators in SMS text.
++
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
++
MapSmsTypeNumber
text
MAP SMS TypeNumber.
++
MapSmsTP-PID
text
MAP SMS TP-PID.
++
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
MapVlrGT
text
MAP VLR GT. Phone number.
++
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
SccpCdPC
text
Signaling Connection Control Part (SCCP) CdPC - Phone number.
@@ -7366,15 +7296,85 @@ ss7-attack is a MISP object available in JSON format at
MapOpCode
text
text
MAP operation codes - Decimal value between 0-99.
+A description of the attack seen via SS7 logging.
MapUssdCoding
text
MAP USSD Content.
++
first-seen
datetime
When the attack has been seen for the first time.
++
MapMscGT
text
MAP MSC GT. Phone number.
++
Category
text
Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
++
MapVersion
text
Map version. ['1', '2', '3']
++
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
++
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
++
stix2-pattern
+stix2-pattern
STIX 2 pattern
++
version
text
stix2-pattern
stix2-pattern
STIX 2 pattern
--
version
-text
Version of the Suricata rule depending where the suricata rule is known to work as expected.
--
comment
comment
A description of the Suricata rule.
--
suricata
suricata
version
text
Version of the Suricata rule depending where the suricata rule is known to work as expected.
++
comment
comment
A description of the Suricata rule.
++
datetime
-datetime
timestamp_desc
text
When the log entry was seen
+Text explaining what type of timestamp is it
@@ -7648,20 +7648,20 @@ timesketch-timeline is a MISP object available in JSON format at
timestamp
timestamp-microsec
datetime
datetime
When the log entry was seen in microseconds since Unix epoch
+When the log entry was seen
timestamp_desc
text
timestamp
timestamp-microsec
Text explaining what type of timestamp is it
+When the log entry was seen in microseconds since Unix epoch
@@ -7716,7 +7716,7 @@ timestamp is a MISP object available in JSON format at
first-seen
last-seen
datetime
First time that the linked object or attribute has been seen.
@@ -7736,7 +7736,7 @@ timestamp is a MISP object available in JSON format atlast-seen
first-seen
datetime
First time that the linked object or attribute has been seen.
@@ -7784,90 +7784,10 @@ tor-node is a MISP object available in JSON format ataddress
ip-src
IP address of the Tor node seen.
--
description
nickname
text
Tor node description.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
fingerprint
text
router’s fingerprint.
--
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
text
text
Tor node comment.
--
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
document
text
Raw document from the consensus.
--
flags
text
list of flag associated with the node.
+router’s nickname.
@@ -7884,6 +7804,66 @@ tor-node is a MISP object available in JSON format at
flags
text
list of flag associated with the node.
++
fingerprint
text
router’s fingerprint.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
text
text
Tor node comment.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
address
ip-src
IP address of the Tor node seen.
++
version
text
nickname
text
published
datetime
router’s nickname.
+router’s publication time. This can be different from first-seen and last-seen.
+
+
description
text
Tor node description.
++
document
text
Raw document from the consensus.
+
from-country
-text
Origin country of a transaction.
--
text
text
A description of the transaction.
--
date-posting
datetime
Date of posting, if different from date of transaction.
--
location
text
Location where the transaction took place.
--
authorized
text
Person who autorized the transaction.
--
to-funds-code
text
Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
--
date
datetime
Date and time of the transaction.
--
teller
text
transaction-number
location
text
A unique number identifying a transaction.
+Location where the transaction took place.
++
amount
text
The value of the transaction in local currency.
@@ -8062,6 +8002,56 @@ transaction is a MISP object available in JSON format at
transaction-number
text
A unique number identifying a transaction.
++
authorized
text
Person who autorized the transaction.
++
text
text
A description of the transaction.
++
from-country
text
Origin country of a transaction.
++
date-posting
datetime
Date of posting, if different from date of transaction.
++
from-funds-code
text
amount
to-funds-code
text
The value of the transaction in local currency.
+Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
++
date
datetime
Date and time of the transaction.
@@ -8130,10 +8130,10 @@ url is a MISP object available in JSON format at
fragment
credential
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+Credential (username, password)
@@ -8150,6 +8150,26 @@ url is a MISP object available in JSON format at
domain
domain
Full domain
++
last-seen
datetime
Last time this URL has been seen
++
text
text
first-seen
datetime
domain_without_tld
text
First time this URL has been seen
+Domain without Top-Level Domain
++
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
@@ -8180,10 +8210,30 @@ url is a MISP object available in JSON format at
domain
domain
fragment
text
Full domain
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
first-seen
datetime
First time this URL has been seen
++
host
hostname
Full hostname
@@ -8200,30 +8250,10 @@ url is a MISP object available in JSON format at
last-seen
datetime
Last time this URL has been seen
--
domain_without_tld
query_string
text
Domain without Top-Level Domain
--
host
hostname
Full hostname
+Query (after path, preceded by '?')
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
credential
text
Credential (username, password)
--
query_string
text
Query (after path, preceded by '?')
--
roles
-text
The list of roles targeted within the victim.
--
target-email
description
text
Description of the victim
--
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
user
target-user
The username(s) of the user targeted.
--
name
target-org
The name of the department(s) or organisation(s) targeted.
--
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
--
node
target-machine
sectors
text
The list of sectors that the victim belong to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
++
name
target-org
The name of the department(s) or organisation(s) targeted.
++
roles
text
The list of roles targeted within the victim.
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
user
target-user
The username(s) of the user targeted.
++
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
ip-address
ip-dst
description
text
Description of the victim
++
external
target-external
permalink
link
Permalink Reference
--
last-submission
datetime
detection-ratio
text
Detection Ratio
--
community-score
text
Community Score
--
comment
text
community-score
text
Community Score
++
permalink
link
Permalink Reference
++
detection-ratio
text
Detection Ratio
++
published
-datetime
vulnerable_configuration
text
Initial publication date
+The vulnerable configuration is described in CPE format
+
id
-vulnerability
Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
--
text
text
Description of the vulnerability
--
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
--
summary
text
published
datetime
Initial publication date
++
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
++
text
text
Description of the vulnerability
++
references
link
vulnerable_configuration
text
id
vulnerability
The vulnerable configuration is described in CPE format
+Vulnerability ID (generally CVE, but not necessarely). The id is not required as the object itself has an UUID and the CVE id can updated later.
@@ -8682,26 +8682,6 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
Registrant name
--
registrant-org
whois-registrant-org
Registrant organisation
--
creation-date
datetime
expiration-date
datetime
Expiration of the whois entry
++
domain
domain
Domain of the whois entry
++
text
text
domain
domain
registrant-email
whois-registrant-email
Domain of the whois entry
+Registrant email address
++
registrant-name
whois-registrant-name
Registrant name
@@ -8752,16 +8762,6 @@ whois is a MISP object available in JSON format at
registrant-email
whois-registrant-email
Registrant email address
--
registrant-phone
whois-registrant-phone
expiration-date
datetime
Expiration of the whois entry
--
modification-date
datetime
registrant-org
whois-registrant-org
Registrant organisation
++
comment
text
pubkey-info-exponent
text
x509-fingerprint-sha256
x509-fingerprint-sha256
Exponent of the public key
+Secure Hash Algorithm 2 (256 bits)
pem
pubkey-info-algorithm
text
Raw certificate in PEM formati (Unix-like newlines)
--
text
text
Free text description of hte certificate
--
issuer
text
Issuer of the certificate
--
pubkey-info-modulus
text
Modulus of the public key
--
pubkey-info-size
text
Length of the public key (in bits)
--
dns_names
text
DNS names
+Algorithm of the public key
@@ -8940,6 +8890,36 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-sha1
x509-fingerprint-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
issuer
text
Issuer of the certificate
++
text
text
Free text description of hte certificate
++
validity-not-after
datetime
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
subject
pubkey-info-exponent
text
Subject of the certificate
+Exponent of the public key
self_signed
pubkey-info-modulus
text
Modulus of the public key
++
pem
text
Raw certificate in PEM formati (Unix-like newlines)
++
is_ca
boolean
Self-signed certificate
--
raw-base64
text
Raw certificate base64 encoded (DER format)
--
pubkey-info-algorithm
text
Algorithm of the public key
+CA certificate
@@ -9020,20 +8990,50 @@ x509 is a MISP object available in JSON format at
x509-fingerprint-sha1
x509-fingerprint-sha1
dns_names
text
[Insecure] Secure Hash Algorithm 1 (160 bits)
+DNS names
is_ca
self_signed
boolean
CA certificate
+Self-signed certificate
++
pubkey-info-size
text
Length of the public key (in bits)
++
raw-base64
text
Raw certificate base64 encoded (DER format)
++
subject
text
Subject of the certificate
@@ -9088,26 +9088,6 @@ yabin is a MISP object available in JSON format at
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
comment
comment
A description of Yara rule generated.
--
whitelist
comment
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
++
yara
yara
comment
comment
A description of Yara rule generated.
++
yara
-yara
context
text
YARA rule.
+Context where the YARA rule can be applied ['all', 'disk', 'memory', 'network']
@@ -9186,6 +9186,16 @@ yara is a MISP object available in JSON format at
yara
yara
YARA rule.
++
comment
comment