diff --git a/objects.html b/objects.html
index 9e591b9..bc61a9e 100755
--- a/objects.html
+++ b/objects.html
@@ -558,13 +558,13 @@ ail-leak is a MISP object available in JSON format at duplicate_number
counter
last-seen
datetime
Number of known duplicates.
+When the leak has been accessible or seen for the last time.
+
sensor
+type
text
The AIL sensor uuid where the leak was processed and analysed.
+Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
origin
text
type
duplicate
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
+Duplicate of the existing leaks.
duplicate
sensor
text
Duplicate of the existing leaks.
+The AIL sensor uuid where the leak was processed and analysed.
++
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
duplicate_number
counter
Number of known duplicates.
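Review bot: the ail-leak rows in this hunk only change position. Descriptions such as "Number of known duplicates." and "When the leak has been accessible or seen for the last time." appear both as added lines and as unchanged text, so no documentation content differs. If objects.html is generated, emit each object's attributes in a fixed (for example alphabetical) order so that a regeneration does not produce a reorder-only diff that hides real changes.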
@@ -754,20 +754,50 @@ asn is a MISP object available in JSON format at
mp-export
text
asn
AS
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
+Autonomous System Number
asn
AS
subnet-announced
ip-src
Autonomous System Number
+Subnet announced
++
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
last-seen
datetime
Last time the ASN was seen
++
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
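Review bot: the mp-export description says it "performs the same function as the export attribute above", which only holds while the export row happens to sit above it, and this hunk shows the asn rows moving. Refer to the attribute by name ("the export attribute") and drop "above". The trailing "section 4.5. format" also reads as a broken sentence and would be clearer as "in the format of RFC 4012, section 4.5".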
@@ -784,16 +814,6 @@ asn is a MISP object available in JSON format at
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
--
first-seen
datetime
last-seen
datetime
Last time the ASN was seen
--
mp-import
text
The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
subnet-announced
ip-src
Subnet announced
--
description
text
import
text
The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
++
address
-btc
last-seen
datetime
Address used as a payment destination in a cryptocurrency
--
symbol
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
+Last time this payment destination address has been seen
last-seen
first-seen
datetime
Last time this payment destination address has been seen
+First time this payment destination address has been seen
@@ -1010,15 +1000,25 @@ coin-address is a MISP object available in JSON format at
first-seen
datetime
symbol
text
First time this payment destination address has been seen
+The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
address
btc
Address used as a payment destination in a cryptocurrency
++
type
+cookie-value
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+Value of the cookie (if splitted)
++
cookie-name
text
Name of the cookie (if splitted)
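Review bot: in the coin-address rows, address is documented with type btc while the symbol row next to it lists non-Bitcoin values such as 'ETH' and 'XMR'. Either say in the address description that the btc type is used for every currency and that symbol disambiguates it, or state that other currencies need a different type. As written, a reader cannot tell how a non-BTC address should be encoded.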
@@ -1088,20 +1098,10 @@ cookie is a MISP object available in JSON format at
cookie-name
type
text
Name of the cookie (if splitted)
--
cookie-value
text
Value of the cookie (if splitted)
+Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
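Review bot: the cookie-name and cookie-value descriptions carried through this hunk read "(if splitted)". The past participle is "split", and the condition is not explained. Consider "Name of the cookie (when name and value are stored separately)" and the matching wording for cookie-value.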
@@ -1146,16 +1146,6 @@ credential is a MISP object available in JSON format at
username
text
Username related to the password(s)
--
notification
text
text
username
text
A description of the credential(s)
+Username related to the password(s)
+
+
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+
type
+text
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+A description of the credential(s)
+
comment
-comment
A description of the card.
--
expiration
datetime
Maximum date of validity
--
cc-number
cc-number
credit-card number as encoded on the card.
--
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
--
version
text
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
comment
comment
A description of the card.
++
cc-number
cc-number
credit-card number as encoded on the card.
++
expiration
datetime
Maximum date of validity
++
total-pps
-counter
Packets per second
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
--
ip-dst
ip-dst
Destination IP (victim)
--
src-port
port
Port originating the attack
--
last-seen
datetime
text
text
Description of the DDoS
--
domain-dst
domain
dst-port
port
text
text
Destination port of the attack
+Description of the DDoS
-
ip-src
ip-src
IP address originating the attack
-+
dst-port
+port
Destination port of the attack
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
first-seen
datetime
src-port
port
Port originating the attack
++
ip-dst
ip-dst
Destination IP (victim)
++
total-pps
counter
Packets per second
++
ip-src
ip-src
IP address originating the attack
++
ip
-ip-dst
IP Address
--
last-seen
datetime
first-seen
datetime
First time the tuple has been seen
++
text
text
first-seen
datetime
ip
ip-dst
First time the tuple has been seen
+IP Address
+
number-sections
-counter
Number of sections
--
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
--
text
text
Free text value to attach to the ELF
--
entrypoint-address
text
text
text
Free text value to attach to the ELF
++
arch
text
Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
++
number-sections
counter
Number of sections
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
md5
md5
entropy
float
Entropy of the whole section
++
name
text
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha224
sha224
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
text
text
entropy
float
type
text
Entropy of the whole section
+Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
type
text
sha512
sha512
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+Secure Hash Algorithm 2 (512 bits)
size-in-bytes
size-in-bytes
sha512/224
sha512/224
Size of the section, in bytes
+Secure Hash Algorithm 2 (224 bits)
+
to
-email-dst
thread-index
email-thread-index
Destination email address
+Identifies a particular conversation thread
subject
email-subject
screenshot
attachment
Subject
--
cc
email-dst
Carbon copy
--
from
email-src
Sender email address
--
to-display-name
email-dst-display-name
Display name of the receiver
--
message-id
email-message-id
Message ID
--
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
from-display-name
email-src-display-name
Display name of the sender
+Screenshot of email
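Review bot: the ELF arch row, and the ELF section type row after it, embed the full list of allowed values inside the description sentence. For arch that is well over a hundred entries after "Architecture of the ELF file", and it appears once as removed and once as added text even though nothing in it changed. Render the allowed values in their own column or a collapsed list so the description stays one sentence and reorder-only changes stop dragging the whole enumeration through the diff.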
@@ -1974,10 +1914,80 @@ email is a MISP object available in JSON format at
thread-index
email-thread-index
send-date
datetime
Identifies a particular conversation thread
+Date the email has been sent
++
from-display-name
email-src-display-name
Display name of the sender
++
cc
email-dst
Carbon copy
++
to-display-name
email-dst-display-name
Display name of the receiver
++
subject
email-subject
Subject
++
header
email-header
Full headers
++
message-id
email-message-id
Message ID
++
to
email-dst
Destination email address
@@ -2004,30 +2014,20 @@ email is a MISP object available in JSON format at
screenshot
attachment
from
email-src
Screenshot of email
+Sender email address
send-date
datetime
x-mailer
email-x-mailer
Date the email has been sent
--
header
email-header
Full headers
+X-Mailer generally tells the program that was used to draft and send the original email
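Review bot: in the x-mailer row, "generally tells the program that was used to draft and send the original email" is loose wording for a value that the sending side sets and that nothing verifies. Suggest "Value of the X-Mailer header, which names the mail client the sender claims to have used", so analysts reading the object documentation do not treat it as a reliable attribution field.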
@@ -2082,76 +2082,6 @@ file is a MISP object available in JSON format at
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
state
text
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
md5
md5
pattern-in-file
pattern-in-file
Pattern that can be found in the file
--
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
text
text
Free text value to attach to the file
--
filename
filename
Filename on disk
--
entropy
float
certificate
x509-fingerprint-sha1
Certificate value if the binary is signed with another authentication scheme than authenticode
++
authentihash
authentihash
sha256
sha256
ssdeep
ssdeep
Secure Hash Algorithm 2 (256 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
++
filename
filename
Filename on disk
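Review bot: the file object's certificate row has type x509-fingerprint-sha1 but its description says "Certificate value if the binary is signed with another authentication scheme than authenticode". The type holds a SHA-1 fingerprint, not the certificate itself, so the description should say "SHA-1 fingerprint of the signing certificate" to keep producers from putting a PEM blob or serial number in this field.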
@@ -2252,16 +2152,36 @@ file is a MISP object available in JSON format at
mimetype
text
size-in-bytes
size-in-bytes
Mime type
+Size of the file, in bytes
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha384
sha384
size-in-bytes
size-in-bytes
sha512/256
sha512/256
Size of the file, in bytes
+Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the file
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
++
state
text
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
mimetype
text
Mime type
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
longitude
-float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
last-seen
datetime
text
text
A generic description of the location.
--
first-seen
datetime
When the location was seen for the first time.
--
altitude
float
text
text
A generic description of the location.
++
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
city
text
City.
++
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
country
text
first-seen
datetime
When the location was seen for the first time.
++
region
text
city
text
City.
--
content-type
-other
The MIME type of the body of the request
--
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
--
basicauth-user
text
HTTP Basic Authentication Username
--
proxy-user
text
HTTP Proxy Username
--
cookie
text
proxy-password
text
HTTP Proxy Password
--
method
http-method
basicauth-password
text
text
HTTP Basic Authentication Password
+HTTP Request comment
++
uri
uri
Request URI
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
user-agent
user-agent
The user agent string of the user agent
++
proxy-user
text
HTTP Proxy Username
++
basicauth-user
text
HTTP Basic Authentication Username
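Review bot: in the file rows, sha512/256 and sha256 share the description "Secure Hash Algorithm 2 (256 bits)", and sha512/224 and sha224 share "Secure Hash Algorithm 2 (224 bits)". The digests have the same length but are different functions, so a value filed under the wrong attribute will never match. Distinguish them in the text, for example "SHA-512/256 (truncated SHA-512 variant, 256-bit output)" and "SHA-512/224 (truncated SHA-512 variant, 224-bit output)".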
@@ -2538,30 +2538,10 @@ http-request is a MISP object available in JSON format at
text
text
content-type
other
HTTP Request comment
--
user-agent
user-agent
The user agent string of the user agent
--
uri
uri
Request URI
+The MIME type of the body of the request
basicauth-password
text
HTTP Basic Authentication Password
++
proxy-password
text
HTTP Proxy Password
++
first-seen
-datetime
ip
ip-dst
First time the tuple has been seen
+IP Address
+
first-seen
+datetime
First time the tuple has been seen
++
src-port
port
ip
ip-dst
IP Address
--
description
-text
Type of detected software ie software, malware
--
ip-dst
ip-dst
Destination IP address
--
last-seen
datetime
first-seen
datetime
First seen of the SSL/TLS handshake
--
ip-src
ip-src
first-seen
datetime
First seen of the SSL/TLS handshake
++
ja3-fingerprint-md5
md5
ip-dst
ip-dst
Destination IP address
++
description
text
Type of detected software ie software, malware
++
type
-text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
--
text
text
name
text
Binary’s name
--
entrypoint-address
text
type
text
Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
++
name
text
Binary’s name
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
md5
md5
entropy
float
Entropy of the whole section
++
name
text
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha224
sha224
text
text
Free text value to attach to the section
--
entropy
float
Entropy of the whole section
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
sha384
sha384
size-in-bytes
size-in-bytes
sha512/256
sha512/256
Size of the section, in bytes
+Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
url
+link
url
Original URL location of the microblog post
+Link into the microblog post
++
post
text
Raw post
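Review bot: the row named description (type text) in the TLS handshake fingerprint block is documented as "Type of detected software ie software, malware", so the attribute name and its meaning disagree, and "ie" is used where "e.g." is meant. Either describe the field as free text about the fingerprinted client, or rename it to reflect that it carries a software category. In the same hunk, "The user agent string of the user agent" in the http-request block is circular and could read "Value of the User-Agent request header".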
@@ -3088,10 +3098,10 @@ microblog is a MISP object available in JSON format at
username-quoted
type
text
Username who are quoted into the microblog post
+Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
@@ -3108,20 +3118,10 @@ microblog is a MISP object available in JSON format at
link
url
url
Link into the microblog post
--
modification-date
datetime
Last update of the microblog post
+Original URL location of the microblog post
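Review bot: the microblog rows link and url are both of type url, with the descriptions "Link into the microblog post" and "Original URL location of the microblog post". The difference is not clear from the wording. If link means a URL that appears inside the post body and url means the address of the post itself, say so explicitly, because mixing them up changes which value is the indicator.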
@@ -3138,20 +3138,20 @@ microblog is a MISP object available in JSON format at
type
text
modification-date
datetime
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+Last update of the microblog post
post
username-quoted
text
Raw post
+Username who are quoted into the microblog post
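Review bot: "Username who are quoted into the microblog post" in the username-quoted row is ungrammatical. Suggest "Username(s) quoted in the microblog post".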
@@ -3196,6 +3196,116 @@ netflow is a MISP object available in JSON format at
tcp-flags
text
TCP flags of the flow
++
byte-count
counter
Bytes counted in this flow
++
first-packet-seen
datetime
First packet seen in this flow
++
packet-count
counter
Packets counted in this flow
++
dst-port
port
Destination port of the netflow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
ip-dst
ip-dst
IP address destination of the netflow
++
ip-src
ip-src
IP address source of the netflow
++
last-packet-seen
datetime
Last packet seen in this flow
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
src-as
AS
Source AS number for this flow
++
dst-as
AS
ip-dst
ip-dst
IP address destination of the netflow
--
icmp-type
text
byte-count
counter
Bytes counted in this flow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
tcp-flags
text
TCP flags of the flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
flow-count
counter
Flows counted in this flow
--
src-as
AS
Source AS number for this flow
--
packet-count
counter
Packets counted in this flow
--
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
--
last-packet-seen
datetime
Last packet seen in this flow
--
ip-src
ip-src
IP address source of the netflow
--
dst-port
port
Destination port of the netflow
--
src-port
port
first-packet-seen
datetime
flow-count
counter
First packet seen in this flow
+Flows counted in this flow
+
+
direction
text
Direction of this flow ['Ingress', 'Egress']
+
bailiwick
+text
Best estimate of the apex of the zone where this data is authoritative
++
sensor_id
text
Sensor information where the record was seen
++
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
rdata
text
Resource records of the queried resource
++
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
rrname
text
Resource Record name of the queried resource
++
zone_time_first
datetime
sensor_id
text
Sensor information where the record was seen
--
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
--
rdata
text
Resource records of the queried resource
--
rrname
text
Resource Record name of the queried resource
--
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
text
text
-
-
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
origin
text
count
counter
text
text
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
+
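Review bot: in the netflow rows, ip-protocol-number is given the type size-in-bytes with the description "IP protocol number of this flow". A protocol number is not a byte size, and the same pairing appears on both the removed and the added side, so the mismatch is being carried forward. Use a numeric or text type that matches the meaning, or note in the description why size-in-bytes is reused. Separately, the passive DNS rows use underscores (sensor_id, zone_time_last, time_last) where the other objects in this diff use hyphens (first-seen, last-seen). If the names follow an external format, say so in the object description.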
@@ -3562,16 +3562,6 @@ paste is a MISP object available in JSON format at
url
url
Link to the original source of the paste or post.
--
last-seen
datetime
title
origin
text
Title of the paste or post.
+Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
paste
title
text
Raw text of the paste or post
+Title of the paste or post.
@@ -3612,10 +3602,20 @@ paste is a MISP object available in JSON format at
origin
url
url
Link to the original source of the paste or post.
++
paste
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
+Raw text of the paste or post
@@ -3660,66 +3660,6 @@ pe is a MISP object available in JSON format at
number-sections
counter
Number of sections
--
legal-copyright
text
LegalCopyright in the resources
--
internal-filename
filename
InternalFilename in the resources
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
entrypoint-address
text
Address of the entry point
--
lang-id
text
Lang ID in the resources
--
file-version
text
product-version
text
ProductVersion in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
file-description
text
FileDescription in the resources
--
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
--
text
text
Free text value to attach to the PE
--
company-name
text
product-name
text
original-filename
filename
ProductName in the resources
--
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
+OriginalFilename in the resources
type
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
entrypoint-section-at-position
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
+Name of the section and position of the section in the PE
++
internal-filename
filename
InternalFilename in the resources
++
legal-copyright
text
LegalCopyright in the resources
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
product-version
text
ProductVersion in the resources
@@ -3830,15 +3760,85 @@ pe is a MISP object available in JSON format at
original-filename
filename
number-sections
counter
OriginalFilename in the resources
+Number of sections
++
lang-id
text
Lang ID in the resources
++
file-description
text
FileDescription in the resources
++
text
text
Free text value to attach to the PE
++
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
++
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
entrypoint-address
text
Address of the entry point
++
product-name
text
ProductName in the resources
++
sha512/256
-sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
md5
md5
entropy
float
Entropy of the whole section
++
name
text
sha224
sha224
size-in-bytes
size-in-bytes
Secure Hash Algorithm 2 (224 bits)
+Size of the section, in bytes
+
text
-text
sha224
sha224
Free text value to attach to the section
--
entropy
float
Entropy of the whole section
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
+Secure Hash Algorithm 2 (224 bits)
@@ -4008,15 +3958,65 @@ pe-section is a MISP object available in JSON format at
size-in-bytes
size-in-bytes
sha512/256
sha512/256
Size of the section, in bytes
+Secure Hash Algorithm 2 (256 bits)
++
text
text
Free text value to attach to the section
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
date-of-birth
-date-of-birth
gender
gender
Date of birth of a natural person (in YYYY-MM-DD format).
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
redress-number
redress-number
date-of-birth
date-of-birth
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+Date of birth of a natural person (in YYYY-MM-DD format).
@@ -4096,30 +4096,10 @@ person is a MISP object available in JSON format at
middle-name
middle-name
passport-expiration
passport-expiration
Middle name of a natural person
--
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
last-name
last-name
Last name of a natural person.
+The expiration date of a passport.
@@ -4136,26 +4116,6 @@ person is a MISP object available in JSON format at
text
text
A description of the person or identity.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
first-name
first-name
text
text
A description of the person or identity.
++
passport-number
passport-number
middle-name
middle-name
Middle name of a natural person
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
last-name
last-name
Last name of a natural person.
++
gummei
-text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
--
last-seen
datetime
text
guti
text
A description of the phone.
--
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
serial-number
text
Serial Number.
+Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
@@ -4294,6 +4244,16 @@ phone is a MISP object available in JSON format at
text
text
A description of the phone.
++
tmsi
text
serial-number
text
Serial Number.
++
msisdn
text
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
r2-commit-version
+text
Radare2 commit ID used to generate this object
++
create-thread
counter
Amount of calls to CreateThread
++
callback-largest
counter
Largest callback
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
callback-average
counter
not-referenced-strings
counter
Amount of not referenced strings
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
callbacks
counter
memory-allocations
referenced-strings
counter
Amount of memory allocations
+Amount of referenced strings
ratio-api
text
text
Description of the r2graphity object
++
ratio-functions
float
Ratio: amount of API calls per kilobyte of code section
+Ratio: amount of functions per kilobyte of code section
++
memory-allocations
counter
Amount of memory allocations
@@ -4422,10 +4462,30 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
shortest-path-to-create-thread
counter
Amount of referenced strings
+Shortest path to the first time the binary calls CreateThread
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
get-proc-address
counter
Amount of calls to GetProcAddress
@@ -4442,16 +4502,6 @@ r2graphity is a MISP object available in JSON format at
r2-commit-version
text
Radare2 commit ID used to generate this object
--
total-functions
counter
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
get-proc-address
counter
Amount of calls to GetProcAddress
--
gml
attachment
Graph export in G>raph Modelling Language format
--
create-thread
counter
Amount of calls to CreateThread
--
refsglobalvar
counter
callback-largest
counter
Largest callback
--
text
text
Description of the r2graphity object
--
unknown-references
counter
dangling-strings
miss-api
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
+Amount of API call reference that does not resolve to a function offset
ratio-functions
float
gml
attachment
Ratio: amount of functions per kilobyte of code section
+Graph export in G>raph Modelling Language format
++
not-referenced-strings
counter
Amount of not referenced strings
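Review bot: the gml description is re-added with its typo intact: "+Graph export in G>raph Modelling Language format" still has a stray ">" inside "Graph", exactly as on the removed line. Correct it to "Graph export in Graph Modelling Language format" in the r2graphity definition so the next regeneration picks it up.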
@@ -4620,16 +4620,6 @@ regexp is a MISP object available in JSON format at
regexp
text
regexp
--
regexp-type
text
type
text
Specify which type corresponds to this regex. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']
++
regexp
text
regexp
++
data-type
-reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
--
data
reg-data
Data stored in the registry key
--
hive
reg-hive
Hive used to store the registry key (file on disk)
--
last-modified
datetime
name
reg-name
key
regkey
Name of the registry key
+Full key path
key
reg-key
data
text
Full key path
+Data stored in the registry key
++
hive
text
Hive used to store the registry key (file on disk)
++
data-type
text
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
++
name
text
Name of the registry key
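Review bot: in the registry-key rows the attribute types change and nothing in the descriptions says so: data-type loses reg-datatype ("-reg-datatype"), the removed data, hive, name and key rows used reg-data, reg-hive, reg-name and reg-key, and the added rows use text for data, hive, data-type and name and regkey for key. Anything that selects attributes by type will see a different set after this, so please confirm the retyping is intended and state it in the commit message. Separately, name is described as "Name of the registry key" while key is "Full key path"; if name is the value name under that key, the description should say so.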
@@ -4834,16 +4844,6 @@ rtir is a MISP object available in JSON format at
constituency
text
Constituency of the RTIR ticket
--
ticket-number
text
subject
text
Subject of the RTIR ticket
--
status
text
constituency
text
Constituency of the RTIR ticket
++
ip
ip-dst
classification
queue
text
Classification of the RTIR ticket
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
queue
subject
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Subject of the RTIR ticket
++
classification
text
Classification of the RTIR ticket
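Review bot: the queue value list mixes singular and plural forms, ['incident', 'investigations', 'blocks', 'incident reports'], and the added row repeats it unchanged. Check the list against the queue names actually used in RTIR and make the forms consistent. The classification row has no value list at all; if its values are a fixed set like the queue's, list them the same way.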
@@ -4942,10 +4952,20 @@ tor-node is a MISP object available in JSON format at
nickname
document
text
router’s nickname.
+Raw document from the consensus.
++
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
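Review bot: the version description, "parsed version of tor, this is None if the relay’s using a new versioning scheme.", exposes a programming-language null ("None") to readers of the documentation and starts in lower case, as does "router’s nickname.". Suggest "Parsed version of Tor; empty if the relay uses a new versioning scheme." and capitalising the other tor-node descriptions to match the rest of the page.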
@@ -4972,30 +4992,10 @@ tor-node is a MISP object available in JSON format at
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
document
nickname
text
Raw document from the consensus.
--
address
ip-src
IP address of the Tor node seen.
+router’s nickname.
@@ -5012,16 +5012,6 @@ tor-node is a MISP object available in JSON format at
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
version_line
text
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
text
text
address
ip-src
IP address of the Tor node seen.
++
first-seen
datetime
version
text
published
datetime
parsed version of tor, this is None if the relay’s using a new versioning scheme.
+router’s publication time. This can be different from first-seen and last-seen.
+
text
+text
Description of the URL
++
resource_path
text
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
++
domain_without_tld
text
tld
query_string
text
Top-Level Domain
--
credential
text
Credential (username, password)
+Query (after path, preceded by '?')
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
url
url
Full URL
--
port
port
Port number
--
last-seen
datetime
text
text
port
port
Description of the URL
--
first-seen
datetime
First time this URL has been seen
+Port number
credential
text
Credential (username, password)
++
subdomain
text
scheme
fragment
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
+Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
first-seen
datetime
First time this URL has been seen
query_string
text
url
url
Query (after path, preceded by '?')
+Full URL
tld
text
Top-Level Domain
++
external
-target-external
External target organisations affected by this attack.
--
description
text
Description of the victim
--
target-email
user
target-user
The username(s) of the user targeted.
--
regions
target-location
The list of regions or locations from the victim targeted. ISO 3166 should be used.
--
roles
text
ip-address
ip-dst
name
target-org
IP address(es) of the node targeted.
+The name of the department(s) or organisation(s) targeted.
classification
text
regions
target-location
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
name
target-org
The name of the department(s) or organisation(s) targeted.
+The list of regions or locations from the victim targeted. ISO 3166 should be used.
external
target-external
External target organisations affected by this attack.
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
description
text
Description of the victim
++
user
target-user
The username(s) of the user targeted.
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
permalink
-link
Permalink Reference
--
first-submission
datetime
community-score
text
last-submission
datetime
Community Score
+Last Submission
+
last-submission
-datetime
community-score
text
Last Submission
+Community Score
++
permalink
link
Permalink Reference
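Review bot: in the tor-node rows at the top of this hunk, the last-seen description reads "When the Tor node designed by the IP address has been seen for the last time."; "designed" should be "designated". The line appears on both the removed and the added side, so the typo survives the change; fix it in the tor-node definition.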
@@ -5524,26 +5534,6 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
--
modified
datetime
Last modification date
--
text
text
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
--
published
datetime
Initial publication date
--
summary
text
published
datetime
Initial publication date
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
references
link
External references
++
modified
datetime
Last modification date
++
text
-text
Full whois entry
--
registrant-name
whois-registrant-name
Registrant name
--
creation-date
datetime
Initial creation of the whois entry
--
registrant-email
whois-registrant-email
Registrant email address
--
domain
domain
Domain of the whois entry
--
registrant-phone
whois-registrant-phone
text
text
Full whois entry
++
modification-date
datetime
registrar
whois-registrar
registrant-org
whois-registrant-org
Registrar of the whois entry
+Registrant organisation
++
domain
domain
Domain of the whois entry
++
creation-date
datetime
Initial creation of the whois entry
registrar
whois-registrar
Registrar of the whois entry
++
registrant-email
whois-registrant-email
Registrant email address
++
registrant-name
whois-registrant-name
Registrant name
++
x509-fingerprint-sha256
-sha256
Secure Hash Algorithm 2 (256 bits)
--
pubkey-info-size
text
Length of the public key (in bits)
--
subject
text
Subject of the certificate
--
pubkey-info-exponent
text
Exponent of the public key
--
serial-number
text
x509-fingerprint-md5
md5
raw-base64
text
[Insecure] MD5 hash (128 bits)
+Raw certificate base64 encoded
++
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
++
subject
text
Subject of the certificate
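Review bot: in the x509 rows, x509-fingerprint-sha256 changes type from sha256 ("-sha256") to x509-fingerprint-sha256, but its description still only names the algorithm, "Secure Hash Algorithm 2 (256 bits)". State what is hashed, for example "SHA-256 fingerprint of the DER-encoded certificate" if that is what the value holds, so that it is not mistaken for a file hash. The same applies to the md5 row, "[Insecure] MD5 hash (128 bits)".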
@@ -5840,30 +5840,20 @@ x509 is a MISP object available in JSON format at
validity-not-before
datetime
x509-fingerprint-md5
x509-fingerprint-md5
Certificate invalid before that date
+[Insecure] MD5 hash (128 bits)
validity-not-after
datetime
version
text
Certificate invalid after that date
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Version of the certificate
@@ -5880,20 +5870,50 @@ x509 is a MISP object available in JSON format at
raw-base64
text
x509-fingerprint-sha1
x509-fingerprint-sha1
Raw certificate base64 encoded
+[Insecure] Secure Hash Algorithm 1 (160 bits)
version
pubkey-info-size
text
Version of the certificate
+Length of the public key (in bits)
++
validity-not-after
datetime
Certificate invalid after that date
++
validity-not-before
datetime
Certificate invalid before that date
++
pubkey-info-exponent
text
Exponent of the public key
@@ -5948,6 +5968,16 @@ yabin is a MISP object available in JSON format at
yara-hunt
yara
Wide yara rule generated from -yh.
++
version
comment
comment
comment
A description of Yara rule generated.
--
whitelist
comment
yara-hunt
yara
comment
comment
Wide yara rule generated from -yh.
+A description of Yara rule generated.
+
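Review bot: the yara-hunt description, "Wide yara rule generated from -yh.", refers to a command-line switch without naming the tool or saying what the switch does, so it only makes sense to a reader who already knows it. Spell it out in the yabin definition: which program's option this is, and what "wide" means for the generated rule.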