diff --git a/objects.html b/objects.html
index 3c77416..1fdd4ae 100755
--- a/objects.html
+++ b/objects.html
@@ -523,20 +523,20 @@ ail-leak is a MISP object available in JSON format at sensor
text
origin
url
+
The link where the leak is (or was) accessible at first-seen.
last-seen
datetime
text
text
+
A description of the leak which could include the potential victim(s) or description of the leak.
@@ -546,7 +546,7 @@ ail-leak is a MISP object available in JSON format at
first-seen
datetime
+
When the leak has been accessible or seen for the first time.
@@ -556,27 +556,17 @@ ail-leak is a MISP object available in JSON format at
original-date
datetime
+
When the information available in the leak was created. It’s usually before the first-seen.
origin
url
last-seen
datetime
-
-
text
text
+
When the leak has been accessible or seen for the last time.
sensor
text
The AIL sensor uuid where the leak was processed and analysed.
++
signature
-text
-
-
datetime
datetime
-
-
text
text
-
-
software
text
+
Name of antivirus software
signature
text
Name of detection signature
++
text
text
Free text value to attach to the file
++
datetime
datetime
Datetime
++
text
+text
A description of the cookie.
++
cookie-value
text
+
Value of the cookie (if splitted)
cookie
cookie
type
text
+
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
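Review bot: "Value of the cookie (if splitted)" on the `cookie-value` row should read "if split", and the same wording is used for `cookie-name`. It would also help to say what is being split, for example "Value part of the cookie, when the full `cookie` attribute is stored as separate name and value".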
@@ -732,27 +742,17 @@ cookie is a MISP object available in JSON format at
cookie-name
text
+
Name of the cookie (if splitted)
text
text
cookie
cookie
-
-
type
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+Full cookie
@@ -797,30 +797,20 @@ credit-card is a MISP object available in JSON format at
card-security-code
text
-
-
version
text
+
Version of the card.
issued
datetime
cc-number
cc-number
+
credit-card number as encoded on the card.
@@ -830,27 +820,7 @@ credit-card is a MISP object available in JSON format at
name
text
-
-
cc-number
cc-number
-
-
comment
comment
+
Name of the card owner.
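Review bot: the `comment` row removed in this hunk comes back in the following credit-card hunk with the same name and type, next to `issued` and `card-security-code`, so this part of the change is row order only. If objects.html is generated from the object definitions, emit the attributes in a fixed order (for example sorted by name) so that a regeneration shows only real description changes and the diff stays reviewable.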
@@ -860,8 +830,38 @@ credit-card is a MISP object available in JSON format at
expiration
datetime
Maximum date of validity
+
issued
datetime
Initial date of validity or issued date.
++
card-security-code
text
Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.
++
comment
comment
A description of the card.
+
last-seen
+datetime
End of the attack
++
text
text
Description of the DDoS
++
ip-dst
ip-dst
Destination ID (victim)
++
total-pps
counter
Packets per second
++
protocol
text
last-seen
datetime
-
-
ip-dst
ip-dst
-
-
dst-port
port
-
-
ip-src
ip-src
-
-
total-bps
counter
-
-
total-pps
counter
-
-
text
text
-
-
src-port
port
+
Bits per second
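Review bot: "Destination ID (victim)" on the ddos `ip-dst` row reads like a typo for "Destination IP". The attribute type is `ip-dst` and the other rows of the object describe addresses and ports, so "Destination IP address (victim)" would match them.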
@@ -998,8 +968,38 @@ ddos is a MISP object available in JSON format at
first-seen
datetime
Beginning of the attack
+
dst-port
port
Destination port of the attack
++
ip-src
ip-src
IP address originating the attack
++
src-port
port
Port originating the attack
+
domain
-domain
-
-
last-seen
datetime
-
-
ip
ip-dst
IP Address
+
domain
domain
Domain name
+
text
text
+
A description of the tuple
@@ -1086,8 +1076,18 @@ domain-ip is a MISP object available in JSON format at
first-seen
datetime
First time the tuple has been seen
+
last-seen
datetime
Last time the tuple has been seen
+
entrypoint-address
+text
Address of the entry point
++
text
text
+
Free text value to attach to the ELF
@@ -1144,7 +1154,7 @@ elf is a MISP object available in JSON format at
number-sections
counter
+
Number of sections
entrypoint-address
text
-
-
sha1
-sha1
ssdeep
ssdeep
+
Fuzzy hash using context triggered piecewise hashes (CTPH)
sha512/224
sha512/224
sha384
sha384
+
Secure Hash Algorithm 2 (384 bits)
sha224
sha224
md5
md5
+
[Insecure] MD5 hash (128 bits)
entropy
float
-
-
flag
text
sha512
sha512
type
text
-
-
size-in-bytes
size-in-bytes
+
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
sha512/256
sha512/256
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
+
text
text
+
Free text value to attach to the section
@@ -1322,62 +1322,62 @@ elf-section is a MISP object available in JSON format at
name
text
+
Name of the section
sha256
sha256
entropy
float
-
-
md5
md5
-
-
ssdeep
ssdeep
-
-
sha384
sha384
-
-
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
+Entropy of the whole section
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
subject
-email-subject
mime-boundary
email-mime-boundary
-
-
to
email-dst
-
-
from-display-name
email-src-display-name
-
-
send-date
datetime
-
-
reply-to
email-reply-to
-
-
attachment
email-attachment
-
-
from
email-src
-
-
header
email-header
+
MIME Boundary
@@ -1500,37 +1430,17 @@ email is a MISP object available in JSON format at
x-mailer
email-x-mailer
+
X-Mailer generally tells the program that was used to draft and send the original email
mime-boundary
email-mime-boundary
from-display-name
email-src-display-name
-
-
thread-index
email-thread-index
-
-
return-path
text
+
Display name of the sender
@@ -1540,7 +1450,7 @@ email is a MISP object available in JSON format at
to-display-name
email-dst-display-name
+
Display name of the receiver
@@ -1550,8 +1460,58 @@ email is a MISP object available in JSON format at
message-id
email-message-id
Message ID
+
return-path
text
Message return path
++
reply-to
email-reply-to
Email address the reply will be sent to
++
subject
email-subject
Subject
++
send-date
datetime
Date the email has been sent
++
thread-index
email-thread-index
Identifies a particular conversation thread
+
cc
email-dst
Carbon copy
+
to
email-dst
Destination email address
++
attachment
email-attachment
Attachment
++
header
email-header
Full headers
++
from
email-src
Sender email address
+
state
-text
-
-
sha1
sha1
-
-
sha512/224
sha512/224
-
-
sha224
sha224
-
-
entropy
float
-
-
pattern-in-file
pattern-in-file
-
-
tlsh
tlsh
-
-
sha512
sha512
-
-
size-in-bytes
size-in-bytes
-
-
sha512/256
sha512/256
-
-
text
text
-
-
authentihash
authentihash
-
-
malware-sample
malware-sample
-
-
sha256
sha256
-
-
md5
md5
+
The file itself (binary)
@@ -1758,8 +1618,18 @@ file is a MISP object available in JSON format at
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
+
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
+
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+
md5
md5
[Insecure] MD5 hash (128 bits)
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+
mimetype
text
+
Mime type
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
authentihash
authentihash
Authenticode executable signature hash
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
text
text
Free text value to attach to the file
++
entropy
float
Entropy of the whole file
++
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
state
text
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
filename
filename
Filename on disk
+
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
+
text
text
-
-
last-seen
datetime
-
-
region
text
-
-
country
text
-
-
latitude
float
-
-
city
text
-
-
altitude
float
-
-
first-seen
datetime
+
A generic description of the location.
@@ -1916,12 +1846,82 @@ geolocation is a MISP object available in JSON format at
longitude
float
+
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
region
text
Region.
++
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
first-seen
datetime
When the location was seen for the first time.
++
country
text
Country.
++
altitude
float
The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
++
city
text
City.
++
uri
-uri
-
-
basicauth-user
text
-
-
url
url
-
-
cookie
text
-
-
content-type
other
-
-
user-agent
user-agent
+
The user agent string of the user agent
text
text
uri
uri
-
-
referer
referer
-
-
basicauth-password
text
-
-
proxy-password
text
-
-
host
hostname
+
Request URI
@@ -2074,8 +1984,88 @@ http-request is a MISP object available in JSON format at
proxy-user
text
HTTP Proxy Username
+
content-type
other
The MIME type of the body of the request
++
basicauth-password
text
HTTP Basic Authentication Password
++
url
url
Full HTTP Request URL
++
referer
referer
This is the address of the previous web page from which a link to the currently requested page was followed
++
host
hostname
The domain name of the server
++
proxy-password
text
HTTP Proxy Password
++
text
text
HTTP Request comment
++
basicauth-user
text
HTTP Basic Authentication Username
+
method
http-method
+
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
cookie
text
An HTTP cookie previously sent by the server with Set-Cookie
++
last-seen
-datetime
-
-
dst-port
port
-
-
ip
ip-dst
-
-
text
text
+
Description of the tuple
@@ -2172,8 +2142,28 @@ ip-port is a MISP object available in JSON format at
src-port
port
Source port
+
ip
ip-dst
IP Address
++
last-seen
datetime
Last time the tuple has been seen
+
first-seen
datetime
First time the tuple has been seen
+
dst-port
port
Destination port
+
last-seen
-datetime
ja3-fingerprint-md5
md5
Hash identifying source
+
ip-src
ip-src
Source IP Address
+
description
text
+
Type of detected software ie software, malware
ip-dst
ip-dst
last-seen
datetime
-
-
ip-src
ip-src
+
Last seen of the SSL/TLS handshake
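Review bot: "Hash identifying source" on `ja3-fingerprint-md5` overstates what the value is. A JA3 fingerprint is an MD5 over parameters of the TLS ClientHello, so it characterises the client software and many sources share one value; something like "JA3 fingerprint (MD5) of the client's TLS handshake" would keep analysts from treating it as a per-host identifier. In the same object, "ie software, malware" on `description` should be "i.e. software, malware".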
@@ -2270,17 +2270,17 @@ ja3 is a MISP object available in JSON format at
first-seen
datetime
+
First seen of the SSL/TLS handshake
ja3-fingerprint-md5
md5
ip-dst
ip-dst
+
Destination IP address
@@ -2325,40 +2325,20 @@ macho is a MISP object available in JSON format at
text
text
-
-
number-sections
counter
-
-
name
text
-
-
entrypoint-address
text
+
Address of the entry point
++
text
text
Free text value to attach to the Mach-O file
number-sections
counter
Number of sections
++
name
text
Binary’s name
++
sha1
-sha1
ssdeep
ssdeep
+
Fuzzy hash using context triggered piecewise hashes (CTPH)
sha512/224
sha512/224
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+
md5
md5
[Insecure] MD5 hash (128 bits)
+
sha224
sha224
+
Secure Hash Algorithm 2 (224 bits)
entropy
float
sha256
sha256
-
-
sha512
sha512
+
Secure Hash Algorithm 2 (256 bits)
size-in-bytes
size-in-bytes
sha512/224
sha512/224
-
-
sha512/256
sha512/256
+
Secure Hash Algorithm 2 (224 bits)
@@ -2486,7 +2476,7 @@ macho-section is a MISP object available in JSON format at
text
text
+
Free text value to attach to the section
@@ -2496,47 +2486,57 @@ macho-section is a MISP object available in JSON format at
name
text
+
Name of the section
sha256
sha256
entropy
float
+
Entropy of the whole section
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
md5
md5
sha512/256
sha512/256
+
Secure Hash Algorithm 2 (256 bits)
ssdeep
ssdeep
sha1
sha1
-
-
sha384
sha384
+
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -2581,40 +2581,20 @@ microblog is a MISP object available in JSON format at
removal-date
datetime
When the microblog post was removed
++
post
text
-
-
username-quoted
text
-
-
url
url
-
-
link
url
+
Raw post
@@ -2624,17 +2604,7 @@ microblog is a MISP object available in JSON format at
modification-date
datetime
-
-
removal-date
datetime
+
Last update of the microblog post
@@ -2644,7 +2614,7 @@ microblog is a MISP object available in JSON format at
username
text
+
Username who posted the microblog post
@@ -2654,8 +2624,28 @@ microblog is a MISP object available in JSON format at
creation-date
datetime
Initial creation of the microblog post
+
url
url
Original URL location of the microblog post
++
link
url
Link into the microblog post
+
username-quoted
text
Username who are quoted into the microblog post
++
first-packet-seen
-datetime
src-as
AS
+
Source AS number for this flow
@@ -2722,93 +2722,73 @@ netflow is a MISP object available in JSON format at
ip_version
counter
+
IP version of this flow
byte-count
counter
icmp-type
text
+
ICMP type of the flow (if the traffic is ICMP)
ip-dst
ip-dst
-
-
ip-protocol-number
size-in-bytes
+
IP protocol number of this flow
last-packet-seen
datetime
protocol
text
+
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
ip-src
ip-src
-
-
packet-count
counter
-
-
src-port
dst-port
port
+
Destination port of the netflow
src-as
AS
ip-dst
ip-dst
+
IP address destination of the netflow
tcp-flags
text
TCP flags of the flow
++
direction
text
flow-count
counter
-
-
dst-port
port
-
-
tcp-flags
text
-
-
dst-as
AS
+
Destination AS number for this flow
icmp-type
text
byte-count
counter
+
Bytes counted in this flow
protocol
text
first-packet-seen
datetime
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+First packet seen in this flow
++
packet-count
counter
Packets counted in this flow
++
flow-count
counter
Flows counted in this flow
++
last-packet-seen
datetime
Last packet seen in this flow
++
ip-src
ip-src
IP address source of the netflow
++
src-port
port
Source port of the netflow
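Review bot: `ip-protocol-number` is listed with type `size-in-bytes`, which does not match its description "IP protocol number of this flow"; the other numeric rows in this hunk (`ip_version`, `byte-count`, `packet-count`, `flow-count`) use `counter`. Please confirm the type in the netflow definition. Also note that `ip_version` uses an underscore while every other attribute of the object is hyphenated.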
@@ -2917,30 +2917,40 @@ passive-dns is a MISP object available in JSON format at
rrtype
text
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers
++
rdata
text
Resource records of the queried resource
++
zone_time_first
datetime
-
-
time_first
datetime
-
-
time_last
datetime
+
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -2950,17 +2960,7 @@ passive-dns is a MISP object available in JSON format at
zone_time_last
datetime
-
-
text
text
+
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
@@ -2970,6 +2970,26 @@ passive-dns is a MISP object available in JSON format at
origin
text
Origin of the Passive DNS response
++
rrname
text
Resource Record name of the queried resource
++
text
text
sensor_id
text
-
-
count
counter
+
Sensor information where the record was seen
@@ -3000,37 +3010,27 @@ passive-dns is a MISP object available in JSON format at
bailiwick
text
+
Best estimate of the apex of the zone where this data is authoritative
rrname
text
time_first
datetime
+
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
rrtype
text
time_last
datetime
Resource Record type as seen by the passive DNS ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
--
rdata
text
+
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
@@ -3075,36 +3075,6 @@ paste is a MISP object available in JSON format at
url
url
-
-
paste
text
-
-
last-seen
datetime
-
-
origin
text
paste
text
Raw text of the paste or post
++
url
url
Link to the original source of the paste or post.
++
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
first-seen
datetime
+
When the paste has been accessible or seen for the first time.
@@ -3128,7 +3128,7 @@ paste is a MISP object available in JSON format at
title
text
+
Title of the paste or post.
@@ -3173,50 +3173,20 @@ pe is a MISP object available in JSON format at
text
text
pehash
pehash
-
-
original-filename
filename
+
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
file-description
product-name
text
-
-
lang-id
text
-
-
legal-copyright
text
+
ProductName in the resources
@@ -3226,47 +3196,17 @@ pe is a MISP object available in JSON format at
compilation-timestamp
datetime
+
Compilation timestamp defined in the PE header
file-version
text
-
-
company-name
text
-
-
entrypoint-address
text
-
-
product-version
text
+
ProductVersion in the resources
@@ -3283,73 +3223,133 @@ pe is a MISP object available in JSON format at
number-sections
counter
company-name
text
+
CompanyName in the resources
impfuzzy
impfuzzy
legal-copyright
text
+
LegalCopyright in the resources
+
+
entrypoint-address
text
Address of the entry point
++
lang-id
text
Lang ID in the resources
++
text
text
Free text value to attach to the PE
+
internal-filename
filename
+
InternalFilename in the resources
imphash
imphash
original-filename
filename
+
OriginalFilename in the resources
product-name
text
number-sections
counter
+
Number of sections
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
file-description
text
FileDescription in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
entrypoint-section-at-position
text
+
Name of the section and position of the section in the PE
pehash
pehash
file-version
text
+
FileVersion in the resources
+
sha1
-sha1
ssdeep
ssdeep
+
Fuzzy hash using context triggered piecewise hashes (CTPH)
sha512/224
sha512/224
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
+
md5
md5
[Insecure] MD5 hash (128 bits)
+
sha224
sha224
+
Secure Hash Algorithm 2 (224 bits)
entropy
float
sha256
sha256
+
Secure Hash Algorithm 2 (256 bits)
+
sha512
-sha512
sha512/224
sha512/224
-
-
size-in-bytes
size-in-bytes
-
-
sha512/256
sha512/256
+
Secure Hash Algorithm 2 (224 bits)
@@ -3474,7 +3464,7 @@ pe-section is a MISP object available in JSON format at
text
text
+
Free text value to attach to the section
@@ -3491,40 +3481,50 @@ pe-section is a MISP object available in JSON format at
sha256
sha256
entropy
float
+
Entropy of the whole section
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
md5
md5
sha512/256
sha512/256
+
Secure Hash Algorithm 2 (256 bits)
ssdeep
ssdeep
sha1
sha1
-
-
sha384
sha384
+
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -3569,20 +3569,10 @@ person is a MISP object available in JSON format at
first-name
first-name
middle-name
middle-name
-
-
redress-number
redress-number
+
Middle name of a natural person
@@ -3592,18 +3582,48 @@ person is a MISP object available in JSON format at
nationality
nationality
+
The nationality of a natural person.
place-of-birth
place-of-birth
last-name
last-name
Last name of a natural person.
+
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
++
passport-number
passport-number
The passport number of a natural person.
++
first-name
first-name
First name of a natural person.
+
text
text
+
A description of the person or identity.
passport-expiration
passport-expiration
The expiration date of a passport.
++
gender
gender
passport-expiration
passport-expiration
passport-country
passport-country
+
The country in which the passport was issued.
@@ -3642,47 +3672,17 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
+
Date of birth of a natural person (in YYYY-MM-DD format).
passport-number
passport-number
place-of-birth
place-of-birth
-
-
middle-name
middle-name
-
-
last-name
last-name
-
-
passport-country
passport-country
+
Place of birth of a natural person.
@@ -3727,60 +3727,40 @@ phone is a MISP object available in JSON format at
last-seen
datetime
-
-
first-seen
datetime
-
-
imei
text
-
-
tmsi
text
-
-
imsi
text
+
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
last-seen
datetime
When the phone has been accessible or seen for the last time.
++
text
text
A description of the phone.
++
guti
text
+
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
@@ -3790,7 +3770,7 @@ phone is a MISP object available in JSON format at
msisdn
text
+
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
@@ -3800,8 +3780,38 @@ phone is a MISP object available in JSON format at
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
+
imei
text
International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
++
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
tmsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+
serial-number
text
+
Serial Number.
text
text
-
-
total-functions
-counter
-
-
dangling-strings
counter
-
-
memory-allocations
counter
-
-
ratio-api
float
+
Amount of memory allocations
@@ -3908,167 +3878,7 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
counter
-
-
text
text
-
-
r2-commit-version
text
-
-
get-proc-address
counter
-
-
refsglobalvar
counter
-
-
callback-largest
counter
-
-
create-thread
counter
-
-
not-referenced-strings
counter
-
-
callbacks
counter
-
-
ratio-string
float
-
-
callback-average
counter
-
-
total-api
counter
-
-
local-references
counter
-
-
gml
attachment
-
-
shortest-path-to-create-thread
counter
-
-
miss-api
counter
-
-
unknown-references
counter
+
Amount of referenced strings
@@ -4078,7 +3888,197 @@ r2graphity is a MISP object available in JSON format at
ratio-functions
float
+
Ratio: amount of functions per kilobyte of code section
++
total-api
counter
Total amount of API calls
++
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
++
not-referenced-strings
counter
Amount of not referenced strings
++
dangling-strings
counter
Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
++
text
text
Description of the r2graphity object
++
create-thread
counter
Amount of calls to CreateThread
++
total-functions
counter
Total amount of functions in the file.
++
unknown-references
counter
Amount of API calls not ending in a function (Radare2 bug, probalby)
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
r2-commit-version
text
Radare2 commit ID used to generate this object
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
callback-average
counter
Average size of a callback
++
gml
attachment
Graph export in G>raph Modelling Language format
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
local-references
counter
Amount of API calls inside a code section
++
callback-largest
counter
Largest callback
++
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
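Review bot: the `gml` description reads "Graph export in G>raph Modelling Language format"; the stray `>` looks like a leftover from markup or escaping and should be "Graph Modelling Language". In the same hunk the `unknown-references` row has "probalby" for "probably". Both are worth fixing at the source of the descriptions rather than in the HTML, so they do not return on the next regeneration.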
@@ -4123,10 +4123,10 @@ regexp is a MISP object available in JSON format at
comment
comment
regexp
text
+
regexp
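Review bot: the description added for the `regexp` attribute is just "regexp", which tells a reader nothing the name does not. State what the value holds and which syntax is expected, since anyone compiling a shared expression needs to know the dialect before running it against their data.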
@@ -4143,10 +4143,10 @@ regexp is a MISP object available in JSON format at
regexp
text
comment
comment
+
A description of the regular expression.
@@ -4191,10 +4191,10 @@ registry-key is a MISP object available in JSON format at
data-type
reg-datatype
key
reg-key
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Full key path
@@ -4204,27 +4204,7 @@ registry-key is a MISP object available in JSON format at
name
reg-name
-
-
key
reg-key
-
-
last-modified
datetime
+
Name of the registry key
@@ -4234,7 +4214,7 @@ registry-key is a MISP object available in JSON format at
data
reg-data
+
Data stored in the registry key
@@ -4244,8 +4224,28 @@ registry-key is a MISP object available in JSON format at
hive
reg-hive
Hive used to store the registry key (file on disk)
+
last-modified
datetime
Last time the registry key has been modified
++
data-type
reg-datatype
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+
classification
-text
-
-
subject
text
-
-
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Subject of the RTIR ticket
@@ -4329,21 +4309,31 @@ rtir is a MISP object available in JSON format at
ticket-number
text
ip
ip-dst
+
IPs automatically extracted from the RTIR ticket
ip
ip-dst
classification
text
Classification of the RTIR ticket
+
ticket-number
text
ticket-number of the RTIR ticket
+
constituency
text
Constituency of the RTIR ticket
+
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+
nickname
-text
-
-
version
text
-
-
flags
text
-
-
first-seen
datetime
-
-
text
text
-
-
last-seen
datetime
-
-
description
text
-
-
version_line
text
+
parsed version of tor, this is None if the relay’s using a new versioning scheme.
@@ -4480,8 +4410,88 @@ tor-node is a MISP object available in JSON format at
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
++
version_line
text
versioning information reported by the node.
+
description
text
Tor node description.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
fingerprint
text
router’s fingerprint.
++
nickname
text
router’s nickname.
++
flags
text
list of flag associated with the node.
++
text
text
Tor node comment.
+
document
text
+
Raw document from the consensus.
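Review bot: both `last-seen` and `first-seen` say "the Tor node designed by the IP address"; "designated" or "identified" is presumably meant. Separately, `flags` reads "list of flag associated with the node." and several descriptions in this object start in lower case while `description` and `text` are capitalised; pick one style for the whole object.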
@@ -4500,17 +4510,7 @@ tor-node is a MISP object available in JSON format at
address
ip-src
-
-
fingerprint
text
+
IP address of the Tor node seen.
@@ -4555,70 +4555,10 @@ url is a MISP object available in JSON format at
text
resource_path
text
-
-
domain_without_tld
text
-
-
tld
text
-
-
subdomain
text
-
-
url
url
-
-
host
hostname
-
-
port
port
+
Path (between hostname:port and query)
@@ -4635,10 +4575,20 @@ url is a MISP object available in JSON format at
text
text
Description of the URL
++
first-seen
datetime
+
First time this URL has been seen
@@ -4648,17 +4598,7 @@ url is a MISP object available in JSON format at
last-seen
datetime
-
-
query_string
text
+
Last time this URL has been seen
@@ -4668,17 +4608,7 @@ url is a MISP object available in JSON format at
domain
domain
-
-
fragment
text
+
Full domain
@@ -4688,18 +4618,88 @@ url is a MISP object available in JSON format at
credential
text
+
Credential (username, password)
resource_path
subdomain
text
Subdomain
+
url
url
Full URL
++
port
port
Port number
++
domain_without_tld
text
Domain without Top-Level Domain
++
host
hostname
Full hostname
++
tld
text
Top-Level Domain
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
++
query_string
text
Query (after path, preceded by '?')
+
regions
+text
The list of regions or locations from the victim targeted. ISO 3166 should be used.
++
name
text
The name of the victim targeted. The name can be an organisation or a group of organisations.
++
roles
text
The list of roles targeted within the victim.
++
classification
text
description
text
-
-
name
text
-
-
roles
text
+
Description of the victim
regions
text
-
-
community-score
+text
Community Score
++
detection-ratio
text
+
Detection Ratio
@@ -4854,7 +4864,7 @@ virustotal-report is a MISP object available in JSON format at
permalink
link
+
Permalink Reference
@@ -4864,7 +4874,7 @@ virustotal-report is a MISP object available in JSON format at
last-submission
datetime
+
Last Submission
@@ -4874,22 +4884,12 @@ virustotal-report is a MISP object available in JSON format at
first-submission
datetime
+
First Submission
community-score
text
-
-
published
datetime
-
-
references
link
-
-
modified
datetime
+
Initial publication date
@@ -4962,17 +4942,7 @@ vulnerability is a MISP object available in JSON format at
id
vulnerability
-
-
vulnerable_configuration
text
+
Vulnerability ID (generally CVE, but not necessarely)
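Review bot: "necessarely" in the `id` description should be "necessarily". Since the text says the ID is not always a CVE, it would also help to name what else is accepted, so that consumers do not validate the field against the CVE pattern only.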
@@ -4982,7 +4952,7 @@ vulnerability is a MISP object available in JSON format at
text
text
+
Description of the vulnerability
@@ -4992,8 +4962,38 @@ vulnerability is a MISP object available in JSON format at
summary
text
Summary of the vulnerability
+
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
++
modified
datetime
Last modification date
++
references
link
External references
+
domain
-domain
registrant-email
whois-registrant-email
+
Registrant email address
registrant-phone
whois-registrant-phone
text
text
+
Full whois entry
@@ -5060,47 +5060,7 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
-
-
registrant-email
whois-registrant-email
-
-
modification-date
datetime
-
-
registar
whois-registrar
-
-
text
text
+
Registrant name
@@ -5110,8 +5070,28 @@ whois is a MISP object available in JSON format at
creation-date
datetime
Initial creation of the whois entry
+
registar
whois-registrar
Registrar of the whois entry
++
registrant-phone
whois-registrant-phone
Registrant phone number
+
expiration-date
datetime
Expiration of the whois entry
+
domain
domain
Domain of the whois entry
++
modification-date
datetime
Last update of the whois entry
+
version
text
-
-
x509-fingerprint-sha256
sha256
-
-
subject
text
-
-
validity-not-before
datetime
-
-
pubkey-info-size
text
-
-
pubkey-info-exponent
text
-
-
pubkey-info-algorithm
text
-
-
text
text
-
-
x509-fingerprint-sha1
sha1
-
-
x509-fingerprint-md5
md5
-
-
pubkey-info-modulus
text
-
-
issuer
text
+
Version of the certificate
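Review bot: in the whois rows of this hunk the registrar attribute is named `registar`, while its type is `whois-registrar` and its description says "Registrar of the whois entry". If the name is a typo, fix it in the whois definition; if it is kept for compatibility with existing objects, say so in the description so that consumers matching on `registrar` know to look for the other spelling.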
@@ -5288,8 +5178,18 @@ x509 is a MISP object available in JSON format at
raw-base64
text
Raw certificate base64 encoded
+
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
+
validity-not-after
datetime
Certificate invalid after that date
+
pubkey-info-exponent
text
Exponent of the public key
++
pubkey-info-size
text
Length of the public key (in bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
validity-not-before
datetime
Certificate invalid before that date
++
subject
text
Subject of the certificate
++
text
text
Free text description of hte certificate
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
pubkey-info-modulus
text
Modulus of the public key
+
serial-number
text
Serial number of the certificate
+
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
issuer
text
Issuer of the certificate
+
version
comment
-
-
yara-hunt
yara
-
-
comment
comment
+
yabin.py and regex.txt version used for the generation of the yara rules.
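Review bot: "Free text description of hte certificate" on the x509 `text` row has "hte" for "the". The two validity rows are also easy to misread side by side: "Certificate invalid before that date" and "Certificate invalid after that date" would be clearer as "Start of the validity period (notBefore)" and "End of the validity period (notAfter)".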
@@ -5386,7 +5366,7 @@ yabin is a MISP object available in JSON format at
yara
yara
+
Yara rule generated from -y.
@@ -5396,12 +5376,32 @@ yabin is a MISP object available in JSON format at
whitelist
comment
+
Whitelist name used to generate the rules.
comment
comment
A description of Yara rule generated.
++
yara-hunt
yara
Wide yara rule generated from -yh.
++