From dbee5fe7460c72b9f1093a683c2c5ab5e08bf468 Mon Sep 17 00:00:00 2001
From: Alexandre Dulaunoy
Date: Wed, 31 Jan 2018 15:07:37 +0100
Subject: [PATCH] objects updated
---
objects.html | 4538 +-
objects.pdf | 176287 ++++++++++++++++++++++++------------------------
2 files changed, 90443 insertions(+), 90382 deletions(-)
diff --git a/objects.html b/objects.html
index 82d3366..fb2258b 100755
--- a/objects.html
+++ b/objects.html
@@ -567,6 +567,16 @@ ail-leak is a MISP object available in JSON format at last-seen
datetime
When the leak has been accessible or seen for the last time.
++
type
text
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
--
text
text
duplicate_number
counter
Number of known duplicates.
--
duplicate
text
Duplicate of the existing leaks.
--
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
--
last-seen
datetime
When the leak has been accessible or seen for the last time.
--
origin
text
duplicate_number
counter
Number of known duplicates.
++
duplicate
text
Duplicate of the existing leaks.
++
original-date
datetime
When the information available in the leak was created. It’s usually before the first-seen.
++
raw-data
attachment
Raw data as received by the AIL sensor compressed and encoded in Base64.
++
type
-text
ref
link
Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
+Reference(s) to the annotation
+
+
creation-date
datetime
Initial creation of the annotation
+
ref
-link
Reference(s) to the annotation
--
modification-date
datetime
creation-date
datetime
type
text
Initial creation of the annotation
+Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo']
+
country
+export
text
Country code of the main location of the autonomous system
--
mp-export
text
This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
--
last-seen
datetime
Last time the ASN was seen
--
subnet-announced
ip-src
Subnet announced
+The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
@@ -911,20 +881,30 @@ asn is a MISP object available in JSON format at
first-seen
datetime
description
text
First time the ASN was seen
+Description of the autonomous system
+
export
mp-export
text
The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format
+This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format
++
subnet-announced
ip-src
Subnet announced
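Review bot: the `mp-export` description added in this hunk ends with a stray word, "(RPSLng), section 4.5. format", which looks carried over from the `export` text that ends "(RPSL) format". Drop the trailing "format" or reword the sentence to match the `export` row. If objects.html is generated from the JSON object definitions, make the fix there so it survives the next regeneration.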
@@ -941,16 +921,6 @@ asn is a MISP object available in JSON format at
description
text
Description of the autonomous system
--
asn
AS
country
text
Country code of the main location of the autonomous system
++
last-seen
datetime
Last time the ASN was seen
++
first-seen
datetime
First time the ASN was seen
++
text
+software
text
Free text value to attach to the file
+Name of antivirus software
software
text
text
Name of antivirus software
+Free text value to attach to the file
@@ -1077,20 +1077,10 @@ bank-account is a MISP object available in JSON format at
currency-code
comments
text
Currency of the account. ['USD', 'EUR']
--
swift
bic
SWIFT or BIC as defined in ISO 9362.
+Comments about the bank account.
@@ -1117,30 +1107,10 @@ bank-account is a MISP object available in JSON format at
non-banking-institution
boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
--
date-balance
datetime
When the balance was reported.
--
branch
personal-account-type
text
Branch code or name
+Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
@@ -1157,70 +1127,10 @@ bank-account is a MISP object available in JSON format at
account
bank-account-nr
swift
bic
Account number
--
account-name
text
A field to freely describe the bank account details.
--
text
text
A description of the bank account.
--
comments
text
Comments about the bank account.
--
beneficiary
text
Final beneficiary of the bank account.
--
closed
datetime
When the account was closed.
--
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
+SWIFT or BIC as defined in ISO 9362.
@@ -1247,6 +1157,66 @@ bank-account is a MISP object available in JSON format at
branch
text
Branch code or name
++
account-name
text
A field to freely describe the bank account details.
++
account
bank-account-nr
Account number
++
beneficiary
text
Final beneficiary of the bank account.
++
text
text
A description of the bank account.
++
currency-code
text
Currency of the account. ['USD', 'EUR']
++
beneficiary-comment
text
status-code
text
Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']
++
closed
datetime
When the account was closed.
++
non-banking-institution
boolean
A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation.
++
date-balance
datetime
When the balance was reported.
++
iban
iban
personal-account-type
text
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']
--
symbol
-text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
--
first-seen
datetime
First time this payment destination address has been seen
--
last-seen
datetime
symbol
text
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT']
++
text
text
first-seen
datetime
First time this payment destination address has been seen
++
address
btc
type
cookie-name
text
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+Name of the cookie (if splitted)
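Review bot: "Name of the cookie (if splitted)" on the added `cookie-name` line should read "if split". The bank-account rows re-added in the same hunk carry a similar slip, "A flag to define if this account belong to a non-banking organisation", which should be "belongs".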
@@ -1423,13 +1423,13 @@ cookie is a MISP object available in JSON format at
cookie-name
text
text
Name of the cookie (if splitted)
+A description of the cookie.
+
text
+type
text
A description of the cookie.
+Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']
+
type
-text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
--
username
text
Username related to the password(s)
--
text
text
A description of the credential(s)
--
password
text
text
text
A description of the credential(s)
++
origin
text
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
username
text
Username related to the password(s)
++
format
text
name
version
text
Name of the card owner.
+Version of the card.
++
cc-number
cc-number
credit-card number as encoded on the card.
@@ -1619,10 +1629,20 @@ credit-card is a MISP object available in JSON format at
cc-number
cc-number
name
text
credit-card number as encoded on the card.
+Name of the card owner.
++
comment
comment
A description of the card.
version
text
Version of the card.
--
comment
comment
A description of the card.
--
src-port
-port
ip-src
ip-src
Port originating the attack
+IP address originating the attack
@@ -1727,16 +1727,6 @@ ddos is a MISP object available in JSON format at
domain-dst
domain
Destination domain (victim)
--
text
text
first-seen
datetime
Beginning of the attack
--
last-seen
datetime
End of the attack
--
dst-port
src-port
port
Destination port of the attack
--
ip-src
ip-src
IP address originating the attack
--
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
+Port originating the attack
@@ -1807,6 +1757,26 @@ ddos is a MISP object available in JSON format at
dst-port
port
Destination port of the attack
++
last-seen
datetime
End of the attack
++
ip-dst
ip-dst
domain-dst
domain
Destination domain (victim)
++
first-seen
datetime
Beginning of the attack
++
protocol
text
Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
++
first-seen
-datetime
Origin-Host
text
When the attack has been seen for the first time.
+Origin-Host.
+
category
+ApplicationId
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
--
SessionId
text
Session-ID.
+Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
@@ -1905,16 +1895,26 @@ diameter-attack is a MISP object available in JSON format at
Origin-Host
Destination-Realm
text
Origin-Host.
+Destination-Realm.
category
text
Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
++
Destination-Host
text
SessionId
text
Session-ID.
++
text
text
A description of the attack seen.
++
Origin-Realm
text
Origin-Realm.
++
CmdCode
text
text
text
first-seen
datetime
A description of the attack seen.
+When the attack has been seen for the first time.
Destination-Realm
text
Destination-Realm.
--
Origin-Realm
text
Origin-Realm.
--
ApplicationId
text
Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
--
first-seen
-datetime
ip
ip-dst
First time the tuple has been seen
+IP Address
+
domain
-domain
first-seen
datetime
Domain name
+First time the tuple has been seen
+
ip
-ip-dst
domain
domain
IP Address
+Domain name
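Review bot: the diameter-attack attribute names in these rows mix two conventions: `Origin-Host`, `Origin-Realm`, `Destination-Host` and `Destination-Realm` are hyphenated, while `SessionId`, `ApplicationId` and `CmdCode` are camel case, even though their own descriptions say "Session-ID" and "Application-ID". Readers build objects from this page, so either settle on one form or state the mapping in the descriptions.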
@@ -2101,26 +2101,6 @@ elf is a MISP object available in JSON format at
entrypoint-address
text
Address of the entry point
--
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
os_abi
text
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
arch
text
entrypoint-address
text
Address of the entry point
++
flag
+text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
++
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
entropy
float
Entropy of the whole section
++
text
text
Free text value to attach to the section
++
ssdeep
ssdeep
text
text
Free text value to attach to the section
--
entropy
float
Entropy of the whole section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
flag
text
Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
name
text
Name of the section
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
mime-boundary
-email-mime-boundary
attachment
email-attachment
MIME Boundary
--
to
email-dst
Destination email address
+Attachment
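Review bot: in the elf-section rows, `sha512/256` is described as "Secure Hash Algorithm 2 (256 bits)" and `sha512/224` as "Secure Hash Algorithm 2 (224 bits)", word for word the same as the `sha256` and `sha224` rows. These are different functions that give different digests for the same input, so the descriptions should say so, for example "SHA-512/256 (SHA-512 variant with 256-bit output)". Otherwise a reader can file a SHA-256 value under the wrong attribute.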
@@ -2417,10 +2407,30 @@ email is a MISP object available in JSON format at
cc
email-dst
to-display-name
email-dst-display-name
Carbon copy
+Display name of the receiver
++
return-path
text
Message return path
++
mime-boundary
email-mime-boundary
MIME Boundary
@@ -2437,30 +2447,30 @@ email is a MISP object available in JSON format at
to-display-name
email-dst-display-name
send-date
datetime
Display name of the receiver
+Date the email has been sent
++
header
email-header
Full headers
email-body
email-body
to
email-dst
Body of the email
--
subject
email-subject
Subject
+Destination email address
@@ -2477,10 +2487,20 @@ email is a MISP object available in JSON format at
attachment
email-attachment
email-body
email-body
Attachment
+Body of the email
++
cc
email-dst
Carbon copy
@@ -2507,16 +2527,6 @@ email is a MISP object available in JSON format at
from-display-name
email-src-display-name
Display name of the sender
--
thread-index
email-thread-index
header
email-header
from-display-name
email-src-display-name
Full headers
+Display name of the sender
send-date
datetime
subject
email-subject
Date the email has been sent
--
return-path
text
Message return path
+Subject
@@ -2595,60 +2595,10 @@ file is a MISP object available in JSON format at
ssdeep
ssdeep
tlsh
tlsh
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the file
--
entropy
float
Entropy of the whole file
--
state
text
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
--
authentihash
authentihash
Authenticode executable signature hash
+Fuzzy hash by Trend Micro: Locality Sensitive Hash
@@ -2665,6 +2615,16 @@ file is a MISP object available in JSON format at
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha224
sha224
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
mimetype
text
Mime type
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
tlsh
tlsh
Fuzzy hash by Trend Micro: Locality Sensitive Hash
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
malware-sample
malware-sample
authentihash
authentihash
Authenticode executable signature hash
++
pattern-in-file
pattern-in-file
filename
filename
mimetype
text
Filename on disk
+Mime type
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
sha512
sha512
filename
filename
Secure Hash Algorithm 2 (512 bits)
+Filename on disk
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
entropy
float
Entropy of the whole file
++
text
text
Free text value to attach to the file
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
state
text
State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -2833,26 +2833,16 @@ geolocation is a MISP object available in JSON format at
first-seen
last-seen
datetime
When the location was seen for the first time.
+When the location was seen for the last time.
city
text
City.
--
latitude
float
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
--
text
text
region
text
Region.
++
country
text
last-seen
datetime
longitude
float
When the location was seen for the last time.
+The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
region
first-seen
datetime
When the location was seen for the first time.
++
city
text
Region.
+City.
@@ -2961,50 +2961,30 @@ gtp-attack is a MISP object available in JSON format at
GtpMsisdn
GtpImei
text
GTP MSISDN.
+GTP IMEI (International Mobile Equipment Identity).
ipDest
ip-dst
IP destination address.
--
ipSrc
ip-src
IP source address.
--
PortDest
GtpServingNetwork
text
Destination port.
+GTP Serving Network.
text
GtpMessageType
text
A description of the GTP attack.
+GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
@@ -3031,20 +3011,20 @@ gtp-attack is a MISP object available in JSON format at
GtpImei
GtpMsisdn
text
GTP IMEI (International Mobile Equipment Identity).
+GTP MSISDN.
GtpMessageType
PortDest
text
GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
+Destination port.
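Review bot: `PortDest` appears here in a row typed `text`, while `PortSrc` in the same gtp-attack object is typed `port` ("PortSrc / port / Source port."). Unless free text is deliberate, the destination port should use the `port` type as well so both ends of the flow are handled the same way.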
@@ -3061,26 +3041,6 @@ gtp-attack is a MISP object available in JSON format at
PortSrc
port
Source port.
--
GtpServingNetwork
text
GTP Serving Network.
--
first-seen
datetime
text
text
A description of the GTP attack.
++
ipDest
ip-dst
IP destination address.
++
ipSrc
ip-src
IP source address.
++
PortSrc
port
Source port.
++
host
-hostname
url
url
The domain name of the server
+Full HTTP Request URL
method
http-method
basicauth-password
text
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+HTTP Basic Authentication Password
+
proxy-user
-text
HTTP Proxy Username
--
content-type
other
The MIME type of the body of the request
--
uri
uri
Request URI
--
text
text
HTTP Request comment
--
referer
referer
basicauth-password
text
HTTP Basic Authentication Password
--
url
url
Full HTTP Request URL
--
cookie
text
content-type
other
The MIME type of the body of the request
++
text
text
HTTP Request comment
++
uri
uri
Request URI
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
host
hostname
The domain name of the server
++
proxy-user
text
HTTP Proxy Username
++
proxy-password
text
An IP address and a port seen as a tuple (or as a triple) in a specific time frame..
+An IP address (or domain) and a port seen as a tuple (or as a triple) in a specific time frame..
datetime |
-
- First time the tuple has been seen - |
-
- - |
-
-||||||||||
last-seen |
datetime |
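Review bot: the reworded ip-port description still ends in a doubled full stop, "in a specific time frame..". Since the sentence is being changed anyway to add "(or domain)", end it with a single ".".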
@@ -3327,10 +3317,10 @@ ip-port is a MISP object available in JSON format at src-port |
-port |
+ip |
+ip-dst |
- Source port +IP Address |
@@ -3347,10 +3337,30 @@ ip-port is a MISP object available in JSON format at ip |
-ip-dst |
+src-port |
+port |
- IP Address +Source port + |
+
+ + |
+
first-seen |
+datetime |
+
+ First time the tuple has been seen + |
+
+ + |
+|||||||||
domain |
+domain |
+
+ Domain |
@@ -3395,30 +3405,10 @@ ja3 is a MISP object available in JSON format at first-seen |
-datetime |
+ip-src |
+ip-src |
- First seen of the SSL/TLS handshake - |
-
- - |
-||||
last-seen |
-datetime |
-
- Last seen of the SSL/TLS handshake - |
-
- - |
-|||||||||
ja3-fingerprint-md5 |
-md5 |
-
- Hash identifying source +Source IP Address |
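Review bot: "Hash identifying source" for `ja3-fingerprint-md5` is too vague, and it reads even more ambiguously next to the `ip-src` row this hunk puts in its place. The value is an MD5 fingerprint of the client side of the SSL/TLS handshake, not a hash of a host, address or file. Say that in the description, for example "MD5 JA3 fingerprint of the client's SSL/TLS handshake".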
@@ -3435,16 +3425,6 @@ ja3 is a MISP object available in JSON format at ip-src |
-ip-src |
-
- Source IP Address - |
-
- - |
-||||||
ip-dst |
ip-dst |
|||||||||||
ja3-fingerprint-md5 |
+md5 |
+
+ Hash identifying source + |
+
+ + |
+|||||||||
last-seen |
+datetime |
+
+ Last seen of the SSL/TLS handshake + |
+
+ + |
+|||||||||
first-seen |
+datetime |
+
+ First seen of the SSL/TLS handshake + |
+
+ + |
+
entrypoint-address
text
Address of the entry point
--
type
text
entrypoint-address
text
Address of the entry point
++
text
text
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
name
text
Name of the section
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
md5
md5
[Insecure] MD5 hash (128 bits)
++
entropy
float
Entropy of the whole section
++
text
text
Free text value to attach to the section
++
ssdeep
ssdeep
text
text
Free text value to attach to the section
--
entropy
float
Entropy of the whole section
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
--
sha1
sha1
name
text
Name of the section
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
--
type
-text
removal-date
datetime
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
--
post
text
Raw post
--
username
text
Username who posted the microblog post
--
username-quoted
text
Username who are quoted into the microblog post
--
url
url
Original URL location of the microblog post
--
link
url
Link into the microblog post
+When the microblog post was removed
@@ -3819,6 +3779,16 @@ microblog is a MISP object available in JSON format at
url
url
Original URL location of the microblog post
++
creation-date
datetime
removal-date
datetime
username-quoted
text
When the microblog post was removed
+Username who are quoted into the microblog post
++
link
url
Link into the microblog post
++
type
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
username
text
Username who posted the microblog post
++
post
text
Raw post
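Review bot: the added `username-quoted` description, "Username who are quoted into the microblog post", needs a grammar fix, for example "Username(s) quoted in the microblog post". "Link into the microblog post" on the `link` row has the same "into" problem.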
@@ -3877,20 +3887,20 @@ mutex is a MISP object available in JSON format at
name
description
text
name of the mutex
+Description
description
name
text
Description
+name of the mutex
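Review bot: the row order should be made deterministic. In this hunk `name` and `description` only swap places with their text unchanged, and most other hunks in the patch likewise remove a row and add the identical row back further down. If the page is generated, emit each object's attributes in a fixed order (for example sorted by name) so that a regeneration shows only real changes rather than the 90443 insertions and 90382 deletions in the diffstat.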
@@ -3945,96 +3955,6 @@ netflow is a MISP object available in JSON format at
flow-count
counter
Flows counted in this flow
--
src-port
port
Source port of the netflow
--
dst-as
AS
Destination AS number for this flow
--
src-as
AS
Source AS number for this flow
--
ip-src
ip-src
IP address source of the netflow
--
packet-count
counter
Packets counted in this flow
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
--
byte-count
counter
Bytes counted in this flow
--
direction
text
last-packet-seen
datetime
Last packet seen in this flow
--
ip-dst
ip-dst
IP address destination of the netflow
--
ip_version
packet-count
counter
IP version of this flow
+Packets counted in this flow
@@ -4085,6 +3985,36 @@ netflow is a MISP object available in JSON format at
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
protocol
text
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
++
byte-count
counter
Bytes counted in this flow
++
dst-port
port
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
ip_version
counter
IP version of this flow
++
dst-as
AS
Destination AS number for this flow
++
ip-src
ip-src
IP address source of the netflow
++
src-port
port
Source port of the netflow
++
flow-count
counter
Flows counted in this flow
++
last-packet-seen
datetime
Last packet seen in this flow
++
tcp-flags
text
protocol
text
ip-dst
ip-dst
Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
+IP address destination of the netflow
++
src-as
AS
Source AS number for this flow
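Review bot: two netflow attribute types in these rows look wrong: `ip-protocol-number` is typed `size-in-bytes` and `ip_version` is typed `counter`, although neither value is a size or a count. `ip_version` is also written with an underscore where the other names shown use hyphens (`ip-protocol-number`, `last-packet-seen`). Both are worth correcting in the netflow definition before the documentation is regenerated.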
@@ -4153,26 +4163,6 @@ passive-dns is a MISP object available in JSON format at
text
text
Description of the passive DNS record.
--
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
sensor_id
text
origin
text
Origin of the Passive DNS response
--
time_last
datetime
rdata
rrtype
text
Resource records of the queried resource
+Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
+
+
origin
text
Origin of the Passive DNS response
++
time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
+
time_first
-datetime
First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
--
rrname
text
count
counter
rdata
text
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
+Resource records of the queried resource
++
text
text
Description of the passive DNS record.
rrtype
text
zone_time_first
datetime
Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
+First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
count
counter
How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
@@ -4311,20 +4321,10 @@ paste is a MISP object available in JSON format at
first-seen
datetime
When the paste has been accessible or seen for the first time.
--
title
paste
text
Title of the paste or post.
+Raw text of the paste or post
@@ -4341,16 +4341,6 @@ paste is a MISP object available in JSON format at
paste
text
Raw text of the paste or post
--
url
url
first-seen
datetime
When the paste has been accessible or seen for the first time.
++
title
text
Title of the paste or post.
++
entrypoint-address
-text
original-filename
filename
Address of the entry point
+OriginalFilename in the resources
file-description
text
FileDescription in the resources
++
internal-filename
filename
InternalFilename in the resources
++
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
file-version
text
company-name
type
text
CompanyName in the resources
+Type of PE ['exe', 'dll', 'driver', 'unknown']
imphash
imphash
product-name
text
Hash (md5) calculated from the import table
+ProductName in the resources
+
+
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
++
entrypoint-address
text
Address of the entry point
+
number-sections
-counter
Number of sections
--
original-filename
filename
OriginalFilename in the resources
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
product-version
text
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
product-name
text
ProductName in the resources
--
text
text
file-description
text
number-sections
counter
FileDescription in the resources
+Number of sections
impfuzzy
impfuzzy
Fuzzy Hash (ssdeep) calculated from the import table
++
imphash
imphash
Hash (md5) calculated from the import table
++
legal-copyright
text
internal-filename
filename
company-name
text
InternalFilename in the resources
+CompanyName in the resources
@@ -4627,46 +4637,6 @@ pe-section is a MISP object available in JSON format at
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
text
text
Free text value to attach to the section
--
entropy
float
Entropy of the whole section
--
sha512/256
sha512/256
sha1
sha1
size-in-bytes
size-in-bytes
[Insecure] Secure Hash Algorithm 1 (160 bits)
+Size of the section, in bytes
++
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
@@ -4717,36 +4697,16 @@ pe-section is a MISP object available in JSON format at
md5
md5
sha512
sha512
[Insecure] MD5 hash (128 bits)
+Secure Hash Algorithm 2 (512 bits)
sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
sha512/224
sha512/224
sha512
sha512
md5
md5
Secure Hash Algorithm 2 (512 bits)
+[Insecure] MD5 hash (128 bits)
++
entropy
float
Entropy of the whole section
++
text
text
Free text value to attach to the section
++
ssdeep
ssdeep
Fuzzy hash using context triggered piecewise hashes (CTPH)
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -4805,30 +4815,20 @@ person is a MISP object available in JSON format at
passport-expiration
passport-expiration
first-name
first-name
The expiration date of a passport.
+First name of a natural person.
place-of-birth
place-of-birth
passport-number
passport-number
Place of birth of a natural person.
--
social-security-number
text
Social security number
+The passport number of a natural person.
@@ -4845,6 +4845,26 @@ person is a MISP object available in JSON format at
alias
text
Alias name or known as.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
redress-number
redress-number
alias
text
passport-country
passport-country
Alias name or known as.
+The country in which the passport was issued.
+
first-name
-first-name
gender
gender
First name of a natural person.
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
place-of-birth
place-of-birth
Place of birth of a natural person.
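Review bot: `date-of-birth` states its format ("in YYYY-MM-DD format"), but `passport-expiration`, added a few rows above it in this hunk, says only "The expiration date of a passport." Add the same format hint there so the two date fields of the person object are entered consistently.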
@@ -4915,26 +4955,6 @@ person is a MISP object available in JSON format at
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
--
passport-number
passport-number
The passport number of a natural person.
--
last-name
last-name
passport-country
passport-country
social-security-number
text
The country in which the passport was issued.
+Social security number
-
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
-+
imsi
+tmsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
first-seen
last-seen
datetime
When the phone has been accessible or seen for the first time.
+When the phone has been accessible or seen for the last time.
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
text
text
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
serial-number
text
tmsi
imsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
msisdn
text
first-seen
datetime
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
+When the phone has been accessible or seen for the first time.
+
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
last-seen
datetime
When the phone has been accessible or seen for the last time.
--
refsglobalvar
+counter
Amount of API calls outside of code section (glob var, dynamic API)
++
get-proc-address
counter
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
gml
attachment
Graph export in G>raph Modelling Language format
++
local-references
counter
Amount of API calls inside a code section
++
dangling-strings
counter
ratio-string
callback-largest
counter
Largest callback
++
create-thread
counter
Amount of calls to CreateThread
++
miss-api
counter
Amount of API call reference that does not resolve to a function offset
++
not-referenced-strings
counter
Amount of not referenced strings
++
callback-average
counter
Average size of a callback
++
ratio-api
float
Ratio: amount of referenced strings per kilobyte of code section
+Ratio: amount of API calls per kilobyte of code section
++
memory-allocations
counter
Amount of memory allocations
++
referenced-strings
counter
Amount of referenced strings
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
total-api
counter
Total amount of API calls
++
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
++
text
text
Description of the r2graphity object
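Review bot: the gml row added for r2graphity reads "Graph export in G>raph Modelling Language format"; remove the stray ">" where the description is defined so the next regeneration does not bring it back. The msisdn description in the phone rows of this region also says "has a several interpretations", which should read "has several interpretations".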
@@ -5201,66 +5361,6 @@ r2graphity is a MISP object available in JSON format at
callback-average
counter
Average size of a callback
--
callback-largest
counter
Largest callback
--
refsglobalvar
counter
Amount of API calls outside of code section (glob var, dynamic API)
--
text
text
Description of the r2graphity object
--
local-references
counter
Amount of API calls inside a code section
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
--
r2-commit-version
text
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
total-api
counter
Total amount of API calls
--
referenced-strings
counter
Amount of referenced strings
--
memory-allocations
counter
Amount of memory allocations
--
shortest-path-to-create-thread
counter
Shortest path to the first time the binary calls CreateThread
--
not-referenced-strings
counter
Amount of not referenced strings
--
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
--
gml
attachment
Graph export in G>raph Modelling Language format
--
create-thread
counter
Amount of calls to CreateThread
--
type
-text
Specify which type corresponds to this regex. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']
--
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
--
regexp
text
type
text
Specify which type corresponds to this regex. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']
++
regexp-type
text
Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE']
++
data-type
-text
key
regkey
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Full key path
+
data
+data-type
text
Data stored in the registry key
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+
key
-regkey
Full key path
--
root-keys
text
data
text
Data stored in the registry key
++
status
+text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
++
constituency
text
Constituency of the RTIR ticket
++
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
ticket-number
text
constituency
text
Constituency of the RTIR ticket
--
status
text
Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
--
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
queue
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
--
sandbox-type
-text
The type of sandbox used ['on-premise', 'web', 'saas']
--
permalink
link
Permalink reference
--
score
text
Score
--
saas-sandbox
text
raw-report
text
Raw report from sandbox
--
on-premise-sandbox
text
results
permalink
link
Permalink reference
++
raw-report
text
Freetext result values
+Raw report from sandbox
sandbox-type
text
The type of sandbox used ['on-premise', 'web', 'saas']
++
score
text
Score
++
results
text
Freetext result values
++
text
+software
text
Additional signature description
+Name of Sandbox software
software
text
text
Name of Sandbox software
+Additional signature description
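Review bot: the score row added next to sandbox-type is typed text and described only as "Score", which tells a consumer neither the scale nor which end of it means malicious. Document the expected range, or say that the value is copied verbatim from the sandbox named in software, since scores from different sandboxes are otherwise not comparable.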
@@ -5947,40 +5957,20 @@ ss7-attack is a MISP object available in JSON format at
MapMscGT
SccpCgPC
text
MAP MSC GT. Phone number.
+Signaling Connection Control Part (SCCP) CgPC - Phone number.
MapGsmscfGT
MapSmsTP-PID
text
MAP GSMSCF GT. Phone number.
--
first-seen
datetime
When the attack has been seen for the first time.
--
MapSmsTP-DCS
text
MAP SMS TP-DCS.
+MAP SMS TP-PID.
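Review bot: the SccpCgPC description added here, "Signaling Connection Control Part (SCCP) CgPC - Phone number.", looks copied from the GT rows. In an SCCP address the PC is the signalling point code, while the phone-number-like value is the global title (SccpCgGT), so the text should describe a point code and the notation expected for it.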
@@ -5997,6 +5987,36 @@ ss7-attack is a MISP object available in JSON format at
MapUssdCoding
text
MAP USSD Content.
++
SccpCgSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
++
text
text
A description of the attack seen via SS7 logging.
++
MapSmsText
text
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
++
MapImsi
text
MAP IMSI. Phone number starting with MCC/MNC.
++
MapSmscGT
text
MapVersion
text
Map version. ['1', '2', '3']
--
Category
text
text
text
first-seen
datetime
A description of the attack seen via SS7 logging.
+When the attack has been seen for the first time.
MapUssdCoding
MapVersion
text
MAP USSD Content.
+Map version. ['1', '2', '3']
MapVlrGT
text
MAP VLR GT. Phone number.
--
MapSmsTP-PID
text
MAP SMS TP-PID.
--
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
--
MapMsisdn
text
MAP MSISDN. Phone number.
--
SccpCgPC
text
Signaling Connection Control Part (SCCP) CgPC - Phone number.
--
SccpCdPC
text
SccpCgSSN
SccpCdSSN
text
Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
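Review bot: SccpCgSSN (added) and SccpCdSSN share the description "Signaling Connection Control Part (SCCP) - Decimal value between 0-255.", which does not say which is the calling-party and which the called-party subsystem number. Name the field in each description, as the SccpCgGT row does with "CgGT". MapUssdCoding is also described as "MAP USSD Content.", the same text as MapUssdContent, and should describe the coding instead.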
@@ -6137,6 +6117,66 @@ ss7-attack is a MISP object available in JSON format atMapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
++
MapMsisdn
text
MAP MSISDN. Phone number.
++
MapUssdContent
text
MAP USSD Content.
++
MapGmlc
text
MAP GMLC. Phone number.
++
MapVlrGT
text
MAP VLR GT. Phone number.
++
MapMscGT
text
MAP MSC GT. Phone number.
++
MapSmsTypeNumber
text
MapImsi
MapGsmscfGT
text
MAP IMSI. Phone number starting with MCC/MNC.
+MAP GSMSCF GT. Phone number.
MapUssdContent
MapSmsTP-DCS
text
MAP USSD Content.
+MAP SMS TP-DCS.
-
MapSmsTP-OA
text
MAP SMS TP-OA. Phone number.
--
MapGmlc
text
MAP GMLC. Phone number.
--
SccpCgGT
text
Signaling Connection Control Part (SCCP) CgGT - Phone number.
-+
first-seen
+description
text
Tor node description.
++
published
datetime
When the Tor node designed by the IP address has been seen for the first time.
+router’s publication time. This can be different from first-seen and last-seen.
++
fingerprint
text
router’s fingerprint.
++
address
ip-src
IP address of the Tor node seen.
++
document
text
Raw document from the consensus.
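Review bot: the first-seen text in the tor-node rows says "When the Tor node designed by the IP address has been seen for the first time."; "designed" should be "designated". The fingerprint row ("router’s fingerprint.") should also state the expected encoding so that values from different feeds compare equal.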
@@ -6323,20 +6373,10 @@ tor-node is a MISP object available in JSON format at
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
version_line
flags
text
versioning information reported by the node.
+list of flag associated with the node.
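Review bot: the flags description added here, "list of flag associated with the node.", should read "list of flags" and, since the attribute is typed text, say how several flags are separated inside one value or whether each flag is a separate attribute.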
@@ -6363,16 +6403,6 @@ tor-node is a MISP object available in JSON format at
flags
text
list of flag associated with the node.
--
text
text
address
ip-src
first-seen
datetime
IP address of the Tor node seen.
--
description
text
Tor node description.
+When the Tor node designed by the IP address has been seen for the first time.
fingerprint
version_line
text
router’s fingerprint.
+versioning information reported by the node.
document
text
Raw document from the consensus.
--
host
-hostname
subdomain
text
Full hostname
--
first-seen
datetime
First time this URL has been seen
+Subdomain
text
text
url
url
Description of the URL
--
resource_path
text
Path (between hostname:port and query)
--
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
--
domain
domain
Full domain
+Full URL
@@ -6541,10 +6501,10 @@ url is a MISP object available in JSON format at
tld
scheme
text
Top-Level Domain
+Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
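Review bot: the scheme row lists ['http', 'https', 'ftp', 'gopher', 'sip'] without saying whether other schemes are rejected or the list is only a suggestion. State which, so a producer knows how to record a URL whose scheme is not listed.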
@@ -6561,23 +6521,43 @@ url is a MISP object available in JSON format at
query_string
domain_without_tld
text
Query (after path, preceded by '?')
+Domain without Top-Level Domain
subdomain
resource_path
text
Subdomain
+Path (between hostname:port and query)
+
+
text
text
Description of the URL
++
fragment
text
Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
+
domain_without_tld
+tld
text
Domain without Top-Level Domain
+Top-Level Domain
++
host
hostname
Full hostname
url
url
query_string
text
Full URL
+Query (after path, preceded by '?')
domain
domain
Full domain
++
first-seen
datetime
First time this URL has been seen
++
description
+text
Description of the victim
++
target-email
name
target-org
The name of the department(s) or organisation(s) targeted.
--
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
external
target-external
External target organisations affected by this attack.
--
ip-address
ip-dst
IP address(es) of the node targeted.
--
user
target-user
description
text
node
target-machine
Description of the victim
+Name(s) of node that was targeted.
node
target-machine
external
target-external
Name(s) of node that was targeted.
+External target organisations affected by this attack.
++
ip-address
ip-dst
IP address(es) of the node targeted.
++
name
target-org
The name of the department(s) or organisation(s) targeted.
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
++
first-submission
+datetime
First Submission
++
detection-ratio
text
permalink
link
Permalink Reference
--
last-submission
datetime
first-submission
datetime
permalink
link
First Submission
+Permalink Reference
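Review bot: the url rows in this hunk describe both the full value (url, "Full URL") and its parts (host, domain, tld, subdomain, domain_without_tld, resource_path, query_string, fragment) but not how they relate. Say whether the parts must be derived from url, and which of the two a consumer should trust when they disagree.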
@@ -6885,16 +6895,6 @@ vulnerability is a MISP object available in JSON format at
references
link
External references
--
created
datetime
modified
datetime
Last modification date
++
summary
text
published
datetime
vulnerable_configuration
text
Initial publication date
+The vulnerable configuration is described in CPE format
+
vulnerable_configuration
-text
The vulnerable configuration is described in CPE format
--
id
vulnerability
state
text
published
datetime
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
+Initial publication date
modified
datetime
references
link
Last modification date
+External references
++
state
text
State of the vulnerability. A vulnerability can have multiple states depending of the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
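Review bot: the vulnerable_configuration description, "The vulnerable configuration is described in CPE format", does not name the CPE version; CPE 2.2 URIs and CPE 2.3 formatted strings are written differently, so name the one expected. In the state description, "depending of the current actions" should read "depending on".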
@@ -7013,10 +7023,10 @@ whois is a MISP object available in JSON format at
expiration-date
modification-date
datetime
Expiration of the whois entry
+Last update of the whois entry
@@ -7033,20 +7043,10 @@ whois is a MISP object available in JSON format at
registrant-phone
whois-registrant-phone
creation-date
datetime
Registrant phone number
--
nameserver
hostname
Nameserver
+Initial creation of the whois entry
@@ -7063,26 +7063,6 @@ whois is a MISP object available in JSON format at
registrant-name
whois-registrant-name
Registrant name
--
registrar
whois-registrar
Registrar of the whois entry
--
domain
domain
modification-date
registrant-name
whois-registrant-name
Registrant name
++
expiration-date
datetime
Last update of the whois entry
+Expiration of the whois entry
creation-date
datetime
nameserver
hostname
Initial creation of the whois entry
+Nameserver
registrant-phone
whois-registrant-phone
Registrant phone number
++
registrar
whois-registrar
Registrar of the whois entry
++
issuer
+text
Issuer of the certificate
++
validity-not-before
datetime
subject
text
validity-not-after
datetime
Subject of the certificate
+Certificate invalid after that date
x509-fingerprint-md5
x509-fingerprint-md5
pubkey-info-exponent
text
[Insecure] MD5 hash (128 bits)
+Exponent of the public key
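Review bot: x509-fingerprint-md5 is labelled "[Insecure] MD5 hash (128 bits)" with no guidance on what that means for a consumer. Suggest adding that the value is for lookup and correlation only and that matching should use x509-fingerprint-sha256 where it is present.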
@@ -7201,6 +7221,36 @@ x509 is a MISP object available in JSON format at
serial-number
text
Serial number of the certificate
++
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
++
pubkey-info-algorithm
text
Algorithm of the public key
++
raw-base64
text
pubkey-info-size
text
text
Length of the public key (in bits)
+Free text description of hte certificate
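Review bot: the text description added here reads "Free text description of hte certificate"; "hte" should be "the", fixed where the description is defined. pubkey-info-size is typed text although it holds "Length of the public key (in bits)"; a numeric type, such as the counter used in the r2graphity rows, would let consumers compare key sizes without parsing.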
@@ -7241,70 +7291,30 @@ x509 is a MISP object available in JSON format at
serial-number
text
x509-fingerprint-md5
x509-fingerprint-md5
Serial number of the certificate
+[Insecure] MD5 hash (128 bits)
issuer
subject
text
Issuer of the certificate
+Subject of the certificate
x509-fingerprint-sha256
x509-fingerprint-sha256
Secure Hash Algorithm 2 (256 bits)
--
text
pubkey-info-size
text
Free text description of hte certificate
--
validity-not-after
datetime
Certificate invalid after that date
--
pubkey-info-algorithm
text
Algorithm of the public key
--
pubkey-info-exponent
text
Exponent of the public key
+Length of the public key (in bits)
@@ -7349,16 +7359,6 @@ yabin is a MISP object available in JSON format at
yara-hunt
yara
Wide yara rule generated from -yh.
--
whitelist
comment
comment
comment
A description of Yara rule generated.
++
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
++
yara
yara
version
comment
yara-hunt
yara
yabin.py and regex.txt version used for the generation of the yara rules.
+Wide yara rule generated from -yh.
-
comment
comment
A description of Yara rule generated.
-+