diff --git a/objects.html b/objects.html index 8a6dd5b..646c888 100755 --- a/objects.html +++ b/objects.html @@ -486,7 +486,7 @@ body.book #toc,body.book #preamble,body.book h1.sect0,body.book .sect1>h2{page-b
MISP MISP objects to be used in MISP (2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
+MISP objects to be used in MISP (starting from version 2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing.
last-seen
-datetime
When the leak has been accessible or seen for the last time.
--
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
--
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
--
first-seen
datetime
When the leak has been accessible or seen for the first time.
--
original-date
datetime
type
text
Type of information leak as discovered and classified by an AIL module. ['Credential', 'CreditCards', 'Mail', 'Onion', 'Phone', 'Keys']
++
first-seen
datetime
When the leak has been accessible or seen for the first time.
++
text
text
A description of the leak which could include the potential victim(s) or description of the leak.
++
last-seen
datetime
When the leak has been accessible or seen for the last time.
++
sensor
text
signature
text
Name of detection signature
--
software
text
Name of antivirus software
--
datetime
datetime
software
text
Name of antivirus software
++
signature
text
Name of detection signature
++
cookie-name
-text
Name of the cookie (if splitted)
--
cookie-value
text
Value of the cookie (if splitted)
--
type
text
cookie-name
text
Name of the cookie (if splitted)
++
cookie-value
text
Value of the cookie (if splitted)
++
username
+origin
text
Username related to the password(s)
--
password
text
Password
--
format
text
Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
--
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
+Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
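Review bot: the replacement intro line "+MISP objects to be used in MISP (starting from version 2.4.80) system and can be used by other information sharing tool." fixes the version wording but keeps the broken grammar of the line it replaces; suggest "MISP objects are meant to be used in MISP (version 2.4.80 and later) and can also be used by other information sharing tools." The hunk also deletes the credential rows username, password, format and type and adds only the origin row, yet the next hunk adds the same four rows back, so the net change to the credential object is the order of its attributes rather than its content; that is worth saying in the commit message so readers do not go looking for a schema change. The cookie context lines carried through unchanged still read "Name of the cookie (if splitted)" and "Value of the cookie (if splitted)"; the past participle is "split", and fixing it at the source would clean both rows up in the same pass.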
@@ -849,20 +819,50 @@ credential is a MISP object available in JSON format at
notification
format
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
+Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']
origin
password
text
Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']
+Password
++
type
text
Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']
++
username
text
Username related to the password(s)
++
notification
text
Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']
@@ -907,10 +907,10 @@ credit-card is a MISP object available in JSON format at
issued
datetime
comment
comment
Initial date of validity or issued date.
+A description of the card.
@@ -927,20 +927,20 @@ credit-card is a MISP object available in JSON format at
comment
comment
name
text
A description of the card.
+Name of the card owner.
cc-number
cc-number
issued
datetime
credit-card number as encoded on the card.
+Initial date of validity or issued date.
@@ -957,10 +957,10 @@ credit-card is a MISP object available in JSON format at
name
text
cc-number
cc-number
Name of the card owner.
+credit-card number as encoded on the card.
@@ -1015,50 +1015,10 @@ ddos is a MISP object available in JSON format at
ip-src
ip-src
total-pps
counter
IP address originating the attack
--
src-port
port
Port originating the attack
--
dst-port
port
Destination port of the attack
--
first-seen
datetime
Beginning of the attack
--
ip-dst
ip-dst
Destination ID (victim)
+Packets per second
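Review bot: this hunk deletes the ddos rows ip-src, src-port, dst-port, first-seen and ip-dst ("--" markers) and adds only "+Packets per second" for total-pps, while the following hunk re-adds the same five rows as "++" in a different position, so the diff is an attribute reordering and not a change to the ddos object. The same pattern repeats for nearly every object in the patch (credential, credit-card, email, file, netflow, pe, person, rtir, tor-node, url), which buries the handful of real wording changes under hundreds of moved lines. Emitting the attribute rows in a stable order (for example sorted by attribute name) before rendering the page would keep future diffs limited to actual changes and make them reviewable.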
@@ -1075,6 +1035,46 @@ ddos is a MISP object available in JSON format at
ip-dst
ip-dst
Destination ID (victim)
++
first-seen
datetime
Beginning of the attack
++
total-bps
counter
Bits per second
++
ip-src
ip-src
IP address originating the attack
++
text
text
total-pps
counter
src-port
port
Packets per second
+Port originating the attack
@@ -1105,10 +1105,10 @@ ddos is a MISP object available in JSON format at
total-bps
counter
dst-port
port
Bits per second
+Destination port of the attack
@@ -1153,6 +1153,16 @@ domain-ip is a MISP object available in JSON format at
domain
domain
Domain name
++
first-seen
datetime
text
text
A description of the tuple
++
ip
ip-dst
domain
domain
Domain name
--
text
text
A description of the tuple
--
number-sections
-counter
Number of sections
--
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
--
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
--
text
text
number-sections
counter
Number of sections
++
type
text
Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
++
arch
text
os_abi
text
Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
++
sha1
-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
entropy
float
Entropy of the whole section
--
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
flag
text
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
type
text
Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
++
sha512
sha512
ssdeep
ssdeep
md5
md5
Fuzzy hash using context triggered piecewise hashes (CTPH)
+[Insecure] MD5 hash (128 bits)
entropy
float
Entropy of the whole section
++
name
text
sha224
sha224
ssdeep
ssdeep
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
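Review bot: in the elf-section rows, sha224 and sha512/224 both carry the description "Secure Hash Algorithm 2 (224 bits)", and sha256 and sha512/256 likewise share "Secure Hash Algorithm 2 (256 bits)"; these are distinct functions (SHA-512/224 and SHA-512/256 are SHA-512 truncated to that length with their own initial values, and their digests do not match SHA-224 or SHA-256 of the same data), so identical descriptions invite an analyst to file a digest under the wrong attribute, after which it will never correlate. Suggest "SHA-512 truncated to 224 bits (SHA-512/224)" and "SHA-512 truncated to 256 bits (SHA-512/256)" for the truncated variants. The same duplicated descriptions appear in the file, macho-section and pe-section rows later in the patch, so the wording should be fixed once where those hash rows are defined.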
@@ -1527,6 +1527,26 @@ email is a MISP object available in JSON format at
thread-index
email-thread-index
Identifies a particular conversation thread
++
from-display-name
email-src-display-name
Display name of the sender
++
mime-boundary
email-mime-boundary
to-display-name
email-dst-display-name
Display name of the receiver
--
thread-index
email-thread-index
Identifies a particular conversation thread
--
header
email-header
from
email-src
Sender email address
--
subject
email-subject
Subject
--
message-id
email-message-id
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
--
send-date
datetime
Date the email has been sent
--
cc
email-dst
from-display-name
email-src-display-name
subject
email-subject
Display name of the sender
+Subject
from
email-src
Sender email address
++
send-date
datetime
Date the email has been sent
++
attachment
email-attachment
x-mailer
email-x-mailer
X-Mailer generally tells the program that was used to draft and send the original email
++
to-display-name
email-dst-display-name
Display name of the receiver
++
sha1
-sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
filename
filename
Filename on disk
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
entropy
float
Entropy of the whole file
--
mimetype
state
text
Mime type
--
size-in-bytes
size-in-bytes
Size of the file, in bytes
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
+State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
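Review bot: the added row "+State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']" mixes a verdict ('Harmless') with code-signing states ('Signed', 'Revoked', 'Expired', 'Trusted') in one single-valued enumeration, so a file that is signed with a revoked certificate, or that is both signed and considered harmless, cannot be described without dropping one of the two facts. The description should at least state which of the two dimensions the attribute is meant to capture, or the list should be split into a verdict attribute and a signature-state attribute; as written, consumers will read 'Signed' as an implicit trust statement.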
@@ -1825,20 +1745,20 @@ file is a MISP object available in JSON format at
pattern-in-file
pattern-in-file
sha512/256
sha512/256
Pattern that can be found in the file
+Secure Hash Algorithm 2 (256 bits)
sha512
sha512
sha1
sha1
Secure Hash Algorithm 2 (512 bits)
+[Insecure] Secure Hash Algorithm 1 (160 bits)
@@ -1865,10 +1785,30 @@ file is a MISP object available in JSON format at
malware-sample
malware-sample
sha224
sha224
The file itself (binary)
+Secure Hash Algorithm 2 (224 bits)
++
pattern-in-file
pattern-in-file
Pattern that can be found in the file
++
sha512
sha512
Secure Hash Algorithm 2 (512 bits)
@@ -1885,10 +1825,30 @@ file is a MISP object available in JSON format at
state
text
entropy
float
State of the file ['Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
+Entropy of the whole file
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
malware-sample
malware-sample
The file itself (binary)
size-in-bytes
size-in-bytes
Size of the file, in bytes
++
filename
filename
Filename on disk
++
mimetype
text
Mime type
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
++
latitude
-float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
--
city
region
text
City.
+Region.
last-seen
datetime
When the location was seen for the last time.
--
altitude
float
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
++
country
text
text
text
A generic description of the location.
--
first-seen
datetime
region
text
text
Region.
--
longitude
float
The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
+A generic description of the location.
latitude
float
The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
++
last-seen
datetime
When the location was seen for the last time.
++
city
text
City.
++
uri
-uri
Request URI
--
host
hostname
content-type
other
The MIME type of the body of the request
--
proxy-user
text
HTTP Proxy Username
--
referer
referer
proxy-user
text
HTTP Proxy Username
++
proxy-password
text
HTTP Proxy Password
++
method
http-method
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
++
uri
uri
Request URI
++
cookie
text
content-type
other
The MIME type of the body of the request
++
url
url
Full HTTP Request URL
++
basicauth-user
text
method
http-method
basicauth-password
text
HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
+HTTP Basic Authentication Password
+
url
url
Full HTTP Request URL
--
proxy-password
text
HTTP Proxy Password
--
basicauth-password
text
HTTP Basic Authentication Password
--
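Review bot: the method row "HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)" presents a closed list that omits PATCH and TRACE, both standard HTTP methods, so either the list should be completed or the wording should say the list is not exhaustive; the rows are only being moved here, so this is the moment to fix the text. The proxy-password and basicauth-password rows are typed as plain "text" with descriptions "HTTP Proxy Password" and "HTTP Basic Authentication Password" and nothing marking them as sensitive; a short note that these values are secrets and should be shared with an appropriate distribution level would help the organisations filling in this object.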
ip
-ip-dst
IP Address
--
last-seen
datetime
Last time the tuple has been seen
--
dst-port
port
ip
ip-dst
IP Address
++
last-seen
datetime
Last time the tuple has been seen
++
ip-src
-ip-src
ip-dst
ip-dst
Source IP Address
--
description
text
Type of detected software ie software, malware
--
ja3-fingerprint-md5
md5
Hash identifying source
+Destination IP address
@@ -2377,10 +2357,20 @@ ja3 is a MISP object available in JSON format at
ip-dst
ip-dst
ip-src
ip-src
Destination IP address
+Source IP Address
++
ja3-fingerprint-md5
md5
Hash identifying source
description
text
Type of detected software ie software, malware
++
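Review bot: the ja3 rows mix capitalisation, "Source IP Address" versus "+Destination IP address", and the description "Type of detected software ie software, malware" uses "ie" for "i.e." while listing "software" as an example of software; suggest "Source IP address" and "Destination IP address" consistently, and "Type of detected software, e.g. application or malware". The ja3-fingerprint-md5 description "Hash identifying source" is easy to misread as a hash of the source address; it would be clearer if it said the value is the MD5 of the JA3 fingerprint string derived from the TLS client hello.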
entrypoint-address
+name
text
Address of the entry point
+Binary’s name
+
name
+text
text
Binary’s name
+Free text value to attach to the Mach-O file
+
text
+entrypoint-address
text
Free text value to attach to the Mach-O file
+Address of the entry point
@@ -2523,76 +2523,6 @@ macho-section is a MISP object available in JSON format at
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
entropy
float
Entropy of the whole section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
sha256
sha256
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
sha512
sha512
ssdeep
ssdeep
md5
md5
Fuzzy hash using context triggered piecewise hashes (CTPH)
+[Insecure] MD5 hash (128 bits)
entropy
float
Entropy of the whole section
++
name
text
sha224
sha224
ssdeep
ssdeep
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
@@ -2691,40 +2691,20 @@ microblog is a MISP object available in JSON format at
link
url
Link into the microblog post
--
username
username-quoted
text
Username who posted the microblog post
+Username who are quoted into the microblog post
url
url
Original URL location of the microblog post
--
type
post
text
Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
+Raw post
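Review bot: the added description "+Username who are quoted into the microblog post" is ungrammatical; suggest "Username(s) quoted in the microblog post". The neighbouring context line "Link into the microblog post", which the next hunk re-adds unchanged, should read "Link to the microblog post". Since this hunk and the two that follow only swap the username, username-quoted, url, link, type and post rows around, these two wording fixes would be the only substantive change in the microblog object.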
@@ -2741,10 +2721,20 @@ microblog is a MISP object available in JSON format at
username-quoted
text
url
url
Username who are quoted into the microblog post
+Original URL location of the microblog post
++
link
url
Link into the microblog post
@@ -2761,10 +2751,20 @@ microblog is a MISP object available in JSON format at
post
type
text
Raw post
+Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
++
username
text
Username who posted the microblog post
@@ -2819,6 +2819,16 @@ netflow is a MISP object available in JSON format at
direction
text
Direction of this flow ['Ingress', 'Egress']
++
first-packet-seen
datetime
ip_version
counter
IP version of this flow
--
direction
text
Direction of this flow ['Ingress', 'Egress']
--
ip-protocol-number
size-in-bytes
IP protocol number of this flow
--
dst-port
port
Destination port of the netflow
--
dst-as
AS
Destination AS number for this flow
--
ip-dst
ip-dst
tcp-flags
text
TCP flags of the flow
--
flow-count
ip_version
counter
Flows counted in this flow
--
ip-src
ip-src
IP address source of the netflow
--
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
+IP version of this flow
@@ -2979,6 +2909,16 @@ netflow is a MISP object available in JSON format at
dst-as
AS
Destination AS number for this flow
++
packet-count
counter
tcp-flags
text
TCP flags of the flow
++
flow-count
counter
Flows counted in this flow
++
dst-port
port
Destination port of the netflow
++
ip-src
ip-src
IP address source of the netflow
++
icmp-type
text
ICMP type of the flow (if the traffic is ICMP)
++
ip-protocol-number
size-in-bytes
IP protocol number of this flow
++
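Review bot: the ip-protocol-number row is typed "size-in-bytes" ("ip-protocol-number" / "size-in-bytes" / "IP protocol number of this flow"), but an IP protocol number is a one-byte identifier (6 for TCP, 17 for UDP), not a byte count; the sibling rows ip_version, packet-count and flow-count use "counter", which fits here as well. With the wrong type a consuming tool may apply size semantics or unit conversion to the value and silently misread the flow. The rest of the hunk only moves rows (dst-as, tcp-flags, flow-count, dst-port, ip-src, icmp-type are deleted in the previous netflow hunk and re-added here), so the type correction is the one change worth making in this object.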
time_last
+datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
++
rrname
text
Resource Record name of the queried resource
++
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
bailiwick
text
Best estimate of the apex of the zone where this data is authoritative
++
sensor_id
text
origin
text
Origin of the Passive DNS response
--
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
rrtype
text
rrname
origin
text
Resource Record name of the queried resource
--
text
text
-
-
time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
+Origin of the Passive DNS response
@@ -3117,10 +3117,20 @@ passive-dns is a MISP object available in JSON format at
bailiwick
zone_time_last
datetime
Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
++
text
text
Best estimate of the apex of the zone where this data is authoritative
+
zone_time_first
datetime
First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
--
last-seen
-datetime
When the paste has been accessible or seen for the last time.
--
url
url
Link to the original source of the paste or post.
--
paste
text
title
origin
text
Title of the paste or post.
+Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
++
url
url
Link to the original source of the paste or post.
@@ -3235,15 +3225,25 @@ paste is a MISP object available in JSON format at
origin
title
text
Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com']
+Title of the paste or post.
last-seen
datetime
When the paste has been accessible or seen for the last time.
++
compilation-timestamp
-datetime
Compilation timestamp defined in the PE header
--
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
--
internal-filename
filename
InternalFilename in the resources
--
type
text
Type of PE ['exe', 'dll', 'driver', 'unknown']
--
entrypoint-section-at-position
text
Name of the section and position of the section in the PE
--
entrypoint-address
text
Address of the entry point
--
imphash
imphash
Hash (md5) calculated from the import table
--
product-version
text
ProductVersion in the resources
--
number-sections
counter
Number of sections
--
legal-copyright
text
LegalCopyright in the resources
--
original-filename
filename
OriginalFilename in the resources
--
file-version
text
text
text
Free text value to attach to the PE
++
impfuzzy
impfuzzy
text
pehash
pehash
Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
++
entrypoint-address
text
Free text value to attach to the PE
+Address of the entry point
++
product-version
text
ProductVersion in the resources
++
compilation-timestamp
datetime
Compilation timestamp defined in the PE header
++
file-description
text
FileDescription in the resources
++
imphash
imphash
Hash (md5) calculated from the import table
++
product-name
text
ProductName in the resources
@@ -3443,20 +3403,60 @@ pe is a MISP object available in JSON format at
product-name
entrypoint-section-at-position
text
ProductName in the resources
+Name of the section and position of the section in the PE
file-description
number-sections
counter
Number of sections
++
internal-filename
filename
InternalFilename in the resources
++
type
text
FileDescription in the resources
+Type of PE ['exe', 'dll', 'driver', 'unknown']
++
original-filename
filename
OriginalFilename in the resources
++
legal-copyright
text
LegalCopyright in the resources
@@ -3501,86 +3501,6 @@ pe-section is a MISP object available in JSON format at
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
--
size-in-bytes
size-in-bytes
Size of the section, in bytes
--
entropy
float
Entropy of the whole section
--
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
--
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
--
md5
md5
[Insecure] MD5 hash (128 bits)
--
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
--
sha256
sha256
sha512/256
sha512/256
Secure Hash Algorithm 2 (256 bits)
++
sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
sha512/224
sha512/224
Secure Hash Algorithm 2 (224 bits)
++
sha224
sha224
Secure Hash Algorithm 2 (224 bits)
++
characteristic
text
Characteristic of the section ['read', 'write', 'executable']
++
sha512
sha512
ssdeep
ssdeep
md5
md5
Fuzzy hash using context triggered piecewise hashes (CTPH)
+[Insecure] MD5 hash (128 bits)
entropy
float
Entropy of the whole section
++
name
text
sha224
sha224
ssdeep
ssdeep
Secure Hash Algorithm 2 (224 bits)
+Fuzzy hash using context triggered piecewise hashes (CTPH)
++
size-in-bytes
size-in-bytes
Size of the section, in bytes
++
sha384
sha384
Secure Hash Algorithm 2 (384 bits)
@@ -3679,66 +3679,6 @@ person is a MISP object available in JSON format at
gender
gender
The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
--
passport-number
passport-number
The passport number of a natural person.
--
last-name
last-name
Last name of a natural person.
--
nationality
nationality
The nationality of a natural person.
--
first-name
first-name
First name of a natural person.
--
passport-expiration
passport-expiration
The expiration date of a passport.
--
middle-name
middle-name
date-of-birth
date-of-birth
gender
gender
Date of birth of a natural person (in YYYY-MM-DD format).
+The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
text
text
place-of-birth
place-of-birth
A description of the person or identity.
--
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
+Place of birth of a natural person.
@@ -3789,10 +3719,80 @@ person is a MISP object available in JSON format at
place-of-birth
place-of-birth
text
text
Place of birth of a natural person.
+A description of the person or identity.
++
passport-expiration
passport-expiration
The expiration date of a passport.
++
first-name
first-name
First name of a natural person.
++
last-name
last-name
Last name of a natural person.
++
passport-number
passport-number
The passport number of a natural person.
++
nationality
nationality
The nationality of a natural person.
++
date-of-birth
date-of-birth
Date of birth of a natural person (in YYYY-MM-DD format).
++
redress-number
redress-number
The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
@@ -3837,20 +3837,10 @@ phone is a MISP object available in JSON format at
first-seen
datetime
When the phone has been accessible or seen for the first time.
--
tmsi
imsi
text
Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
+A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
@@ -3867,6 +3857,26 @@ phone is a MISP object available in JSON format at
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
++
first-seen
datetime
When the phone has been accessible or seen for the first time.
++
imei
text
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
++
guti
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
++
text
text
gummei
text
Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
--
last-seen
datetime
guti
tmsi
text
Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
--
msisdn
text
MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has a several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
--
imsi
text
A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
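Review bot: the re-added row "+Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated." is an inverted sentence; suggest "A Temporary Mobile Subscriber Identity (TMSI) allocated to a visiting mobile subscriber." The msisdn context line repeated in both phone hunks reads "This abbreviation has a several interpretations", which should be "has several interpretations". The hunk otherwise only swaps the tmsi and imsi rows, so these are the fixes that would give it a reason to exist.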
@@ -3975,26 +3975,6 @@ r2graphity is a MISP object available in JSON format at
referenced-strings
counter
Amount of referenced strings
--
miss-api
counter
Amount of API call reference that does not resolve to a function offset
--
r2-commit-version
text
callbacks
memory-allocations
counter
Amount of callbacks (functions started as thread)
+Amount of memory allocations
@@ -4035,60 +4015,10 @@ r2graphity is a MISP object available in JSON format at
callback-largest
counter
Largest callback
--
text
text
Description of the r2graphity object
--
local-references
counter
Amount of API calls inside a code section
--
get-proc-address
counter
Amount of calls to GetProcAddress
--
memory-allocations
counter
Amount of memory allocations
--
ratio-string
ratio-api
float
Ratio: amount of referenced strings per kilobyte of code section
+Ratio: amount of API calls per kilobyte of code section
@@ -4105,40 +4035,10 @@ r2graphity is a MISP object available in JSON format at
not-referenced-strings
refsglobalvar
counter
Amount of not referenced strings
--
callback-average
counter
Average size of a callback
--
total-api
counter
Total amount of API calls
--
ratio-api
float
Ratio: amount of API calls per kilobyte of code section
+Amount of API calls outside of code section (glob var, dynamic API)
@@ -4155,20 +4055,60 @@ r2graphity is a MISP object available in JSON format at
ratio-functions
float
text
text
Ratio: amount of functions per kilobyte of code section
+Description of the r2graphity object
refsglobalvar
miss-api
counter
Amount of API calls outside of code section (glob var, dynamic API)
+Amount of API call reference that does not resolve to a function offset
++
callback-largest
counter
Largest callback
++
total-api
counter
Total amount of API calls
++
not-referenced-strings
counter
Amount of not referenced strings
++
referenced-strings
counter
Amount of referenced strings
callback-average
counter
Average size of a callback
++
ratio-functions
float
Ratio: amount of functions per kilobyte of code section
++
get-proc-address
counter
Amount of calls to GetProcAddress
++
callbacks
counter
Amount of callbacks (functions started as thread)
++
ratio-string
float
Ratio: amount of referenced strings per kilobyte of code section
++
local-references
counter
Amount of API calls inside a code section
++
regexp
-text
regexp
--
comment
comment
regexp
text
regexp
++
data-type
-reg-datatype
data
reg-data
Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
+Data stored in the registry key
key
reg-key
data-type
reg-datatype
Full key path
+Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
@@ -4331,16 +4331,6 @@ registry-key is a MISP object available in JSON format at
hive
reg-hive
Hive used to store the registry key (file on disk)
--
name
reg-name
data
reg-data
key
reg-key
Data stored in the registry key
+Full key path
++
hive
reg-hive
Hive used to store the registry key (file on disk)
@@ -4399,20 +4399,20 @@ report is a MISP object available in JSON format at
summary
case-number
text
Free text summary of the report
+Case number
case-number
summary
text
Case number
+Free text summary of the report
@@ -4457,36 +4457,6 @@ rtir is a MISP object available in JSON format at
classification
text
Classification of the RTIR ticket
--
ip
ip-dst
IPs automatically extracted from the RTIR ticket
--
constituency
text
Constituency of the RTIR ticket
--
ticket-number
text
subject
queue
text
Subject of the RTIR ticket
+Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
@@ -4517,10 +4487,40 @@ rtir is a MISP object available in JSON format at
queue
classification
text
Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
+Classification of the RTIR ticket
++
constituency
text
Constituency of the RTIR ticket
++
ip
ip-dst
IPs automatically extracted from the RTIR ticket
++
subject
text
Subject of the RTIR ticket
@@ -4565,66 +4565,6 @@ tor-node is a MISP object available in JSON format at
nickname
text
router’s nickname.
--
document
text
Raw document from the consensus.
--
fingerprint
text
router’s fingerprint.
--
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
--
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
--
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
--
description
text
version_line
text
versioning information reported by the node.
--
text
text
Tor node comment.
--
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
--
flags
text
published
datetime
router’s publication time. This can be different from first-seen and last-seen.
++
fingerprint
text
router’s fingerprint.
++
version_line
text
versioning information reported by the node.
++
address
ip-src
version
text
parsed version of tor, this is None if the relay’s using a new versioning scheme.
++
first-seen
datetime
When the Tor node designed by the IP address has been seen for the first time.
++
text
text
Tor node comment.
++
document
text
Raw document from the consensus.
++
last-seen
datetime
When the Tor node designed by the IP address has been seen for the last time.
++
nickname
text
router’s nickname.
++
resource_path
+query_string
text
Path (between hostname:port and query)
+Query (after path, preceded by '?')
++
subdomain
text
Subdomain
++
url
url
Full URL
++
domain_without_tld
text
Domain without Top-Level Domain
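Review bot: the tor-node descriptions carry wording defects that survive the reorder and should be fixed in the source template rather than on the generated page: "When the Tor node designed by the IP address has been seen for the last time." reads as a typo for "designated", and "parsed version of tor, this is None if the relay’s using a new versioning scheme." leaks a Python literal (`None`) into user-facing text; say "empty" or "absent" and spell out which versioning scheme is meant. The url rows starting at `resource_path` / `+query_string` belong to a separate hunk whose `@@` header was lost; the added "Query (after path, preceded by '?')" description is clear as written.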
@@ -4753,56 +4783,6 @@ url is a MISP object available in JSON format at
scheme
text
Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
--
domain_without_tld
text
Domain without Top-Level Domain
--
last-seen
datetime
Last time this URL has been seen
--
port
port
Port number
--
credential
text
Credential (username, password)
--
domain
domain
text
text
Description of the URL
--
first-seen
datetime
First time this URL has been seen
--
url
url
Full URL
--
tld
text
subdomain
scheme
text
Subdomain
+Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
query_string
resource_path
text
Query (after path, preceded by '?')
+Path (between hostname:port and query)
++
last-seen
datetime
Last time this URL has been seen
++
credential
text
Credential (username, password)
++
first-seen
datetime
First time this URL has been seen
++
text
text
Description of the URL
++
port
port
Port number
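Review bot: the `credential` attribute ("Credential (username, password)", type `text`) gives no format and no hint that the value is a live secret taken from a URL; specify the expected form (the userinfo part as it appears in the URL) and note that it is sensitive data so that contributors consider distribution and sharing-group settings before filling it. The `scheme` list ['http', 'https', 'ftp', 'gopher', 'sip'] is closed; state whether values outside the list are rejected or merely unsuggested.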
@@ -4911,26 +4911,6 @@ victim is a MISP object available in JSON format at
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
--
description
text
Description of the victim
--
sectors
text
roles
description
text
The list of roles targeted within the victim.
+Description of the victim
++
classification
text
The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
roles
text
The list of roles targeted within the victim.
++
detection-ratio
+text
Detection Ratio
++
first-submission
datetime
last-submission
datetime
Last Submission
--
community-score
text
detection-ratio
text
Detection Ratio
--
permalink
link
last-submission
datetime
Last Submission
++
summary
-text
Summary of the vulnerability
--
modified
datetime
text
text
published
datetime
Description of the vulnerability
--
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
+Initial publication date
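Review bot: "The vulnerable configuration is described in CPE format" does not say which CPE version; CPE 2.2 (`cpe:/a:...`) and CPE 2.3 (`cpe:2.3:a:...`) have different syntax, so consumers parsing `vulnerable_configuration` need the version spelled out. Separately, `detection-ratio` gains the type `text` ("Detection Ratio") in this region; a ratio stored as free text cannot be compared numerically, so at least document the expected form (detections over total engines) so values stay consistent across events.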
@@ -5157,10 +5137,30 @@ vulnerability is a MISP object available in JSON format at
published
datetime
text
text
Initial publication date
+Description of the vulnerability
++
summary
text
Summary of the vulnerability
++
vulnerable_configuration
text
The vulnerable configuration is described in CPE format
@@ -5205,6 +5205,36 @@ whois is a MISP object available in JSON format at
creation-date
datetime
Initial creation of the whois entry
++
registrant-phone
whois-registrant-phone
Registrant phone number
++
domain
domain
Domain of the whois entry
++
registrant-email
whois-registrant-email
domain
domain
registar
whois-registrar
Domain of the whois entry
+Registrar of the whois entry
++
registrant-name
whois-registrant-name
Registrant name
registar
whois-registrar
Registrar of the whois entry
--
registrant-phone
whois-registrant-phone
Registrant phone number
--
creation-date
datetime
Initial creation of the whois entry
--
registrant-name
whois-registrant-name
Registrant name
--
serial-number
+raw-base64
text
Serial number of the certificate
--
pubkey-info-modulus
text
Modulus of the public key
--
pubkey-info-algorithm
text
Algorithm of the public key
--
pubkey-info-exponent
text
Exponent of the public key
--
version
text
Version of the certificate
--
subject
text
Subject of the certificate
--
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
--
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
--
text
text
Free text description of hte certificate
+Raw certificate base64 encoded
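Review bot: the whois rows still use the misspelled object-relation name `registar` (type `whois-registrar`, "Registrar of the whois entry"); because the relation name is an identifier that existing events reference, correcting it is a template change that needs a version bump, not a page-only edit. In the x509 rows, `serial-number` and `+raw-base64` are interleaved so that "Serial number of the certificate" and "Raw certificate base64 encoded" are hard to match to their attributes; confirm in the template that `raw-base64` keeps the base64 description and `serial-number` stays `text`.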
@@ -5433,6 +5353,56 @@ x509 is a MISP object available in JSON format at
issuer
text
Issuer of the certificate
++
version
text
Version of the certificate
++
x509-fingerprint-sha256
sha256
Secure Hash Algorithm 2 (256 bits)
++
subject
text
Subject of the certificate
++
x509-fingerprint-sha1
sha1
[Insecure] Secure Hash Algorithm 1 (160 bits)
++
pubkey-info-size
text
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
--
raw-base64
serial-number
text
Raw certificate base64 encoded
+Serial number of the certificate
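Review bot: `pubkey-info-size` is typed `text` and no description line is visible for it; a key size kept as free text cannot be filtered for weak values, so document the unit (bits) and consider a numeric attribute type if the template schema permits one. The `[Insecure]` markers on `x509-fingerprint-sha1` and `x509-fingerprint-md5` are good; it would help to state that `x509-fingerprint-sha256` is the preferred fingerprint for correlation.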
@@ -5473,10 +5433,50 @@ x509 is a MISP object available in JSON format at
issuer
pubkey-info-algorithm
text
Issuer of the certificate
+Algorithm of the public key
++
x509-fingerprint-md5
md5
[Insecure] MD5 hash (128 bits)
++
pubkey-info-exponent
text
Exponent of the public key
++
text
text
Free text description of hte certificate
++
pubkey-info-modulus
text
Modulus of the public key
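Review bot: the description "Free text description of hte certificate" carries the typo "hte" for "the"; since this page is generated, fix it in the x509 object template so it does not reappear on the next regeneration.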
@@ -5521,6 +5521,16 @@ yabin is a MISP object available in JSON format at
yara
yara
Yara rule generated from -y.
++
yara-hunt
yara
version
comment
yabin.py and regex.txt version used for the generation of the yara rules.
--
comment
comment
yara
yara
version
comment
Yara rule generated from -y.
+yabin.py and regex.txt version used for the generation of the yara rules.
+
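Review bot: the yabin `version` attribute uses the `comment` type to hold "yabin.py and regex.txt version used for the generation of the yara rules."; a version string is data, not an analyst comment, so `text` is the better fit. The description "Yara rule generated from -y." names a command-line flag without the tool; reword it to say the rule was produced by `yabin.py -y`, and give `yara-hunt` a description of its own since none is visible here.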