MISP Objects

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7

Funding and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  9

MISP objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  10

ail-leak . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  10

ais-info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11

android-app. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  12

android-permission. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  13

annotation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15

anonymisation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  16

asn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  20

attack-pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22

authentication-failure-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22

authenticode-signerinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  23

av-signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  24

bank-account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  25

bgp-hijack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  29

bgp-ranking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  30

blog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  30

boleto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  32

btc-transaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  33

btc-wallet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34

cap-alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  35

cap-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39

cap-resource . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  43

coin-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  44

command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46

command-line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46

concordia-mtmf-intrusion-set. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  47

cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  47

cortex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49

cortex-taxonomy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49

course-of-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  50

covid19-csse-daily-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  52

covid19-dxy-live-city . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  54

covid19-dxy-live-province . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  55

cowrie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  56

1

cpe-asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  58

credential . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  68

credit-card . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  70

crypto-material. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  71

cytomic-orion-file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  74

cytomic-orion-machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  75

dark-pattern-item. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  75

ddos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  76

device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  77

diameter-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  80

dkim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  81

dns-record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  82

domain-crawled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  84

domain-ip. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  84

edr-report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  85

elf . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  86

elf-section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  90

email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  93

employee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  96

exploit-poc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  97

facebook-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  98

facebook-group. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  99

facebook-page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  101

facebook-post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  103

facial-composite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  105

fail2ban . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  105

favicon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  106

file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  107

forensic-case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  111

forensic-evidence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  112

forged-document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  113

ftm-Airplane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  115

ftm-Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  117

ftm-Asset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  119

ftm-Associate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  120

ftm-Audio. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  121

ftm-BankAccount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  124

ftm-Call . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  126

ftm-Company . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  127

ftm-Contract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  132

ftm-ContractAward . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  135

2

ftm-CourtCase . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  136

ftm-CourtCaseParty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  138

ftm-Debt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  139

ftm-Directorship. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  140

ftm-Document. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  141

ftm-Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  144

ftm-EconomicActivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  145

ftm-Email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  147

ftm-Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  151

ftm-Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  153

ftm-Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  154

ftm-HyperText . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  157

ftm-Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  160

ftm-Land . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  163

ftm-LegalEntity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  165

ftm-License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  168

ftm-Membership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  171

ftm-Message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  172

ftm-Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  175

ftm-Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  178

ftm-Package. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  179

ftm-Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  182

ftm-Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  183

ftm-Passport . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  186

ftm-Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  187

ftm-Person . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  188

ftm-PlainText . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  192

ftm-PublicBody. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  195

ftm-RealEstate. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  198

ftm-Representation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  200

ftm-Row . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  201

ftm-Sanction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  202

ftm-Succession . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  203

ftm-Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  204

ftm-TaxRoll . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  207

ftm-UnknownLink . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  208

ftm-UserAccount . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  209

ftm-Vehicle. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  211

ftm-Vessel. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  212

ftm-Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  215

ftm-Workbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  218

3

geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  221

git-vuln-finder. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  223

github-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  225

gitlab-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  226

gtp-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

hashlookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  228

http-request. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  230

ilr-impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  232

ilr-notification-incident . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  232

image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  235

impersonation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  236

imsi-catcher. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  237

instant-message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  239

instant-message-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  241

intel471-vulnerability-intelligence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  243

intelmq_event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  246

intelmq_report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  264

internal-reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  266

interpol-notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  267

iot-device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  268

iot-firmware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  271

ip-api-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  272

ip-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  274

irc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  275

ja3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  276

ja3s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  277

jarm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  277

keybase-account. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  278

leaked-document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  279

legal-entity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  281

lnk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  282

macho . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  285

macho-section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  286

mactime-timeline-analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  287

malware-config . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  288

meme-image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  289

microblog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  291

mutex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  294

narrative . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  295

netflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  296

network-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  298


network-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  299

network-socket . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

news-agency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  307

news-media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  308

open-data-security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  310

organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  312

original-imported-file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  314

paloalto-threat-event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  314

parler-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  316

parler-comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  317

parler-post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  319

passive-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  322

passive-dns-dnsdbflex . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  325

passive-ssh. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  325

paste . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  326

pcap-metadata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  327

pe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  330

pe-section. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  332

person. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  333

pgp-meta . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  338

phishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  338

phishing-kit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  340

phone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  341

postal-address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  344

process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  345

publication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  348

python-etvx-event-log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  350

r2graphity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  353

reddit-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  355

reddit-comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  356

reddit-post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  358

reddit-subreddit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  360

regexp. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  363

registry-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  364

regripper-NTUser. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  365

regripper-sam-hive-single-user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  367

regripper-sam-hive-user-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  368

regripper-software-hive-BHO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  369

regripper-software-hive-appInit-DLLS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  370

regripper-software-hive-application-paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  371

regripper-software-hive-applications-installed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  372


regripper-software-hive-command-shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  373

regripper-software-hive-software-run . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  374

regripper-software-hive-userprofile-winlogon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  374

regripper-software-hive-windows-general-info. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  378

regripper-system-hive-firewall-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  380

regripper-system-hive-general-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  381

regripper-system-hive-network-information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  383

regripper-system-hive-services-drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  384

report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  386

research-scanner . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  387

rogue-dns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  388

rtir . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  389

sandbox-report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  389

sb-signature. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  391

scheduled-event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  391

scrippsco2-c13-daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  394

scrippsco2-c13-monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  395

scrippsco2-co2-daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  396

scrippsco2-co2-monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  397

scrippsco2-o18-daily . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

scrippsco2-o18-monthly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  401

security-playbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  402

shell-commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  406

shodan-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  407

short-message-service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  408

shortened-link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  409

social-media-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  410

splunk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  412

ss7-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  412

ssh-authorized-keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  416

stix2-pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  417

submarine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  417

suricata. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  420

target-system. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  421

telegram-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  421

temporal-event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  422

threatgrid-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  423

timecode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  423

timesketch-timeline. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  424

timesketch_message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  425


timestamp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  425

tor-hiddenservice. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  426

tor-node . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  427

tracking-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  428

transaction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  429

translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  431

trustar_report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  436

tsk-chats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  440

tsk-web-bookmark. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  441

tsk-web-cookie . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  442

tsk-web-downloads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  443

tsk-web-history. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  444

tsk-web-search-query . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  445

twitter-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  446

twitter-list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  449

twitter-post . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  450

url . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  453

user-account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  454

vehicle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  457

victim . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  458

virustotal-graph . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  461

virustotal-report. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  461

vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  462

weakness . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  464

whois. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  465

windows-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  466

x509. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  468

yabin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  470

yara . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  471

youtube-channel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  472

youtube-comment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  473

youtube-playlist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  474

youtube-video. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  475

Relationships. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  477

Introduction

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.

MISP objects are used in MISP (starting from version 2.4.80) and can be used by other information sharing tools. MISP objects are in addition to MISP attributes, allowing advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing. The objects are shared like any other attributes in MISP, even if the other MISP instances don't have the template of the object. The following document is generated from the machine-readable JSON describing the MISP objects.

Funding and Support

The MISP project is financially and resource supported by CIRCL Computer Incident Response Center Luxembourg.

A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 as Improving MISP as building blocks for next-generation information sharing.

If you are interested in co-funding projects around MISP, feel free to get in touch with us.

MISP objects

ail-leak

An information leak as defined by the AIL Analysis Information Leak framework.

ail-leak is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
duplicate | text | Duplicate of the existing leaks. | |
duplicate_number | counter | Number of known duplicates. | |
first-seen | datetime | When the leak has been accessible or seen for the first time. | |
last-seen | datetime | When the leak has been accessible or seen for the last time. | |
origin | text | The link where the leak is (or was) accessible at first-seen. | |
original-date | datetime | When the information available in the leak was created. It's usually before the first-seen. | |
raw-data | attachment | Raw data as received by the AIL sensor, compressed and encoded in Base64. | |
sensor | text | The AIL sensor uuid where the leak was processed and analysed. | |
text | text | A description of the leak which could include the potential victim(s) or description of the leak. | |

ais-info

Automated Indicator Sharing (AIS) Information Source Markings.

ais-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
administrative-area | text | AIS Administrative Area represented using ISO-3166-2. | |
country | text | AIS Country represented using ISO-3166-1_alpha-2. | |
industry | text | AIS Industry Type. ['Chemical Sector', 'Commercial Facilities Sector', 'Communications Sector', 'Critical Manufacturing Sector', 'Dams Sector', 'Defense Industrial Base Sector', 'Emergency Services Sector', 'Energy Sector', 'Financial Services Sector', 'Food and Agriculture Sector', 'Government Facilities Sector', 'Healthcare and Public Health Sector', 'Information Technology Sector', 'Nuclear Reactors, Materials, and Waste Sector', 'Transportation Systems Sector', 'Water and Wastewater Systems Sector', 'Other'] | |
organisation | text | AIS Organisation Name. | |

android-app

Indicators related to an Android app.

android-app is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
appid | text | Application ID | |
certificate | sha1 | Android certificate | |
domain | domain | Domain used by the app | |
name | text | Generic name of the application | |
sha256 | sha256 | SHA256 of the APK. | |

android-permissionA set of android permissions - one or more permission(s) which can be linked to other objects (e.g.malware, app).

android-permission is a MISP object available in JSON format at this location TheJSON format can be freely reused in your application or automatically enabled inMISP.

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

comment comment Comment aboutthe set of androidpermission(s)

13

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

permission text Androidpermission['ACCESS_CHECKIN_PROPERTIES','ACCESS_COARSE_LOCATION','ACCESS_FINE_LOCATION','ACCESS_LOCATION_EXTRA_COMMANDS','ACCESS_NETWORK_STATE','ACCESS_NOTIFICATION_POLICY','ACCESS_WIFI_STATE','ACCOUNT_MANAGER','ADD_VOICEMAIL','ANSWER_PHONE_CALLS','BATTERY_STATS','BIND_ACCESSIBILITY_SERVICE','BIND_APPWIDGET','BIND_AUTOFILL_SERVICE','BIND_CARRIER_MESSAGING_SERVICE','BIND_CHOOSER_TARGET_SERVICE','BIND_CONDITION_PROVIDER_SERVICE','BIND_DEVICE_ADMIN','BIND_DREAM_SERVICE','BIND_INCALL_SERVICE','BIND_INPUT_METHOD','BIND_MIDI_DEVICE_SERVICE','BIND_NFC_SERVI

14

CE','BIND_NOTIFICATION_LISTENER_SERVICE','BIND_PRINT_SERVICE','BIND_QUICK_SETTINGS_TILE','BIND_REMOTEVIEWS','BIND_SCREENING_SERVICE','BIND_TELECOM_CONNECTION_SERVICE','BIND_TEXT_SERVICE','BIND_TV_INPUT','BIND_VISUAL_VOICEMAIL_SERVICE','BIND_VOICE_INTERACTION','BIND_VPN_SERVICE','BIND_VR_LISTENER_SERVICE','BIND_WALLPAPER', 'BLUETOOTH','BLUETOOTH_ADMIN','BLUETOOTH_PRIVILEGED','BODY_SENSORS','BROADCAST_PACKAGE_REMOVED','BROADCAST_SMS','BROADCAST_STICKY','BROADCAST_WAP_PUSH','CALL_PHONE','CALL_PRIVILEGED', 'CAMERA','CAPTURE_AUDIO_OUTPUT','CAPTURE_SECUR

annotationAn annotation object allowing analysts to add annotations, comments, executive summary to aMISP event, objects or attributes.

annotation is a MISP object available in JSON format at this location The JSONformat can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

attachment attachment An attachment tosupport theannotation

creation-date datetime Initial creation ofthe annotation

format text Format of theannotation ['text','markdown','asciidoctor','MultiMarkdown','GFM', 'pandoc','Fountain','CommonWork','kramdown-rfc2629', 'rfc7328','Extra']

modification-date datetime Last update of theannotation

ref link Reference(s) to theannotation

text text Raw text of theannotation

15

E_VIDEO_OUTPUT','CAPTURE_VIDEO_OUTPUT','CHANGE_COMPONENT_ENABLED_STATE','CHANGE_CONFIGURATION','CHANGE_NETWORK_STATE','CHANGE_WIFI_MULTICAST_STATE','CHANGE_WIFI_STATE','CLEAR_APP_CACHE','CONTROL_LOCATION_UPDATES','DELETE_CACHE_FILES','DELETE_PACKAGES', 'DIAGNOSTIC','DISABLE_KEYGUARD', 'DUMP','EXPAND_STATUS_BAR','FACTORY_TEST','GET_ACCOUNTS','GET_ACCOUNTS_PRIVILEGED','GET_PACKAGE_SIZE', 'GET_TASKS','GLOBAL_SEARCH','INSTALL_LOCATION_PROVIDER','INSTALL_PACKAGES','INSTALL_SHORTCUT','INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET','KILL_BACKGROUND_PROCESSES','LOCATION_HARDWARE',

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

type text Type of theannotation['Annotation','ExecutiveSummary','Introduction','Conclusion','Disclaimer','Keywords','Acknowledgement', 'Other','Copyright','Authors', 'Logo','Full Report']

anonymisationAnonymisation object describing an anonymisation technique used to encode MISP attributevalues. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.

anonymisation is a MISP object available in JSON format at this location The JSONformat can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

description text Description of theanonymisationtechnique or toolused

16

'MANAGE_DOCUMENTS','MANAGE_OWN_CALLS','MASTER_CLEAR','MEDIA_CONTENT_CONTROL','MODIFY_AUDIO_SETTINGS','MODIFY_PHONE_STATE','MOUNT_FORMAT_FILESYSTEMS','MOUNT_UNMOUNT_FILESYSTEMS','NFC','PACKAGE_USAGE_STATS','PERSISTENT_ACTIVITY','PROCESS_OUTGOING_CALLS','READ_CALENDAR','READ_CALL_LOG','READ_CONTACTS','READ_EXTERNAL_STORAGE','READ_FRAME_BUFFER','READ_INPUT_STATE', 'READ_LOGS','READ_PHONE_NUMBERS','READ_PHONE_STATE', 'READ_SMS','READ_SYNC_SETTINGS','READ_SYNC_STATS','READ_VOICEMAIL', 'REBOOT','RECEIVE_BOOT_COMPLETED','RECEIVE_MMS','RECEIVE_SMS',

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

encryption-function

text Encryptionfunction oralgorithm used toanonymise theattribute ['aes128','aes-128-cbc', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8', 'aes-128-ctr','aes-128-ecb', 'aes-128-ofb', 'aes192','aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8', 'aes-192-ctr','aes-192-ecb', 'aes-192-ofb', 'aes-256-cfb', 'aes-256-cfb1','aes-256-cfb8', 'aes-256-ctr', 'aes-256-ecb', 'aes-256-ofb','bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish','camellia128','camellia-128-cbc','camellia-128-cfb','camellia-128-cfb1', 'camellia-128-cfb8','camellia-128-ctr','camellia-128-ecb','camellia-128-ofb','camellia192','camellia-192-cbc','camellia-192-cfb','camellia-192-cfb1', 'camellia-192-cfb8','camellia-192-ctr','camellia-192-ecb','camellia-192-ofb','camellia256','camellia-256-cbc','camellia-256-cfb','camellia-256-cfb1', 'camellia-256-cfb8',

17

'RECEIVE_WAP_PUSH','RECORD_AUDIO','REORDER_TASKS','REQUEST_COMPANION_RUN_IN_BACKGROUND','REQUEST_COMPANION_USE_DATA_IN_BACKGROUND','REQUEST_DELETE_PACKAGES','REQUEST_IGNORE_BATTERY_OPTIMIZATIONS','REQUEST_INSTALL_PACKAGES','RESTART_PACKAGES','SEND_RESPOND_VIA_MESSAGE','SEND_SMS','SET_ALARM','SET_ALWAYS_FINISH','SET_ANIMATION_SCALE','SET_DEBUG_APP','SET_PREFERRED_APPLICATIONS','SET_PROCESS_LIMIT', 'SET_TIME','SET_TIME_ZONE','SET_WALLPAPER','SET_WALLPAPER_HINTS','SIGNAL_PERSISTENT_PROCESSES','STATUS_BAR','SYSTEM_ALERT_WINDOW','TRANSMIT_IR','UNINSTALL_SHORTCUT','UPDATE_DEVICE_STATS',

'camellia-256-ctr','camellia-256-ecb','camellia-256-ofb','cast', 'cast5-cbc','cast5-cfb', 'cast5-ecb', 'cast5-ofb','cast-cbc', 'des','des3', 'des-cbc','des-cfb', 'des-ecb','des-ede', 'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb','des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb', 'des-ofb','desx', 'gost89','gost89-cnt', 'idea','idea-cbc', 'idea-cfb', 'idea-ecb','idea-ofb', 'rc2','rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc','rc2-cfb', 'rc2-ecb','rc2-ofb', 'rc4', 'rc4-40', 'rc4-64', 'rc5','rc5-cbc', 'rc5-cfb','rc5-ecb', 'rc5-ofb','seed', 'seed-cbc','seed-cfb', 'seed-ecb', 'seed-ofb','sm4', 'sm4-cbc','sm4-cfb', 'sm4-ctr', 'sm4-ecb','sm4-ofb']

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

iv text Initialisationvector for theencryptionfunction used toanonymise theattribute

key text Key (such as a PSKin a keyed-hash-function) used toanonymise theattribute

keyed-hash-function

text Keyed-hashfunction used toanonymise theattribute ['hmac-sha1', 'hmac-md5','hmac-sha256','hmac-sha384','hmac-sha512']

level-of-knowledge

text Level ofknowledge of theorganisation whocreated this object['Only theanonymised datais known','Deanonymiseddata is known']

18

'USE_FINGERPRINT', 'USE_SIP','VIBRATE','WAKE_LOCK','WRITE_APN_SETTINGS','WRITE_CALENDAR','WRITE_CALL_LOG','WRITE_CONTACTS','WRITE_EXTERNAL_STORAGE','WRITE_GSERVICES','WRITE_SECURE_SETTINGS','WRITE_SETTINGS','WRITE_SYNC_SETTINGS','WRITE_VOICEMAIL']

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| method | text | Anonymisation (or pseudo-anonymisation) method(s) used ["hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", 'hash - A hash function maps each attribute to a new (not necessarily unique) attribute.', 'permutation - Maps each original value to a unique new value.', "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymisation. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.)", 'shift - Adds a fixed offset to each value/attribute.', 'enumeration - Map each original value to a new value such that their ordering is preserved.', 'partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.', 'updated - Checksums are recalculated to reflect changes made to other fields.', 'truncation - Field is shortened, losing data at the end.', 'encryption - Attribute is encrypted.'] |
| regexp | text | Regular expression to perform the anonymisation (reversible or not) |
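The following is an added example, not code from the MISP project, showing three of the methods the anonymisation template enumerates ('hash' with one of the listed keyed-hash functions, 'partitioning' with the TCP port ranges given in the description, and 'truncation') together with a dict keyed by the template's attribute names that records which method was applied. The plain SHA-256 helper is there only to contrast a keyed hash with an unkeyed one: an unkeyed hash of a small value space (IP addresses, ports, usernames) can be rebuilt by anyone who hashes every candidate, which is why the template carries a key and a keyed-hash-function attribute. The key value and IP address are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Keyed-hash functions listed by the anonymisation template, mapped to hashlib names.
KEYED_HASH_FUNCTIONS = {
    "hmac-sha1": "sha1",
    "hmac-md5": "md5",
    "hmac-sha256": "sha256",
    "hmac-sha384": "sha384",
    "hmac-sha512": "sha512",
}


def keyed_hash(value: str, key: bytes, function: str = "hmac-sha256") -> str:
    """'hash' method with a keyed hash: stable for one key, but without the key a
    recipient cannot rebuild the mapping by hashing a dictionary of likely inputs."""
    return hmac.new(key, value.encode("utf-8"), KEYED_HASH_FUNCTIONS[function]).hexdigest()


def unkeyed_hash(value: str, algorithm: str = "sha256") -> str:
    """Plain hash, shown for contrast: anyone can recompute it for candidate values."""
    return hashlib.new(algorithm, value.encode("utf-8")).hexdigest()


def partition_port(port: int) -> int:
    """'partitioning' method, using the port ranges the template gives as its example."""
    if not 0 <= port <= 65535:
        raise ValueError(f"not a TCP port: {port}")
    return 0 if port <= 1023 else 65535


def truncate(value: str, keep: int) -> str:
    """'truncation' method: the field is shortened, losing data at the end."""
    return value[:keep]


def anonymisation_object(method: str, **attrs) -> dict:
    """Dict keyed by the template's attribute names (method, keyed-hash-function,
    key, iv, regexp, level-of-knowledge). The creator always knows the original
    data, hence the default level-of-knowledge."""
    obj = {"method": method, "level-of-knowledge": "Deanonymised data is known"}
    obj.update({k: v for k, v in attrs.items() if v is not None})
    return obj


def pseudonymise_ip(ip: str, key: bytes, function: str = "hmac-sha256"):
    """Replace an IP with its keyed hash and describe how that was done. The key
    itself is deliberately not copied into the object; the template's 'key'
    attribute is for cases where the creator chooses to share the mapping."""
    pseudonym = keyed_hash(ip, key, function)
    obj = anonymisation_object("hash", **{"keyed-hash-function": function})
    return pseudonym, obj


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)          # constructed, per-sharing-group key
    pseudo, obj = pseudonymise_ip("203.0.113.7", demo_key)  # RFC 5737 documentation IP
    print(pseudo, obj)
    print(partition_port(22), partition_port(8080))   # 0 65535
    print(truncate("203.0.113.7", 7))                 # 203.0.1
```

Ports 0 to 1023 collapse to 0 and everything above to 65535, exactly as the description states, so a partitioned port cannot be recovered but still says whether the service ran on a privileged port.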

asn

Autonomous system object describing an autonomous system, which can include one or more network operators managing an entity (e.g. an ISP), along with their routing policy, routing prefixes or the like.

asn is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| asn | AS | Autonomous System Number |
| country | text | Country code of the main location of the autonomous system |
| description | text | Description of the autonomous system |
| export | text | The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format |
| first-seen | datetime | First time the ASN was seen |
| import | text | The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format |
| last-seen | datetime | Last time the ASN was seen |
| mp-export | text | This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5 format |
| mp-import | text | The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5 format |
| subnet-announced | ip-src | Subnet announced |

attack-pattern

Attack pattern describing a common attack pattern enumeration and classification.

attack-pattern is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| id | text | CAPEC ID. |
| name | text | Name of the attack pattern. |
| prerequisites | text | Prerequisites for the attack pattern to succeed. |
| references | link | External references |
| related-weakness | weakness | Weakness related to the attack pattern. |
| solutions | text | Solutions for the attack pattern to be countered. |
| summary | text | Summary description of the attack pattern. |

authentication-failure-report

Authentication Failure Report.

authentication-failure-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| ip-dst | ip-dst | Destination IP. |
| ip-src | ip-src | IP address originating the authentication failure. |
| total | counter | The number of authentication failures reported. |
| type | text | The type of authentication failure. ['ssh'] |
| username | text | The username used. |
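As an added example (not part of the MISP documentation or project code), this is how a defender could fill the authentication-failure-report attributes above from sshd log lines: failed password attempts are counted per source IP and username, one report is produced per pair with type 'ssh', and a helper lists the sources whose failures across all usernames reach a threshold. The log lines are constructed for the example (RFC 5737 documentation addresses, invented host name and PIDs), and the destination IP passed to build_reports is assumed to be the reporting host's own address.

```python
import re
from collections import Counter

# Constructed sshd log lines in the syslog layout sshd uses on most Linux hosts.
SAMPLE_AUTH_LOG = """\
Mar 14 10:01:12 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar 14 10:01:15 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 14 10:01:20 bastion sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Mar 14 10:02:03 bastion sshd[2220]: Accepted publickey for deploy from 198.51.100.20 port 40000 ssh2: ED25519 SHA256:constructedfingerprint
Mar 14 10:03:44 bastion sshd[2230]: Failed password for invalid user oracle from 198.51.100.9 port 33000 ssh2
Mar 14 10:03:50 bastion sshd[2231]: Connection closed by 198.51.100.9 port 33001 [preauth]
"""

# "invalid user" is optional: sshd inserts it when the account does not exist.
FAILED_PASSWORD = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def count_failures(log_text: str) -> Counter:
    """Count failed password attempts per (source IP, username) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILED_PASSWORD.search(line)
        if match:
            counts[(match["ip"], match["user"])] += 1
    return counts


def build_reports(log_text: str, ip_dst: str) -> list:
    """One dict per (ip-src, username) pair, keyed by the template's attribute names."""
    reports = []
    for (ip, user), total in sorted(count_failures(log_text).items()):
        reports.append({
            "ip-dst": ip_dst,       # the host that received the attempts
            "ip-src": ip,
            "username": user,
            "total": total,
            "type": "ssh",
        })
    return reports


def sources_over_threshold(reports: list, threshold: int) -> list:
    """Source IPs whose failures summed over all usernames reach the threshold."""
    per_ip = Counter()
    for report in reports:
        per_ip[report["ip-src"]] += report["total"]
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    reports = build_reports(SAMPLE_AUTH_LOG, "192.0.2.10")  # constructed bastion address
    for report in reports:
        print(report)
    print(sources_over_threshold(reports, 3))   # ['203.0.113.7']
```

Accepted logins and pre-auth disconnects are deliberately not matched; only lines that sshd itself labels as failed password attempts feed the counter.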

authenticode-signerinfo

Authenticode Signer Info.

authenticode-signerinfo is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| content-type | text | Content type |
| digest-base64 | text | Signature created by the signing certificate's private key |
| digest_algorithm | text | Algorithm used to hash the file. |
| encryption_algorithm | text | Algorithm used to encrypt the digest |
| issuer | text | Issuer of the certificate |
| program-name | text | Program name |
| serial-number | text | Serial number of the certificate |
| signature_algorithm | text | Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION'] |
| text | text | Free text description of the signer info |
| url | url | URL |
| version | text | Version of the certificate |

av-signature

Antivirus detection signature.

av-signature is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| datetime | datetime | Datetime |
| signature | text | Name of detection signature |
| software | text | Name of antivirus software |
| text | text | Free text value to attach to the file |

bank-account

An object describing bank account information based on the account description from goAML 4.0.

bank-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| aba-rtn | aba-rtn | ABA routing transit number |
| account | bank-account-nr | Account number |
| account-name | text | A field to freely describe the bank account details. |
| balance | text | The balance of the account after the suspicious transaction was processed. |
| beneficiary | text | Final beneficiary of the bank account. |
| beneficiary-comment | text | Comment about the final beneficiary. |
| branch | text | Branch code or name |
| client-number | text | Client number as seen by the bank. |
| closed | datetime | When the account was closed. |
| comments | text | Comments about the bank account. |
| currency-code | text | Currency of the account. ['USD', 'EUR'] |
| date-balance | datetime | When the balance was reported. |
| iban | iban | IBAN of the bank account. |
| institution-code | text | Institution code of the bank. |
| institution-name | text | Name of the bank or financial organisation. |
| non-banking-institution | boolean | A flag to define if this account belongs to a non-banking organisation. If set to true, it's a non-banking organisation. ['True', 'False'] |
| opened | datetime | When the account was opened. |
| personal-account-type | text | Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other'] |
| report-code | text | Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic'] |
| status-code | text | Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant'] |
| swift | bic | SWIFT or BIC as defined in ISO 9362. |
| text | text | A description of the bank account. |

bgp-hijack

Object encapsulating a BGP hijack description as specified, for example, by bgpstream.com.

bgp-hijack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| country | text | Country code of the main location of the attacking autonomous system |
| description | text | BGP hijack details |
| detected-asn | AS | Detected Autonomous System Number |
| end | datetime | Last time the prefix hijack was seen |
| expected-asn | AS | Expected Autonomous System Number |
| start | datetime | First time the prefix hijack was seen |
| subnet-announced | ip-src | Subnet announced |

bgp-ranking

BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.

bgp-ranking is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| address-family | text | The IP address family concerned by the ranking. ['v4', 'v6'] |
| date | datetime | Date of the ranking. |
| position | float | Position of the ASN for a given day. |
| ranking | float | Ranking of the Autonomous System number. |

blog

Blog post, like Medium or WordPress.

blog is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). |
| creation-date | datetime | Initial creation of the blog post. |
| embedded-link | url | Site linked by the blog post. |
| embedded-safe-link | link | Safe site linked by the blog post. |
| link | link | Original link into the blog post (supposedly harmless). |
| modification-date | datetime | Last update of the blog post. |
| post | text | Raw post. |
| removal-date | datetime | When the blog post was removed. |
| title | text | Title of blog post. |
| type | text | Type of blog post. ['Medium', 'WordPress', 'Blogger', 'Tumbler', 'LiveJournal', 'Forum', 'Other'] |
| url | url | Original URL location of the blog post (potentially malicious). |
| username | text | Username who posted the blog post. |
| username-quoted | text | Usernames who are quoted in the blog post. |
| verified-username | text | Is the username account verified by the operator of the blog platform. ['Verified', 'Unverified', 'Unknown'] |

boleto

A common form of payment used in Brazil.

boleto is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| beneficiary | text | Final beneficiary of the boleto. |
| beneficiary-bank-account | bank-account-nr | Recipient bank account number |
| beneficiary-bank-agency | bank-account-nr | Recipient bank agency number |
| boleto-number | text | Boleto code numbers |
| creation-date | datetime | Date the boleto was created |
| febraban-code | text | Financial institution code in Brazil that created the boleto. |
| generator-financial-institution | text | Name of the bank or financial organisation that created the boleto. |
| payment-due-date | datetime | Boleto payment date |
| payment-status | text | Informs whether the boleto was paid or not ['Not Paid', 'Paid'] |
| payment-value | float | The boleto payment value in Brazilian Reais |
| requester | text | Organisation, service or affiliated person that requested creation of the boleto. |

btc-transaction

An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.

btc-transaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| btc-address | btc | A Bitcoin transactional address |
| time | datetime | Date and time of transaction |
| transaction-number | text | A Bitcoin transaction number in a sequence of transactions |
| value_BTC | float | Value in BTC at date/time displayed in field 'time' |
| value_EUR | float | Value in EUR with conversion rate as of date/time displayed in field 'time' |
| value_USD | float | Value in USD with conversion rate as of date/time displayed in field 'time' |

btc-wallet

An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.

btc-wallet is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| BTC_received | float | Value of received BTC |
| BTC_sent | float | Value of sent BTC |
| balance_BTC | float | Value in BTC at date/time displayed in field 'time' |
| time | datetime | Date and time of lookup/conversion |
| wallet-address | btc | A Bitcoin wallet address |

cap-alert

Common Alerting Protocol Version (CAP) alert object.

cap-alert is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| addresses | text | The group listing of intended recipients of the alert message. (1) Required when <scope> is "Private", optional when <scope> is "Public" or "Restricted". (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. |
| code | text | The code denoting the special handling of the alert message. |
| identifier | text | The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender. |
| incident | text | The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes. |
| msgType | text | The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error'] |
| note | text | The text describing the purpose or significance of the alert message. |
| references | text | The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace. |
| restriction | text | The text describing the rule for limiting distribution of the restricted alert message. |
| scope | text | The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private'] |
| sender | text | The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name. |
| sent | datetime | The time and date of the origination of the alert message. |
| source | text | The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device. |
| status | text | The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft'] |

cap-info

Common Alerting Protocol Version (CAP) info object.

cap-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| audience | text | The text describing the intended audience of the alert message. |
| category | text | The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other'] |
| certainty | text | The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of "Very Likely" SHOULD be treated as equivalent to "Likely". ['Likely', 'Possible', 'Unlikely', 'Unknown'] |
| contact | text | The text describing the contact for follow-up and confirmation of the alert message. |
| description | text | The text describing the subject event of the alert message. |
| effective | datetime | The effective time of the information of the alert message. |
| event | text | The text denoting the type of the subject event of the alert message. |
| eventCode | text | A system-specific code identifying the event type of the alert message. |
| expires | datetime | The expiry time of the information of the alert message. |
| headline | text | The text headline of the alert message. |
| instruction | text | The text describing the recommended action to be taken by recipients of the alert message. |
| language | text | The code denoting the language of the info sub-element of the alert message. |
| onset | datetime | The expected time of the beginning of the subject event of the alert message. |
| parameter | text | A system-specific additional parameter associated with the alert message. |
| responseType | text | The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None'] |
| senderName | text | The text naming the originator of the alert message. |
| severity | text | The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown'] |
| urgency | text | The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown'] |
| web | link | The identifier of the hyperlink associating additional information with the alert message. |

cap-resource

Common Alerting Protocol Version (CAP) resource object.

cap-resource is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| derefUri | attachment | The base-64 encoded data content of the resource file. |
| digest | sha1 | The code representing the digital digest ("hash") computed from the resource file (OPTIONAL). |
| mimeType | mime-type | The identifier of the MIME content type and sub-type describing the resource file. |
| resourceDesc | text | The text describing the type and content of the resource file. |
| size | text | The integer indicating the size of the resource file. |
| uri | link | The identifier of the hyperlink for the resource file. |

coin-address

An address used in a cryptocurrency.

coin-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| address | btc | Bitcoin address used as a payment destination in a cryptocurrency |
| address-xmr | xmr | Monero address used as a payment destination in a cryptocurrency |
| current-balance | float | Current balance of address |
| first-seen | datetime | First time this payment destination address has been seen |
| last-seen | datetime | Last time this payment destination address has been seen |
| last-updated | datetime | Last time the balances and totals have been updated |
| symbol | text | The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN'] |
| text | text | Free text value |
| total-received | float | Total balance received |
| total-sent | float | Total balance sent |
| total-transactions | text | Total transactions performed |

command

Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line objects are attached to this object for the related commands.

command is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| description | text | Description of the command functionalities |
| location | text | Location of the command functionality ['Bundled', 'Module', 'Libraries', 'Unknown'] |
| trigger | text | How the commands are triggered ['Local', 'Network', 'Unknown'] |

command-line

Command line and options related to a specific command executed by a program, whether it is malicious or not.

command-line is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| description | text | Description of the command |
| value | text | Command code |

concordia-mtmf-intrusion-set

Intrusion Set - Phase Description.

concordia-mtmf-intrusion-set is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| AttackName | text | Name of the Attack |
| CMTMF_ATCKID | counter | Identifier of the Attack |
| FeedbackLoop | counter | Feedback Loop Sequence |
| PhName | text | Name of the Phase (Tactic) |
| PhSequence | counter | Phase Sequence |
| description | text | Description of the phase |

cookie

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user's web browser. The browser may store it and send it back with the next request to the same server. Typically, it's used to tell if two requests came from the same browser — keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol. (As defined by the Mozilla foundation.)

cookie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| cookie | cookie | Full cookie |
| cookie-name | text | Name of the cookie (if split) |
| cookie-value | text | Value of the cookie (if split) |
| expires | datetime | Expiration date/time of the cookie |
| http-only | boolean | True if sent only through HTTP ['True', 'False'] |
| path | text | Path defined in the cookie |
| secure | boolean | True if cookie is sent over TLS ['True', 'False'] |
| text | text | A description of the cookie. |
| type | text | Type of cookie and how it's used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing'] |
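An added example, not from the MISP project, of filling the cookie object's attributes from a raw Set-Cookie header: the full header goes into cookie, the first name=value pair into cookie-name and cookie-value, and the Path, Expires, Secure and HttpOnly attributes into path, expires, secure and http-only. A second helper reports which of the two protection flags the template records are absent, which is the check an analyst makes when deciding whether a captured session cookie could have been exposed over plain HTTP or to script. The header values are constructed; the booleans are Python bools and would be rendered as the template's 'True'/'False' strings when pushed to MISP.

```python
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header into a dict keyed by the cookie template's attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    obj = {
        "cookie": header,                 # full cookie as received
        "cookie-name": name.strip(),
        "cookie-value": value.strip(),
        "expires": None,
        "http-only": False,
        "path": None,
        "secure": False,
    }
    for attribute in parts[1:]:
        key, _, val = attribute.partition("=")
        key = key.strip().lower()         # attribute names are case-insensitive
        val = val.strip()
        if key == "httponly":
            obj["http-only"] = True
        elif key == "secure":
            obj["secure"] = True
        elif key == "path":
            obj["path"] = val
        elif key == "expires":
            try:
                # RFC 1123 date; stored as ISO 8601 for the datetime attribute
                obj["expires"] = parsedate_to_datetime(val).isoformat()
            except (ValueError, TypeError):
                obj["expires"] = None      # malformed date: leave the attribute unset
        # Max-Age, Domain and SameSite have no attribute in this template and are ignored
    return obj


def missing_protections(obj: dict) -> list:
    """Names of the template's two flag attributes that are not set on this cookie."""
    missing = []
    if not obj["secure"]:
        missing.append("secure")
    if not obj["http-only"]:
        missing.append("http-only")
    return missing


if __name__ == "__main__":
    # Constructed headers: one hardened session cookie, one bare tracking cookie.
    good = parse_set_cookie("sessionid=abc123; Path=/; Secure; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT")
    bare = parse_set_cookie("tracker=xyz; Path=/")
    print(good)
    print(missing_protections(good), missing_protections(bare))   # [] ['secure', 'http-only']
```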

cortex

Cortex object describing a complete Cortex analysis. Observables would be attributes with a relationship from this object.

cortex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| full | text | Cortex report object (full report) in JSON |
| name | text | Cortex analyser/worker name |
| server-name | text | Name of the Cortex server |
| start-date | datetime | When the Cortex analyser was started |
| success | boolean | Result of the Cortex job ['True', 'False'] |
| summary | text | Cortex summary object (summary) in JSON |

cortex-taxonomy

Cortex object describing a Cortex Taxonomy (or mini report).

cortex-taxonomy is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| cortex_url | link | URL to the Cortex job |
| level | text | Cortex Taxonomy Level ['info', 'safe', 'suspicious', 'malicious'] |
| namespace | text | Cortex Taxonomy Namespace |
| predicate | text | Cortex Taxonomy Predicate |
| value | text | Cortex Taxonomy Value |

course-of-action

An object describing a specific measure taken to prevent or respond to an attack.

course-of-action is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| cost | text | The estimated cost of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
| description | text | A description of the course of action. |
| efficacy | text | The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
| impact | text | The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
| name | text | The name used to identify the course of action. |
| objective | text | The objective of the course of action. |
| stage | text | The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response', 'Further Analysis Required'] |
| type | text | The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other'] |

covid19-csse-daily-report

CSSE COVID-19 Daily report.

covid19-csse-daily-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| active | counter | The number of active cases. |
| confirmed | counter | The number of confirmed cases. For Hubei Province: from Feb 13 (GMT +8), we report both clinically diagnosed and lab-confirmed cases. For lab-confirmed cases only (before Feb 17), please refer to https://github.com/CSSEGISandData/COVID-19/tree/master/who_covid_19_situation_reports. |
| country-region | text | Country/region name conforming to WHO (will be updated). |
| county | counter | US County (US only) |
| death | counter | The number of deaths. |
| fips | counter | Federal Information Processing Standard county code (US only) |
| latitude | float | Approximate latitude of the entry |
| longitude | float | Approximate longitude of the entry |
| province-state | text | Province name; US/Canada/Australia - city name, state/province name; Others - name of the event (e.g., "Diamond Princess" cruise ship); other countries - blank. |
| recovered | counter | The number of recovered cases. |
| update | datetime | Time of the last update that day (UTC) |

covid19-dxy-live-city

COVID 19 from dxy.cn - Aggregation by city.

covid19-dxy-live-city is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| city | text | Name of the Chinese city, in Chinese. |
| current-confirmed | counter | Current number of confirmed cases |
| total-confirmed | counter | Total number of confirmed cases. |
| total-cured | counter | Total number of cured cases. |
| total-death | counter | Total number of deaths. |
| update | datetime | Approximate time of the update (~hour) |

covid19-dxy-live-province

COVID 19 from dxy.cn - Aggregation by province.

covid19-dxy-live-province is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | text | Comment, in Chinese |
| current-confirmed | counter | Current number of confirmed cases |
| province | text | Name of the Chinese province, in Chinese. |
| total-confirmed | counter | Total number of confirmed cases. |
| total-cured | counter | Total number of cured cases. |
| total-death | counter | Total number of deaths. |
| update | datetime | Approximate time of the update (~hour) |

cowrie

Cowrie honeypot object template.

cowrie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| compCS | text | SSH compression algorithm supported in the session |
| dst_ip | ip-dst | Destination IP address of the session |
| dst_port | port | Destination port of the session |
| encCS | text | SSH symmetric encryption algorithm supported in the session |
| eventid | text | Event id of the session in the Cowrie honeypot |
| hassh | hassh-md5 | HASSH of the client SSH session following the Salesforce algorithm |
| input | text | Input of the session |
| isError | text | isError |
| keyAlgs | text | SSH public-key algorithm supported in the session |
| macCS | text | SSH MAC supported in the session |
| message | text | Message of the Cowrie honeypot |
| password | text | Password |
| protocol | text | Protocol used in the Cowrie honeypot |
| sensor | text | Cowrie sensor name |
| session | text | Session id |
| src_ip | ip-src | Source IP address of the session |
| src_port | port | Source port of the session |
| system | text | System origin in Cowrie honeypot |
| timestamp | datetime | When the event happened |
| username | text | Username related to the password(s) |

cpe-asset

An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.

cpe-asset is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| cpe | cpe | CPE — the well-formed CPE name (WFN). WFNs can be used to describe a set of products or to identify an individual product. |
| description | text | Complementary description of the asset |
| edition | text | The edition attribute is considered deprecated in this specification, and it SHOULD be assigned the logical value ANY except where required for backward compatibility with version 2.2 of the CPE specification. This attribute is referred to as the "legacy edition" attribute. If this attribute is used, values for this attribute SHOULD capture edition-related terms applied by the vendor to the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
| language | text | Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used. |
| other | text | Values for this attribute SHOULD capture any other general descriptive or identifying information which is vendor- or product-specific and which does not logically fit in any other attribute value. Values SHOULD NOT be used for storing instance-specific data (e.g., globally-unique identifiers or Internet Protocol addresses). Values for this attribute SHOULD be selected from a valid-values list that is refined over time; this list MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
| part | text | Part - application, operating systems or hardware devices ['a', 'o', 'h'] |
| product | text | Values for this attribute SHOULD describe or identify the most common and recognizable title or name of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
| sw_edition | text | Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
| target_hw | text | Values for this attribute SHOULD characterize the instruction set architecture (e.g., x86) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
| target_sw | text | Values for this attribute SHOULD characterize the software computing environment within which the product operates. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |

65

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

update text Values for thisattribute SHOULDbe vendor-specificalphanumericstringscharacterizing theparticular update,service pack, orpoint release ofthe product.Valuesfor this attributeSHOULD beselected from anattribute-specificvalid-values list,which MAYbedefined by otherspecifications thatutilize thisspecification. Anycharacter stringmeeting therequirements forWFNs (cf. 5.3.2)MAYbe specifiedas the value of theattribute.

66

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

vendor text Values for thisattribute SHOULDdescribe oridentify theperson ororganization thatmanufactured orcreated theproduct. Valuesfor this attributeSHOULD beselected from anattribute-specificvalid-values list,which MAYbedefined by otherspecifications thatutilize thisspecification. Anycharacter stringmeeting therequirements forWFNs (cf. 5.3.2)MAY be specifiedas the value of theattribute

67

Object attribute MISP attributetype

Description Disablecorrelation

Multiple

version text Values for thisattribute SHOULDbe vendor-specificalphanumericstringscharacterizing theparticular releaseversion of theproduct.VersioninformationSHOULD becopied directly(with escaping ofprintable non-alphanumericcharacters asrequired) fromdiscoverable dataand SHOULDNOTbe truncatedor otherwisemodified. Anycharacter stringmeeting therequirements forWFNs (cf. 5.3.2)MAYbe specifiedas the value of theattribute.

credential

Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).

credential is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| format | text | Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown'] |
| notification | text | Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none'] |
| origin | text | Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown'] |
| password | text | Password |
| text | text | A description of the credential(s) |
| type | text | Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown'] |
| username | text | Username related to the password(s) |

credit-card

A payment card like credit card, debit card or any similar card which can be used for financial transactions.

credit-card is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| bank_name | text | Name of the bank which issued the card |
| card-security-code | text | Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card. |
| cc-number | cc-number | Credit card number as encoded on the card. |
| comment | comment | A description of the card. |
| expiration | datetime | Maximum date of validity |
| iin | text | International Issuer Number (first eight digits of the credit card number) |
| issued | datetime | Initial date of validity or issued date. |
| name | text | Name of the card owner. |
| version | text | Version of the card. |

crypto-material

Cryptographic materials such as public and/or private keys.

crypto-material is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| Gx | text | Curve parameter Gx in decimal |
| Gy | text | Curve parameter Gy in decimal |
| b | text | Curve parameter B in decimal |
| curve-length | text | Length of the curve in bits |
| e | text | RSA public exponent |
| ecdsa-type | text | Curve type of the ECDSA cryptographic materials ['Anomalous', 'M-221', 'E-222', 'NIST P-224', 'Curve1174', 'Curve25519', 'BN(2,254)', 'brainpoolP256t1', 'ANSSI FRP256v1', 'NIST P-256', 'secp256k1', 'E-382', 'M-383', 'Curve383187', 'brainpoolP384t1', 'NIST P-384', 'Curve41417', 'Ed448-Goldilocks', 'M-511', 'E-521'] |
| g | text | Curve parameter G in decimal |
| generic-symmetric-key | text | Generic symmetric key (please specify the type) |
| modulus | text | Modulus parameter in hexadecimal (no 0x, no :) |
| n | text | Curve parameter N in decimal |
| origin | text | Origin of the cryptographic materials ['mathematical-attack', 'exhaustive-search', 'bruteforce-attack', 'malware-extraction', 'memory-interception', 'network-interception', 'leak', 'unknown'] |
| p | text | Prime parameter P in decimal |
| private | text | Private part of the cryptographic materials in PEM format |
| public | text | Public part of the cryptographic materials in PEM format |
| q | text | Prime parameter Q in decimal |
| rsa-modulus-size | text | RSA modulus size in bits |
| text | text | A description of the cryptographic materials. |
| type | text | Type of cryptographic materials ['RSA', 'DSA', 'ECDSA', 'RC4', 'XOR', 'unknown'] |
| x | text | Curve parameter X in decimal |
| y | text | Curve parameter Y in decimal |

cytomic-orion-file

Cytomic Orion File Detection.

cytomic-orion-file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| classification | text | File classification (number) |
| classificationName | text | File classification |
| fileName | filename | Original filename |
| fileSize | size-in-bytes | Size of the file |
| first-seen | datetime | First seen timestamp of the file |
| last-seen | datetime | Last seen timestamp of the file |

cytomic-orion-machine

Cytomic Orion File at Machine Detection.

cytomic-orion-machine is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| clientCreationDateUTC | datetime | Client creation date (UTC) |
| clientId | text | Client id |
| clientName | target-org | Client name |
| creationDate | datetime | Client creation date |
| first-seen | datetime | First seen on machine |
| last-seen | datetime | Last seen on machine |
| lastSeenUtc | datetime | Client last seen (UTC) |
| machineMuid | text | Machine UID |
| machineName | target-machine | Machine name |
| machinePath | text | Path of observable |

dark-pattern-item

An item whose user interface implements a dark pattern.

dark-pattern-item is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| comment | text | Textual comment about the item |
| gain | text | What the implementer gains by deceiving the user ['registration', 'personal data', 'money', 'contacts', 'audience'] |
| implementer | text | Who the vendor / holder of the item is |
| location | text | Location where to find the item |
| screenshot | attachment | A screen capture or a screengrab of the item at work |
| time | datetime | Date and time when first seen |
| user | text | Who the users of the item are |

ddos

DDoS object describes a current DDoS activity from a specific and/or to a specific target. Type of DDoS can be attached to the object as a taxonomy.

ddos is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| domain-dst | domain | Destination domain (victim) |
| dst-port | port | Destination port of the attack |
| first-seen | datetime | Beginning of the attack |
| ip-dst | ip-dst | Destination IP (victim) |
| ip-src | ip-src | IP address originating the attack |
| last-seen | datetime | End of the attack |
| protocol | text | Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP'] |
| src-port | port | Port originating the attack |
| text | text | Description of the DDoS |
| total-bps | counter | Bits per second |
| total-pps | counter | Packets per second |

device

An object to define a device.

device is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| MAC-address | mac-address | Device MAC address |
| OS | text | OS of the device |
| alias | text | Alias of the device |
| analysis-date | datetime | Date of device analysis |
| attachment | attachment | An attachment |
| description | text | Description of the device |
| device-type | text | Type of the device ['PC', 'Mobile', 'Laptop', 'HID', 'TV', 'IoT', 'Hardware', 'Other'] |
| dns-name | text | Device DNS name |
| hits | counter | Number of hits for the device |
| infection_type | text | Type of infection if the device is in Infected status ['android_spams', 'android.bakdoor.prizmes', 'android.bankbot', 'android.banker.anubis', 'android.bankspy', 'android.cliaid', 'android.darksilent', 'android.fakeav', 'android.fakebank', 'android.fakedoc', 'android.fakeinst', 'android.fakemart', 'android.faketoken', 'android.fobus', 'android.fungram', 'android.geost', 'android.gopl', 'android.hiddad', 'android.hqwar', 'android.hummer', 'android.infosteal', 'android.iop', 'android.lockdroid', 'android.milipnot', 'android.nitmo', 'android.opfake', 'android.premiumtext', 'android.provar', 'android.pwstealer', 'android.rootnik', 'android.skyfin', 'android.smsbot', 'android.smssilence', 'android.smsspy', 'android.smsspy.be24', 'android.sssaaa', 'android.teleplus', 'android.uupay', 'android.voxv', 'avalanche-andromeda', 'banatrix', 'bankpatch', 'bebloh', 'bedep', 'betabot', 'bitcoinminer', 'blackbeard', 'blakamba', 'boinberg', 'buhtrap', 'caphaw', 'carberp', 'chafer', 'changeup', 'chinad', 'citadel', 'cobint', 'coinminer', 'conficker', 'cryptowall', 'cutwail', 'cycbot', 'diaminer', 'dimnie', 'dipverdle', 'dircrypt', 'dirtjumper', 'disorderstatus', 'dmsniff', 'dofoil', 'domreg', 'dorkbot', 'dorkbot-ssl', 'dresscode', 'dybalom', 'ek.fallout', 'emoted', 'emotet', 'esfury', 'expiro', 'exploitkit.fallout', 'extenbro', 'fake_cs_updater', 'fakerean', 'fallout.exploitkit', 'fast-flux', 'fast-flux-double', 'fast-flux;fast-flux-double', 'fleercivet', 'fobber', 'foxbantrix', 'foxbantrix-unknown', 'generic.malware', 'geodo', 'gonderici', 'gootkit', 'gozi', 'gspy', 'gtfobot', 'hancitor', 'harnig', 'htm5player.vast', 'ibanking', 'icedid', 'infected', 'iotreaper', 'ip-spoofer', 'ircbot', 'isfb', 'jadtre', 'jdk-update-apt', 'js.worm.bondat', 'junk-domains', 'kasidet', 'kbot', 'kelihos', 'kelihos.e', 'keylogger', 'keylogger-ftp', 'keylogger-vbklip', 'kidminer', 'kingminer', 'koobface', 'kraken', 'kronos', 'kwampirs', 'lethic', 'linux.backdoor.setag', 'linux.ngioweb', 'litemanager', 'loader', 'locky', 'loki', 'lokibot', 'luminositylink', 'lurkbanker', 'madominer', 'magecart', 'maliciouswebsites', 'malvertising.doubleclick', 'malwaretom', 'marcher', 'matrix', 'matsnu', 'menupass', 'mewsspy', 'miner.monero', 'minr', 'mirai', 'mix2', 'mkero', 'monero', 'mozi', 'muddywater', 'murofet', 'mysafeproxymonitor', 'nametrick', 'necurs', 'netsupport', 'nettraveler', 'neurevt', 'nitol', 'nivdort', 'nukebot', 'null', 'nymaim', 'nymain', 'osx.fakeflash', 'palevo', 'pawnstorm', 'phishing', 'phishing.cobalt', 'phishing.cobalt_dickens', 'phorpiex', 'pitou', 'plasma-tomas', 'ponmocup', 'pony', 'poseidon', 'powerstats', 'proxyback', 'pushdo', 'pws.pony', 'pykspa', 'qadars', 'qakbot', 'qqblack', 'qrypter.rat', 'qsnatch', 'racoon', 'ramdo', 'ramnit', 'ranbyus', 'ransom.cerber', 'ransomware', 'ransomware.shade', 'rat.vermin', 'renocide', 'revil', 'rodecap', 'sality', 'sality-p2p', 'servhelper', 'sgminer', 'shifu', 'shiz', 'sinowal', 'sisron', 'sodinokibi', 'spam', 'sphinx', 'spyeye', 'ssh-brute-force', 'ssl', 'ssl-az7', 'ssl-unknown-bot-test', 'ssl-vmzeus', 'stantinko', 'tdss', 'teleru', 'telnet-brute-force', 'tinba', 'tinba-dga', 'trickbot', 'triton', 'trojan.click3', 'trojan.fakeav', 'trojan.includer', 'trojan.win32.razy.gen', 'unknown', 'unknown-bot-test', 'valak', 'vawtrak', 'vbklip', 'verst', 'victorygate.a', 'victorygate.b', 'victorygate.c', 'virut', 'vmzeus', 'vobfus', 'volatile_cedar', 'vpnfilter_stage3', 'wannacrypt', 'wauchos', 'webminer.cdn', 'win.neurevt', 'worm.kasidet', 'worm.phorpiex', 'wowlik', 'wrokni', 'xbash', 'xmrminer', 'xpaj', 'xshellghost', 'yoddos', 'zeus', 'zeus_gameover', 'zeus_panda', 'zloader'] |
| ip-address | ip-src | Device IP address |
| name | text | Name of the device |
| status | text | Status of the device ['Infected', 'Exposed', 'Unknown', 'Clean'] |
| version | text | Version of the device / OS |

diameter-attack

Attack as seen on Diameter authentication against a GSM, UMTS or LTE network.

diameter-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| ApplicationId | text | Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation. |
| CmdCode | text | A decimal representation of the Diameter Command Code. |
| Destination-Host | text | Destination-Host. |
| Destination-Realm | text | Destination-Realm. |
| IdrFlags | text | IDR-Flags. |
| Origin-Host | text | Origin-Host. |
| Origin-Realm | text | Origin-Realm. |
| SessionId | text | Session-ID. |
| Username | text | Username (in this case, usually the IMSI). |
| category | text | Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS'] |
| first-seen | datetime | When the attack has been seen for the first time. |
| text | text | A description of the attack seen. |

dkim

DomainKeys Identified Mail - DKIM.

dkim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| d | domain | DKIM domain used for the selector record |
| dkim | dkim | DomainKeys Identified Mail - DKIM full DNS TXT record |
| h | text | DKIM hash type ['sha1', 'md5'] |
| k | text | DKIM key type ['rsa'] |
| n | text | DKIM administrator note |
| public-key | text | DKIM public key |
| s | text | DKIM service record |
| t | text | DKIM domain testing ['y', 's'] |
| version | text | DKIM version ['DKIM1'] |

dns-record

A set of DNS records observed for a specific domain.

dns-record is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| a-record | ip-dst | IPv4 address associated with A record |
| aaaa-record | ip-dst | IPv6 address associated with AAAA record |
| cname-record | domain | Domain associated with CNAME record |
| mx-record | domain | Domain associated with MX record |
| ns-record | domain | Domain associated with NS record |
| ptr-record | domain | Domain associated with PTR record |
| queried-domain | domain | Domain name |
| soa-record | domain | Domain associated with SOA record |
| spf-record | ip-dst | IP addresses associated with SPF record |
| srv-record | domain | Domain associated with SRV record |
| text | text | A description of the records |
| txt-record | text | Content associated with TXT record |

domain-crawled

A domain crawled over time.

domain-crawled is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| domain | domain | Domain name |
| text | text | A description of the tuple |
| url | url | Domain URL |

domain-ip

A domain/hostname and IP address seen as a tuple in a specific time frame.

domain-ip is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| domain | domain | Domain name |
| first-seen | datetime | First time the tuple has been seen |
| hostname | hostname | Hostname related to the IP |
| ip | ip-dst | IP address |
| last-seen | datetime | Last time the tuple has been seen |
| port | port | TCP port associated with the domain |
| registration-date | datetime | Registration date of the domain |
| text | text | A description of the tuple |

edr-report

An object template to encode an EDR detection report.

edr-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| additional-file | attachment | Additional file involved in detection |
| command | attachment | JSON file containing the output of a command run at report generation |
| comment | text | Any valuable comment about the report |
| drivers | attachment | JSON file containing metadata about drivers loaded on the system |
| endpoint-id | text | Unique identifier of the endpoint concerned by the report |
| event | attachment | Raw EDR event which triggered reporting |
| executable | attachment | Executable file involved in detection |
| hostname | text | Endpoint hostname |
| id | text | Report unique identifier |
| ip | ip-src | Endpoint IP address |
| modules | attachment | JSON file containing metadata about modules loaded on the system |
| processes | attachment | JSON file containing metadata about running processes at the time of detection |
| product | text | EDR product name |

elf

Object describing an Executable and Linkable Format file.

elf is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| arch | text | Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU'] |
| entrypoint-address | text | Address of the entry point |
| number-sections | counter | Number of sections |
| os_abi | text | Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64'] |
| text | text | Free text value to attach to the ELF |
| type | text | Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE'] |

elf-section

Object describing a section of an Executable and Linkable Format file.

elf-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| entropy | float | Entropy of the whole section |
| flag | text | Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION'] |
| md5 | md5 | [Insecure] MD5 hash (128 bits) |
| name | text | Name of the section |
| sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) |
| sha224 | sha224 | Secure Hash Algorithm 2 (224 bits) |
| sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) |
| sha384 | sha384 | Secure Hash Algorithm 2 (384 bits) |
| sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) |
| sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits) |
| sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits) |
| size-in-bytes | size-in-bytes | Size of the section, in bytes |
| ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) |
| text | text | Free text value to attach to the section |
| type | text | Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER'] |

email

Email object describing an email with meta-information.

email is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| attachment | email-attachment | Attachment |
| bcc | email-dst | Blind carbon copy |
| bcc-display-name | email-dst-display-name | Display name of the blind carbon copy |
| cc | email-dst | Carbon copy |
| cc-display-name | email-dst-display-name | Display name of the carbon copy |
| email-body | email-body | Body of the email |
| eml | attachment | Full EML |
| from | email-src | Sender email address |
| from-display-name | email-src-display-name | Display name of the sender |
| from-domain | domain | Sender domain address (when only the source domain is known) |
| header | email-header | Full headers |
| ip-src | ip-src | Source IP address of the email sender |
| message-id | email-message-id | Message ID |
| mime-boundary | email-mime-boundary | MIME boundary |
| msg | attachment | Full MSG |
| received-header-hostname | hostname | Extracted hostname from parsed headers |
| received-header-ip | ip-src | Extracted IP address from parsed headers |
| reply-to | email-reply-to | Email address the reply will be sent to |
| reply-to-display-name | email-dst-display-name | Display name of the email address the reply will be sent to |
| return-path | email-src | Message return path |
| screenshot | attachment | Screenshot of email |
| send-date | datetime | Date the email has been sent |
| subject | email-subject | Subject |
| thread-index | email-thread-index | Identifies a particular conversation thread |
| to | email-dst | Destination email address |
| to-display-name | email-dst-display-name | Display name of the receiver |
| user-agent | text | User Agent of the sender |
| x-mailer | email-x-mailer | X-Mailer generally tells the program that was used to draft and send the original email |

employee

An employee and related data points.

employee is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| business-unit | target-org | The organizational business unit associated with the employee |
| email-address | target-email | Employee email address |
| employee-type | text | Type of employee ['Mid-Level Manager', 'Senior Manager', 'Non-Manager', 'Supervisor', 'First-Line Manager', 'Director'] |
| first-name | first-name | First name of employee |
| last-name | last-name | Last name of employee |
| primary-asset | target-machine | Asset tag of the primary asset assigned to the employee |
| text | text | A description of the person or identity. |
| userid | target-user | Employee user identification |

exploit-poc

Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object often has a relationship with a vulnerability object.

exploit-poc is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| author | text | Author of the exploit / proof of concept |
| description | text | Description of the exploit / proof of concept |
| poc | attachment | Proof of concept or exploit (as a script, binary or described process) |
| references | link | External references |
| vulnerable_configuration | text | The vulnerable configuration described in CPE format where the exploit/proof of concept is valid |

facebook-account

Facebook account.

facebook-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| account-id | text | Account id. |
| account-name | text | Account name. |
| archive | link | Archive of the account (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts etc. |
| description | text | A description of the user. |
| link | link | Original link to the page (supposed harmless). |
| url | url | Original URL location of the page (potentially malicious). |
| user-avatar | attachment | A user profile picture or avatar. |

facebook-group

Public or private Facebook group.

facebook-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| administrator | text | A user account who is an owner or admin of the group. |
| archive | link | Archive of the original group (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts, group members, etc. |
| creator | text | The user account that created the group. |
| description | text | A description of the group, channel or community. |
| embedded-link | url | Link embedded in the group description (potentially malicious). |
| embedded-safe-link | link | Link embedded in the group description (supposed safe). |
| group-alias | text | Aliases or previous names of the group. |
| group-name | text | The name of the group, channel or community. |
| group-type | text | Facebook group type, e.g. general, buy and sell etc. |
| hashtag | text | Hashtag used to identify or promote the group. |
| link | link | Original link to the group (supposed harmless). |
| privacy | text | Group privacy: public, closed, secret. ['Public', 'Closed', 'Secret'] |
| url | url | Original URL location of the group (potentially malicious). |

facebook-page

Facebook page.

facebook-page is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| archive | link | Archive of the original page (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts, page members, etc. |
| contact-detail | url | Contact URL listed on the about page. |
| creator | text | The user account that created the page. |
| description | text | A description of the page. |
| embedded-link | url | Link embedded in the page description (potentially malicious). |
| embedded-safe-link | link | Link embedded in the page description (supposed safe). |
| event | text | Event announcement on the page. |
| hashtag | text | Hashtag used to identify or promote the page. |
| link | link | Original link to the page (supposed harmless). |
| page-alias | text | Aliases or previous names of the page. |
| page-id | text | Page id (without the @). |
| page-name | text | The name of the page. |
| page-type | text | Facebook page type, e.g. community, product etc. |
| related-page-id | text | Id of a page listed as related to this one (without the @). |
| related-page-name | text | Name of a page listed as related to this one. |
| team-member | text | A user account who is a member of the page. |
| url | url | Original URL location of the page (potentially malicious). |

facebook-post

Post on a Facebook wall.

facebook-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). |
| attachment | attachment | The Facebook post file or screen capture. |
| embedded-link | url | Link in the Facebook post |
| embedded-safe-link | link | Safe link in the Facebook post |
| hashtag | text | Hashtag embedded in the Facebook post |
| in-reply-to-display-name | text | The user display name of the Facebook post this post shares. |
| in-reply-to-status-id | text | The Facebook ID of the post that this post shares. |
| in-reply-to-user-id | text | The user ID of the Facebook post this post shares. |
| language | text | The language of the post. |
| link | link | Original link to the Facebook post (supposed harmless). |
| post | text | Raw text of the post. |
| post-id | text | The Facebook post id. |
| post-location | text | Id of the group, page or wall the post was posted to. |
| removal-date | datetime | When the Facebook post was removed. |
| url | url | Original URL of the Facebook post, e.g. link shortener (potentially malicious). |
| user-id | text | Id of the account who posted. |
| user-name | text | Display name of the account who posted. |
| username | text | Username who posted the Facebook post |
| username-quoted | text | Username who is quoted in the Facebook post. |

facial-composite

An object which describes a facial composite.

facial-composite is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
facial-composite | attachment | Facial composite image.
technique | text | Construction technique of the facial composite. ['E-FIT', 'PROfit', 'Sketch', 'Photofit', 'EvoFIT', 'PortraitPad']
text | text | A description of the facial composite.

fail2ban

Fail2ban event.

fail2ban is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
attack-type | text | Type of the attack.
banned-ip | ip-src | IP address banned by fail2ban.
failures | counter | Number of failures that led to the ban.
logfile | attachment | Full logfile related to the attack.
logline | text | Example log line that caused the ban.
processing-timestamp | datetime | Timestamp of the report.
sensor | text | Identifier of the sensor.
victim | text | Identifier of the victim.

favicon

A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.

favicon is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
favicon | attachment | The raw favicon file.
favicon-mmh3 | favicon-mmh3 | favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan.
link | link | The original link where the favicon was seen.
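The favicon-mmh3 attribute is only useful for correlation if every producer computes it the same way. The following is an added example (not MISP's or PyMISP's own code) that computes the value under the convention Shodan documents for favicon hashes: the raw favicon bytes are base64-encoded with a line break every 76 characters (exactly what Python's base64.encodebytes emits, trailing newline included), and that text is hashed with MurmurHash3 x86_32, seed 0, reported as a signed 32-bit integer. MurmurHash3 is implemented inline so the example runs without the mmh3 package; the sample favicon bytes and the link are constructed placeholders.

```python
"""favicon-mmh3 for the MISP favicon object (added example, not MISP code)."""
import base64

_C1 = 0xCC9E2D51
_C2 = 0x1B873593
_MASK = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK


def _mix_k1(k1: int) -> int:
    # Per-block mixing step of MurmurHash3 x86_32.
    k1 = (k1 * _C1) & _MASK
    k1 = _rotl32(k1, 15)
    return (k1 * _C2) & _MASK


def murmur3_x86_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 (Austin Appleby's reference algorithm); unsigned result."""
    h1 = seed & _MASK
    n_blocks = len(data) // 4
    for i in range(n_blocks):
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        h1 ^= _mix_k1(k1)
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK
    tail = data[4 * n_blocks:]
    if tail:
        # 1 to 3 trailing bytes, assembled little-endian as in the reference code.
        h1 ^= _mix_k1(int.from_bytes(tail, "little"))
    # Finalisation mix (fmix32).
    h1 ^= len(data)
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & _MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & _MASK
    h1 ^= h1 >> 16
    return h1


def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit value as signed, the way mmh3.hash() reports it."""
    return value - (1 << 32) if value & 0x80000000 else value


def favicon_mmh3(favicon_bytes: bytes) -> int:
    """Shodan-style favicon hash: base64 text with 76-char lines -> murmur3 (signed)."""
    encoded = base64.encodebytes(favicon_bytes)
    return to_signed32(murmur3_x86_32(encoded))


def favicon_object_attributes(favicon_bytes: bytes, link: str) -> dict:
    """Map a favicon to the attribute names of the MISP favicon object template."""
    return {
        "favicon": favicon_bytes,
        "favicon-mmh3": favicon_mmh3(favicon_bytes),
        "link": link,
    }


if __name__ == "__main__":
    # Constructed sample: an ICO-like header followed by filler, not a real favicon.
    sample = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 64
    attrs = favicon_object_attributes(sample, "https://example.com/favicon.ico")
    print(attrs["favicon-mmh3"])
```

Hashing the base64 text rather than the raw bytes is the part most often got wrong; a value computed over the raw file will never correlate with Shodan's or with other MISP instances that follow the convention.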

file

File object describing a file with meta-information.

file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
attachment | attachment | A non-malicious file.
authentihash | authentihash | Authenticode executable signature hash.
certificate | x509-fingerprint-sha1 | Certificate value if the binary is signed with another authentication scheme than Authenticode.
compilation-timestamp | datetime | Compilation timestamp.
entropy | float | Entropy of the whole file.
file-encoding | text | Encoding format of the file. ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding', 'Amiga-1251', 'ANSI_X3.110-1983', 'ASMO_449', 'Big5', 'Big5-HKSCS', 'BOCU-1', 'BRF', 'BS_4730', 'BS_viewdata', 'CESU-8', 'CP50220', 'CP51932', 'CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2', 'CSA_Z243.4-1985-gr', 'CSN_369103', 'DEC-MCS', 'DIN_66003', 'dk-us', 'DS_2089', 'EBCDIC-AT-DE', 'EBCDIC-AT-DE-A', 'EBCDIC-CA-FR', 'EBCDIC-DK-NO', 'EBCDIC-DK-NO-A', 'EBCDIC-ES', 'EBCDIC-ES-A', 'EBCDIC-ES-S', 'EBCDIC-FI-SE', 'EBCDIC-FI-SE-A', 'EBCDIC-FR', 'EBCDIC-IT', 'EBCDIC-PT', 'EBCDIC-UK', 'EBCDIC-US', 'ECMA-cyrillic', 'ES', 'ES2', 'EUC-KR', 'Extended_UNIX_Code_Fixed_Width_for_Japanese', 'Extended_UNIX_Code_Packed_Format_for_Japanese', 'GB18030', 'GB_1988-80', 'GB2312', 'GB_2312-80', 'GBK', 'GOST_19768-74', 'greek7', 'greek7-old', 'greek-ccitt', 'HP-DeskTop', 'HP-Legal', 'HP-Math8', 'HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858', 'IBM00924', 'IBM01140', 'IBM01141', 'IBM01142', 'IBM01143', 'IBM01144', 'IBM01145', 'IBM01146', 'IBM01147', 'IBM01148', 'IBM01149', 'IBM037', 'IBM038', 'IBM1026', 'IBM1047', 'IBM273', 'IBM274', 'IBM275', 'IBM277', 'IBM278', 'IBM280', 'IBM281', 'IBM284', 'IBM285', 'IBM290', 'IBM297', 'IBM420', 'IBM423', 'IBM424', 'IBM437', 'IBM500', 'IBM775', 'IBM850', 'IBM851', 'IBM852', 'IBM855', 'IBM857', 'IBM860', 'IBM861', 'IBM862', 'IBM863', 'IBM864', 'IBM865', 'IBM866', 'IBM868', 'IBM869', 'IBM870', 'IBM871', 'IBM880', 'IBM891', 'IBM903', 'IBM904', 'IBM905', 'IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1', 'INIS', 'INIS-8', 'INIS-cyrillic', 'INVARIANT', 'ISO_10367-box', 'ISO-10646-J-1', 'ISO-10646-UCS-2', 'ISO-10646-UCS-4', 'ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1', 'ISO-10646-UTF-1', 'ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT', 'ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR', 'ISO_2033-1983', 'ISO_5427', 'ISO_5427:1981', 'ISO_5428:1980', 'ISO_646.basic:1983', 'ISO_646.irv:1983', 'ISO_6937-2-25', 'ISO_6937-2-add', 'ISO-8859-10', 'ISO_8859-1:1987', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1', 'ISO_8859-2:1987', 'ISO-8859-2-Windows-Latin-2', 'ISO_8859-3:1988', 'ISO_8859-4:1988', 'ISO_8859-5:1988', 'ISO_8859-6:1987', 'ISO_8859-6-E', 'ISO_8859-6-I', 'ISO_8859-7:1987', 'ISO_8859-8:1988', 'ISO_8859-8-E', 'ISO_8859-8-I', 'ISO_8859-9:1989', 'ISO-8859-9-Windows-Latin-5', 'ISO_8859-supp', 'iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT', 'JIS_C6220-1969-jp', 'JIS_C6220-1969-ro', 'JIS_C6226-1978', 'JIS_C6226-1983', 'JIS_C6229-1984-a', 'JIS_C6229-1984-b', 'JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand', 'JIS_C6229-1984-hand-add', 'JIS_C6229-1984-kana', 'JIS_Encoding', 'JIS_X0201', 'JIS_X0212-1990', 'JUS_I.B1.002', 'JUS_I.B1.003-mac', 'JUS_I.B1.003-serb', 'KOI7-switched', 'KOI8-R', 'KOI8-U', 'KS_C_5601-1987', 'KSC5636', 'KZ-1048', 'latin-greek', 'Latin-greek-1', 'latin-lap', 'macintosh', 'Microsoft-Publishing', 'MNEM', 'MNEMONIC', 'MSZ_7795.3', 'Name', 'NATS-DANO', 'NATS-DANO-ADD', 'NATS-SEFI', 'NATS-SEFI-ADD', 'NC_NC00-10:81', 'NF_Z_62-010', 'NF_Z_62-010_(1973)', 'NS_4551-1', 'NS_4551-2', 'OSD_EBCDIC_DF03_IRV', 'OSD_EBCDIC_DF04_1', 'OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT', 'PT2', 'PTCP154', 'SCSU', 'SEN_850200_B', 'SEN_850200_C', 'Shift_JIS', 'T.101-G2', 'T.61-7bit', 'T.61-8bit', 'TIS-620', 'TSCII', 'UNICODE-1-1', 'UNICODE-1-1-UTF-7', 'UNKNOWN-8BIT', 'US-ASCII', 'us-dk', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UTF-7', 'UTF-8', 'Ventura-International', 'Ventura-Math', 'Ventura-US', 'videotex-suppl', 'VIQR', 'VISCII', 'windows-1250', 'windows-1251', 'windows-1252', 'windows-1253', 'windows-1254', 'windows-1255', 'windows-1256', 'windows-1257', 'windows-1258', 'Windows-31J', 'windows-874']
filename | filename | Filename on disk.
fullpath | text | Complete path of the filename, including the filename.
imphash | imphash | Hash (md5) calculated from the PE import table.
malware-sample | malware-sample | The file itself (binary).
md5 | md5 | [Insecure] MD5 hash (128 bits).
mimetype | mime-type | Mime type.
path | text | Path of the filename, complete or partial.
pattern-in-file | pattern-in-file | Pattern that can be found in the file.
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits).
sha224 | sha224 | Secure Hash Algorithm 2 (224 bits).
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits).
sha3-224 | sha3-224 | Secure Hash Algorithm 3 (224 bits).
sha3-256 | sha3-256 | Secure Hash Algorithm 3 (256 bits).
sha3-384 | sha3-384 | Secure Hash Algorithm 3 (384 bits).
sha3-512 | sha3-512 | Secure Hash Algorithm 3 (512 bits).
sha384 | sha384 | Secure Hash Algorithm 2 (384 bits).
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits).
sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits).
sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits).
size-in-bytes | size-in-bytes | Size of the file, in bytes.
ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH).
state | text | State of the file. ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
telfhash | telfhash | telfhash - Symbol hash for ELF files.
text | text | Free text value to attach to the file.
tlsh | tlsh | Fuzzy hash by Trend Micro: Locality Sensitive Hash.
vhash | vhash | vhash by VirusTotal.

forensic-case

An object template to describe a digital forensic case.

forensic-case is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
additional-comments | text | Comments.
analysis-start-date | datetime | Date when the analysis began.
case-name | text | Name to address the case.
case-number | text | Any unique number assigned to the case for unique identification.
name-of-the-analyst | text | Name(s) of the analyst assigned to the case.
references | link | External references.

forensic-evidence

An object template to describe a piece of digital forensic evidence.

forensic-evidence is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
acquisition-method | text | Method used for acquisition of the evidence. ['Live acquisition', 'Dead/Offline acquisition', 'Physical collection', 'Logical collection', 'File system extraction', 'Chip-off', 'Other']
acquisition-tools | text | Tools used for acquisition of the evidence. ['dd', 'dc3dd', 'dcfldd', 'EnCase', 'FTK Imager', 'FDAS', 'TrueBack', 'Guymager', 'IXimager', 'Other']
additional-comments | text | Comments.
case-number | text | A unique number assigned to the case for unique identification.
evidence-number | text | A unique number assigned to the evidence for unique identification.
name | text | Name of the evidence acquired.
references | link | External references.
type | text | Evidence type. ['Computer', 'Network', 'Mobile Device', 'Multimedia', 'Cloud', 'IoT', 'Other']
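Going back to the file object template listed above: most of its hash, size and entropy attributes can be derived from the bytes alone. The following is an added example (not MISP's or PyMISP's own code) that fills those attributes with the Python standard library, using the template's own attribute names as keys. The fuzzy and structural hashes (ssdeep, tlsh, imphash, telfhash, vhash) need external tooling and are deliberately left out; the sample file content, filename and the packing threshold of 7.2 bits per byte are constructed assumptions.

```python
"""Derive hash, size and entropy attributes of the MISP `file` object (added example)."""
import hashlib
import math

# MISP attribute name -> hashlib algorithm name. The template spells the
# truncated SHA-512 variants 'sha512/224' and 'sha512/256'; hashlib uses '_'.
_HASH_ATTRIBUTES = {
    "md5": "md5",
    "sha1": "sha1",
    "sha224": "sha224",
    "sha256": "sha256",
    "sha384": "sha384",
    "sha512": "sha512",
    "sha512/224": "sha512_224",
    "sha512/256": "sha512_256",
    "sha3-224": "sha3_224",
    "sha3-256": "sha3_256",
    "sha3-384": "sha3_384",
    "sha3-512": "sha3_512",
}

# Constructed threshold (assumption): entropy this high over a whole file is a
# common hint for packed or encrypted content and worth an analyst's attention.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def file_object_attributes(data: bytes, filename: str) -> dict:
    """Return the byte-derived attributes of the `file` template as a flat dict."""
    attrs = {
        "filename": filename,
        "size-in-bytes": len(data),
        "entropy": round(shannon_entropy(data), 4),
    }
    for attr, algo in _HASH_ATTRIBUTES.items():
        try:
            attrs[attr] = hashlib.new(algo, data).hexdigest()
        except ValueError:
            # sha512/224 and sha512/256 depend on the OpenSSL build; skip if absent.
            continue
    return attrs


def looks_packed(attrs: dict) -> bool:
    """Flag files whose whole-file entropy exceeds the constructed threshold."""
    return attrs["entropy"] >= PACKED_ENTROPY_THRESHOLD


if __name__ == "__main__":
    # Constructed sample content; not a real malware sample.
    sample = b"MZ" + bytes(range(256)) * 4 + b"\x00" * 128
    result = file_object_attributes(sample, "sample.bin")
    for key in ("filename", "size-in-bytes", "entropy", "md5", "sha256"):
        print(f"{key}: {result[key]}")
    print("high entropy:", looks_packed(result))
```

The dict mirrors the template one attribute per key, so it drops straight into whatever object-building code you already use; keeping md5 and sha1 alongside sha256 matters for correlation even though the template marks them insecure, because many feeds still key on them.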

forged-document

Object describing a forged document.

forged-document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
archive | link | Archive of the original document (Internet Archive, Archive.is, etc).
attachment | attachment | The forged document file.
document-name | text | Title of the document.
document-text | text | Raw text of the document.
document-type | text | The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'blog', 'microblog', 'photo', 'audio', 'invoice', 'receipt', 'other']
first-seen | datetime | When the document has been accessible or seen for the first time.
last-seen | datetime | When the document has been accessible or seen for the last time.
link | link | Original link to the document (supposed harmless).
objective | text | Objective of the forged document. ['Disinformation', 'Advertising', 'Parody', 'Other']
purpose-of-document | text | What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other']
url | url | Original URL location of the document (potentially malicious).

ftm-Airplane

ftm-Airplane is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
buildDate | text | Build Date
country | text | Country
currency | text | Currency
description | text | Description
icaoCode | text | ICAO aircraft type designator
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
manufacturer | text | Manufacturer
model | text | Model
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationDate | text | Registration Date
registrationNumber | text | Registration Number
retrievedAt | text | Retrieved on
serialNumber | text | Serial Number
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
type | text | Type
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Assessment

ftm-Assessment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
assessmentId | text | Assessment ID
country | text | Country
description | text | Description
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publishDate | text | Date of publishing
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Asset

ftm-Asset is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
country | text | Country
currency | text | Currency
description | text | Description
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Associate

Non-family association between two people.

ftm-Associate is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
relationship | text | Nature of the association
retrievedAt | text | Retrieved on
sourceUrl | url | Source URL
startDate | text | Start date
summary | text | Summary

ftm-Audio

ftm-Audio is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
duration | float | Duration of the audio in ms
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
samplingRate | float | Sampling rate of the audio in Hz
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-BankAccount

ftm-BankAccount is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
accountNumber | text | Account Number
accountType | text | Account Type
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
balance | float | Balance
bankAddress | text | Bank Address
bankName | text | Bank Name
bic | text | Bank Identifier Code
country | text | Country
currency | text | Currency
description | text | Description
iban | iban | IBAN
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Call

ftm-Call is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
callerNumber | phone-number | Caller’s Number
date | text | Date
description | text | Description
duration | float | Call Duration in seconds
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
receiverNumber | phone-number | Receiver’s Number
recordId | text | Record ID
retrievedAt | text | Retrieved on
sourceUrl | url | Source URL
startDate | text | Start date
summary | text | Summary

ftm-Company

ftm-Company is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
bikCode | text | Russian bank account code
bvdId | text | Bureau van Dijk ID
caemCode | text | (RO) What kind of activity a legal entity is allowed to develop
capital | text | Capital
cikCode | text | US SEC Central Index Key
classification | text | Classification
coatoCode | text | COATO / SOATO / OKATO
country | text | Country
currency | text | Currency
description | text | Description
dissolutionDate | text | The date the legal entity was dissolved, if applicable
dunsCode | text | Dun & Bradstreet identifier
email | email-src | Email address
fnsCode | text | (RU, ФНС) Federal Tax Service related info
fssCode | text | (RU, ФСС) Social Security
ibcRuc | text | ibcRUC
icijId | text | ID according to the International Consortium for Investigative Journalists
idNumber | text | ID number of any applicable ID
incorporationDate | text | The date the legal entity was incorporated
indexText | text | Index text
indexUpdatedAt | text | Index updated at
innCode | text | Russian company ID
ipoCode | text | IPO
irsCode | text | US tax ID
jibCode | text | Yugoslavia company ID
jurisdiction | text | Jurisdiction
keywords | text | Keywords
kppCode | text | (RU, КПП) in addition to INN for orgs; reason for registration at FNS
legalForm | text | Legal form
mainCountry | text | Primary country of this entity
mbsCode | text | MBS
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
ogrnCode | text | Major State Registration Number
okopfCode | text | (RU, ОКОПФ) What kind of business entity
okpoCode | text | Russian industry classifier
oksmCode | text | Russian (ОКСМ) countries classifier
okvedCode | text | (RU, ОКВЭД) Economic activity classifier. OKVED2 is the same but newer
opencorporatesUrl | url | OpenCorporates URL
pfrNumber | text | (RU, ПФР) Pension Fund Registration number. AAA-BBB-CCCCCC, where AAA is the organisation region, BBB is the district and CCCCCC the number at a specific branch
phone | phone-number | Phone number
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationNumber | text | Registration number
retrievedAt | text | Retrieved on
sector | text | Sector
sourceUrl | url | Source link
status | text | Status
summary | text | Summary
swiftBic | text | Bank identifier code
taxNumber | text | Tax identification number
taxStatus | text | Tax status
topics | text | Topics
vatCode | text | (EU) VAT number
voenCode | text | Azerbaijan taxpayer ID
weakAlias | text | Weak alias
website | url | Website address
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Contract

A contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).

ftm-Contract is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
cancelled | text | Cancelled?
classification | text | Classification
contractDate | text | Contract date
country | text | Country
criteria | text | Contract award criteria
currency | text | Currency
description | text | Description
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
language | text | Language
method | text | Procurement method
modifiedAt | text | Modified on
name | text | Contract name
notes | text | Notes
noticeId | text | Contract Award Notice ID
numberAwards | text | Number of awards
previousName | text | Previous name
procedure | text | Contract procedure
procedureNumber | text | Procedure number
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
status | text | Procurement status
summary | text | Summary
title | text | Contract title
topics | text | Topics
type | text | Type of contract. Potentially W (Works), U (Supplies), S (Services).
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-ContractAward

A contract or contract lot as awarded to a supplier.

ftm-ContractAward is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
amended | text | Was this award amended, modified or updated by a subsequent document?
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
cpvCode | text | Contract Procurement Vocabulary (what type of goods/services, EU)
currency | text | Currency
date | text | Date
decisionReason | text | Decision reason
description | text | Description
documentNumber | text | Document number
documentType | text | Document type
endDate | text | End date
indexText | text | Index text
lotNumber | text | Lot number
modifiedAt | text | Modified on
nutsCode | text | Nomenclature of Territorial Units for Statistics (NUTS)
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-CourtCase

ftm-CourtCase is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
caseNumber | text | Case number
category | text | Category
closeDate | text | Close date
country | text | Country
court | text | Court
description | text | Description
fileDate | text | File date
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
status | text | Status
summary | text | Summary
topics | text | Topics
type | text | Type
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-CourtCaseParty

ftm-CourtCaseParty is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-Debt

A monetary debt between two parties.

ftm-Debt is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
currency | text | Currency
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
sourceUrl | url | Source URL
startDate | text | Start date
summary | text | Summary

ftm-Directorship

ftm-Directorship is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
secretary | text | Secretary
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-Document

ftm-Document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Documentation

ftm-Documentation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| indexText | text | Index text | | |
| modifiedAt | text | Modified on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| role | text | Role | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| status | text | Status | | |
| summary | text | Summary | | |

ftm-EconomicActivity

A foreign economic activity.

ftm-EconomicActivity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| ccdNumber | text | Customs Cargo Declaration Number | | |
| ccdValue | text | Declaration Value | | |
| customsAmount | text | Customs Value of goods | | |
| customsProcedure | text | Customs Procedure — type of customs clearance | | |
| date | text | Date | | |
| departureCountry | text | Country out of which the goods are transported | | |
| description | text | Description | | |
| destinationCountry | text | Final destination for the goods | | |
| directionOfTransportation | text | Direction of transportation (import/export) | | |
| dollarExchRate | text | USD Exchange Rate for the activity | | |
| endDate | text | End date | | |
| goodsDescription | text | Description of goods | | |
| indexText | text | Index text | | |
| invoiceAmount | text | Invoice Value of goods | | |
| modifiedAt | text | Modified on | | |
| originCountry | text | Country of origin of goods | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| summary | text | Summary | | |
| tradingCountry | text | Trading Country of the company which transports the goods via Russian border | | |
| vedCode | text | (Код ТН ВЭД) Foreign Economic Activity Commodity Code | | |
| vedCodeDescription | text | (Описание кода ТН ВЭД) Foreign Economic Activity Commodity Code description | | |

ftm-Email

ftm-Email is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| bcc | text | Blind carbon copy | | |
| bodyHtml | text | HTML | | |
| bodyText | text | Text | | |
| cc | text | Carbon copy | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| from | text | From | | |
| generator | text | The program used to generate this file | | |
| headers | text | Raw headers | | |
| ibanMentioned | iban | Detected IBANs | | |
| inReplyTo | text | Message ID of the preceding email in the thread | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sender | text | Sender | | |
| sourceUrl | url | Source link | | |
| subject | text | Subject | | |
| summary | text | Summary | | |
| threadTopic | text | Thread topic | | |
| title | text | Title | | |
| to | text | To | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Event

ftm-Event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| companiesMentioned | text | Detected companies | | |
| country | text | Country | | |
| date | text | Date | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| endDate | text | End date | | |
| ibanMentioned | iban | Detected IBANs | | |
| important | text | Important | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| location | text | Location | | |
| locationMentioned | text | Detected locations | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| program | text | Program | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| startDate | text | Start date | | |
| summary | text | Summary | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Family

Family relationship between two people.

ftm-Family is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| indexText | text | Index text | | |
| modifiedAt | text | Modified on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| relationship | text | Nature of the relationship, from the person's perspective, e.g. 'mother', where 'relative' is mother of 'person'. | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| summary | text | Summary | | |

ftm-Folder

ftm-Folder is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-HyperText

ftm-HyperText is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| bodyHtml | text | HTML | | |
| bodyText | text | Text | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Image

ftm-Image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| bodyText | text | Text | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Land

ftm-Land is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| amount | float | Amount | | |
| amountEur | float | Amount in EUR | | |
| amountUsd | float | Amount in USD | | |
| area | float | Area | | |
| cadastralCode | text | Cadastral code | | |
| censusBlock | text | Census block | | |
| country | text | Country | | |
| createDate | text | Record date | | |
| currency | text | Currency | | |
| description | text | Description | | |
| encumbrance | text | An encumbrance is a right to, interest in, or legal liability on real property that does not prohibit passing title to the property but that diminishes its value. | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| keywords | text | Keywords | | |
| landType | text | Land type | | |
| latitude | float | Latitude | | |
| longitude | float | Longitude | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| notes | text | Notes | | |
| previousName | text | Previous name | | |
| program | text | Program | | |
| propertyType | text | Property type | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| registrationNumber | text | Registration number | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| tenure | text | Tenure | | |
| titleNumber | text | Title number | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-LegalEntity

A legal entity may be a person or a company.

ftm-LegalEntity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| bvdId | text | Bureau van Dijk ID | | |
| classification | text | Classification | | |
| country | text | Country | | |
| description | text | Description | | |
| dissolutionDate | text | The date the legal entity was dissolved, if applicable | | |
| dunsCode | text | Dun & Bradstreet identifier | | |
| email | email-src | Email address | | |
| icijId | text | ID according to International Consortium for Investigative Journalists | | |
| idNumber | text | ID number of any applicable ID | | |
| incorporationDate | text | The date the legal entity was incorporated | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| innCode | text | Russian company ID | | |
| jurisdiction | text | Country or region in which this entity operates | | |
| keywords | text | Keywords | | |
| legalForm | text | Legal form | | |
| mainCountry | text | Primary country of this entity | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| notes | text | Notes | | |
| okpoCode | text | Russian industry classifier | | |
| opencorporatesUrl | url | OpenCorporates URL | | |
| phone | phone-number | Phone number | | |
| previousName | text | Previous name | | |
| program | text | Program | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| registrationNumber | text | Company registration number | | |
| retrievedAt | text | Retrieved on | | |
| sector | text | Sector | | |
| sourceUrl | url | Source link | | |
| status | text | Status | | |
| summary | text | Summary | | |
| swiftBic | text | Bank identifier code | | |
| taxNumber | text | Tax identification number | | |
| taxStatus | text | Tax status | | |
| topics | text | Topics | | |
| vatCode | text | (EU) VAT number | | |
| weakAlias | text | Weak alias | | |
| website | url | Website address | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-License

A grant of land, rights or property. A type of Contract.

ftm-License is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| amount | float | Amount | | |
| amountEur | float | Amount in EUR | | |
| amountUsd | float | Amount in USD | | |
| area | text | Area | | |
| cancelled | text | Cancelled? | | |
| classification | text | Classification | | |
| commodities | text | Commodities | | |
| contractDate | text | Contract date | | |
| country | text | Country | | |
| criteria | text | Contract award criteria | | |
| currency | text | Currency | | |
| description | text | Description | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| method | text | Procurement method | | |
| modifiedAt | text | Modified on | | |
| name | text | Contract name | | |
| notes | text | Notes | | |
| noticeId | text | Contract Award Notice ID | | |
| numberAwards | text | Number of awards | | |
| previousName | text | Previous name | | |
| procedure | text | Contract procedure | | |
| procedureNumber | text | Procedure number | | |
| program | text | Program | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| reviewDate | text | License review date | | |
| sourceUrl | url | Source link | | |
| status | text | Procurement status | | |
| summary | text | Summary | | |
| title | text | Contract title | | |
| topics | text | Topics | | |
| type | text | Type of contract. Potentially W (Works), U (Supplies), S (Services). | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Membership

ftm-Membership is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| indexText | text | Index text | | |
| modifiedAt | text | Modified on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| role | text | Role | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| status | text | Status | | |
| summary | text | Summary | | |

ftm-Message

ftm-Message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| bodyHtml | text | HTML | | |
| bodyText | text | Text | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| endDate | text | End date | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| inReplyTo | text | Message ID of the preceding message in the thread | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| metadata | text | Metadata | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| startDate | text | Start date | | |
| subject | text | Subject | | |
| summary | text | Summary | | |
| threadTopic | text | Thread topic | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Organization

ftm-Organization is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| bvdId | text | Bureau van Dijk ID | | |
| classification | text | Classification | | |
| country | text | Country | | |
| description | text | Description | | |
| dissolutionDate | text | The date the legal entity was dissolved, if applicable | | |
| dunsCode | text | Dun & Bradstreet identifier | | |
| email | email-src | Email address | | |
| icijId | text | ID according to International Consortium for Investigative Journalists | | |
| idNumber | text | ID number of any applicable ID | | |
| incorporationDate | text | The date the legal entity was incorporated | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| innCode | text | Russian company ID | | |
| jurisdiction | text | Country or region in which this entity operates | | |
| keywords | text | Keywords | | |
| legalForm | text | Legal form | | |
| mainCountry | text | Primary country of this entity | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| notes | text | Notes | | |
| okpoCode | text | Russian industry classifier | | |
| opencorporatesUrl | url | OpenCorporates URL | | |
| phone | phone-number | Phone number | | |
| previousName | text | Previous name | | |
| program | text | Program | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| registrationNumber | text | Company registration number | | |
| retrievedAt | text | Retrieved on | | |
| sector | text | Sector | | |
| sourceUrl | url | Source link | | |
| status | text | Status | | |
| summary | text | Summary | | |
| swiftBic | text | Bank identifier code | | |
| taxNumber | text | Tax identification number | | |
| taxStatus | text | Tax status | | |
| topics | text | Topics | | |
| vatCode | text | (EU) VAT number | | |
| weakAlias | text | Weak alias | | |
| website | url | Website address | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Ownership

ftm-Ownership is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| indexText | text | Index text | | |
| legalBasis | text | Legal basis | | |
| modifiedAt | text | Modified on | | |
| ownershipType | text | Type of ownership | | |
| percentage | text | Percentage held | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| role | text | Role | | |
| sharesCount | text | Number of shares | | |
| sharesCurrency | text | Currency of shares | | |
| sharesType | text | Type of shares | | |
| sharesValue | text | Value of shares | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| status | text | Status | | |
| summary | text | Summary | | |

ftm-Package

ftm-Package is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Page

ftm-Page is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| bodyText | text | Text | | |
| detectedLanguage | text | Auto-detected language | | |
| index | float | Index | | |
| indexText | text | Index text | | |

ftm-Pages

ftm-Pages is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Address | | |
| alephUrl | url | Aleph URL | | |
| alias | text | Other name | | |
| author | text | The original author, not the uploader | | |
| authoredAt | text | Authored on | | |
| companiesMentioned | text | Detected companies | | |
| contentHash | sha1 | SHA1 hash of the data | | |
| country | text | Country | | |
| crawler | text | The crawler used to acquire this file | | |
| date | text | If not otherwise specified | | |
| description | text | Description | | |
| detectedCountry | text | Detected country | | |
| detectedLanguage | text | Detected language | | |
| emailMentioned | email-src | Detected e-mail addresses | | |
| encoding | text | File encoding | | |
| extension | text | File extension | | |
| fileName | text | File name | | |
| fileSize | float | File size | | |
| generator | text | The program used to generate this file | | |
| ibanMentioned | iban | Detected IBANs | | |
| indexText | text | Index text | | |
| indexUpdatedAt | text | Index updated at | | |
| ipMentioned | ip-src | Detected IP addresses | | |
| keywords | text | Keywords | | |
| language | text | Language | | |
| locationMentioned | text | Detected locations | | |
| messageId | text | Message ID of a document; unique in most cases | | |
| mimeType | mime-type | MIME type | | |
| modifiedAt | text | Modified on | | |
| name | text | Name | | |
| namesMentioned | text | Detected names | | |
| notes | text | Notes | | |
| pdfHash | sha1 | PDF alternative version checksum | | |
| peopleMentioned | text | Detected people | | |
| phoneMentioned | phone-number | Detected phones | | |
| previousName | text | Previous name | | |
| processingError | text | Processing error | | |
| processingStatus | text | Processing status | | |
| program | text | Program | | |
| publishedAt | text | Published on | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source link | | |
| summary | text | Summary | | |
| title | text | Title | | |
| topics | text | Topics | | |
| weakAlias | text | Weak alias | | |
| wikidataId | text | Wikidata ID | | |
| wikipediaUrl | url | Wikipedia Article | | |

ftm-Passport

Passport.

ftm-Passport is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| authority | text | Authority | | |
| birthDate | text | Date of birth | | |
| birthPlace | text | Place of birth | | |
| country | text | Country | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| gender | text | Gender | | |
| givenName | text | Given name | | |
| indexText | text | Index text | | |
| modifiedAt | text | Modified on | | |
| passportNumber | text | Passport number | | |
| personalNumber | text | Personal number | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| summary | text | Summary | | |
| surname | text | Surname | | |
| type | text | Document type | | |

ftm-Payment

A monetary payment between two parties.

ftm-Payment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| alephUrl | url | Aleph URL | | |
| amount | float | Amount | | |
| amountEur | float | Amount in EUR | | |
| amountUsd | float | Amount in USD | | |
| currency | text | Currency | | |
| date | text | Date | | |
| description | text | Description | | |
| endDate | text | End date | | |
| indexText | text | Index text | | |
| modifiedAt | text | Modified on | | |
| programme | text | Programme name, funding code, category identifier, etc. | | |
| publisher | text | Publishing source | | |
| publisherUrl | url | Publishing source URL | | |
| purpose | text | Payment purpose | | |
| recordId | text | Record ID | | |
| retrievedAt | text | Retrieved on | | |
| sequenceNumber | text | Sequence number | | |
| sourceUrl | url | Source URL | | |
| startDate | text | Start date | | |
| summary | text | Summary | | |
| transactionNumber | text | Transaction number | | |

ftm-Person

An individual.

ftm-Person is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
birthDate | text | Birth date
birthPlace | text | Place of birth
bvdId | text | Bureau van Dijk ID
classification | text | Classification
country | text | Country
deathDate | text | Death date
description | text | Description
dissolutionDate | text | The date the legal entity was dissolved, if applicable
dunsCode | text | Dun & Bradstreet identifier
email | email-src | Email address
fatherName | text | Patronymic
firstName | text | First name
gender | text | Gender
icijId | text | ID according to the International Consortium of Investigative Journalists
idNumber | text | ID number of any applicable ID
incorporationDate | text | The date the legal entity was incorporated
indexText | text | Index text
indexUpdatedAt | text | Index updated at
innCode | text | Russian company ID
jurisdiction | text | Country or region in which this entity operates
keywords | text | Keywords
lastName | text | Last name
legalForm | text | Legal form
mainCountry | text | Primary country of this entity
middleName | text | Middle name
modifiedAt | text | Modified on
motherName | text | Matronymic
name | text | Name
nationality | text | Nationality
notes | text | Notes
okpoCode | text | Russian industry classifier
opencorporatesUrl | url | OpenCorporates URL
passportNumber | text | Passport
phone | phone-number | Phone number
position | text | Position
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationNumber | text | Company registration number
retrievedAt | text | Retrieved on
secondName | text | Second name
sector | text | Sector
sourceUrl | url | Source link
status | text | Status
summary | text | Summary
swiftBic | text | Bank identifier code
taxNumber | text | Tax identification number
taxStatus | text | Tax status
title | text | Title
topics | text | Topics
vatCode | text | (EU) VAT number
weakAlias | text | Weak alias
website | url | Website address
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-PlainText

ftm-PlainText is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
bodyText | text | Text
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-PublicBody

A public body, such as a ministry, department or state company.

ftm-PublicBody is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
bvdId | text | Bureau van Dijk ID
classification | text | Classification
country | text | Country
description | text | Description
dissolutionDate | text | The date the legal entity was dissolved, if applicable
dunsCode | text | Dun & Bradstreet identifier
email | email-src | Email address
icijId | text | ID according to the International Consortium of Investigative Journalists
idNumber | text | ID number of any applicable ID
incorporationDate | text | The date the legal entity was incorporated
indexText | text | Index text
indexUpdatedAt | text | Index updated at
innCode | text | Russian company ID
jurisdiction | text | Country or region in which this entity operates
keywords | text | Keywords
legalForm | text | Legal form
mainCountry | text | Primary country of this entity
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
okpoCode | text | Russian industry classifier
opencorporatesUrl | url | OpenCorporates URL
phone | phone-number | Phone number
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationNumber | text | Company registration number
retrievedAt | text | Retrieved on
sector | text | Sector
sourceUrl | url | Source link
status | text | Status
summary | text | Summary
swiftBic | text | Bank identifier code
taxNumber | text | Tax identification number
taxStatus | text | Tax status
topics | text | Topics
vatCode | text | (EU) VAT number
weakAlias | text | Weak alias
website | url | Website address
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-RealEstate

A piece of land or property.

ftm-RealEstate is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
area | float | Area
cadastralCode | text | Cadastral code
censusBlock | text | Census block
country | text | Country
createDate | text | Record date
currency | text | Currency
description | text | Description
encumbrance | text | An encumbrance is a right to, interest in, or legal liability on real property that does not prohibit passing title to the property but that diminishes its value.
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
landType | text | Land type
latitude | float | Latitude
longitude | float | Longitude
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
propertyType | text | Property type
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationNumber | text | Registration number
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
tenure | text | Tenure
titleNumber | text | Title number
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Representation

A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.

ftm-Representation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-Row

ftm-Row is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
cells | text | Cells
index | float | Index
indexText | text | Index text

ftm-Sanction

A sanction designation.

ftm-Sanction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
authority | text | Authority
country | text | Country
date | text | Date
description | text | Description
duration | text | Duration
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
reason | text | Reason
recordId | text | Record ID
retrievedAt | text | Retrieved on
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-Succession

Two entities that legally succeed each other.

ftm-Succession is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-Table

ftm-Table is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
columns | text | Column headings
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
csvHash | sha1 | CSV alternative version checksum
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
rowCount | float | Number of rows
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-TaxRoll

A tax declaration of an individual.

ftm-TaxRoll is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
birthDate | text | Date of birth
country | text | Country
date | text | Date
description | text | Description
endDate | text | End date
givenName | text | Given name
income | text | Registered income
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
sourceUrl | url | Source URL
startDate | text | Start date
summary | text | Summary
surname | text | Surname
taxPaid | text | Amount of tax paid
wealth | text | Registered wealth

ftm-UnknownLink

ftm-UnknownLink is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
alephUrl | url | Aleph URL
date | text | Date
description | text | Description
endDate | text | End date
indexText | text | Index text
modifiedAt | text | Modified on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
recordId | text | Record ID
retrievedAt | text | Retrieved on
role | text | Role
sourceUrl | url | Source URL
startDate | text | Start date
status | text | Status
summary | text | Summary

ftm-UserAccount

ftm-UserAccount is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
country | text | Country
description | text | Description
email | email-src | E-mail
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
number | phone-number | Phone number
password | text | Password
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
service | text | Service
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
username | text | Username
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Vehicle

ftm-Vehicle is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
buildDate | text | Build date
country | text | Country
currency | text | Currency
description | text | Description
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
model | text | Model
modifiedAt | text | Modified on
name | text | Name
notes | text | Notes
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationDate | text | Registration date
registrationNumber | text | Registration number
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
topics | text | Topics
type | text | Type
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Vessel

A boat or ship.

ftm-Vessel is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
amount | float | Amount
amountEur | float | Amount in EUR
amountUsd | float | Amount in USD
buildDate | text | Build date
callSign | text | Call sign
country | text | Country
crsNumber | text | CRS number
currency | text | Currency
description | text | Description
flag | text | Flag
grossRegisteredTonnage | float | Gross registered tonnage
imoNumber | text | IMO number
indexText | text | Index text
indexUpdatedAt | text | Index updated at
keywords | text | Keywords
mmsi | text | MMSI
model | text | Model
modifiedAt | text | Modified on
name | text | Name
nameChangeDate | text | Date of name change
navigationArea | text | Navigation area
notes | text | Notes
pastFlags | text | Past flags
pastNames | text | Past names
pastTypes | text | Past types
previousName | text | Previous name
program | text | Program
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
registrationDate | text | Registration date
registrationNumber | text | Registration number
registrationPort | text | Port of registration
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
tonnage | text | Tonnage
topics | text | Topics
type | text | Type
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Video

ftm-Video is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
duration | float | Duration of the video in ms
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

ftm-Workbook

ftm-Workbook is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Address
alephUrl | url | Aleph URL
alias | text | Other name
author | text | The original author, not the uploader
authoredAt | text | Authored on
companiesMentioned | text | Detected companies
contentHash | sha1 | SHA1 hash of the data
country | text | Country
crawler | text | The crawler used to acquire this file
date | text | If not otherwise specified
description | text | Description
detectedCountry | text | Detected country
detectedLanguage | text | Detected language
emailMentioned | email-src | Detected e-mail addresses
encoding | text | File encoding
extension | text | File extension
fileName | text | File name
fileSize | float | File size
generator | text | The program used to generate this file
ibanMentioned | iban | Detected IBANs
indexText | text | Index text
indexUpdatedAt | text | Index updated at
ipMentioned | ip-src | Detected IP addresses
keywords | text | Keywords
language | text | Language
locationMentioned | text | Detected locations
messageId | text | Message ID of a document; unique in most cases
mimeType | mime-type | MIME type
modifiedAt | text | Modified on
name | text | Name
namesMentioned | text | Detected names
notes | text | Notes
peopleMentioned | text | Detected people
phoneMentioned | phone-number | Detected phones
previousName | text | Previous name
processingError | text | Processing error
processingStatus | text | Processing status
program | text | Program
publishedAt | text | Published on
publisher | text | Publishing source
publisherUrl | url | Publishing source URL
retrievedAt | text | Retrieved on
sourceUrl | url | Source link
summary | text | Summary
title | text | Title
topics | text | Topics
weakAlias | text | Weak alias
wikidataId | text | Wikidata ID
wikipediaUrl | url | Wikipedia Article

geolocation

An object to describe a geographic location.

geolocation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
accuracy-radius | float | The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object (based on the GeoIP2 accuracy radius of MaxMind).
address | text | Address.
altitude | float | The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
city | text | City.
country | text | Country.
countrycode | text | Country code in ISO 3166-1 alpha-2.
epsg | text | EPSG Geodetic Parameter value. This is an integer value of the EPSG.
first-seen | datetime | When the location was seen for the first time.
last-seen | datetime | When the location was seen for the last time.
latitude | float | The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
longitude | float | The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference.
neighborhood | text | Neighborhood.
region | text | Region.
spacial-reference | text | Default spatial or projection reference for this object. ['WGS84 EPSG:4326', 'Mercator EPSG:3857']
text | text | A generic description of the location.
zipcode | text | Zip code.

git-vuln-finder

Export from git-vuln-finder.

git-vuln-finder is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
author | text | Commit author
author-email | email-src | Commit author's email
authored_date | datetime | Date the commit was originally made
branches | text | Branches the commit is on
commit-id | git-commit-id | Commit ID where the vulnerability is fixed.
committed_date | datetime | Date the commit was last modified
cve | vulnerability | CVE associated with the vulnerability
language | text | Language of the commit (ISO 639-1 codes)
message | text | Commit message
origin | text | Origin of the repository
origin-github-api | url | Full path to the commit on GitHub
pattern-matches | text | Pattern matches for the vulnerability
pattern-selected | text | Pattern used to find the vulnerability
state | text | State of the vulnerability ['under-review', 'cve-assigned']
stats.deletions | counter | Number of deletions in the commit
stats.files | counter | Number of files changed in the commit
stats.insertions | counter | Number of insertions in the commit
stats.lines | counter | Number of line changes in the commit
summary | text | Commit summary
tags | text | User-defined tags

github-user

GitHub user.

github-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
avatar_url | link | Avatar URL
bio | text | Biography of the GitHub user.
blog | text | Blog, often used as the website field of the user
company | text | Company
follower | github-username | GitHub users the GitHub user is followed by.
following | github-username | GitHub users followed by the GitHub user.
link | link | Original link to the GitHub account.
location | text | Location given by the GitHub user
node_id | text | GitHub GraphQL node_id
organisation | github-organisation | Organisation affiliation of the GitHub user (it can be multiple).
profile-image | attachment | Profile image of the GitHub user (it can be multiple).
public_gists | text |
public_repos | text |
repository | github-repository | GitHub repository under the GitHub user.
ssh-public-key | text | SSH public key associated with the GitHub user.
twitter_username | text | Associated Twitter account
user-fullname | text | Full name of the GitHub user.
username | github-username | GitHub username.
verified | text | User verified. ['True', 'False']

gitlab-user

GitLab user, on gitlab.com or a self-hosted GitLab instance.

gitlab-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
avatar_url | link | Avatar URL of the GitLab user
id | text | GitLab user id
name | text | Complete name of the GitLab user
state | text | State of the GitLab user ['active', 'inactive', 'blocked']
username | text | Username of the GitLab user
web_url | link | Profile URL of the GitLab user

gtp-attack

GTP attack object as seen on a GSM, UMTS or LTE network.

gtp-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
GtpImei | text | GTP IMEI (International Mobile Equipment Identity).
GtpImsi | text | GTP IMSI (International Mobile Subscriber Identity).
GtpInterface | text | GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
GtpMessageType | text | GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
GtpMsisdn | text | GTP MSISDN.
GtpServingNetwork | text | GTP Serving Network.
GtpVersion | text | GTP version ['0', '1', '2']
PortDest | text | Destination port.
PortSrc | port | Source port.
first-seen | datetime | When the attack has been seen for the first time.
ipDest | ip-dst | IP destination address.
ipSrc | ip-src | IP source address.
text | text | A description of the GTP attack.

hashlookup

hashlookup object as described on the hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.

hashlookup is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
FileName | filename | Complete path of the file, including the filename
FileSize | size-in-bytes | Size of the file, in bytes
KnownMalicious | text | Source of the hashlookup record if it's a known malicious file
MD5 | md5 | MD5 hash (128 bits) in hex representation
PackageArch | text | Package architecture
PackageDescription | text | Package description and information
PackageMaintainer | text | Package maintainer(s)
PackageName | text | Package name
PackageRelease | text | Package release
PackageVersion | text | Package version
SHA-1 | sha1 | Secure Hash Algorithm 1 (160 bits) in hex representation
SHA-256 | sha256 | Secure Hash Algorithm 2 (256 bits) in hex representation
SSDEEP | ssdeep | SSDEEP fuzzy hash
TLSH | tlsh | TLSH (Trend Micro Locality Sensitive Hash)
source | text | Source of the hashlookup record
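The attributes above mirror the fields of a hashlookup record, so the usual workflow is: hash the file locally, query the service by one of the digests, and turn the returned record into a hashlookup object attached to the event. The example below is added here and is not code from the MISP project or the hashlookup service. It hashes a constructed file, forms the SHA-1 lookup URL, and converts a constructed record into attributes typed according to the table above; the record is accepted only if every digest it carries equals the locally computed one, so a lookup keyed on one hash can never relabel a different file, and KnownMalicious, when present, is read as the record coming from a malicious-file source rather than a known-good set. The endpoint form https://hashlookup.circl.lu/lookup/sha1/<sha1> is taken from the public service's API and is not stated on this page; the sample content and record are constructed, and the function names are this example's own.

```python
import hashlib
from typing import Dict, List

# object_relation -> MISP attribute type, copied from the hashlookup table above.
HASHLOOKUP_TEMPLATE: Dict[str, str] = {
    "FileName": "filename", "FileSize": "size-in-bytes", "KnownMalicious": "text",
    "MD5": "md5", "PackageArch": "text", "PackageDescription": "text",
    "PackageMaintainer": "text", "PackageName": "text", "PackageRelease": "text",
    "PackageVersion": "text", "SHA-1": "sha1", "SHA-256": "sha256",
    "SSDEEP": "ssdeep", "TLSH": "tlsh", "source": "text",
}

# Constructed file content standing in for a binary recovered from a disk image.
SAMPLE_CONTENT = b"#!/bin/sh\necho constructed sample binary\n"


def local_hashes(data: bytes) -> Dict[str, str]:
    """The three digests the service indexes, plus the size, keyed like the object."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA-1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
        "FileSize": str(len(data)),
    }


def lookup_url(sha1: str) -> str:
    """SHA-1 lookup URL of the public service (endpoint form assumed from its API docs)."""
    return f"https://hashlookup.circl.lu/lookup/sha1/{sha1.lower()}"


# Constructed lookup record shaped like a service response. Its digests are
# derived from SAMPLE_CONTENT so the example stays self-consistent offline.
SAMPLE_RECORD: Dict[str, object] = {
    **local_hashes(SAMPLE_CONTENT),
    "FileName": "/usr/bin/constructed-sample",
    "source": "constructed-dataset",
    "PackageName": "constructed-utils",
    "PackageVersion": "1.0-1",
    "hashlookup:trust": 50,  # service metadata with no object_relation: dropped below
}


def record_to_attributes(local: Dict[str, str], record: Dict[str, object]) -> List[dict]:
    """Turn a lookup record into hashlookup object attributes.

    Every digest present in the record must equal the one computed locally;
    otherwise the record describes some other file and is rejected outright.
    Keys without an object_relation in the template are ignored.
    """
    for key in ("MD5", "SHA-1", "SHA-256"):
        if key in record and str(record[key]).lower() != local[key]:
            raise ValueError(f"{key} in lookup record does not match the local file")
    # Local values win, so the object carries the digests we computed ourselves.
    merged = {**{k: v for k, v in record.items() if k in HASHLOOKUP_TEMPLATE}, **local}
    return [{"object_relation": k, "type": HASHLOOKUP_TEMPLATE[k], "value": str(v)}
            for k, v in merged.items()]


def is_known_malicious(attributes: List[dict]) -> bool:
    """KnownMalicious names the source that flagged the file; absent means a known-good record."""
    return any(a["object_relation"] == "KnownMalicious" for a in attributes)


if __name__ == "__main__":
    local = local_hashes(SAMPLE_CONTENT)
    print("query:", lookup_url(local["SHA-1"]))
    for attr in record_to_attributes(local, SAMPLE_RECORD):
        print(f'{attr["object_relation"]:<12} {attr["type"]:<14} {attr["value"]}')
```

In a real run the record comes from an HTTP GET of the printed URL; a 404 from the service simply means the hash is unknown, which is itself worth recording, but not as a hashlookup object.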

http-request

A single HTTP request header.

http-request is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
basicauth-password | text | HTTP Basic Authentication password
basicauth-user | text | HTTP Basic Authentication username
content-type | other | The MIME type of the body of the request
cookie | text | An HTTP cookie previously sent by the server with Set-Cookie
header | text | An HTTP header sent during the HTTP request
host | hostname | The domain name of the server
ip-dst | ip-dst | The IP address of the server
ip-src | ip-src | The IP address of the client
method | http-method | HTTP method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
proxy-password | text | HTTP proxy password
proxy-user | text | HTTP proxy username
referer | other | The address of the previous web page from which a link to the currently requested page was followed
text | text | HTTP request comment
uri | uri | Request URI
url | url | Full HTTP request URL
user-agent | user-agent | The user agent string of the user agent
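The following is an added example, not code from MISP: it parses one captured HTTP request (as a proxy or IDS hands it over) into the attributes of the http-request object above. The request and its credentials are constructed for the example. Basic credentials are decoded into the basicauth-*/proxy-* relations; other authorization schemes are recorded by scheme only, since a bearer token is a secret too. For an origin-form request the scheme is not in the request itself, so http is assumed (an assumption, marked in the code).

```python
"""Added example, not code from MISP: one HTTP request head -> http-request attributes."""
import base64

# Constructed sample request; the credentials are invented for the example.
RAW_REQUEST = b"\r\n".join([
    b"GET /login?next=/admin HTTP/1.1",
    b"Host: intranet.example.test",
    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    b"Authorization: Basic " + base64.b64encode(b"alice:s3cr3t"),
    b"Proxy-Authorization: Basic " + base64.b64encode(b"proxyuser:pr0xy"),
    b"Cookie: session=abc123",
    b"Referer: http://intranet.example.test/",
    b"Content-Type: application/x-www-form-urlencoded",
    b"X-Forwarded-For: 203.0.113.7",
    b"", b"",
])

# Headers with a relation of their own; everything else becomes a generic 'header' attribute.
DIRECT = {"host": ("host", "hostname"), "user-agent": ("user-agent", "user-agent"),
          "referer": ("referer", "other"), "content-type": ("content-type", "other"),
          "cookie": ("cookie", "text")}
CREDENTIALS = {"authorization": ("basicauth-user", "basicauth-password"),
               "proxy-authorization": ("proxy-user", "proxy-password")}


def decode_basic(value: str):
    """(user, password) from a 'Basic <base64>' credential, None for any other scheme or a
    malformed token. The input is attacker-controlled, so decoding must never raise."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def http_request_attributes(raw: bytes, ip_src: str = "", ip_dst: str = "") -> list:
    """(object_relation, type, value) triples for one request. Only the request head is
    read; a body, if present, is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target = request_line.split(" ", 2)[:2]
    attrs, host = [("method", "http-method", method), ("uri", "uri", target)], ""
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name in DIRECT:
            rel, typ = DIRECT[name]
            attrs.append((rel, typ, value))
            host = value if name == "host" else host
        elif name in CREDENTIALS:
            creds = decode_basic(value)
            if creds is None:
                # Bearer tokens etc. are secrets as well: keep the scheme, not the token.
                attrs.append(("header", "text", f"{name}: {value.split(' ', 1)[0]} <redacted>"))
            else:
                user_rel, pw_rel = CREDENTIALS[name]
                attrs += [(user_rel, "text", creds[0]), (pw_rel, "text", creds[1])]
        else:
            attrs.append(("header", "text", line.strip()))
    if target.startswith(("http://", "https://")):        # absolute-form (proxy request)
        attrs.append(("url", "url", target))
    elif host and method != "CONNECT":
        # origin-form: the scheme is not in the request; http assumed (assumption)
        attrs.append(("url", "url", f"http://{host}{target}"))
    attrs += [(rel, rel, val) for rel, val in (("ip-src", ip_src), ("ip-dst", ip_dst)) if val]
    return attrs
```

The basicauth-password and proxy-password attributes hold cleartext credentials: set the distribution of such objects deliberately, and note that Basic credentials visible in a plain-HTTP proxy log are a finding in themselves.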

ilr-impact

Institut Luxembourgeois de Regulation - Impact.

ilr-impact is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
duree | text | Duration of the incident in hh:mm
nombre-utilisateurs-touches | text | Number of users affected by the incident
pourcentage-utilisateurs-touches | text | Percentage of the service's users affected by the incident
service | text | Service affected by the incident ['Telephonie fixe', 'Acces Internet fixe', 'Telephonie mobile', 'Acces Internet mobile']

ilr-notification-incident

Institut Luxembourgeois de Regulation - Notification d'incident (incident notification).

ilr-notification-incident is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
actions-corrective | text | Long-term corrective actions
actions-posterieur | text | Actions taken after the incident to minimise the risk
autres-informations | text | Other information about the nature of the incident, in particular the list of affected assets and any subsequent causes triggered by the initial cause
cause-initiale-incident | text | Initial cause of the incident ['Erreur humaine', "Defaut systeme 'hardware', 'software', 'procedures'", 'Attaque malveillante', 'Defaut d’une partie tierce ou externe', 'Catastrophe naturelle']
date-incident | datetime | Date/time of the detection of the incident
date-pre-notification | text | Date of the pre-notification
delimitation-geographique | text | Geographic scope ['Nationale', 'Regionale']
description-incident | text | General description of the incident
description-probleme-services-urgence | text | Description of the problem affecting the emergency services concerned
details-service | text | Details of the service concerned and of the incident's impact
email-contact-incident | text | Email address of the contact person for the incident
impact-servicesw-urgence | text | Emergency services affected? ['Oui', 'Non']
interconnections-affectees | text | National and/or international interconnections affected
nom-contact-incident | text | Name of the contact person for the incident
nom-entreprise | text | Name of the notified company
remarques | text | Remark(s), in particular experience gained and lessons learned from the incident
telephone-contact-incident | text | Telephone number of the contact person for the incident
traitement-incident | text | Handling of the incident and actions taken, in chronological order
zone-impactee | text | Affected zones/municipalities/cities

image

Object describing an image file.

image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
archive | link | Archive of the image (Internet Archive, Archive.is, etc.)
attachment | attachment | The image file
filename | filename | The image filename
image-text | text | Raw text of the image
link | link | Original link to the image (supposed harmless)
url | url | Original URL location of the image (potentially malicious)
username | text | Username who posted the image

impersonation

Represents an impersonating account.

impersonation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
account-name | text | Name of the impersonating account
account-url | url | URL of the impersonating account
impersonated-account-name | text | Name of the impersonated account
impersonated-account-url | link | URL of the impersonated account
objective | text | Objective of the impersonation ['Information stealing', 'Disinformation', 'Distrusting', 'Advertising', 'Parody', 'Other']
real-name | text | Real name of the impersonated person or entity
type | text | Type of the account ['Person', 'Association', 'Enterprise', 'Other']
type-of-account | text | Type of the impersonated account ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']

imsi-catcher

IMSI catcher entry object based on the open source IMSI catcher.

imsi-catcher is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
brand | text | Brand associated with the IMSI registration.
cellid | text | Cell ID
country | text | Country where the IMSI is registered.
first-seen | datetime | When the IMSI was accessible or seen for the first time.
imsi | text | A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
lac | text | LAC - Location Area Code
mcc | text | MCC - Mobile Country Code
mnc | text | MNC - Mobile Network Code
operator | text | Operator associated with the IMSI registration.
seq | counter | A sequence number for the collection
text | text | A description of the IMSI record.
tmsi-1 | text | Temporary Mobile Subscriber Identity (TMSI) that can be allocated to a visiting mobile subscriber.
tmsi-2 | text | Temporary Mobile Subscriber Identity (TMSI) that can be allocated to a visiting mobile subscriber.

instant-message

Instant Message (IM) object template describing one or more IM messages.

instant-message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
app-used | text | The IM application used to send the message. ['WhatsApp', 'Google Hangouts', 'Facebook Messenger', 'Telegram', 'Signal', 'WeChat', 'BlackBerry Messenger', 'TeamSpeak', 'TorChat', 'RetroShare', 'Slack']
archive | link | Archive of the original message (Internet Archive, Archive.is, etc.).
attachment | attachment | The message file or screen capture.
body | text | Message body of the IM.
from-name | text | Name of the person that sent the message.
from-number | phone-number | Phone number used to send the message.
from-user | text | User account that sent the message.
link | link | Original link to the message (supposed harmless).
received-date | datetime | Received date of the message.
sent-date | datetime | Initial sent date of the message.
subject | text | Subject of the message, if any.
to-name | text | Name of the person that received the message.
to-number | phone-number | Phone number receiving the message.
to-user | text | User account that received the message.
url | url | Original URL location of the message (potentially malicious).

instant-message-group

Instant Message (IM) group object template describing a public or private IM group, channel or conversation.

instant-message-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
app-used | text | The IM application used to send the message. ['WhatsApp', 'Google Hangouts', 'Facebook Messenger', 'Telegram', 'Signal', 'WeChat', 'BlackBerry Messenger', 'TeamSpeak', 'TorChat', 'RetroShare', 'Slack']
archive | link | Archive of the original group (Internet Archive, Archive.is, etc.).
attachment | attachment | A screen capture or exported list of contacts, group members, etc.
group-alias | text | Aliases of the group, channel or community.
group-name | text | The name of the group, channel or community.
link | link | Original link to the group (supposed harmless).
person-name | text | A person who is a member of the group.
url | url | Original URL location of the group (potentially malicious).
username | text | A user account who is a member of the group.

intel471-vulnerability-intelligence

Intel 471 vulnerability intelligence object.

intel471-vulnerability-intelligence is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
activity-location-open-source | boolean | The vulnerability is being discussed in open source. ['True', 'False']
activity-location-private | boolean | The vulnerability is being discussed in private/direct communications. ['True', 'False']
activity-location-underground | boolean | The vulnerability is being discussed in the underground. ['True', 'False']
countermeasures | text | Summary of countermeasures to protect against the vulnerability.
cve-id | text | The vulnerability's CVE ID.
cvss-score-v2 | float | CVSS score (version 2).
cvss-score-v3 | float | CVSS score (version 3).
detection | text | Detection signatures/definitions exist for the vulnerability.
exploit-status-available | boolean | Exploit code for the vulnerability is available. ['True', 'False']
exploit-status-not-observed | boolean | Exploit code or usage has not been observed for the vulnerability. ['True', 'False']
exploit-status-productized | boolean | There is a module for the vulnerability in commercial exploit kits or network security tools. ['True', 'False']
exploit-status-weaponized | boolean | The vulnerability has been used in an attack or has been included in an exploit kit. ['True', 'False']
interest-level-disclosed-publicly | boolean | The vulnerability has been disclosed publicly. ['True', 'False']
interest-level-exploit-sought | boolean | An exploit for the vulnerability is being sought. ['True', 'False']
interest-level-researched-publicly | boolean | The vulnerability has been researched or documented publicly. ['True', 'False']
modified | datetime | Last modification date.
patch-status | text | Availability of a patch for the vulnerability.
product-name | text | Product name.
proof-of-concept | text | Proof of concept code or demonstration exists.
published | datetime | Initial publication date.
references | link | External references.
risk-level | text | Risk level of the vulnerability.
summary | text | Summary of the vulnerability.
underground-activity-status | text | Indicates if underground activity has been observed for the vulnerability.
underground-activity-summary | text | Description of underground activity related to the vulnerability.
vendor-name | text | Vendor name.
vulnerability-status | text | The status of the vulnerability.
vulnerability-type | text | The type of vulnerability.
vulnerable-configuration | text | Vulnerable configuration in CPE format.

intelmq_event

IntelMQ Event.

intelmq_event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
classification.identifier | text | The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.
classification.taxonomy | text | We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).
classification.type | text | The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid 'type explosion', which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as command and control servers for example.
comment | text | Free text commentary about the abuse event inserted by an analyst.
destination.abuse_contact | text | Abuse contact for the destination address. A comma separated list.
destination.account | text | An account name or email address, which has been identified to relate to the destination of an abuse event.
destination.allocated | datetime | Allocation date corresponding to the BGP prefix.
destination.as_name | text | The autonomous system name to which the connection headed.
destination.asn | AS | The autonomous system number to which the connection headed.
destination.domain_suffix | text | The suffix of the domain from the public suffix list.
destination.fqdn | domain | A DNS name related to the host to which the connection headed. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
destination.geolocation.cc | text | Country code according to ISO3166-1 alpha-2 for the destination IP.
destination.geolocation.city | text | Some geolocation services refer to city-level geolocation.
destination.geolocation.country | text | The country name derived from the ISO3166 country code (assigned to the cc field).
destination.geolocation.latitude | float | Latitude coordinates derived from a geolocation service, such as the MaxMind geoip db.
destination.geolocation.longitude | float | Longitude coordinates derived from a geolocation service, such as the MaxMind geoip db.
destination.geolocation.region | text | Some geolocation services refer to region-level geolocation.
destination.geolocation.state | text | Some geolocation services refer to state-level geolocation.
destination.ip | ip-dst | The IP which is the target of the observed connections.
destination.local_hostname | hostname | Some sources report an internal hostname within a NAT related to the name configured for a compromised system.
destination.local_ip | ip-dst | Some sources report an internal (NATed) IP address related to a compromised system. N.B. RFC1918 IPs are OK here.
destination.network | ip-dst | CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
destination.port | counter | The port to which the connection headed.
destination.registry | text | The IP registry a given IP address is allocated by.
destination.reverse_dns | text | Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
destination.tor_node | boolean | If the destination IP was a known Tor node. ['True', 'False']
destination.url | url | A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
destination.urlpath | text | The path portion of an HTTP or related network request.
event_description.target | text | Some sources denominate the target (organization) of an attack.
event_description.text | text | A free-form textual description of an abuse event.
event_description.url | url | A description URL is a link to a further description of the abuse event in question.
event_hash | text | Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.
extra | text | All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. Note: this is only intended for mapping any fields which can not map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.
feed.accuracy | float | A float between 0 and 100 that represents how accurate the data in the feed is.
feed.code | text | Code name for the feed, e.g. DFGS, HSDAG etc.
feed.documentation | text | A URL or hint where to find the documentation of this feed.
feed.name | text | Name for the feed, usually found in the collector bot configuration.
feed.provider | text | Name for the provider of the feed, usually found in the collector bot configuration.
feed.url | url | The URL of a given abuse feed, where applicable.
malware.hash.md5 | md5 | A string depicting an MD5 checksum for a file, be it a malware sample for example.
malware.hash.sha1 | sha1 | A string depicting a SHA1 checksum for a file, be it a malware sample for example.
malware.hash.sha256 | sha256 | A string depicting a SHA256 checksum for a file, be it a malware sample for example.
malware.name | text | The malware name in lower case.
malware.version | text | A version string for an identified artifact generation, e.g. a crime-ware kit.
misp.attribute_uuid | text | MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.
misp.event_uuid | text | MISP - Malware Information Sharing Platform & Threat Sharing UUID of an event.
output | text | Event data converted into a foreign format, intended to be exported by an output plugin.
protocol.application | text | e.g. vnc, ssh, sip, irc, http or smtp.
protocol.transport | text | e.g. tcp, udp, icmp.
raw | text | The original line of the event, encoded in base64.
rtir_id | counter | Request Tracker Incident Response ticket id.
screenshot_url | url | Some sources may report URLs related to an image generated of a resource without any metadata. Or a URL pointing to a resource which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.
source.abuse_contact | text | Abuse contact for the source address. A comma separated list.
source.account | text | An account name or email address, which has been identified to relate to the source of an abuse event.
source.allocated | datetime | Allocation date corresponding to the BGP prefix.
source.as_name | text | The autonomous system name from which the connection originated.
source.asn | AS | The autonomous system number from which the connection originated.
source.domain_suffix | text | The suffix of the domain from the public suffix list.
source.fqdn | domain | A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
source.geolocation.cc | text | Country code according to ISO3166-1 alpha-2 for the source IP.
source.geolocation.city | text | Some geolocation services refer to city-level geolocation.
source.geolocation.country | text | The country name derived from the ISO3166 country code (assigned to the cc field).
source.geolocation.cymru_cc | text | The country code denoted for the IP by the Team Cymru ASN to IP mapping service.
source.geolocation.geoip_cc | text | MaxMind country code (ISO3166-1 alpha-2).
source.geolocation.latitude | float | Latitude coordinates derived from a geolocation service, such as the MaxMind geoip db.
source.geolocation.longitude | float | Longitude coordinates derived from a geolocation service, such as the MaxMind geoip db.
source.geolocation.region | text | Some geolocation services refer to region-level geolocation.
source.geolocation.state | text | Some geolocation services refer to state-level geolocation.
source.ip | ip-src | The IP observed to initiate the connection.
source.local_hostname | hostname | Some sources report an internal hostname within a NAT related to the name configured for a compromised system.
source.local_ip | ip-src | Some sources report an internal (NATed) IP address related to a compromised system. N.B. RFC1918 IPs are OK here.
source.network | ip-src | CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
source.port | counter | The port from which the connection originated.
source.registry | text | The IP registry a given IP address is allocated by.
source.reverse_dns | text | Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
source.tor_node | boolean | If the source IP was a known Tor node. ['True', 'False']
source.url | url | A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
source.urlpath | text | The path portion of an HTTP or related network request.
status | text | Status of the malicious resource (phishing, dropzone, etc.), e.g. online, offline.
time.observation | datetime | The time the collector of the local instance processed (observed) the event.
time.source | datetime | The time of occurrence of the event as reported by the feed (source).
tlp | text | Traffic Light Protocol level of the event.
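The following is an added example, not part of IntelMQ or MISP. It maps a flat IntelMQ event (the dotted-key dictionary an IntelMQ bot emits) onto the intelmq_event object above, folding `extra` and anything outside the harmonization into the single `extra` attribute as the table prescribes, and it computes an `event_hash` the way the table's description asks for: SHA-1 over a minimal, stable key set that leaves out `time.observation` and feed metadata, so the same event seen by two collectors hashes to the same value. The two events are constructed; the key set `HASH_KEYS` is this example's choice, not an IntelMQ default.

```python
"""Added example, not part of IntelMQ or MISP: IntelMQ event -> intelmq_event attributes,
plus a deduplication-friendly event_hash."""
import hashlib
import json

# Relations whose MISP type is not 'text', taken from the table above; every remaining
# relation of the template is a text attribute.
NON_TEXT = {"time.observation": "datetime", "time.source": "datetime", "rtir_id": "counter",
            "event_description.url": "url", "feed.url": "url", "screenshot_url": "url",
            "feed.accuracy": "float", "malware.hash.md5": "md5",
            "malware.hash.sha1": "sha1", "malware.hash.sha256": "sha256"}
for _side, _ip in (("source", "ip-src"), ("destination", "ip-dst")):
    NON_TEXT.update({f"{_side}.allocated": "datetime", f"{_side}.asn": "AS",
                     f"{_side}.fqdn": "domain", f"{_side}.ip": _ip, f"{_side}.local_ip": _ip,
                     f"{_side}.network": _ip, f"{_side}.local_hostname": "hostname",
                     f"{_side}.port": "counter", f"{_side}.tor_node": "boolean",
                     f"{_side}.url": "url", f"{_side}.geolocation.latitude": "float",
                     f"{_side}.geolocation.longitude": "float"})
TEXT = {f"{s}.{f}" for s in ("source", "destination") for f in (
    "abuse_contact", "account", "as_name", "domain_suffix", "geolocation.cc",
    "geolocation.city", "geolocation.country", "geolocation.region", "geolocation.state",
    "registry", "reverse_dns", "urlpath")} | {
    "source.geolocation.cymru_cc", "source.geolocation.geoip_cc", "classification.identifier",
    "classification.taxonomy", "classification.type", "comment", "event_description.target",
    "event_description.text", "event_hash", "feed.code", "feed.documentation", "feed.name",
    "feed.provider", "malware.name", "malware.version", "misp.attribute_uuid",
    "misp.event_uuid", "output", "protocol.application", "protocol.transport", "raw",
    "status", "tlp"}


def attribute_type(relation: str):
    """MISP attribute type for a harmonization key, None if the key is not in the template."""
    return NON_TEXT.get(relation) or ("text" if relation in TEXT else None)


def intelmq_event_attributes(event: dict) -> list:
    """(object_relation, type, value) triples. 'extra' (dict or JSON string), 'extra.*'
    keys and keys outside the harmonization all land in the single 'extra' attribute,
    which is what the template reserves it for; nothing is silently dropped."""
    attrs, extra = [], {}
    for key, value in event.items():
        if value is None or value == "":
            continue
        if key == "extra":
            extra.update(value if isinstance(value, dict) else json.loads(value))
        elif key.startswith("extra.") or attribute_type(key) is None:
            extra[key[len("extra."):] if key.startswith("extra.") else key] = value
        else:
            typ = attribute_type(key)
            if typ == "boolean":
                value = "True" if value else "False"     # the template's sane defaults
            attrs.append((key, typ, str(value)))
    if extra:
        attrs.append(("extra", "text", json.dumps(extra, sort_keys=True)))
    return attrs


# Keys that identify the abuse event itself (this example's choice). time.observation and
# feed.* are left out on purpose: one event relayed by two collectors must hash the same.
HASH_KEYS = ("classification.type", "classification.identifier", "malware.name", "source.ip",
             "source.port", "source.fqdn", "source.url", "destination.ip", "destination.port")


def event_hash(event: dict, keys=HASH_KEYS) -> str:
    """SHA-1 (the function the template names) over a canonical key=value rendering."""
    material = "\n".join(f"{k}={event[k]}" for k in keys
                         if event.get(k) is not None and event.get(k) != "")
    return hashlib.sha1(material.encode("utf-8")).hexdigest()


# Two constructed observations of one sinkhole hit, collected by different feeds.
EVENT_A = {"classification.taxonomy": "malicious-code", "classification.type": "infected-system",
           "classification.identifier": "zeus", "malware.name": "zeus",
           "source.ip": "198.51.100.23", "source.port": 51234, "source.asn": 64496,
           "source.tor_node": False, "destination.ip": "192.0.2.10", "destination.port": 443,
           "protocol.transport": "tcp", "feed.name": "sinkhole-a",
           "time.source": "2024-03-01T10:00:00+00:00",
           "time.observation": "2024-03-01T10:05:12+00:00",
           "extra.os.name": "Windows", "extra": {"os.version": "10"}}
EVENT_B = dict(EVENT_A, **{"feed.name": "sinkhole-b", "source.asn": None,
                          "time.observation": "2024-03-01T11:40:03+00:00"})
```

Adding `time.observation` to the key set is exactly the mistake the table warns about: the two constructed events then hash differently and the duplicate is never detected.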

intelmq_report

IntelMQ Report.

intelmq_report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
extra | text | All anecdotal information of the report which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This data is not automatically propagated to the events.
feed.accuracy | float | A float between 0 and 100 that represents how accurate the data in the feed is.
feed.code | text | Code name for the feed, e.g. DFGS, HSDAG etc.
feed.documentation | text | A URL or hint where to find the documentation of this feed.
feed.name | text | Name for the feed, usually found in the collector bot configuration.
feed.provider | text | Name for the provider of the feed, usually found in the collector bot configuration.
feed.url | url | The URL of a given abuse feed, where applicable.
raw | text | The original raw and unparsed data, encoded in base64.
rtir_id | counter | Request Tracker Incident Response ticket id.
time.observation | datetime | The time the collector of the local instance processed (observed) the event.

internal-reference

Internal reference.

internal-reference is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
comment | comment | Comment associated to the identifier.
identifier | text | Identifier of the reference. Should be unique in your system.
link | link | Link associated to the identifier.
type | text | Type of internal reference.

interpol-notice

An object which describes an Interpol notice.

interpol-notice is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
alias | text | Alias name or known as.
charges | text | Charges published as provided by the requesting entity.
colour-of-eyes | text | Description of a person's colour of eyes.
colour-of-hair | text | Description of a person's colour of hair.
date-of-birth | date-of-birth | Date of birth of a natural person (in YYYY-MM-DD format).
date-of-disappearance | text | Date of disappearance of a missing person.
distinguishing-marks-and-characteristics | text | Distinguishing marks and characteristics of a person.
father-s-family-name-&-forename | text | Father's family name & forename.
forename | first-name | First name of a natural person.
height | text | Height of a person.
language-spoken | text | Languages spoken by a person.
mother-s-family-name-&-forename | text | Mother's family name & forename.
nationality | nationality | The nationality of a natural person.
notice-color | text | The colour/type of the notice ['Red', 'Yellow', 'Blue', 'Black', 'Green', 'Orange', 'Purple']
place-of-birth | place-of-birth | Place of birth of a natural person.
place-of-disappearance | text | Place of disappearance of a missing person.
portrait | attachment | Portrait of the person.
present-family-name | last-name | Last name of a natural person.
sex | gender | The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
weight | text | Weight of a person.

iot-device

An IoT device.

iot-device is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
architecture | text | Architecture of the IoT device ['ARC', 'ARM', 'M68000', 'MicroBlaze', 'MIPS', 'NSD32', 'Nios II', 'PowerPC', 'RISC-V', 'Sandbox', 'SH', 'x86', 'Xtensa']
boot-log | attachment | Boot log of the IoT device
fcc-id | text | FCC ID of the IoT device
jtag-interface | text | JTAG interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
model | text | Model of the IoT device
picture-device | attachment | Picture of the IoT device
picture-pcb | attachment | Picture of the IoT device PCB
platform | text | Platform of the IoT device ['mach-aspeed', 'mach-at91', 'mach-bcm283x', 'mach-bcmstb', 'mach-cortina', 'mach-davinci', 'mach-exynos', 'mach-highbank', 'mach-imx', 'mach-integrator', 'mach-k3', 'mach-keystone', 'mach-kirkwood', 'mach-mediatek', 'mach-meson', 'mach-mvebu', 'mach-omap2', 'mach-orion5x', 'mach-owl', 'mach-qemu', 'mach-rmobile', 'mach-rockchip', 'mach-s5pc1xx', 'mach-snapdragon', 'mach-socfpga', 'mach-sti', 'mach-stm32', 'mach-stm32mp', 'mach-sunxi', 'mach-tegra', 'mach-u8500', 'mach-uniphier', 'mach-versal', 'mach-versatile', 'mach-zynq', 'mach-zynqmp', 'mach-zynqmp-r5', 'mcf5227x', 'mcf523x', 'mcf52x2', 'mcf530x', 'mcf532x', 'mcf5445x', 'mcf547x_8x', 'mach-ath79', 'mach-bmips', 'mach-jz47xx', 'mach-mscc', 'mach-mtmips', 'mach-pic32']
reference | link | Reference of the IoT device
serial-interface | text | Serial interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
spi-interface | text | SPI interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
vendor | text | Vendor of the IoT device

iot-firmware

A firmware for an IoT device.

iot-firmware is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
binwalk-entropy-graph | attachment | Entropy graph of the firmware
binwalk-output | attachment | Binwalk output of the firmware image
boot-log | attachment | Boot log of the IoT device for this firmware
filename | text | Filename of the firmware
firmware | attachment | Firmware of the IoT device
format | text | Format of the firmware ['raw', 'Intel hex', 'Motorola S-Record', 'Unknown']
md5 | md5 | [Insecure] MD5 hash (128 bits)
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits)
sha224 | sha224 | Secure Hash Algorithm 2 (224 bits)
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits)
sha384 | sha384 | Secure Hash Algorithm 2 (384 bits)
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits)
size-in-bytes | size-in-bytes | Size of the file, in bytes
version | text | Version of the firmware
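The following is an added example, not code from MISP or binwalk. It determines which of the template's `format` values a firmware image is, validating the per-line checksums of Intel HEX and Motorola S-Record files rather than trusting the first character, and computes the per-block Shannon entropy that an entropy graph plots, merging high-entropy blocks into the byte ranges worth carving. The sample image is constructed (a header, zero padding, pseudo-random bytes standing in for a compressed kernel, and erased-flash padding).

```python
"""Added example, not code from MISP or binwalk: firmware format detection and the
block-entropy series behind an entropy graph."""
import hashlib
import math
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8.0 for random, compressed or
    encrypted data."""
    n = len(block)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def entropy_profile(image: bytes, block_size: int = 1024) -> list:
    """(offset, length, entropy) per block, the data series an entropy graph plots."""
    return [(off, len(image[off:off + block_size]),
             round(shannon_entropy(image[off:off + block_size]), 3))
            for off in range(0, len(image), block_size)]


def high_entropy_regions(profile: list, threshold: float = 7.5) -> list:
    """Merge adjacent blocks above the threshold into (start, end) byte ranges. These are
    the sections to carve and decompress, or to suspect of being encrypted, before
    looking for strings, keys or credentials; plain code and padding sit far below."""
    regions = []
    for off, length, ent in profile:
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + length)
        else:
            regions.append((off, off + length))
    return regions


def _intel_hex_line(line: str) -> bool:
    """':' + bytecount + address(2) + type + data + checksum; all bytes sum to 0 mod 256."""
    if not line.startswith(":") or len(line) < 11 or len(line) % 2 == 0:
        return False
    try:
        rec = bytes.fromhex(line[1:])
    except ValueError:
        return False
    return rec[0] == len(rec) - 5 and sum(rec) % 256 == 0


def _srec_line(line: str) -> bool:
    """'S' + type + bytecount + address + data + checksum; the count covers everything
    after it and the checksum is the ones' complement of the byte sum, so the sum of all
    counted bytes including the checksum is 0xFF."""
    if len(line) < 10 or line[0] != "S" or not line[1].isdigit() or len(line) % 2:
        return False
    try:
        rec = bytes.fromhex(line[2:])
    except ValueError:
        return False
    return rec[0] == len(rec) - 1 and sum(rec) & 0xFF == 0xFF


def firmware_format(image: bytes) -> str:
    """One of the template's 'format' values. A single bad checksum demotes the image to
    'raw' rather than guessing: a corrupted text image is not loadable anyway."""
    try:
        lines = [ln.strip() for ln in image.decode("ascii").splitlines() if ln.strip()]
    except UnicodeDecodeError:
        return "raw"
    if lines and all(_intel_hex_line(ln) for ln in lines):
        return "Intel hex"
    if lines and all(_srec_line(ln) for ln in lines):
        return "Motorola S-Record"
    return "raw"


# Constructed image, not a real firmware: 13-byte header, zero padding, 4 KiB of
# pseudo-random bytes (stand-in for a compressed kernel), then 0xFF erased-flash padding.
SAMPLE_IMAGE = (b"BOOTHDR v1.2\x00" + b"\x00" * 2048
                + b"".join(hashlib.sha256(bytes([i, 0x55])).digest() for i in range(128))
                + b"\xff" * 1024)
```

The md5 and sha1 relations are marked [Insecure] in the table for a reason: record them for matching against older reports, but let sha256 or stronger be the value you compare against when deciding whether two images are the same.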

ip-api-address

IP address information. Useful if you are pulling your IP information from ip-api.com.

ip-api-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
ISP | text | ISP.
asn | AS | Autonomous System Number
city | text | City.
country | text | Country name
country-code | text | Country code
first-seen | datetime | First time the ASN was seen
ip-src | ip-src | Source IP address of the network connection.
last-seen | datetime | Last time the ASN was seen
latitude | float | The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
longitude | float | The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference.
organization | text | Organization
region | text | Region. Example: California.
region-code | text | Region code. Example: CA
state | text | State.
zipcode | text | Zip code.

ip-port

An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific timeframe.

ip-port is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
--- | --- | ---
domain | domain | Domain
dst-port | port | Destination port
first-seen | datetime | First time the tuple has been seen
hostname | hostname | Hostname
ip | ip-dst | IP address
ip-dst | ip-dst | Destination IP address
ip-src | ip-src | Source IP address
last-seen | datetime | Last time the tuple has been seen
src-port | port | Source port
text | text | Description of the tuple

irc

An IRC object to describe an IRC server and the associated channels.

irc is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| channel | text | IRC channel associated to the IRC server | | |
| dst-port | port | Destination port to reach the IRC server | | |
| first-seen | datetime | First time the IRC server with the associated channels has been seen | | |
| hostname | hostname | Hostname of the IRC server | | |
| ip | ip-dst | IP address of the IRC server | | |
| last-seen | datetime | Last time the IRC server with the associated channels has been seen | | |
| nickname | text | IRC nickname used to connect to the associated IRC server and channels | | |
| text | text | Description of the IRC server | | |

ja3

JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.

ja3 is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | Type of detected software, i.e. software, malware | | |
| first-seen | datetime | First seen of the SSL/TLS handshake | | |
| ip-dst | ip-dst | Destination IP address | | |
| ip-src | ip-src | Source IP Address | | |
| ja3-fingerprint-md5 | ja3-fingerprint-md5 | Hash identifying source | | |
| last-seen | datetime | Last seen of the SSL/TLS handshake | | |

ja3s

JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSL Extensions. https://github.com/salesforce/ja3.

ja3s is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | Type of detected software, i.e. software, malware, c&c | | |
| first-seen | datetime | First seen of the SSL/TLS handshake | | |
| ip-dst | ip-dst | Destination IP address | | |
| ip-src | ip-src | Source IP Address | | |
| ja3-fingerprint-md5 | ja3-fingerprint-md5 | Hash identifying client | | |
| ja3s-fingerprint-md5 | ja3-fingerprint-md5 | Hash identifying server | | |
| last-seen | datetime | Last seen of the SSL/TLS handshake | | |

jarm

Jarm object to describe a TLS/SSL implementation used for malicious or legitimate use-case.

jarm is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| jarm | jarm-fingerprint | JARM Hash of this implementation | | |
| reference | link | Reference to the tool matching this fingerprint | | |
| scope | text | Scope of the tool ['Malicious - C2', 'Malicious - Client', 'Malicious - Unknown', 'Legitimate', 'Undefined'] | | |
| tls-implementation | text | SSL/TLS implementation matching this object | | |
| tool | text | Tool having this jarm fingerprint | | |

keybase-account

Information related to a keybase account, from API Users Object.

keybase-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| bio | text | Bio of the keybase user | | |
| cryptocurrency_addresses | btc | Associated cryptocurrency address with the keybase user | | |
| emails | text | Emails associated with the keybase user | | |
| full_name | text | Full name | | |
| id | text | Keybase user identifier | | |
| location | text | Location | | |
| private_keys | text | OpenPGP private keys associated with the keybase user | | |
| public_keys | text | OpenPGP public keys associated with the keybase user | | |
| username | text | Keybase username | | |

leaked-document

Object describing a leaked document.

leaked-document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | The leaked document file. | | |
| document-name | text | Title of the document. | | |
| document-text | text | Raw text of document | | |
| document-type | text | The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'photo', 'audio', 'invoice', 'receipt', 'other'] | | |
| first-seen | datetime | When the document has been accessible or seen for the first time. | | |
| last-seen | datetime | When the document has been accessible or seen for the last time. | | |
| link | link | Original link into the document (Supposed harmless) | | |
| objective | text | Reason for leaking the document. ['Disinformation', 'Influence', 'Whistleblowing', 'Extortion', 'Other'] | | |
| origin | text | Original source of leaked document. | | |
| purpose-of-document | text | What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other'] | | |
| url | url | Original URL location of the document (potentially malicious) | | |

legal-entity

An object to describe a legal entity.

legal-entity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| business | text | Business area of the entity. | | |
| commercial-name | text | Commercial name of the entity. | | |
| legal-form | text | Legal form of the entity. | | |
| logo | attachment | Logo of the entity. | | |
| name | text | Name of the entity. | | |
| phone-number | phone-number | Phone number of the entity. | | |
| registration-number | text | Registration number of the entity in the relevant authority. | | |
| text | text | A description of the entity. | | |
| website | link | Website of the entity. | | |

lnk

LNK object describing a Windows LNK binary file (aka Windows shortcut).

lnk is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| birth-droid-file-identifier | text | Birth droid volume identifier (UUIDv1 where MAC can be extracted) | | |
| birth-droid-volume-identifier | text | Droid volume identifier | | |
| droid-file-identifier | text | Droid file identifier (UUIDv1 where MAC can be extracted) | | |
| droid-volume-identifier | text | Droid volume identifier | | |
| entropy | float | Entropy of the whole file | | |
| filename | filename | Filename on disk | | |
| fullpath | text | Complete path of the LNK filename including the filename | | |
| lnk-access-time | datetime | Access time of the LNK | | |
| lnk-command-line-arguments | text | LNK command line arguments | | |
| lnk-creation-time | datetime | Creation time of the LNK | | |
| lnk-description | text | LNK description | | |
| lnk-drive-serial-number | text | Drive serial number | | |
| lnk-drive-type | text | Drive type | | |
| lnk-file-attribute-flags | text | File attribute flags | | |
| lnk-file-size | size-in-bytes | Size of the target file, in bytes | | |
| lnk-hot-key-value | text | Hot Key value | | |
| lnk-icon-index | text | Icon index | | |
| lnk-local-path | text | Local path | | |
| lnk-modification-time | datetime | Modification time of the LNK | | |
| lnk-relative-path | text | Relative path | | |
| lnk-show-window-value | text | Show Window value | | |
| lnk-volume-label | text | Volume label | | |
| lnk-working-directory | text | LNK working path | | |
| machine-identifier | text | Machine identifier | | |
| malware-sample | malware-sample | The LNK file itself (binary) | | |
| md5 | md5 | [Insecure] MD5 hash (128 bits) | | |
| path | text | Path of the LNK filename complete or partial | | |
| pattern-in-file | pattern-in-file | Pattern that can be found in the file | | |
| sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) | | |
| sha224 | sha224 | Secure Hash Algorithm 2 (224 bits) | | |
| sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) | | |
| sha384 | sha384 | Secure Hash Algorithm 2 (384 bits) | | |
| sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) | | |
| sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits) | | |
| sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits) | | |
| size-in-bytes | size-in-bytes | Size of the LNK file, in bytes | | |
| ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) | | |
| state | text | State of the LNK file ['Malicious', 'Harmless', 'Trusted'] | | |
| text | text | Free text value to attach to the file | | |
| tlsh | tlsh | Fuzzy hash by Trend Micro: Locality Sensitive Hash | | |

macho

Object describing a file in Mach-O format.

macho is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| entrypoint-address | text | Address of the entry point | | |
| name | text | Binary's name | | |
| number-sections | counter | Number of sections | | |
| text | text | Free text value to attach to the Mach-O file | | |
| type | text | Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD'] | | |

macho-section

Object describing a section of a file in Mach-O format.

macho-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| entropy | float | Entropy of the whole section | | |
| md5 | md5 | [Insecure] MD5 hash (128 bits) | | |
| name | text | Name of the section | | |
| sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) | | |
| sha224 | sha224 | Secure Hash Algorithm 2 (224 bits) | | |
| sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) | | |
| sha384 | sha384 | Secure Hash Algorithm 2 (384 bits) | | |
| sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) | | |
| sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits) | | |
| sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits) | | |
| size-in-bytes | size-in-bytes | Size of the section, in bytes | | |
| ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) | | |
| text | text | Free text value to attach to the section | | |

mactime-timeline-analysis

Mactime template, used in forensic investigations to describe the timeline of a file activity.

mactime-timeline-analysis is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| activityType | text | Determines the type of activity conducted on the file at a given time ['Accessed', 'Created', 'Changed', 'Modified', 'Other'] | | |
| datetime | datetime | Date and time when the operation was conducted on the file | | |
| file | attachment | Mactime output file | | |
| file-path | text | Location of the file on the disc | | |
| filePermissions | text | Describes permissions assigned to the file | | |
| file_size | text | Determines the file size in bytes | | |

malware-config

Malware configuration recovered or extracted from a malicious binary.

malware-config is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| config | text | Raw (decrypted, decoded) text of the malware configuration. | | |
| encrypted | text | Encrypted or encoded text of the malware configuration in base64. | | |
| first-seen | datetime | When the malware configuration has been seen for the first time. | | |
| format | text | Original format of the malware configuration. ['JSON', 'yaml', 'INI', 'other'] | | |
| last-seen | datetime | When the malware configuration has been seen for the last time. | | |
| password | text | Password or encryption key used to encrypt the malware configuration. | | |

meme-image

Object describing a meme (image).

meme-image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| 5Ds-of-propaganda | text | 5 D's of propaganda are tactics of rebuttal used to defend against criticism and adversarial narratives. ['dismiss', 'distort', 'distract', 'dismay', 'divide'] | | |
| a/b-test | boolean | A flag to define if this meme is part of an a/b test. If set to true, it is part of an a/b test set. ['True', 'False'] | | |
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | The image file. | | |
| crosspost | link | Safe site where the meme has been posted. | | |
| crosspost-unsafe | url | Unsafe site where the meme has been posted. | | |
| document-text | text | Raw text of meme | | |
| first-seen | datetime | When the meme has been accessible or seen for the first time. | | |
| last-seen | datetime | When the meme has been accessible or seen for the last time. | | |
| link | link | Original link into the meme (Supposed harmless) | | |
| meme-reference | link | A link to know-your-meme or similar reference material. | | |
| objective | text | Objective of the meme. ['Disinformation', 'Advertising', 'Parody', 'Other'] | | |
| url | url | Original URL location of the meme (potentially malicious) | | |
| username | text | Username who posted the meme. | | |

microblog

Microblog post like a Twitter tweet or a post on a Facebook wall.

microblog is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | The microblog post file or screen capture. | | |
| creation-date | datetime | Initial creation of the microblog post | | |
| display-name | text | Display name of the account who posted the microblog. | | |
| embedded-link | url | Link into the microblog post | | |
| embedded-safe-link | link | Safe link into the microblog post | | |
| hashtag | text | Hashtag embedded in the microblog post | | |
| in-reply-to-display-name | text | The user display name of the microblog this post replies to. | | |
| in-reply-to-status-id | text | The microblog ID of the microblog this post replies to. | | |
| in-reply-to-user-id | text | The user ID of the microblog this post replies to. | | |
| language | text | The language of the post. | | |
| link | link | Original link to the microblog post (supposed harmless). | | |
| modification-date | datetime | Last update of the microblog post | | |
| post | text | Raw text of the post. | | |
| removal-date | datetime | When the microblog post was removed. | | |
| state | text | State of the microblog post ['Informative', 'Malicious', 'Misinformation', 'Disinformation', 'Unknown'] | | |
| title | text | Title of the post. | | |
| twitter-id | twitter-id | The microblog post id. | | |
| type | text | Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other'] | | |
| url | url | Original URL of the microblog post (potentially malicious). | | |
| username | text | Username who posted the microblog post (without the @ prefix) | | |
| username-quoted | text | Usernames that are quoted in the microblog post. | | |
| verified-username | text | Is the username account verified by the operator of the microblog platform ['Verified', 'Unverified', 'Unknown'] | | |

mutex

Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.

mutex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | Description | | |
| name | text | name of the mutex | | |
| operating-system | text | Operating system where the mutex has been seen ['Windows', 'Unix'] | | |

narrative

Object describing a narrative.

narrative is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| 5Ds-of-propaganda | text | 5 D's of propaganda are tactics of rebuttal used to defend against criticism and adversarial narratives. ['dismiss', 'distort', 'distract', 'dismay', 'divide'] | | |
| archive | link | Archive of the original narrative source (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | Documents related to the narrative. | | |
| external-references | link | Link to external references. | | |
| link | link | Original link to the narrative source (Supposed harmless) | | |
| narrative-disproof | text | Disproof or evidence against the narrative. | | |
| narrative-summary | text | A summary of the narrative. | | |
| objective | text | Objective of the narrative. ['Disinformation', 'Advertising', 'Parody', 'Other'] | | |
| url | url | Original link to the narrative source (Supposed malicious) | | |

netflow

Netflow object describes a network object based on the Netflow v5/v9 minimal definition.

netflow is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| byte-count | counter | Bytes counted in this flow | | |
| community-id | community-id | Community id of the represented flow | | |
| direction | text | Direction of this flow ['Ingress', 'Egress'] | | |
| dst-as | AS | Destination AS number for this flow | | |
| dst-port | port | Destination port of the netflow | | |
| first-packet-seen | datetime | First packet seen in this flow | | |
| flow-count | counter | Flows counted in this flow | | |
| icmp-type | text | ICMP type of the flow (if the traffic is ICMP) | | |
| ip-dst | ip-dst | IP address destination of the netflow | | |
| ip-protocol-number | size-in-bytes | IP protocol number of this flow | | |
| ip-src | ip-src | IP address source of the netflow | | |
| ip_version | counter | IP version of this flow | | |
| last-packet-seen | datetime | Last packet seen in this flow | | |
| packet-count | counter | Packets counted in this flow | | |
| protocol | text | Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP'] | | |
| src-as | AS | Source AS number for this flow | | |
| src-port | port | Source port of the netflow | | |
| tcp-flags | text | TCP flags of the flow | | |

network-connection

A local or remote network connection.

network-connection is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| community-id | community-id | Flow description as a community ID hash value | | |
| dst-port | port | Destination port of the network connection. | | |
| first-packet-seen | datetime | Datetime of the first packet seen. | | |
| hostname-dst | hostname | Destination hostname of the network connection. | | |
| hostname-src | hostname | Source hostname of the network connection. | | |
| ip-dst | ip-dst | Destination IP address of the network connection. | | |
| ip-src | ip-src | Source IP address of the network connection. | | |
| layer3-protocol | text | Layer 3 protocol of the network connection. ['IP', 'ICMP', 'ARP'] | | |
| layer4-protocol | text | Layer 4 protocol of the network connection. ['TCP', 'UDP'] | | |
| layer7-protocol | text | Layer 7 protocol of the network connection. ['HTTP', 'HTTPS', 'FTP'] | | |
| src-port | port | Source port of the network connection. | | |

network-profile

Elements that can be used to profile, pivot or identify a network infrastructure, including domains, ip and urls.

network-profile is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| asn | AS | ASN where the content is hosted | | |
| certificate-common-name | text | Certificate common name | | |
| certificate-country | text | Certificate country name | | |
| certificate-creation-date | datetime | Certificate date it was created | | |
| certificate-expiry-date | datetime | Certificate date it will expire | | |
| certificate-issuer | text | Certificate Issuer | | |
| certificate-organization | text | Certificate organization | | |
| certificate-organization-locality | text | Certificate locality | | |
| certificate-organization-state | text | Certificate state or province name | | |
| certificate-organization-unit | text | Certificate organization unit | | |
| dns-server | hostname | DNS server | | |
| domain | domain | Domain of the whois entry | | |
| evidences | attachment | Screenshot of the network resources. | | |
| google-analytics-id | text | Google analytics IDs | | |
| hosting-provider | text | The hosting provider/ISP where the resources are. | | |
| ip-address | ip-src | IP address of the whois entry | | |
| jarm | jarm-fingerprint | JARM Footprint string | | |
| port | port | Port number | | |
| query_string | text | Query (after path, preceded by '?') | | |
| resource_path | text | Path (between hostname:port and query) | | |
| service-abuse | text | Service abused by threat actors as part of their infrastructure. ['OneDrive', 'Google Drive', 'Dropbox', 'Microsoft', 'Google', 'DuckDNS', 'Cloudflare', 'AWS'] | | |
| subdomain | text | Subdomain | | |
| text | text | Full whois entry | | |
| threat-actor-infrastructure-pattern | text | Patterns found on threat actor infrastructure that can correlate with other analysis. | | |
| threat-actor-infrastructure-value | text | Unique value found on threat actor infrastructure identified through an investigation. | | |
| tld | text | Top-Level Domain | | |
| url | url | Full URL | | |
| whois-creation-date | datetime | Initial creation of the whois entry | | |
| whois-expiration-date | datetime | Expiration of the whois entry | | |
| whois-registrant-email | whois-registrant-email | Registrant email address | | |
| whois-registrant-name | whois-registrant-name | Registrant name | | |
| whois-registrant-org | whois-registrant-org | Registrant organisation | | |
| whois-registrant-phone | whois-registrant-phone | Registrant phone number | | |
| whois-registrar | whois-registrar | Registrar of the whois entry | | |

network-socket

Network socket object describes a local or remote network connection based on the socket data structure.

network-socket is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address-family | text | Address family that specifies the address family type (AF_*) of the socket connection. ['AF_UNSPEC', 'AF_LOCAL', 'AF_UNIX', 'AF_FILE', 'AF_INET', 'AF_AX25', 'AF_IPX', 'AF_APPLETALK', 'AF_NETROM', 'AF_BRIDGE', 'AF_ATMPVC', 'AF_X25', 'AF_INET6', 'AF_ROSE', 'AF_DECnet', 'AF_NETBEUI', 'AF_SECURITY', 'AF_KEY', 'AF_NETLINK', 'AF_ROUTE', 'AF_PACKET', 'AF_ASH', 'AF_ECONET', 'AF_ATMSVC', 'AF_RDS', 'AF_SNA', 'AF_IRDA', 'AF_PPPOX', 'AF_WANPIPE', 'AF_LLC', 'AF_IB', 'AF_MPLS', 'AF_CAN', 'AF_TIPC', 'AF_BLUETOOTH', 'AF_IUCV', 'AF_RXRPC', 'AF_ISDN', 'AF_PHONET', 'AF_IEEE802154', 'AF_CAIF', 'AF_ALG', 'AF_NFC', 'AF_VSOCK', 'AF_KCM', 'AF_MAX'] | | |
| domain-family | text | Domain family that specifies the communication domain (PF_*) of the socket connection. ['PF_UNSPEC', 'PF_LOCAL', 'PF_UNIX', 'PF_FILE', 'PF_INET', 'PF_AX25', 'PF_IPX', 'PF_APPLETALK', 'PF_NETROM', 'PF_BRIDGE', 'PF_ATMPVC', 'PF_X25', 'PF_INET6', 'PF_ROSE', 'PF_DECnet', 'PF_NETBEUI', 'PF_SECURITY', 'PF_KEY', 'PF_NETLINK', 'PF_ROUTE', 'PF_PACKET', 'PF_ASH', 'PF_ECONET', 'PF_ATMSVC', 'PF_RDS', 'PF_SNA', 'PF_IRDA', 'PF_PPPOX', 'PF_WANPIPE', 'PF_LLC', 'PF_IB', 'PF_MPLS', 'PF_CAN', 'PF_TIPC', 'PF_BLUETOOTH', 'PF_IUCV', 'PF_RXRPC', 'PF_ISDN', 'PF_PHONET', 'PF_IEEE802154', 'PF_CAIF', 'PF_ALG', 'PF_NFC', 'PF_VSOCK', 'PF_KCM', 'PF_MAX'] | | |
| dst-port | port | Destination port of the network socket connection. | | |
| filename | filename | Socket using filename | | |
| hostname-dst | hostname | Destination hostname of the network socket connection. | | |
| hostname-src | hostname | Source (local) hostname of the network socket connection. | | |
| ip-dst | ip-dst | Destination IP address of the network socket connection. | | |
| ip-src | ip-src | Source (local) IP address of the network socket connection. | | |
| option | text | Option on the socket connection. | | |
| protocol | text | Protocol used by the network socket. ['TCP', 'UDP', 'ICMP', 'IP'] | | |
| socket-type | text | Type of the socket. ['SOCK_STREAM', 'SOCK_DGRAM', 'SOCK_RAW', 'SOCK_RDM', 'SOCK_SEQPACKET'] | | |
| src-port | port | Source (local) port of the network socket connection. | | |
| state | text | State of the socket connection. ['blocking', 'listening'] | | |

news-agency

News agencies compile news and disseminate news in bulk.

news-agency is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Postal address of the news agency. | | |
| alias | text | Alias of the news agency. | | |
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | The news file, screen capture, audio, etc. | | |
| e-mail | email-src | Email address of the organization. | | |
| fax-number | phone-number | Fax number of the news agency. | | |
| link | link | Original link to the news agency (Supposed harmless). | | |
| name | text | Name of the news agency. | | |
| phone-number | phone-number | Phone number of the news agency. | | |
| url | url | Original URL location of the news agency (potentially malicious). | | |

news-media

News media are forms of mass media delivering news to the general public.

news-media is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | text | Postal address of the news source. | | |
| alias | text | Alias of the news source. | | |
| archive | link | Archive of the news (Internet Archive, Archive.is, etc). | | |
| attachment | attachment | The news file, screen capture, audio, etc. | | |
| content | text | Raw content of the news. | | |
| e-mail | email-src | Email address of the news source. | | |
| embedded-link | url | Site linked by the blog post. | | |
| embedded-safe-link | link | Safe site linked by the blog post. | | |
| fax-number | phone-number | Fax number of the news source. | | |
| link | link | Original link to news (Supposed harmless). | | |
| phone-number | phone-number | Phone number of the news source. | | |
| source | text | Name of the news source. | | |
| sub-type | text | Format of the news post (business daily, local news, metasite, etc). ['Business Daily', 'Local News', 'State News', 'National News', 'Metasite', 'Political Commentary', 'Clipper', 'Pressure Group', 'Staging', 'Trade Site', 'Other'] | | |
| title | text | Title of the post. | | |
| transcription | text | Transcribed audio/visual content. | | |
| type | text | Type of news media (newspaper, TV, podcast, etc). ['Newspaper', 'Newspaper (Online)', 'Magazine', 'Magazine (Online)', 'TV', 'Tube', 'Radio', 'Radio (Online)', 'Podcast', 'Alternative Media', 'Other'] | | |
| url | url | Original URL location of news (potentially malicious). | | |
| username | text | Username who posted the blog post. | | |

open-data-security

An object describing an open dataset available and described under the open data security model. ref. https://github.com/CIRCL/open-data-security.

open-data-security is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | comment | an exhaustive description of the dataset including methods of collection, extraction or analysis | | |
| frequency | text | frequency of the dataset generation which MUST be expressed in yearly, monthly, daily, hourly ['yearly', 'monthly', 'daily', 'hourly'] | | |
| human-validated | text | human-validated describes if the dataset has been manually validated ['true', 'false', 'unknown'] | | |
| license | text | license MUST be expressed in SPDX format to describe under which license the dataset is distributed | | |
| link | link | link to open dataset | | |
| machine-validated | text | machine-validated describes if the dataset has been automatically validated ['true', 'false', 'unknown'] | | |
| producer | link | producer MUST be expressed as a URI to reference the original producer of the dataset | | |
| source | text | original source of the dataset | | |
| subtitle | text | an extended title of the dataset | | |
| time-precision | text | time-precision MUST be expressed in years, months, days, hours, minutes or seconds to describe the precision of the time expressed ['years', 'months', 'days', 'hours', 'minutes', 'seconds'] | | |
| title | text | a comprehensive and concise title of the dataset | | |

organization

An object which describes an organization.

organization is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| VAT | text | VAT or TAX-ID of the organization | | |
| address | text | Postal address of the organization. | | |
| alias | text | Alias of the organization | | |
| date-of-inception | date-of-birth | Date of inception of the organization | | |
| description | text | Description of the organization | | |
| e-mail | email-src | Email address of the organization. | | |
| fax-number | phone-number | Fax number of the organization. | | |
| name | text | Name of the organization | | |
| phone-number | phone-number | Phone number of the organization. | | |
| role | text | The role of the organization. ['Suspect', 'Victim', 'Defendent', 'Accused', 'Culprit', 'Accomplice', 'Target', 'Source', 'Originator', 'Informant', 'Emitter'] | | |
| type-of-organization | text | Type of the organization | | |

original-imported-file

Object describing the original file used to import data in MISP.

original-imported-file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| format | text | Format of data imported. ['STIX 1.0', 'STIX 1.1', 'STIX 1.2', 'STIX 2.0', 'OpenIOC'] | | |
| imported-sample | attachment | The original imported file itself (binary). | | |
| uri | uri | URI related to the imported file. | | |

paloalto-threat-event

Palo Alto Threat Log Event.

paloalto-threat-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| app | text | The application identified (e.g. vnc, ssh, sip, irc, http or smtp). | | |
| direction | text | The Direction of the Event. | | |
| dport | counter | The port to which the connection headed. | | |
| dst | ip-dst | The Destination IP which is the target of the observed connections. | | |
| dstloc | text | The Destination Location of the event. | | |
| proto | text | The transport protocol (e.g. tcp, udp, icmp). | | |
| sport | counter | The port from which the connection originated. | | |
| src | ip-src | The ip observed to initiate the connection | | |
| srcloc | text | The Source Location of the event. | | |
| subtype | text | The subtype of the Log Event. | | |
| thr_category | text | The Threat Category. | | |
| threatid | text | The Threat ID. | | |
| time_generated | datetime | The datetime of the event. | | |
| type | text | The type of the Log Event | | |

parler-account

Parler account.

parler-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

account-id text Numeric id of the account.

account-name text Name of the account.

archive link Archive of the original parley (Internet Archive, Archive.is, etc).

attachment attachment The parley file or screen capture.

badge float Post badge.

bio text The account bio.

comments text The number of user comments.

cover-photo attachment Comment controversy.

followers text Number of followers.

following text Number user is following.

human boolean Account 'human' bool. ['True', 'False']

interactions float Account interactions.

likes text Number user likes.

link link Original URL of the parley (supposed harmless).

posts text Number user posts.

profile-photo attachment Comment controversy.

score text User score.

url url Original URL of the parley, e.g. link shortener (potentially malicious).

verified boolean Account 'verified' bool. ['True', 'False']

parler-comment

Parler comment.

parler-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

archive link Archive of the original parley (Internet Archive, Archive.is, etc).

attachment attachment The parley file or screen capture.

badge float Comment badge.

body text Raw text of the post.

comment-depth float Comment nesting depth.

comments text Comments on this object.

controversy float Comment controversy.

creator text Name of the account that posted this parley.

creator-id text ID of the account that posted this parley.

downvotes text Comment downvotes.

embedded-link url Link in the parley.

embedded-safe-link link Safe link in the parley.

hashtag text Hashtag embedded in the parley.

in-reply-to-display-name text The user display name of the parley this post shares.

in-reply-to-parley-id text The Parler ID of the parley that this post shares.

in-reply-to-user-id text The user ID of the parley this post shares.

link link Original link to the post (supposed harmless).

post-id text Numeric id of the parley.

score text Comment score.

upvotes text Comment upvotes.

url url Original URL of the parley, e.g. link shortener (potentially malicious).

username-quoted text Username who is quoted in the parley.

parler-post

Parler post (parley).

parler-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

archive link Archive of the original parley (Internet Archive, Archive.is, etc).

article boolean Indicates if the post is an article. ['True', 'False']

attachment attachment The parley file or screen capture.

badge float Post badge.

body text Raw text of the post.

comments text Number of comments on this object.

creator text Name of the account that posted this parley.

creator-id text ID of the account that posted this parley.

depth float Post nesting depth.

embedded-link url Link in the parley.

embedded-safe-link link Safe link in the parley.

hashtag text Hashtag embedded in the parley.

impressions text Number of impressions.

in-reply-to-display-name text The user display name of the parley this post shares.

in-reply-to-parley-id text The Parler ID of the parley that this post shares.

in-reply-to-user-id text The user ID of the parley this post shares.

link link Original link to the post (supposed harmless).

post-id text Numeric id of the parley.

share-link link Sharable link generated by Parler (supposed harmless).

upvotes text Comment upvotes.

url url Original URL of the parley, e.g. link shortener (potentially malicious).

username-quoted text Username who is quoted in the parley.

passive-dns

Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html.

passive-dns is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

bailiwick domain Best estimate of the apex of the zone where this data is authoritative.

count counter How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.

origin text Origin of the Passive DNS response. This field is represented as a Uniform Resource Identifier (URI).

raw_rdata text Resource records of the queried resource, in hexadecimal. All rdata entries at once.

rdata text Resource records of the queried resource. Note that this field is added for each rdata entry in the rrset.

rrname text Resource Record name of the queried resource.

rrtype text Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']

sensor_id text Sensor information where the record was seen.

text text Description of the passive DNS record.

time_first datetime First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS.

time_first_ms datetime Same meaning as the field 'time_first', with the only difference that the resolution is in milliseconds since 1st of January 1970 (UTC).

time_last datetime Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS.

time_last_ms datetime Same meaning as the field 'time_last', with the only difference that the resolution is in milliseconds since 1st of January 1970 (UTC).

zone_time_first datetime First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.

zone_time_last datetime Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.

passive-dns-dnsdbflex

DNSDBFLEX object. This object is used at Farsight Security. Roughly based on Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html.

passive-dns-dnsdbflex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

rrname text Resource Record name of the queried resource.

rrtype text Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']

passive-ssh

Passive-ssh object as described on passive-ssh services from circl.lu - https://github.com/D4-project/passive-ssh.

passive-ssh is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

base64 text Base64 representation of the ssh-key.

fingerprint ssh-fingerprint Fingerprint of the SSH key.

first_seen datetime First time that the passive-ssh object has been seen by the passive SSH.

host ip-dst IP Address of the host(s) that exposed this SSH key.

last_seen datetime Last time that the passive-ssh object has been seen by the passive SSH.

paste

Paste or similar post from a website that allows posts to be shared privately or publicly.

paste is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

first-seen datetime When the paste has been accessible or seen for the first time.

last-seen datetime When the paste has been accessible or seen for the last time.

link link Link to the original source of the paste or post (when used legitimately for OSINT source or alike).

origin text Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastebin.fr', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com', 'paste.ee', '0bin.net']

paste text Raw text of the paste or post.

paste-file attachment Content of the paste in file.

title text Title of the paste or post.

url url Link to the original source of the paste or post (when used maliciously).

username text User who posted the post.

pcap-metadata

Network packet capture metadata.

pcap-metadata is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

capture-interface text Interface name where the packet capture was running.

capture-length text Capture length set on the captured interface.

first-packet-seen datetime When the first packet has been seen.

last-packet-seen datetime When the last packet has been seen.

protocol text Capture protocol (linktype name). ['PER_PACKET', 'UNKNOWN', 'ETHERNET', 'TOKEN_RING', 'SLIP', 'PPP', 'FDDI', 'FDDI_BITSWAPPED', 'RAW_IP', 'ARCNET', 'ARCNET_LINUX', 'ATM_RFC1483', 'LINUX_ATM_CLIP', 'LAPB', 'ATM_PDUS', 'ATM_PDUS_UNTRUNCATED', 'NULL', 'ASCEND', 'ISDN', 'IP_OVER_FC', 'PPP_WITH_PHDR', 'IEEE_802_11', 'IEEE_802_11_PRISM', 'IEEE_802_11_WITH_RADIO', 'IEEE_802_11_RADIOTAP', 'IEEE_802_11_AVS', 'SLL', 'FRELAY', 'FRELAY_WITH_PHDR', 'CHDLC', 'CISCO_IOS', 'LOCALTALK', 'OLD_PFLOG', 'HHDLC', 'DOCSIS', 'COSINE', 'WFLEET_HDLC', 'SDLC', 'TZSP', 'ENC', 'PFLOG', 'CHDLC_WITH_PHDR', 'BLUETOOTH_H4', 'MTP2', 'MTP3', 'IRDA', 'USER0', 'USER1', 'USER2', 'USER3', 'USER4', 'USER5', 'USER6', 'USER7', 'USER8', 'USER9', 'USER10', 'USER11', 'USER12', 'USER13', 'USER14', 'USER15', 'SYMANTEC', 'APPLE_IP_OVER_IEEE1394', 'BACNET_MS_TP', 'NETTL_RAW_ICMP', 'NETTL_RAW_ICMPV6', 'GPRS_LLC', 'JUNIPER_ATM1', 'JUNIPER_ATM2', 'REDBACK', 'NETTL_RAW_IP', 'NETTL_ETHERNET', 'NETTL_TOKEN_RING', 'NETTL_FDDI', 'NETTL_UNKNOWN', 'MTP2_WITH_PHDR', 'JUNIPER_PPPOE', 'GCOM_TIE1', 'GCOM_SERIAL', 'NETTL_X25', 'K12', 'JUNIPER_MLPPP', 'JUNIPER_MLFR', 'JUNIPER_ETHER', 'JUNIPER_PPP', 'JUNIPER_FRELAY', 'JUNIPER_CHDLC', 'JUNIPER_GGSN', 'LINUX_LAPD', 'CATAPULT_DCT2000', 'BER', 'JUNIPER_VP', 'USB_FREEBSD', 'IEEE802_16_MAC_CPS', 'NETTL_RAW_TELNET', 'USB_LINUX', 'MPEG', 'PPI', 'ERF', 'BLUETOOTH_H4_WITH_PHDR', 'SITA', 'SCCP', 'BLUETOOTH_HCI', 'IPMB', 'IEEE802_15_4', 'X2E_XORAYA', 'FLEXRAY', 'LIN', 'MOST', 'CAN20B', 'LAYER1_EVENT', 'X2E_SERIAL', 'I2C', 'IEEE802_15_4_NONASK_PHY', 'TNEF', 'USB_LINUX_MMAPPED', 'GSM_UM', 'DPNSS', 'PACKETLOGGER', 'NSTRACE_1_0', 'NSTRACE_2_0', 'FIBRE_CHANNEL_FC2', 'FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS', 'JPEG_JFIF', 'IPNET', 'SOCKETCAN', 'IEEE_802_11_NETMON', 'IEEE802_15_4_NOFCS', 'RAW_IPFIX', 'RAW_IP4', 'RAW_IP6', 'LAPD', 'DVBCI', 'MUX27010', 'MIME', 'NETANALYZER', 'NETANALYZER_TRANSPARENT', 'IP_OVER_IB_SNOOP', 'MPEG_2_TS', 'PPP_ETHER', 'NFC_LLCP', 'NFLOG', 'V5_EF', 'BACNET_MS_TP_WITH_PHDR', 'IXVERIWAVE', 'SDH', 'DBUS', 'AX25_KISS', 'AX25', 'SCTP', 'INFINIBAND', 'JUNIPER_SVCS', 'USBPCAP', 'RTAC_SERIAL', 'BLUETOOTH_LE_LL', 'WIRESHARK_UPPER_PDU', 'STANAG_4607', 'STANAG_5066_D_PDU', 'NETLINK', 'BLUETOOTH_LINUX_MONITOR', 'BLUETOOTH_BREDR_BB', 'BLUETOOTH_LE_LL_WITH_PHDR', 'NSTRACE_3_0', 'LOGCAT', 'LOGCAT_BRIEF', 'LOGCAT_PROCESS', 'LOGCAT_TAG', 'LOGCAT_THREAD', 'LOGCAT_TIME', 'LOGCAT_THREADTIME', 'LOGCAT_LONG', 'PKTAP', 'EPON', 'IPMI_TRACE', 'LOOP', 'JSON', 'NSTRACE_3_5', 'ISO14443', 'GFP_T', 'GFP_F', 'IP_OVER_IB_PCAP', 'JUNIPER_VN', 'USB_DARWIN', 'LORATAP', '3MB_ETHERNET', 'VSOCK', 'NORDIC_BLE', 'NETMON_NET_NETEVENT', 'NETMON_HEADER', 'NETMON_NET_FILTER', 'NETMON_NETWORK_INFO_EX', 'MA_WFP_CAPTURE_V4', 'MA_WFP_CAPTURE_V6', 'MA_WFP_CAPTURE_2V4', 'MA_WFP_CAPTURE_2V6', 'MA_WFP_CAPTURE_AUTH_V4', 'MA_WFP_CAPTURE_AUTH_V6', 'JUNIPER_ST', 'ETHERNET_MPACKET', 'DOCSIS31_XRA31']

text text A description of the packet capture.

pe

Object describing a Portable Executable.

pe is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

authentihash authentihash Authenticode executable signature hash (sha256).

company-name text CompanyName in the resources.

compilation-timestamp datetime Compilation timestamp defined in the PE header.

entrypoint-address text Address of the entry point.

entrypoint-section-at-position text Name of the section and position of the section in the PE.

file-description text FileDescription in the resources.

file-version text FileVersion in the resources.

impfuzzy impfuzzy Fuzzy Hash (ssdeep) calculated from the import table.

imphash imphash Hash (md5) calculated from the import table.

internal-filename filename InternalFilename in the resources.

lang-id text Lang ID in the resources.

legal-copyright text LegalCopyright in the resources.

number-sections counter Number of sections.

original-filename filename OriginalFilename in the resources.

pehash pehash Hash of the structural information about a sample. See https://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/

product-name text ProductName in the resources.

product-version text ProductVersion in the resources.

richpe md5 RichPE metadata hash.

text text Free text value to attach to the PE.

type text Type of PE. ['exe', 'dll', 'driver', 'unknown']

pe-section

Object describing a section of a Portable Executable.

pe-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

characteristic text Characteristic of the section. ['read', 'write', 'executable']

entropy float Entropy of the whole section.

md5 md5 [Insecure] MD5 hash (128 bits).

name text Name of the section. ['.rsrc', '.reloc', '.rdata', '.data', '.text']

offset hex Section’s offset.

sha1 sha1 [Insecure] Secure Hash Algorithm 1 (160 bits).

sha224 sha224 Secure Hash Algorithm 2 (224 bits).

sha256 sha256 Secure Hash Algorithm 2 (256 bits).

sha384 sha384 Secure Hash Algorithm 2 (384 bits).

sha512 sha512 Secure Hash Algorithm 2 (512 bits).

sha512/224 sha512/224 Secure Hash Algorithm 2 (224 bits).

sha512/256 sha512/256 Secure Hash Algorithm 2 (256 bits).

size-in-bytes size-in-bytes Size of the section, in bytes.

ssdeep ssdeep Fuzzy hash using context triggered piecewise hashes (CTPH).

text text Free text value to attach to the section.

virtual_address hex Section’s virtual address.

virtual_size size-in-bytes Section’s virtual size.

person

An object which describes a person or an identity.

person is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

address text Postal address of the person.

alias text Alias name or known as.

birth-certificate-number text Birth Certificate Number.

date-of-birth date-of-birth Date of birth of a natural person (in YYYY-MM-DD format).

dni text Spanish National ID.

e-mail email-src Email address of the person.

fax-number phone-number Fax number of the person.

first-name first-name First name of a natural person.

full-name full-name Full name of a natural person, usually composed of first-name, middle-name and last-name.

function text Function of the natural person such as analyst, cyber operator, lawyer.

gender gender The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say', 'Unknown']

identity-card-number identity-card-number The identity card number of a natural person.

last-name last-name Last name of a natural person.

middle-name middle-name Middle name of a natural person.

mothers-name text Mother name, father, second name or other names following country’s regulation.

nationality nationality The nationality of a natural person.

nic-hdl text NIC Handle (Network Information Centre handle) of the person.

nie text Foreign National ID (Spain).

nif text Tax ID Number (Spain).

occupation text Work or occupation of the person or identity.

ofac-identification-number text OFAC identification number.

passport-country passport-country The country in which the passport was issued.

passport-expiration passport-expiration The expiration date of a passport.

passport-number passport-number The passport number of a natural person.

phone-number phone-number Phone number of the person.

place-of-birth place-of-birth Place of birth of a natural person.

portrait attachment Portrait of the person.

redress-number redress-number The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.

role text The role of a person. ['Suspect', 'Victim', 'Defendent', 'Accused', 'Culprit', 'Accomplice', 'Witness', 'Target', 'Source', 'Originator', 'Informant', 'Emitter']

social-security-number text Social security number.

text text A description of the person or identity.

title text Title of the natural person such as Dr. or equivalent.

pgp-meta

Metadata extracted from a PGP keyblock, message or signature.

pgp-meta is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

key-id text Key ID in hexadecimal.

user-id-email text User ID packet, email address of the key holder (UTF-8 text).

user-id-name text User ID packet, name of the key holder.

phishing

Phishing template to describe a phishing website and its analysis.

phishing is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

hostname hostname Host of the phishing website.

internal-reference text Internal reference such as ticket ID.

online text If the phishing is online and operational; by default is yes. ['Yes', 'No']

phishtank-detail-url link Phishtank detail URL to the reported phishing.

phishtank-id text Phishtank ID of the reported phishing.

screenshot attachment Screenshot of the phishing site.

submission-time datetime When the phishing was submitted and/or reported.

takedown-request datetime When the phishing was requested to be taken down.

takedown-request-to text Destination email address for the take-down request.

takedown-time datetime When the phishing was taken down.

target text Organisation targeted by the phishing.

url url Original URL of the phishing website.

url-redirect url Redirect URL of the phishing website.

verification-time datetime When the phishing was verified.

verified text The phishing has been verified by the team handling the phishing. ['No', 'Yes']

phishing-kit

Object to describe a phishing-kit.

phishing-kit is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

date-found datetime Date when the phishing kit was found.

email-type text Type of the Email.

internal-reference text Internal reference such as ticket ID.

kit-mailer text Mailer Kit Used.

kit-name text Name of the Phishing Kit.

kit-url url URL of the Phishing Kit.

online text If the phishing kit is online and operational; by default is yes. ['Yes', 'No']

phishing-domain url Domain used for Phishing.

reference-link link Link where the Phishing Kit was observed.

target text What was targeted using this phishing kit.

threat-actor text Identified threat actor.

threat-actor-email email-src Email of the Threat Actor.

phone

A phone or mobile phone object which describes a phone.

phone is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

brand text Brand of the phone.

first-seen datetime When the phone has been accessible or seen for the first time.

gummei text Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).

guti text Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.

imei text International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.

imsi text A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.

last-seen datetime When the phone has been accessible or seen for the last time.

model text Model of the phone.

msisdn text MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has several interpretations, the most common one being Mobile Station International Subscriber Directory Number.

serial-number text Serial Number.

text text A description of the phone.

tmsi text Temporary Mobile Subscriber Identities (TMSI) can be allocated to visiting mobile subscribers.

postal-address

A postal address.

postal-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

apartment text Apartment / suite number.

city text City or town name.

country text Country.

description text Description of the address.

number text House number.

postal-code text ZIP / postal code.

province text Province.

state text State.

street text Street name.

process

Object describing a system process.

process is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

args text Arguments of the process.

child-pid text Process ID of the child(ren) process.

command-line text Command line of the process.

creation-time datetime Local date/time at which the process was created.

current-directory text Current working directory of the process.

fake-process-name boolean Is the process spawned under a false name. ['1', '0']

guid text The globally unique identifier of the process assigned by the vendor product.

hidden boolean Specifies whether the process is hidden. ['True', 'False']

image filename Path of the process image.

integrity-level text Integrity level of the process. ['system', 'high', 'medium', 'low', 'untrusted']

name text Name of the process.

parent-command-line text Command line of the parent process.

parent-guid text The globally unique identifier of the parent process assigned by the vendor product.

parent-image filename Path of the parent process image.

parent-pid text Process ID of the parent process.

parent-process-name text Process name of the parent.

parent-process-path text Parent process path of the parent.

pgid text Identifier of the group of processes the process belongs to.

pid text Process ID of the process.

port port Port(s) owned by the process.

process-state process-state State of the process. ['D', 'R', 'S', 'T', 't', 'W', 'X', 'Z', '<', 'N', 'L', 's', 'l', '+']

start-time datetime Local date/time at which the process was started.

user-creator text User who created the process.

user-process text User who is running the process at the time of the analysis.

publication

An object to describe a book, journal, or academic publication.

publication is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

DOI text DOI System is used to identify digital resources.

ISBN text International Standard Book Number.

academic-institution text Academic institution associated with the publisher or authors.

archive link Archive of the original document (Internet Archive, Archive.is, etc).

attachment attachment The publication file or screen capture.

author text Author of the publication.

content text Content of the publication.

contributor text Contributors include editors, compilers, and translators.

description text A description of the publication.

edition text Edition of the publication.

embedded-link url Link contained in the publication (possibly malicious).

embedded-safe-link link Link contained in the publication (assumed safe).

link link Original link to the publication (supposed harmless).

publisher text Publisher of the document.

series text Series of the publication.

title text Title of the publication.

url url Original link to the publication (possibly malicious).

volume text Volume of the publication.

website link Website of the publisher.

year text Year of publication.

python-etvx-event-log

Event log object template to share information about the activities conducted on a system.

python-etvx-event-log is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

Computer text Computer name on which the event occurred.

Correlation-ID text Unique activity identity which relates the event to a process.

Event-data text Event data description.

Keywords text Tags used for the event for the purpose of filtering or searching. ['Network', 'Security', 'Resource not found', 'other']

Operational-code text The opcode (numeric value or name) associated with the activity carried out by the event.

Processor-ID text ID of the processor that processed the event.

Relative-Correlation-ID text Related activity ID which identifies similar activities that occurred as part of the event.

Session-ID text Terminal server session ID.

Thread-ID text Thread id that generated the event.

User text Name or the User ID the event is associated with.

comment text Additional comments.

event-channel text Channel through which the event occurred. ['Application', 'System', 'Security', 'Setup', 'other']

event-date-time datetime Date and time when the event was logged.

event-id text A unique number which identifies the event.

event-type text Event-type assigned to the event. ['Admin', 'Operational', 'Audit', 'Analytic', 'Debug', 'other']

kernel-time datetime Execution time of the kernel mode instruction.

level text Determines the event severity. ['Information', 'Warning', 'Error', 'Critical', 'Success Audit', 'Failure Audit']

log text Log file where the event was recorded.

name text Name of the event.

source text The source of the event log - application/software that logged the event.

task-category text Activity by the event publisher.

user-time datetime Date and time when the user instruction was executed.

r2graphity

Indicators extracted from files using radare2 and graphml.

r2graphity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

callback-average counter Average size of a callback.

callback-largest counter Largest callback.

callbacks counter Amount of callbacks (functions started as thread).

create-thread counter Amount of calls to CreateThread.

dangling-strings counter Amount of dangling strings (string with a code cross reference that is not within a function; Radare2 failed to detect that function).

get-proc-address counter Amount of calls to GetProcAddress.

gml attachment Graph export in Graph Modelling Language format.

local-references counter Amount of API calls inside a code section.

memory-allocations counter Amount of memory allocations.

miss-api counter Amount of API call references that do not resolve to a function offset.

not-referenced-strings counter Amount of not referenced strings.

r2-commit-version text Radare2 commit ID used to generate this object.

ratio-api float Ratio: amount of API calls per kilobyte of code section.

ratio-functions float Ratio: amount of functions per kilobyte of code section.

ratio-string float Ratio: amount of referenced strings per kilobyte of code section.

referenced-strings counter Amount of referenced strings.

refsglobalvar counter Amount of API calls outside of code section (glob var, dynamic API).

shortest-path-to-create-thread counter Shortest path to the first time the binary calls CreateThread.

text text Description of the r2graphity object.

total-api counter Total amount of API calls.

total-functions counter Total amount of functions in the file.

unknown-references counter Amount of API calls not ending in a function (Radare2 bug, probably).

reddit-account

Reddit account.

reddit-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute MISP attribute type Description Disable correlation Multiple

account-avatar attachment A screen capture or exported account avatar.

account-avatar-url url A user profile picture or avatar.

account-id text Account id.

account-name text Account name (do not include u/).

archive link Archive of the account (Internet Archive, Archive.is, etc).

attachment attachment A screen capture or exported list of contacts etc.

description text A description of the user.

link link Original link to the account page (supposed harmless).

moderator-of text Subreddits of which this account is a moderator (exclude the r/).

trophies text Trophies listed in the account Trophy Case.

url url Original URL location of the page (potentially malicious).

reddit-comment

A Reddit post comment.

reddit-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
archive | link | Archive of the original comment (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported file from the comment.
author | text | The user account that created the post (do not include u/).
body | text | The raw text of the comment.
description | text | A description of the comment.
embedded-link | url | Link embedded in the subreddit description (potentially malicious).
embedded-safe-link | link | Link embedded in the subreddit description (supposed safe).
hashtag | text | Hashtag used to identify or promote the comment.
link | link | Original link to the comment (supposed harmless).
subreddit-name | text | The name of the subreddit where it was posted (exclude the r/).
url | url | Original URL location of the comment (potentially malicious).
username-quoted | text | Usernames quoted in the comment (do not include u/).

reddit-post

A Reddit post.

reddit-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
archive | link | Archive of the original Reddit post (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported file from the Reddit post.
author | text | The user account that created the post (do not include u/).
description | text | A description of the post.
edited | text | Has the post been edited? ['True', 'False']
embedded-link | url | Link embedded in the subreddit description (potentially malicious).
embedded-safe-link | link | Link embedded in the subreddit description (supposed safe).
hashtag | text | Hashtag used to identify or promote the Reddit post.
link | link | Original link to the Reddit post (supposed harmless).
post-content | text | The raw text of the Reddit post.
post-title | text | The title of the Reddit post.
subreddit-name | text | The name of the subreddit where it was posted (exclude the r/).
thumbnail | attachment | Screen capture or exported post thumbnail.
thumbnail-url | url | Link to post thumbnail.
url | url | Original URL location of the Reddit post (potentially malicious).
username-quoted | text | Usernames quoted in the Reddit post (do not include u/).

reddit-subreddit

Public or private subreddit.

reddit-subreddit is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
active-user-count | text | Number of active accounts in the subreddit.
archive | link | Archive of the original subreddit (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts, subreddit members, etc.
banner-background-image | attachment | A screen capture or exported subreddit header.
banner-background-url | url | A link to the subreddit header.
creator | text | The user account that created the subreddit (do not include u/).
description | text | A description of the subreddit.
display-name | text | The name of the subreddit (exclude the r/).
embedded-link | url | Link embedded in the subreddit description (potentially malicious).
embedded-safe-link | link | Link embedded in the subreddit description (supposed safe).
hashtag | text | Hashtag used to identify or promote the subreddit.
header-title | text | A title of the subreddit.
icon-img | attachment | A screen capture or exported subreddit community icon.
icon-img-url | url | A link to the subreddit community icon.
link | link | Original link to the subreddit (supposed harmless).
moderator | text | A user account who is a moderator of the subreddit (do not include u/).
privacy | text | Subreddit privacy. ['Public', 'Private']
rules | text | Raw text of the rules of the subreddit.
submit-text | text | The submission form raw text when posting to the subreddit.
subreddit-alias | text | Aliases or previous names of the subreddit.
subreddit-type | text | Subreddit type, e.g. general, buy and sell etc.
url | url | Original URL location of the subreddit (potentially malicious).

regexp

An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.

regexp is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comment | comment | A description of the regular expression.
regexp | text | regexp
regexp-type | text | Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE', 'FCRE (Farsight Compatible Regular Expressions)']
type | text | Specify which type corresponds to this regex. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']

registry-key

Registry key object describing a Windows registry key with value and last-modified timestamp.

registry-key is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
data | text | Data stored in the registry key
data-type | text | Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
hive | text | Hive used to store the registry key (file on disk)
key | regkey | Full key path
last-modified | datetime | Last time the registry key has been modified
name | text | Name of the registry key
root-keys | text | Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']

regripper-NTUser

Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.

regripper-NTUser is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
applications-installed | text | List of applications installed.
applications-run | text | List of applications set to run on the system.
comments | text | Additional information related to the user profile
external-devices | text | List of external devices connected to the system by the user.
key | text | Registry key where the information is retrieved from.
key-last-write-time | datetime | Date and time when the key was last updated.
logon-user-name | text | Name assigned to the user profile.
mount-points | text | Details of the mount points created on the system.
network-connected-to | text | List of networks the user connected the system to.
nukeOnDelete | boolean | Determines if the Recycle Bin option has been disabled. ['True', 'False']
recent-files-accessed | text | List of recent files accessed by the user.
recent-folders-accessed | text | List of recent folders accessed by the user.
typed-urls | text | URLs typed by the user in Internet Explorer
user-init | text | Applications or processes set to run when the user logs onto the Windows system.

regripper-sam-hive-single-user

Regripper Object template designed to present user profile details extracted from the SAM hive.

regripper-sam-hive-single-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comments | text | Full name assigned to the user profile.
full-user-name | text | Full name assigned to the user profile.
key | text | Registry key where the information is retrieved from.
key-last-write-time | datetime | Date and time when the key was last updated.
last-login-time | datetime | Date and time when the user last logged onto the system.
login-count | counter | Number of times the user logged onto the system.
pwd-fail-date | datetime | Date and time when a password last failed for this user profile.
pwd-reset-time | datetime | Date and time when the password was last reset.
user-name | text | User name assigned to the user profile.

regripper-sam-hive-user-group

Regripper Object template designed to present group profile details extracted from the SAM hive.

regripper-sam-hive-user-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
full-name | text | Full name assigned to the profile.
group-comment | text | Any group comment added.
group-name | text | Name assigned to the profile.
group-users | text | Users belonging to the group
key | text | Registry key where the information is retrieved from.
key-last-write-time | datetime | Date and time when the key was last updated.
last-write-date-time | datetime | Date and time when the group key was updated.

regripper-software-hive-BHO

Regripper Object template designed to gather information on the browser helper objects installed on the system.

regripper-software-hive-BHO is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
BHO-key-last-write-time | datetime | Date and time when the BHO key was last updated.
BHO-name | text | Name of the browser helper object.
class | text | Class to which the BHO belongs.
comments | text | Additional comments.
key | text | Software hive key where the information is retrieved from.
last-write-time | datetime | Date and time when the key was last updated.
module | text | DLL module the BHO belongs to.
references | link | References to the BHO.

regripper-software-hive-appInit-DLLS

Regripper Object template designed to gather information on the DLL files installed on the system.

regripper-software-hive-appInit-DLLS is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
DLL-last-write-time | datetime | Date and time when the DLL file was last updated.
DLL-name | text | Name of the DLL file.
DLL-path | text | Path where the DLL file is stored.
comments | text | Additional comments.
key | text | Software hive key where the information is retrieved from.
last-write-time | datetime | Date and time when the key was last updated.
references | link | References to the DLL file.

regripper-software-hive-application-paths

Regripper Object template designed to gather information on the application paths.

regripper-software-hive-application-paths is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comments | text | Additional comments.
executable-file-name | text | Name of the executable file.
key | text | Software hive key where the information is retrieved from.
last-write-time | datetime | Date and time when the key was last updated.
path | text | Path of the executable file.
references | link | References to the application installed.

regripper-software-hive-applications-installed

Regripper Object template designed to gather information on the applications installed on the system.

regripper-software-hive-applications-installed is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
app-last-write-time | datetime | Date and time when the application key was last updated.
app-name | text | Name of the application.
comments | text | Additional comments.
key | text | Software hive key where the information is retrieved from.
key-path | text | Path of the key.
last-write-time | datetime | Date and time when the key was last updated.
references | link | References to the application installed.
version | text | Version of the application.

regripper-software-hive-command-shell

Regripper Object template designed to gather information on the shell commands executed on the system.

regripper-software-hive-command-shell is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
command | text | Command executed.
comments | text | Additional comments.
key | text | Software hive key where the information is retrieved from.
last-write-time | datetime | Date and time when the key was last updated.
shell | text | Type of shell used to execute the command. ['exe', 'cmd', 'bat', 'hta', 'pif', 'Other']
shell-path | text | Path of the shell.

regripper-software-hive-software-run

Regripper Object template designed to gather information on the applications set to run on the system.

regripper-software-hive-software-run is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
application-name | text | Name of the application run.
application-path | text | Path where the application is installed.
comments | text | Additional comments.
key | text | Software hive key where the information is retrieved from. ['Run', 'RunOnce', 'Runservices', 'Terminal', 'Other']
key-path | text | Path of the key.
last-write-time | datetime | Date and time when the key was last updated.
references | link | References to the applications.

regripper-software-hive-userprofile-winlogon

Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.

regripper-software-hive-userprofile-winlogon is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
AutoAdminLogon | boolean | Flag value to determine if autologon is enabled for a user without entering the password. ['True', 'False']
AutoRestartShell | boolean | Value of the flag set to auto restart the shell if it crashes or shuts down automatically. ['True', 'False']
CachedLogonCount | counter | Number of times the user has logged into the system.
Comments | text | Additional comments.
DefaultUserName | text | User name of the default user.
DisableCAD | boolean | Flag to determine if user login is enabled by pressing Ctrl+Alt+Delete. ['True', 'False']
Legal-notice-caption | text | Message title set to display when the user logs in.
Legal-notice-text | text | Message set to display when the user logs in.
PasswordExpiryWarining | counter | Number of times the password expiry warning appeared.
PowerdownAfterShutDown | boolean | Flag value: whether the system is set to power down after it is shut down. ['True', 'False']
PreCreateKnownFolders | text | Create known folders key
ReportBootOk | boolean | Flag to check if the reboot was successful. ['True', 'False']
SID | text | Security identifier assigned to the user profile.
Shell | text | Shell set to run when the user logs onto the system.
ShutdownFlags | counter | Number of times shutdown is initiated from a process when the user is logged in.
ShutdownWithoutLogon | boolean | Value of the flag set to enable shutdown without requiring a user to log in. ['True', 'False']
UserInit | text | Applications and files set to run when the user logs onto the system (user logon activity).
WinStationsDisabled | boolean | Flag value set to enable/disable logons to the system. ['True', 'False']
user-profile-key-last-write-time | datetime | Date and time when the key was last updated.
user-profile-key-path | text | Key where the user-profile information is retrieved from.
user-profile-last-write-time | datetime | Date and time when the user profile was last updated.
user-profile-path | text | Path of the user profile on the system
winlogon-key-last-write-time | datetime | Date and time when the winlogon key was last updated.
winlogon-key-path | text | Winlogon key referred to in order to retrieve default user information

regripper-software-hive-windows-general-info

Regripper Object template designed to gather general Windows information extracted from the software hive.

regripper-software-hive-windows-general-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
BuildGUID | text | Build ID.
BuildLab | text | Windows BuildLab string.
BuildLabEx | text | Windows BuildLabEx string.
CSDVersion | text | Version of the service pack installed.
CurrentBuild | text | Build number of the Windows OS.
CurrentBuildType | text | Current build type of the OS.
CurrentVersion | text | Current version of Windows
EditionID | text | Windows edition.
InstallDate | datetime | Date when Windows was installed.
InstallationType | text | Type of Windows installation.
PathName | text | Path to the root directory.
ProductID | text | ID of the product version.
ProductName | text | Name of the Windows version.
RegisteredOrganization | text | Name of the registered organization.
RegisteredOwner | text | Name of the registered owner.
SoftwareType | text | Software type of Windows. ['System', 'Application', 'other']
SystemRoot | text | Root directory.
comment | comment | Additional comments.
last-write-time | datetime | Date and time when the key was last updated.
win-cv-path | text | Key where the Windows information is retrieved from

regripper-system-hive-firewall-configuration

Regripper Object template designed to present firewall configuration information extracted from the system hive.

regripper-system-hive-firewall-configuration is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comment | text | Additional comments.
disable-notification | boolean | Boolean flag to determine if firewall notifications are enabled. ['True', 'False']
enbled-firewall | boolean | Boolean flag to determine if the firewall is enabled. ['True', 'False']
last-write-time | datetime | Date and time when the firewall profile policy was last updated.
profile | text | Firewall Profile type ['DomainProfile', 'StandardProfile', 'NetworkProfile', 'PublicProfile', 'PrivateProfile', 'other']

regripper-system-hive-general-configuration

Regripper Object template designed to present general system properties extracted from the system hive.

regripper-system-hive-general-configuration is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comment | text | Additional comments.
computer-name | text | Name of the computer under analysis
fDenyTSConnections: | boolean | Specifies whether remote connections are enabled or disabled on the system. ['True', 'False']
last-write-time | datetime | Date and time when the key was last updated.
shutdown-time | datetime | Date and time when the system was shut down.
timezone-bias | text | Offset in minutes from UTC. Offset added to the local time to get a UTC value.
timezone-daylight-bias | text | Value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.
timezone-daylight-date | datetime | Daylight date - daylight saving months
timezone-daylight-name | text | Timezone name used during daylight saving months.
timezone-last-write-time | datetime | Date and time when the timezone key was last updated.
timezone-standard-bias | text | Value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.
timezone-standard-date | datetime | Standard date - non daylight saving months
timezone-standard-name | text | Timezone standard name used during non-daylight saving months.

regripper-system-hive-network-information

Regripper object template designed to gather network information from the system hive.

regripper-system-hive-network-information is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
DHCP-IP-address | ip-dst | DHCP service - IP address
DHCP-domain | text | Name of the DHCP domain service
DHCP-name-server | ip-dst | DHCP name server - IP address.
DHCP-server | ip-dst | DHCP server - IP address.
DHCP-subnet-mask | ip-dst | DHCP subnet mask - IP address.
TCPIP-key | text | TCPIP key
TCPIP-key-last-write-time | datetime | Datetime when the key was last updated.
additional-comments | text | Comments.
interface-GUID | text | GUID value assigned to the interface.
interface-IPcheckingEnabled | boolean |
interface-MediaSubType | text |
interface-PnpInstanceID | text | Plug and Play instance ID assigned to the interface.
interface-last-write-time | datetime | Last date and time when the interface key was updated.
interface-name | text | Name of the interface.
network-key | text | Registry key assigned to the network
network-key-last-write-time | datetime | Date and time when the network key was last updated.
network-key-path | text | Path of the key where the information is retrieved from.

regripper-system-hive-services-drivers

Regripper Object template designed to gather information regarding the services/drivers from the system hive.

regripper-system-hive-services-drivers is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
comment | text | Additional comments.
display | text | Display name/information of the service or the driver.
group | text | Group to which the system/driver belongs. ['Base', 'Boot Bus Extender', 'Boot File System', 'Cryptography', 'Extended base', 'Event Log', 'Filter', 'FSFilter Bottom', 'FSFilter Infrastructure', 'File System', 'FSFilter Virtualization', 'Keyboard Port', 'Network', 'NDIS', 'Parallel arbitrator', 'Pointer Port', 'PnP Filter', 'ProfSvc_Group', 'PNP_TDI', 'SCSI Miniport', 'SCSI CDROM Class', 'System Bus Extender', 'Video Save', 'other']
image-path | text | Path of the service/driver
last-write-time | datetime | Date and time when the key was last updated.
name | text | Name of the key
start | text | When the service/driver starts or executes. ['Boot start', 'System start', 'Auto start', 'Manual', 'Disabled']
type | text | Service/driver type. ['Kernel driver', 'File system driver', 'Own process', 'Share process', 'Interactive', 'Other']

report

Metadata used to generate an executive level report.

report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
case-number | text | Case number
link | link | Link to the report mentioned
report-file | attachment | Attachment(s) related to the report
summary | text | Free text summary of the report
type | text | Type of report ['Report', 'Alert', 'Incident', 'Operation', 'Press Article', 'Press Release', 'Online Article', 'Blogpost']

research-scanner

Information related to known scanning activity (e.g. from research projects).

research-scanner is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
asn | AS | Autonomous System Number related to project
contact_email | email-dst | Project contact information
contact_phone | phone-number | Phone number related to project
domain | domain | Domain related to project
project | text | Description of scanning project
project_url | link | URL related to project
scanning_ip | ip-src | IP address used by project
scheduled_end | datetime | Scheduled end of scanning activity
scheduled_start | datetime | Scheduled start of scanning activity

rogue-dns

Rogue DNS as defined by CERT.br.

rogue-dns is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
hijacked-domain | hostname | Domain/hostname hijacked by the rogue DNS
phishing-ip | ip-dst | Resource records returned by the rogue DNS
rogue-dns | ip-dst | IP address of the rogue DNS
status | text | How many authoritative DNS answers were received at the Passive DNS Server's collectors with exactly the given set of values as answers. ['ROGUE DNS', 'Unknown']
timestamp | datetime | Last time that the rogue DNS value was seen.

rtir

RTIR - Request Tracker for Incident Response.

rtir is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
classification | text | Classification of the RTIR ticket
constituency | text | Constituency of the RTIR ticket
ip | ip-dst | IPs automatically extracted from the RTIR ticket
queue | text | Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incident reports']
status | text | Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
subject | text | Subject of the RTIR ticket
ticket-number | text | Ticket number of the RTIR ticket

sandbox-report

Sandbox report.

sandbox-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
on-premise-sandbox | text | The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
permalink | link | Permalink reference
raw-report | text | Raw report from sandbox
results | text | Freetext result values
saas-sandbox | text | A non-on-premise sandbox whose results are also not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
sandbox-file | attachment | File related to sandbox run
sandbox-type | text | The type of sandbox used ['on-premise', 'web', 'saas']
score | text | Score
web-sandbox | text | A web sandbox where results are publicly available via a URL ['malwr', 'hybrid-analysis']

sb-signature

Sandbox detection signature.

sb-signature is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
datetime | datetime | Datetime
signature | text | Name of detection signature - set the description of the detection signature as a comment
software | text | Name of Sandbox software
text | text | Additional signature description

scheduled-event

Event object template describing a gathering of individuals in meatspace.

scheduled-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
address | text | Postal address of the event.
administrator | text | A user account who is an owner or admin of the event.
archive | link | Archive of the original event (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or other attachment relevant to the event.
e-mail | email-src | Email address of the event contact.
embedded-link | url | Link embedded in the event description (potentially malicious).
embedded-safe-link | link | Link embedded in the event description (supposed safe).
event-alias | text | Aliases of event.
event-listing | text | Social media and other platforms on which the event is advertised. ['Twitter', 'Facebook', 'Meetup', 'Eventbrite', 'Other']
event-name | text | The name of the event.
fax-number | phone-number | Fax number of the event contact.
hashtag | text | Hashtag used to identify or promote the event.
link | link | Original link into the event (supposed harmless).
person-name | text | A person who is going to the event.
phone-number | phone-number | Phone number of the event contact.
scheduled-date | datetime | Initial creation of the microblog post
url | url | Original URL location of the event (potentially malicious).
username | text | A user account who is going to the event.

scrippsco2-c13-daily

Daily average C13 concentrations (ppm) derived from flask air samples.

scrippsco2-c13-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description
c13-value | float | C13 value (ppm) - C13 concentrations are measured on the '08A' Calibration Scale
flag | counter | Flag (see taxonomy for details).
number-flask | counter | Number of flasks used in daily average.
sample-date-excel | float | M$ Excel spreadsheet date format.
sample-date-fractional | float | Decimal year and fractional year.
sample-datetime | datetime | Datetime the sample has been taken

scrippsco2-c13-monthly

Monthly average C13 concentrations (ppm) derived from flask air samples.

scrippsco2-c13-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| monthly-c13 | float | Monthly C13 concentrations in micro-mol C13 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought. |
| monthly-c13-seasonal-adjustment | float | Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor. |
| monthly-c13-smoothed | float | Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain. |
| monthly-c13-smoothed-seasonal-adjustment | float | Same smoothed version with the seasonal cycle removed. |
| sample-date-excel | float | MS Excel spreadsheet date format. |
| sample-date-fractional | float | Decimal year and fractional year. |
| sample-datetime | datetime | The monthly values have been adjusted to 24:00 hours on the 15th of each month. |

scrippsco2-co2-daily

Daily average CO2 concentrations (ppm) derived from flask air samples.

scrippsco2-co2-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| co2-value | float | CO2 value (ppm) - CO2 concentrations are measured on the '08A' Calibration Scale |
| flag | counter | Flag (see taxonomy for details). |
| number-flask | counter | Number of flasks used in the daily average. |
| sample-date-excel | float | MS Excel spreadsheet date format. |
| sample-date-fractional | float | Decimal year and fractional year. |
| sample-datetime | datetime | Datetime the sample has been taken. |

scrippsco2-co2-monthly

Monthly average CO2 concentrations (ppm) derived from flask air samples.

scrippsco2-co2-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| monthly-co2 | float | Monthly CO2 concentrations in micro-mol CO2 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought. |
| monthly-co2-seasonal-adjustment | float | Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor. |
| monthly-co2-smoothed | float | Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain. |
| monthly-co2-smoothed-seasonal-adjustment | float | Same smoothed version with the seasonal cycle removed. |
| sample-date-excel | float | MS Excel spreadsheet date format. |
| sample-date-fractional | float | Decimal year and fractional year. |
| sample-datetime | datetime | The monthly values have been adjusted to 24:00 hours on the 15th of each month. |

scrippsco2-o18-daily

Daily average O18 concentrations (ppm) derived from flask air samples.

scrippsco2-o18-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| flag | counter | Flag (see taxonomy for details). |
| number-flask | counter | Number of flasks used in the daily average. |
| o18-value | float | O18 value (ppm) - O18 concentrations are measured on the '08A' Calibration Scale |
| sample-date-excel | float | MS Excel spreadsheet date format. |
| sample-date-fractional | float | Decimal year and fractional year. |
| sample-datetime | datetime | Datetime the sample has been taken. |

scrippsco2-o18-monthly

Monthly average O18 concentrations (ppm) derived from flask air samples.

scrippsco2-o18-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| monthly-o18 | float | Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought. |
| monthly-o18-seasonal-adjustment | float | Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor. |
| monthly-o18-smoothed | float | Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain. |
| monthly-o18-smoothed-seasonal-adjustment | float | Same smoothed version with the seasonal cycle removed. |
| sample-date-excel | float | MS Excel spreadsheet date format. |
| sample-date-fractional | float | Decimal year and fractional year. |
| sample-datetime | datetime | The monthly values have been adjusted to 24:00 hours on the 15th of each month. |

script

Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as a support tool for threat analysts.

script is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| comment | text | Comment associated to the script. |
| filename | filename | Filename used for the script. |
| language | text | Scripting language used for the script. ['PowerShell', 'VBScript', 'Bash', 'Lua', 'JavaScript', 'AppleScript', 'AWK', 'Python', 'Perl', 'Ruby', 'Winbatch', 'AutoIt', 'PHP', 'Nim'] |
| script | text | Free text of the script. |
| script-as-attachment | attachment | Attachment of the script. |
| state | text | Known state of the script. ['Malicious', 'Unknown', 'Harmless', 'Trusted'] |

security-playbook

An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.

security-playbook is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| created | datetime | The time at which the playbook was originally created. |
| creator | text | The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator. |
| description | text | More details, context, and possibly an explanation about what this playbook does and tries to accomplish. |
| id | text | A value that uniquely identifies the playbook. |
| impact | counter | An integer that represents the impact the playbook has on the organization, from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value. |
| label | text | An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to). |
| modified | datetime | The time that this particular version of the playbook was last modified. |
| organization-type | text | Type of organization that the playbook is intended for. This can be an industry sector. |
| playbook | attachment | The whole playbook in its native format (e.g., CACAO JSON). Producers and consumers of playbooks use this property to share and retrieve playbooks. |
| playbook-abstraction | text | Identifies the level of completeness of the playbook. ['guideline', 'playbook template', 'playbook', 'partial workflow', 'full workflow', 'fully scripted'] |
| playbook-standard | text | Identification of the playbook standard. |
| playbook-type | text | The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation). ['notification playbook', 'detection playbook', 'investigation playbook', 'prevention playbook', 'mitigation playbook', 'remediation playbook', 'attack playbook'] |
| priority | counter | An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to 100, the lowest. Note that this scale runs opposite to impact and severity. |
| revoked | boolean | A boolean that identifies if the playbook creator deems that this playbook is no longer valid. ['True', 'False'] |
| severity | counter | A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to 100, the highest. |
| valid-from | datetime | The time from which the playbook is considered valid and the steps that it contains can be executed. |
| valid-until | datetime | The time at which this playbook should no longer be considered a valid playbook to be executed. |

shell-commands

Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.

shell-commands is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| comment | text | Comment associated to the shell commands executed. |
| language | text | Scripting language used for the shell commands executed. ['PowerShell', 'VBScript', 'Bash', 'Lua', 'JavaScript', 'AppleScript', 'AWK', 'Python', 'Perl', 'Ruby', 'Winbatch', 'AutoIt', 'PHP'] |
| script | text | Free text of the script, if available, which executed the shell commands. |
| shell-command | text | A shell command executed. |
| state | text | Known state of the script. ['Malicious', 'Unknown', 'Harmless', 'Trusted'] |

shodan-report

Shodan report for a given IP.

shodan-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| banner | text | Server banner reported. |
| hostname | domain | Hostnames found. |
| ip | ip-dst | IP address queried. |
| org | text | Associated organization. |
| port | port | Listening port. |
| text | text | A description of the report. |

short-message-service

Short Message Service (SMS) object template describing one or more SMS messages. The restriction of the initial format (the 3GPP 23.038 GSM character set) does not apply.

short-message-service is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| body | text | Message body of the SMS. |
| from | phone-number | Phone number used to send the SMS. |
| name | text | Sender name. |
| phone-company | text | Phone company of the number used to send the SMS. |
| received-date | datetime | Received date of the SMS. |
| sent-date | datetime | Initial sent date of the SMS. |
| smsc | phone-number | SMS Message Center. |
| to | phone-number | Phone number receiving the SMS. |
| url-rfc5724 | url | URL representing the SMS using RFC 5724 (not a URL contained in the SMS, which should use a url object). |

shortened-link

Shortened link and its redirect target.

shortened-link is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| credential | text | Credential (username, password). |
| domain | domain | Full domain. |
| first-seen | datetime | First time this shortened URL has been seen. |
| redirect-url | url | URL redirected to. |
| shortened-url | url | Shortened URL. |
| text | text | Description and context of the shortened URL. |

social-media-group

Social media group object template describing a public or private group or channel.

social-media-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| administrator | text | A user account who is an owner or admin of the group. |
| archive | link | Archive of the original group (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts, group members, etc. |
| description | text | A description of the group, channel or community. |
| embedded-link | url | Link embedded in the group description (potentially malicious). |
| embedded-safe-link | link | Link embedded in the group description (supposed safe). |
| group-alias | text | Aliases of the group, channel or community. |
| group-name | text | The name of the group, channel or community. |
| hashtag | text | Hashtag used to identify or promote the group. |
| link | link | Original link into the group (supposed harmless). |
| person-name | text | A person who is a member of the group. |
| platform | text | The social media platform used. ['Facebook', 'Twitter'] |
| url | url | Original URL location of the group (potentially malicious). |
| username | text | A user account who is a member of the group. |

splunk

Splunk / Splunk ES object.

splunk is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| description | comment | Description |
| drill-down | text | Drilldown |
| earliest | text | Earliest time |
| latest | text | Latest time |
| response-action | text | Response action ['notable', 'risk'] |
| schedule | other | Schedule |
| search | text | Search / correlation search |

ss7-attack

SS7 object describing an attack seen on a GSM, UMTS or LTE network via SS7 logging.

ss7-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| Category | text | Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing'] |
| GtAssignee | text | GT Assignee: the party that got the GT range assigned by their regulator. |
| GtLessee | text | GT Lessee: a third party who will use a global title leased from a GT Lessor. |
| GtLessor | text | GT Lessor: a GT Assignee that has decided to lease one or more of their GTs to a third party, the GT Lessee, typically on a commercial basis. |
| GtSubLessee | text | GT Sub-Lessee: an additional third party who has entered into an agreement with the GT Lessee to sub-lease a GT from them. |
| MapApplicationContext | text | MAP application context in OID format. |
| MapGmlc | text | MAP GMLC. Phone number. |
| MapGsmscfGT | text | MAP GSMSCF GT. Phone number. |
| MapImsi | text | MAP IMSI. Phone number starting with MCC/MNC. |
| MapMscGT | text | MAP MSC GT. Phone number. |
| MapMsisdn | text | MAP MSISDN. Phone number. |
| MapOpCode | text | MAP operation code - decimal value between 0 and 99. |
| MapSmsTP-DCS | text | MAP SMS TP-DCS. |
| MapSmsTP-OA | text | MAP SMS TP-OA. Phone number. |
| MapSmsTP-PID | text | MAP SMS TP-PID. |
| MapSmsText | text | MAP SMS text. Important indicators in the SMS text. |
| MapSmsTypeNumber | text | MAP SMS TypeNumber. |
| MapSmscGT | text | MAP SMSC GT. Phone number. |
| MapUssdCoding | text | MAP USSD coding. |
| MapUssdContent | text | MAP USSD content. |
| MapVersion | text | MAP version. ['1', '2', '3'] |
| MapVlrGT | text | MAP VLR GT. Phone number. |
| SccpCdGT | text | Signaling Connection Control Part (SCCP) called party GT (CdGT) - Phone number. |
| SccpCdPC | text | Signaling Connection Control Part (SCCP) called party point code (CdPC). |
| SccpCdSSN | text | Signaling Connection Control Part (SCCP) called party SSN (CdSSN) - decimal value between 0 and 255. |
| SccpCgGT | text | Signaling Connection Control Part (SCCP) calling party GT (CgGT) - Phone number. |
| SccpCgPC | text | Signaling Connection Control Part (SCCP) calling party point code (CgPC). |
| SccpCgSSN | text | Signaling Connection Control Part (SCCP) calling party SSN (CgSSN) - decimal value between 0 and 255. |
| first-seen | datetime | When the attack has been seen for the first time. |
| text | text | A description of the attack seen via SS7 logging. |

ssh-authorized-keys

An object to store an SSH authorized_keys file.

ssh-authorized-keys is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| first-seen | datetime | First time the SSH authorized_keys file has been seen. |
| full-line | text | One full line of the authorized_keys file. |
| hostname | hostname | Hostname. |
| ip | ip-dst | IP address. |
| key | text | Public key in base64 as found in the authorized_keys file. |
| key-id | text | Key-id and option part of the public key line. |
| last-seen | datetime | Last time the SSH authorized_keys file has been seen. |
| text | text | A description of the SSH authorized keys. |
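
The table gives the object relations but not how a captured authorized_keys file maps onto them. The following added example (not MISP or PyMISP code) parses authorized_keys lines, including the options field, which may contain quoted spaces and commas, checks that each base64 blob really carries the declared key type (the OpenSSH wire format embeds the type name in the blob, so a mismatch flags a truncated or edited line), and emits one ssh-authorized-keys object per line in the object JSON shape MISP's REST API accepts (a `name` plus a list of `Attribute` entries with `object_relation`, `type` and `value`). Mapping the options, key type and comment onto `key-id`, the sample file, the hostname and the timestamp are assumptions made for the example.

```python
"""Added example: turn an OpenSSH authorized_keys file into MISP
'ssh-authorized-keys' objects. Not MISP/PyMISP code; sample data is constructed."""
import base64
import json
import struct

# OpenSSH key types; each one's wire-format blob starts with the type name,
# which lets us verify that the base64 blob matches the declared type.
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def split_options(line):
    """Separate the optional leading options field from 'type blob comment'.

    Options such as command="/usr/bin/backup --full" contain quoted spaces and
    commas, so the field cannot be found by splitting on whitespace alone.
    """
    if line.split(None, 1)[0] in KEY_TYPES:
        return "", line
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:      # escaped character inside a quoted option
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c in " \t" and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def key_blob_matches_type(key_type, b64):
    """True if the blob decodes and its embedded type string equals key_type.
    Catches truncated lines and keys whose declared type was edited."""
    try:
        raw = base64.b64decode(b64, validate=True)
        (n,) = struct.unpack(">I", raw[:4])
        return raw[4:4 + n].decode("ascii") == key_type
    except (ValueError, struct.error):
        return False


def parse_authorized_keys(text):
    """Yield one dict per key line: the object's full-line, key and key-id values
    plus a 'valid' flag (not a template attribute) from the blob check."""
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        options, rest = split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2:
            continue
        key_type, blob = parts[0], parts[1]
        comment = parts[2] if len(parts) == 3 else ""
        yield {
            "full-line": line,
            "key": blob,
            # Assumption: key-id = options + key type + comment, i.e. everything
            # on the line that is not the base64 blob.
            "key-id": " ".join(p for p in (options, key_type, comment) if p),
            "valid": key_blob_matches_type(key_type, blob),
        }


def to_misp_objects(text, hostname, seen_at):
    """Build one ssh-authorized-keys object per line in the JSON shape MISP's
    REST API accepts for objects (name + list of Attribute dicts)."""
    objects = []
    for entry in parse_authorized_keys(text):
        attrs = [("hostname", "hostname", hostname),
                 ("first-seen", "datetime", seen_at),
                 ("full-line", "text", entry["full-line"]),
                 ("key", "text", entry["key"]),
                 ("key-id", "text", entry["key-id"])]
        if not entry["valid"]:
            attrs.append(("text", "text", "blob does not decode to the declared key type"))
        objects.append({"name": "ssh-authorized-keys",
                        "Attribute": [{"object_relation": r, "type": t, "value": v}
                                      for r, t, v in attrs]})
    return objects


# Constructed sample: the ed25519 blob is built from its wire format so it decodes.
ED25519_BLOB = base64.b64encode(
    b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes(range(32))).decode()
SAMPLE = f"""# constructed for the example
ssh-ed25519 {ED25519_BLOB} alice@workstation
from="203.0.113.0/24",command="/usr/bin/backup --full",no-pty ssh-ed25519 {ED25519_BLOB} backup
ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAAB mismatched-type
"""

if __name__ == "__main__":
    print(json.dumps(to_misp_objects(SAMPLE, "build-01.example.internal",
                                     "2024-01-01T00:00:00+00:00"), indent=2))
```

The third sample line declares ssh-ed25519 but carries the start of an RSA blob; the check marks it and the object gets a `text` attribute saying so, which is usually the more useful outcome during an incident than silently ingesting a key that sshd itself would reject.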

stix2-pattern

An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.

stix2-pattern is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| comment | comment | A description of the stix2-pattern. |
| stix2-pattern | stix2-pattern | STIX 2 pattern. |
| version | text | Version of the STIX 2 pattern. ['stix 2.0'] |

submarine

Submarine description.

submarine is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| active | counter | The number of submarines of this class in active service. |
| armament | text | Armaments carried by the submarine. |
| beam | float | The beam measurement of the submarine in meters. |
| builders | text | The organisation building this class of submarines. |
| cancelled | counter | The number of submarines of this class cancelled. |
| class | text | Submarine class. |
| complement | counter | Crew size. |
| completed | counter | The number of submarines of this class built. |
| displacement | counter | Displacement in tonnes. |
| draught | float | The draught measurement of the submarine in meters. |
| endurance | counter | Expected submerged endurance in days. |
| in_service_from | counter | The year the submarine entered service. |
| in_service_until | counter | The year the submarine left service. |
| length | float | The length measurement of the submarine in meters. |
| operator | text | The countries operating such vessels (can be multiple). |
| planned | counter | The number of submarines of this class planned to be built. |
| predecessor | text | Predecessor class. |
| propulsion | text | The propulsion of the submarine; add multiple if applicable. |
| retired | counter | The number of submarines of this class that have been retired. |
| speed_submerged | float | Submerged top speed in knots. |
| speed_surfaced | float | Surfaced top speed in knots. |
| successor | text | Successor class. |
| type | text | Submarine type ['Ballistic missile submarine', 'Cruise missile submarine', 'Nuclear-powered attack submarine', 'Non-nuclear attack submarine with air-independent propulsion', 'Diesel-electric attack submarine', 'Midget submarine', 'Special mission submarine'] |

suricata

An object describing one or more Suricata rule(s) along with version and contextual information.

suricata is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| comment | comment | A description of the Suricata rule(s). |
| ref | link | Reference to the Suricata rule, such as the origin of the rule or alike. |
| suricata | snort | Suricata rule. |
| version | text | Suricata version for which the rule is known to work as expected. |

target-system

Description of a targeted system; this could potentially be a compromised internal system.

target-system is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| targeted_ip_of_system | ip-src | Targeted system IP address. |
| targeted_machine | target-machine | Targeted system. |
| timestamp_seen | datetime | Registered date and time. |

telegram-account

Information related to a Telegram account.

telegram-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| first_name | text | First name. |
| id | text | Telegram user identifier. |
| last_name | text | Last name. |
| phone | text | Phone associated with the Telegram user. |
| username | text | Telegram username. |
| verified | text | Verified. |

temporal-event

A temporal event consists of some temporal and spatial boundaries. Spatial boundaries can be physical, virtual or hybrid.

temporal-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| description | text | Free text description of the temporal event. |
| link | link | Link or reference to the temporal event mentioned. |
| summary | text | One-line summary of the temporal event. |
| type | text | Type of temporal event. ['Physical Event', 'Virtual Event', 'Hybrid Event', 'Unknown'] |

threatgrid-report

ThreatGrid report.

threatgrid-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| analysis_submitted_at | text | Submission date. |
| heuristic_raw_score | text | Heuristic raw score. |
| heuristic_score | text | Heuristic score. |
| id | text | ThreatGrid ID. |
| iocs | text | IOCs. |
| original_filename | text | Original filename. |
| permalink | text | Permalink. |
| threat_score | text | Threat score. |

timecode

Timecode object describing the start and the end of a video sequence (e.g. CCTV evidence).

timecode is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| description | text | Description of the video sequence. |
| end-marker-timecode | text | End marker timecode in the format hh:mm:ss;ff. |
| end-timecode | text | End marker timecode in the format hh:mm:ss.mms. |
| recording-date | datetime | Date of recording of the video sequence. |
| start-marker-timecode | text | Start marker timecode in the format hh:mm:ss;ff. |
| start-timecode | text | Start marker timecode in the format hh:mm:ss.mms. |
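
The two notations above carry the same instant in different units: `hh:mm:ss;ff` counts frames, `hh:mm:ss.mms` counts milliseconds, and the conversion depends on the recorder's frame rate, which the object does not store. The following added example (not MISP code) converts a frame-based marker to the millisecond form, checks that the frame number is valid for the given rate and that the end marker does not precede the start, and anchors the sequence to wall-clock time from `recording-date`. It assumes non-drop-frame counting at a caller-supplied frame rate and that `recording-date` is the instant of frame 00:00:00;00; the `;` separator conventionally signals drop-frame timecode at 29.97 fps, which this example deliberately does not model, and the recording values are constructed.

```python
"""Added example: convert between the two timecode notations the object uses and
anchor a CCTV sequence to wall-clock time. Not MISP code. Assumes non-drop-frame
counting at a caller-supplied frame rate; the ';' separator conventionally marks
drop-frame timecode (29.97 fps), which this example deliberately does not model."""
import re
from datetime import datetime, timedelta, timezone

MARKER_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})[;:](\d{2})$")   # hh:mm:ss;ff


def marker_to_ms(timecode, fps):
    """hh:mm:ss;ff -> milliseconds from frame zero of the recording."""
    m = MARKER_RE.match(timecode)
    if not m:
        raise ValueError(f"not a marker timecode: {timecode!r}")
    h, mi, s, f = (int(g) for g in m.groups())
    if f >= fps:
        raise ValueError(f"frame {f} is out of range at {fps} fps")
    return (h * 3600 + mi * 60 + s) * 1000 + round(f * 1000 / fps)


def ms_to_timecode(ms):
    """milliseconds -> hh:mm:ss.mms (the object's start-/end-timecode format)."""
    s, ms = divmod(ms, 1000)
    h, s = divmod(s, 3600)
    mi, s = divmod(s, 60)
    return f"{h:02d}:{mi:02d}:{s:02d}.{ms:03d}"


def sequence(recording_date, start_marker, end_marker, fps):
    """Attribute values for one timecode object plus derived wall-clock bounds.
    recording_date is taken to be the instant of frame 00:00:00;00."""
    start_ms = marker_to_ms(start_marker, fps)
    end_ms = marker_to_ms(end_marker, fps)
    if end_ms < start_ms:
        raise ValueError("end marker precedes start marker")
    return {
        "recording-date": recording_date.isoformat(),
        "start-marker-timecode": start_marker,
        "end-marker-timecode": end_marker,
        "start-timecode": ms_to_timecode(start_ms),
        "end-timecode": ms_to_timecode(end_ms),
        # Derived, not template attributes: when the sequence happened in UTC.
        "start-wallclock": (recording_date + timedelta(milliseconds=start_ms)).isoformat(),
        "end-wallclock": (recording_date + timedelta(milliseconds=end_ms)).isoformat(),
        "duration-ms": end_ms - start_ms,
    }


# Constructed case: a 25 fps recorder started at 08:00:00 UTC; the sequence of
# interest runs from 14:05 frame 12 to 14:37 frame 0 of the recording.
RECORDING_START = datetime(2024, 5, 2, 8, 0, 0, tzinfo=timezone.utc)


def example_sequence():
    return sequence(RECORDING_START, "00:14:05;12", "00:14:37;00", 25)


if __name__ == "__main__":
    for key, value in example_sequence().items():
        print(f"{key}: {value}")
```

Record the frame rate (and whether the recorder used drop-frame counting) in the `description` attribute when you create the object; without it the `.mms` values cannot be reproduced from the marker values by the next analyst.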

timesketch-timeline

A Timesketch timeline object based on the mandatory fields Timesketch uses to describe a log entry.

timesketch-timeline is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| datetime | datetime | When the log entry was seen. |
| message | text | Informative message of the event. |
| timestamp | text | When the log entry was seen, in microseconds since the Unix epoch. |
| timestamp_desc | text | Text explaining what type of timestamp it is. |

timesketch_message

A Timesketch message entry.

timesketch_message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| datetime | datetime | Datetime of the message. |
| message | text | Message. |

timestamp

A generic timestamp object to represent time, including first time and last time seen. The relationship will then define the kind of time relationship.

timestamp is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| first-seen | datetime | First time that the linked object or attribute has been seen. |
| last-seen | datetime | Last time that the linked object or attribute has been seen. |
| precision | text | Timestamp precision represents the precision given to first-seen and/or last-seen in this object. ['year', 'month', 'day', 'hour', 'minute', 'full'] |
| text | text | Description of the time object. |

tor-hiddenservice

Tor hidden service (onion service) object.

tor-hiddenservice is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| address | text | Onion address of the Tor hidden service seen. |
| description | text | Tor onion service comment. |
| first-seen | datetime | When the Tor hidden service was seen for the first time. |
| last-seen | datetime | When the Tor hidden service was seen for the last time. |

tor-node

Description of a Tor node (a relay that protects user privacy on the Internet by hiding the connection between a user's Internet address and the services the user accesses) that is part of the Tor network at a given time.

tor-node is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| address | ip-src | IP address of the Tor node seen. |
| description | text | Tor node description. |
| document | text | Raw document from the consensus. |
| fingerprint | text | Router's fingerprint. |
| first-seen | datetime | When the Tor node designated by the IP address has been seen for the first time. |
| flags | text | List of flags associated with the node. |
| last-seen | datetime | When the Tor node designated by the IP address has been seen for the last time. |
| nickname | text | Router's nickname. |
| published | datetime | Router's publication time. This can be different from first-seen and last-seen. |
| text | text | Tor node comment. |
| version | text | Parsed version of Tor; this is None if the relay is using a new versioning scheme. |
| version_line | text | Versioning information reported by the node. |

tracking-id

Analytics and tracking ID such as used in Google Analytics or other analytics platforms.

tracking-id is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| description | text | Description of the tracking id. |
| first-seen | datetime | First time the tracking code was seen. |
| hostname | hostname | Hostname where the tracking id was found (assumed safe). |
| id | text | Tracking code. |
| last-seen | datetime | Last time the tracking code was seen. |
| tracker | text | Name of the tracker - organisation doing the tracking and/or analytics. ['Google Analytics', 'Piwik', 'Kissmetrics', 'Woopra', 'Chartbeat'] |
| url | url | URL where the tracking id was found (potentially malicious). |
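
The value of this object is in the correlation it enables: a tracking ID found on a phishing page is often reused on the operator's other pages, because the kit or the page template carries the author's own analytics property. The following added example (not MISP code) extracts IDs for two of the trackers listed above from captured page bodies, emits one attribute set per ID with the `hostname`, `url`, `first-seen` and `last-seen` relations from the table, and then pivots on IDs shared between hostnames. The ID patterns (classic `UA-nnnnnnnn-n` and GA4 `G-` measurement IDs for Google Analytics, the `setSiteId` site number from the Piwik/Matomo snippet) and the captured pages are assumptions made for the example.

```python
"""Added example: extract analytics tracking IDs from captured page bodies,
emit tracking-id attribute sets and pivot on IDs shared between hostnames.
Not MISP code; the pages are constructed for the example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# ID formats for two of the trackers the template lists. Assumptions: classic
# GA property IDs (UA-nnnnnnnn-n), GA4 measurement IDs (G- plus 10 alphanumerics),
# and the Piwik/Matomo site id from the _paq.push(['setSiteId', 'n']) snippet.
PATTERNS = {
    "Google Analytics": re.compile(r"\b(UA-\d{4,10}-\d{1,4}|G-[A-Z0-9]{10})\b"),
    "Piwik": re.compile(r"setSiteId['\"]?\s*,\s*['\"]?(\d+)"),
}


def extract_tracking_ids(url, html, seen_at):
    """Return one attribute set (object relation -> value) per ID found on the page.
    The hostname is derived from the URL; first-seen and last-seen start equal."""
    hostname = urlsplit(url).hostname
    found = []
    for tracker, pattern in PATTERNS.items():
        for tracking_id in sorted(set(pattern.findall(html))):
            found.append({"tracker": tracker, "id": tracking_id,
                          "hostname": hostname, "url": url,
                          "first-seen": seen_at, "last-seen": seen_at})
    return found


def collect(pages, seen_at):
    """Run the extractor over a {url: html} capture set."""
    objects = []
    for url, html in pages.items():
        objects.extend(extract_tracking_ids(url, html, seen_at))
    return objects


def pivot_on_id(objects):
    """Group hostnames by tracking ID. An ID seen on more than one hostname is a
    pivot point: phishing kits and fake shops often keep the operator's own
    analytics property across sites, which ties the infrastructure together."""
    hosts_by_id = defaultdict(set)
    for obj in objects:
        hosts_by_id[obj["id"]].add(obj["hostname"])
    return {tid: sorted(hosts) for tid, hosts in hosts_by_id.items() if len(hosts) > 1}


# Constructed captures: two lookalike sites share a GA property; one unrelated
# site uses a GA4 measurement ID of its own.
PAGES = {
    "https://login-secure.example.net/auth":
        "<script>gtag('config', 'UA-12345678-2');</script>",
    "https://bank-verify.example.org/":
        "<script async src=\"https://www.googletagmanager.com/gtag/js?id=UA-12345678-2\">"
        "</script><script>var _paq=_paq||[];_paq.push(['setSiteId', '7']);</script>",
    "https://www.example.com/":
        "<script>gtag('config', 'G-ABCDEFGH12');</script>",
}

if __name__ == "__main__":
    objs = collect(PAGES, "2024-03-01T12:00:00+00:00")
    for tid, hosts in pivot_on_id(objs).items():
        print(tid, "shared by", ", ".join(hosts))
```

When loading these into MISP, keep correlation enabled on `id` and disabled on `hostname`: the ID is the pivot, while the hostname is already covered by whatever domain or url attributes the event holds and would only add noise.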

transaction

An object to describe a financial transaction.

transaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
|---|---|---|
| amount | text | The value of the transaction in local currency. |
| authorized | text | Person who authorized the transaction. |
| date | datetime | Date and time of the transaction. |
| date-posting | datetime | Date of posting, if different from the date of the transaction. |
| from-country | text | Origin country of a transaction. |
| from-funds-code | text | Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque'] |
| location | text | Location where the transaction took place. |
| teller | text | Person who conducted the transaction. |
| text | text | A description of the transaction. |
| to-country | text | Target country of a transaction. |
| to-funds-code | text | Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque'] |
| transaction-number | text | A unique number identifying a transaction. |
| transmode-code | text | How the transaction was conducted. |
| transmode-comment | text | Comment describing transmode-code, if needed. |

translation

Used to keep a text and its translation.

translation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| original-language | text | Language of the original text ['Mandarin (language family)', 'Spanish', 'English', 'Hindi', 'Bengali', 'Portuguese', 'Russian', 'Japanese', 'Western Punjabi', 'Marathi', 'Telugu', 'Wu (language family)', 'Turkish', 'Korean', 'French', 'German', 'Vietnamese', 'Tamil', 'Yue (language family)', 'Urdu', 'Javanese', 'Italian', 'Egyptian Arabic', 'Gujarati', 'Iranian Persian', 'Bhojpuri', 'Min Nan (language family)', 'Hakka', 'Jinyu', 'Hausa', 'Kannada', 'Indonesian (Indonesian Malay)', 'Polish', 'Yoruba', 'Xiang Chinese (language family)', 'Malayalam', 'Odia', 'Maithili', 'Burmese', 'Eastern Punjabi', 'Sunda', 'Sudanese Arabic', 'Algerian Arabic', 'Moroccan Arabic', 'Ukrainian', 'Igbo', 'Northern Uzbek', 'Sindhi', 'North Levantine Arabic', 'Romanian', 'Tagalog', 'Dutch', 'Saʽidi Arabic', 'Gan', 'Amharic', 'Northern Pashto', 'Magahi', 'Thai', 'Saraiki', 'Khmer', 'Chhattisgarhi', 'Somali', 'Malay (Malaysian Malay)', 'Cebuano', 'Nepali', 'Mesopotamian Arabic', 'Assamese', 'Sinhala', 'Northern Kurdish', 'Hejazi Arabic', 'Nigerian Fulfulde', 'South Azerbaijani', 'Greek', 'Chittagonian', 'Kazakh', 'Deccan', 'Hungarian', 'Kinyarwanda', 'Zulu', 'South Levantine Arabic', 'Tunisian Arabic', 'Sanaani Spoken Arabic', 'Min Bei Chinese (language family)', 'Southern Pashto', 'Rundi', 'Czech', 'Taʽizzi-Adeni Arabic', 'Uyghur', 'Min Dong Chinese (language family)', 'Sylheti'] |
| original-text | text | Original text |
| translated-text | text | Text after translation |
| translation-language | text | Language of translation (same list of values as original-language: 'Mandarin (language family)', 'Spanish', 'English', 'Hindi', 'Bengali', 'Portuguese', 'Russian', 'Japanese', 'Western Punjabi', 'Marathi', 'Telugu', 'Wu (language family)', 'Turkish', 'Korean', 'French', 'German', 'Vietnamese', 'Tamil', 'Yue (language family)', 'Urdu', 'Javanese', 'Italian', 'Egyptian Arabic', 'Gujarati', 'Iranian Persian', 'Bhojpuri', 'Min Nan (language family)', 'Hakka', 'Jinyu', 'Hausa', 'Kannada', 'Indonesian (Indonesian Malay)', 'Polish', 'Yoruba', 'Xiang Chinese (language family)', 'Malayalam', 'Odia', 'Maithili', 'Burmese', 'Eastern Punjabi', 'Sunda', 'Sudanese Arabic', 'Algerian Arabic', 'Moroccan Arabic', 'Ukrainian', 'Igbo', 'Northern Uzbek', 'Sindhi', 'North Levantine Arabic', 'Romanian', 'Tagalog', 'Dutch', 'Saʽidi Arabic', 'Gan', 'Amharic', 'Northern Pashto', 'Magahi', 'Thai', 'Saraiki', 'Khmer', 'Chhattisgarhi', 'Somali', 'Malay (Malaysian Malay)', 'Cebuano', 'Nepali', 'Mesopotamian Arabic', 'Assamese', 'Sinhala', 'Northern Kurdish', 'Hejazi Arabic', 'Nigerian Fulfulde', 'South Azerbaijani', 'Greek', 'Chittagonian', 'Kazakh', 'Deccan', 'Hungarian', 'Kinyarwanda', 'Zulu', 'South Levantine Arabic', 'Tunisian Arabic', 'Sanaani Spoken Arabic', 'Min Bei Chinese (language family)', 'Southern Pashto', 'Rundi', 'Czech', 'Taʽizzi-Adeni Arabic', 'Uyghur', 'Min Dong Chinese (language family)', 'Sylheti') |
| translation-service | text | Translation service used for the translation ['Google Translate', 'Microsoft Translator', 'Babelfish', 'Reverso', 'Dict.cc', 'Linguee', 'unknown'] |
| translation-type | text | Type of translation ['Automated translation', 'Manual translation'] |

trustar_report

TruStar Report.

trustar_report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| BITCOIN_ADDRESS | btc | A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment. |
| CIDR_BLOCK | ip-src | CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes. |
| COMMENTS | text | A space for additional comments. |
| CVE | vulnerability | The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures. |
| EMAIL_ADDRESS | email-src | An email address is a unique identifier for an email account. |
| INDICATOR_SUMMARY | text | Free text summary data related to an indicator. This should include a normalized score if one exists. |
| IP | ip-dst | An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication. |
| MALWARE | malware-type | Names of software that are intended to damage or disable computers and computer systems. |
| MD5 | md5 | The MD5 algorithm is a widely used hash function producing a 128-bit hash value. |
| REGISTRY_KEY | regkey | The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. |
| REPORT_LINK | link | A link to the TruSTAR report. Access may be restricted depending on user permissions. |
| SHA1 | sha1 | SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest, typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks. |
| SHA256 | sha256 | SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string. |
| SOFTWARE | filename | The name of a file on a filesystem. |
| THREAT_ACTOR | threat-actor | A string identifying the threat actor. |
| URL | url | A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it. |

tsk-chats

An Object Template to gather information from evidential or interesting exchanges of messages identified during a digital forensic investigation.

tsk-chats is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| Source | text | Source of the message (contact details). |
| additional-comments | text | Comments. |
| app-used | text | Application used to send the message. |
| attachments | link | External references. |
| datetime-received | datetime | Date and time when the message was received. |
| datetime-sent | datetime | Date and time when the message was sent. |
| destination | text | Destination of the message (contact details). |
| message | text | Message exchanged. |
| message-type | text | The type of message extracted from the forensic evidence. ['SMS', 'MMS', 'Instant Message (IM)', 'Voice Message'] |
| subject | text | Subject of the message, if any. |

tsk-web-bookmark

An Object Template to add evidential bookmarks identified during a digital forensic investigation.

tsk-web-bookmark is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| URL | link | The URL saved as bookmark. |
| additional-comments | text | Comments. |
| browser | text | Browser used to access the URL. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium'] |
| datetime-bookmarked | datetime | Date and time when the URL was added to favorites. |
| domain-ip | ip-src | IP of the URL domain. |
| domain-name | text | Domain of the URL. |
| name | text | Bookmark name. |
| title | text | Title of the web page. |

tsk-web-cookie

A TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.

tsk-web-cookie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| URL | link | The website URL that created the cookie. |
| additional-comments | text | Comments. |
| browser | text | Browser on which the cookie was created. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium'] |
| datetime-created | datetime | Date and time when the cookie was created. |
| domain-ip | ip-src | IP of the domain that created the URL. |
| domain-name | text | Domain of the URL that created the cookie. |
| name | text | Name of the cookie. |
| value | text | Value assigned to the cookie. |

tsk-web-downloads

An Object Template to add web downloads.

tsk-web-downloads is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| additional-comments | text | Comments. |
| attachment | attachment | The downloaded file itself. |
| datetime-accessed | datetime | Date and time when the file was downloaded. |
| name | text | Name of the file downloaded. |
| path-downloadedTo | text | Location the file was downloaded to. |
| pathID | text | Id of the attribute file where the information is gathered from. |
| url | url | The URL used to download the file. |

tsk-web-history

An Object Template to share web history information.

tsk-web-history is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| URL | link | The URL accessed. |
| additional-comments | text | Comments. |
| browser | text | Browser used to access the URL. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium'] |
| datetime-accessed | datetime | Date and time when the URL was accessed. |
| domain-ip | ip-src | IP of the URL domain. |
| domain-name | text | Domain of the URL. |
| referrer | text | Where the URL was referred from. |
| title | text | Title of the web page. |

tsk-web-search-query

An Object Template to share web search query information.

tsk-web-search-query is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| additional-comments | text | Comments. |
| browser | text | Browser used. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium'] |
| datetime-searched | datetime | Date and time when the search was conducted. |
| domain | text | The domain of the search engine. ['Google', 'Yahoo', 'Bing', 'Alta Vista', 'MSN'] |
| text | text | The search word or sentence. |
| username | text | User name or ID associated with the search. |

twitter-account

Twitter account.

twitter-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| archive | link | Archive of the account (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts etc. |
| bio | text | Displayed biography of the user. |
| description | text | A description of the user. |
| displayed-name | text | Displayed name. |
| embedded-link | url | Link embedded in the user description (potentially malicious). |
| embedded-safe-link | link | Link embedded in the user description (supposed safe). |
| followers | text | Number of followers. |
| following | text | Number of accounts this account is following. |
| hashtag | text | Hashtag embedded in the user description. |
| id | text | Numeric account id. |
| joined-date | datetime | When the account was created. |
| likes | text | Number of likes this account has. |
| link | link | Original link to the user (supposed harmless). |
| listed | text | Number of lists the user is on. |
| location | text | User description of location. |
| media | text | Number of images and videos posted. |
| name | text | User’s screen name (without the @). |
| private | text | User verified. ['True', 'False'] |
| profile-banner | attachment | A screenshot or exported user avatar. |
| profile-banner-url | url | A link to the user’s background image. |
| profile-image | attachment | A screenshot or exported user avatar. |
| profile-image-url | url | A link to the user’s avatar. |
| tweets | text | Number of tweets posted. |
| twitter-followers | text | Follower accounts of interest. |
| twitter-following | text | Following accounts of interest. |
| url | url | Original URL location of the user (potentially malicious). |
| verified | text | User verified. ['True', 'False'] |

twitter-list

Twitter list.

twitter-list is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| archive | link | Archive of the account (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts etc. |
| description | text | A description of the list. |
| embedded-link | url | Link embedded in the description (potentially malicious). |
| embedded-safe-link | link | Link embedded in the description (supposed safe). |
| hashtag | text | Hashtag embedded in the description. |
| id | text | Numeric list id. |
| link | link | Original link to the list (supposed harmless). |
| member-count | text | Number of accounts following this list. |
| name | text | List’s screen name (without the @). |
| subscriber-count | text | Number of accounts subscribing to this list. |
| url | url | Original URL location of the list (potentially malicious). |
| user-id | text | Id of the account that manages this list. |
| user-name | text | Name of the account that manages this list (without the @). |

twitter-post

Twitter post (tweet).

twitter-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| archive | link | Archive of the original tweet (Internet Archive, Archive.is, etc). |
| attachment | attachment | The tweet file or screen capture. |
| created-at | datetime | Datetime of tweet publication. |
| embedded-link | url | Link in the tweet. |
| embedded-safe-link | link | Safe link in the tweet. |
| favorite-count | text | Number of favorites. |
| geo | text | Geolocation data. |
| hashtag | text | Hashtag embedded in the tweet. |
| in-reply-to-display-name | text | The user display name of the tweet this post shares. |
| in-reply-to-status-id | text | The Twitter ID of the tweet that this post shares. |
| in-reply-to-user-id | text | The user ID of the tweet this post shares. |
| language | text | The language of the post. |
| link | link | Original link to the post (supposed harmless). |
| media | attachment | Media (photos, videos) present in the tweet. |
| name | text | Name of the account that posted this tweet. |
| possibly-sensitive | text | Does this post contain sensitive content? |
| possibly-sensitive-appealable | text | Is the sensitive content of this post appealable? |
| post | text | Raw text of the post. |
| post-id | text | Numeric id of the tweet. |
| removal-date | datetime | When the tweet was removed. |
| retweet-count | text | Number of retweets. |
| source | text | Source of tweet (android, web etc). |
| url | url | Original URL of the tweet, e.g. link shortener (potentially malicious). |
| user-id | text | Id of the account that posted this tweet. |
| username-quoted | text | Username who is quoted in the tweet. |

url

The url object describes a URL along with its normalized fields (as extracted using the faup parsing library) and its metadata.

url is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| credential | text | Credential (username, password). |
| domain | domain | Full domain. |
| domain_without_tld | text | Domain without Top-Level Domain. |
| first-seen | datetime | First time this URL has been seen. |
| fragment | text | A fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource. |
| host | hostname | Full hostname. |
| ip | ip-dst | Better type when the host is an IP. |
| last-seen | datetime | Last time this URL has been seen. |
| port | port | Port number. |
| query_string | text | Query (after path, preceded by '?'). |
| resource_path | text | Path (between hostname:port and query). |
| scheme | text | Scheme ['http', 'https', 'ftp', 'gopher', 'sip'] |
| subdomain | text | Subdomain. |
| text | text | Description of the URL. |
| tld | text | Top-Level Domain. |
| url | url | Full URL. |

user-account

User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.

user-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| account-type | text | Type of the account. ['facebook', 'ldap', 'nis', 'openid', 'radius', 'skype', 'tacacs', 'twitter', 'unix', 'windows-local', 'windows-domain'] |
| can_escalate_privs | boolean | Specifies if the account has the ability to escalate privileges. ['True', 'False'] |
| created | datetime | Creation time of the account. |
| description | text | A description of the user account. |
| disabled | boolean | Specifies if the account is disabled. ['True', 'False'] |
| display-name | text | Display name of the account. |
| expires | datetime | Expiration time of the account. |
| first_login | datetime | First time someone logged in to the account. |
| group | text | UNIX group(s) the account is a member of. |
| group-id | text | Identifier of the primary group of the account, in case of a UNIX account. |
| home_dir | text | Home directory of the UNIX account. |
| is_service_account | boolean | Specifies if the account is associated with a network service. ['True', 'False'] |
| last_login | datetime | Last time someone logged in to the account. |
| link | link | Original link to the account page (supposed harmless). |
| password | text | Password related to the username. |
| password_last_changed | datetime | Last time the password has been changed. |
| privileged | boolean | Specifies if the account has privileges such as root rights. ['True', 'False'] |
| shell | text | UNIX command shell of the account. |
| user-avatar | attachment | A user profile picture or avatar. |
| user-id | text | Identifier of the account. |
| username | text | Username related to the password. |

vehicle

Vehicle object template to describe vehicle information and registration.

vehicle is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| date-first-registration | text | Date of first registration. |
| description | text | Description of the vehicle. |
| dyno-power | text | Dyno power output. |
| exterior-color | text | Exterior color of the vehicle. |
| gearbox | text | Gearbox. |
| image | attachment | Image of the vehicle. |
| image-url | text | Image URL. |
| indicative-value | text | Indicative value. |
| interior-color | text | Interior color of the vehicle. |
| license-plate-number | text | License plate number. |
| make | text | Manufacturer of the vehicle. |
| model | text | Model of the vehicle. |
| state | text | State of the vehicle (stolen or recovered). |
| type | text | Type of the vehicle ['car', 'bus', 'caravan', 'bicycle', 'boat', 'taxi', 'camper van', 'motorcycle', 'truck', 'scooter', 'tractor', 'trailer', 'van'] |
| vin | text | Vehicle identification number (VIN). |

victim

Victim object describes the target of an attack or abuse.

victim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| classification | text | The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown'] |
| description | text | Description of the victim. |
| domain | domain | Domain name of the organisation targeted. |
| email | target-email | The email address(es) of the user targeted. |
| external | target-external | External target organisations affected by this attack. |
| ip-address | ip-dst | IP address(es) of the node targeted. |
| name | target-org | The name of the department(s) or organisation(s) targeted. |
| node | target-machine | Name(s) of the node that was targeted. |
| reference | text | External reference to the victim/case. |
| regions | target-location | The list of regions or locations of the victim targeted. ISO 3166 should be used. |
| roles | text | The list of roles targeted within the victim. |
| sectors | text | The list of sectors that the victim belongs to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'non profit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities'] |
| user | target-user | The username(s) of the user targeted. |

virustotal-graph

VirusTotal graph.

virustotal-graph is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| access | text | Access to the VirusTotal graph ['Private', 'Public'] |
| comment | text | Comment related to this VirusTotal graph. |
| permalink | link | Permalink reference to the VirusTotal graph. |
| screenshot | attachment | Screenshot of the VirusTotal graph. |

virustotal-report

VirusTotal report.

virustotal-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | text | Comment related to this hash. |
| community-score | text | Community score. |
| detection-ratio | text | Detection ratio. |
| first-submission | datetime | First submission. |
| last-submission | datetime | Last submission. |
| permalink | link | Permalink reference. |

vulnerability

Vulnerability object describing a common vulnerability enumeration, which can describe a published, unpublished, under-review or embargoed vulnerability for software, equipment or hardware.

vulnerability is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| created | datetime | First time when the vulnerability was discovered. |
| credit | text | Who reported/found the vulnerability, such as an organisation, person or nickname. |
| cvss-score | float | Score of the Common Vulnerability Scoring System (version 3). |
| cvss-string | text | String of the Common Vulnerability Scoring System (version 3). |
| description | text | Description of the vulnerability. |
| id | vulnerability | Vulnerability ID (generally CVE, but not necessarily). The id is not required, as the object itself has a UUID and the CVE id can be updated or assigned later. |
| modified | datetime | Last modification date. |
| published | datetime | Initial publication date. |
| references | link | External references. |
| state | text | State of the vulnerability. A vulnerability can have multiple states depending on the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed'] |
| summary | text | Summary of the vulnerability. |
| vulnerable-configuration | cpe | The vulnerable configuration is described in CPE format. |

weakness

Weakness object describing a common weakness enumeration, which can describe a usable, incomplete, draft or deprecated weakness for software, equipment or hardware.

weakness is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| description | text | Description of the weakness. |
| id | weakness | Weakness ID (generally CWE). |
| name | text | Name of the weakness. |
| status | text | Status of the weakness. ['Incomplete', 'Deprecated', 'Draft', 'Usable'] |
| weakness-abs | text | Abstraction of the weakness. ['Class', 'Base', 'Variant'] |

whois

Whois records information for a domain name or an IP address.

whois is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | text | Comment of the whois entry. |
| creation-date | datetime | Initial creation of the whois entry. |
| domain | domain | Domain of the whois entry. |
| expiration-date | datetime | Expiration of the whois entry. |
| ip-address | ip-src | IP address of the whois entry. |
| modification-date | datetime | Last update of the whois entry. |
| nameserver | hostname | Nameserver. |
| registrant-email | whois-registrant-email | Registrant email address. |
| registrant-name | whois-registrant-name | Registrant name. |
| registrant-org | whois-registrant-org | Registrant organisation. |
| registrant-phone | whois-registrant-phone | Registrant phone number. |
| registrar | whois-registrar | Registrar of the whois entry. |
| text | text | Full whois entry. |

windows-service

Windows service and details about a service running on a Windows operating system.

windows-service is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | text | Additional comments. |
| display | windows-service-displayname | Display name/information of the service. |
| group | text | Group to which the system/driver belongs. ['Base', 'Boot Bus Extender', 'Boot File System', 'Cryptography', 'Extended base', 'Event Log', 'Filter', 'FSFilter Bottom', 'FSFilter Infrastructure', 'File System', 'FSFilter Virtualization', 'Keyboard Port', 'Network', 'NDIS', 'Parallel arbitrator', 'Pointer Port', 'PnP Filter', 'ProfSvc_Group', 'PNP_TDI', 'SCSI Miniport', 'SCSI CDROM Class', 'System Bus Extender', 'Video Save', 'other'] |
| image-path | text | Path of the service/driver. |
| name | windows-service-name | Name of the service. |
| start | text | When the service/driver starts or executes. ['Boot start', 'System start', 'Auto start', 'Manual', 'Disabled'] |
| type | text | Service/driver type. ['Kernel driver', 'File system driver', 'Own process', 'Share process', 'Interactive', 'Other'] |

x509

x509 object describing an X.509 certificate.

x509 is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| dns_names | hostname | Subject Alternative Name - DNS names. |
| email | email-dst | Subject Alternative Name - emails. |
| ip | ip-dst | Subject Alternative Name - IP. |
| is_ca | boolean | CA certificate ['True', 'False'] |
| issuer | text | Issuer of the certificate. |
| pem | text | Raw certificate in PEM format (Unix-like newlines). |
| pubkey-info-algorithm | text | Algorithm of the public key. |
| pubkey-info-exponent | text | Exponent of the public key, in decimal. |
| pubkey-info-modulus | text | Modulus of the public key, in hexadecimal (no 0x, no :). |
| pubkey-info-size | text | Length of the public key (in bits, expressed in decimal: e.g. 256 bits). |
| raw-base64 | text | Raw certificate, base64 encoded (DER format). |
| rid | text | Subject Alternative Name - RID. |
| self_signed | boolean | Self-signed certificate ['True', 'False'] |
| serial-number | text | Serial number of the certificate. |
| signature_algorithm | text | Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION'] |
| subject | text | Subject of the certificate. |
| text | text | Free text description of the certificate. |
| uri | uri | Subject Alternative Name - URI. |
| validity-not-after | datetime | Certificate invalid after that date. |
| validity-not-before | datetime | Certificate invalid before that date. |
| version | text | Version of the certificate. |
| x509-fingerprint-md5 | x509-fingerprint-md5 | [Insecure] MD5 hash (128 bits). |
| x509-fingerprint-sha1 | x509-fingerprint-sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits). |
| x509-fingerprint-sha256 | x509-fingerprint-sha256 | Secure Hash Algorithm 2 (256 bits). |

yabin

yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin.

yabin is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | comment | A description of the Yara rule generated. |
| version | comment | yabin.py and regex.txt version used for the generation of the yara rules. |
| whitelist | comment | Whitelist name used to generate the rules. |
| yara | yara | Yara rule generated from -y. |
| yara-hunt | yara | Wide yara rule generated from -yh. |

yara

An object describing a YARA rule (or a YARA rule name) along with its version.

yara is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| comment | comment | A description of the YARA rule. |
| context | text | Context where the YARA rule can be applied ['all', 'disk', 'memory', 'network'] |
| version | text | Version of the YARA rule, depending on where the yara rule is known to work as expected. ['3.7.1'] |
| yara | yara | YARA rule. |
| yara-rule-name | text | YARA rule name. |

youtube-channel

A YouTube channel.

youtube-channel is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| about | text | About page of the channel. |
| archive | link | Archive of the channel (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported list of contacts etc. |
| channel-avatar | attachment | A screen capture or exported channel avatar. |
| channel-banner | attachment | A screen capture or exported channel header. |
| channel-id | text | Channel id. |
| channel-name | text | Channel name. |
| description | text | A description of the channel. |
| featured-channel | text | Featured channel names. |
| link | link | Original link to the channel page (supposed harmless). |
| url | url | Original URL location of the page (potentially malicious). |

youtube-comment

A YouTube video comment.

youtube-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description |
| --- | --- | --- |
| archive | link | Archive of the original comment (Internet Archive, Archive.is, etc). |
| attachment | attachment | A screen capture or exported comment. |
| channel-name | text | The name of the channel where it was posted. |
| comment | text | The raw text of the YouTube video comment. |
| description | text | A description of the comment. |
| embedded-link | url | Link embedded in the comment (potentially malicious). |
| embedded-safe-link | link | Link embedded in the comment (supposed safe). |
| hashtag | text | Hashtag used in the comment. |
| link | link | Original link to the comment (supposed harmless). |
| url | url | Original URL location of the comment (potentially malicious). |
| user-account | text | The user account that commented on the YouTube video. |
| username-quoted | text | Usernames quoted in the comment. |
| video-title | text | The title of the YouTube video. |

youtube-playlist

A YouTube playlist.

youtube-playlist is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
---------------- | ------------------- | ----------- | ------------------- | --------
archive | link | Archive of the playlist (Internet Archive, Archive.is, etc). | |
attachment | attachment | A screen capture or exported list of contacts etc. | |
description | text | A description of the playlist. | |
link | link | Original link to the playlist page (supposed harmless). | |
playlist-id | text | Playlist id. | |
playlist-name | text | Playlist name. | |
url | url | Original URL location of the page (potentially malicious). | |
video-link | link | Link to the video in playlist (supposed harmless). | |

youtube-video

A YouTube video.

youtube-video is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
---------------- | ------------------- | ----------- | ------------------- | --------
archive | link | Archive of the original YouTube video (Internet Archive, Archive.is, etc). | |
attachment | attachment | A screen capture or exported YouTube video. | |
channel-name | text | The name of the channel where it was posted. | |
creator | text | The user account that created the YouTube video. | |
description | text | A description of the YouTube video. | |
embedded-link | url | Link embedded in the YouTube video description (potentially malicious). | |
embedded-safe-link | link | Link embedded in the YouTube video description (supposed safe). | |
hashtag | text | Hashtag used to identify or promote the YouTube video. | |
link | link | Original link to the YouTube video (supposed harmless). | |
url | url | Original URL location of the YouTube video (potentially malicious). | |
username-quoted | text | Usernames quoted in the YouTube video or description. | |
video-title | text | The title of the YouTube video. | |
video-transcript | text | The YouTube video transcript (closed captions). | |

Relationships

Default type of relationships in MISP objects.

Relationships are part of MISP objects and are available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Name of relationship | Description | Format
-------------------- | ----------- | ------
derived-from | The information in the target object is based on information from the source object. | ['misp', 'stix-2.0', 'alfred']
executes | This relationship describes an object which executes another object. | ['misp']
duplicate-of | The referenced source and target objects are semantically duplicates of each other. | ['misp', 'stix-2.0']
related-to | The referenced source is related to the target object. | ['alfred', 'followthemoney', 'misp', 'stix-2.0']
connected-to | The referenced source is connected to the target object. | ['misp', 'stix-1.1']

connected-from | The referenced source is connected from the target object. | ['misp', 'stix-1.1']
contains | The referenced source contains the target object. | ['misp', 'stix-1.1', 'alfred']
contained-by | The referenced source is contained by the target object. | ['misp', 'stix-1.1']
contained-within | The referenced source is contained within the target object. | ['misp', 'stix-1.1']
characterized-by | The referenced source is characterized by the target object. | ['misp', 'stix-1.1']
characterizes | The referenced source characterizes the target object. | ['misp', 'stix-1.1']
properties-queried | The referenced source has queried the target object. | ['misp', 'stix-1.1']
properties-queried-by | The referenced source is queried by the target object. | ['misp', 'stix-1.1']
extracted-from | The referenced source is extracted from the target object. | ['misp', 'stix-1.1']
supra-domain-of | The referenced source is a supra domain of the target object. | ['misp', 'stix-1.1']
sub-domain-of | The referenced source is a sub domain of the target object. | ['misp', 'stix-1.1']
dropped | The referenced source has dropped the target object. | ['misp', 'stix-1.1']
dropped-by | The referenced source is dropped by the target object. | ['misp', 'stix-1.1']
downloaded | The referenced source has downloaded the target object. | ['misp', 'stix-1.1']
downloaded-from | The referenced source has been downloaded from the target object. | ['misp', 'stix-1.1']
resolved-to | The referenced source is resolved to the target object. | ['misp', 'stix-1.1']
attributed-to | The referenced source is attributed to the target object. | ['misp', 'stix-2.0']

targets | This relationship describes that the source object targets the target object. | ['misp', 'stix-2.0']
uses | This relationship describes the use by the source object of the target object. | ['misp', 'stix-2.0', 'alfred']
indicates | This relationship describes that the source object indicates the target object. | ['misp', 'stix-2.0']
mentions | This relationship describes that the source object mentions the target object. | ['misp']
mitigates | This relationship describes a source object which mitigates the target object. | ['misp', 'stix-2.0']
variant-of | This relationship describes a source object which is a variant of the target object. | ['misp', 'stix-2.0', 'alfred']
impersonates | This relationship describes a source object which impersonates the target object. | ['misp', 'stix-2.0']
retrieved-from | This relationship describes an object retrieved from the target object. | ['misp']
authored-by | This relationship describes the author of a specific object. | ['misp']
is-author-of | This relationship describes an object being authored by someone. | ['misp']
located | This relationship describes the location (of any type) of a specific object. | ['misp']
included-in | This relationship describes an object included in another object. | ['misp']
includes | This relationship describes an object that includes another object. | ['misp']
analysed-with | This relationship describes an object analysed by another object. | ['misp']

claimed-by | This relationship describes an object claimed by another object. | ['misp']
communicates-with | This relationship describes an object communicating with another object. | ['misp']
drops | This relationship describes an object which drops another object. | ['misp']
executed-by | This relationship describes an object executed by another object. | ['misp']
affects | This relationship describes an object affected by another object. | ['misp', 'alfred']
beacons-to | This relationship describes an object beaconing to another object. | ['misp', 'alfred']
abuses | This relationship describes an object which abuses another object. | ['misp']
exfiltrates-to | This relationship describes an object exfiltrating to another object. | ['misp', 'alfred']
identifies | This relationship describes an object which identifies another object. | ['misp', 'alfred']
intercepts | This relationship describes an object which intercepts another object. | ['misp', 'alfred']
calls | This relationship describes an object which calls another object. | ['misp']
detected-as | This relationship describes an object which is detected as another object. | ['misp']

followed-by | This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known. | ['misp']
preceding-by | This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known. | ['misp']
triggers | This relationship describes an object which triggers another object. | ['misp']
vulnerability-of | This relationship describes an object which is a vulnerability of another object. | ['cert-eu']
works-like | This relationship describes an object which works like another object. | ['cert-eu']
seller-of | This relationship describes an object which is selling another object. | ['cert-eu']
seller-on | This relationship describes an object which is selling on another object. | ['cert-eu']
trying-to-obtain-the-exploit | This relationship describes an object which is trying to obtain the exploit described by another object. | ['cert-eu']
used-by | This relationship describes an object which is used by another object. | ['cert-eu']
affiliated | This relationship describes an object which is affiliated with another object. | ['cert-eu']
alleged-founder-of | This relationship describes an object which is the alleged founder of another object. | ['cert-eu']

attacking-other-group | This relationship describes an object which attacks another object. | ['cert-eu']
belongs-to | This relationship describes an object which belongs to another object. | ['cert-eu', 'followthemoney']
business-relations | This relationship describes an object which has business relations with another object. | ['cert-eu']
claims-to-be-the-founder-of | This relationship describes an object which claims to be the founder of another object. | ['cert-eu']
cooperates-with | This relationship describes an object which cooperates with another object. | ['cert-eu']
former-member-of | This relationship describes an object which is a former member of another object. | ['cert-eu']
successor-of | This relationship describes an object which is a successor of another object. | ['cert-eu']
has-joined | This relationship describes an object which has joined another object. | ['cert-eu']
member-of | This relationship describes an object which is a member of another object. | ['cert-eu']
primary-member-of | This relationship describes an object which is a primary member of another object. | ['cert-eu']
administrator-of | This relationship describes an object which is an administrator of another object. | ['cert-eu']
is-in-relation-with | This relationship describes an object which is in relation with another object. | ['cert-eu']
provide-support-to | This relationship describes an object which provides support to another object. | ['cert-eu']

regional-branch | This relationship describes an object which is a regional branch of another object. | ['cert-eu']
similar | This relationship describes an object which is similar to another object. | ['cert-eu']
subgroup | This relationship describes an object which is a subgroup of another object. | ['cert-eu']
suspected-link | This relationship describes an object which is suspected to be linked with another object. | ['misp']
same-as | This relationship describes an object which is the same as another object. | ['misp']
creator-of | This relationship describes an object which is the creator of another object. | ['cert-eu']
developer-of | This relationship describes an object which is a developer of another object. | ['cert-eu']
uses-for-recon | This relationship describes an object which uses another object for recon. | ['cert-eu']
operator-of | This relationship describes an object which is an operator of another object. | ['cert-eu']
overlaps | This relationship describes an object which overlaps another object. | ['cert-eu']
owner-of | This relationship describes an object which owns another object. | ['cert-eu', 'alfred']
publishes-method-for | This relationship describes an object which publishes a method for another object. | ['cert-eu']
recommends-use-of | This relationship describes an object which recommends the use of another object. | ['cert-eu']

released-source-code | This relationship describes an object which released source code of another object. | ['cert-eu']
released | This relationship describes an object which releases another object. | ['cert-eu']
exploits | This relationship describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object). | ['misp']
signed-by | This relationship describes an object signed by another object. | ['misp']
delivered-by | This relationship describes an object delivered by another object (such as an exploit kit or dropper). | ['misp']
controls | This relationship describes an object which controls another object. | ['misp']
annotates | This relationship describes an object which annotates another object. | ['misp']
references | This relationship describes an object which references another object or attribute. | ['misp']
child-of | A child semantic link to a parent. | ['alfred']
parent-of | A parent semantic link to a child. | ['alfred', 'misp']
compromised | Represents the semantic link of having compromised something. | ['alfred']
connects | The initiator of a connection. | ['alfred']
connects-to | The destination or target of a connection. | ['alfred']
cover-term-for | Represents the semantic link of one thing being the cover term for another. | ['alfred']
disclosed-to | Semantic link indicating where information is disclosed to. | ['alfred']

downloads | Represents the semantic link of one thing downloading another. | ['alfred']
downloads-from | Represents the semantic link of malware being downloaded from a location. | ['alfred']
generated | Represents the semantic link of an alert generated from a signature. | ['alfred']
implements | One data object implements another. | ['alfred']
initiates | Represents the semantic link of a communication initiating an event. | ['alfred']
instance-of | Represents the semantic link between a FILE and FILE_BINARY. | ['alfred']
issuer-of | Represents the semantic link of being the issuer of something. | ['alfred']
linked-to | Represents the semantic link of being associated with something. | ['alfred', 'followthemoney']
not-relevant-to | Represents the semantic link of a comm that is not relevant to an EVENT. | ['alfred']
part-of | Represents the semantic link that defines one thing to be part of another in a hierarchical structure from the child to the parent. | ['alfred']
processed-by | Represents the semantic link of something having been processed by another program. | ['alfred']
produced | Represents the semantic link of something having produced something else. | ['alfred']
queried-for | The IP address or domain being queried for. | ['alfred']
query-returned | The IP address or domain returned as the result of a query. | ['alfred']

registered | Represents the semantic link of someone having registered something. | ['alfred']
registered-to | Represents the semantic link of something being registered to. | ['alfred']
relates | Represents the semantic link between HBS Comms and communication addresses. | ['alfred']
relevant-to | Represents the semantic link of a comm that is relevant to an EVENT. | ['alfred']
resolves-to | Represents the semantic link of resolving to something. | ['alfred']
responsible-for | Represents the semantic link of some entity being responsible for something. | ['alfred']
seeded | Represents the semantic link of a seeded domain redirecting to another site. | ['alfred']
sends | A sends semantic link meaning 'who sends what'. | ['alfred']
sends-as-bcc-to | A sends to as BCC semantic link meaning 'what sends to who as BCC'. | ['alfred']
sends-as-cc-to | A sends to as CC semantic link meaning 'what sends to who as CC'. | ['alfred']
sends-to | A sends to semantic link meaning 'what sends to who'. | ['alfred']
spoofer-of | Represents the semantic link of having spoofed something. | ['alfred']
subdomain-of | Represents a domain being a subdomain of another. | ['alfred']
supersedes | One data object supersedes another. | ['alfred']
triggered-on | Represents the semantic link of an alert triggered on an event. | ['alfred']
uploads | Represents the semantic link of one thing uploading another. | ['alfred']

user-of | Represents the semantic link of being the user of something. | ['alfred']
works-for | Represents the semantic link of working for something. | ['alfred']
works-with | Represents an object working with another one. | ['misp']
witness-of | Represents an object being a witness of something. | ['misp']
injects-into | Represents an object injecting something into something. | ['misp']
injected-into | Represents an object into which something is injected. | ['misp']
creates | Represents an object that creates something. | ['misp', 'haxpak']
screenshot-of | Represents an object being the screenshot of something. | ['misp']
knows | Represents an object having the knowledge of another object. | ['misp']
describes | Represents the semantic link of describing another object. | ['misp']
extends | Represents the semantic link of extending another object. | ['misp']
writes | Represents an object which writes towards another object or attribute. | ['misp']
ranked-with | Represents the semantic link of an asn object being ranked with a bgp-ranking object. | ['misp']
owns | owns | ['followthemoney']
awarded-to | awarded-to | ['followthemoney']
directs | directs | ['followthemoney']
involved-in | involved-in | ['followthemoney']
associated-with | associated-with | ['followthemoney']
represents | represents | ['followthemoney']
owes | owes | ['followthemoney']
preceeds | preceeds | ['followthemoney']

documents | documents | ['followthemoney']
paid | paid | ['followthemoney']
leaks | leaks | ['misp']
leaked-by | leaked-by | ['misp']
doxed-by | doxed-by | ['misp']
alerts | alerts about a specific object | ['misp']
legal-address-of | The referenced source object is the legal address of the target. | ['misp']
shipping-address-of | The referenced source object is a shipping address of the target. | ['misp']
visited | The referenced source object visited the target (for example an address). | ['misp']
office-of | The referenced source object is an office of the target. | ['misp']
picture-of | The referenced source object is a picture (photo/image) of the target. | ['misp']
pictured-by | The referenced source object is pictured by the target (photo/image). | ['misp']
found-on | The referenced source object has been found on the target (device, server). | ['misp']
found-in | The referenced source object has been found in the target (document). | ['misp']
drives | The referenced source object drives the target described (often a vehicle). | ['misp']