MISP Objects
Introduction
Funding and Support
MISP objects
ail-leak
ais-info
android-app
android-permission
annotation
anonymisation
asn
attack-pattern
authentication-failure-report
authenticode-signerinfo
av-signature
bank-account
bgp-hijack
bgp-ranking
blog
boleto
btc-transaction
btc-wallet
cap-alert
cap-info
cap-resource
coin-address
command
command-line
concordia-mtmf-intrusion-set
cookie
cortex
cortex-taxonomy
course-of-action
covid19-csse-daily-report
covid19-dxy-live-city
covid19-dxy-live-province
cowrie
cpe-asset
credential
credit-card
crypto-material
cytomic-orion-file
cytomic-orion-machine
dark-pattern-item
ddos
device
diameter-attack
dkim
dns-record
domain-crawled
domain-ip
edr-report
elf
elf-section
email
employee
exploit-poc
facebook-account
facebook-group
facebook-page
facebook-post
facial-composite
fail2ban
favicon
file
forensic-case
forensic-evidence
forged-document
ftm-Airplane
ftm-Assessment
ftm-Asset
ftm-Associate
ftm-Audio
ftm-BankAccount
ftm-Call
ftm-Company
ftm-Contract
ftm-ContractAward
ftm-CourtCase
ftm-CourtCaseParty
ftm-Debt
ftm-Directorship
ftm-Document
ftm-Documentation
ftm-EconomicActivity
ftm-Email
ftm-Event
ftm-Family
ftm-Folder
ftm-HyperText
ftm-Image
ftm-Land
ftm-LegalEntity
ftm-License
ftm-Membership
ftm-Message
ftm-Organization
ftm-Ownership
ftm-Package
ftm-Page
ftm-Pages
ftm-Passport
ftm-Payment
ftm-Person
ftm-PlainText
ftm-PublicBody
ftm-RealEstate
ftm-Representation
ftm-Row
ftm-Sanction
ftm-Succession
ftm-Table
ftm-TaxRoll
ftm-UnknownLink
ftm-UserAccount
ftm-Vehicle
ftm-Vessel
ftm-Video
ftm-Workbook
geolocation
git-vuln-finder
github-user
gitlab-user
gtp-attack
hashlookup
http-request
ilr-impact
ilr-notification-incident
image
impersonation
imsi-catcher
instant-message
instant-message-group
intel471-vulnerability-intelligence
intelmq_event
intelmq_report
internal-reference
interpol-notice
iot-device
iot-firmware
ip-api-address
ip-port
irc
ja3
ja3s
jarm
keybase-account
leaked-document
legal-entity
lnk
macho
macho-section
mactime-timeline-analysis
malware-config
meme-image
microblog
mutex
narrative
netflow
network-connection
network-profile
network-socket
news-agency
news-media
open-data-security
organization
original-imported-file
paloalto-threat-event
parler-account
parler-comment
parler-post
passive-dns
passive-dns-dnsdbflex
passive-ssh
paste
pcap-metadata
pe
pe-section
person
pgp-meta
phishing
phishing-kit
phone
postal-address
process
publication
python-etvx-event-log
r2graphity
reddit-account
reddit-comment
reddit-post
reddit-subreddit
regexp
registry-key
regripper-NTUser
regripper-sam-hive-single-user
regripper-sam-hive-user-group
regripper-software-hive-BHO
regripper-software-hive-appInit-DLLS
regripper-software-hive-application-paths
regripper-software-hive-applications-installed
regripper-software-hive-command-shell
regripper-software-hive-software-run
regripper-software-hive-userprofile-winlogon
regripper-software-hive-windows-general-info
regripper-system-hive-firewall-configuration
regripper-system-hive-general-configuration
regripper-system-hive-network-information
regripper-system-hive-services-drivers
report
research-scanner
rogue-dns
rtir
sandbox-report
sb-signature
scheduled-event
scrippsco2-c13-daily
scrippsco2-c13-monthly
scrippsco2-co2-daily
scrippsco2-co2-monthly
scrippsco2-o18-daily
scrippsco2-o18-monthly
script
security-playbook
shell-commands
shodan-report
short-message-service
shortened-link
social-media-group
splunk
ss7-attack
ssh-authorized-keys
stix2-pattern
submarine
suricata
target-system
telegram-account
temporal-event
threatgrid-report
timecode
timesketch-timeline
timesketch_message
timestamp
tor-hiddenservice
tor-node
tracking-id
transaction
translation
trustar_report
tsk-chats
tsk-web-bookmark
tsk-web-cookie
tsk-web-downloads
tsk-web-history
tsk-web-search-query
twitter-account
twitter-list
twitter-post
url
user-account
vehicle
victim
virustotal-graph
virustotal-report
vulnerability
weakness
whois
windows-service
x509
yabin
yara
youtube-channel
youtube-comment
youtube-playlist
youtube-video
Relationships

Introduction
The MISP threat sharing platform is free and open source software that helps with the sharing of threat intelligence, including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.
MISP objects are used in the MISP system (starting from version 2.4.80) and can be used by other information sharing tools. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing. The objects are shared just like any other attributes in MISP, even if the other MISP instances don’t have the template of the object. The following document is generated from the machine-readable JSON describing the MISP objects.
Funding and Support
The MISP project is supported financially and with resources by CIRCL (Computer Incident Response Center Luxembourg).
CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 as "Improving MISP as building blocks for next-generation information sharing".
If you are interested in co-funding projects around MISP, feel free to get in touch with us.
MISP objects
ail-leak
An information leak as defined by the AIL Analysis Information Leak framework.
ail-leak is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| duplicate | text | Duplicate of the existing leaks. | | |
| duplicate_number | counter | Number of known duplicates. | | |
| first-seen | datetime | When the leak has been accessible or seen for the first time. | | |
| last-seen | datetime | When the leak has been accessible or seen for the last time. | | |
| origin | text | The link where the leak is (or was) accessible at first-seen. | | |
| original-date | datetime | When the information available in the leak was created. It’s usually before the first-seen. | | |
| raw-data | attachment | Raw data as received by the AIL sensor compressed and encoded in Base64. | | |
| sensor | text | The AIL sensor uuid where the leak was processed and analysed. | | |
| text | text | A description of the leak which could include the potential victim(s) or description of the leak. | | |

ais-info
Automated Indicator Sharing (AIS) Information Source Markings.
ais-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| administrative-area | text | AIS Administrative Area represented using ISO-3166-2. | | |
| country | text | AIS Country represented using ISO-3166-1_alpha-2. | | |
| industry | text | AIS Industry Type. ['Chemical Sector', 'Commercial Facilities Sector', 'Communications Sector', 'Critical Manufacturing Sector', 'Dams Sector', 'Defense Industrial Base Sector', 'Emergency Services Sector', 'Energy Sector', 'Financial Services Sector', 'Food and Agriculture Sector', 'Government Facilities Sector', 'Healthcare and Public Health Sector', 'Information Technology Sector', 'Nuclear Reactors, Materials, and Waste Sector', 'Transportation Systems Sector', 'Water and Wastewater Systems Sector', 'Other'] | | |
| organisation | text | AIS Organisation Name. | | |

android-app
Indicators related to an Android app.
android-app is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| appid | text | Application ID | | |
| certificate | sha1 | Android certificate | | |
| domain | domain | Domain used by the app | | |
| name | text | Generic name of the application | | |
| sha256 | sha256 | SHA256 of the APK. | | |

android-permission
A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
android-permission is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| comment | comment | Comment about the set of android permission(s) | | |
| permission | text | Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL'] | | |

annotation
An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
annotation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| attachment | attachment | An attachment to support the annotation | | |
| creation-date | datetime | Initial creation of the annotation | | |
| format | text | Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra'] | | |
| modification-date | datetime | Last update of the annotation | | |
| ref | link | Reference(s) to the annotation | | |
| text | text | Raw text of the annotation | | |
| type | text | Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo', 'Full Report'] | | |

anonymisation
Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
anonymisation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | Description of the anonymisation technique or tool used | | |
| encryption-function | text | Encryption function or algorithm used to anonymise the attribute ['aes128', 'aes-128-cbc', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8', 'aes-128-ctr', 'aes-128-ecb', 'aes-128-ofb', 'aes192', 'aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8', 'aes-192-ctr', 'aes-192-ecb', 'aes-192-ofb', 'aes-256-cfb', 'aes-256-cfb1', 'aes-256-cfb8', 'aes-256-ctr', 'aes-256-ecb', 'aes-256-ofb', 'bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish', 'camellia128', 'camellia-128-cbc', 'camellia-128-cfb', 'camellia-128-cfb1', 'camellia-128-cfb8', 'camellia-128-ctr', 'camellia-128-ecb', 'camellia-128-ofb', 'camellia192', 'camellia-192-cbc', 'camellia-192-cfb', 'camellia-192-cfb1', 'camellia-192-cfb8', 'camellia-192-ctr', 'camellia-192-ecb', 'camellia-192-ofb', 'camellia256', 'camellia-256-cbc', 'camellia-256-cfb', 'camellia-256-cfb1', 'camellia-256-cfb8', 'camellia-256-ctr', 'camellia-256-ecb', 'camellia-256-ofb', 'cast', 'cast5-cbc', 'cast5-cfb', 'cast5-ecb', 'cast5-ofb', 'cast-cbc', 'des', 'des3', 'des-cbc', 'des-cfb', 'des-ecb', 'des-ede', 'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb', 'des-ofb', 'desx', 'gost89', 'gost89-cnt', 'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'rc2', 'rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc', 'rc2-cfb', 'rc2-ecb', 'rc2-ofb', 'rc4', 'rc4-40', 'rc4-64', 'rc5', 'rc5-cbc', 'rc5-cfb', 'rc5-ecb', 'rc5-ofb', 'seed', 'seed-cbc', 'seed-cfb', 'seed-ecb', 'seed-ofb', 'sm4', 'sm4-cbc', 'sm4-cfb', 'sm4-ctr', 'sm4-ecb', 'sm4-ofb'] | | |
| iv | text | Initialisation vector for the encryption function used to anonymise the attribute | | |
| key | text | Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute | | |
| keyed-hash-function | text | Keyed-hash function used to anonymise the attribute ['hmac-sha1', 'hmac-md5', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512'] | | |
| level-of-knowledge | text | Level of knowledge of the organisation who created this object ['Only the anonymised data is known', 'Deanonymised data is known'] | | |
| method | text | Anonymisation (or pseudo-anonymisation) method(s) used ["hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", 'hash - A hash function maps each attribute to a new (not necessarily unique) attribute.', 'permutation - Maps each original value to a unique new value.', "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", 'shift - Adds a fixed offset to each value/attribute.', 'enumeration - Map each original value to a new value such that their ordering is preserved.', 'partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.', 'updated - Checksums are recalculated to reflect changes made to other fields.', 'truncation - Field is shortened, losing data at the end.', 'encryption - Attribute is encrypted.'] | | |
| regexp | text | Regular expression to perform the anonymisation (reversible or not) | | |

asn
Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
asn is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| asn | AS | Autonomous System Number | | |
| country | text | Country code of the main location of the autonomous system | | |
| description | text | Description of the autonomous system | | |
| export | text | The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format | | |
| first-seen | datetime | First time the ASN was seen | | |
| import | text | The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format | | |
| last-seen | datetime | Last time the ASN was seen | | |
| mp-export | text | This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format | | |
| mp-import | text | The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format | | |
| subnet-announced | ip-src | Subnet announced | | |

attack-pattern
Attack pattern describing a common attack pattern enumeration and classification.
attack-pattern is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| id | text | CAPEC ID. | | |
| name | text | Name of the attack pattern. | | |
| prerequisites | text | Prerequisites for the attack pattern to succeed. | | |
| references | link | External references | | |
| related-weakness | weakness | Weakness related to the attack pattern. | | |
| solutions | text | Solutions for the attack pattern to be countered. | | |
| summary | text | Summary description of the attack pattern. | | |

authentication-failure-report
Authentication Failure Report.
authentication-failure-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| ip-dst | ip-dst | Destination IP. | | |
| ip-src | ip-src | IP address originating the authentication failure. | | |
| total | counter | the number of authentication failures reported. | | |
| type | text | the type of authentication failure. ['ssh'] | | |
| username | text | the username used. | | |

authenticode-signerinfo
Authenticode Signer Info.
authenticode-signerinfo is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| content-type | text | Content type | | |
| digest-base64 | text | Signature created by the signing certificate’s private key | | |
| digest_algorithm | text | Algorithm used to hash the file. | | |
| encryption_algorithm | text | Algorithm used to encrypt the digest | | |
| issuer | text | Issuer of the certificate | | |
| program-name | text | Program name | | |
| serial-number | text | Serial number of the certificate | | |
| signature_algorithm | text | Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION'] | | |
| text | text | Free text description of the signer info | | |
| url | url | Url | | |
| version | text | Version of the certificate | | |

av-signature
Antivirus detection signature.
av-signature is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| datetime | datetime | Datetime | | |
| signature | text | Name of detection signature | | |
| software | text | Name of antivirus software | | |
| text | text | Free text value to attach to the file | | |

bank-account
An object describing bank account information based on account description from goAML 4.0.
bank-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| aba-rtn | aba-rtn | ABA routing transit number | | |
| account | bank-account-nr | Account number | | |
| account-name | text | A field to freely describe the bank account details. | | |
| balance | text | The balance of the account after the suspicious transaction was processed. | | |
| beneficiary | text | Final beneficiary of the bank account. | | |
| beneficiary-comment | text | Comment about the final beneficiary. | | |
| branch | text | Branch code or name | | |
| client-number | text | Client number as seen by the bank. | | |
| closed | datetime | When the account was closed. | | |
| comments | text | Comments about the bank account. | | |
| currency-code | text | Currency of the account. ['USD', 'EUR'] | | |
| date-balance | datetime | When the balance was reported. | | |
| iban | iban | IBAN of the bank account. | | |
| institution-code | text | Institution code of the bank. | | |
| institution-name | text | Name of the bank or financial organisation. | | |
| non-banking-institution | boolean | A flag to define if this account belongs to a non-banking organisation. If set to true, it’s a non-banking organisation. ['True', 'False'] | | |
| opened | datetime | When the account was opened. | | |
| personal-account-type | text | Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other'] | | |
| report-code | text | Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic'] | | |
| status-code | text | Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant'] | | |
| swift | bic | SWIFT or BIC as defined in ISO 9362. | | |
| text | text | A description of the bank account. | | |

bgp-hijack

Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.

bgp-hijack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| country | text | Country code of the main location of the attacking autonomous system | | |
| description | text | BGP Hijack details | | |
| detected-asn | AS | Detected Autonomous System Number | | |
| end | datetime | Last time the Prefix hijack was seen | | |
| expected-asn | AS | Expected Autonomous System Number | | |
| start | datetime | First time the Prefix hijack was seen | | |
| subnet-announced | ip-src | Subnet announced | | |

bgp-ranking

BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.

bgp-ranking is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address-family | text | The IP address family concerned by the ranking. ['v4', 'v6'] | | |
| date | datetime | Date of the ranking. | | |
| position | float | Position of the ASN for a given day. | | |
| ranking | float | Ranking of the Autonomous System number. | | |

blog

Blog post like Medium or WordPress.

blog is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
| creation-date | datetime | Initial creation of the blog post. | | |
| embedded-link | url | Site linked by the blog post. | | |
| embedded-safe-link | link | Safe site linked by the blog post. | | |
| link | link | Original link into the blog post (Supposed harmless). | | |
| modification-date | datetime | Last update of the blog post. | | |
| post | text | Raw post. | | |
| removal-date | datetime | When the blog post was removed. | | |
| title | text | Title of blog post. | | |
| type | text | Type of blog post. ['Medium', 'WordPress', 'Blogger', 'Tumbler', 'LiveJournal', 'Forum', 'Other'] | | |
| url | url | Original URL location of the blog post (potentially malicious). | | |
| username | text | Username who posted the blog post. | | |
| username-quoted | text | Usernames that are quoted in the blog post. | | |
| verified-username | text | Is the username account verified by the operator of the blog platform. ['Verified', 'Unverified', 'Unknown'] | | |

boleto

A common form of payment used in Brazil.

boleto is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| beneficiary | text | Final beneficiary of the boleto. | | |
| beneficiary-bank-account | bank-account-nr | Recipient bank account number | | |
| beneficiary-bank-agency | bank-account-nr | Recipient bank agency number | | |
| boleto-number | text | Boleto code numbers | | |
| creation-date | datetime | Date the boleto was created | | |
| febraban-code | text | Financial institution code in Brazil that created the boleto. | | |
| generator-financial-institution | text | Name of the bank or financial organisation that created the boleto. | | |
| payment-due-date | datetime | Boleto payment date | | |
| payment-status | text | Inform if boleto was paid or not ['Not Paid', 'Paid'] | | |
| payment-value | float | The payment boleto value in Brazilian Reais | | |
| requester | text | Organisation, service or affiliated person that requested creation of the boleto. | | |

btc-transaction

An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.

btc-transaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| btc-address | btc | A Bitcoin transactional address | | |
| time | datetime | Date and time of transaction | | |
| transaction-number | text | A Bitcoin transaction number in a sequence of transactions | | |
| value_BTC | float | Value in BTC at date/time displayed in field 'time' | | |
| value_EUR | float | Value in EUR with conversion rate as of date/time displayed in field 'time' | | |
| value_USD | float | Value in USD with conversion rate as of date/time displayed in field 'time' | | |

btc-wallet

An object to describe a Bitcoin wallet. Best to be used with bitcoin-transactions.

btc-wallet is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| BTC_received | float | Value of received BTC | | |
| BTC_sent | float | Value of sent BTC | | |
| balance_BTC | float | Value in BTC at date/time displayed in field 'time' | | |
| time | datetime | Date and time of lookup/conversion | | |
| wallet-address | btc | A Bitcoin wallet address | | |

cap-alert

Common Alerting Protocol Version (CAP) alert object.

cap-alert is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| addresses | text | The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. | | |
| code | text | The code denoting the special handling of the alert message. | | |
| identifier | text | The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender. | | |
| incident | text | The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes. | | |
| msgType | text | The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error'] | | |
| note | text | The text describing the purpose or significance of the alert message. | | |
| references | text | The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace. | | |
| restriction | text | The text describing the rule for limiting distribution of the restricted alert message. | | |
| scope | text | The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private'] | | |
| sender | text | The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name. | | |
| sent | datetime | The time and date of the origination of the alert message. | | |
| source | text | The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device. | | |
| status | text | The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft'] | | |

cap-info

Common Alerting Protocol Version (CAP) info object.

cap-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| audience | text | The text describing the intended audience of the alert message. | | |
| category | text | The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other'] | | |
| certainty | text | The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown'] | | |
| contact | text | The text describing the contact for follow-up and confirmation of the alert message. | | |
| description | text | The text describing the subject event of the alert message. | | |
| effective | datetime | The effective time of the information of the alert message. | | |
| event | text | The text denoting the type of the subject event of the alert message. | | |
| eventCode | text | A system-specific code identifying the event type of the alert message. | | |
| expires | datetime | The expiry time of the information of the alert message. | | |
| headline | text | The text headline of the alert message. | | |
| instruction | text | The text describing the recommended action to be taken by recipients of the alert message. | | |
| language | text | The code denoting the language of the info sub-element of the alert message. | | |
| onset | datetime | The expected time of the beginning of the subject event of the alert message. | | |
| parameter | text | A system-specific additional parameter associated with the alert message. | | |
| responseType | text | The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None'] | | |
| senderName | text | The text naming the originator of the alert message. | | |
| severity | text | The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown'] | | |
| urgency | text | The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown'] | | |
| web | link | The identifier of the hyperlink associating additional information with the alert message. | | |

cap-resource

Common Alerting Protocol Version (CAP) resource object.

cap-resource is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| derefUri | attachment | The base-64 encoded data content of the resource file. | | |
| digest | sha1 | The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL). | | |
| mimeType | mime-type | The identifier of the MIME content type and sub-type describing the resource file. | | |
| resourceDesc | text | The text describing the type and content of the resource file. | | |
| size | text | The integer indicating the size of the resource file. | | |
| uri | link | The identifier of the hyperlink for the resource file. | | |

coin-address

An address used in a cryptocurrency.

coin-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| address | btc | Bitcoin address used as a payment destination in a cryptocurrency | | |
| address-xmr | xmr | Monero address used as a payment destination in a cryptocurrency | | |
| current-balance | float | Current balance of address | | |
| first-seen | datetime | First time this payment destination address has been seen | | |
| last-seen | datetime | Last time this payment destination address has been seen | | |
| last-updated | datetime | Last time the balances and totals have been updated | | |
| symbol | text | The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN'] | | |
| text | text | Free text value | | |
| total-received | float | Total balance received | | |
| total-sent | float | Total balance sent | | |
| total-transactions | text | Total transactions performed | | |

command

Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command lines are attached to this object for the related commands.

command is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | Description of the command functionalities | | |
| location | text | Location of the command functionality ['Bundled', 'Module', 'Libraries', 'Unknown'] | | |
| trigger | text | How the commands are triggered ['Local', 'Network', 'Unknown'] | | |

command-line

Command line and options related to a specific command executed by a program, whether it is malicious or not.

command-line is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| description | text | description of the command | | |
| value | text | command code | | |

concordia-mtmf-intrusion-set

Intrusion Set - Phase Description.

concordia-mtmf-intrusion-set is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| AttackName | text | Name of the Attack | | |
| CMTMF_ATCKID | counter | Identifier of the Attack | | |
| FeedbackLoop | counter | Feedback Loop Sequence | | |
| PhName | text | Name of the Phase (Tactic) | | |
| PhSequence | counter | Phase Sequence | | |
| description | text | Description of the phase | | |

cookie

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. (as defined by the Mozilla foundation).

cookie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| cookie | cookie | Full cookie | | |
| cookie-name | text | Name of the cookie (if split) | | |
| cookie-value | text | Value of the cookie (if split) | | |
| expires | datetime | Expiration date/time of the cookie | | |
| http-only | boolean | True if sent only through HTTP ['True', 'False'] | | |
| path | text | Path defined in the cookie | | |
| secure | boolean | True if cookie is sent over TLS ['True', 'False'] | | |
| text | text | A description of the cookie. | | |
| type | text | Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing'] | | |

cortex

Cortex object describing a complete cortex analysis. Observables would be attribute with a relationship from this object.

cortex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| full | text | Cortex report object (full report) in JSON | | |
| name | text | Cortex analyser/worker name | | |
| server-name | text | Name of the cortex server | | |
| start-date | datetime | When the Cortex analyser was started | | |
| success | boolean | Result of the cortex job ['True', 'False'] | | |
| summary | text | Cortex summary object (summary) in JSON | | |

cortex-taxonomy

Cortex object describing a Cortex Taxonomy (or mini report).

cortex-taxonomy is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| cortex_url | link | URL to the Cortex job | | |
| level | text | Cortex Taxonomy Level ['info', 'safe', 'suspicious', 'malicious'] | | |
| namespace | text | Cortex Taxonomy Namespace | | |
| predicate | text | Cortex Taxonomy Predicate | | |
| value | text | Cortex Taxonomy Value | | |

course-of-action

An object describing a specific measure taken to prevent or respond to an attack.

course-of-action is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| cost | text | The estimated cost of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] | | |
| description | text | A description of the course of action. | | |
| efficacy | text | The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] | | |
| impact | text | The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] | | |
| name | text | The name used to identify the course of action. | | |
| objective | text | The objective of the course of action. | | |
| stage | text | The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response', 'Further Analysis Required'] | | |
| type | text | The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other'] | | |

covid19-csse-daily-report

CSSE COVID-19 Daily report.

covid19-csse-daily-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| active | counter | the number of active cases. | | |
| confirmed | counter | the number of confirmed cases. For Hubei Province: from Feb 13 (GMT +8), we report both clinically diagnosed and lab-confirmed cases. For lab-confirmed cases only (Before Feb 17), please refer to https://github.com/CSSEGISandData/COVID-19/tree/master/who_covid_19_situation_reports. | | |
| country-region | text | country/region name conforming to WHO (will be updated). | | |
| county | counter | US County (US Only) | | |
| death | counter | the number of deaths. | | |
| fips | counter | Federal Information Processing Standard county code (US Only) | | |
| latitude | float | Approximate latitude of the entry | | |
| longitude | float | Approximate longitude of the entry | | |
| province-state | text | province name; US/Canada/Australia/ - city name, state/province name; Others - name of the event (e.g., "Diamond Princess" cruise ship); other countries - blank. | | |
| recovered | counter | the number of recovered cases. | | |
| update | datetime | Time of the last update that day (UTC) | | |

covid19-dxy-live-city

COVID 19 from dxy.cn - Aggregation by city.

covid19-dxy-live-city is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| city | text | Name of the Chinese city, in Chinese. | | |
| current-confirmed | counter | Current number of confirmed cases | | |
| total-confirmed | counter | Total number of confirmed cases. | | |
| total-cured | counter | Total number of cured cases. | | |
| total-death | counter | Total number of deaths. | | |
| update | datetime | Approximate time of the update (~hour) | | |

covid19-dxy-live-province

COVID 19 from dxy.cn - Aggregation by province.

covid19-dxy-live-province is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| comment | text | Comment, in Chinese | | |
| current-confirmed | counter | Current number of confirmed cases | | |
| province | text | Name of the Chinese province, in Chinese. | | |
| total-confirmed | counter | Total number of confirmed cases. | | |
| total-cured | counter | Total number of cured cases. | | |
| total-death | counter | Total number of deaths. | | |
| update | datetime | Approximate time of the update (~hour) | | |

cowrie

Cowrie honeypot object template.

cowrie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| compCS | text | SSH compression algorithm supported in the session | | |
| dst_ip | ip-dst | Destination IP address of the session | | |
| dst_port | port | Destination port of the session | | |
| encCS | text | SSH symmetric encryption algorithm supported in the session | | |
| eventid | text | Eventid of the session in the cowrie honeypot | | |
| hassh | hassh-md5 | HASSH of the client SSH session following Salesforce algorithm | | |
| input | text | Input of the session | | |
| isError | text | isError | | |
| keyAlgs | text | SSH public-key algorithm supported in the session | | |
| macCS | text | SSH MAC supported in the session | | |
| message | text | Message of the cowrie honeypot | | |
| password | text | Password | | |
| protocol | text | Protocol used in the cowrie honeypot | | |
| sensor | text | Cowrie sensor name | | |
| session | text | Session id | | |
| src_ip | ip-src | Source IP address of the session | | |
| src_port | port | Source port of the session | | |
| system | text | System origin in cowrie honeypot | | |
| timestamp | datetime | When the event happened | | |
| username | text | Username related to the password(s) | | |

cpe-asset

An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.

cpe-asset is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| cpe | cpe | CPE—the well-formed CPE name (WFN). WFNs can be used to describe a set of products or to identify an individual product. | | |
| description | text | Complementary description of the asset | | |
| edition | text | The edition attribute is considered deprecated in this specification, and it SHOULD be assigned the logical value ANY except where required for backward compatibility with version 2.2 of the CPE specification. This attribute is referred to as the “legacy edition” attribute. If this attribute is used, values for this attribute SHOULD capture edition-related terms applied by the vendor to the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| language | text | Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used. | | |
| other | text | Values for this attribute SHOULD capture any other general descriptive or identifying information which is vendor- or product-specific and which does not logically fit in any other attribute value. Values SHOULD NOT be used for storing instance-specific data (e.g., globally-unique identifiers or Internet Protocol addresses). Values for this attribute SHOULD be selected from a valid-values list that is refined over time; this list MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| part | text | Part - application, operating systems or hardware devices ['a', 'o', 'h'] | | |
| product | text | Values for this attribute SHOULD describe or identify the most common and recognizable title or name of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| sw_edition | text | Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| target_hw | text | Values for this attribute SHOULD characterize the instruction set architecture (e.g., x86) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| target_sw | text | Values for this attribute SHOULD characterize the software computing environment within which the product operates. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| update | text | Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |
| vendor | text | Values for this attribute SHOULD describe or identify the person or organization that manufactured or created the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute | | |
| version | text | Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular release version of the product. Version information SHOULD be copied directly (with escaping of printable non-alphanumeric characters as required) from discoverable data and SHOULD NOT be truncated or otherwise modified. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. | | |

credential

Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).

credential is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| format | text | Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown'] | | |
| notification | text | Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none'] | | |
| origin | text | Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown'] | | |
| password | text | Password | | |
| text | text | A description of the credential(s) | | |
| type | text | Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown'] | | |
| username | text | Username related to the password(s) | | |

credit-card

A payment card like credit card, debit card or any similar cards which can be used for financial transactions.

credit-card is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| bank_name | text | Name of the bank which has issued the card | | |
| card-security-code | text | Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card. | | |
| cc-number | cc-number | credit-card number as encoded on the card. | | |
| comment | comment | A description of the card. | | |
| expiration | datetime | Maximum date of validity | | |
| iin | text | International Issuer Number (First eight digits of the credit card number) | | |
| issued | datetime | Initial date of validity or issued date. | | |
| name | text | Name of the card owner. | | |
| version | text | Version of the card. | | |

crypto-material

Cryptographic materials such as public or/and private keys.

crypto-material is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

| Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
|---|---|---|---|---|
| Gx | text | Curve Parameter - Gx in decimal | | |
| Gy | text | Curve Parameter - Gy in decimal | | |
| b | text | Curve Parameter - B in decimal | | |
| curve-length | text | Length of the Curve in bits | | |
| e | text | RSA public exponent | | |
| ecdsa-type | text | Curve type of the ECDSA cryptographic materials ['Anomalous', 'M-221', 'E-222', 'NIST P-224', 'Curve1174', 'Curve25519', 'BN(2,254)', 'brainpoolP256t1', 'ANSSI FRP256v1', 'NIST P-256', 'secp256k1', 'E-382', 'M-383', 'Curve383187', 'brainpoolP384t1', 'NIST P-384', 'Curve41417', 'Ed448-Goldilocks', 'M-511', 'E-521'] | | |
| g | text | Curve Parameter - G in decimal | | |
| generic-symmetric-key | text | Generic symmetric key (please specify the type) | | |
| modulus | text | Modulus Parameter - in hexadecimal - no 0x, no : | | |
| n | text | Curve Parameter - N in decimal | | |
| origin | text | Origin of the cryptographic materials ['mathematical-attack', 'exhaustive-search', 'bruteforce-attack', 'malware-extraction', 'memory-interception', 'network-interception', 'leak', 'unknown'] | | |
| p | text | Prime Parameter - P in decimal | | |
| private | text | Private part of the cryptographic materials in PEM format | | |
| public | text | Public part of the cryptographic materials in PEM format | | |
| q | text | Prime Parameter - Q in decimal | | |
| rsa-modulus-size | text | RSA modulus size in bits | | |
| text | text | A description of the cryptographic materials. | | |
| type | text | Type of cryptographic materials ['RSA', 'DSA', 'ECDSA', 'RC4', 'XOR', 'unknown'] | | |
| x | text | Curve Parameter - X in decimal | | |
| y | text | Curve Parameter - Y in decimal | | |

cytomic-orion-file
Cytomic Orion File Detection.
cytomic-orion-file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
classification | text | File classification - number
classificationName | text | File classification
fileName | filename | Original filename
fileSize | size-in-bytes | Size of the file
first-seen | datetime | First seen timestamp of the file
last-seen | datetime | Last seen timestamp of the file
cytomic-orion-machine
Cytomic Orion File at Machine Detection.
cytomic-orion-machine is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
clientCreationDateUTC | datetime | Client creation date UTC
clientId | text | Client id
clientName | target-org | Client name
creationDate | datetime | Client creation date
first-seen | datetime | First seen on machine
last-seen | datetime | Last seen on machine
lastSeenUtc | datetime | Client last seen UTC
machineMuid | text | Machine UID
machineName | target-machine | Machine name
machinePath | text | Path of observable
dark-pattern-item
An Item whose User Interface implements a dark pattern.
dark-pattern-item is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | text | Textual comment about the item
gain | text | What the implementer is gaining by deceiving the user ['registration', 'personal data', 'money', 'contacts', 'audience']
implementer | text | Who is the vendor / holder of the item
location | text | Location where to find the item
screenshot | attachment | A screen capture or a screengrab of the item at work
time | datetime | Date and time when first-seen
user | text | Who are the users of the item
ddos
DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy.
ddos is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
domain-dst | domain | Destination domain (victim)
dst-port | port | Destination port of the attack
first-seen | datetime | Beginning of the attack
ip-dst | ip-dst | Destination IP (victim)
ip-src | ip-src | IP address originating the attack
last-seen | datetime | End of the attack
protocol | text | Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']
src-port | port | Port originating the attack
text | text | Description of the DDoS
total-bps | counter | Bits per second
total-pps | counter | Packets per second
device
An object to define a device.
device is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
MAC-address | mac-address | Device MAC address
OS | text | OS of the device
alias | text | Alias of the Device
analysis-date | datetime | Date of device analysis
attachment | attachment | An attachment
description | text | Description of the Device
device-type | text | Type of the device ['PC', 'Mobile', 'Laptop', 'HID', 'TV', 'IoT', 'Hardware', 'Other']
dns-name | text | Device DNS Name
hits | counter | Number of hits for the device
infection_type | text | Type of infection if the device is in Infected status ['android_spams', 'android.bakdoor.prizmes', 'android.bankbot', 'android.banker.anubis', 'android.bankspy', 'android.cliaid', 'android.darksilent', 'android.fakeav', 'android.fakebank', 'android.fakedoc', 'android.fakeinst', 'android.fakemart', 'android.faketoken', 'android.fobus', 'android.fungram', 'android.geost', 'android.gopl', 'android.hiddad', 'android.hqwar', 'android.hummer', 'android.infosteal', 'android.iop', 'android.lockdroid', 'android.milipnot', 'android.nitmo', 'android.opfake', 'android.premiumtext', 'android.provar', 'android.pwstealer', 'android.rootnik', 'android.skyfin', 'android.smsbot', 'android.smssilence', 'android.smsspy', 'android.smsspy.be24', 'android.sssaaa', 'android.teleplus', 'android.uupay', 'android.voxv', 'avalanche-andromeda', 'banatrix', 'bankpatch', 'bebloh', 'bedep', 'betabot', 'bitcoinminer', 'blackbeard', 'blakamba', 'boinberg', 'buhtrap', 'caphaw', 'carberp', 'chafer', 'changeup', 'chinad', 'citadel', 'cobint', 'coinminer', 'conficker', 'cryptowall', 'cutwail', 'cycbot', 'diaminer', 'dimnie', 'dipverdle', 'dircrypt', 'dirtjumper', 'disorderstatus', 'dmsniff', 'dofoil', 'domreg', 'dorkbot', 'dorkbot-ssl', 'dresscode', 'dybalom', 'ek.fallout', 'emoted', 'emotet', 'esfury', 'expiro', 'exploitkit.fallout', 'extenbro', 'fake_cs_updater', 'fakerean', 'fallout.exploitkit', 'fast-flux', 'fast-flux-double', 'fast-flux;fast-flux-double', 'fleercivet', 'fobber', 'foxbantrix', 'foxbantrix-unknown', 'generic.malware', 'geodo', 'gonderici', 'gootkit', 'gozi', 'gspy', 'gtfobot', 'hancitor', 'harnig', 'htm5player.vast', 'ibanking', 'icedid', 'infected', 'iotreaper', 'ip-spoofer', 'ircbot', 'isfb', 'jadtre', 'jdk-update-apt', 'js.worm.bondat', 'junk-domains', 'kasidet', 'kbot', 'kelihos', 'kelihos.e', 'keylogger', 'keylogger-ftp', 'keylogger-vbklip', 'kidminer', 'kingminer', 'koobface', 'kraken', 'kronos', 'kwampirs', 'lethic', 'linux.backdoor.setag', 'linux.ngioweb', 'litemanager', 'loader', 'locky', 'loki', 'lokibot', 'luminositylink', 'lurkbanker', 'madominer', 'magecart', 'maliciouswebsites', 'malvertising.doubleclick', 'malwaretom', 'marcher', 'matrix', 'matsnu', 'menupass', 'mewsspy', 'miner.monero', 'minr', 'mirai', 'mix2', 'mkero', 'monero', 'mozi', 'muddywater', 'murofet', 'mysafeproxymonitor', 'nametrick', 'necurs', 'netsupport', 'nettraveler', 'neurevt', 'nitol', 'nivdort', 'nukebot', 'null', 'nymaim', 'nymain', 'osx.fakeflash', 'palevo', 'pawnstorm', 'phishing', 'phishing.cobalt', 'phishing.cobalt_dickens', 'phorpiex', 'pitou', 'plasma-tomas', 'ponmocup', 'pony', 'poseidon', 'powerstats', 'proxyback', 'pushdo', 'pws.pony', 'pykspa', 'qadars', 'qakbot', 'qqblack', 'qrypter.rat', 'qsnatch', 'racoon', 'ramdo', 'ramnit', 'ranbyus', 'ransom.cerber', 'ransomware', 'ransomware.shade', 'rat.vermin', 'renocide', 'revil', 'rodecap', 'sality', 'sality-p2p', 'servhelper', 'sgminer', 'shifu', 'shiz', 'sinowal', 'sisron', 'sodinokibi', 'spam', 'sphinx', 'spyeye', 'ssh-brute-force', 'ssl', 'ssl-az7', 'ssl-unknown-bot-test', 'ssl-vmzeus', 'stantinko', 'tdss', 'teleru', 'telnet-brute-force', 'tinba', 'tinba-dga', 'trickbot', 'triton', 'trojan.click3', 'trojan.fakeav', 'trojan.includer', 'trojan.win32.razy.gen', 'unknown', 'unknown-bot-test', 'valak', 'vawtrak', 'vbklip', 'verst', 'victorygate.a', 'victorygate.b', 'victorygate.c', 'virut', 'vmzeus', 'vobfus', 'volatile_cedar', 'vpnfilter_stage3', 'wannacrypt', 'wauchos', 'webminer.cdn', 'win.neurevt', 'worm.kasidet', 'worm.phorpiex', 'wowlik', 'wrokni', 'xbash', 'xmrminer', 'xpaj', 'xshellghost', 'yoddos', 'zeus', 'zeus_gameover', 'zeus_panda', 'zloader']
ip-address | ip-src | Device IP address
name | text | Name of the Device
status | text | Status of the device ['Infected', 'Exposed', 'Unknown', 'Clean']
version | text | Version of the device/OS
diameter-attack
Attack as seen on diameter authentication against a GSM, UMTS or LTE network.
diameter-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
ApplicationId | text | Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.
CmdCode | text | A decimal representation of the diameter Command Code.
Destination-Host | text | Destination-Host.
Destination-Realm | text | Destination-Realm.
IdrFlags | text | IDR-Flags.
Origin-Host | text | Origin-Host.
Origin-Realm | text | Origin-Realm.
SessionId | text | Session-ID.
Username | text | Username (in this case, usually the IMSI).
category | text | Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']
first-seen | datetime | When the attack has been seen for the first time.
text | text | A description of the attack seen.
dkim
DomainKeys Identified Mail - DKIM.
dkim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
d | domain | DKIM domain used for the selector record
dkim | dkim | DomainKeys Identified Mail - DKIM full DNS TXT record
h | text | DKIM hash type ['sha1', 'md5']
k | text | DKIM key type ['rsa']
n | text | DKIM administrator note
public-key | text | DKIM public key
s | text | DKIM service record
t | text | DKIM domain testing ['y', 's']
version | text | DKIM version ['DKIM1']
dns-record
A set of DNS records observed for a specific domain.
dns-record is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
a-record | ip-dst | IPv4 address associated with A record
aaaa-record | ip-dst | IPv6 address associated with AAAA record
cname-record | domain | Domain associated with CNAME record
mx-record | domain | Domain associated with MX record
ns-record | domain | Domain associated with NS record
ptr-record | domain | Domain associated with PTR record
queried-domain | domain | Domain name
soa-record | domain | Domain associated with SOA record
spf-record | ip-dst | IP addresses associated with SPF record
srv-record | domain | Domain associated with SRV record
text | text | A description of the records
txt-record | text | Content associated with TXT record
domain-crawled
A domain crawled over time.
domain-crawled is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
domain | domain | Domain name
text | text | A description of the tuple
url | url | Domain URL
domain-ip
A domain/hostname and IP address seen as a tuple in a specific time frame.
domain-ip is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
domain | domain | Domain name
first-seen | datetime | First time the tuple has been seen
hostname | hostname | Hostname related to the IP
ip | ip-dst | IP Address
last-seen | datetime | Last time the tuple has been seen
port | port | Associated TCP port with the domain
registration-date | datetime | Registration date of domain
text | text | A description of the tuple
edr-report
An Object Template to encode an EDR detection report.
edr-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
additional-file | attachment | Additional file involved in detection
command | attachment | JSON file containing the output of a command run at report generation
comment | text | Any valuable comment about the report
drivers | attachment | JSON file containing metadata about drivers loaded on the system
endpoint-id | text | Unique identifier of the endpoint concerned by the report
event | attachment | Raw EDR event which triggered reporting
executable | attachment | Executable file involved in detection
hostname | text | Endpoint hostname
id | text | Report unique identifier
ip | ip-src | Endpoint IP address
modules | attachment | JSON file containing metadata about modules loaded on the system
processes | attachment | JSON file containing metadata about running processes at the time of detection
product | text | EDR product name
elf
Object describing an Executable and Linkable Format.
elf is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
arch | text | Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']
entrypoint-address | text | Address of the entry point
number-sections | counter | Number of sections
os_abi | text | Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']
text | text | Free text value to attach to the ELF
type | text | Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']
elf-section
Object describing a section of an Executable and Linkable Format.
elf-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
entropy | float | Entropy of the whole section
flag | text | Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']
md5 | md5 | [Insecure] MD5 hash (128 bits)
name | text | Name of the section
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits)
sha224 | sha224 | Secure Hash Algorithm 2 (224 bits)
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits)
sha384 | sha384 | Secure Hash Algorithm 2 (384 bits)
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits)
sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits)
sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits)
size-in-bytes | size-in-bytes | Size of the section, in bytes
ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH)
text | text | Free text value to attach to the section
type | text | Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']
email
Email object describing an email with meta-information.
email is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
attachment | email-attachment | Attachment
bcc | email-dst | Blind carbon copy
bcc-display-name | email-dst-display-name | Display name of the blind carbon copy
cc | email-dst | Carbon copy
cc-display-name | email-dst-display-name | Display name of the carbon copy
email-body | email-body | Body of the email
eml | attachment | Full EML
from | email-src | Sender email address
from-display-name | email-src-display-name | Display name of the sender
from-domain | domain | Sender domain address (when only the source domain is known)
header | email-header | Full headers
ip-src | ip-src | Source IP address of the email sender
message-id | email-message-id | Message ID
mime-boundary | email-mime-boundary | MIME Boundary
msg | attachment | Full MSG
received-header-hostname | hostname | Extracted hostname from parsed headers
received-header-ip | ip-src | Extracted IP address from parsed headers
reply-to | email-reply-to | Email address the reply will be sent to
reply-to-display-name | email-dst-display-name | Display name of the email address the reply will be sent to
return-path | email-src | Message return path
screenshot | attachment | Screenshot of email
send-date | datetime | Date the email has been sent
subject | email-subject | Subject
thread-index | email-thread-index | Identifies a particular conversation thread
to | email-dst | Destination email address
to-display-name | email-dst-display-name | Display name of the receiver
user-agent | text | User Agent of the sender
x-mailer | email-x-mailer | X-Mailer generally tells the program that was used to draft and send the original email
employee
An employee and related data points.
employee is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
business-unit | target-org | The organizational business unit associated with the employee
email-address | target-email | Employee Email Address
employee-type | text | Type of employee ['Mid-Level Manager', 'Senior Manager', 'Non-Manager', 'Supervisor', 'First-Line Manager', 'Director']
first-name | first-name | First name of Employee
last-name | last-name | Last name of Employee
primary-asset | target-machine | Asset tag of the primary asset assigned to employee
text | text | A description of the person or identity.
userid | target-user | Employee user identification
exploit-poc
Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.
exploit-poc is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
author | text | Author of the exploit - proof of concept
description | text | Description of the exploit - proof of concept
poc | attachment | Proof of Concept or exploit (as a script, binary or described process)
references | link | External references
vulnerable_configuration | text | The vulnerable configuration described in CPE format where the exploit/proof of concept is valid
facebook-account
Facebook account.
facebook-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
account-id | text | Account id.
account-name | text | Account name.
archive | link | Archive of the account (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts etc.
description | text | A description of the user.
link | link | Original link to the page (supposed harmless).
url | url | Original URL location of the page (potentially malicious).
user-avatar | attachment | A user profile picture or avatar.
facebook-group
Public or private facebook group.
facebook-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
administrator | text | A user account who is an owner or admin of the group.
archive | link | Archive of the original group (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts, group members, etc.
creator | text | The user account that created the group.
description | text | A description of the group, channel or community.
embedded-link | url | Link embedded in the group description (potentially malicious).
embedded-safe-link | link | Link embedded in the group description (supposed safe).
group-alias | text | Aliases or previous names of group.
group-name | text | The name of the group, channel or community.
group-type | text | Facebook group type, e.g. general, buy and sell etc.
hashtag | text | Hashtag used to identify or promote the group.
link | link | Original link to the group (supposed harmless).
privacy | text | Group privacy: public, closed, secret. ['Public', 'Closed', 'Secret']
url | url | Original URL location of the group (potentially malicious).
facebook-page
Facebook page.
facebook-page is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original page (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts, page members, etc.
contact-detail | url | Contact URL listed on about page.
creator | text | The user account that created the page.
description | text | A description of the page.
embedded-link | url | Link embedded in the page description (potentially malicious).
embedded-safe-link | link | Link embedded in the page description (supposed safe).
event | text | Event announcement on page.
hashtag | text | Hashtag used to identify or promote the page.
link | link | Original link to the page (supposed harmless).
page-alias | text | Aliases or previous names of page.
page-id | text | Page id (without the @).
page-name | text | The name of the page.
page-type | text | Facebook page type, e.g. community, product etc.
related-page-id | text | Id of a page listed as related to this one (without the @).
related-page-name | text | Name of a page listed as related to this one.
team-member | text | A user account who is a member of the page.
url | url | Original URL location of the page (potentially malicious).
facebook-post
Post on a Facebook wall.
facebook-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original document (Internet Archive, Archive.is, etc).
attachment | attachment | The facebook post file or screen capture.
embedded-link | url | Link in the facebook post
embedded-safe-link | link | Safe link in the facebook post
hashtag | text | Hashtag embedded in the facebook post
in-reply-to-display-name | text | The user display name of the facebook this post shares.
in-reply-to-status-id | text | The facebook ID of the post that this post shares.
in-reply-to-user-id | text | The user ID of the facebook this post shares.
language | text | The language of the post.
link | link | Original link to the facebook post (supposed harmless).
post | text | Raw text of the post.
post-id | text | The facebook post id.
post-location | text | Id of the group, page or wall the post was posted to.
removal-date | datetime | When the facebook post was removed.
url | url | Original URL of the facebook post, e.g. link shortener (potentially malicious).
user-id | text | Id of the account who posted.
user-name | text | Display name of the account who posted.
username | text | Username who posted the facebook post
username-quoted | text | Username who is quoted in the facebook post.
facial-composite
An object which describes a facial composite.
facial-composite is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
facial-composite | attachment | Facial composite image.
technique | text | Construction technique of the facial composite. ['E-FIT', 'PROfit', 'Sketch', 'Photofit', 'EvoFIT', 'PortraitPad']
text | text | A description of the facial composite.
fail2ban
Fail2ban event.
fail2ban is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
attack-type | text | Type of the attack
banned-ip | ip-src | IP Address banned by fail2ban
failures | counter | Amount of failures that lead to the ban.
logfile | attachment | Full logfile related to the attack.
logline | text | Example log line that caused the ban.
processing-timestamp | datetime | Timestamp of the report
sensor | text | Identifier of the sensor
victim | text | Identifier of the victim
favicon
A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
favicon is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
favicon | attachment | The raw favicon file.
favicon-mmh3 | favicon-mmh3 | favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan.
link | link | The original link where the favicon was seen.
fileFile object describing a file with meta-information.
file is a MISP object available in JSON format at this location The JSON format canbe freely reused in your application or automatically enabled in MISP.
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
attachment attachment A non-maliciousfile.
authentihash authentihash Authenticodeexecutablesignature hash
certificate x509-fingerprint-sha1
Certificate value ifthe binary issigned withanotherauthenticationscheme thanauthenticode
compilation-timestamp
datetime Compilationtimestamp
entropy float Entropy of thewhole file
107
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
file-encoding text Encoding formatof the file ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding','Amiga-1251','ANSI_X3.110-1983', 'ASMO_449','Big5', 'Big5-HKSCS', 'BOCU-1','BRF', 'BS_4730','BS_viewdata','CESU-8','CP50220','CP51932','CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2','CSA_Z243.4-1985-gr', 'CSN_369103','DEC-MCS','DIN_66003', 'dk-us', 'DS_2089','EBCDIC-AT-DE','EBCDIC-AT-DE-A','EBCDIC-CA-FR','EBCDIC-DK-NO','EBCDIC-DK-NO-A','EBCDIC-ES','EBCDIC-ES-A','EBCDIC-ES-S','EBCDIC-FI-SE','EBCDIC-FI-SE-A','EBCDIC-FR','EBCDIC-IT','EBCDIC-PT','EBCDIC-UK','EBCDIC-US','ECMA-cyrillic','ES', 'ES2', 'EUC-KR','Extended_UNIX_Code_Fixed_Width_for_Japanese','Extended_UNIX_Code_Packed_Format_for_Japanese','GB18030',
108
'GB_1988-80','GB2312','GB_2312-80','GBK','GOST_19768-74','greek7', 'greek7-old', 'greek-ccitt','HP-DeskTop', 'HP-Legal', 'HP-Math8','HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858','IBM00924','IBM01140','IBM01141','IBM01142','IBM01143','IBM01144','IBM01145','IBM01146','IBM01147','IBM01148','IBM01149','IBM037', 'IBM038','IBM1026','IBM1047','IBM273', 'IBM274','IBM275', 'IBM277','IBM278', 'IBM280','IBM281', 'IBM284','IBM285', 'IBM290','IBM297', 'IBM420','IBM423', 'IBM424','IBM437', 'IBM500','IBM775', 'IBM850','IBM851', 'IBM852','IBM855', 'IBM857','IBM860', 'IBM861','IBM862', 'IBM863','IBM864', 'IBM865','IBM866', 'IBM868','IBM869', 'IBM870','IBM871', 'IBM880','IBM891', 'IBM903','IBM904', 'IBM905','IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1',
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
filename filename Filename on disk
fullpath text Complete path ofthe filenameincluding thefilename
imphash imphash Hash (md5)calculated fromthe PE importtable
malware-sample malware-sample The file itself(binary)
md5 md5 [Insecure] MD5hash (128 bits)
mimetype mime-type Mime type
path text Path of thefilename completeor partial
pattern-in-file pattern-in-file Pattern that canbe found in thefile
sha1 sha1 [Insecure] SecureHash Algorithm 1(160 bits)
sha224 sha224 Secure HashAlgorithm 2 (224bits)
sha256 sha256 Secure HashAlgorithm 2 (256bits)
109
'INIS', 'INIS-8','INIS-cyrillic','INVARIANT','ISO_10367-box','ISO-10646-J-1','ISO-10646-UCS-2','ISO-10646-UCS-4','ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1','ISO-10646-UTF-1','ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT','ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR','ISO_2033-1983','ISO_5427','ISO_5427:1981','ISO_5428:1980','ISO_646.basic:1983','ISO_646.irv:1983','ISO_6937-2-25','ISO_6937-2-add','ISO-8859-10','ISO_8859-1:1987','ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1','ISO_8859-2:1987','ISO-8859-2-Windows-Latin-2','ISO_8859-3:1988','ISO_8859-4:1988','ISO_8859-5:1988','ISO_8859-6:1987','ISO_8859-6-E','ISO_8859-6-I','ISO_8859-7:1987','ISO_8859-8:1988','ISO_8859-8-E',
sha3-224 sha3-224 Secure Hash Algorithm 3 (224 bits)
sha3-256 sha3-256 Secure Hash Algorithm 3 (256 bits)
sha3-384 sha3-384 Secure Hash Algorithm 3 (384 bits)
sha3-512 sha3-512 Secure Hash Algorithm 3 (512 bits)
sha384 sha384 Secure Hash Algorithm 2 (384 bits)
sha512 sha512 Secure Hash Algorithm 2 (512 bits)
sha512/224 sha512/224 Secure Hash Algorithm 2 (224 bits)
sha512/256 sha512/256 Secure Hash Algorithm 2 (256 bits)
size-in-bytes size-in-bytes Size of the file, in bytes
ssdeep ssdeep Fuzzy hash using context triggered piecewise hashes (CTPH)
'ISO_8859-8-I','ISO_8859-9:1989','ISO-8859-9-Windows-Latin-5','ISO_8859-supp','iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT','JIS_C6220-1969-jp', 'JIS_C6220-1969-ro','JIS_C6226-1978','JIS_C6226-1983','JIS_C6229-1984-a','JIS_C6229-1984-b','JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand','JIS_C6229-1984-hand-add','JIS_C6229-1984-kana','JIS_Encoding','JIS_X0201','JIS_X0212-1990','JUS_I.B1.002','JUS_I.B1.003-mac','JUS_I.B1.003-serb','KOI7-switched','KOI8-R', 'KOI8-U','KS_C_5601-1987','KSC5636', 'KZ-1048', 'latin-greek','Latin-greek-1','latin-lap','macintosh','Microsoft-Publishing','MNEM','MNEMONIC',
state text State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']
telfhash telfhash telfhash - Symbol hash for ELF files.
text text Free text value to attach to the file
tlsh tlsh Fuzzy hash by Trend Micro: Locality Sensitive Hash
vhash vhash vhash by VirusTotal
forensic-case
An object template to describe a digital forensic case.
forensic-case is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
additional-comments text Comments.
analysis-start-date datetime Date when the analysis began.
case-name text Name to address the case.
'MSZ_7795.3','Name', 'NATS-DANO', 'NATS-DANO-ADD','NATS-SEFI','NATS-SEFI-ADD','NC_NC00-10:81','NF_Z_62-010','NF_Z_62-010_(1973)','NS_4551-1','NS_4551-2','OSD_EBCDIC_DF03_IRV','OSD_EBCDIC_DF04_1','OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT','PT2', 'PTCP154','SCSU','SEN_850200_B','SEN_850200_C','Shift_JIS', 'T.101-G2', 'T.61-7bit','T.61-8bit', 'TIS-620', 'TSCII','UNICODE-1-1','UNICODE-1-1-UTF-7','UNKNOWN-8BIT','US-ASCII', 'us-dk','UTF-16', 'UTF-16BE', 'UTF-16LE','UTF-32', 'UTF-32BE', 'UTF-32LE','UTF-7', 'UTF-8','Ventura-International','Ventura-Math','Ventura-US','videotex-suppl','VIQR', 'VISCII','windows-1250','windows-1251','windows-1252','windows-1253',
case-number text Any unique number assigned to the case for unique identification.
name-of-the-analyst text Name(s) of the analyst assigned to the case.
references link External references
forensic-evidence
An object template to describe a digital forensic evidence.
forensic-evidence is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
acquisition-method text Method used for acquisition of the evidence. ['Live acquisition', 'Dead/Offline acquisition', 'Physical collection', 'Logical collection', 'Filesystem extraction', 'Chip-off', 'Other']
'windows-1254','windows-1255','windows-1256','windows-1257','windows-1258','Windows-31J','windows-874']
acquisition-tools text Tools used for acquisition of the evidence. ['dd', 'dc3dd', 'dcfldd', 'EnCase', 'FTK Imager', 'FDAS', 'TrueBack', 'Guymager', 'IXimager', 'Other']
additional-comments text Comments.
case-number text A unique number assigned to the case for unique identification.
evidence-number text A unique number assigned to the evidence for unique identification.
name text Name of the evidence acquired.
references link External references
type text Evidence type. ['Computer', 'Network', 'Mobile Device', 'Multimedia', 'Cloud', 'IoT', 'Other']
forged-document
Object describing a forged document.
forged-document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive link Archive of the original document (Internet Archive, Archive.is, etc).
attachment attachment The forged document file.
document-name text Title of the document.
document-text text Raw text of document
document-type text The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'blog', 'microblog', 'photo', 'audio', 'invoice', 'receipt', 'other']
first-seen datetime When the document has been accessible or seen for the first time.
last-seen datetime When the document has been accessible or seen for the last time.
link link Original link into the document (Supposed harmless)
objective text Objective of the forged document. ['Disinformation', 'Advertising', 'Parody', 'Other']
purpose-of-document text What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other']
url url Original URL location of the document (potentially malicious)
ftm-Airplane.
ftm-Airplane is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
buildDate text Build Date
country text Country
currency text Currency
description text Description
icaoCode text ICAO aircraft type designator
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
manufacturer text Manufacturer
model text Model
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationDate text Registration Date
registrationNumber text Registration Number
retrievedAt text Retrieved on
serialNumber text Serial Number
sourceUrl url Source link
summary text Summary
topics text Topics
type text Type
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Assessment.
ftm-Assessment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
assessmentId text Assessment ID
country text Country
description text Description
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publishDate text Date of publishing
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Asset.
ftm-Asset is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
country text Country
currency text Currency
description text Description
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Associate
Non-family association between two people.
ftm-Associate is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
relationship text Nature of the association
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
ftm-Audio.
ftm-Audio is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
duration float Duration of the audio in ms
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
samplingRate float Sampling rate of the audio in Hz
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-BankAccount.
ftm-BankAccount is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
accountNumber text Account Number
accountType text Account Type
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
balance float Balance
bankAddress text Bank Address
bankName text Bank Name
bic text Bank Identifier Code
country text Country
currency text Currency
description text Description
iban iban IBAN
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Call.
ftm-Call is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
callerNumber phone-number Caller’s Number
date text Date
description text Description
duration float Call Duration in seconds
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
receiverNumber phone-number Receiver’s Number
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
ftm-Company.
ftm-Company is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
bikCode text Russian bank account code
bvdId text Bureau van Dijk ID
caemCode text (RO) What kind of activity a legal entity is allowed to develop
capital text Capital
cikCode text US SEC Central Index Key
classification text Classification
coatoCode text COATO / SOATO / OKATO
country text Country
currency text Currency
description text Description
dissolutionDate text The date the legal entity was dissolved, if applicable
dunsCode text Dun & Bradstreet identifier
email email-src Email address
fnsCode text (RU, ФНС) Federal Tax Service related info
fssCode text (RU, ФСС) Social Security
ibcRuc text ibcRUC
icijId text ID according to International Consortium for Investigative Journalists
idNumber text ID number of any applicable ID
incorporationDate text The date the legal entity was incorporated
indexText text Index text
indexUpdatedAt text Index updated at
innCode text Russian company ID
ipoCode text IPO
irsCode text US tax ID
jibCode text Yugoslavia company ID
jurisdiction text Jurisdiction
keywords text Keywords
kppCode text (RU, КПП) in addition to INN for orgs; reason for registration at FNS
legalForm text Legal form
mainCountry text Primary country of this entity
mbsCode text MBS
modifiedAt text Modified on
name text Name
notes text Notes
ogrnCode text Major State Registration Number
okopfCode text (RU, ОКОПФ) What kind of business entity
okpoCode text Russian industry classifier
oksmCode text Russian (ОКСМ) countries classifier
okvedCode text (RU, ОКВЭД) Economical activity classifier. OKVED2 is the same but newer
opencorporatesUrl url OpenCorporates URL
pfrNumber text (RU, ПФР) Pension Fund Registration number. AAA-BBB-CCCCCC, where AAA is organisation region, BBB is district, CCCCCC number at a specific branch
phone phone-number Phone number
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Registration number
retrievedAt text Retrieved on
sector text Sector
sourceUrl url Source link
status text Status
summary text Summary
swiftBic text Bank identifier code
taxNumber text Tax identification number
taxStatus text Tax status
topics text Topics
vatCode text (EU) VAT number
voenCode text Azerbaijan taxpayer ID
weakAlias text Weak alias
website url Website address
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Contract
A contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).
ftm-Contract is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
cancelled text Cancelled?
classification text Classification
contractDate text Contract date
country text Country
criteria text Contract award criteria
currency text Currency
description text Description
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
language text Language
method text Procurement method
modifiedAt text Modified on
name text Contract name
notes text Notes
noticeId text Contract Award Notice ID
numberAwards text Number of awards
previousName text Previous name
procedure text Contract procedure
procedureNumber text Procedure number
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
status text Procurement status
summary text Summary
title text Contract title
topics text Topics
type text Type of contract. Potentially W (Works), U (Supplies), S (Services).
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-ContractAward
A contract or contract lot as awarded to a supplier.
ftm-ContractAward is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
amended text Was this award amended, modified or updated by a subsequent document?
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
cpvCode text Contract Procurement Vocabulary (what type of goods/services, EU)
currency text Currency
date text Date
decisionReason text Decision reason
description text Description
documentNumber text Document number
documentType text Document type
endDate text End date
indexText text Index text
lotNumber text Lot number
modifiedAt text Modified on
nutsCode text Nomenclature of Territorial Units for Statistics (NUTS)
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-CourtCase.
ftm-CourtCase is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
caseNumber text Case number
category text Category
closeDate text Close date
country text Country
court text Court
description text Description
fileDate text File date
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
status text Status
summary text Summary
topics text Topics
type text Type
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-CourtCaseParty.
ftm-CourtCaseParty is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Debt
A monetary debt between two parties.
ftm-Debt is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
currency text Currency
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
ftm-Directorship.
ftm-Directorship is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
secretary text Secretary
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Document.
ftm-Document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Documentation.
ftm-Documentation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-EconomicActivity
A foreign economic activity.
ftm-EconomicActivity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
ccdNumber text Customs Cargo Declaration Number
ccdValue text Declaration Value
customsAmount text Customs Value of goods
customsProcedure text Customs Procedure — type of customs clearance
date text Date
departureCountry text Country out of which the goods are transported
description text Description
destinationCountry text Final destination for the goods
directionOfTransportation text Direction of transportation (import/export)
dollarExchRate text USD Exchange Rate for the activity
endDate text End date
goodsDescription text Description of goods
indexText text Index text
invoiceAmount text Invoice Value of goods
modifiedAt text Modified on
originCountry text Country of origin of goods
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
tradingCountry text Trading Country of the company which transports the goods via Russian border
vedCode text (Код ТН ВЭД) Foreign Economic Activity Commodity Code
vedCodeDescription text (Описание кода ТН ВЭД) Foreign Economic Activity Commodity Code description
ftm-Email.
ftm-Email is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
bcc text Blind carbon copy
bodyHtml text HTML
bodyText text Text
cc text Carbon copy
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
from text From
generator text The program used to generate this file
headers text Raw headers
ibanMentioned iban Detected IBANs
inReplyTo text Message ID of the preceding email in the thread
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sender text Sender
sourceUrl url Source link
subject text Subject
summary text Summary
threadTopic text Thread topic
title text Title
to text To
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Event.
ftm-Event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
companiesMentioned text Detected companies
country text Country
date text Date
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
endDate text End date
ibanMentioned iban Detected IBANs
important text Important
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
location text Location
locationMentioned text Detected locations
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source link
startDate text Start date
summary text Summary
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Family
Family relationship between two people.
ftm-Family is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
relationship text Nature of the relationship, from the person’s perspective eg. 'mother', where 'relative' is mother of 'person'.
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
ftm-Folder.
ftm-Folder is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-HyperText.
ftm-HyperText is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
bodyHtml text HTML
bodyText text Text
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Image.
ftm-Image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
bodyText text Text
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Land.
ftm-Land is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
area float Area
cadastralCode text Cadastral code
censusBlock text Census block
country text Country
createDate text Record date
currency text Currency
description text Description
encumbrance text An encumbrance is a right to, interest in, or legal liability on real property that does not prohibit passing title to the property but that diminishes its value.
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
landType text Land type
latitude float Latitude
longitude float Longitude
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
propertyType text Property type
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Registration number
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
tenure text Tenure
titleNumber text Title number
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-LegalEntity
A legal entity may be a person or a company.
ftm-LegalEntity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
bvdId text Bureau van Dijk ID
classification text Classification
country text Country
description text Description
dissolutionDate text The date the legal entity was dissolved, if applicable
dunsCode text Dun & Bradstreet identifier
email email-src Email address
icijId text ID according to International Consortium for Investigative Journalists
idNumber text ID number of any applicable ID
incorporationDate text The date the legal entity was incorporated
indexText text Index text
indexUpdatedAt text Index updated at
innCode text Russian company ID
jurisdiction text Country or region in which this entity operates
keywords text Keywords
legalForm text Legal form
mainCountry text Primary country of this entity
modifiedAt text Modified on
name text Name
notes text Notes
okpoCode text Russian industry classifier
opencorporatesUrl url OpenCorporates URL
phone phone-number Phone number
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Company registration number
retrievedAt text Retrieved on
sector text Sector
sourceUrl url Source link
status text Status
summary text Summary
swiftBic text Bank identifier code
taxNumber text Tax identification number
taxStatus text Tax status
topics text Topics
vatCode text (EU) VAT number
weakAlias text Weak alias
website url Website address
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-License
A grant of land, rights or property. A type of Contract.
ftm-License is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
area text Area
cancelled text Cancelled?
classification text Classification
commodities text Commodities
contractDate text Contract date
country text Country
criteria text Contract award criteria
currency text Currency
description text Description
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
language text Language
method text Procurement method
modifiedAt text Modified on
name text Contract name
notes text Notes
noticeId text Contract Award Notice ID
numberAwards text Number of awards
previousName text Previous name
procedure text Contract procedure
procedureNumber text Procedure number
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
reviewDate text License review date
sourceUrl url Source link
status text Procurement status
summary text Summary
title text Contract title
topics text Topics
type text Type of contract. Potentially W (Works), U (Supplies), S (Services).
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Membership.
ftm-Membership is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Message.
ftm-Message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
bodyHtml text HTML
bodyText text Text
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
endDate text End date
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
inReplyTo text Message ID of the preceding message in the thread
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
metadata text Metadata
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source link
startDate text Start date
subject text Subject
summary text Summary
threadTopic text Thread topic
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Organization.
ftm-Organization is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
bvdId text Bureau van Dijk ID
classification text Classification
country text Country
description text Description
dissolutionDate text The date the legal entity was dissolved, if applicable
dunsCode text Dun & Bradstreet identifier
email email-src Email address
icijId text ID according to International Consortium for Investigative Journalists
idNumber text ID number of any applicable ID
incorporationDate text The date the legal entity was incorporated
indexText text Index text
indexUpdatedAt text Index updated at
innCode text Russian company ID
jurisdiction text Country or region in which this entity operates
keywords text Keywords
legalForm text Legal form
mainCountry text Primary country of this entity
modifiedAt text Modified on
name text Name
notes text Notes
okpoCode text Russian industry classifier
opencorporatesUrl url OpenCorporates URL
phone phone-number Phone number
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Company registration number
retrievedAt text Retrieved on
sector text Sector
sourceUrl url Source link
status text Status
summary text Summary
swiftBic text Bank identifier code
taxNumber text Tax identification number
taxStatus text Tax status
topics text Topics
vatCode text (EU) VAT number
weakAlias text Weak alias
website url Website address
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Ownership.
ftm-Ownership is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
legalBasis text Legal basis
modifiedAt text Modified on
ownershipType text Type of ownership
percentage text Percentage held
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sharesCount text Number of shares
sharesCurrency text Currency of shares
sharesType text Type of shares
sharesValue text Value of shares
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Package.
ftm-Package is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Page.
ftm-Page is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
bodyText text Text
detectedLanguage text Auto-detected language
index float Index
indexText text Index text
ftm-Pages.
ftm-Pages is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
pdfHash sha1 PDF alternative version checksum
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Passport
Passport.
ftm-Passport is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
authority text Authority
birthDate text Date of birth
birthPlace text Place of birth
country text Country
date text Date
description text Description
endDate text End date
gender text Gender
givenName text Given name
indexText text Index text
modifiedAt text Modified on
passportNumber text Passport number
personalNumber text Personal number
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
surname text Surname
type text Document type
ftm-Payment
A monetary payment between two parties.
ftm-Payment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
currency text Currency
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
programme text Programme name, funding code, category identifier, etc.
publisher text Publishing source
publisherUrl url Publishing source URL
purpose text Payment purpose
recordId text Record ID
retrievedAt text Retrieved on
sequenceNumber text Sequence number
sourceUrl url Source URL
startDate text Start date
summary text Summary
transactionNumber text Transaction number
ftm-Person
An individual.
ftm-Person is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
birthDate text Birth date
birthPlace text Place of birth
bvdId text Bureau van Dijk ID
classification text Classification
country text Country
deathDate text Death date
description text Description
dissolutionDate text The date the legal entity was dissolved, if applicable
dunsCode text Dun & Bradstreet identifier
email email-src Email address
fatherName text Patronymic
firstName text First name
gender text Gender
icijId text ID according to International Consortium for Investigative Journalists
idNumber text ID number of any applicable ID
incorporationDate text The date the legal entity was incorporated
indexText text Index text
indexUpdatedAt text Index updated at
innCode text Russian company ID
jurisdiction text Country or region in which this entity operates
keywords text Keywords
lastName text Last name
legalForm text Legal form
mainCountry text Primary country of this entity
middleName text Middle name
modifiedAt text Modified on
motherName text Matronymic
name text Name
nationality text Nationality
notes text Notes
okpoCode text Russian industry classifier
opencorporatesUrl url OpenCorporates URL
passportNumber text Passport
phone phone-number Phone number
position text Position
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Company registration number
retrievedAt text Retrieved on
secondName text Second name
sector text Sector
sourceUrl url Source link
status text Status
summary text Summary
swiftBic text Bank identifier code
taxNumber text Tax identification number
taxStatus text Tax status
title text Title
topics text Topics
vatCode text (EU) VAT number
weakAlias text Weak alias
website url Website address
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-PlainText.
ftm-PlainText is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
bodyText text Text
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-PublicBody
A public body, such as a ministry, department or state company.
ftm-PublicBody is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
bvdId text Bureau van Dijk ID
classification text Classification
country text Country
description text Description
dissolutionDate text The date the legal entity was dissolved, if applicable
dunsCode text Dun & Bradstreet identifier
email email-src Email address
icijId text ID according to International Consortium for Investigative Journalists
idNumber text ID number of any applicable ID
incorporationDate text The date the legal entity was incorporated
indexText text Index text
indexUpdatedAt text Index updated at
innCode text Russian company ID
jurisdiction text Country or region in which this entity operates
keywords text Keywords
legalForm text Legal form
mainCountry text Primary country of this entity
modifiedAt text Modified on
name text Name
notes text Notes
okpoCode text Russian industry classifier
opencorporatesUrl url OpenCorporates URL
phone phone-number Phone number
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Company registration number
retrievedAt text Retrieved on
sector text Sector
sourceUrl url Source link
status text Status
summary text Summary
swiftBic text Bank identifier code
taxNumber text Tax identification number
taxStatus text Tax status
topics text Topics
vatCode text (EU) VAT number
weakAlias text Weak alias
website url Website address
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-RealEstate
A piece of land or property.
ftm-RealEstate is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
area float Area
cadastralCode text Cadastral code
censusBlock text Census block
country text Country
createDate text Record date
currency text Currency
description text Description
encumbrance text An encumbrance is a right to, interest in, or legal liability on real property that does not prohibit passing title to the property but that diminishes its value.
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
landType text Land type
latitude float Latitude
longitude float Longitude
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
propertyType text Property type
publisher text Publishing source
publisherUrl url Publishing source URL
registrationNumber text Registration number
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
tenure text Tenure
titleNumber text Title number
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Representation
A mediatory, intermediary, middleman, or broker acting on behalf of a legal entity.
ftm-Representation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Row
ftm-Row is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
cells text Cells
index float Index
indexText text Index text
ftm-Sanction
A sanction designation.
ftm-Sanction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
authority text Authority
country text Country
date text Date
description text Description
duration text Duration
endDate text End date
indexText text Index text
modifiedAt text Modified on
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
reason text Reason
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Succession
Two entities that legally succeed each other.
ftm-Succession is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-Table
ftm-Table is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
columns text Column headings
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
csvHash sha1 CSV alternative version checksum
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
rowCount float Number of rows
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-TaxRoll
A tax declaration of an individual.
ftm-TaxRoll is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
birthDate text Date of birth
country text Country
date text Date
description text Description
endDate text End date
givenName text Given name
income text Registered income
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
sourceUrl url Source URL
startDate text Start date
summary text Summary
surname text Surname
taxPaid text Amount of tax paid
wealth text Registered wealth
ftm-UnknownLink
ftm-UnknownLink is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
alephUrl url Aleph URL
date text Date
description text Description
endDate text End date
indexText text Index text
modifiedAt text Modified on
publisher text Publishing source
publisherUrl url Publishing source URL
recordId text Record ID
retrievedAt text Retrieved on
role text Role
sourceUrl url Source URL
startDate text Start date
status text Status
summary text Summary
ftm-UserAccount
ftm-UserAccount is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
country text Country
description text Description
email email-src E-mail
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
modifiedAt text Modified on
name text Name
notes text Notes
number phone-number Phone Number
password text Password
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
service text Service
sourceUrl url Source link
summary text Summary
topics text Topics
username text Username
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Vehicle
ftm-Vehicle is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
buildDate text Build Date
country text Country
currency text Currency
description text Description
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
model text Model
modifiedAt text Modified on
name text Name
notes text Notes
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationDate text Registration Date
registrationNumber text Registration Number
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
topics text Topics
type text Type
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Vessel
A boat or ship.
ftm-Vessel is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
amount float Amount
amountEur float Amount in EUR
amountUsd float Amount in USD
buildDate text Build Date
callSign text Call Sign
country text Country
crsNumber text CRS Number
currency text Currency
description text Description
flag text Flag
grossRegisteredTonnage float Gross Registered Tonnage
imoNumber text IMO Number
indexText text Index text
indexUpdatedAt text Index updated at
keywords text Keywords
mmsi text MMSI
model text Model
modifiedAt text Modified on
name text Name
nameChangeDate text Date of Name Change
navigationArea text Navigation Area
notes text Notes
pastFlags text Past Flags
pastNames text Past Names
pastTypes text Past Types
previousName text Previous name
program text Program
publisher text Publishing source
publisherUrl url Publishing source URL
registrationDate text Registration Date
registrationNumber text Registration Number
registrationPort text Port of Registration
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
tonnage text Tonnage
topics text Topics
type text Type
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Video
ftm-Video is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
duration float Duration of the video in ms
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
ftm-Workbook
ftm-Workbook is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address text Address
alephUrl url Aleph URL
alias text Other name
author text The original author, not the uploader
authoredAt text Authored on
companiesMentioned text Detected companies
contentHash sha1 SHA1 hash of the data
country text Country
crawler text The crawler used to acquire this file
date text If not otherwise specified
description text Description
detectedCountry text Detected country
detectedLanguage text Detected language
emailMentioned email-src Detected e-mail addresses
encoding text File encoding
extension text File extension
fileName text File name
fileSize float File size
generator text The program used to generate this file
ibanMentioned iban Detected IBANs
indexText text Index text
indexUpdatedAt text Index updated at
ipMentioned ip-src Detected IP addresses
keywords text Keywords
language text Language
locationMentioned text Detected locations
messageId text Message ID of a document; unique in most cases
mimeType mime-type MIME type
modifiedAt text Modified on
name text Name
namesMentioned text Detected names
notes text Notes
peopleMentioned text Detected people
phoneMentioned phone-number Detected phones
previousName text Previous name
processingError text Processing error
processingStatus text Processing status
program text Program
publishedAt text Published on
publisher text Publishing source
publisherUrl url Publishing source URL
retrievedAt text Retrieved on
sourceUrl url Source link
summary text Summary
title text Title
topics text Topics
weakAlias text Weak alias
wikidataId text Wikidata ID
wikipediaUrl url Wikipedia Article
geolocation
An object to describe a geographic location.
geolocation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
accuracy-radius float The approximate accuracy radius, in kilometers, around the latitude and longitude for the geographical entity (country, subdivision, city or postal code) associated with the related object. (based on geoip2 accuracy of maxmind)
address text Address.
altitude float The altitude is the decimal value of the altitude in the World Geodetic System 84 (WGS84) reference.
city text City.
country text Country.
countrycode text Country code in ISO 3166-1 alpha-2
epsg text EPSG Geodetic Parameter value. This is an integer value of the EPSG.
first-seen datetime When the location was seen for the first time.
last-seen datetime When the location was seen for the last time.
latitude float The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
longitude float The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
neighborhood text Neighborhood.
region text Region.
spacial-reference text Default spacial or projection reference for this object. ['WGS84 EPSG:4326', 'Mercator EPSG:3857']
text text A generic description of the location.
zipcode text Zip Code.
git-vuln-finder
Export from git-vuln-finder.
git-vuln-finder is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
author text Commit author
author-email email-src Commit authors email
authored_date datetime Date the commit was originally made
branches text Branches the commit is on
commit-id git-commit-id Commit ID where the vulnerability is fixed.
committed_date datetime Date the commit was modified last
cve vulnerability CVE associated to the vulnerability
language text Language of the commit (ISO 639-1 codes)
message text Commit message
origin text Origin of the repository
origin-github-api url Full path to the commit on github
pattern-matches text Pattern matching for the vulnerability
pattern-selected text Pattern used to find the vulnerability
state text State of the vulnerability ['under-review', 'cve-assigned']
stats.deletions counter Number of deletions in the commit
stats.files counter Number of files changed in the commit
stats.insertions counter Number of insertions in the commit
stats.lines counter Number of line changes in the commit
summary text Commit summary
tags text User defined tags
github-user
GitHub user.
github-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
avatar_url link Avatar URL
bio text Biography of the GitHub user.
blog text Blog - often used as website field of the user
company text Company
follower github-username GitHub user is followed by.
following github-username Followed GitHub users by the GitHub user.
link link Original Link to the GitHub account.
location text Location given by the GitHub user
node_id text GitHub GraphQL node_id
organisation github-organisation Organisation affiliation of the GitHub user (it can be multiple).
profile-image attachment Profile image of the GitHub user (it can be multiple).
public_gists text
public_repos text
repository github-repository GitHub repository under the GitHub user.
ssh-public-key text SSH public key associated to the GitHub user.
twitter_username text Associated twitter account
user-fullname text Fullname of the GitHub user.
username github-username GitHub username.
verified text User verified. ['True', 'False']
gitlab-user
GitLab user. Gitlab.com user or self-hosted GitLab instance.
gitlab-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
avatar_url link Avatar url of the GitLab User
id text GitLab User id
name text Complete Name of the GitLab User Id
state text State of the GitLab User ['active', 'inactive', 'blocked']
username text Username of the GitLab User
web_url link Profile url of the GitLab User
gtp-attack
GTP attack object as seen on a GSM, UMTS or LTE network.
gtp-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
GtpImei text GTP IMEI (International Mobile Equipment Identity).
GtpImsi text GTP IMSI (International mobile subscriber identity).
GtpInterface text GTP interface. ['S5', 'S11', 'S10', 'S8', 'Gn', 'Gp']
GtpMessageType text GTP defines a set of messages between two associated GSNs or an SGSN and an RNC. Message type is described as a decimal value.
GtpMsisdn text GTP MSISDN.
GtpServingNetwork text GTP Serving Network.
GtpVersion text GTP version ['0', '1', '2']
PortDest text Destination port.
PortSrc port Source port.
first-seen datetime When the attack has been seen for the first time.
ipDest ip-dst IP destination address.
ipSrc ip-src IP source address.
text text A description of the GTP attack.
hashlookup
hashlookup object as described on hashlookup services from circl.lu - https://www.circl.lu/services/hashlookup.
hashlookup is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
FileName filename Complete path of the filename including the filename
FileSize size-in-bytes Size of the file, in bytes
KnownMalicious text Source of the hashlookup record if it’s a known malicious file
MD5 md5 MD5 hash (128 bits) in hex representation
PackageArch text Package architecture
PackageDescription text Package description and information
PackageMaintainer text Package Maintainer(s)
PackageName text Package Name
PackageRelease text Package Release
PackageVersion text Package Version
SHA-1 sha1 Secure Hash Algorithm 1 (160 bits) in hex representation
SHA-256 sha256 Secure Hash Algorithm 2 (256 bits) in hex representation
SSDEEP ssdeep SSDEEP - Fuzzy hashing
TLSH tlsh TLSH - Trend Micro Locality Sensitive Hash
source text Source of the hashlookup record
http-request
A single HTTP request header.
http-request is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
basicauth-password text HTTP Basic Authentication Password
basicauth-user text HTTP Basic Authentication Username
content-type other The MIME type of the body of the request
cookie text An HTTP cookie previously sent by the server with Set-Cookie
header text An HTTP header sent during HTTP request
host hostname The domain name of the server
ip-dst ip-dst The IP address of the server
ip-src ip-src The IP address of the client
method http-method HTTP Method invoked (one of GET, POST, PUT, HEAD, DELETE, OPTIONS, CONNECT)
proxy-password text HTTP Proxy Password
proxy-user text HTTP Proxy Username
referer other This is the address of the previous web page from which a link to the currently requested page was followed
text text HTTP Request comment
uri uri Request URI
url url Full HTTP Request URL
user-agent user-agent The user agent string of the user agent
ilr-impact
Institut Luxembourgeois de Regulation - Impact.
ilr-impact is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
duree text Duration of the incident in hh:mm
nombre-utilisateurs-touches text Number of users affected by the incident
pourcentage-utilisateurs-touches text Percentage of the service's users affected by the incident
service text Service impacted by the incident ['Telephonie fixe', 'Acces Internet fixe', 'Telephonie mobile', 'Acces Internet mobile']
ilr-notification-incident
Institut Luxembourgeois de Regulation - Incident notification.
ilr-notification-incident is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
actions-corrective text Long-term corrective actions
actions-posterieur text Actions taken after the incident to minimise the risk
autres-informations text Other information about the nature of the incident, in particular the list of affected assets and any subsequent causes triggered by the initial cause
cause-initiale-incident text Initial cause of the incident ['rreur humaine', "Defaut systeme 'hardware','software','procedures'", 'Attaque malveillante', 'Defaut d’une partie tierce ou externe', 'Catastrophe naturelle']
date-incident datetime Date/time of detection of the incident:
date-pre-notification text Date of the pre-notification
delimitation-geographique text Geographic scope ['Nationale', 'Regionale']
description-incident text General description of the incident
description-probleme-services-urgence text Description of the problem on the impacted emergency services
details-service text Details of the service concerned and of the impact of the incident
email-contact-incident text Email of the contact person for the incident
impact-servicesw-urgence text Emergency services impacted? ['Oui', 'Non']
interconnections-affectees text National and/or international interconnections affected
nom-contact-incident text Name of the contact person for the incident
nom-entreprise text Name of the notified company
remarques text Remark(s), in particular the experience gained and the lessons learned from the incident
telephone-contact-incident text Telephone of the contact person for the incident
traitement-incident text Handling of the incident and actions taken, in chronological order
zone-impactee text Impacted zones/municipalities/towns
image
Object describing an image file.
image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive link Archive of the image (Internet Archive, Archive.is, etc).
attachment attachment The image file.
filename filename The image filename.
image-text text Raw text of image
link link Original link into the image (Supposed harmless)
url url Original URL location of the image (potentially malicious)
username text Username who posted the image.
impersonation
Represent an impersonating account.
impersonation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
account-name text Name of the impersonating account
account-url url url of the impersonating account
impersonated-account-name text Name of the impersonated account
impersonated-account-url link url of the impersonated account
objective text Objective of the impersonation ['Information stealing', 'Disinformation', 'Distrusting', 'Advertising', 'Parody', 'Other']
real-name text Real name of the impersonated person or entity
type text Type of the account ['Person', 'Association', 'Enterprise', 'Other']
type-of-account text Type of the impersonated account ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
imsi-catcher
IMSI Catcher entry object based on the open source IMSI catcher.
imsi-catcher is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
brand text Brand associated with the IMSI registration.
cellid text CellID
country text Country where the IMSI is registered.
first-seen datetime When the IMSI has been accessible or seen for the first time.
imsi text A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
lac text LAC - Location Area Code
mcc text MCC - Mobile Country Code
mnc text MNC - Mobile Network Code
operator text Operator associated with the IMSI registration.
seq counter A sequence number for the collection
text text A description of the IMSI record.
tmsi-1 text Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
tmsi-2 text Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
instant-message
Instant Message (IM) object template describing one or more IM messages.
instant-message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
app-used text The IM application used to send the message. ['WhatsApp', 'Google Hangouts', 'Facebook Messenger', 'Telegram', 'Signal', 'WeChat', 'BlackBerry Messenger', 'TeamSpeak', 'TorChat', 'RetroShare', 'Slack']
archive link Archive of the original message (Internet Archive, Archive.is, etc).
attachment attachment The message file or screen capture.
body text Message body of the IM.
from-name text Name of the person that sent the message.
from-number phone-number Phone number used to send the message.
from-user text User account that sent the message.
link link Original link into the message (Supposed harmless).
received-date datetime Received date of the message.
sent-date datetime Initial sent date of the message.
subject text Subject of the message if any.
to-name text Name of the person that received the message.
to-number phone-number Phone number receiving the message.
to-user text User account that received the message.
url url Original URL location of the message (potentially malicious).
instant-message-group
Instant Message (IM) group object template describing a public or private IM group, channel or conversation.
instant-message-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
app-used text The IM application used to send the message. ['WhatsApp', 'Google Hangouts', 'Facebook Messenger', 'Telegram', 'Signal', 'WeChat', 'BlackBerry Messenger', 'TeamSpeak', 'TorChat', 'RetroShare', 'Slack']
archive link Archive of the original group (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or exported list of contacts, group members, etc.
group-alias text Aliases of group, channel or community.
group-name text The name of the group, channel or community.
link link Original link into the group (Supposed harmless).
person-name text A person who is a member of the group.
url url Original URL location of the group (potentially malicious).
username text A user account who is a member of the group.
intel471-vulnerability-intelligence
Intel 471 vulnerability intelligence object.
intel471-vulnerability-intelligence is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
activity-location-open-source boolean The vulnerability is being discussed in open source. ['True', 'False']
activity-location-private boolean The vulnerability is being discussed in private/direct communications. ['True', 'False']
activity-location-underground boolean The vulnerability is being discussed in the underground. ['True', 'False']
countermeasures text Summary of countermeasures to protect against the vulnerability.
cve-id text The vulnerability’s CVE ID.
cvss-score-v2 float CVSS score (version 2).
cvss-score-v3 float CVSS score (version 3).
detection text Detection signatures/definitions exist for the vulnerability.
exploit-status-available boolean Exploit code for the vulnerability is available. ['True', 'False']
exploit-status-not-observed boolean Exploit code or usage has not been observed for the vulnerability. ['True', 'False']
exploit-status-productized boolean There is a module for the vulnerability in commercial exploit kits or network security tools. ['True', 'False']
exploit-status-weaponized boolean The vulnerability has been used in an attack or has been included in an exploit kit. ['True', 'False']
interest-level-disclosed-publicly boolean The vulnerability has been disclosed publicly. ['True', 'False']
interest-level-exploit-sought boolean An exploit for the vulnerability is being sought. ['True', 'False']
interest-level-researched-publicly boolean The vulnerability has been researched or documented publicly. ['True', 'False']
modified datetime Last modification date.
patch-status text Availability of a patch for the vulnerability.
product-name text Product name.
proof-of-concept text Proof of concept code or demonstration exists.
published datetime Initial publication date.
references link External references.
risk-level text Risk level of the vulnerability.
summary text Summary of the vulnerability.
underground-activity-status text Indicates if underground activity has been observed for the vulnerability.
underground-activity-summary text Description of underground activity related to the vulnerability.
vendor-name text Vendor name.
vulnerability-status text The status of vulnerability.
vulnerability-type text The type of vulnerability.
vulnerable-configuration text Vulnerable configuration in CPE format.
intelmq_event
IntelMQ Event.
intelmq_event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
classification.identifier text The lowercase identifier defines the actual software or service (e.g. 'heartbleed' or 'ntp_version') or standardized malware name (e.g. 'zeus'). Note that you MAY overwrite this field during processing for your individual setup. This field is not standardized across IntelMQ setups/users.
classification.taxonomy text We recognize the need for the CSIRT teams to apply a static (incident) taxonomy to abuse data. With this goal in mind the type IOC will serve as a basis for this activity. Each value of the dynamic type mapping translates to an element in the static taxonomy. The European CSIRT teams for example have decided to apply the eCSIRT.net incident classification. The value of the taxonomy key is thus a derivative of the dynamic type above. For more information, check [ENISA taxonomies](http://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/incident-taxonomy/existing-taxonomies).
classification.type text The abuse type IOC is one of the most crucial pieces of information for any given abuse event. The main idea of dynamic typing is to keep our ontology flexible, since we need to evolve with the evolving threatscape of abuse data. In contrast with the static taxonomy below, the dynamic typing is used to perform business decisions in the abuse handling pipeline. Furthermore, the value data set should be kept as minimal as possible to avoid 'type explosion', which in turn dilutes the business value of the dynamic typing. In general, we normally have two types of abuse type IOC: ones referring to a compromised resource or ones referring to pieces of the criminal infrastructure, such as command and control servers for example.
comment text Free text commentary about the abuse event inserted by an analyst.
destination.abuse_contact text Abuse contact for destination address. A comma separated list.
destination.account text An account name or email address, which has been identified to relate to the destination of an abuse event.
destination.allocated datetime Allocation date corresponding to BGP prefix.
destination.as_name text The autonomous system name to which the connection headed.
destination.asn AS The autonomous system number to which the connection headed.
destination.domain_suffix text The suffix of the domain from the public suffix list.
destination.fqdn domain A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
destination.geolocation.cc text Country-Code according to ISO3166-1 alpha-2 for the destination IP.
destination.geolocation.city text Some geolocation services refer to city-level geolocation.
destination.geolocation.country text The country name derived from the ISO3166 country code (assigned to cc field).
destination.geolocation.latitude float Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.
destination.geolocation.longitude float Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.
destination.geolocation.region text Some geolocation services refer to region-level geolocation.
destination.geolocation.state text Some geolocation services refer to state-level geolocation.
destination.ip ip-dst The IP which is the target of the observed connections.
destination.local_hostname hostname Some sources report an internal hostname within a NAT related to the name configured for a compromised system
destination.local_ip ip-dst Some sources report an internal (NATed) IP address related to a compromised system. N.B. RFC1918 IPs are OK here.
destination.network ip-dst CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
destination.port counter The port to which the connection headed.
destination.registry text The IP registry a given ip address is allocated by.
destination.reverse_dns text Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
destination.tor_node boolean If the destination IP was a known tor node. ['True', 'False']
destination.url url A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
destination.urlpath text The path portion of an HTTP or related network request.
event_description.target text Some sources denominate the target (organization) of an attack.
event_description.text text A free-form textual description of an abuse event.
event_description.url url A description URL is a link to a further description of the abuse event in question.
event_hash text Computed event hash with specific keys and values that identify a unique event. At present, the hash should default to using the SHA1 function. Please note that for an event hash to be able to match more than one event (deduplication) the receiver of an event should calculate it based on a minimal set of keys and values present in the event. Using for example the observation time in the calculation will most likely render the checksum useless for deduplication purposes.
extra text All anecdotal information, which cannot be parsed into the data harmonization elements. E.g. os.name, os.version, etc. Note: this is only intended for mapping any fields which cannot map naturally into the data harmonization. It is not intended for extending the data harmonization with your own fields.
feed.accuracy float A float between 0 and 100 that represents how accurate the data in the feed is
feed.code text Code name for the feed, e.g. DFGS, HSDAG etc.
feed.documentation text A URL or hint where to find the documentation of this feed.
feed.name text Name for the feed, usually found in collector bot configuration.
feed.provider text Name for the provider of the feed, usually found in collector bot configuration.
feed.url url The URL of a given abuse feed, where applicable
malware.hash.md5 md5 A string depicting an MD5 checksum for a file, be it a malware sample for example.
malware.hash.sha1 sha1 A string depicting a SHA1 checksum for a file, be it a malware sample for example.
malware.hash.sha256 sha256 A string depicting a SHA256 checksum for a file, be it a malware sample for example.
malware.name text The malware name in lower case.
malware.version text A version string for an identified artifact generation, e.g. a crime-ware kit.
misp.attribute_uuid text MISP - Malware Information Sharing Platform & Threat Sharing UUID of an attribute.
misp.event_uuid text MISP - Malware Information Sharing Platform & Threat Sharing UUID.
output text Event data converted into foreign format, intended to be exported by output plugin.
protocol.application text e.g. vnc, ssh, sip, irc, http or smtp.
protocol.transport text e.g. tcp, udp, icmp.
raw text The original line of the event, encoded in base64.
rtir_id counter Request Tracker Incident Response ticket id.
screenshot_url url Some sources may report URLs related to an image generated of a resource without any metadata. Or a URL pointing to resource, which has been rendered into a webshot, e.g. a PNG image and the relevant metadata related to its retrieval/generation.
source.abuse_contact text Abuse contact for source address. A comma separated list.
source.account text An account name or email address, which has been identified to relate to the source of an abuse event.
source.allocated datetime Allocation date corresponding to BGP prefix.
source.as_name text The autonomous system name from which the connection originated.
source.asn AS The autonomous system number from which the connection originated.
source.domain_suffix text The suffix of the domain from the public suffix list.
source.fqdn domain A DNS name related to the host from which the connection originated. DNS allows even binary data in DNS, so we have to allow everything. A final point is stripped, string is converted to lower case characters.
source.geolocation.cc text Country-Code according to ISO3166-1 alpha-2 for the source IP.
source.geolocation.city text Some geolocation services refer to city-level geolocation.
source.geolocation.country text The country name derived from the ISO3166 country code (assigned to cc field).
source.geolocation.cymru_cc text The country code denoted for the ip by the Team Cymru asn to ip mapping service.
source.geolocation.geoip_cc text MaxMind Country Code (ISO3166-1 alpha-2).
source.geolocation.latitude float Latitude coordinates derived from a geolocation service, such as MaxMind geoip db.
source.geolocation.longitude float Longitude coordinates derived from a geolocation service, such as MaxMind geoip db.
source.geolocation.region text Some geolocation services refer to region-level geolocation.
source.geolocation.state text Some geolocation services refer to state-level geolocation.
source.ip ip-src The ip observed to initiate the connection
source.local_hostname hostname Some sources report an internal hostname within a NAT related to the name configured for a compromised system
source.local_ip ip-src Some sources report an internal (NATed) IP address related to a compromised system. N.B. RFC1918 IPs are OK here.
source.network ip-src CIDR for an autonomous system. Also known as BGP prefix. If multiple values are possible, select the most specific.
source.port counter The port from which the connection originated.
source.registry text The IP registry a given ip address is allocated by.
source.reverse_dns text Reverse DNS name acquired through a reverse DNS query on an IP address. N.B. Record types other than PTR records may also appear in the reverse DNS tree. Furthermore, unfortunately, there is no rule prohibiting people from writing anything in a PTR record. Even JavaScript will work. A final point is stripped, string is converted to lower case characters.
source.tor_node boolean If the source IP was a known tor node. ['True', 'False']
source.url url A URL denotes an IOC, which refers to a malicious resource, whose interpretation is defined by the abuse type. A URL with the abuse type phishing refers to a phishing resource.
source.urlpath text The path portion of an HTTP or related network request.
status text Status of the malicious resource (phishing, dropzone, etc), e.g. online, offline.
time.observation datetime The time the collector of the local instance processed (observed) the event.
time.source datetime The time of occurrence of the event as reported by the feed (source).
tlp text Traffic Light Protocol level of the event.
intelmq_report
IntelMQ Report.
intelmq_report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
extra text All anecdotal information of the report, which cannot be parsed into the data harmonization elements. E.g. subject of mails, etc. This data is not automatically propagated to the events.
feed.accuracy float A float between 0 and 100 that represents how accurate the data in the feed is
feed.code text Code name for the feed, e.g. DFGS, HSDAG etc.
feed.documentation text A URL or hint where to find the documentation of this feed.
feed.name text Name for the feed, usually found in collector bot configuration.
feed.provider text Name for the provider of the feed, usually found in collector bot configuration.
feed.url url The URL of a given abuse feed, where applicable
raw text The original raw and unparsed data encoded in base64.
rtir_id counter Request Tracker Incident Response ticket id.
time.observation datetime The time the collector of the local instance processed (observed) the event.
internal-reference
Internal reference.
internal-reference is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment comment Comment associated to the identifier.
identifier text Identifier of the reference. Should be unique in your system.
link link Link associated to the identifier.
type text Type of internal reference.
interpol-notice
An object which describes an Interpol notice.
interpol-notice is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
alias text Alias name or known as.
charges text Charges published as provided by requesting entity
colour-of-eyes text Description of a person’s colour of eyes.
colour-of-hair text Description of a person’s colour of hair.
date-of-birth date-of-birth Date of birth of a natural person (in YYYY-MM-DD format).
date-of-disappearance text Date of disappearance of a missing person.
distinguishing-marks-and-characteristics text Distinguishing marks and characteristics of a person.
father-s-family-name-&-forename text Father’s family name & forename.
forename first-name First name of a natural person.
height text Height of a person.
language-spoken text Languages spoken by a person.
mother-s-family-name-&-forename text Mother’s family name & forename.
nationality nationality The nationality of a natural person.
notice-color text The color/type of the notice ['Red', 'Yellow', 'Blue', 'Black', 'Green', 'Orange', 'Purple']
place-of-birth place-of-birth Place of birth of a natural person.
place-of-disappearance text Place of birth of a natural person.
portrait attachment Portrait of the person.
present-family-name last-name Last name of a natural person.
sex gender The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say']
weight text Weight of a person.
iot-device
An IoT device.
iot-device is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
architecture text Architecture of the IoT device ['ARC', 'ARM', 'M68000', 'MicroBlaze', 'MIPS', 'NSD32', 'Nios II', 'PowerPC', 'RISC-V', 'Sandbox', 'SH', 'x86', 'Xtensa']
boot-log attachment Boot log of the IoT device
fcc-id text FCC-ID of the IoT device
jtag-interface text JTAG interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
model text Model of the IoT device
picture-device attachment Picture of the IoT device
picture-pcb attachment Picture of the IoT device PCB
platform text Platform of the IoT device ['mach-aspeed', 'mach-at91', 'mach-bcm283x', 'mach-bcmstb', 'mach-cortina', 'mach-davinci', 'mach-exynos', 'mach-highbank', 'mach-imx', 'mach-integrator', 'mach-k3', 'mach-keystone', 'mach-kirkwood', 'mach-mediatek', 'mach-meson', 'mach-mvebu', 'mach-omap2', 'mach-orion5x', 'mach-owl', 'mach-qemu', 'mach-rmobile', 'mach-rockchip', 'mach-s5pc1xx', 'mach-snapdragon', 'mach-socfpga', 'mach-sti', 'mach-stm32', 'mach-stm32mp', 'mach-sunxi', 'mach-tegra', 'mach-u8500', 'mach-uniphier', 'mach-versal', 'mach-versatile', 'mach-zynq', 'mach-zynqmp', 'mach-zynqmp-r5', 'mcf5227x', 'mcf523x', 'mcf52x2', 'mcf530x', 'mcf532x', 'mcf5445x', 'mcf547x_8x', 'mach-ath79', 'mach-bmips', 'mach-jz47xx', 'mach-mscc', 'mach-mtmips', 'mach-pic32']
reference link Reference of the IoT device
serial-interface text Serial interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
spi-interface text SPI interface of the IoT device ['Yes', 'No', 'Unknown', 'Disabled']
vendor text Vendor of the IoT device
iot-firmware
A firmware for an IoT device.
iot-firmware is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
binwalk-entropy-graph attachment Entropy graph of the firmware
binwalk-output attachment Binwalk output of the firmware image
boot-log attachment Boot log of the IoT device for this firmware
filename text Filename of the firmware
firmware attachment Firmware of the IoT device
format text Format of the firmware ['raw', 'Intel hex', 'Motorola S-Record', 'Unknown']
md5 md5 [Insecure] MD5 hash (128 bits)
sha1 sha1 [Insecure] Secure Hash Algorithm 1 (160 bits)
sha224 sha224 Secure Hash Algorithm 2 (224 bits)
sha256 sha256 Secure Hash Algorithm 2 (256 bits)
sha384 sha384 Secure Hash Algorithm 2 (384 bits)
sha512 sha512 Secure Hash Algorithm 2 (512 bits)
size-in-bytes size-in-bytes Size of the file, in bytes
version text Version of the firmware
ip-api-address
IP Address information. Useful if you are pulling your ip information from ip-api.com.
ip-api-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
ISP text ISP.
asn AS Autonomous System Number
city text City.
country text Country name
country-code text Country code
first-seen datetime First time the ASN was seen
ip-src ip-src Source IP address of the network connection.
last-seen datetime Last time the ASN was seen
latitude float The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.
longitude float The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference
organization text organization
region text Region. example: California.
region-code text Region code. example: CA
state text State.
zipcode text Zip Code.
ip-port
An IP address (or domain or hostname) and a port seen as a tuple (or as a triple) in a specific time frame.
ip-port is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
domain domain Domain
dst-port port Destination port
first-seen datetime First time the tuple has been seen
hostname hostname Hostname
ip ip-dst IP Address
ip-dst ip-dst destination IP address
ip-src ip-src source IP address
last-seen datetime Last time the tuple has been seen
src-port port Source port
text text Description of the tuple
irc
An IRC object to describe an IRC server and the associated channels.
irc is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
channel text IRC channel associated to the IRC server
dst-port port Destination port to reach the IRC server
first-seen datetime First time the IRC server with the associated channels has been seen
hostname hostname Hostname of the IRC server
ip ip-dst IP address of the IRC server
last-seen datetime Last time the IRC server with the associated channels has been seen
nickname text IRC nickname used to connect to the associated IRC server and channels
text text Description of the IRC server
ja3
JA3 is a new technique for creating SSL client fingerprints that are easy to produce and can be easily shared for threat intelligence. Fingerprints are composed of Client Hello packet; SSL Version, Accepted Ciphers, List of Extensions, Elliptic Curves, and Elliptic Curve Formats. https://github.com/salesforce/ja3.
ja3 is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
description text Type of detected software, i.e. software, malware
first-seen datetime First seen of the SSL/TLS handshake
ip-dst ip-dst Destination IP address
ip-src ip-src Source IP Address
ja3-fingerprint-md5 ja3-fingerprint-md5 Hash identifying source
last-seen datetime Last seen of the SSL/TLS handshake
ja3s
JA3S is JA3 for the Server side of the SSL/TLS communication and fingerprints how servers respond to particular clients. JA3S fingerprints are composed of Server Hello packet; SSL Version, Cipher, SSL Extensions. https://github.com/salesforce/ja3.
ja3s is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
description text Type of detected software, i.e. software, malware, c&c
first-seen datetime First seen of the SSL/TLS handshake
ip-dst ip-dst Destination IP address
ip-src ip-src Source IP Address
ja3-fingerprint-md5 ja3-fingerprint-md5 Hash identifying client
ja3s-fingerprint-md5 ja3-fingerprint-md5 Hash identifying server
last-seen datetime Last seen of the SSL/TLS handshake
jarm
Jarm object to describe a TLS/SSL implementation used for malicious or legitimate use-case.
jarm is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
jarm jarm-fingerprint JARM Hash of this implementation
reference link Reference to the tool matching this fingerprint
scope text Scope of the tool ['Malicious - C2', 'Malicious - Client', 'Malicious - Unknown', 'Legitimate', 'Undefined']
tls-implementation text SSL/TLS implementation matching this object
tool text Tool having this jarm fingerprint
keybase-account
Information related to a keybase account, from API Users Object.
keybase-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
bio text Bio of the keybase user
cryptocurrency_addresses btc Associated cryptocurrency address with the keybase user
emails text Emails associated with the keybase user
full_name text Full name
id text Keybase user identifier
location text Location
private_keys text OpenPGP private keys associated with the keybase user
public_keys text OpenPGP public keys associated with the keybase user
username text Keybase username
leaked-document
Object describing a leaked document.
leaked-document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
archive link Archive of the original document (Internet Archive, Archive.is, etc).
attachment attachment The leaked document file.
document-name text Title of the document.
document-text text Raw text of document
document-type text The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'photo', 'audio', 'invoice', 'receipt', 'other']
first-seen datetime When the document has been accessible or seen for the first time.
last-seen datetime When the document has been accessible or seen for the last time.
link link Original link into the document (Supposed harmless)
objective text Reason for leaking the document. ['Disinformation', 'Influence', 'Whistleblowing', 'Extortion', 'Other']
origin text Original source of leaked document.
purpose-of-document text What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other']
url url Original URL location of the document (potentially malicious)
legal-entity
An object to describe a legal entity.
legal-entity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
business text Business area of the entity.
commercial-name text Commercial name of the entity.
legal-form text Legal form of the entity.
logo attachment Logo of the entity.
name text Name of the entity.
phone-number phone-number Phone number of the entity.
registration-number text Registration number of the entity in the relevant authority.
text text A description of the entity.
website link Website of the entity.
lnk
LNK object describing a Windows LNK binary file (aka Windows shortcut).
lnk is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
birth-droid-file-identifier text Birth droid volume identifier (UUIDv1 where MAC can be extracted)
birth-droid-volume-identifier text Droid volume identifier
droid-file-identifier text Droid file identifier (UUIDv1 where MAC can be extracted)
droid-volume-identifier text Droid volume identifier
entropy float Entropy of the whole file
filename filename Filename on disk
fullpath text Complete path of the LNK filename including the filename
lnk-access-time datetime Access time of the LNK
lnk-command-line-arguments text LNK command line arguments
lnk-creation-time datetime Creation time of the LNK
lnk-description text LNK description
lnk-drive-serial-number text Drive serial number
lnk-drive-type text Drive type
lnk-file-attribute-flags text File attribute flags
lnk-file-size size-in-bytes Size of the target file, in bytes
lnk-hot-key-value text Hot Key value
lnk-icon-index text Icon index
lnk-local-path text Local path
lnk-modification-time datetime Modification time of the LNK
lnk-relative-path text Relative path
lnk-show-window-value text Show Window value
lnk-volume-label text Volume label
lnk-working-directory text LNK working path
machine-identifier text Machine identifier
malware-sample malware-sample The LNK file itself (binary)
md5 md5 [Insecure] MD5 hash (128 bits)
path text Path of the LNK filename complete or partial
pattern-in-file pattern-in-file Pattern that can be found in the file
sha1 sha1 [Insecure] Secure Hash Algorithm 1 (160 bits)
sha224 sha224 Secure Hash Algorithm 2 (224 bits)
sha256 sha256 Secure Hash Algorithm 2 (256 bits)
sha384 sha384 Secure Hash Algorithm 2 (384 bits)
sha512 sha512 Secure Hash Algorithm 2 (512 bits)
sha512/224 sha512/224 Secure Hash Algorithm 2 (224 bits)
sha512/256 sha512/256 Secure Hash Algorithm 2 (256 bits)
size-in-bytes size-in-bytes Size of the LNK file, in bytes
ssdeep ssdeep Fuzzy hash using context triggered piecewise hashes (CTPH)
state text State of the LNK file ['Malicious', 'Harmless', 'Trusted']
text text Free text value to attach to the file
tlsh tlsh Fuzzy hash by Trend Micro: Locality Sensitive Hash
macho
Object describing a file in Mach-O format.
macho is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
entrypoint-address text Address of the entry point
name text Binary’s name
number-sections counter Number of sections
text text Free text value to attach to the Mach-O file
type text Type of Mach-O ['BUNDLE', 'CORE', 'DSYM', 'DYLIB', 'DYLIB_STUB', 'DYLINKER', 'EXECUTE', 'FVMLIB', 'KEXT_BUNDLE', 'OBJECT', 'PRELOAD']
macho-section
Object describing a section of a file in Mach-O format.
macho-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
entropy float Entropy of the whole section
md5 md5 [Insecure] MD5 hash (128 bits)
name text Name of the section
sha1 sha1 [Insecure] Secure Hash Algorithm 1 (160 bits)
sha224 sha224 Secure Hash Algorithm 2 (224 bits)
sha256 sha256 Secure Hash Algorithm 2 (256 bits)
sha384 sha384 Secure Hash Algorithm 2 (384 bits)
sha512 sha512 Secure Hash Algorithm 2 (512 bits)
sha512/224 sha512/224 Secure Hash Algorithm 2 (224 bits)
sha512/256 sha512/256 Secure Hash Algorithm 2 (256 bits)
size-in-bytes size-in-bytes Size of the section, in bytes
ssdeep ssdeep Fuzzy hash using context triggered piecewise hashes (CTPH)
text text Free text value to attach to the section
mactime-timeline-analysis
Mactime template, used in forensic investigations to describe the timeline of a file activity.
mactime-timeline-analysis is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
activityType | text | Determines the type of activity conducted on the file at a given time ['Accessed', 'Created', 'Changed', 'Modified', 'Other']
datetime | datetime | Date and time when the operation was conducted on the file
file | attachment | Mactime output file
file-path | text | Location of the file on the disc
filePermissions | text | Describes permissions assigned to the file
file_size | text | Determines the file size in bytes
malware-config
Malware configuration recovered or extracted from a malicious binary.
malware-config is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
config | text | Raw (decrypted, decoded) text of the malware configuration.
encrypted | text | Encrypted or encoded text of the malware configuration in base64.
first-seen | datetime | When the malware configuration has been seen for the first time.
format | text | Original format of the malware configuration. ['JSON', 'yaml', 'INI', 'other']
last-seen | datetime | When the malware configuration has been seen for the last time.
password | text | Password or encryption key used to encrypt the malware configuration.
meme-image
Object describing a meme (image).
meme-image is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
5Ds-of-propaganda | text | 5 D’s of propaganda are tactics of rebuttal used to defend against criticism and adversarial narratives. ['dismiss', 'distort', 'distract', 'dismay', 'divide']
a/b-test | boolean | A flag to define if this meme is part of an a/b test. If set to true, it is part of an a/b test set. ['True', 'False']
archive | link | Archive of the original document (Internet Archive, Archive.is, etc).
attachment | attachment | The image file.
crosspost | link | Safe site where the meme has been posted.
crosspost-unsafe | url | Unsafe site where the meme has been posted.
document-text | text | Raw text of meme
first-seen | datetime | When the meme has been accessible or seen for the first time.
last-seen | datetime | When the meme has been accessible or seen for the last time.
link | link | Original link into the meme (Supposed harmless)
meme-reference | link | A link to know-your-meme or similar reference material.
objective | text | Objective of the meme. ['Disinformation', 'Advertising', 'Parody', 'Other']
url | url | Original URL location of the meme (potentially malicious)
username | text | Username who posted the meme.
microblog
Microblog post like a Twitter tweet or a post on a Facebook wall.
microblog is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original document (Internet Archive, Archive.is, etc).
attachment | attachment | The microblog post file or screen capture.
creation-date | datetime | Initial creation of the microblog post
display-name | text | Display name of the account who posted the microblog.
embedded-link | url | Link into the microblog post
embedded-safe-link | link | Safe link into the microblog post
hashtag | text | Hashtag embedded in the microblog post
in-reply-to-display-name | text | The user display name of the microblog this post replies to.
in-reply-to-status-id | text | The microblog ID of the microblog this post replies to.
in-reply-to-user-id | text | The user ID of the microblog this post replies to.
language | text | The language of the post.
link | link | Original link to the microblog post (supposed harmless).
modification-date | datetime | Last update of the microblog post
post | text | Raw text of the post.
removal-date | datetime | When the microblog post was removed.
state | text | State of the microblog post ['Informative', 'Malicious', 'Misinformation', 'Disinformation', 'Unknown']
title | text | Title of the post.
twitter-id | twitter-id | The microblog post id.
type | text | Type of the microblog post ['Twitter', 'Facebook', 'LinkedIn', 'Reddit', 'Google+', 'Instagram', 'Forum', 'Other']
url | url | Original URL of the microblog post (potentially malicious).
username | text | Username who posted the microblog post (without the @ prefix)
username-quoted | text | Username who are quoted in the microblog post.
verified-username | text | Is the username account verified by the operator of the microblog platform ['Verified', 'Unverified', 'Unknown']
mutex
Object to describe mutual exclusion locks (mutex) as seen in memory or computer program.
mutex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | text | Description
name | text | name of the mutex
operating-system | text | Operating system where the mutex has been seen ['Windows', 'Unix']
narrative
Object describing a narrative.
narrative is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
5Ds-of-propaganda | text | 5 D’s of propaganda are tactics of rebuttal used to defend against criticism and adversarial narratives. ['dismiss', 'distort', 'distract', 'dismay', 'divide']
archive | link | Archive of the original narrative source (Internet Archive, Archive.is, etc).
attachment | attachment | Documents related to the narrative.
external-references | link | Link to external references.
link | link | Original link to the narrative source (Supposed harmless)
narrative-disproof | text | Disproof or evidence against the narrative.
narrative-summary | text | A summary of the narrative.
objective | text | Objective of the narrative. ['Disinformation', 'Advertising', 'Parody', 'Other']
url | url | Original link to the narrative source (Supposed malicious)
netflow
Netflow object describes a network object based on the Netflow v5/v9 minimal definition.
netflow is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
byte-count | counter | Bytes counted in this flow
community-id | community-id | Community id of the represented flow
direction | text | Direction of this flow ['Ingress', 'Egress']
dst-as | AS | Destination AS number for this flow
dst-port | port | Destination port of the netflow
first-packet-seen | datetime | First packet seen in this flow
flow-count | counter | Flows counted in this flow
icmp-type | text | ICMP type of the flow (if the traffic is ICMP)
ip-dst | ip-dst | IP address destination of the netflow
ip-protocol-number | size-in-bytes | IP protocol number of this flow
ip-src | ip-src | IP address source of the netflow
ip_version | counter | IP version of this flow
last-packet-seen | datetime | Last packet seen in this flow
packet-count | counter | Packets counted in this flow
protocol | text | Protocol used for this flow ['TCP', 'UDP', 'ICMP', 'IP']
src-as | AS | Source AS number for this flow
src-port | port | Source port of the netflow
tcp-flags | text | TCP flags of the flow
network-connection
A local or remote network connection.
network-connection is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
community-id | community-id | Flow description as a community ID hash value
dst-port | port | Destination port of the network connection.
first-packet-seen | datetime | Datetime of the first packet seen.
hostname-dst | hostname | Destination hostname of the network connection.
hostname-src | hostname | Source hostname of the network connection.
ip-dst | ip-dst | Destination IP address of the network connection.
ip-src | ip-src | Source IP address of the network connection.
layer3-protocol | text | Layer 3 protocol of the network connection. ['IP', 'ICMP', 'ARP']
layer4-protocol | text | Layer 4 protocol of the network connection. ['TCP', 'UDP']
layer7-protocol | text | Layer 7 protocol of the network connection. ['HTTP', 'HTTPS', 'FTP']
src-port | port | Source port of the network connection.
network-profile
Elements that can be used to profile, pivot or identify a network infrastructure, including domains, ip and urls.
network-profile is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
asn | AS | ASN where the content is hosted
certificate-common-name | text | Certificate common name
certificate-country | text | Certificate country name
certificate-creation-date | datetime | Certificate date it was created
certificate-expiry-date | datetime | Certificate date it will expire
certificate-issuer | text | Certificate Issuer
certificate-organization | text | Certificate organization
certificate-organization-locality | text | Certificate locality
certificate-organization-state | text | Certificate state or province name
certificate-organization-unit | text | Certificate organization unit
dns-server | hostname | DNS server
domain | domain | Domain of the whois entry
evidences | attachment | Screenshot of the network resources.
google-analytics-id | text | Google analytics IDS
hosting-provider | text | The hosting provider/ISP where the resources are.
ip-address | ip-src | IP address of the whois entry
jarm | jarm-fingerprint | JARM Footprint string
port | port | Port number
query_string | text | Query (after path, preceded by '?')
resource_path | text | Path (between hostname:port and query)
service-abuse | text | Service abused by threat actors as part of their infrastructure. ['OneDrive', 'Google Drive', 'Dropbox', 'Microsoft', 'Google', 'DuckDNS', 'Cloudflare', 'AWS']
subdomain | text | Subdomain
text | text | Full whois entry
threat-actor-infrastructure-pattern | text | Patterns found on threat actor infrastructure that can correlate with other analysis.
threat-actor-infrastructure-value | text | Unique value found on threat actor infrastructure identified through an investigation.
tld | text | Top-Level Domain
url | url | Full URL
whois-creation-date | datetime | Initial creation of the whois entry
whois-expiration-date | datetime | Expiration of the whois entry
whois-registrant-email | whois-registrant-email | Registrant email address
whois-registrant-name | whois-registrant-name | Registrant name
whois-registrant-org | whois-registrant-org | Registrant organisation
whois-registrant-phone | whois-registrant-phone | Registrant phone number
whois-registrar | whois-registrar | Registrar of the whois entry
network-socket
Network socket object describes local or remote network connections based on the socket data structure.
network-socket is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address-family | text | Address family that specifies the address family type (AF_*) of the socket connection. ['AF_UNSPEC', 'AF_LOCAL', 'AF_UNIX', 'AF_FILE', 'AF_INET', 'AF_AX25', 'AF_IPX', 'AF_APPLETALK', 'AF_NETROM', 'AF_BRIDGE', 'AF_ATMPVC', 'AF_X25', 'AF_INET6', 'AF_ROSE', 'AF_DECnet', 'AF_NETBEUI', 'AF_SECURITY', 'AF_KEY', 'AF_NETLINK', 'AF_ROUTE', 'AF_PACKET', 'AF_ASH', 'AF_ECONET', 'AF_ATMSVC', 'AF_RDS', 'AF_SNA', 'AF_IRDA', 'AF_PPPOX', 'AF_WANPIPE', 'AF_LLC', 'AF_IB', 'AF_MPLS', 'AF_CAN', 'AF_TIPC', 'AF_BLUETOOTH', 'AF_IUCV', 'AF_RXRPC', 'AF_ISDN', 'AF_PHONET', 'AF_IEEE802154', 'AF_CAIF', 'AF_ALG', 'AF_NFC', 'AF_VSOCK', 'AF_KCM', 'AF_MAX']
domain-family | text | Domain family that specifies the communication domain (PF_*) of the socket connection. ['PF_UNSPEC', 'PF_LOCAL', 'PF_UNIX', 'PF_FILE', 'PF_INET', 'PF_AX25', 'PF_IPX', 'PF_APPLETALK', 'PF_NETROM', 'PF_BRIDGE', 'PF_ATMPVC', 'PF_X25', 'PF_INET6', 'PF_ROSE', 'PF_DECnet', 'PF_NETBEUI', 'PF_SECURITY', 'PF_KEY', 'PF_NETLINK', 'PF_ROUTE', 'PF_PACKET', 'PF_ASH', 'PF_ECONET', 'PF_ATMSVC', 'PF_RDS', 'PF_SNA', 'PF_IRDA', 'PF_PPPOX', 'PF_WANPIPE', 'PF_LLC', 'PF_IB', 'PF_MPLS', 'PF_CAN', 'PF_TIPC', 'PF_BLUETOOTH', 'PF_IUCV', 'PF_RXRPC', 'PF_ISDN', 'PF_PHONET', 'PF_IEEE802154', 'PF_CAIF', 'PF_ALG', 'PF_NFC', 'PF_VSOCK', 'PF_KCM', 'PF_MAX']
dst-port | port | Destination port of the network socket connection.
filename | filename | Socket using filename
hostname-dst | hostname | Destination hostname of the network socket connection.
hostname-src | hostname | Source (local) hostname of the network socket connection.
ip-dst | ip-dst | Destination IP address of the network socket connection.
ip-src | ip-src | Source (local) IP address of the network socket connection.
option | text | Option on the socket connection.
protocol | text | Protocol used by the network socket. ['TCP', 'UDP', 'ICMP', 'IP']
socket-type | text | Type of the socket. ['SOCK_STREAM', 'SOCK_DGRAM', 'SOCK_RAW', 'SOCK_RDM', 'SOCK_SEQPACKET']
src-port | port | Source (local) port of the network socket connection.
state | text | State of the socket connection. ['blocking', 'listening']
news-agency
News agencies compile news and disseminate news in bulk.
news-agency is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address | text | Postal address of the news agency.
alias | text | Alias of the news agency.
archive | link | Archive of the original document (Internet Archive, Archive.is, etc).
attachment | attachment | The news file, screen capture, audio, etc.
e-mail | email-src | Email address of the organization.
fax-number | phone-number | Fax number of the news agency.
link | link | Original link to the news agency (Supposed harmless).
name | text | Name of the news agency.
phone-number | phone-number | Phone number of the news agency.
url | url | Original URL location of the news agency (potentially malicious).
news-media
News media are forms of mass media delivering news to the general public.
news-media is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address | text | Postal address of the news source.
alias | text | Alias of the news source.
archive | link | Archive of the news (Internet Archive, Archive.is, etc).
attachment | attachment | The news file, screen capture, audio, etc.
content | text | Raw content of the news.
e-mail | email-src | Email address of the news source.
embedded-link | url | Site linked by the blog post.
embedded-safe-link | link | Safe site linked by the blog post.
fax-number | phone-number | Fax number of the news source.
link | link | Original link to news (Supposed harmless).
phone-number | phone-number | Phone number of the news source.
source | text | Name of the news source.
sub-type | text | Format of the news post (business daily, local news, metasite, etc). ['Business Daily', 'Local News', 'State News', 'National News', 'Metasite', 'Political Commentary', 'Clipper', 'Pressure Group', 'Staging', 'Trade Site', 'Other']
title | text | Title of the post.
transcription | text | Transcribed audio/visual content.
type | text | Type of news media (newspaper, TV, podcast, etc). ['Newspaper', 'Newspaper (Online)', 'Magazine', 'Magazine (Online)', 'TV', 'Tube', 'Radio', 'Radio (Online)', 'Podcast', 'Alternative Media', 'Other']
url | url | Original URL location of news (potentially malicious).
username | text | Username who posted the blog post.
open-data-security
An object describing an open dataset available and described under the open data security model. ref. https://github.com/CIRCL/open-data-security.
open-data-security is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | comment | an exhaustive description of the dataset including methods of collection, extraction or analysis
frequency | text | frequency of the dataset generation which MUST be expressed in yearly, monthly, daily, hourly ['yearly', 'monthly', 'daily', 'hourly']
human-validated | text | human-validated describes if the dataset has been manually validated ['true', 'false', 'unknown']
license | text | license MUST be expressed in SPDX format to describe under which license the dataset is distributed
link | link | link to open dataset
machine-validated | text | machine-validated describes if the dataset has been automatically validated ['true', 'false', 'unknown']
producer | link | producer MUST be expressed as an URI to reference the original producer of the dataset
source | text | original source of the dataset
subtitle | text | an extended title of the dataset
time-precision | text | time-precision MUST be expressed in years, months, days, hours, minutes or seconds to describe the precision of the time expressed ['years', 'months', 'days', 'hours', 'minutes', 'seconds']
title | text | a comprehensive and concise title of the dataset
organization
An object which describes an organization.
organization is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
VAT | text | VAT or TAX-ID of the organization
address | text | Postal address of the organization.
alias | text | Alias of the organization
date-of-inception | date-of-birth | Date of inception of the organization
description | text | Description of the organization
e-mail | email-src | Email address of the organization.
fax-number | phone-number | Fax number of the organization.
name | text | Name of the organization
phone-number | phone-number | Phone number of the organization.
role | text | The role of the organization. ['Suspect', 'Victim', 'Defendent', 'Accused', 'Culprit', 'Accomplice', 'Target', 'Source', 'Originator', 'Informant', 'Emitter']
type-of-organization | text | Type of the organization
original-imported-file
Object describing the original file used to import data in MISP.
original-imported-file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
format | text | Format of data imported. ['STIX 1.0', 'STIX 1.1', 'STIX 1.2', 'STIX 2.0', 'OpenIOC']
imported-sample | attachment | The original imported file itself (binary).
uri | uri | URI related to the imported file.
paloalto-threat-event
Palo Alto Threat Log Event.
paloalto-threat-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
app | text | The application identified (e.g. vnc, ssh, sip, irc, http or smtp).
direction | text | The Direction of the Event.
dport | counter | The port to which the connection headed.
dst | ip-dst | The Destination IP which is the target of the observed connections.
dstloc | text | The Destination Location of the event.
proto | text | The transport protocol (e.g. tcp, udp, icmp).
sport | counter | The port from which the connection originated.
src | ip-src | The ip observed to initiate the connection
srcloc | text | The Source Location of the event.
subtype | text | The subtype of the Log Event.
thr_category | text | The Threat Category.
threatid | text | The Threat ID.
time_generated | datetime | The datetime of the event.
type | text | The type of the Log Event
parler-account
Parler account.
parler-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
account-id | text | Numeric id of the account.
account-name | text | Name of the account.
archive | link | Archive of the original parley (Internet Archive, Archive.is, etc).
attachment | attachment | The parley file or screen capture.
badge | float | Post badge.
bio | text | The account bio.
comments | text | The number of user comments.
cover-photo | attachment | Comment controversy.
followers | text | Number of followers.
following | text | Number user is following.
human | boolean | Account 'human' bool. ['True', 'False']
interactions | float | Account interactions.
likes | text | Number user likes.
link | link | Original URL of the parley (supposed harmless).
posts | text | Number user posts.
profile-photo | attachment | Comment controversy.
score | text | User score.
url | url | Original URL of the parley, e.g. link shortener (potentially malicious).
verified | boolean | Account 'verified' bool. ['True', 'False']
parler-comment
Parler comment.
parler-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original parley (Internet Archive, Archive.is, etc).
attachment | attachment | The parley file or screen capture.
badge | float | Comment badge.
body | text | Raw text of the post.
comment-depth | float | Comment nesting depth.
comments | text | Comments on this object.
controversy | float | Comment controversy.
creator | text | Name of the account that posted this parley.
creator-id | text | ID of the account that posted this parley.
downvotes | text | Comment downvotes.
embedded-link | url | Link in the parley
embedded-safe-link | link | Safe link in the parley
hashtag | text | Hashtag embedded in the parley.
in-reply-to-display-name | text | The user display name of the parley this post shares.
in-reply-to-parley-id | text | The Parler ID of the parley that this post shares.
in-reply-to-user-id | text | The user ID of the parley this post shares.
link | link | Original link to the post (supposed harmless).
post-id | text | Numeric id of the parley.
score | text | Comment score.
upvotes | text | Comment upvotes.
url | url | Original URL of the parley, e.g. link shortener (potentially malicious).
username-quoted | text | Username who is quoted in the parley.
parler-post
Parler post (parley).
parler-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original parley (Internet Archive, Archive.is, etc).
article | boolean | Indicates if the post is an article. ['True', 'False']
attachment | attachment | The parley file or screen capture.
badge | float | Post badge.
body | text | Raw text of the post.
comments | text | Number of comments on this object.
creator | text | Name of the account that posted this parley.
creator-id | text | ID of the account that posted this parley.
depth | float | Post nesting depth.
embedded-link | url | Link in the parley
embedded-safe-link | link | Safe link in the parley
hashtag | text | Hashtag embedded in the parley.
impressions | text | Number of impressions.
in-reply-to-display-name | text | The user display name of the parley this post shares.
in-reply-to-parley-id | text | The Parler ID of the parley that this post shares.
in-reply-to-user-id | text | The user ID of the parley this post shares.
link | link | Original link to the post (supposed harmless).
post-id | text | Numeric id of the parley.
share-link | link | Sharable link generated by Parler (supposed harmless).
upvotes | text | Comment upvotes.
url | url | Original URL of the parley, e.g. link shortener (potentially malicious).
username-quoted | text | Username who is quoted in the parley.
passive-dns
Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html.
passive-dns is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
bailiwick | domain | Best estimate of the apex of the zone where this data is authoritative
count | counter | How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers.
origin | text | Origin of the Passive DNS response. This field is represented as a Uniform Resource Identifier (URI)
raw_rdata | text | Resource records of the queried resource, in hexadecimal. All rdata entries at once.
rdata | text | Resource records of the queried resource. Note that this field is added for each rdata entry in the rrset.
rrname | text | Resource Record name of the queried resource.
rrtype | text | Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
sensor_id | text | Sensor information where the record was seen
text | text | Description of the passive DNS record.
time_first | datetime | First time that the unique tuple (rrname, rrtype, rdata) has been seen by the passive DNS
time_first_ms | datetime | Same meaning as the field 'time_first', with the only difference, that the resolution is in milliseconds since 1st of January 1970 (UTC)
time_last | datetime | Last time that the unique tuple (rrname, rrtype, rdata) record has been seen by the passive DNS
time_last_ms | datetime | Same meaning as the field 'time_last', with the only difference, that the resolution is in milliseconds since 1st of January 1970 (UTC)
zone_time_first | datetime | First time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import
zone_time_last | datetime | Last time that the unique tuple (rrname, rrtype, rdata) record has been seen via master file import.
passive-dns-dnsdbflex
DNSDBFLEX object. This object is used at farsight security. Roughly based on Passive DNS records as expressed in draft-dulaunoy-dnsop-passive-dns-cof-07. See https://tools.ietf.org/id/draft-dulaunoy-dnsop-passive-dns-cof-07.html.
passive-dns-dnsdbflex is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
rrname | text | Resource Record name of the queried resource.
rrtype | text | Resource Record type as seen by the passive DNS. ['A', 'AAAA', 'CNAME', 'PTR', 'SOA', 'TXT', 'DNAME', 'NS', 'SRV', 'RP', 'NAPTR', 'HINFO', 'A6']
passive-ssh
Passive-ssh object as described on passive-ssh services from circl.lu - https://github.com/D4-project/passive-ssh.
passive-ssh is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
base64 | text | Base64 representation of the ssh-key
fingerprint | ssh-fingerprint | Fingerprint of the SSH key
first_seen | datetime | First time that the passive-ssh object has been seen by the passive SSH
host | ip-dst | IP Address of the host(s) that exposed this SSH key
last_seen | datetime | Last time that the passive-ssh object has been seen by the passive SSH
paste
Paste or similar post from a website allowing to share privately or publicly posts.
paste is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
first-seen | datetime | When the paste has been accessible or seen for the first time.
last-seen | datetime | When the paste has been accessible or seen for the last time.
link | link | Link to the original source of the source or post (when used legitimately for OSINT source or alike).
origin | text | Original source of the paste or post. ['pastebin.com', 'pastebin.com_pro', 'pastebin.fr', 'pastie.org', 'slexy.org', 'gist.github.com', 'codepad.org', 'safebin.net', 'hastebin.com', 'ghostbin.com', 'paste.ee', '0bin.net']
paste | text | Raw text of the paste or post
paste-file | attachment | Content of the paste in file
title | text | Title of the paste or post.
url | url | Link to the original source of the paste or post (when used maliciously).
username | text | User who posted the post.
pcap-metadata
Network packet capture metadata.
pcap-metadata is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
capture-interface | text | Interface name where the packet capture was running.
capture-length | text | Capture length set on the captured interface.
first-packet-seen | datetime | When the first packet has been seen.
last-packet-seen | datetime | When the last packet has been seen.
protocol | text | Capture protocol (linktype name). ['PER_PACKET', 'UNKNOWN', 'ETHERNET', 'TOKEN_RING', 'SLIP', 'PPP', 'FDDI', 'FDDI_BITSWAPPED', 'RAW_IP', 'ARCNET', 'ARCNET_LINUX', 'ATM_RFC1483', 'LINUX_ATM_CLIP', 'LAPB', 'ATM_PDUS', 'ATM_PDUS_UNTRUNCATED', 'NULL', 'ASCEND', 'ISDN', 'IP_OVER_FC', 'PPP_WITH_PHDR', 'IEEE_802_11', 'IEEE_802_11_PRISM', 'IEEE_802_11_WITH_RADIO', 'IEEE_802_11_RADIOTAP', 'IEEE_802_11_AVS', 'SLL', 'FRELAY', 'FRELAY_WITH_PHDR', 'CHDLC', 'CISCO_IOS', 'LOCALTALK', 'OLD_PFLOG', 'HHDLC', 'DOCSIS', 'COSINE', 'WFLEET_HDLC', 'SDLC', 'TZSP', 'ENC', 'PFLOG', 'CHDLC_WITH_PHDR', 'BLUETOOTH_H4', 'MTP2', 'MTP3', 'IRDA', 'USER0', 'USER1', 'USER2', 'USER3', 'USER4', 'USER5', 'USER6', 'USER7', 'USER8', 'USER9', 'USER10', 'USER11', 'USER12', 'USER13', 'USER14', 'USER15', 'SYMANTEC', 'APPLE_IP_OVER_IEEE1394', 'BACNET_MS_TP', 'NETTL_RAW_ICMP', 'NETTL_RAW_ICMPV6', 'GPRS_LLC', 'JUNIPER_ATM1', 'JUNIPER_ATM2', 'REDBACK', 'NETTL_RAW_IP', 'NETTL_ETHERNET', 'NETTL_TOKEN_RING', 'NETTL_FDDI', 'NETTL_UNKNOWN', 'MTP2_WITH_PHDR', 'JUNIPER_PPPOE', 'GCOM_TIE1', 'GCOM_SERIAL', 'NETTL_X25', 'K12', 'JUNIPER_MLPPP', 'JUNIPER_MLFR', 'JUNIPER_ETHER', 'JUNIPER_PPP', 'JUNIPER_FRELAY', 'JUNIPER_CHDLC', 'JUNIPER_GGSN', 'LINUX_LAPD', 'CATAPULT_DCT2000', 'BER', 'JUNIPER_VP', 'USB_FREEBSD', 'IEEE802_16_MAC_CPS', 'NETTL_RAW_TELNET', 'USB_LINUX', 'MPEG', 'PPI', 'ERF', 'BLUETOOTH_H4_WITH_PHDR', 'SITA', 'SCCP', 'BLUETOOTH_HCI', 'IPMB', 'IEEE802_15_4', 'X2E_XORAYA', 'FLEXRAY', 'LIN', 'MOST', 'CAN20B', 'LAYER1_EVENT', 'X2E_SERIAL', 'I2C', 'IEEE802_15_4_NONASK_PHY', 'TNEF', 'USB_LINUX_MMAPPED', 'GSM_UM', 'DPNSS', 'PACKETLOGGER', 'NSTRACE_1_0', 'NSTRACE_2_0', 'FIBRE_CHANNEL_FC2', 'FIBRE_CHANNEL_FC2_WITH_FRAME_DELIMS', 'JPEG_JFIF', 'IPNET', 'SOCKETCAN', 'IEEE_802_11_NETMON', 'IEEE802_15_4_NOFCS', 'RAW_IPFIX', 'RAW_IP4', 'RAW_IP6', 'LAPD', 'DVBCI', 'MUX27010', 'MIME', 'NETANALYZER', 'NETANALYZER_TRANSPARENT', 'IP_OVER_IB_SNOOP', 'MPEG_2_TS', 'PPP_ETHER', 'NFC_LLCP', 'NFLOG', 'V5_EF',
text | text | A description of the packet capture.
pe
Object describing a Portable Executable.
pe is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
authentihash | authentihash | Authenticode executable signature hash (sha256)
company-name | text | CompanyName in the resources
compilation-timestamp | datetime | Compilation timestamp defined in the PE header
entrypoint-address | text | Address of the entry point
entrypoint-section-at-position | text | Name of the section and position of the section in the PE
file-description | text | FileDescription in the resources
file-version | text | FileVersion in the resources
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
impfuzzy impfuzzy Fuzzy Hash(ssdeep)calculated fromthe import table
imphash imphash Hash (md5)calculated fromthe import table
internal-filename filename InternalFilenamein the resources
lang-id text Lang ID in theresources
legal-copyright text LegalCopyright inthe resources
number-sections counter Number ofsections
original-filename filename OriginalFilenamein the resources
pehash pehash Hash of thestructuralinformation abouta sample. Seehttps://www.usenix.org/legacy/event/leet09/tech/full_papers/wicherski/wicherski_html/
product-name text ProductName inthe resources
product-version text ProductVersion inthe resources
richpe md5 RichPE metadatahash
331
'BACNET_MS_TP_WITH_PHDR','IXVERIWAVE','SDH', 'DBUS','AX25_KISS','AX25', 'SCTP','INFINIBAND','JUNIPER_SVCS','USBPCAP','RTAC_SERIAL','BLUETOOTH_LE_LL','WIRESHARK_UPPER_PDU','STANAG_4607','STANAG_5066_D_PDU', 'NETLINK','BLUETOOTH_LINUX_MONITOR','BLUETOOTH_BREDR_BB','BLUETOOTH_LE_LL_WITH_PHDR','NSTRACE_3_0','LOGCAT','LOGCAT_BRIEF','LOGCAT_PROCESS', 'LOGCAT_TAG','LOGCAT_THREAD', 'LOGCAT_TIME','LOGCAT_THREADTIME','LOGCAT_LONG','PKTAP', 'EPON','IPMI_TRACE','LOOP', 'JSON','NSTRACE_3_5','ISO14443','GFP_T', 'GFP_F','IP_OVER_IB_PCAP', 'JUNIPER_VN','USB_DARWIN','LORATAP','3MB_ETHERNET','VSOCK','NORDIC_BLE','NETMON_NET_NETEVENT',
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
text text Free text value toattach to the PE
type text Type of PE ['exe','dll', 'driver','unknown']
pe-sectionObject describing a section of a Portable Executable.
pe-section is a MISP object available in JSON format at this location The JSONformat can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
characteristic text Characteristic ofthe section ['read','write','executable']
entropy float Entropy of thewhole section
md5 md5 [Insecure] MD5hash (128 bits)
name text Name of thesection ['.rsrc','.reloc', '.rdata','.data', '.text']
offset hex Section’s offset
sha1 sha1 [Insecure] SecureHash Algorithm 1(160 bits)
sha224 sha224 Secure HashAlgorithm 2 (224bits)
332
'NETMON_HEADER','NETMON_NET_FILTER','NETMON_NETWORK_INFO_EX','MA_WFP_CAPTURE_V4','MA_WFP_CAPTURE_V6','MA_WFP_CAPTURE_2V4','MA_WFP_CAPTURE_2V6','MA_WFP_CAPTURE_AUTH_V4','MA_WFP_CAPTURE_AUTH_V6','JUNIPER_ST','ETHERNET_MPACKET','DOCSIS31_XRA31']
Object attribute MISP attributetype
Description Disablecorrelation
Multiple
sha256 sha256 Secure HashAlgorithm 2 (256bits)
sha384 sha384 Secure HashAlgorithm 2 (384bits)
sha512 sha512 Secure HashAlgorithm 2 (512bits)
sha512/224 sha512/224 Secure HashAlgorithm 2 (224bits)
sha512/256 sha512/256 Secure HashAlgorithm 2 (256bits)
size-in-bytes size-in-bytes Size of the section,in bytes
ssdeep ssdeep Fuzzy hash usingcontext triggeredpiecewise hashes(CTPH)
text text Free text value toattach to thesection
virtual_address hex Section’s virtualaddress
virtual_size size-in-bytes Section’s virtualsize
person
An object which describes a person or an identity.
person is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
address text Postal address of the person.
alias text Alias name or known as.
birth-certificate-number text Birth Certificate Number
date-of-birth date-of-birth Date of birth of a natural person (in YYYY-MM-DD format).
dni text Spanish National ID
e-mail email-src Email address of the person.
fax-number phone-number Fax number of the person.
first-name first-name First name of a natural person.
full-name full-name Full name of a natural person usually composed of first-name, middle-name and last-name.
function text Function of the natural person such as analyst, cyber operator, lawyer.
gender gender The gender of a natural person. ['Male', 'Female', 'Other', 'Prefer not to say', 'Unknown']
identity-card-number identity-card-number The identity card number of a natural person.
last-name last-name Last name of a natural person.
middle-name middle-name Middle name of a natural person.
mothers-name text Mother name, father, second name or other names following country’s regulation.
nationality nationality The nationality of a natural person.
nic-hdl text NIC Handle (Network Information Centre handle) of the person.
nie text Foreign National ID (Spain)
nif text Tax ID Number (Spain)
occupation text Work or occupation of the person or identity.
ofac-identification-number text ofac-identification Number
passport-country passport-country The country in which the passport was issued.
passport-expiration passport-expiration The expiration date of a passport.
passport-number passport-number The passport number of a natural person.
phone-number phone-number Phone number of the person.
place-of-birth place-of-birth Place of birth of a natural person.
portrait attachment Portrait of the person.
redress-number redress-number The Redress Control Number is the record identifier for people who apply for redress through the DHS Travel Redress Inquiry Program (DHS TRIP). DHS TRIP is for travelers who have been repeatedly identified for additional screening and who want to file an inquiry to have erroneous information corrected in DHS systems.
role text The role of a person. ['Suspect', 'Victim', 'Defendent', 'Accused', 'Culprit', 'Accomplice', 'Witness', 'Target', 'Source', 'Originator', 'Informant', 'Emitter']
social-security-number text Social security number.
text text A description of the person or identity.
title text Title of the natural person such as Dr. or equivalent.
pgp-meta
Metadata extracted from a PGP keyblock, message or signature.
pgp-meta is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
key-id text Key ID in hexadecimal
user-id-email text User ID packet, email address of the key holder (UTF-8 text)
user-id-name text User ID packet, name of the key holder
phishing
Phishing template to describe a phishing website and its analysis.
phishing is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
hostname hostname host of the phishing website
internal-reference text Internal reference such as ticket ID
online text If the phishing is online and operational, by default is yes ['Yes', 'No']
phishtank-detail-url link Phishtank detail URL to the reported phishing
phishtank-id text Phishtank ID of the reported phishing
screenshot attachment Screenshot of phishing site
submission-time datetime When the phishing was submitted and/or reported
takedown-request datetime When the phishing was requested to be taken down
takedown-request-to text Destination email address for take-down request
takedown-time datetime When the phishing was taken down
target text Targeted organisation by the phishing
url url Original URL of the phishing website
url-redirect url Redirect URL of the phishing website
verification-time datetime When the phishing was verified
verified text The phishing has been verified by the team handling the phishing ['No', 'Yes']
phishing-kit
Object to describe a phishing-kit.
phishing-kit is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
date-found datetime Date when the phishing kit was found
email-type text Type of the Email
internal-reference text Internal reference such as ticket ID
kit-mailer text Mailer Kit Used
kit-name text Name of the Phishing Kit
kit-url url URL of Phishing Kit
online text If the phishing kit is online and operational, by default is yes ['Yes', 'No']
phishing-domain url Domain used for Phishing
reference-link link Link where the Phishing Kit was observed
target text What was targeted using this phishing kit
threat-actor text Identified threat actor
threat-actor-email email-src Email of the Threat Actor
phone
A phone or mobile phone object which describes a phone.
phone is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
brand text Brand of the phone.
first-seen datetime When the phone has been accessible or seen for the first time.
gummei text Globally Unique MME Identifier (GUMMEI) is composed from MCC, MNC and MME Identifier (MMEI).
guti text Globally Unique Temporary UE Identity (GUTI) is a temporary identification to not reveal the phone (user equipment in 3GPP jargon) composed of GUMMEI and the M-TMSI.
imei text International Mobile Equipment Identity (IMEI) is a number, usually unique, to identify 3GPP and iDEN mobile phones, as well as some satellite phones.
imsi text A usually unique International Mobile Subscriber Identity (IMSI) is allocated to each mobile subscriber in the GSM/UMTS/EPS system. IMSI can also refer to International Mobile Station Identity in the ITU nomenclature.
last-seen datetime When the phone has been accessible or seen for the last time.
model text Model of the phone.
msisdn text MSISDN (pronounced as /'em es ai es di en/ or misden) is a number uniquely identifying a subscription in a GSM or a UMTS mobile network. Simply put, it is the mapping of the telephone number to the SIM card in a mobile/cellular phone. This abbreviation has several interpretations, the most common one being Mobile Station International Subscriber Directory Number.
serial-number text Serial Number.
text text A description of the phone.
tmsi text Temporary Mobile Subscriber Identities (TMSI) to visiting mobile subscribers can be allocated.
postal-address
A postal address.
postal-address is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
apartment text Apartment / suite number
city text City or town name
country text Country
description text Description of the address
number text House number
postal-code text ZIP / postal code
province text Province
state text State
street text Street name
process
Object describing a system process.
process is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
args text Arguments of the process
child-pid text Process ID of the child(ren) process
command-line text Command line of the process
creation-time datetime Local date/time at which the process was created
current-directory text Current working directory of the process
fake-process-name boolean Is the process spawned under a false name. ['1', '0']
guid text The globally unique identifier of the process assigned by the vendor product
hidden boolean Specifies whether the process is hidden ['True', 'False']
image filename Path of process image
integrity-level text Integrity level of the process ['system', 'high', 'medium', 'low', 'untrusted']
name text Name of the process
parent-command-line text Command line of the parent process
parent-guid text The globally unique identifier of the parent process assigned by the vendor product
parent-image filename Path of parent process image
parent-pid text Process ID of the parent process
parent-process-name text Process name of the parent
parent-process-path text Parent process path of the parent
pgid text Identifier of the group of processes the process belongs to
pid text Process ID of the process
port port Port(s) owned by the process
process-state process-state State of process. ['D', 'R', 'S', 'T', 't', 'W', 'X', 'Z', '<', 'N', 'L', 's', 'l', '+']
start-time datetime Local date/time at which the process was started
user-creator text User who created the process
user-process text User who is running the process at the time of the analysis
publication
An object to describe a book, journal, or academic publication.
publication is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
DOI text DOI System is used to identify digital resources.
ISBN text International Standard Book Number.
academic-institution text Academic institution associated with the publisher or authors.
archive link Archive of the original document (Internet Archive, Archive.is, etc).
attachment attachment The publication file or screen capture.
author text Author of the publication.
content text Content of the publication.
contributor text Contributors include editors, compilers, and translators.
description text A description of the publication.
edition text Edition of the publication.
embedded-link url Link contained in the publication (possibly malicious).
embedded-safe-link link Link contained in the publication (assumed safe).
link link Original link to the publication (supposed harmless).
publisher text Publisher of the document.
series text Series of the publication.
title text Content of the publication.
url url Original link to the publication (possibly malicious).
volume text Volume of the publication.
website link Website of the publisher.
year text Year of publication.
python-etvx-event-log
Event log object template to share information of the activities conducted on a system.
python-etvx-event-log is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
Computer text Computer name on which the event occurred
Correlation-ID text Unique activity identity which relates the event to a process.
Event-data text Event data description.
Keywords text Tags used for the event for the purpose of filtering or searching. ['Network', 'Security', 'Resource not found', 'other']
Operational-code text The opcode (numeric value or name) associated with the activity carried out by the event.
Processor-ID text ID of the processor that processed the event.
Relative-Correlation-ID text Related activity ID which identifies similar activities which occurred as a part of the event.
Session-ID text Terminal server session ID.
Thread-ID text Thread id that generated the event.
User text Name or the User ID the event is associated with.
comment text Additional comments.
event-channel text Channel through which the event occurred ['Application', 'System', 'Security', 'Setup', 'other']
event-date-time datetime Date and time when the event was logged.
event-id text A unique number which identifies the event.
event-type text Event-type assigned to the event ['Admin', 'Operational', 'Audit', 'Analytic', 'Debug', 'other']
kernel-time datetime Execution time of the kernel mode instruction.
level text Determines the event severity. ['Information', 'Warning', 'Error', 'Critical', 'SuccessAudit', 'FailureAudit']
log text Log file where the event was recorded.
name text Name of the event.
source text The source of the event log - application/software that logged the event.
task-category text Activity by the event publisher
user-time datetime Date and time when the user instruction was executed.
r2graphity
Indicators extracted from files using radare2 and graphml.
r2graphity is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
callback-average counter Average size of a callback
callback-largest counter Largest callback
callbacks counter Amount of callbacks (functions started as thread)
create-thread counter Amount of calls to CreateThread
dangling-strings counter Amount of dangling strings (string with a code cross reference, that is not within a function. Radare2 failed to detect that function.)
get-proc-address counter Amount of calls to GetProcAddress
gml attachment Graph export in Graph Modelling Language format
local-references counter Amount of API calls inside a code section
memory-allocations counter Amount of memory allocations
miss-api counter Amount of API call reference that does not resolve to a function offset
not-referenced-strings counter Amount of not referenced strings
r2-commit-version text Radare2 commit ID used to generate this object
ratio-api float Ratio: amount of API calls per kilobyte of code section
ratio-functions float Ratio: amount of functions per kilobyte of code section
ratio-string float Ratio: amount of referenced strings per kilobyte of code section
referenced-strings counter Amount of referenced strings
refsglobalvar counter Amount of API calls outside of code section (glob var, dynamic API)
shortest-path-to-create-thread counter Shortest path to the first time the binary calls CreateThread
text text Description of the r2graphity object
total-api counter Total amount of API calls
total-functions counter Total amount of functions in the file.
unknown-references counter Amount of API calls not ending in a function (Radare2 bug, probably)
reddit-account
Reddit account.
reddit-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
account-avatar attachment A screen capture or exported account avatar.
account-avatar-url url A user profile picture or avatar.
account-id text Account id.
account-name text Account name (do not include u/).
archive link Archive of the account (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or exported list of contacts etc.
description text A description of the user.
link link Original link to the account page (supposed harmless).
moderator-of text Subreddits of which this account is a moderator (exclude the r/).
trophies text Trophies listed in the account Trophy Case.
url url Original URL location of the page (potentially malicious).
reddit-comment
A Reddit post comment.
reddit-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
archive link Archive of the original comment (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or exported file from the comment.
author text The user account that created the post (do not include u/).
body text The raw text of the comment.
description text A description of the comment.
embedded-link url Link embedded in the subreddit description (potentially malicious).
embedded-safe-link link Link embedded in the subreddit description (supposed safe).
hashtag text Hashtag used to identify or promote the comment.
link link Original link to the comment (supposed harmless).
subreddit-name text The name of the subreddit where it was posted (exclude the r/).
url url Original URL location of the comment (potentially malicious).
username-quoted text Usernames who are quoted in the comment (do not include u/).
reddit-post
A Reddit post.
reddit-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
archive link Archive of the original Reddit post (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or exported file from the Reddit post.
author text The user account that created the post (do not include u/).
description text A description of the post.
edited text Has the post been edited? ['True', 'False']
embedded-link url Link embedded in the subreddit description (potentially malicious).
embedded-safe-link link Link embedded in the subreddit description (supposed safe).
hashtag text Hashtag used to identify or promote the Reddit post.
link link Original link to the Reddit post (supposed harmless).
post-content text The raw text of the Reddit post.
post-title text The title of the Reddit post.
subreddit-name text The name of the subreddit where it was posted (exclude the r/).
thumbnail attachment Screen capture or exported post thumbnail.
thumbnail-url url Link to post thumbnail.
url url Original URL location of the Reddit post (potentially malicious).
username-quoted text Usernames who are quoted in the Reddit post (do not include u/).
reddit-subreddit
Public or private subreddit.
reddit-subreddit is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
active-user-count text Number of active accounts in the subreddit.
archive link Archive of the original subreddit (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or exported list of contacts, subreddit members, etc.
banner-background-image attachment A screen capture or exported subreddit header.
banner-background-url url A link to the subreddit header.
creator text The user account that created the subreddit (do not include u/).
description text A description of the subreddit.
display-name text The name of the subreddit (exclude the r/).
embedded-link url Link embedded in the subreddit description (potentially malicious).
embedded-safe-link link Link embedded in the subreddit description (supposed safe).
hashtag text Hashtag used to identify or promote the subreddit.
header-title text A title of the subreddit.
icon-img attachment A screen capture or exported subreddit community icon.
icon-img-url url A link to the subreddit community icon.
link link Original link to the subreddit (supposed harmless).
moderator text A user account who is a moderator of the subreddit (do not include u/).
privacy text Subreddit privacy. ['Public', 'Private']
rules text Raw text of the rules of the subreddit.
submit-text text The submission form raw text when posting to the subreddit.
subreddit-alias text Aliases or previous names of subreddit.
subreddit-type text Subreddit type, e.g. general, buy and sell etc.
url url Original URL location of the subreddit (potentially malicious).
regexp
An object describing a regular expression (regex or regexp). The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a regular expression.
regexp is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment comment A description of the regular expression.
regexp text regexp
regexp-type text Type of the regular expression syntax. ['PCRE', 'PCRE2', 'POSIX BRE', 'POSIX ERE', 'FCRE (Farsight Compatible Regular Expressions)']
type text Specify which type corresponds to this regex. ['hostname', 'domain', 'email-src', 'email-dst', 'email-subject', 'url', 'user-agent', 'regkey', 'cookie', 'uri', 'filename', 'windows-service-name', 'windows-scheduled-task']
registry-key
Registry key object describing a Windows registry key with value and last-modified timestamp.
registry-key is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
data text Data stored in the registry key
data-type text Registry value type ['REG_NONE', 'REG_SZ', 'REG_EXPAND_SZ', 'REG_BINARY', 'REG_DWORD', 'REG_DWORD_LITTLE_ENDIAN', 'REG_DWORD_BIG_ENDIAN', 'REG_LINK', 'REG_MULTI_SZ', 'REG_RESOURCE_LIST', 'REG_FULL_RESOURCE_DESCRIPTOR', 'REG_RESOURCE_REQUIREMENTS_LIST', 'REG_QWORD', 'REG_QWORD_LITTLE_ENDIAN']
hive text Hive used to store the registry key (file on disk)
key regkey Full key path
last-modified datetime Last time the registry key has been modified
name text Name of the registry key
root-keys text Root key of the Windows registry (extracted from the key) ['HKCC', 'HKCR', 'HKCU', 'HKDD', 'HKEY_CLASSES_ROOT', 'HKEY_CURRENT_CONFIG', 'HKEY_CURRENT_USER', 'HKEY_DYN_DATA', 'HKEY_LOCAL_MACHINE', 'HKEY_PERFORMANCE_DATA', 'HKEY_USERS', 'HKLM', 'HKPD', 'HKU']
regripper-NTUser
Regripper Object template designed to present user specific configuration details extracted from the NTUSER.dat hive.
regripper-NTUser is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
applications-installed text List of applications installed.
applications-run text List of applications set to run on the system.
comments text Additional information related to the user profile
external-devices text List of external devices connected to the system by the user.
key text Registry key where the information is retrieved from.
key-last-write-time datetime Date and time when the key was last updated.
logon-user-name text Name assigned to the user profile.
mount-points text Details of the mount points created on the system.
network-connected-to text List of networks the user connected the system to.
nukeOnDelete boolean Determines if the Recycle bin option has been disabled. ['True', 'False']
recent-files-accessed text List of recent files accessed by the user.
recent-folders-accessed text List of recent folders accessed by the user.
typed-urls text URLs typed by the user in Internet Explorer
user-init text Applications or processes set to run when the user logs onto the Windows system.
regripper-sam-hive-single-user
Regripper Object template designed to present user profile details extracted from the SAM hive.
regripper-sam-hive-single-user is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comments text Full name assigned to the user profile.
full-user-name text Full name assigned to the user profile.
key text Registry key where the information is retrieved from.
key-last-write-time datetime Date and time when the key was last updated.
last-login-time datetime Date and time when the user last logged onto the system.
login-count counter Number of times the user logged-in onto the system.
pwd-fail-date datetime Date and time when a password last failed for this user profile.
pwd-reset-time datetime Date and time when the password was last reset.
user-name text User name assigned to the user profile.
regripper-sam-hive-user-group
Regripper Object template designed to present group profile details extracted from the SAM hive.
regripper-sam-hive-user-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
full-name text Full name assigned to the profile.
group-comment text Any group comment added.
group-name text Name assigned to the profile.
group-users text Users belonging to the group
key text Registry key where the information is retrieved from.
key-last-write-time datetime Date and time when the key was last updated.
last-write-date-time datetime Date and time when the group key was updated.
regripper-software-hive-BHO
Regripper Object template designed to gather information of the browser helper objects installed on the system.
regripper-software-hive-BHO is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
BHO-key-last-write-time datetime Date and time when the BHO key was last updated.
BHO-name text Name of the browser helper object.
class text Class to which the BHO belongs.
comments text Additional comments.
key text Software hive key where the information is retrieved from.
last-write-time datetime Date and time when the key was last updated.
module text DLL module the BHO belongs to.
references link References to the BHO.
regripper-software-hive-appInit-DLLS
Regripper Object template designed to gather information of the DLL files installed on the system.
regripper-software-hive-appInit-DLLS is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
DLL-last-write-time datetime Date and time when the DLL file was last updated.
DLL-name text Name of the DLL file.
DLL-path text Path where the DLL file is stored.
comments text Additional comments.
key text Software hive key where the information is retrieved from.
last-write-time datetime Date and time when the key was last updated.
references link References to the DLL file.
regripper-software-hive-application-paths
Regripper Object template designed to gather information of the application paths.
regripper-software-hive-application-paths is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comments text Additional comments.
executable-file-name text Name of the executable file.
key text Software hive key where the information is retrieved from.
last-write-time datetime Date and time when the key was last updated.
path text Path of the executable file.
references link References to the application installed.
regripper-software-hive-applications-installed
Regripper Object template designed to gather information of the applications installed on the system.
regripper-software-hive-applications-installed is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
app-last-write-time datetime Date and time when the application key was last updated.
app-name text Name of the application.
comments text Additional comments.
key text Software hive key where the information is retrieved from.
key-path text Path of the key.
last-write-time datetime Date and time when the key was last updated.
references link References to the application installed.
version text Version of the application.
regripper-software-hive-command-shell
Regripper Object template designed to gather information of the shell commands executed on the system.
regripper-software-hive-command-shell is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
command text Command executed.
comments text Additional comments.
key text Software hive key where the information is retrieved from.
last-write-time datetime Date and time when the key was last updated.
shell text Type of shell used to execute the command. ['exe', 'cmd', 'bat', 'hta', 'pif', 'Other']
shell-path text Path of the shell.
regripper-software-hive-software-run
Regripper Object template designed to gather information of the applications set to run on the system.
regripper-software-hive-software-run is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
application-name text Name of the application run.
application-path text Path where the application is installed.
comments text Additional comments.
key text Software hive key where the information is retrieved from. ['Run', 'RunOnce', 'Runservices', 'Terminal', 'Other']
key-path text Path of the key.
last-write-time datetime Date and time when the key was last updated.
references link References to the applications.
regripper-software-hive-userprofile-winlogon
Regripper Object template designed to gather user profile information when the user logs onto the system, gathered from the software hive.
regripper-software-hive-userprofile-winlogon is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
AutoAdminLogon boolean Flag value to determine if autologon is enabled for a user without entering the password. ['True', 'False']
AutoRestartShell boolean Value of the flag set to auto restart the shell if it crashes or shuts down automatically. ['True', 'False']
CachedLogonCount counter Number of times the user has logged into the system.
Comments text Additional comments.
DefaultUserName text user-name of the default user.
DisableCAD boolean Flag to determine if user login is enabled by pressing Ctrl+ALT+Delete. ['True', 'False']
Legal-notice-caption text Message title set to display when the user logs-in.
Legal-notice-text text Message set to display when the user logs-in.
PasswordExpiryWarining counter Number of times the password expiry warning appeared.
PowerdownAfterShutDown boolean Flag value - if the system is set to power down after it is shutdown. ['True', 'False']
PreCreateKnownFolders text create known folders key
ReportBootOk boolean Flag to check if the reboot was successful. ['True', 'False']
SID text Security identifier assigned to the user profile.
Shell text Shell set to run when the user logs onto the system.
ShutdownFlags counter Number of times shutdown is initiated from a process when the user is logged-in.
ShutdownWithoutLogon boolean Value of the flag set to enable shutdown without requiring a user to login. ['True', 'False']
UserInit text Applications and files set to run when the user logs onto the system (User logon activity).
WinStationsDisabled boolean Flag value set to enable/disable logons to the system. ['True', 'False']
user-profile-key-last-write-time datetime Date and time when the key was last updated.
user-profile-key-path text key where the user-profile information is retrieved from.
user-profile-last-write-time datetime Date and time when the user profile was last updated.
user-profile-path text Path of the user profile on the system
winlogon-key-last-write-time datetime Date and time when the winlogon key was last updated.
winlogon-key-path text winlogon key referred in order to retrieve default user information
regripper-software-hive-windows-general-info
Regripper Object template designed to gather general windows information extracted from the software-hive.
regripper-software-hive-windows-general-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
BuildGUID text Build ID.
BuildLab text Windows BuildLab string.
BuildLabEx text Windows BuildLabEx string.
CSDVersion text Version of the service pack installed.
CurrentBuild text Build number of the windows OS.
CurrentBuildType text Current build type of the OS.
CurrentVersion text Current version of windows
EditionID text Windows edition.
InstallDate datetime Date when windows was installed.
InstallationType text Type of windows installation.
PathName text Path to the root directory.
ProductID text ID of the product version.
ProductName text Name of the windows version.
RegisteredOrganization text Name of the registered organization.
RegisteredOwner text Name of the registered owner.
SoftwareType text Software type of windows. ['System', 'Application', 'other']
SystemRoot text Root directory.
comment comment Additional comments.
last-write-time datetime Date and time when the key was last updated.
win-cv-path text key where the windows information is retrieved from
regripper-system-hive-firewall-configuration
Regripper Object template designed to present firewall configuration information extracted from the system-hive.
regripper-system-hive-firewall-configuration is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment text Additional comments.
disable-notification boolean Boolean flag to determine if firewall notifications are enabled. ['True', 'False']
enbled-firewall boolean Boolean flag to determine if the firewall is enabled. ['True', 'False']
last-write-time datetime Date and time when the firewall profile policy was last updated.
profile text Firewall Profile type ['DomainProfile', 'StandardProfile', 'NetworkProfile', 'PublicProfile', 'PrivateProfile', 'other']
regripper-system-hive-general-configuration
Regripper Object template designed to present general system properties extracted from the system-hive.
regripper-system-hive-general-configuration is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment text Additional comments.
computer-name text name of the computer under analysis
fDenyTSConnections: boolean Specifies whether remote connections are enabled or disabled on the system. ['True', 'False']
last-write-time datetime Date and time when the key was last updated.
shutdown-time datetime Date and time when the system was shutdown.
timezone-bias text Offset in minutes from UTC. Offset added to the local time to get a UTC value.
timezone-daylight-bias text value in minutes to be added to the value of timezone-bias to generate the bias used during daylight time.
timezone-daylight-date datetime Daylight date - daylight saving months
timezone-daylight-name text Timezone name used during daylight saving months.
timezone-last-write-time datetime Date and time when the timezone key was last updated.
timezone-standard-bias text value in minutes to be added to the value of timezone-bias to generate the bias used during standard time.
timezone-standard-date datetime Standard date - non daylight saving months
timezone-standard-name text Timezone standard name used during non-daylight saving months.
regripper-system-hive-network-information
Regripper object template designed to gather network information from the system-hive.
regripper-system-hive-network-information is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
DHCP-IP-address ip-dst DHCP service - IP address
DHCP-domain text Name of the DHCP domain service
DHCP-name-server ip-dst DHCP Nameserver - IP address.
DHCP-server ip-dst DHCP server - IP address.
DHCP-subnet-mask ip-dst DHCP subnet mask - IP address.
TCPIP-key text TCPIP key
TCPIP-key-last-write-time datetime Datetime when the key was last updated.
additional-comments text Comments.
interface-GUID text GUID value assigned to the interface.
interface-IPcheckingEnabled boolean
interface-MediaSubType text
interface-PnpInstanceID text Plug and Play instance ID assigned to the interface.
interface-last-write-time datetime Last date and time when the interface key was updated.
interface-name text Name of the interface.
network-key text Registry key assigned to the network
network-key-last-write-time datetime Date and time when the network key was last updated.
network-key-path text Path of the key where the information is retrieved from.
regripper-system-hive-services-drivers
Regripper Object template designed to gather information regarding the services/drivers from the system-hive.
regripper-system-hive-services-drivers is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment text Additional comments.
display text Display name/information of the service or the driver.
group text Group to which the system/driver belong to. ['Base', 'Boot BusExtender', 'BootFile System', 'Cryptography', 'Extended base', 'Event Log', 'Filter', 'FSFilterBottom', 'FSFilterInfrastructure', 'File System', 'FSFilterVirtualization', 'Keyboard Port', 'Network', 'NDIS', 'Parallelarbitrator', 'Pointer Port', 'PnPFilter', 'ProfSvc_Group', 'PNP_TDI', 'SCSIMiniport', 'SCSICDROM Class', 'System BusExtender', 'VideoSave', 'other']
image-path text Path of the service/drive
last-write-time datetime Date and time when the key was last updated.
name text name of the key
start text When the service/driver starts or executes. ['Boot start', 'System start', 'Auto start', 'Manual', 'Disabled']
type text Service/driver type. ['Kerneldriver', 'Filesystem driver', 'Own process', 'Share process', 'Interactive', 'Other']
report
Metadata used to generate an executive level report.
report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
case-number text Case number
link link Link to the report mentioned
report-file attachment Attachment(s) that is related to the report
summary text Free text summary of the report
type text Type of report ['Report', 'Alert', 'Incident', 'Operation', 'PressArticle', 'PressRelease', 'OnlineArticle', 'Blogpost']
research-scanner
Information related to known scanning activity (e.g. from research projects).
research-scanner is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
asn AS Autonomous System Number related to project
contact_email email-dst Project contact information
contact_phone phone-number Phone number related to project
domain domain Domain related to project
project text Description of scanning project
project_url link URL related to project
scanning_ip ip-src IP address used by project
scheduled_end datetime Scheduled end of scanning activity
scheduled_start datetime Scheduled start of scanning activity
rogue-dns
Rogue DNS as defined by CERT.br.
rogue-dns is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
hijacked-domain hostname Domain/hostname hijacked by the rogue DNS
phishing-ip ip-dst Resource records returned by the rogue DNS
rogue-dns ip-dst IP address of the rogue DNS
status text How many authoritative DNS answers were received at the Passive DNS Server’s collectors with exactly the given set of values as answers. ['ROGUE DNS', 'Unknown']
timestamp datetime Last time that the rogue DNS value was seen.
rtir
RTIR - Request Tracker for Incident Response.
rtir is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
classification text Classification of the RTIR ticket
constituency text Constituency of the RTIR ticket
ip ip-dst IPs automatically extracted from the RTIR ticket
queue text Queue of the RTIR ticket ['incident', 'investigations', 'blocks', 'incidentreports']
status text Status of the RTIR ticket ['new', 'open', 'stalled', 'resolved', 'rejected', 'deleted']
subject text Subject of the RTIR ticket
ticket-number text ticket-number of the RTIR ticket
sandbox-report
Sandbox report.
sandbox-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
on-premise-sandbox text The on-premise sandbox used ['cuckoo', 'symantec-cas-on-premise', 'bluecoat-maa', 'trendmicro-deep-discovery-analyzer', 'fireeye-ax', 'vmray', 'joe-sandbox-on-premise']
permalink link Permalink reference
raw-report text Raw report from sandbox
results text Freetext result values
saas-sandbox text A non-on-premise sandbox, also results are not publicly available ['forticloud-sandbox', 'joe-sandbox-cloud', 'symantec-cas-cloud']
sandbox-file attachment File related to sandbox run
sandbox-type text The type of sandbox used ['on-premise', 'web', 'saas']
score text Score
web-sandbox text A web sandbox where results are publicly available via an URL ['malwr', 'hybrid-analysis']
sb-signature
Sandbox detection signature.
sb-signature is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
datetime datetime Datetime
signature text Name of detection signature - set the description of the detection signature as a comment
software text Name of Sandbox software
text text Additional signature description
scheduled-event
Event object template describing a gathering of individuals in meatspace.
scheduled-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
address text Postal address of the event.
administrator text A user account who is an owner or admin of the event.
archive link Archive of the original event (Internet Archive, Archive.is, etc).
attachment attachment A screen capture or other attachment relevant to the event.
e-mail email-src Email address of the event contact.
embedded-link url Link embedded in the event description (potentially malicious).
embedded-safe-link link Link embedded in the event description (supposed safe).
event-alias text Aliases of event.
event-listing text Social media and other platforms on which the event is advertised. ['Twitter', 'Facebook', 'Meetup', 'Eventbrite', 'Other']
event-name text The name of the event.
fax-number phone-number Fax number of the event contact.
hashtag text Hashtag used to identify or promote the event.
link link Original link into the event (supposed harmless).
person-name text A person who is going to the event.
phone-number phone-number Phone number of the event contact.
scheduled-date datetime Initial creation of the microblog post
url url Original URL location of the event (potentially malicious).
username text A user account who is going to the event.
scrippsco2-c13-daily
Daily average C13 concentrations (ppm) derived from flask air samples.
scrippsco2-c13-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
c13-value float C13 value (ppm) - C13 concentrations are measured on the '08A' Calibration Scale
flag counter Flag (see taxonomy for details).
number-flask counter Number of flasks used in daily average.
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime Datetime the sample has been taken
scrippsco2-c13-monthly
Monthly average C13 concentrations (ppm) derived from flask air samples.
scrippsco2-c13-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
monthly-c13 float Monthly C13 concentrations in micro-mol C13 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.
monthly-c13-seasonal-adjustment float Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.
monthly-c13-smoothed float Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.
monthly-c13-smoothed-seasonal-adjustment float Same smoothed version with the seasonal cycle removed.
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime The monthly values have been adjusted to 24:00 hours on the 15th of each month.
scrippsco2-co2-daily
Daily average CO2 concentrations (ppm) derived from flask air samples.
scrippsco2-co2-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
co2-value float CO2 value (ppm) - CO2 concentrations are measured on the '08A' Calibration Scale
flag counter Flag (see taxonomy for details).
number-flask counter Number of flasks used in daily average.
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime Datetime the sample has been taken
scrippsco2-co2-monthly
Monthly average CO2 concentrations (ppm) derived from flask air samples.
scrippsco2-co2-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
monthly-co2 float Monthly CO2 concentrations in micro-mol CO2 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.
monthly-co2-seasonal-adjustment float Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.
monthly-co2-smoothed float Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.
monthly-co2-smoothed-seasonal-adjustment float Same smoothed version with the seasonal cycle removed.
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime The monthly values have been adjusted to 24:00 hours on the 15th of each month.
scrippsco2-o18-daily
Daily average O18 concentrations (ppm) derived from flask air samples.
scrippsco2-o18-daily is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
flag counter Flag (see taxonomy for details).
number-flask counter Number of flasks used in daily average.
o18-value float O18 value (ppm) - O18 concentrations are measured on the '08A' Calibration Scale
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime Datetime the sample has been taken
scrippsco2-o18-monthly
Monthly average O18 concentrations (ppm) derived from flask air samples.
scrippsco2-o18-monthly is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
monthly-o18 float Monthly O18 concentrations in micro-mol O18 per mole (ppm) reported on the 2008A SIO manometric mole fraction scale. This is the standard version of the data most often sought.
monthly-o18-seasonal-adjustment float Same data after a seasonal adjustment to remove the quasi-regular seasonal cycle. The adjustment involves subtracting from the data a 4-harmonic fit with a linear gain factor.
monthly-o18-smoothed float Smoothed version of the data generated from a stiff cubic spline function plus 4-harmonic functions with linear gain.
monthly-o18-smoothed-seasonal-adjustment float Same smoothed version with the seasonal cycle removed.
sample-date-excel float M$Excel spreadsheet date format.
sample-date-fractional float Decimal year and fractional year.
sample-datetime datetime The monthly values have been adjusted to 24:00 hours on the 15th of each month.
script
Object describing a computer program written to be run in a special run-time environment. The script or shell script can be used for malicious activities but also as support tools for threat analysts.
script is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment text Comment associated to the script.
filename filename Filename used for the script.
language text Scripting language used for the script. ['PowerShell', 'VBScript', 'Bash', 'Lua', 'JavaScript', 'AppleScript', 'AWK', 'Python', 'Perl', 'Ruby', 'Winbatch', 'AutoIt', 'PHP', 'Nim']
script text Free text of the script.
script-as-attachment attachment Attachment of the script.
state text Known state of the script. ['Malicious', 'Unknown', 'Harmless', 'Trusted']
security-playbook
An object to manage, represent, and share course of action playbooks (security playbooks) for cyberspace defense.
security-playbook is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
created datetime The time at which the playbook was originally created.
creator text The entity that created this playbook. It can be a natural person or an organization. It may be represented using an id that identifies the creator.
description text More details, context, and possibly an explanation about what this playbook does and tries to accomplish.
id text A value that uniquely identifies the playbook.
impact counter An integer that represents the impact the playbook has on the organization from 0 to 100. A value of 0 means specifically undefined. Values range from 1, the lowest impact, to a value of 100, the highest. For example, a purely investigative playbook that is non-invasive would have a low impact value of 1, whereas a playbook that performs changes such as adding rules into a firewall would have a higher impact value.
label text An optional set of terms, labels or tags associated with this playbook (e.g., aliases of adversary groups or operations that this playbook is related to).
modified datetime The time that this particular version of the playbook was last modified.
organization-type text Type of an organization, that the playbook is intended for. This can be an industry sector.
playbook attachment The whole playbook in its native format (e.g., CACAO JSON). Producers and consumers of playbooks use this property to share and retrieve playbooks.
playbook-abstraction text Identifies the level of completeness of the playbook. ['guideline', 'playbooktemplate', 'playbook', 'partialworkflow', 'fullworkflow', 'fullyscripted']
playbook-standard text Identification of the playbook standard.
playbook-type text The security operational functions the playbook addresses. A playbook may account for multiple types (e.g., detection, investigation). ['notificationplaybook', 'detectionplaybook', 'investigationplaybook', 'preventionplaybook', 'mitigationplaybook', 'remediationplaybook', 'attackplaybook']
priority counter An integer that represents the priority of this playbook relative to other defined playbooks. A value of 0 means specifically undefined. Values range from 1, the highest priority, to a value of 100, the lowest.
revoked boolean A boolean that identifies if the playbook creator deems that this playbook is no longer valid. ['True', 'False']
severity counter A positive integer that represents the seriousness of the conditions that this playbook addresses. A value of 0 means specifically undefined. Values range from 1, the lowest severity, to a value of 100, the highest.
valid-from datetime The time from which the playbook is considered valid and the steps that it contains can be executed.
valid-until datetime The time at which this playbook should no longer be considered a valid playbook to be executed.
shell-commands
Object describing a series of shell commands executed. This object can be linked with malicious files in order to describe a specific execution of shell commands.
shell-commands is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
comment text Comment associated to the shell commands executed.
language text Scripting language used for the shell commands executed. ['PowerShell', 'VBScript', 'Bash', 'Lua', 'JavaScript', 'AppleScript', 'AWK', 'Python', 'Perl', 'Ruby', 'Winbatch', 'AutoIt', 'PHP']
script text Free text of the script if available which executed the shell commands.
shell-command text
state text Known state of the script. ['Malicious', 'Unknown', 'Harmless', 'Trusted']
shodan-report
Shodan Report for a given IP.
shodan-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
banner text server banner reported
hostname domain Hostnames found
ip ip-dst IP Address Queried
org text Associated Organization
port port Listening Port
text text A description of the report
short-message-service
Short Message Service (SMS) object template describing one or more SMS message. Restriction of the initial format 3GPP 23.038 GSM character set doesn’t apply.
short-message-service is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple
body text Message body of the SMS
from phone-number Phone number used to send the SMS
name text Sender name
phone-company text Phone company of the number used to send the SMS
received-date datetime Received date of the SMS
sent-date datetime Initial sent date of the SMS
smsc phone-number SMS Message Center
to phone-number Phone number receiving the SMS
url-rfc5724 url url representing SMS using RFC 5724 (not url contained in the SMS which should use an url object)

shortened-link

Shortened link and its redirect target.

shortened-link is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
credential | text | Credential (username, password)
domain | domain | Full domain
first-seen | datetime | First time this shortened URL has been seen
redirect-url | url | Redirected to URL
shortened-url | url | Shortened URL
text | text | Description and context of the shortened URL

social-media-group

Social media group object template describing a public or private group or channel.

social-media-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
administrator | text | A user account who is an owner or admin of the group.
archive | link | Archive of the original group (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts, group members, etc.
description | text | A description of the group, channel or community.
embedded-link | url | Link embedded in the group description (potentially malicious).
embedded-safe-link | link | Link embedded in the group description (supposed safe).
group-alias | text | Aliases of group, channel or community.
group-name | text | The name of the group, channel or community.
hashtag | text | Hashtag used to identify or promote the group.
link | link | Original link into the group (supposed harmless).
person-name | text | A person who is a member of the group.
platform | text | The social media platform used. ['Facebook', 'Twitter']
url | url | Original URL location of the group (potentially malicious).
username | text | A user account who is a member of the group.

splunk

Splunk / Splunk ES object.

splunk is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | comment | Description
drill-down | text | Drilldown
earliest | text | Earliest time
latest | text | Latest time
response-action | text | Response action ['notable', 'risk']
schedule | other | Schedule
search | text | Search / Correlation search

ss7-attack

SS7 object of an attack seen on a GSM, UMTS or LTE network via SS7 logging.

ss7-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
Category | text | Category ['Cat0', 'Cat1', 'Cat2.1', 'Cat2.2', 'Cat3.1', 'Cat3.2', 'Cat3.3', 'CatSMS', 'CatSpoofing']
GtAssignee | text | GT Assignee this is the party that got the GT range assigned by their Regulator.
GtLessee | text | GT Lessee is a third party who will use a leased global title from a GT Lessor.
GtLessor | text | GT Lessor is a GT Assignee that has decided to lease one or more of their GTs to a third party, the GT Lessee, typically on a commercial basis.
GtSubLessee | text | GT Sub-Lessee – this is an additional third party who has entered into an agreement with the GT Lessee to sub-lease a GT from them.
MapApplicationContext | text | MAP application context in OID format.
MapGmlc | text | MAP GMLC. Phone number.
MapGsmscfGT | text | MAP GSMSCF GT. Phone number.
MapImsi | text | MAP IMSI. Phone number starting with MCC/MNC.
MapMscGT | text | MAP MSC GT. Phone number.
MapMsisdn | text | MAP MSISDN. Phone number.
MapOpCode | text | MAP operation codes - Decimal value between 0-99.
MapSmsTP-DCS | text | MAP SMS TP-DCS.
MapSmsTP-OA | text | MAP SMS TP-OA. Phone number.
MapSmsTP-PID | text | MAP SMS TP-PID.
MapSmsText | text | MAP SMS Text. Important indicators in SMS text.
MapSmsTypeNumber | text | MAP SMS TypeNumber.
MapSmscGT | text | MAP SMSC. Phone number.
MapUssdCoding | text | MAP USSD Content.
MapUssdContent | text | MAP USSD Content.
MapVersion | text | Map version. ['1', '2', '3']
MapVlrGT | text | MAP VLR GT. Phone number.
SccpCdGT | text | Signaling Connection Control Part (SCCP) CdGT - Phone number.
SccpCdPC | text | Signaling Connection Control Part (SCCP) CdPC - Phone number.
SccpCdSSN | text | Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
SccpCgGT | text | Signaling Connection Control Part (SCCP) CgGT - Phone number.
SccpCgPC | text | Signaling Connection Control Part (SCCP) CgPC - Phone number.
SccpCgSSN | text | Signaling Connection Control Part (SCCP) - Decimal value between 0-255.
first-seen | datetime | When the attack has been seen for the first time.
text | text | A description of the attack seen via SS7 logging.

ssh-authorized-keys

An object to store ssh authorized keys file.

ssh-authorized-keys is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
first-seen | datetime | First time the ssh authorized keys file has been seen
full-line | text | One full-line of the authorized key file
hostname | hostname | hostname
ip | ip-dst | IP Address
key | text | Public key in base64 as found in the authorized key file
key-id | text | Key-id and option part of the public key line
last-seen | datetime | Last time the ssh authorized keys file has been seen
text | text | A description of the ssh authorized keys

stix2-pattern

An object describing a STIX pattern. The object can be linked via a relationship to other attributes or objects to describe how it can be represented as a STIX pattern.

stix2-pattern is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | comment | A description of the stix2-pattern.
stix2-pattern | stix2-pattern | STIX 2 pattern
version | text | Version of STIX 2 pattern. ['stix 2.0']

submarine

Submarine description.

submarine is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
active | counter | The number of submarines of this class in active service
armament | text | Armaments carried by the submarine
beam | float | The beam measurement of the submarine in meters
builders | text | The organisation building this class of submarines
cancelled | counter | The number of submarines of this class cancelled
class | text | Submarine class
complement | counter | Crew size
completed | counter | The number of submarines of this class built
displacement | counter | Displacement in tonns
draught | float | The draught measurement of the submarine in meters
endurance | counter | Expected submerged endurance in days
in_service_from | counter | The year the submarine entered service
in_service_until | counter | The year the submarine left service
length | float | The length measurement of the submarine in meters
operator | text | The countries operating such vessels (can be multiple)
planned | counter | The number of submarines of this class planned to be built
predecessor | text | Predecessor class
propulsion | text | The propulsion of the submarine, add multiple if applicable
retired | counter | The number of submarines of this class that has been retired
speed_submerged | float | Surfaced top speed in knots
speed_surfaced | float | Surfaced top speed in knots
successor | text | Successor class
type | text | Submarine type ['Ballistic missile submarine', 'Cruise missile submarine', 'Nuclear-powered attack submarine', 'Non-nuclear attack submarine with air-independent propulsion', 'Diesel-electric attack submarine', 'Midget submarine', 'Special mission submarine']

suricata

An object describing one or more Suricata rule(s) along with version and contextual information.

suricata is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | comment | A description of the Suricata rule(s).
ref | link | Reference to the Suricata rule such as origin of the rule or alike.
suricata | snort | Suricata rule.
version | text | Version of the Suricata rule depending where the suricata rule is known to work as expected.

target-system

Description about a targeted system, this could potentially be a compromised internal system.

target-system is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
targeted_ip_of_system | ip-src | Targeted system IP address
targeted_machine | target-machine | Targeted system
timestamp_seen | datetime | Registered date and time

telegram-account

Information related to a telegram account.

telegram-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
first_name | text | First name
id | text | Telegram user identifier
last_name | text | Last name
phone | text | Phone associated with the telegram user
username | text | Telegram username
verified | text | Verified

temporal-event

A temporal event consists of some temporal and spacial boundaries. Spacial boundaries can be physical, virtual or hybrid.

temporal-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | text | Free text description of the temporal event.
link | link | Link or reference to the temporal event mentioned.
summary | text | One line summary of the temporal event.
type | text | Type of temporal event. ['Physical Event', 'Virtual Event', 'Hybrid Event', 'Unknown']

threatgrid-report

ThreatGrid report.

threatgrid-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
analysis_submitted_at | text | Submission date
heuristic_raw_score | text | heuristic_raw_score
heuristic_score | text | heuristic_score
id | text | ThreatGrid ID
iocs | text | iocs
original_filename | text | Original filename
permalink | text | permalink
threat_score | text | threat_score

timecode

Timecode object to describe a start of video sequence (e.g. CCTV evidence) and the end of the video sequence.

timecode is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | text | Description of the video sequence
end-marker-timecode | text | End marker timecode in the format hh:mm:ss;ff
end-timecode | text | End marker timecode in the format hh:mm:ss.mms
recording-date | datetime | Date of recording of the video sequence
start-marker-timecode | text | Start marker timecode in the format hh:mm:ss;ff
start-timecode | text | Start marker timecode in the format hh:mm:ss.mms

timesketch-timeline

A timesketch timeline object based on mandatory field in timesketch to describe a log entry.

timesketch-timeline is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
datetime | datetime | When the log entry was seen
message | text | Informative message of the event
timestamp | text | When the log entry was seen in microseconds since Unix epoch
timestamp_desc | text | Text explaining what type of timestamp is it

timesketch_message

A timesketch message entry.

timesketch_message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
datetime | datetime | datetime of the message
message | text | message

timestamp

A generic timestamp object to represent time including first time and last time seen. Relationship will then define the kind of time relationship.

timestamp is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
first-seen | datetime | First time that the linked object or attribute has been seen.
last-seen | datetime | First time that the linked object or attribute has been seen.
precision | text | Timestamp precision represents the precision given to first_seen and/or last_seen in this object. ['year', 'month', 'day', 'hour', 'minute', 'full']
text | text | Description of the time object.

tor-hiddenservice

Tor hidden service (onion service) object.

tor-hiddenservice is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address | text | onion address of the Tor node seen.
description | text | Tor onion service comment.
first-seen | datetime | When the Tor hidden service was seen for the first time.
last-seen | datetime | When the Tor hidden service was seen for the last time.

tor-node

Tor node (which protects your privacy on the internet by hiding the connection between users' Internet address and the services used by the users) description which are part of the Tor network at a time.

tor-node is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
address | ip-src | IP address of the Tor node seen.
description | text | Tor node description.
document | text | Raw document from the consensus.
fingerprint | text | router’s fingerprint.
first-seen | datetime | When the Tor node designed by the IP address has been seen for the first time.
flags | text | list of flag associated with the node.
last-seen | datetime | When the Tor node designed by the IP address has been seen for the last time.
nickname | text | router’s nickname.
published | datetime | router’s publication time. This can be different from first-seen and last-seen.
text | text | Tor node comment.
version | text | parsed version of tor, this is None if the relay’s using a new versioning scheme.
version_line | text | versioning information reported by the node.

tracking-id

Analytics and tracking ID such as used in Google Analytics or other analytic platform.

tracking-id is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | text | Description of the tracking id.
first-seen | datetime | First time the tracking code was seen.
hostname | hostname | Hostname where the tracking id was found (assumed safe).
id | text | Tracking code.
last-seen | datetime | Last time the tracking code was seen.
tracker | text | Name of the tracker - organisation doing the tracking and/or analytics. ['Google Analytics', 'Piwik', 'Kissmetrics', 'Woopra', 'Chartbeat']
url | url | URL where the tracking id was found (potentially malicious).

transaction

An object to describe a financial transaction.

transaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
amount | text | The value of the transaction in local currency.
authorized | text | Person who authorized the transaction.
date | datetime | Date and time of the transaction.
date-posting | datetime | Date of posting, if different from date of transaction.
from-country | text | Origin country of a transaction.
from-funds-code | text | Type of funds used to initiate a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
location | text | Location where the transaction took place.
teller | text | Person who conducted the transaction.
text | text | A description of the transaction.
to-country | text | Target country of a transaction.
to-funds-code | text | Type of funds used to finalize a transaction. ['A Deposit', 'C Currency exchange', 'D Casino chips', 'E Bank draft', 'F Money order', 'G Traveler’s cheques', 'H Life insurance policy', 'I Real estate', 'J Securities', 'K Cash', 'O Other', 'P Cheque']
transaction-number | text | A unique number identifying a transaction.
transmode-code | text | How the transaction was conducted.
transmode-comment | text | Comment describing transmode-code, if needed.

translation

Used to keep a text and its translation.

translation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
original-language | text | Language of the original text ['Mandarin (language family)', 'Spanish', 'English', 'Hindi', 'Bengali', 'Portuguese', 'Russian', 'Japanese', 'Western Punjabi', 'Marathi', 'Telugu', 'Wu (language family)', 'Turkish', 'Korean', 'French', 'German', 'Vietnamese', 'Tamil', 'Yue (language family)', 'Urdu', 'Javanese', 'Italian', 'Egyptian Arabic', 'Gujarati', 'Iranian Persian', 'Bhojpuri', 'Min Nan (language family)', 'Hakka', 'Jinyu', 'Hausa', 'Kannada', 'Indonesian (Indonesian Malay)', 'Polish', 'Yoruba', 'Xiang Chinese (language family)', 'Malayalam', 'Odia', 'Maithili', 'Burmese', 'Eastern Punjabi', 'Sunda', 'Sudanese Arabic', 'Algerian Arabic', 'Moroccan Arabic', 'Ukrainian', 'Igbo', 'Northern Uzbek', 'Sindhi', 'North Levantine Arabic', 'Romanian', 'Tagalog', 'Dutch', 'Saʽidi Arabic', 'Gan', 'Amharic', 'Northern Pashto', 'Magahi', 'Thai', 'Saraiki', 'Khmer', 'Chhattisgarhi', 'Somali', 'Malay (Malaysian Malay)', 'Cebuano', 'Nepali', 'Mesopotamian Arabic', 'Assamese', 'Sinhala', 'Northern Kurdish', 'Hejazi Arabic', 'Nigerian Fulfulde', 'South Azerbaijani', 'Greek', 'Chittagonian', 'Kazakh', 'Deccan', 'Hungarian', 'Kinyarwanda', 'Zulu', 'South Levantine Arabic', 'Tunisian Arabic', 'Sanaani Spoken Arabic', 'Min Bei Chinese (language family)', 'Southern Pashto', 'Rundi', 'Czech', 'Taʽizzi-Adeni Arabic', 'Uyghur', 'Min Dong Chinese (language family)', 'Sylheti ']
original-text | text | Original text
translated-text | text | Text after translation
translation-language | text | Language of translation ['Mandarin (language family)', 'Spanish', 'English', 'Hindi', 'Bengali', 'Portuguese', 'Russian', 'Japanese', 'Western Punjabi', 'Marathi', 'Telugu', 'Wu (language family)', 'Turkish', 'Korean', 'French', 'German', 'Vietnamese', 'Tamil', 'Yue (language family)', 'Urdu', 'Javanese', 'Italian', 'Egyptian Arabic', 'Gujarati', 'Iranian Persian', 'Bhojpuri', 'Min Nan (language family)', 'Hakka', 'Jinyu', 'Hausa', 'Kannada', 'Indonesian (Indonesian Malay)', 'Polish', 'Yoruba', 'Xiang Chinese (language family)', 'Malayalam', 'Odia', 'Maithili', 'Burmese', 'Eastern Punjabi', 'Sunda', 'Sudanese Arabic', 'Algerian Arabic', 'Moroccan Arabic', 'Ukrainian', 'Igbo', 'Northern Uzbek', 'Sindhi', 'North Levantine Arabic', 'Romanian', 'Tagalog', 'Dutch', 'Saʽidi Arabic', 'Gan', 'Amharic', 'Northern Pashto', 'Magahi', 'Thai', 'Saraiki', 'Khmer', 'Chhattisgarhi', 'Somali', 'Malay (Malaysian Malay)', 'Cebuano', 'Nepali', 'Mesopotamian Arabic', 'Assamese', 'Sinhala', 'Northern Kurdish', 'Hejazi Arabic', 'Nigerian Fulfulde', 'South Azerbaijani', 'Greek', 'Chittagonian', 'Kazakh', 'Deccan', 'Hungarian', 'Kinyarwanda', 'Zulu', 'South Levantine Arabic', 'Tunisian Arabic', 'Sanaani Spoken Arabic', 'Min Bei Chinese (language family)', 'Southern Pashto', 'Rundi', 'Czech', 'Taʽizzi-Adeni Arabic', 'Uyghur', 'Min Dong Chinese (language family)', 'Sylheti ']
translation-service | text | translation service used for the translation ['Google Translate', 'Microsoft Translator', 'Babelfish', 'Reverso', 'Dict.cc', 'Linguee', 'unknown']
translation-type | text | type of translation ['Automated translation', 'Manual translation']

trustar_report

TruStar Report.

trustar_report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
BITCOIN_ADDRESS | btc | A bitcoin address is an identifier of 26-35 alphanumeric characters, beginning with the number 1 or 3, that represents a possible destination for a bitcoin payment.
CIDR_BLOCK | ip-src | CIDR (Classless Inter-Domain Routing) identifies a range of IP addresses, and was introduced as a way to allow more flexible allocation of Internet Protocol (IP) addresses than was possible with the original system of IP address classes.
COMMENTS | text | A space for additional comments.
CVE | vulnerability | The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly known information-security vulnerabilities and exposures.
EMAIL_ADDRESS | email-src | An email address is a unique identifier for an email account.
INDICATOR_SUMMARY | text | Free text summary data related to an indicator. This should include a normalized score if one exists.
IP | ip-dst | An Internet Protocol address (IP address) is a numerical label assigned to each device participating in a computer network that uses the Internet Protocol for communication.
MALWARE | malware-type | Names of software that are intended to damage or disable computers and computer systems.
MD5 | md5 | The MD5 algorithm is a widely used hash function producing a 128-bit hash value.
REGISTRY_KEY | regkey | The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows.
REPORT_LINK | link | A link to the TruSTAR report. Access may be restricted depending on user permissions.
SHA1 | sha1 | SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest - typically rendered as a hexadecimal number, 40 digits long. SHA-1 is prone to length extension attacks.
SHA256 | sha256 | SHA-256 is a member of the SHA-2 cryptographic hash functions designed by the NSA, which are the successors to SHA-1. It is represented as a 64-character hexadecimal string.
SOFTWARE | filename | The name of a file on a filesystem.
THREAT_ACTOR | threat-actor | A string identifying the threat actor.
URL | url | A Uniform Resource Locator (URL) is a reference to a web resource that specifies its location on a computer network and a mechanism for retrieving it.

tsk-chats

An Object Template to gather information from evidential or interesting exchange of messages identified during a digital forensic investigation.

tsk-chats is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
Source | text | Source of the message. (Contact details)
additional-comments | text | Comments.
app-used | text | Application used to send the message.
attachments | link | External references
datetime-received | datetime | date and time when the message was received.
datetime-sent | datetime | date and the time when the message was sent.
destination | text | Destination of the message. (Contact details)
message | text | Message exchanged.
message-type | text | the type of message extracted from the forensic-evidence. ['SMS', 'MMS', 'Instant Message (IM)', 'Voice Message']
subject | text | Subject of the message if any.

tsk-web-bookmark

An Object Template to add evidential bookmarks identified during a digital forensic investigation.

tsk-web-bookmark is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
URL | link | The URL saved as bookmark.
additional-comments | text | Comments.
browser | text | Browser used to access the URL. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium']
datetime-bookmarked | datetime | date and time when the URL was added to favorites.
domain-ip | ip-src | IP of the URL domain.
domain-name | text | Domain of the URL.
name | text | Book mark name.
title | text | Title of the webpage

tsk-web-cookie

A TSK-Autopsy Object Template to represent cookies identified during a forensic investigation.

tsk-web-cookie is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
URL | link | The website URL that created the cookie.
additional-comments | text | Comments.
browser | text | Browser on which the cookie was created. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium']
datetime-created | datetime | date and time when the cookie was created.
domain-ip | ip-src | IP of the domain that created the URL.
domain-name | text | Domain of the URL that created the cookie.
name | text | Name of the cookie
value | text | Value assigned to the cookie.

tsk-web-downloads

An Object Template to add web-downloads.

tsk-web-downloads is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
additional-comments | text | Comments.
attachment | attachment | The downloaded file itself.
datetime-accessed | datetime | date and time when the file was downloaded.
name | text | Name of the file downloaded.
path-downloadedTo | text | Location the file was downloaded to.
pathID | text | Id of the attribute file where the information is gathered from.
url | url | The URL used to download the file.

tsk-web-history

An Object Template to share web history information.

tsk-web-history is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
URL | link | The URL accessed.
additional-comments | text | Comments.
browser | text | Browser used to access the URL. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium']
datetime-accessed | datetime | date and the time when the URL was accessed.
domain-ip | ip-src | IP of the URL domain.
domain-name | text | Domain of the URL.
referrer | text | where the URL was referred from
title | text | Title of the webpage

tsk-web-search-query

An Object Template to share web search query information.

tsk-web-search-query is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
additional-comments | text | Comments.
browser | text | Browser used. ['IE', 'Safari', 'Chrome', 'Firefox', 'Opera mini', 'Chromium']
datetime-searched | datetime | date and time when the search was conducted.
domain | text | The domain of the search engine. ['Google', 'Yahoo', 'Bing', 'Alta Vista', 'MSN']
text | text | the search word or sentence.
username | text | User name or ID associated with the search.

twitter-account

Twitter account.

twitter-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the account (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts etc.
bio | text | Displayed biography of the user.
description | text | A description of the user.
displayed-name | text | Displayed name.
embedded-link | url | Link embedded in the user description (potentially malicious).
embedded-safe-link | link | Link embedded in the user description (supposed safe).
followers | text | Number of followers.
following | text | Number of accounts this account is following.
hashtag | text | Hashtag embedded in the user description.
id | text | Numeric account id.
joined-date | datetime | When the account was created
likes | text | Number of likes this account has.
link | link | Original link to the user (supposed harmless).
listed | text | Number of lists the user is on.
location | text | User description of location.
media | text | Number of images and videos posted.
name | text | User’s screen name (without the @).
private | text | User verified. ['True', 'False']
profile-banner | attachment | A screenshot or exported user avatar.
profile-banner-url | url | A link to the user’s background image.
profile-image | attachment | A screenshot or exported user avatar.
profile-image-url | url | A link to the user’s avatar.
tweets | text | Number of tweets posted.
twitter-followers | text | followers accounts of interest
twitter-following | text | following accounts of interest
url | url | Original URL location of the user (potentially malicious).
verified | text | User verified. ['True', 'False']

twitter-list

Twitter list.

twitter-list is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the account (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts etc.
description | text | A description of the list.
embedded-link | url | Link embedded in the description (potentially malicious).
embedded-safe-link | link | Link embedded in the description (supposed safe).
hashtag | text | Hashtag embedded in the description.
id | text | Numeric list id.
link | link | Original link to the list (supposed harmless).
member-count | text | Number of accounts following this list.
name | text | List’s screen name (without the @).
subscriber-count | text | Number of accounts subscribing to this list.
url | url | Original URL location of the list (potentially malicious).
user-id | text | Id of the account that manages this list.
user-name | text | Name of the account that manages this list (without the @).
twitter-post
Twitter post (tweet).
twitter-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original tweet (Internet Archive, Archive.is, etc).
attachment | attachment | The tweet file or screen capture.
created-at | datetime | Datetime of Tweet publication
embedded-link | url | Link in the tweet
embedded-safe-link | link | Safe link in the tweet
favorite-count | text | Number of favorites.
geo | text | Geolocation data.
hashtag | text | Hashtag embedded in the tweet
in-reply-to-display-name | text | The user display name of the tweet this post shares.
in-reply-to-status-id | text | The twitter ID of the tweet that this post shares.
in-reply-to-user-id | text | The user ID of the tweet this post shares.
language | text | The language of the post.
link | link | Original link to the post (supposed harmless).
media | attachment | Media (Photos, videos) present in tweet
name | text | Name of the account that posted this tweet.
possibly-sensitive | text | Does this post contain sensitive content?
possibly-sensitive-appealable | text | Is the sensitive content of this post appealable?
post | text | Raw text of the post.
post-id | text | Numeric id of the tweet.
removal-date | datetime | When the tweet was removed.
retweet-count | text | Number of retweets.
source | text | Source of tweet (android, web etc).
url | url | Original URL of the tweet, e.g. link shortener (potentially malicious).
user-id | text | Id of the account that posted this tweet.
username-quoted | text | Username who is quoted in the tweet.
url
url object describes an url along with its normalized field (like extracted using faup parsing library) and its metadata.
url is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
credential | text | Credential (username, password)
domain | domain | Full domain
domain_without_tld | text | Domain without Top-Level Domain
first-seen | datetime | First time this URL has been seen
fragment | text | Fragment identifier is a short string of characters that refers to a resource that is subordinate to another, primary resource.
host | hostname | Full hostname
ip | ip-dst | Better type when the host is an IP.
last-seen | datetime | Last time this URL has been seen
port | port | Port number
query_string | text | Query (after path, preceded by '?')
resource_path | text | Path (between hostname:port and query)
scheme | text | Scheme ['http', 'https', 'ftp', 'gopher', 'sip']
subdomain | text | Subdomain
text | text | Description of the URL
tld | text | Top-Level Domain
url | url | Full URL
user-account
User-account object, defining aspects of user identification, authentication, privileges and other relevant data points.
user-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
account-type | text | Type of the account. ['facebook', 'ldap', 'nis', 'openid', 'radius', 'skype', 'tacacs', 'twitter', 'unix', 'windows-local', 'windows-domain']
can_escalate_privs | boolean | Specifies if the account has the ability to escalate privileges. ['True', 'False']
created | datetime | Creation time of the account.
description | text | A description of the user account.
disabled | boolean | Specifies if the account is disabled. ['True', 'False']
display-name | text | Display name of the account.
expires | datetime | Expiration time of the account
first_login | datetime | First time someone logged in to the account.
group | text | UNIX group(s) the account is member of.
group-id | text | Identifier of the primary group of the account, in case of a UNIX account.
home_dir | text | Home directory of the UNIX account.
is_service_account | boolean | Specifies if the account is associated with a network service. ['True', 'False']
last_login | datetime | Last time someone logged in to the account.
link | link | Original link into the account page (Supposed harmless)
password | text | Password related to the username.
password_last_changed | datetime | Last time the password has been changed.
privileged | boolean | Specifies if the account has privileges such as root rights. ['True', 'False']
shell | text | UNIX command shell of the account.
user-avatar | attachment | A user profile picture or avatar.
user-id | text | Identifier of the account.
username | text | Username related to the password.
vehicle
Vehicle object template to describe vehicle information and registration.
vehicle is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
date-first-registration | text | Date of first registration
description | text | Description of the vehicle
dyno-power | text | Dyno power output
exterior-color | text | Exterior color of the vehicle
gearbox | text | Gearbox
image | attachment | Image of the vehicle.
image-url | text | Image URL
indicative-value | text | Indicative value
interior-color | text | Interior color of the vehicle
license-plate-number | text | License plate number
make | text | Manufacturer of the vehicle
model | text | Model of the vehicle
state | text | State of the vehicle (stolen or recovered)
type | text | Type of the vehicle ['car', 'bus', 'caravan', 'bicycle', 'boat', 'taxi', 'campervan', 'motorcycle', 'truck', 'scooter', 'tractor', 'trailer', 'van']
vin | text | Vehicle identification number (VIN)
victim
Victim object describes the target of an attack or abuse.
victim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
classification | text | The type of entity being targeted. ['individual', 'group', 'organization', 'class', 'unknown']
description | text | Description of the victim
domain | domain | Domain name of the organisation targeted.
email | target-email | The email address(es) of the user targeted.
external | target-external | External target organisations affected by this attack.
ip-address | ip-dst | IP address(es) of the node targeted.
name | target-org | The name of the department(s) or organisation(s) targeted.
node | target-machine | Name(s) of node that was targeted.
reference | text | External reference to the victim/case.
regions | target-location | The list of regions or locations from the victim targeted. ISO 3166 should be used.
roles | text | The list of roles targeted within the victim.
sectors | text | The list of sectors that the victim belongs to ['agriculture', 'aerospace', 'automotive', 'communications', 'construction', 'defence', 'education', 'energy', 'engineering', 'entertainment', 'financial services', 'government national', 'government regional', 'government local', 'government public services', 'healthcare', 'hospitality leisure', 'infrastructure', 'insurance', 'manufacturing', 'mining', 'nonprofit', 'pharmaceuticals', 'retail', 'technology', 'telecommunications', 'transportation', 'utilities']
user | target-user | The username(s) of the user targeted.
virustotal-graph
VirusTotal graph.
virustotal-graph is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
access | text | Access to the VirusTotal graph ['Private', 'Public']
comment | text | Comment related to this VirusTotal graph
permalink | link | Permalink Reference to the VirusTotal graph
screenshot | attachment | Screenshot of the VirusTotal graph
virustotal-report
VirusTotal report.
virustotal-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | text | Comment related to this hash
community-score | text | Community Score
detection-ratio | text | Detection Ratio
first-submission | datetime | First Submission
last-submission | datetime | Last Submission
permalink | link | Permalink Reference
vulnerability
Vulnerability object describing a common vulnerability enumeration which can describe published, unpublished, under review or embargo vulnerability for software, equipment or hardware.
vulnerability is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
created | datetime | First time when the vulnerability was discovered
credit | text | Who reported/found the vulnerability such as an organisation, person or nickname.
cvss-score | float | Score of the Common Vulnerability Scoring System (version 3).
cvss-string | text | String of the Common Vulnerability Scoring System (version 3).
description | text | Description of the vulnerability
id | vulnerability | Vulnerability ID (generally CVE, but not necessarily). The id is not required as the object itself has an UUID and the CVE id can be updated or assigned later.
modified | datetime | Last modification date
published | datetime | Initial publication date
references | link | External references
state | text | State of the vulnerability. A vulnerability can have multiple states depending on the current actions performed. ['Published', 'Embargo', 'Reviewed', 'Vulnerability ID Assigned', 'Reported', 'Fixed']
summary | text | Summary of the vulnerability
vulnerable-configuration | cpe | The vulnerable configuration is described in CPE format
weakness
Weakness object describing a common weakness enumeration which can describe usable, incomplete, draft or deprecated weakness for software, equipment or hardware.
weakness is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
description | text | Description of the weakness.
id | weakness | Weakness ID (generally CWE).
name | text | Name of the weakness.
status | text | Status of the weakness. ['Incomplete', 'Deprecated', 'Draft', 'Usable']
weakness-abs | text | Abstraction of the weakness. ['Class', 'Base', 'Variant']
whois
Whois records information for a domain name or an IP address.
whois is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | text | Comment of the whois entry
creation-date | datetime | Initial creation of the whois entry
domain | domain | Domain of the whois entry
expiration-date | datetime | Expiration of the whois entry
ip-address | ip-src | IP address of the whois entry
modification-date | datetime | Last update of the whois entry
nameserver | hostname | Nameserver
registrant-email | whois-registrant-email | Registrant email address
registrant-name | whois-registrant-name | Registrant name
registrant-org | whois-registrant-org | Registrant organisation
registrant-phone | whois-registrant-phone | Registrant phone number
registrar | whois-registrar | Registrar of the whois entry
text | text | Full whois entry
windows-service
Windows service and details about a service running on a Windows operating system.
windows-service is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | text | Additional comments.
display | windows-service-displayname | Display name/information of the service.
group | text | Group to which the system/driver belongs. ['Base', 'Boot Bus Extender', 'Boot File System', 'Cryptography', 'Extended base', 'Event Log', 'Filter', 'FSFilter Bottom', 'FSFilter Infrastructure', 'File System', 'FSFilter Virtualization', 'Keyboard Port', 'Network', 'NDIS', 'Parallel arbitrator', 'Pointer Port', 'PnP Filter', 'ProfSvc_Group', 'PNP_TDI', 'SCSI Miniport', 'SCSI CDROM Class', 'System Bus Extender', 'Video Save', 'other']
image-path | text | Path of the service/drive
name | windows-service-name | name of the service
start | text | When the service/driver starts or executes. ['Boot start', 'System start', 'Auto start', 'Manual', 'Disabled']
type | text | Service/driver type. ['Kernel driver', 'File system driver', 'Own process', 'Share process', 'Interactive', 'Other']
x509
x509 object describing an X.509 certificate.
x509 is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
dns_names | hostname | Subject Alternative Name - DNS names
email | email-dst | Subject Alternative Name - emails
ip | ip-dst | Subject Alternative Name - IP
is_ca | boolean | CA certificate ['True', 'False']
issuer | text | Issuer of the certificate
pem | text | Raw certificate in PEM format (Unix-like newlines)
pubkey-info-algorithm | text | Algorithm of the public key
pubkey-info-exponent | text | Exponent of the public key - in decimal
pubkey-info-modulus | text | Modulus of the public key - in Hexadecimal - no 0x, no :
pubkey-info-size | text | Length of the public key (in bits expressed in decimal: eg. 256 bits)
raw-base64 | text | Raw certificate base64 encoded (DER format)
rid | text | Subject Alternative Name - RID
self_signed | boolean | Self-signed certificate ['True', 'False']
serial-number | text | Serial number of the certificate
signature_algorithm | text | Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION']
subject | text | Subject of the certificate
text | text | Free text description of the certificate
uri | uri | Subject Alternative Name - URI
validity-not-after | datetime | Certificate invalid after that date
validity-not-before | datetime | Certificate invalid before that date
version | text | Version of the certificate
x509-fingerprint-md5 | x509-fingerprint-md5 | [Insecure] MD5 hash (128 bits)
x509-fingerprint-sha1 | x509-fingerprint-sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits)
x509-fingerprint-sha256 | x509-fingerprint-sha256 | Secure Hash Algorithm 2 (256 bits)
yabin
yabin.py generates Yara rules from function prologs, for matching and hunting binaries. ref: https://github.com/AlienVault-OTX/yabin.
yabin is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | comment | A description of Yara rule generated.
version | comment | yabin.py and regex.txt version used for the generation of the yara rules.
whitelist | comment | Whitelist name used to generate the rules.
yara | yara | Yara rule generated from -y.
yara-hunt | yara | Wide yara rule generated from -yh.
yara
An object describing a YARA rule (or a YARA rule name) along with its version.
yara is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
comment | comment | A description of the YARA rule.
context | text | Context where the YARA rule can be applied ['all', 'disk', 'memory', 'network']
version | text | Version of the YARA rule depending where the yara rule is known to work as expected. ['3.7.1']
yara | yara | YARA rule.
yara-rule-name | text | YARA rule name.
youtube-channel
A YouTube channel.
youtube-channel is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
about | text | About page of the channel.
archive | link | Archive of the channel (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts etc.
channel-avatar | attachment | A screen capture or exported channel avatar.
channel-banner | attachment | A screen capture or exported channel header.
channel-id | text | Channel id.
channel-name | text | Channel name.
description | text | A description of the channel.
featured-channel | text | Featured channel names.
link | link | Original link to the channel page (supposed harmless).
url | url | Original URL location of the page (potentially malicious).
youtube-comment
A YouTube video comment.
youtube-comment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original comment (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported comment.
channel-name | text | The name of the channel where it was posted.
comment | text | The raw text of the YouTube video comment.
description | text | A description of the comment.
embedded-link | url | Link embedded in the comment (potentially malicious).
embedded-safe-link | link | Link embedded in the comment (supposed safe).
hashtag | text | Hashtag used in the comment.
link | link | Original link to the comment (supposed harmless).
url | url | Original URL location of the comment (potentially malicious).
user-account | text | The user account that commented on the YouTube video.
username-quoted | text | Username who are quoted in the comment.
video-title | text | The title of the YouTube video.
youtube-playlist
A YouTube playlist.
youtube-playlist is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the playlist (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported list of contacts etc.
description | text | A description of the playlist.
link | link | Original link to the playlist page (supposed harmless).
playlist-id | text | Playlist id.
playlist-name | text | Playlist name.
url | url | Original URL location of the page (potentially malicious).
video-link | link | Link to the video in playlist (supposed harmless).
youtube-video
A YouTube video.
youtube-video is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple
archive | link | Archive of the original YouTube video (Internet Archive, Archive.is, etc).
attachment | attachment | A screen capture or exported YouTube video.
channel-name | text | The name of the channel where it was posted.
creator | text | The user account that created the YouTube video.
description | text | A description of the YouTube video.
embedded-link | url | Link embedded in the YouTube video description (potentially malicious).
embedded-safe-link | link | Link embedded in the YouTube video description (supposed safe).
hashtag | text | Hashtag used to identify or promote the YouTube video.
link | link | Original link to the YouTube video (supposed harmless).
url | url | Original URL location of the YouTube video (potentially malicious).
username-quoted | text | Username who are quoted in the YouTube video or description.
video-title | text | The title of the YouTube video.
video-transcript | text | The YouTube video transcript (closed captions).
Relationships
Default type of relationships in MISP objects.
Relationships are part of MISP object and available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Name of relationship | Description | Format
derived-from | The information in the target object is based on information from the source object. | ['misp', 'stix-2.0', 'alfred']
executes | This relationship describes an object which executes another object | ['misp']
duplicate-of | The referenced source and target objects are semantically duplicates of each other. | ['misp', 'stix-2.0']
related-to | The referenced source is related to the target object. | ['alfred', 'followthemoney', 'misp', 'stix-2.0']
connected-to | The referenced source is connected to the target object. | ['misp', 'stix-1.1']
connected-from | The referenced source is connected from the target object. | ['misp', 'stix-1.1']
contains | The referenced source is containing the target object. | ['misp', 'stix-1.1', 'alfred']
contained-by | The referenced source is contained by the target object. | ['misp', 'stix-1.1']
contained-within | The referenced source is contained within the target object. | ['misp', 'stix-1.1']
characterized-by | The referenced source is characterized by the target object. | ['misp', 'stix-1.1']
characterizes | The referenced source is characterizing the target object. | ['misp', 'stix-1.1']
properties-queried | The referenced source has queried the target object. | ['misp', 'stix-1.1']
properties-queried-by | The referenced source is queried by the target object. | ['misp', 'stix-1.1']
extracted-from | The referenced source is extracted from the target object. | ['misp', 'stix-1.1']
supra-domain-of | The referenced source is a supra domain of the target object. | ['misp', 'stix-1.1']
sub-domain-of | The referenced source is a sub domain of the target object. | ['misp', 'stix-1.1']
dropped | The referenced source has dropped the target object. | ['misp', 'stix-1.1']
dropped-by | The referenced source is dropped by the target object. | ['misp', 'stix-1.1']
downloaded | The referenced source has downloaded the target object. | ['misp', 'stix-1.1']
downloaded-from | The referenced source has been downloaded from the target object. | ['misp', 'stix-1.1']
resolved-to | The referenced source is resolved to the target object. | ['misp', 'stix-1.1']
attributed-to | This referenced source is attributed to the target object. | ['misp', 'stix-2.0']
targets | This relationship describes that the source object targets the target object. | ['misp', 'stix-2.0']
uses | This relationship describes the use by the source object of the target object. | ['misp', 'stix-2.0', 'alfred']
indicates | This relationship describes that the source object indicates the target object. | ['misp', 'stix-2.0']
mentions | This relationship describes that the source object mentions the target object. | ['misp']
mitigates | This relationship describes a source object which mitigates the target object. | ['misp', 'stix-2.0']
variant-of | This relationship describes a source object which is a variant of the target object | ['misp', 'stix-2.0', 'alfred']
impersonates | This relationship describes a source object which impersonates the target object | ['misp', 'stix-2.0']
retrieved-from | This relationship describes an object retrieved from the target object. | ['misp']
authored-by | This relationship describes the author of a specific object. | ['misp']
is-author-of | This relationship describes an object being authored by someone. | ['misp']
located | This relationship describes the location (of any type) of a specific object. | ['misp']
included-in | This relationship describes an object included in another object. | ['misp']
includes | This relationship describes an object that includes another object. | ['misp']
analysed-with | This relationship describes an object analysed by another object. | ['misp']
claimed-by | This relationship describes an object claimed by another object. | ['misp']
communicates-with | This relationship describes an object communicating with another object. | ['misp']
drops | This relationship describes an object which drops another object | ['misp']
executed-by | This relationship describes an object executed by another object. | ['misp']
affects | This relationship describes an object affected by another object. | ['misp', 'alfred']
beacons-to | This relationship describes an object beaconing to another object. | ['misp', 'alfred']
abuses | This relationship describes an object which abuses another object. | ['misp']
exfiltrates-to | This relationship describes an object exfiltrating to another object. | ['misp', 'alfred']
identifies | This relationship describes an object which identifies another object. | ['misp', 'alfred']
intercepts | This relationship describes an object which intercepts another object. | ['misp', 'alfred']
calls | This relationship describes an object which calls another object. | ['misp']
detected-as | This relationship describes an object which is detected as another object. | ['misp']
followed-by | This relationship describes an object which is followed by another object. This can be used when a time reference is missing but a sequence is known. | ['misp']
preceding-by | This relationship describes an object which is preceded by another object. This can be used when a time reference is missing but a sequence is known. | ['misp']
triggers | This relationship describes an object which triggers another object. | ['misp']
vulnerability-of | This relationship describes an object which is a vulnerability of another object. | ['cert-eu']
works-like | This relationship describes an object which works like another object. | ['cert-eu']
seller-of | This relationship describes an object which is selling another object. | ['cert-eu']
seller-on | This relationship describes an object which is selling on another object. | ['cert-eu']
trying-to-obtain-the-exploit | This relationship describes an object which is trying to obtain the exploit described by another object | ['cert-eu']
used-by | This relationship describes an object which is used by another object. | ['cert-eu']
affiliated | This relationship describes an object which is affiliated with another object. | ['cert-eu']
alleged-founder-of | This relationship describes an object which is the alleged founder of another object. | ['cert-eu']
attacking-other-group | This relationship describes an object which attacks another object. | ['cert-eu']
belongs-to | This relationship describes an object which belongs to another object. | ['cert-eu', 'followthemoney']
business-relations | This relationship describes an object which has business relations with another object. | ['cert-eu']
claims-to-be-the-founder-of | This relationship describes an object which claims to be the founder of another object. | ['cert-eu']
cooperates-with | This relationship describes an object which cooperates with another object. | ['cert-eu']
former-member-of | This relationship describes an object which is a former member of another object. | ['cert-eu']
successor-of | This relationship describes an object which is a successor of another object. | ['cert-eu']
has-joined | This relationship describes an object which has joined another object. | ['cert-eu']
member-of | This relationship describes an object which is a member of another object. | ['cert-eu']
primary-member-of | This relationship describes an object which is a primary member of another object. | ['cert-eu']
administrator-of | This relationship describes an object which is an administrator of another object. | ['cert-eu']
is-in-relation-with | This relationship describes an object which is in relation with another object. | ['cert-eu']
provide-support-to | This relationship describes an object which provides support to another object. | ['cert-eu']
regional-branch | This relationship describes an object which is a regional branch of another object. | ['cert-eu']
similar | This relationship describes an object which is similar to another object. | ['cert-eu']
subgroup | This relationship describes an object which is a subgroup of another object. | ['cert-eu']
suspected-link | This relationship describes an object which is suspected to be linked with another object. | ['misp']
same-as | This relationship describes an object which is the same as another object. | ['misp']
creator-of | This relationship describes an object which is the creator of another object. | ['cert-eu']
developer-of | This relationship describes an object which is a developer of another object. | ['cert-eu']
uses-for-recon | This relationship describes an object which uses another object for recon. | ['cert-eu']
operator-of | This relationship describes an object which is an operator of another object. | ['cert-eu']
overlaps | This relationship describes an object which overlaps another object. | ['cert-eu']
owner-of | This relationship describes an object which owns another object. | ['cert-eu', 'alfred']
publishes-method-for | This relationship describes an object which publishes method for another object. | ['cert-eu']
recommends-use-of | This relationship describes an object which recommends the use of another object. | ['cert-eu']
released-source-code | This relationship describes an object which released source code of another object. | ['cert-eu']
released | This relationship describes an object which releases another object. | ['cert-eu']
exploits | This relationship describes an object (like a PoC/exploit) which exploits another object (such as a vulnerability object). | ['misp']
signed-by | This relationship describes an object signed by another object. | ['misp']
delivered-by | This relationship describes an object delivered by another object (such as exploit kit, dropper). | ['misp']
controls | This relationship describes an object which controls another object. | ['misp']
annotates | This relationship describes an object which annotates another object. | ['misp']
references | This relationship describes an object which references another object or attribute. | ['misp']
child-of | A child semantic link to a parent. | ['alfred']
parent-of | A parent semantic link to a child. | ['alfred', 'misp']
compromised | Represents the semantic link of having compromised something. | ['alfred']
connects | The initiator of a connection. | ['alfred']
connects-to | The destination or target of a connection. | ['alfred']
cover-term-for | Represents the semantic link of one thing being the cover term for another. | ['alfred']
disclosed-to | Semantic link indicating where information is disclosed to. | ['alfred']
downloads | Represents the semantic link of one thing downloading another. | ['alfred']
downloads-from | Represents the semantic link of malware being downloaded from a location. | ['alfred']
generated | Represents the semantic link of an alert generated from a signature. | ['alfred']
implements | One data object implements another. | ['alfred']
initiates | Represents the semantic link of a communication initiating an event. | ['alfred']
instance-of | Represents the semantic link between a FILE and FILE_BINARY. | ['alfred']
issuer-of | Represents the semantic link of being the issuer of something. | ['alfred']
linked-to | Represents the semantic link of being associated with something. | ['alfred', 'followthemoney']
not-relevant-to | Represents the semantic link of a comm that is not relevant to an EVENT. | ['alfred']
part-of | Represents the semantic link that defines one thing to be part of another in a hierarchical structure from the child to the parent. | ['alfred']
processed-by | Represents the semantic link of something has been processed by another program. | ['alfred']
produced | Represents the semantic link of something having produced something else. | ['alfred']
queried-for | The IP Address or domain being queried for. | ['alfred']
query-returned | The IP Address or domain returned as the result of a query. | ['alfred']
registered Represents the semantic link of someone having registered something. ['alfred']
registered-to Represents the semantic link of something being registered to. ['alfred']
relates Represents the semantic link between HBS Comms and communication addresses. ['alfred']
relevant-to Represents the semantic link of a comm that is relevant to an EVENT. ['alfred']
resolves-to Represents the semantic link of resolving to something. ['alfred']
responsible-for Represents the semantic link of some entity being responsible for something. ['alfred']
seeded Represents the semantic link of a seeded domain redirecting to another site. ['alfred']
sends A sends semantic link meaning 'who sends what'. ['alfred']
sends-as-bcc-to A sends to as BCC semantic link meaning 'what sends to who as BCC'. ['alfred']
sends-as-cc-to A sends to as CC semantic link meaning 'what sends to who as CC'. ['alfred']
sends-to A sends to semantic link meaning 'what sends to who'. ['alfred']
spoofer-of Represents the semantic link of having spoofed something. ['alfred']
subdomain-of Represents a domain being a subdomain of another. ['alfred']
supersedes One data object supersedes another. ['alfred']
triggered-on Represents the semantic link of an alert triggered on an event. ['alfred']
uploads Represents the semantic link of one thing uploading another. ['alfred']
user-of Represents the semantic link of being the user of something. ['alfred']
works-for Represents the semantic link of working for something. ['alfred']
works-with Represents an object working with another one. ['misp']
witness-of Represents an object being a witness of something. ['misp']
injects-into Represents an object injecting something into something. ['misp']
injected-into Represents an object which is injected into something. ['misp']
creates Represents an object that creates something. ['misp', 'haxpak']
screenshot-of Represents an object being the screenshot of something. ['misp']
knows Represents an object having the knowledge of another object. ['misp']
describes Represents the semantic link of describing another object. ['misp']
extends Represents the semantic link of extending another object. ['misp']
writes Represents an object which writes towards another object or attribute. ['misp']
ranked-with Represents the semantic link of an asn object being ranked with a bgp-ranking object. ['misp']
owns owns ['followthemoney']
awarded-to awarded-to ['followthemoney']
directs directs ['followthemoney']
involved-in involved-in ['followthemoney']
associated-with associated-with ['followthemoney']
represents represents ['followthemoney']
owes owes ['followthemoney']
preceeds preceeds ['followthemoney']
documents documents ['followthemoney']
paid paid ['followthemoney']
leaks leaks ['misp']
leaked-by leaked-by ['misp']
doxed-by doxed-by ['misp']
alerts alerts about a specific object ['misp']
legal-address-of The referenced source object is the legal address of the target. ['misp']
shipping-address-of The referenced source object is a shipping address of the target. ['misp']
visited The referenced source object visited the target (for example an address). ['misp']
office-of The referenced source object is an office of the target. ['misp']
picture-of The referenced source object is a picture (photo/image) of the target. ['misp']
pictured-by The referenced source object is pictured by the target (photo/image). ['misp']
found-on The referenced source object has been found on the target (device, server). ['misp']
found-in The referenced source object has been found in the target (document). ['misp']
drives The referenced source object drives the target described (often a vehicle). ['misp']