Introduction

MISP logo

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.

MISP objects are used in MISP (starting from version 2.4.80) system and can be used by other information sharing tool. MISP objects are in addition to MISP attributes to allow advanced combinations of attributes. The creation of these objects and their associated attributes are based on real cyber security use-cases and existing practices in information sharing. The objects are just shared like any other attributes in MISP even if the other MISP instances don’t have the template of the object. The following document is generated from the machine-readable JSON describing the MISP objects.

Funding and Support

The MISP project is financially and resource supported by CIRCL Computer Incident Response Center Luxembourg .

CIRCL logo

A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as Improving MISP as building blocks for next-generation information sharing.

CEF funding

If you are interested to co-fund projects around MISP, feel free to get in touch with us.

MISP objects

ADS

An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.

ADS is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

acd-element

text

lists the steps required to generate a representative true positive event which triggers this alert.

additional_resources

url

Any other internal, external, or technical references that may be useful for understanding the ADS.

blind_spots_and_assumptions

text

Recognized issues, assumptions, and areas where an ADS may not fire.

categorization

text

Provides a mapping of the ADS to the relevant entry in the Att&CK.

date

datetime

Enter date, when ADS has been created or edited.

false_positives

text

Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario.

goal

text

Short, plaintext description of the type of behavior the ADS is supposed to detect.

priority

text

Describes the various alerting levels that an ADS may be tagged with.

responses

text

General response steps in the event that this alert fired.

sigma_rule

sigma

Rule in SIGMA format.

strategy_abstract

text

High-level walkthrough of how the ADS functions.

technical_context

text

Detailed information and background needed for a responder to understand all components of the alert.

validation

text

lists the steps required to generate a representative true positive event which triggers this alert.

abuseipdb

AbuseIPDB checks an ip address, domain name, or subnet against a central blacklist.

abuseipdb is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

abuse-confidence-score

integer

Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious

is-malicious

boolean

If the IP is malicious based on the abuse-confidence-score and threshold

is-public

boolean

If an IP is public

is-tor

boolean

If Tor (The Onion Router) was used

is-whitelisted

boolean

If an IP is spotted in any of AbuseIPDB’s whitelists

ai-chat-prompt

Object describing an AI prompt such as ChatGPT.

ai-chat-prompt is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

act-as

text

Act as a specific person. ['Security Analysts', 'Incident Responder', 'IT Expert', 'Cyber Security Specialists', 'Technical Writer']

comment

text

Comment associated to the AI chat prompt.

model

text

AI chatbot model used for the prompt. ['GPT 3.5', 'GPT 4.0', 'GPT 3.0', 'DALL-E', 'Whisper', 'Embeddings', 'Moderation', 'Codex', 'BioGPT', 'LLaMA', 'GPT4ALL', 'Bing AI', 'Google Bard AI']

prompt

text

Prompt text used for a specific AI chat.

result

text

Result ['Unknown', 'Harmless', 'Correct', 'Dangerous', 'Incorrect']

role

text

Role as defined in OpenAI or similar API. ['system', 'user', 'assistant']

ail-leak

An information leak as defined by the AIL Analysis Information Leak framework.

ail-leak is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

duplicate

text

Duplicate of the existing leaks.

duplicate_number

counter

Number of known duplicates.

first-seen

datetime

When the leak has been accessible or seen for the first time.

last-seen

datetime

When the leak has been accessible or seen for the last time.

origin

text

The link where the leak is (or was) accessible at first-seen.

original-date

datetime

When the information available in the leak was created. It’s usually before the first-seen.

raw-data

attachment

Raw data as received by the AIL sensor compressed and encoded in Base64.

sensor

text

The AIL sensor uuid where the leak was processed and analysed.

text

text

A description of the leak which could include the potential victim(s) or description of the leak.

ais

Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.

ais is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

ETA

datetime

Estimated time of arrival at destination

IMO-number

text

IMO ship identification number: a seven digit number that remains unchanged upon transfer of the ship’s registration to another country

MMSI

text

Vessel Maritime Maritime Mobile Service Identity (MMSI): a unique nine digit identification number.

call-sign

text

International radio call-sign, up to 7 characters.

course-over-ground

float

The course of the vessel, relative to true north to 0.1 degree

destination

text

Destination of the vessel in max 20 characters

dimension-a

float

Distance in meters from Forward Perpendicular (FP)

dimension-b

float

Distance in meters from After Perpendicular (AP)

dimension-c

float

Distance in meters inboard from port side

dimension-d

float

Distance in meters inboard from starboard side

draught

float

Draught of ship. 0.1-25.5 meters

first-seen

datetime

When the location was seen for the first time.

last-seen

datetime

When the location was seen for the last time.

latitude

float

The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference.

longitude

float

The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference

name

text

20 characters to represent the name of the vessel

navigational-status

float

  1. at anchor, 2. under command, 3. Restricted Manoeuvrability, etc.

rate-of-turn

text

right or left, from 0 to 720 degrees per minute

speed-over-ground

float

0.1 knot resolution from 0 to 102 knots

true-heading

float

The true heading of the vessel. 0 to 359 degrees

true-heading-at-own-position

float

The true heading at own position of the vessel. 0 to 359 degrees

type-of-ship

text

Type of ship/cargo

ais-info

Automated Indicator Sharing (AIS) Information Source Markings.

ais-info is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

administrative-area

text

AIS Administrative Area represented using ISO-3166-2.

country

text

AIS Country represented using ISO-3166-1_alpha-2.

industry

text

AIS IndustryType. ['Chemical Sector', 'Commercial Facilities Sector', 'Communications Sector', 'Critical Manufacturing Sector', 'Dams Sector', 'Defense Industrial Base Sector', 'Emergency Services Sector', 'Energy Sector', 'Financial Services Sector', 'Food and Agriculture Sector', 'Government Facilities Sector', 'Healthcare and Public Health Sector', 'Information Technology Sector', 'Nuclear Reactors, Materials, and Waste Sector', 'Transportation Systems Sector', 'Water and Wastewater Systems Sector', 'Other']

organisation

text

AIS Organisation Name.

android-app

Indicators related to an Android app.

android-app is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

appid

text

Application ID

certificate

sha1

Android certificate

domain

domain

Domain used by the app

name

text

Generic name of the application

sha256

sha256

SHA256 of the APK.

android-permission

A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).

android-permission is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

comment

comment

Comment about the set of android permission(s)

permission

text

Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL']

annotation

An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.

annotation is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

attachment

attachment

An attachment to support the annotation

creation-date

datetime

Initial creation of the annotation

format

text

Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra']

modification-date

datetime

Last update of the annotation

ref

link

Reference(s) to the annotation

text

text

Raw text of the annotation

type

text

Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo', 'Full Report']

anonymisation

Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.

anonymisation is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

description

text

Description of the anonymisation technique or tool used

encryption-function

text

Encryption function or algorithm used to anonymise the attribute ['aes128', 'aes-128-cbc', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8', 'aes-128-ctr', 'aes-128-ecb', 'aes-128-ofb', 'aes192', 'aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8', 'aes-192-ctr', 'aes-192-ecb', 'aes-192-ofb', 'aes-256-cfb', 'aes-256-cfb1', 'aes-256-cfb8', 'aes-256-ctr', 'aes-256-ecb', 'aes-256-ofb', 'bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish', 'camellia128', 'camellia-128-cbc', 'camellia-128-cfb', 'camellia-128-cfb1', 'camellia-128-cfb8', 'camellia-128-ctr', 'camellia-128-ecb', 'camellia-128-ofb', 'camellia192', 'camellia-192-cbc', 'camellia-192-cfb', 'camellia-192-cfb1', 'camellia-192-cfb8', 'camellia-192-ctr', 'camellia-192-ecb', 'camellia-192-ofb', 'camellia256', 'camellia-256-cbc', 'camellia-256-cfb', 'camellia-256-cfb1', 'camellia-256-cfb8', 'camellia-256-ctr', 'camellia-256-ecb', 'camellia-256-ofb', 'cast', 'cast5-cbc', 'cast5-cfb', 'cast5-ecb', 'cast5-ofb', 'cast-cbc', 'des', 'des3', 'des-cbc', 'des-cfb', 'des-ecb', 'des-ede', 'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb', 'des-ofb', 'desx', 'gost89', 'gost89-cnt', 'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'rc2', 'rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc', 'rc2-cfb', 'rc2-ecb', 'rc2-ofb', 'rc4', 'rc4-40', 'rc4-64', 'rc5', 'rc5-cbc', 'rc5-cfb', 'rc5-ecb', 'rc5-ofb', 'seed', 'seed-cbc', 'seed-cfb', 'seed-ecb', 'seed-ofb', 'sm4', 'sm4-cbc', 'sm4-cfb', 'sm4-ctr', 'sm4-ecb', 'sm4-ofb']

iv

text

Initialisation vector for the encryption function used to anonymise the attribute

key

text

Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute

keyed-hash-function

text

Keyed-hash function used to anonymise the attribute ['hmac-sha1', 'hmac-md5', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512']

level-of-knowledge

text

Level of knowledge of the organisation who created this object ['Only the anonymised data is known', 'Deanonymised data is known']

method

text

Anonymisation (or pseudo-anonymisation) method(s) used ["hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", 'hash - A hash function maps each attribute to a new (not necessarily unique) attribute.', 'permutation - Maps each original value to a unique new value.', "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", 'shift - Adds a fixed offset to each value/attribute.', 'enumeration - Map each original value to a new value such that their ordering is preserved.', 'partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.', 'updated - Checksums are recalculated to reflect changes made to other fields.', 'truncation - Field is shortened, losing data at the end.', 'encryption - Attribute is encrypted.']

regexp

text

Regular expression to perfom the anonymisation (reversible or not)

apivoid-email-verification

Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.

apivoid-email-verification is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

china_free_email

boolean

True if email is a free China email, i.e 163.com.

comment

text

Field for comments or correlating text

dirty_words_domain

boolean

True if domain contains dirty/bad words.

dirty_words_username

boolean

True if username contains dirty/bad words.

disposable

boolean

True if email is disposable, i.e yopmail.com.

dmarc_configured

boolean

True if domain has DMARC records configured.

dmarc_enforced

boolean

True if domain is configured for DMARC and set to an enforcement policy.

domain

domain

Email domain.

domain_popular

boolean

True if domain is a known popular domain.

educational_domain

boolean

True if domain is an educational domain, i.e .edu

email

email

The email address that was queried.

free_email

boolean

True if email is a free email, i.e gmail.com.

government_domain

boolean

True if domain is a government domain, i.e .gov

has_a_records

boolean

True if domain has A records configured.

has_mx_records

boolean

True if domain has MX records configured.

has_spf_records

boolean

True if domain has SPF records configured.

is_spoofable

boolean

True if domain does not have SPF records or if ~all is not configured.

police_domain

boolean

True if domain is a police domain (such as polizei, police, etc).

risky_tld

boolean

True if domain TLD is risky, i.e .top or .pro.

role_address

boolean

True if email is a role address, i.e admin@website.com

russian_free_email

boolean

True if email is a free Russian email, i.e mail.ru.

score

float

A number between 0 (bad) and 100 (good).

should_block

boolean

True if the score is bad (⇐ 70) and thus it should be blocked.

suspicious_domain

boolean

True if domain is suspicious, i.e known spam or parked.

suspicious_email

boolean

True if email is considered suspicious.

suspicious_username

boolean

True if username is suspicious, i.e only numbers.

username

text

Username part of the email address (email prefix)

valid_format

boolean

True if email has a valid format.

valid_tld

boolean

True if domain TLD is valid, i.e .com or .co.uk

artifact

The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).

artifact is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

decryption_key

text

Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive.

encryption_algorithm

text

If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in.

md5

md5

[Insecure] MD5 hash (128 bits)

mime_type

mime-type

Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability.

payload_bin

attachment

Specifies the binary data contained in the artifact as a base64-encoded string.

sha1

sha1

[Insecure] Secure Hash Algorithm 1 (160 bits)

sha256

sha256

Secure Hash Algorithm 2 (256 bits)

sha3-256

sha3-256

Secure Hash Algorithm 3 (256 bits)

sha3-512

sha3-512

Secure Hash Algorithm 3 (512 bits)

sha512

sha512

Secure Hash Algorithm 2 (512 bits)

ssdeep

ssdeep

Fuzzy hash using context triggered piecewise hashes (CTPH)

tlsh

tlsh

Fuzzy hash by Trend Micro: Locality Sensitive Hash

url

url

The value of this property MUST be a valid URL that resolves to the unencoded content. When present, at least one hash value MUST be present too.

asn

Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.

asn is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

asn

AS

Autonomous System Number

country

text

Country code of the main location of the autonomous system

description

text

Description of the autonomous system

export

text

The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format

first-seen

datetime

First time the ASN was seen

import

text

The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format

last-seen

datetime

Last time the ASN was seen

mp-export

text

This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format

mp-import

text

The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. format

subnet-announced

ip-src

Subnet announced

attack-pattern

Attack pattern describing a common attack pattern enumeration and classification.

attack-pattern is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

id

text

CAPEC ID.

name

text

Name of the attack pattern.

prerequisites

text

Prerequisites for the attack pattern to succeed.

references

link

External references

related-weakness

weakness

Weakness related to the attack pattern.

solutions

text

Solutions for the attack pattern to be countered.

summary

text

Summary description of the attack pattern.

attack-step

An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.

attack-step is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

command-line

text

Command line used to execute attack step, if any.

description

text

Description of the attack step

detections

text

Detections by the victim’s monitoring capabilities.

dst-domain

domain

Domain destination of the attack step, if any.

dst-ip

ip-dst

IP destination of the attack step, if any.

dst-misc

text

Other type of destination of the attack step, if any. This can be e.g. localhost.

expected-response

text

Response or detection expected (in case of purple teaming)

key-step

boolean

Was this attack step object a key step within the context of the incident/event? ['True', 'False']

source-domain

domain

Domain source of the attack step, if any.

source-ip

ip-src

IP source of the attack step, if any.

source-misc

text

Other type of source of the attack step, if any. This can be e.g. rotating ip from cloud providers such as AWS, or localhost.

succesful

boolean

Was this attack step succesful? ['True', 'False']

authentication-failure-report

Authentication Failure Report.

authentication-failure-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

ip-dst

ip-dst

Destination IP.

ip-src

ip-src

IP address originating the authentication failure.

total

counter

the number of authentication failures reported.

type

text

the type of authentication failure. ['ssh']

username

text

the username used.

authenticode-signerinfo

Authenticode Signer Info.

authenticode-signerinfo is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

content-type

text

Content type

digest-base64

text

Signature created by the signing certificate’s private key

digest_algorithm

text

Algorithm used to hash the file.

encryption_algorithm

text

Algorithm used to encrypt the digest

issuer

text

Issuer of the certificate

program-name

text

Program name

serial-number

text

Serial number of the certificate

signature_algorithm

text

Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION']

text

text

Free text description of the signer info

url

url

Url

version

text

Version of the certificate

av-signature

Antivirus detection signature.

av-signature is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

datetime

datetime

Datetime

signature

text

Name of detection signature

software

text

Name of antivirus software

text

text

Free text value to attach to the file

availability-impact

Availability Impact object as described in STIX 2.1 Incident object extension.

availability-impact is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

availability_impact

text

The availability impact. ['Not Specified', 'None', 'Minimal', 'Significant', 'Denial', 'Loss of Control']

criticality

text

Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme']

description

text

Additional details about the impact.

end_time

datetime

The date and time the impact was last recorded.

end_time_fidelity

text

Level of fidelity that the end_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

recoverability

text

Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented']

start_time

datetime

The date and time the impact was first recorded.

start_time_fidelity

text

Level of fidelity that the start_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

bank-account

An object describing bank account information based on account description from goAML 4.0.

bank-account is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

aba-rtn

aba-rtn

ABA routing transit number

account

bank-account-nr

Account number

account-name

text

A field to freely describe the bank account details.

balance

text

The balance of the account after the suspicious transaction was processed.

beneficiary

text

Final beneficiary of the bank account.

beneficiary-comment

text

Comment about the final beneficiary.

branch

text

Branch code or name

client-number

text

Client number as seen by the bank.

closed

datetime

When the account was closed.

comments

text

Comments about the bank account.

currency-code

text

Currency of the account. ['USD', 'EUR']

date-balance

datetime

When the balance was reported.

iban

iban

IBAN of the bank account.

institution-code

text

Institution code of the bank.

institution-name

text

Name of the bank or financial organisation.

non-banking-institution

boolean

A flag to define if this account belong to a non-banking organisation. If set to true, it’s a non-banking organisation. ['True', 'False']

opened

datetime

When the account was opened.

personal-account-type

text

Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other']

report-code

text

Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic']

status-code

text

Account status at the time of the transaction processed. ['A - Active', 'B - Inactive', 'C - Dormant']

swift

bic

SWIFT or BIC as defined in ISO 9362.

text

text

A description of the bank account.

bgp-hijack

Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.

bgp-hijack is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

country

text

Country code of the main location of the attacking autonomous system

description

text

BGP Hijack details

detected-asn

AS

Detected Autonomous System Number

end

datetime

Last time the Prefix hijack was seen

expected-asn

AS

Expected Autonomous System Number

start

datetime

First time the Prefix hijack was seen

subnet-announced

ip-src

Subnet announced

bgp-ranking

BGP Ranking object describing the ranking of an ASN for a given day, along with its position, 1 being the most malicious ASN of the day, with the highest ranking. This object is meant to have a relationship with the corresponding ASN object and represents its ranking for a specific date.

bgp-ranking is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address-family

text

The IP address family concerned by the ranking. ['v4', 'v6']

date

datetime

Date fo the ranking.

position

float

Position of the ASN for a given day.

ranking

float

Ranking of the Autonomous System number.

blog

Blog post like Medium or WordPress.

blog is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

archive

link

Archive of the original document (Internet Archive, Archive.is, etc).

creation-date

datetime

Initial creation of the blog post.

embedded-link

url

Site linked by the blog post.

embedded-safe-link

link

Safe site linked by the blog post.

link

link

Original link into the blog post (Supposed harmless).

modification-date

datetime

Last update of the blog post.

post

text

Raw post.

removal-date

datetime

When the blog post was removed.

title

text

Title of blog post.

type

text

Type of blog post. ['Medium', 'WordPress', 'Blogger', 'Tumbler', 'LiveJournal', 'Forum', 'Other']

url

url

Original URL location of the blog post (potentially malicious).

username

text

Username who posted the blog post.

username-quoted

text

Username who are quoted into the blog post.

verified-username

text

Is the username account verified by the operator of the blog platform. ['Verified', 'Unverified', 'Unknown']

boleto

A common form of payment used in Brazil.

boleto is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

beneficiary

text

Final beneficiary of the boleto.

beneficiary-bank-account

bank-account-nr

Recipient bank account number

beneficiary-bank-agency

bank-account-nr

Recipient bank agency number

boleto-number

text

Boleto code numbers

creation-date

datetime

Date the boleto was created

febraban-code

text

Financial institution code in Brazil that created the boleto.

generator-financial-institution

text

Name of the bank or financial organisation that created the boleto.

payment-due-date

datetime

Boleto payment date

payment-status

text

Inform if boleto was as paid or not ['Not Paid', 'Paid']

payment-value

float

The payment boleto value in Brazilian Reais

requester

text

Organisation, service or affiliated person that requested creation of the boleto.

btc-transaction

An object to describe a Bitcoin transaction. Best to be used with bitcoin-wallet.

btc-transaction is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

btc-address

btc

A Bitcoin transactional address

time

datetime

Date and time of transaction

transaction-number

text

A Bitcoin transaction number in a sequence of transactions

value_BTC

float

Value in BTC at date/time displayed in field 'time'

value_EUR

float

Value in EUR with conversion rate as of date/time displayed in field 'time'

value_USD

float

Value in USD with conversion rate as of date/time displayed in field 'time'

btc-wallet

An object to describe a Bitcoin wallet. Best to be used with btc-transaction object.

btc-wallet is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

BTC_received

float

Value of received BTC

BTC_sent

float

Value of sent BTC

balance_BTC

float

Value in BTC at date/time displayed in field 'time'

time

datetime

Date and time of lookup/conversion

wallet-address

btc

A Bitcoin wallet address

c2-list

List of C2-servers with common ground, e.g. extracted from a blog post or ransomware analysis.

c2-list is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

c2-ip

ip-src

IP of C2 server with unknown port

c2-ipport

ip-src

port

IP:Port of C2 server

report-url

link

URL of source of information, e.g. blog post, ransomware analysis

threat

text

threat actor or malware

cap-alert

Common Alerting Protocol Version (CAP) alert object.

cap-alert is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

addresses

text

The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes.

code

text

The code denoting the special handling of the alert message.

identifier

text

The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender.

incident

text

The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes.

msgType

text

The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error']

note

text

The text describing the purpose or significance of the alert message.

references

text

The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace.

restriction

text

The text describing the rule for limiting distribution of the restricted alert message.

scope

text

The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private']

sender

text

The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name.

sent

datetime

The time and date of the origination of the alert message.

source

text

The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device.

status

text

The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft']

cap-info

Common Alerting Protocol Version (CAP) info object.

cap-info is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

audience

text

The text describing the intended audience of the alert message.

category

text

The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other']

certainty

text

The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown']

contact

text

The text describing the contact for follow-up and confirmation of the alert message.

description

text

The text describing the subject event of the alert message.

effective

datetime

The effective time of the information of the alert message.

event

text

The text denoting the type of the subject event of the alert message.

eventCode

text

A system-specific code identifying the event type of the alert message.

expires

datetime

The expiry time of the information of the alert message.

headline

text

The text headline of the alert message.

instruction

text

The text describing the recommended action to be taken by recipients of the alert message.

language

text

The code denoting the language of the info sub-element of the alert message.

onset

datetime

The expected time of the beginning of the subject event of the alert message.

parameter

text

A system-specific additional parameter associated with the alert message.

responseType

text

The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None']

senderName

text

The text naming the originator of the alert message.

severity

text

The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown']

urgency

text

The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown']

web

link

The identifier of the hyperlink associating additional information with the alert message.

cap-resource

Common Alerting Protocol Version (CAP) resource object.

cap-resource is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

derefUri

attachment

The base-64 encoded data content of the resource file.

digest

sha1

The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL).

mimeType

mime-type

The identifier of the MIME content type and sub-type describing the resource file.

resourceDesc

text

The text describing the type and content of the resource file.

size

text

The integer indicating the size of the resource file.

uri

link

The identifier of the hyperlink for the resource file.

cert-pl-phishing

cert.pl phishing object template representing an url along with some metadata as such phash, html-structure or partial-hash.

cert-pl-phishing is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

favicon-mmh3

text

Favicon of the phishing url in Murmurhash3 format (base64).

html-structure

text

HTML tags defining the structure of the HTML page.

phash-dct-base64

text

pHash (DCT hash) - as described in https://github.com/thorn-oss/perception.

truncated-hash-html-structure

text

Truncated hash value of the html-structure.

url

url

Full URL of the phishing object.

cloth

Describes clothes a natural person wears.

cloth is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

bottom-accessories

text

Cloth and accessories on the bottom part of the body ['trousers', 'skirt', 'underpants / panties', 'shorts', 'boxer shorts', 'body stocking', 'sock', 'shoe', 'boot', 'sandal', 'slipper', 'sneaker', 'hiking boot', 'high tops']

cloth-color

text

Cloth’s colors ['black', 'white', 'red', 'green', 'blue', 'cyan', 'orange', 'violet', 'pink', 'yellow', 'brown', 'grey']

cloth-picture

attachment

Cloth’s pictures

description

text

Cloth’s Description of a natural person

head-accessories

text

Cloth and accessories on the head ['hat', 'cap', 'bonnet', 'glasses', 'bandeau']

top-accessories

text

Cloth and accessories on the top part of the body ['jacket', 'coat', 'dress', 'shirt', 'top', 'pullover', 'sweatshirt', 'suit', 'tie', 'bow tie', "lady’s suit", 'waistcoat', 'cardigan', 'undershirt', 't-shirt', 'bra', 'scarf', 'glove']

coin-address

An address used in a cryptocurrency.

coin-address is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

btc

Bitcoin address used as a payment destination in a cryptocurrency

address-crypto

text

Generic cryptocurrency address if the format is not a standard BTC or XMR address

address-xmr

xmr

Monero address used as a payment destination in a cryptocurrency

current-balance

float

Current balance of address

first-seen

datetime

First time this payment destination address has been seen

last-seen

datetime

Last time this payment destination address has been seen

last-updated

datetime

Last time the balances and totals have been updated

symbol

text

The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN']

text

text

Free text value

total-received

float

Total balance received

total-sent

float

Total balance sent

total-transactions

text

Total transactions performed

command

Command functionalities related to specific commands executed by a program, whether it is malicious or not. Command-line are attached to this object for the related commands.

command is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

description

text

Description of the command functionalities

location

text

Location of the command functionality ['Bundled', 'Module', 'Libraries', 'Unknown']

trigger

text

How the commands are triggered ['Local', 'Network', 'Unknown']

command-line

Command line and options related to a specific command executed by a program, whether it is malicious or not.

command-line is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

command_line

text

command code line

description

text

description of the command

software

text

type of shell (bash/sh,powershell,cmd.exe) ['Shell', 'Bash', 'zsh', 'Powershell', 'cmd.exe']

concordia-mtmf-intrusion-set

Intrusion Set - Phase Description.

concordia-mtmf-intrusion-set is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

AttackName

text

Name of the Attack

CMTMF_ATCKID

integer

Identifier of the Attack

FeedbackLoop

integer

Feedback Loop Sequence

PhName

text

Name of the Phase (Tactic)

PhSequence

integer

Phase Sequence

description

text

Description of the phase

confidentiality-impact

Confidentiality Impact object as described in STIX 2.1 Incident object extension.

confidentiality-impact is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

criticality

text

Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme']

description

text

Additional details about the impact.

end_time

datetime

The date and time the impact was last recorded.

end_time_fidelity

text

Level of fidelity that the end_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

information_type

text

Type of information that had its confidentiality compromised. ['classified-material', 'communication', 'credentials-admin', 'credentials-user', 'financial', 'leval', 'payment', 'phi', 'pii', 'proprietary']

loss_type

text

The type of loss that occurred to the relevant information. ['confirmed-loss', 'contained', 'exploited-loss', 'none', 'suspected-loss']

record_count

counter

The number of records of this type that were compromised.

record_size

size-in-bytes

The amount of data that was compromised in bytes.

recoverability

text

Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented']

start_time

datetime

The date and time the impact was first recorded.

start_time_fidelity

text

Level of fidelity that the start_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.

cookie is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

cookie

cookie

Full cookie

cookie-name

text

Name of the cookie (if splitted)

cookie-value

text

Value of the cookie (if splitted)

expires

datetime

Expiration date/time of the cookie

http-only

boolean

True if send only through HTTP ['True', 'False']

path

text

Path defined in the cookie

secure

boolean

True if cookie is sent over TLS ['True', 'False']

text

text

A description of the cookie.

type

text

Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing']

cortex

Cortex object describing a complete Cortex analysis. Observables would be attribute with a relationship from this object.

cortex is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

full

text

Cortex report object (full report) in JSON

name

text

Cortex analyser/worker name

server-name

text

Name of the cortex server

start-date

datetime

When the Cortex analyser was started

success

boolean

Result of the cortex job ['True', 'False']

summary

text

Cortex summary object (summary) in JSON

cortex-taxonomy

Cortex object describing a Cortex Taxonomy (or mini report).

cortex-taxonomy is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

cortex_url

link

URL to the Cortex job

level

text

Cortex Taxonomy Level ['info', 'safe', 'suspicious', 'malicious']

namespace

text

Cortex Taxonomy Namespace

predicate

text

Cortex Taxonomy Predicate

value

text

Cortex Taxonomy Value

course-of-action

An object describing a specific measure taken to prevent or respond to an attack.

course-of-action is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

cost

text

The estimated cost of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']

description

text

A description of the course of action.

efficacy

text

The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']

impact

text

The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown']

name

text

The name used to identify the course of action.

objective

text

The objective of the course of action.

stage

text

The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response', 'Further Analysis Required']

type

text

The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other']

covid19-csse-daily-report

CSSE COVID-19 Daily report.

covid19-csse-daily-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

active

counter

the number of active cases.

confirmed

counter

the number of confirmed cases. For Hubei Province: from Feb 13 (GMT +8), we report both clinically diagnosed and lab-confirmed cases. For lab-confirmed cases only (Before Feb 17), please refer to https://github.com/CSSEGISandData/COVID-19/tree/master/who_covid_19_situation_reports.

country-region

text

country/region name conforming to WHO (will be updated).

county

integer

US County (US Only)

death

counter

the number of deaths.

fips

integer

Federal Information Processing Standard county code (US Only)

latitude

float

Approximate latitude of the entry

longitude

float

Approximate longitude of the entry

province-state

text

province name; US/Canada/Australia/ - city name, state/province name; Others - name of the event (e.g., "Diamond Princess" cruise ship); other countries - blank.

recovered

counter

the number of recovered cases.

update

datetime

Time of the last update that day (UTC)

covid19-dxy-live-city

COVID 19 from dxy.cn - Aggregation by city.

covid19-dxy-live-city is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

city

text

Name of the Chinese city, in Chinese.

current-confirmed

counter

Current number of confirmed cases

total-confirmed

counter

Total number of confirmed cases.

total-cured

counter

Total number of cured cases.

total-death

counter

Total number of deaths.

update

datetime

Approximate time of the update (~hour)

covid19-dxy-live-province

COVID 19 from dxy.cn - Aggregation by province.

covid19-dxy-live-province is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

comment

text

Comment, in chinese

current-confirmed

counter

Current number of confirmed cases

province

text

Name of the Chinese province, in Chinese.

total-confirmed

counter

Total number of confirmed cases.

total-cured

counter

Total number of cured cases.

total-death

counter

Total number of deaths.

update

datetime

Approximate time of the update (~hour)

cowrie

Cowrie honeypot object template.

cowrie is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

compCS

text

SSH compression algorithm supported in the session

dst_ip

ip-dst

Destination IP address of the session

dst_port

port

Destination port of the session

encCS

text

SSH symmetric encryption algorithm supported in the session

eventid

text

Eventid of the session in the cowrie honeypot

hassh

hassh-md5

HASSH of the client SSH session following Salesforce algorithm

input

text

Input of the session

isError

text

isError

keyAlgs

text

SSH public-key algorithm supported in the session

macCS

text

SSH MAC supported in the sesssion

message

text

Message of the cowrie honeypot

password

text

Password

protocol

text

Protocol used in the cowrie honeypot

sensor

text

Cowrie sensor name

session

text

Session id

src_ip

ip-src

Source IP address of the session

src_port

port

Source port of the session

system

text

System origin in cowrie honeypot

timestamp

datetime

When the event happened

username

text

Username related to the password(s)

cpe-asset

An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.

cpe-asset is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

cpe

cpe

CPE—the well-formed CPE name(WFN). WFNs can be used to describe a set of products or to identify an individual product.

description

text

Complementary description of the asset

edition

text

The edition attribute is considered deprecated in this specification, and it SHOULD be assigned the logical value ANY except where required for backward compatibility with version 2.2 of the CPE specification.This attribute is referred to as the “legacyedition”attribute.If this attribute is used,values for this attribute SHOULD capture edition-related terms applied by the vendor to the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute.

language

text

Values for thisattribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described.Although any valid language tag MAY be used, only tags containing language and region codesSHOULD be used.

other

text

Values for this attribute SHOULD capture any other general descriptive or identifying information which is vendor-or product-specific and which does not logically fit in any other attribute value. Values SHOULD NOT be used for storing instance-specific data (e.g., globally-unique identifiers or Internet Protocol addresses).Values for this attribute SHOULD be selected from a valid-values list that is refined over time; this list MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the attribute.

part

text

Part - application, operating systems or hardware devices ['a', 'o', 'h']

product

text

Values for this attribute SHOULD describe or identify the most common and recognizable title or name of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAY be specified as the value of the attribute.

sw_edition

text

Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute.

target_hw

text

Values for this attribute SHOULD characterize the instruction set architecture (e.g., x86) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute.

target_sw

text

Values for this attribute SHOULDi characterize the software computing environment within which the product operates.Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute.

update

text

Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product.Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the attribute.

vendor

text

Values for this attribute SHOULD describe or identify the person or organization that manufactured or created the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute

version

text

Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular release version of the product.Version information SHOULD be copied directly (with escaping of printable non-alphanumeric characters as required) from discoverable data and SHOULD NOTbe truncated or otherwise modified. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the attribute.

credential

Credential describes one or more credential(s) including password(s), api key(s) or decryption key(s).

credential is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

format

text

Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown']

notification

text

Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none']

origin

text

Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown']

password

text

Password

text

text

A description of the credential(s)

type

text

Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown']

username

text

Username related to the password(s)

credit-card

A payment card like credit card, debit card or any similar cards which can be used for financial transactions.

credit-card is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

bank_name

text

Name of the bank which have issued the card

card-security-code

text

Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card.

cc-number

cc-number

credit-card number as encoded on the card.

comment

comment

A description of the card.

expiration

datetime

Maximum date of validity

iin

text

International Issuer Number (First eight digits of the credit card number

issued

datetime

Initial date of validity or issued date.

name

text

Name of the card owner.

version

text

Version of the card.

crowdsec-ip-context

CrowdSec Threat Intelligence - IP CTI search.

crowdsec-ip-context is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

as-name

text

Autonomous system name

as-num

AS

Autonomous system number

attack-details

text

Triggered scenarios

background-noise

float

Background noise

behaviors

text

Attack categories

city

text

City of origin

classifications

text

Classification category of the IP address

country

text

Country of origin

country-code

text

Country Code

dst-port

port

Destination port

false-positives

text

False positive category of the IP address

ip

ip-src

IP Address

ip-range

ip-src

destination IP address

ip-range-score

float

destination IP address

latitude

float

Latitude of origin

longitude

float

Longitude of origin

reverse-dns

hostname

Reverse DNS name

scores

text

Scores

target-countries

text

Target countries (top 10)

trust

float

Trust level

crowdstrike-report

An Object Template to encode an Crowdstrike detection report.

crowdstrike-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

command

text

Commandline triggering the detection

file-hash

sha256

Unique file hash

filename

filename

Filename on disk

fullpath

text

Complete path of the filename including the filename

ip

ip-src

Source IP address

parent-command

text

Commandline of the parent process

process-name

text

Name of the process trigerring the detection

crypto-material

Cryptographic materials such as public or/and private keys.

crypto-material is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

Gx

text

Curve Parameter - Gx in decimal

Gy

text

Curve Parameter - Gy in decimal

b

text

Curve Parameter - B in decimal

curve-length

text

Length of the Curve in bits

e

text

RSA public exponent

ecdsa-type

text

Curve type of the ECDSA cryptographic materials ['Anomalous', 'M-221', 'E-222', 'NIST P-224', 'Curve1174', 'Curve25519', 'BN(2,254)', 'brainpoolP256t1', 'ANSSI FRP256v1', 'NIST P-256', 'secp256k1', 'E-382', 'M-383', 'Curve383187', 'brainpoolP384t1', 'NIST P-384', 'Curve41417', 'Ed448-Goldilocks', 'M-511', 'E-521']

g

text

Curve Parameter - G in decimal

generic-symmetric-key

text

Generic symmetric key (please precise the type)

modulus

text

Modulus Parameter - in hexadecimal - no 0x, no :

n

text

Curve Parameter - N in decimal

origin

text

Origin of the cryptographic materials ['mathematical-attack', 'exhaustive-search', 'bruteforce-attack', 'malware-extraction', 'memory-interception', 'network-interception', 'leak', 'unknown']

p

text

Prime Parameter - P in decimal

private

text

Private part of the cryptographic materials in PEM format

public

text

Public part of the cryptographic materials in PEM format

q

text

Prime Parameter - Q in decimal

rsa-modulus-size

text

RSA modulus size in bits

text

text

A description of the cryptographic materials.

type

text

Type of crytographic materials ['RSA', 'DSA', 'ECDSA', 'RC4', 'XOR', 'unknown']

x

text

Curve Parameter - X in decimal

y

text

Curve Parameter - Y in decimal

cryptocurrency-transaction

An object to describe a cryptocurrency transaction.

cryptocurrency-transaction is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

btc

A cryptocurrency transactional address

symbol

text

The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN']

time

datetime

Date and time of transaction

transaction-number

text

A transaction number in a sequence of transactions

value

float

Value in cryptocurrency at date/time displayed in field 'time'

value_EUR

float

Value in EUR with conversion rate as of date/time displayed in field 'time'

value_USD

float

Value in USD with conversion rate as of date/time displayed in field 'time'

cs-beacon-config

Cobalt Strike Beacon Config.

cs-beacon-config is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

architecture

text

Hardware architecture of the sample

asn

AS

Originating ASN for the CS Beacon Config

beacon-host

ip-dst

Beacon host IP

beacon-type

text

Beacon type used

binary-md5

md5

MD5 of the binary delivered

binary-sha1

sha1

SHA1 of the binary delivered

binary-sha256

sha256

SHA256 of the binary delivered

c2

url

The C2 sample communicates with

city

text

City location of the CS Beacon Config in question

config-md5

md5

MD5 of the configuration

config-sha1

sha1

SHA1 of the configuration

config-sha256

sha256

SHA256 of the configuration

content-length

size-in-bytes

Content length of the payload

content-type

text

Content/type received

encoded-data

attachment

Encoded payload data in Base64 as file attachment

encoded-length

size-in-bytes

Length of the encoded data

geo

text

Country location of the CS Beacon Config

http

text

HTTP protocol used

http-code

integer

HTTP return code

http-url

text

HTTP url path of the beacon

ip

ip-dst

IP of the C2

jar-md5

md5

MD5 of adversary cobaltstrike.jar file

license-id

text

License ID of the Colbalt Strike

md5

md5

MD5 of sample containing the Cobalt Strike shellcode

naics

text

North American Industry Classification System Code (NAICS)

sector

text

Sector of for the CS Beacon Config in question

sha1

sha1

SHA1 of sample containing the Cobalt Strike shellcode

sha256

sha256

SHA256 of sample containing the Cobalt Strike shellcode

vt-sha256

sha256

SHA256 of sample uploaded to VirusTotal

watermark

text

The watermark of sample

cytomic-orion-file

Cytomic Orion File Detection.

cytomic-orion-file is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

classification

text

File classification - number

classificationName

text

File classification

fileName

filename

Original filename

fileSize

size-in-bytes

Size of the file

first-seen

datetime

First seen timestamp of the file

last-seen

datetime

Last seen timestamp of the file

cytomic-orion-machine

Cytomic Orion File at Machine Detection.

cytomic-orion-machine is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

clientCreationDateUTC

datetime

Client creation date UTC

clientId

text

Client id

clientName

target-org

Client name

creationDate

datetime

Client creation date

first-seen

datetime

First seen on machine

last-seen

datetime

Last seen on machine

lastSeenUtc

datetime

Client last seen UTC

machineMuid

text

Machine UID

machineName

target-machine

Machine name

machinePath

text

Path of observable

dark-pattern-item

An Item whose User Interface implements a dark pattern.

dark-pattern-item is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

comment

text

textual comment about the item

gain

text

What is the implementer is gaining by deceiving the user ['registration', 'personal data', 'money', 'contacts', 'audience']

implementer

text

Who is the vendor / holder of the item

location

text

Location where to find the item

screenshot

attachment

A screencapture or a screengrab of the item at work

time

datetime

Date and time when first-seen

user

text

who are the user of the item

ddos

DDoS object describes a current DDoS activity from a specific or/and to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.

ddos is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

backscatter-threshold

integer

The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter.

capture-origin

text

Origin of the (D)DoS evidences ['Direct network capture', 'Logs', 'Indirect network capture (e.g. backscatter)', 'Unknown']

domain-dst

domain

Destination domain (victim)

dst-port

port

Destination port of the attack

first-seen

datetime

Beginning of the attack

ip-dst

ip-dst

Destination IP (victim)

ip-src

ip-src

IP address originating the attack

last-seen

datetime

End of the attack

protocol

text

Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP']

src-port

port

Port originating the attack

text

text

Description of the DDoS

total-bps

integer

Bits per second (maximum rate of bits per second measured)

total-bytes-sent

size-in-bytes

Total number of bytes sent by the sources mentioned

total-packets-sent

counter

Total number of packets sent by the source mentioned

total-pps

integer

Packets per second (maximum rate of packets per second measured)

type

text

Type(s) or Technique(s) of Denial of Service ['amplification-attack', 'reflected-spoofed-attack', 'slow-read-attack', 'flooding-attack', 'post-attack', 'chargen-amplification', 'dns', 'dns-amplification', 'ip-fragmentation', 'ip-private', 'icmp', 'memcached-amplification', 'ms-sql-rs-amplification', 'ntp-amplification', 'snmp-amplification', 'ssdp-amplification', 'tcp-null', 'tcp-rst', 'tcp-syn', 'udp']

ddos-claim

DDoS-claim object describes a current claim of DDoS activity.

ddos-claim is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

claim-validity

text

Validity of the claim. Valid means, a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities. ['Unknown', 'Valid', 'Invalid']

proof

text

The claim in text format.

proof-screenshot

attachment

Screenshot of the claim.

reference

link

Reference to the DDoS claim.

target

text

Target of the DDoS claim.

ddos-config

DDoS-claim object describes a current claim of DDoS activity.

ddos-config is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

body

text

Payload used for the DDos

ddos-tool

text

headers

text

Headers used in the DDoS requests

host

hostname

Hostname used as target of the DDoS attack

ip

ip-dst

IP address used as target of the DDoS attack

method

text

Method of DDoS attack used ['ack', 'GET', 'method', 'PING', 'POST', 'syn', 'SYN', 'syn_ack', 'udp_flood']

path

text

URL path used for the DDoS attack (excluded hostname)

port

port

Port used for attack (when the type and method requires it)

request-id

text

request id

target-id

text

target id

type

text

Type of network protocol used for the DDoS attack ['http', 'http2', 'http3', 'nginx_loris', 'tcp', 'type', 'udp']

use-ssl

text

TLS/SSL used for the attack ['true', 'false']

device

An object to define a device.

device is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

MAC-address

mac-address

Device MAC address

OS

text

OS of the device

alias

text

Alias of the Device

analysis-date

datetime

Date of device analysis

attachment

attachment

An attachment

description

text

Description of the Device

device-type

text

Type of the device ['PC', 'Mobile', 'Laptop', 'HID', 'TV', 'IoT', 'Hardware', 'Other']

dns-name

text

Device DNS Name

hits

counter

Number of hits for the device

infection_type

text

Type of infection if the device is in Infected status ['android_spams', 'android.bakdoor.prizmes', 'android.bankbot', 'android.banker.anubis', 'android.bankspy', 'android.cliaid', 'android.darksilent', 'android.fakeav', 'android.fakebank', 'android.fakedoc', 'android.fakeinst', 'android.fakemart', 'android.faketoken', 'android.fobus', 'android.fungram', 'android.geost', 'android.gopl', 'android.hiddad', 'android.hqwar', 'android.hummer', 'android.infosteal', 'android.iop', 'android.lockdroid', 'android.milipnot', 'android.nitmo', 'android.opfake', 'android.premiumtext', 'android.provar', 'android.pwstealer', 'android.rootnik', 'android.skyfin', 'android.smsbot', 'android.smssilence', 'android.smsspy', 'android.smsspy.be24', 'android.sssaaa', 'android.teleplus', 'android.uupay', 'android.voxv', 'avalanche-andromeda', 'banatrix', 'bankpatch', 'bebloh', 'bedep', 'betabot', 'bitcoinminer', 'blackbeard', 'blakamba', 'boinberg', 'buhtrap', 'caphaw', 'carberp', 'chafer', 'changeup', 'chinad', 'citadel', 'cobint', 'coinminer', 'conficker', 'cryptowall', 'cutwail', 'cycbot', 'diaminer', 'dimnie', 'dipverdle', 'dircrypt', 'dirtjumper', 'disorderstatus', 'dmsniff', 'dofoil', 'domreg', 'dorkbot', 'dorkbot-ssl', 'dresscode', 'dybalom', 'ek.fallout', 'emoted', 'emotet', 'esfury', 'expiro', 'exploitkit.fallout', 'extenbro', 'fake_cs_updater', 'fakerean', 'fallout.exploitkit', 'fast-flux', 'fast-flux-double', 'fast-flux;fast-flux-double', 'fleercivet', 'fobber', 'foxbantrix', 'foxbantrix-unknown', 'generic.malware', 'geodo', 'gonderici', 'gootkit', 'gozi', 'gspy', 'gtfobot', 'hancitor', 'harnig', 'htm5player.vast', 'ibanking', 'icedid', 'infected', 'iotreaper', 'ip-spoofer', 'ircbot', 'isfb', 'jadtre', 'jdk-update-apt', 'js.worm.bondat', 'junk-domains', 'kasidet', 'kbot', 'kelihos', 'kelihos.e', 'keylogger', 'keylogger-ftp', 'keylogger-vbklip', 'kidminer', 'kingminer', 'koobface', 'kraken', 'kronos', 'kwampirs', 'lethic', 'linux.backdoor.setag', 'linux.ngioweb', 'litemanager', 'loader', 'locky', 'loki', 'lokibot', 'luminositylink', 'lurkbanker', 'madominer', 'magecart', 'maliciouswebsites', 'malvertising.doubleclick', 'malwaretom', 'marcher', 'matrix', 'matsnu', 'menupass', 'mewsspy', 'miner.monero', 'minr', 'mirai', 'mix2', 'mkero', 'monero', 'mozi', 'muddywater', 'murofet', 'mysafeproxymonitor', 'nametrick', 'necurs', 'netsupport', 'nettraveler', 'neurevt', 'nitol', 'nivdort', 'nukebot', 'null', 'nymaim', 'nymain', 'osx.fakeflash', 'palevo', 'pawnstorm', 'phishing', 'phishing.cobalt', 'phishing.cobalt_dickens', 'phorpiex', 'pitou', 'plasma-tomas', 'ponmocup', 'pony', 'poseidon', 'powerstats', 'proxyback', 'pushdo', 'pws.pony', 'pykspa', 'qadars', 'qakbot', 'qqblack', 'qrypter.rat', 'qsnatch', 'racoon', 'ramdo', 'ramnit', 'ranbyus', 'ransom.cerber', 'ransomware', 'ransomware.shade', 'rat.vermin', 'renocide', 'revil', 'rodecap', 'sality', 'sality-p2p', 'servhelper', 'sgminer', 'shifu', 'shiz', 'sinowal', 'sisron', 'sodinokibi', 'spam', 'sphinx', 'spyeye', 'ssh-brute-force', 'ssl', 'ssl-az7', 'ssl-unknown-bot-test', 'ssl-vmzeus', 'stantinko', 'tdss', 'teleru', 'telnet-brute-force', 'tinba', 'tinba-dga', 'trickbot', 'triton', 'trojan.click3', 'trojan.fakeav', 'trojan.includer', 'trojan.win32.razy.gen', 'unknown', 'unknown-bot-test', 'valak', 'vawtrak', 'vbklip', 'verst', 'victorygate.a', 'victorygate.b', 'victorygate.c', 'virut', 'vmzeus', 'vobfus', 'volatile_cedar', 'vpnfilter_stage3', 'wannacrypt', 'wauchos', 'webminer.cdn', 'win.neurevt', 'worm.kasidet', 'worm.phorpiex', 'wowlik', 'wrokni', 'xbash', 'xmrminer', 'xpaj', 'xshellghost', 'yoddos', 'zeus', 'zeus_gameover', 'zeus_panda', 'zloader']

ip-address

ip-src

Device IP address

name

text

Name of the Device

status

text

Status of the device ['Infected', 'Exposed', 'Unknown', 'Clean']

version

text

Version of the device/ OS

diameter-attack

Attack as seen on the diameter signaling protocol supporting LTE networks.

diameter-attack is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

ApplicationId

text

Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation.

CmdCode

text

A decimal representation of the diameter Command Code.

Destination-Host

text

Destination-Host.

Destination-Realm

text

Destination-Realm.

IdrFlags

text

IDR-Flags.

Origin-Host

text

Origin-Host.

Origin-Realm

text

Origin-Realm.

SessionId

text

Session-ID.

Username

text

Username (in this case, usually the IMSI).

category

text

Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS']

first-seen

datetime

When the attack has been seen for the first time.

text

text

A description of the attack seen.

diamond-event

A diamond model event object consisting of the four diamond features advesary, infrastructure, capability and victim, several meta-features and ioc attributes.

diamond-event is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

Advesary

text

The advesary who attacks the victim

Capability

text

The capability used to attack the victim

Description

text

Further context to the event

Direction

text

The network-based direction of the event ['Victim-to-Infrastructure', 'Infrastructure-to-Victim', 'Infrastructure-to-Infrastructure', 'Adversary-to-Infrastructure', 'Infrastructure-to-Adversary', 'Bidirectional', 'Unknown']

EventID

integer

Id of the event

Infrastructure

text

The infrastructure used in the attack

Methodology

text

Mitre-Attack mapping of the event

Phase

text

The event mapped to a phase of the killchain ['Reconnaissance', 'Weaponization', 'Delivery', 'Exploitation', 'Installation', 'C2', 'Action on Objectives']

Resources

text

The resources the attacker needed for the event to succeed

Result

text

The result of the event

Timestamp

datetime

Timestamp when the event happened

Victim

text

The attacked victim

ioc

text

Generic IOC

textfield

text

Generic textfield

directory

Directory object describing a directory with meta-information.

directory is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

access-time

datetime

The last time the directory was accessed

creation-time

datetime

Creation time of the directory

modification-time

datetime

Modification time of the directory

path

text

Path of the directory, complete or partial

path-encoding

text

Encoding format of the directory ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding', 'Amiga-1251', 'ANSI_X3.110-1983', 'ASMO_449', 'Big5', 'Big5-HKSCS', 'BOCU-1', 'BRF', 'BS_4730', 'BS_viewdata', 'CESU-8', 'CP50220', 'CP51932', 'CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2', 'CSA_Z243.4-1985-gr', 'CSN_369103', 'DEC-MCS', 'DIN_66003', 'dk-us', 'DS_2089', 'EBCDIC-AT-DE', 'EBCDIC-AT-DE-A', 'EBCDIC-CA-FR', 'EBCDIC-DK-NO', 'EBCDIC-DK-NO-A', 'EBCDIC-ES', 'EBCDIC-ES-A', 'EBCDIC-ES-S', 'EBCDIC-FI-SE', 'EBCDIC-FI-SE-A', 'EBCDIC-FR', 'EBCDIC-IT', 'EBCDIC-PT', 'EBCDIC-UK', 'EBCDIC-US', 'ECMA-cyrillic', 'ES', 'ES2', 'EUC-KR', 'Extended_UNIX_Code_Fixed_Width_for_Japanese', 'Extended_UNIX_Code_Packed_Format_for_Japanese', 'GB18030', 'GB_1988-80', 'GB2312', 'GB_2312-80', 'GBK', 'GOST_19768-74', 'greek7', 'greek7-old', 'greek-ccitt', 'HP-DeskTop', 'HP-Legal', 'HP-Math8', 'HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858', 'IBM00924', 'IBM01140', 'IBM01141', 'IBM01142', 'IBM01143', 'IBM01144', 'IBM01145', 'IBM01146', 'IBM01147', 'IBM01148', 'IBM01149', 'IBM037', 'IBM038', 'IBM1026', 'IBM1047', 'IBM273', 'IBM274', 'IBM275', 'IBM277', 'IBM278', 'IBM280', 'IBM281', 'IBM284', 'IBM285', 'IBM290', 'IBM297', 'IBM420', 'IBM423', 'IBM424', 'IBM437', 'IBM500', 'IBM775', 'IBM850', 'IBM851', 'IBM852', 'IBM855', 'IBM857', 'IBM860', 'IBM861', 'IBM862', 'IBM863', 'IBM864', 'IBM865', 'IBM866', 'IBM868', 'IBM869', 'IBM870', 'IBM871', 'IBM880', 'IBM891', 'IBM903', 'IBM904', 'IBM905', 'IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1', 'INIS', 'INIS-8', 'INIS-cyrillic', 'INVARIANT', 'ISO_10367-box', 'ISO-10646-J-1', 'ISO-10646-UCS-2', 'ISO-10646-UCS-4', 'ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1', 'ISO-10646-UTF-1', 'ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT', 'ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR', 'ISO_2033-1983', 'ISO_5427', 'ISO_5427:1981', 'ISO_5428:1980', 'ISO_646.basic:1983', 'ISO_646.irv:1983', 'ISO_6937-2-25', 'ISO_6937-2-add', 'ISO-8859-10', 'ISO_8859-1:1987', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1', 'ISO_8859-2:1987', 'ISO-8859-2-Windows-Latin-2', 'ISO_8859-3:1988', 'ISO_8859-4:1988', 'ISO_8859-5:1988', 'ISO_8859-6:1987', 'ISO_8859-6-E', 'ISO_8859-6-I', 'ISO_8859-7:1987', 'ISO_8859-8:1988', 'ISO_8859-8-E', 'ISO_8859-8-I', 'ISO_8859-9:1989', 'ISO-8859-9-Windows-Latin-5', 'ISO_8859-supp', 'iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT', 'JIS_C6220-1969-jp', 'JIS_C6220-1969-ro', 'JIS_C6226-1978', 'JIS_C6226-1983', 'JIS_C6229-1984-a', 'JIS_C6229-1984-b', 'JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand', 'JIS_C6229-1984-hand-add', 'JIS_C6229-1984-kana', 'JIS_Encoding', 'JIS_X0201', 'JIS_X0212-1990', 'JUS_I.B1.002', 'JUS_I.B1.003-mac', 'JUS_I.B1.003-serb', 'KOI7-switched', 'KOI8-R', 'KOI8-U', 'KS_C_5601-1987', 'KSC5636', 'KZ-1048', 'latin-greek', 'Latin-greek-1', 'latin-lap', 'macintosh', 'Microsoft-Publishing', 'MNEM', 'MNEMONIC', 'MSZ_7795.3', 'Name', 'NATS-DANO', 'NATS-DANO-ADD', 'NATS-SEFI', 'NATS-SEFI-ADD', 'NC_NC00-10:81', 'NF_Z_62-010', 'NF_Z_62-010_(1973)', 'NS_4551-1', 'NS_4551-2', 'OSD_EBCDIC_DF03_IRV', 'OSD_EBCDIC_DF04_1', 'OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT', 'PT2', 'PTCP154', 'SCSU', 'SEN_850200_B', 'SEN_850200_C', 'Shift_JIS', 'T.101-G2', 'T.61-7bit', 'T.61-8bit', 'TIS-620', 'TSCII', 'UNICODE-1-1', 'UNICODE-1-1-UTF-7', 'UNKNOWN-8BIT', 'US-ASCII', 'us-dk', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UTF-7', 'UTF-8', 'Ventura-International', 'Ventura-Math', 'Ventura-US', 'videotex-suppl', 'VIQR', 'VISCII', 'windows-1250', 'windows-1251', 'windows-1252', 'windows-1253', 'windows-1254', 'windows-1255', 'windows-1256', 'windows-1257', 'windows-1258', 'Windows-31J', 'windows-874']

dkim

DomainKeys Identified Mail - DKIM.

dkim is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

d

domain

DKIM domain used for the selector record

dkim

dkim

DomainKeys Identified Mail - DKIM full DNS TXT record

h

text

DKIM hash type ['sha1', 'md5']

k

text

DKIM key type ['rsa']

n

text

DKIM administrator note

public-key

text

DKIM public key

s

text

DKIM service record

t

text

DKIM domain testing ['y', 's']

version

text

DKIM version ['DKIM1']

dns-record

A set of DNS records observed for a specific domain.

dns-record is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

a-record

ip-dst

IPv4 address associated with A record

aaaa-record

ip-dst

IPv6 address associated with AAAA record

cname-record

domain

Domain associated with CNAME record

mx-record

domain

Domain associated with MX record

ns-record

domain

Domain associated with NS record

ptr-record

domain

Domain associated with PTR record

queried-domain

domain

Domain name

soa-record

domain

Domain associated with SOA record

spf-record

ip-dst

IP addresses associated with SPF record

srv-record

domain

Domain associated with SRV record

text

text

A description of the records

txt-record

text

Content associated with TXT record

domain-crawled

A domain crawled over time.

domain-crawled is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

domain

domain

Domain name

text

text

A description of the tuple

url

url

domain url

domain-ip

A domain/hostname and IP address seen as a tuple in a specific time frame.

domain-ip is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

domain

domain

Domain name

first-seen

datetime

First time the tuple has been seen

hostname

hostname

Hostname related to the IP

ip

ip-dst

IP Address

last-seen

datetime

Last time the tuple has been seen

port

port

Associated TCP port with the domain

registration-date

datetime

Registration date of domain

text

text

A description of the tuple

edr-report

An Object Template to encode an EDR detection report.

edr-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

additional-file

attachment

Additional file involved in detection

command

attachment

JSON file containing the output of a command ran at report generation

comment

text

Any valuable comment about the report

drivers

attachment

JSON file containing metadata about drivers loaded on the system

endpoint-id

text

Unique identifier of the endpoint concerned by the report

event

attachment

Raw EDR event which triggered reporting

executable

attachment

Executable file involved in detection

hostname

text

Endpoint hostname

id

text

Report unique identifier

ip

ip-src

Endpoint IP address

modules

attachment

JSON file containing metadata about modules loaded on the system

processes

attachment

JSON file containing metadata about running processes at the time of detection

product

text

EDR product name

elf

Object describing a Executable and Linkable Format.

elf is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

arch

text

Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU']

entrypoint-address

text

Address of the entry point

number-sections

counter

Number of sections

os_abi

text

Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64']

text

text

Free text value to attach to the ELF

type

text

Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE']

elf-section

Object describing a section of an Executable and Linkable Format.

elf-section is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

entropy

float

Entropy of the whole section

flag

text

Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION']

md5

md5

[Insecure] MD5 hash (128 bits)

name

text

Name of the section

sha1

sha1

[Insecure] Secure Hash Algorithm 1 (160 bits)

sha224

sha224

Secure Hash Algorithm 2 (224 bits)

sha256

sha256

Secure Hash Algorithm 2 (256 bits)

sha384

sha384

Secure Hash Algorithm 2 (384 bits)

sha512

sha512

Secure Hash Algorithm 2 (512 bits)

sha512/224

sha512/224

Secure Hash Algorithm 2 (224 bits)

sha512/256

sha512/256

Secure Hash Algorithm 2 (256 bits)

size-in-bytes

size-in-bytes

Size of the section, in bytes

ssdeep

ssdeep

Fuzzy hash using context triggered piecewise hashes (CTPH)

text

text

Free text value to attach to the section

type

text

Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER']

email

Email object describing an email with meta-information.

email is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

attachment

email-attachment

Attachment

bcc

email-dst

Blind carbon copy

bcc-display-name

email-dst-display-name

Display name of the blind carbon copy

cc

email-dst

Carbon copy

cc-display-name

email-dst-display-name

Display name of the carbon copy

email-body

email-body

Body of the email

email-body-attachment

attachment

Body of the email as an attachment

eml

attachment

Full EML

from

email-src

Sender email address

from-display-name

email-src-display-name

Display name of the sender

from-domain

domain

Sender domain address (when only the source domain is known)

header

email-header

Full headers

ip-src

ip-src

Source IP address of the email sender

message-id

email-message-id

Message ID

mime-boundary

email-mime-boundary

MIME Boundary

msg

attachment

Full MSG

received-header-hostname

hostname

Extracted hostname from parsed headers

received-header-ip

ip-src

Extracted IP address from parsed headers

reply-to

email-reply-to

Email address the reply will be sent to

reply-to-display-name

email-dst-display-name

Display name of the email address the reply will be sent to

return-path

email-src

Message return path

screenshot

attachment

Screenshot of email

send-date

datetime

Date the email has been sent

subject

email-subject

Subject

thread-index

email-thread-index

Identifies a particular conversation thread

to

email-dst

Destination email address

to-display-name

email-dst-display-name

Display name of the receiver

user-agent

text

User Agent of the sender

x-mailer

email-x-mailer

X-Mailer generally tells the program that was used to draft and send the original email

employee

An employee and related data points.

employee is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

business-unit

target-org

the organizational business unit associated with the employee

email-address

target-email

Employee Email Address

employee-type

text

type of employee ['Mid-Level Manager', 'Senior Manager', 'Non-Manager', 'Supervisor', 'First-Line Manager', 'Director']

first-name

first-name

Employee’s first name

full-name

full-name

Employee’s full name

last-name

last-name

Employee’s last name

primary-asset

target-machine

Asset tag of the primary asset assigned to employee

text

text

A description of the person or identity.

userid

target-user

EMployee user identification

error-message

An error message which can be related to the processing of data such as import, export scripts from the original MISP instance.

error-message is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

message

text

Content of the error message.

source

text

Source of the error message. ['misp-stix', 'lief', 'other']

event

Event object as described in STIX 2.1 Incident object extension.

event is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

description

text

Description of the event.

end_time

datetime

The date and time the event was last recorded.

end_time_fidelity

text

Level of fidelity that the end_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

event_type

text

Type of event. ['aggregation-information-phishing-schemes', 'benign', 'blocked', 'brute-force-attempt', 'c&c-server-hosting', 'compromised-system', 'confirmed', 'connection-malware-port', 'connection-malware-system', 'content-forbidden-by-law', 'control-system-bypass', 'copyrighted-content', 'data-exfiltration', 'deferred', 'deletion-information', 'denial-of-service', 'destruction', 'dictionary-attack-attempt', 'discarded', 'disruption-data-transmission', 'dissemination-malware-email', 'dissemination-phishing-emails', 'dns-cache-poisoning', 'dns-local-resolver-hijacking', 'dns-spoofing-registered', 'dns-rebinding', 'dns-server-compromise', 'dns-spoofing-unregistered', 'dns-stub-resolver-hijacking', 'dns-zone-transfer', 'domain-name-compromise', 'duplicate', 'email-flooding', 'equipment-loss', 'equipment-theft', 'exploit', 'exploit-attempt', 'exploit-framework-exhausting-resources', 'exploit-tool-exhausting-resources', 'failed', 'file-inclusion', 'file-inclusion-attempt', 'hosting-malware-webpage', 'hosting-phishing-sites', 'illegitimate-use-name', 'illegitimate-use-resources', 'infected-by-known-malware', 'insufficient-data', 'known-malware', 'lame-delegations', 'major', 'modification-information', 'misconfiguration', 'natural', 'network-scanning', 'no-apt', 'packet-flood', 'password-cracking-attempt', 'ransomware', 'refuted', 'scan-probe', 'silently-discarded', 'supply-chain-customer', 'supply-chain-vendor', 'spam', 'sql-injection', 'sql-injection-attempt', 'successful', 'system-probe', 'theft-access-credentials', 'unattributed', 'unauthorized-access-information', 'unauthorized-access-system', 'unauthorized-equipment', 'unauthorized-release', 'unauthorized-use', 'undetermined', 'unintentional', 'unknown-apt', 'unspecified', 'vandalism', 'wiretapping', 'worm-spreading', 'xss', 'xss-attempt']

goal

text

The assumed objective of the event.

name

text

Name of the event.

start_time

datetime

The date and time the event was first recorded.

start_time_fidelity

text

Level of fidelity that the start_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

status

text

Current status of the event. ['not-occurred', 'ongoing', 'occurred', 'pending', 'undetermined']

exploit

Exploit object describes a program in binary or source code form used to abuse one or more vulnerabilities.

exploit is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

0day-today-id

text

Reference to the 0day.today referencing this exploit.

accessibility

text

Accessibility of the exploit. ['Unknown', 'Public', 'Limited', 'Paid']

comment

text

Comment associated to the exploit.

credit

text

Credit(s) for the exploit (such as author, distributor or original source).

cve-id

vulnerability

Reference to the CVE value targeted by the exploit.

description

text

Description of the exploit.

exploit

text

Free text of the exploit.

exploit-as-attachment

attachment

Attachment of the exploit.

exploitdb-id

text

Reference to the ExploitDB referencing this exploit.

filename

filename

Filename used for the exploit.

level

text

Level of the exploit. ['Unknown', 'Proof-of-Concept', 'Functional', 'Production-ready']

reference

link

Reference to the exploit.

software

text

Software impacted

title

text

Title of the exploit.

exploit-poc

Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object has often a relationship with a vulnerability object.

exploit-poc is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

author

text

Author of the exploit - proof of concept

description

text

Description of the exploit - proof of concept

poc

attachment

Proof of Concept or exploit (as a script, binary or described process)

references

link

External references

vulnerable_configuration

text

The vulnerable configuration described in CPE format where the exploit/proof of concept is valid

external-impact

External Impact object as described in STIX 2.1 Incident object extension.

external-impact is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

criticality

text

Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme']

description

text

Additional details about the impact.

end_time

datetime

The date and time the impact was last recorded.

end_time_fidelity

text

Level of fidelity that the end_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

impact_type

text

Type of impact. ['economic', 'emergency-services', 'foreign-relations', 'national-secuirty', 'public-confidence', 'public-health', 'public-safety']

recoverability

text

Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented']

start_time

datetime

The date and time the impact was first recorded.

start_time_fidelity

text

Level of fidelity that the start_time is recorded in. ['day', 'hour', 'minute', 'month', 'second', 'year']

facebook-account

Facebook account.

facebook-account is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

account-id

text

Account id.

account-name

text

Account name.

archive

link

Archive of the account (Internet Archive, Archive.is, etc).

attachment

attachment

A screen capture or exported list of contacts etc.

description

text

A description of the user.

link

link

Original link to the page (supposed harmless).

url

url

Original URL location of the page (potentially malicious).

user-avatar

attachment

A user profile picture or avatar.

facebook-group

Public or private facebook group.

facebook-group is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

administrator

text

A user account who is an owner or admin of the group.

archive

link

Archive of the original group (Internet Archive, Archive.is, etc).

attachment

attachment

A screen capture or exported list of contacts, group members, etc.

creator

text

The user account that created the group.

description

text

A description of the group, channel or community.

embedded-link

url

Link embedded in the group description (potentially malicious).

embedded-safe-link

link

Link embedded in the group description (supposed safe).

group-alias

text

Aliases or previous names of group.

group-name

text

The name of the group, channel or community.

group-type

text

Facebook group type, e.g. general, buy and sell etc.

hashtag

text

Hashtag used to identify or promote the group.

id

text

Unique identified of the group.

link

link

Original link to the group (supposed harmless).

privacy

text

Group privacy: public, closed, secret. ['Public', 'Closed', 'Secret']

url

url

Original URL location of the group (potentially malicious).

facebook-page

Facebook page.

facebook-page is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

archive

link

Archive of the original page (Internet Archive, Archive.is, etc).

attachment

attachment

A screen capture or exported list of contacts, page members, etc.

contact-detail

url

Contact url listed on about page.

creator

text

The user account that created the page.

description

text

A description of the page.

embedded-link

url

Link embedded in the page description (potentially malicious).

embedded-safe-link

link

Link embedded in the page description (supposed safe).

event

text

Event announcement on page.

hashtag

text

Hashtag used to identify or promote the page.

link

link

Original link to the page (supposed harmless).

page-alias

text

Aliases or previous names of page.

page-id

text

Page id (without the @).

page-name

text

The name of the page.

page-type

text

Facebook page type, e.g. community, product etc.

related-page-id

text

id of a page listed as related to this one (without the @).

related-page-name

text

name of a page listed as related to this one.

team-member

text

A user account who is a member of the page.

url

url

Original URL location of the page (potentially malicious).

facebook-post

Post on a Facebook wall.

facebook-post is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

archive

link

Archive of the original document (Internet Archive, Archive.is, etc).

attachment

attachment

The facebook post file or screen capture.

embedded-link

url

Link in the facebook post

embedded-safe-link

link

Safe link in the facebook post

hashtag

text

Hashtag embedded in the facebook post

in-reply-to-display-name

text

The user display name of the facebook this post shares.

in-reply-to-status-id

text

The facebook ID of the post that this post shares.

in-reply-to-user-id

text

The user ID of the facebook this post shares.

language

text

The language of the post.

link

link

Original link to the facebook post (supposed harmless).

post

text

Raw text of the post.

post-id

text

The facebook post id.

post-location

text

id of the group, page or wall the post was posted to.

removal-date

datetime

When the facebook post was removed.

url

url

Original URL of the facebook post, e.g. link shortener (potentially malicious).

user-id

text

Id of the account who posted.

user-name

text

Display name of the account who posted.

username

text

Username who posted the facebook post

username-quoted

text

Username who is quoted in the facebook post.

facebook-reaction

Reaction to facebook posts.

facebook-reaction is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

link

link

Link to the user account which did the reaction.

name

text

The name of A user account which did the reaction.

type

text

Type of reaction. ['like', 'love', 'sad', 'haha', 'wow', 'care']

facial-composite

An object which describes a facial composite.

facial-composite is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

facial-composite

attachment

Facial composite image.

technique

text

Construction technique of the facial composite. ['E-FIT', 'PROfit', 'Sketch', 'Photofit', 'EvoFIT', 'PortraitPad']

text

text

A description of the facial composite.

fail2ban

Fail2ban event.

fail2ban is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

attack-type

text

Type of the attack

banned-ip

ip-src

IP Address banned by fail2ban

failures

counter

Amount of failures that lead to the ban.

logfile

attachment

Full logfile related to the attack.

logline

text

Example log line that caused the ban.

processing-timestamp

datetime

Timestamp of the report

sensor

text

Identifier of the sensor

victim

text

Identifier of the victim

favicon

A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons, associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.

favicon is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

favicon

attachment

The raw favicon file.

favicon-mmh3

favicon-mmh3

favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan.

link

link

The original link where the favicon was seen.

file

File object describing a file with meta-information.

file is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

access-time

datetime

The last time the file was accessed

attachment

attachment

A non-malicious file.

authentihash

authentihash

Authenticode executable signature hash

certificate

x509-fingerprint-sha1

Certificate value if the binary is signed with another authentication scheme than authenticode

compilation-timestamp

datetime

Compilation timestamp

creation-time

datetime

Creation time of the file

entropy

float

Entropy of the whole file

file-encoding

text

Encoding format of the file ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding', 'Amiga-1251', 'ANSI_X3.110-1983', 'ASMO_449', 'Big5', 'Big5-HKSCS', 'BOCU-1', 'BRF', 'BS_4730', 'BS_viewdata', 'CESU-8', 'CP50220', 'CP51932', 'CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2', 'CSA_Z243.4-1985-gr', 'CSN_369103', 'DEC-MCS', 'DIN_66003', 'dk-us', 'DS_2089', 'EBCDIC-AT-DE', 'EBCDIC-AT-DE-A', 'EBCDIC-CA-FR', 'EBCDIC-DK-NO', 'EBCDIC-DK-NO-A', 'EBCDIC-ES', 'EBCDIC-ES-A', 'EBCDIC-ES-S', 'EBCDIC-FI-SE', 'EBCDIC-FI-SE-A', 'EBCDIC-FR', 'EBCDIC-IT', 'EBCDIC-PT', 'EBCDIC-UK', 'EBCDIC-US', 'ECMA-cyrillic', 'ES', 'ES2', 'EUC-KR', 'Extended_UNIX_Code_Fixed_Width_for_Japanese', 'Extended_UNIX_Code_Packed_Format_for_Japanese', 'GB18030', 'GB_1988-80', 'GB2312', 'GB_2312-80', 'GBK', 'GOST_19768-74', 'greek7', 'greek7-old', 'greek-ccitt', 'HP-DeskTop', 'HP-Legal', 'HP-Math8', 'HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858', 'IBM00924', 'IBM01140', 'IBM01141', 'IBM01142', 'IBM01143', 'IBM01144', 'IBM01145', 'IBM01146', 'IBM01147', 'IBM01148', 'IBM01149', 'IBM037', 'IBM038', 'IBM1026', 'IBM1047', 'IBM273', 'IBM274', 'IBM275', 'IBM277', 'IBM278', 'IBM280', 'IBM281', 'IBM284', 'IBM285', 'IBM290', 'IBM297', 'IBM420', 'IBM423', 'IBM424', 'IBM437', 'IBM500', 'IBM775', 'IBM850', 'IBM851', 'IBM852', 'IBM855', 'IBM857', 'IBM860', 'IBM861', 'IBM862', 'IBM863', 'IBM864', 'IBM865', 'IBM866', 'IBM868', 'IBM869', 'IBM870', 'IBM871', 'IBM880', 'IBM891', 'IBM903', 'IBM904', 'IBM905', 'IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1', 'INIS', 'INIS-8', 'INIS-cyrillic', 'INVARIANT', 'ISO_10367-box', 'ISO-10646-J-1', 'ISO-10646-UCS-2', 'ISO-10646-UCS-4', 'ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1', 'ISO-10646-UTF-1', 'ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT', 'ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR', 'ISO_2033-1983', 'ISO_5427', 'ISO_5427:1981', 'ISO_5428:1980', 'ISO_646.basic:1983', 'ISO_646.irv:1983', 'ISO_6937-2-25', 'ISO_6937-2-add', 'ISO-8859-10', 'ISO_8859-1:1987', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1', 'ISO_8859-2:1987', 'ISO-8859-2-Windows-Latin-2', 'ISO_8859-3:1988', 'ISO_8859-4:1988', 'ISO_8859-5:1988', 'ISO_8859-6:1987', 'ISO_8859-6-E', 'ISO_8859-6-I', 'ISO_8859-7:1987', 'ISO_8859-8:1988', 'ISO_8859-8-E', 'ISO_8859-8-I', 'ISO_8859-9:1989', 'ISO-8859-9-Windows-Latin-5', 'ISO_8859-supp', 'iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT', 'JIS_C6220-1969-jp', 'JIS_C6220-1969-ro', 'JIS_C6226-1978', 'JIS_C6226-1983', 'JIS_C6229-1984-a', 'JIS_C6229-1984-b', 'JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand', 'JIS_C6229-1984-hand-add', 'JIS_C6229-1984-kana', 'JIS_Encoding', 'JIS_X0201', 'JIS_X0212-1990', 'JUS_I.B1.002', 'JUS_I.B1.003-mac', 'JUS_I.B1.003-serb', 'KOI7-switched', 'KOI8-R', 'KOI8-U', 'KS_C_5601-1987', 'KSC5636', 'KZ-1048', 'latin-greek', 'Latin-greek-1', 'latin-lap', 'macintosh', 'Microsoft-Publishing', 'MNEM', 'MNEMONIC', 'MSZ_7795.3', 'Name', 'NATS-DANO', 'NATS-DANO-ADD', 'NATS-SEFI', 'NATS-SEFI-ADD', 'NC_NC00-10:81', 'NF_Z_62-010', 'NF_Z_62-010_(1973)', 'NS_4551-1', 'NS_4551-2', 'OSD_EBCDIC_DF03_IRV', 'OSD_EBCDIC_DF04_1', 'OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT', 'PT2', 'PTCP154', 'SCSU', 'SEN_850200_B', 'SEN_850200_C', 'Shift_JIS', 'T.101-G2', 'T.61-7bit', 'T.61-8bit', 'TIS-620', 'TSCII', 'UNICODE-1-1', 'UNICODE-1-1-UTF-7', 'UNKNOWN-8BIT', 'US-ASCII', 'us-dk', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UTF-7', 'UTF-8', 'Ventura-International', 'Ventura-Math', 'Ventura-US', 'videotex-suppl', 'VIQR', 'VISCII', 'windows-1250', 'windows-1251', 'windows-1252', 'windows-1253', 'windows-1254', 'windows-1255', 'windows-1256', 'windows-1257', 'windows-1258', 'Windows-31J', 'windows-874']

filename

filename

Filename on disk

fullpath

text

Complete path of the filename including the filename

imphash

imphash

Hash (md5) calculated from the PE import table

malware-sample

malware-sample

The file itself (binary)

md5

md5

[Insecure] MD5 hash (128 bits)

mimetype

mime-type

Mime type

modification-time

datetime

Last time the file was modified

path

text

Path of the filename complete or partial

pattern-in-file

pattern-in-file

Pattern that can be found in the file

sha1

sha1

[Insecure] Secure Hash Algorithm 1 (160 bits)

sha224

sha224

Secure Hash Algorithm 2 (224 bits)

sha256

sha256

Secure Hash Algorithm 2 (256 bits)

sha3-224

sha3-224

Secure Hash Algorithm 3 (224 bits)

sha3-256

sha3-256

Secure Hash Algorithm 3 (256 bits)

sha3-384

sha3-384

Secure Hash Algorithm 3 (384 bits)

sha3-512

sha3-512

Secure Hash Algorithm 3 (512 bits)

sha384

sha384

Secure Hash Algorithm 2 (384 bits)

sha512

sha512

Secure Hash Algorithm 2 (512 bits)

sha512/224

sha512/224

Secure Hash Algorithm 2 (224 bits)

sha512/256

sha512/256

Secure Hash Algorithm 2 (256 bits)

size-in-bytes

size-in-bytes

Size of the file, in bytes

ssdeep

ssdeep

Fuzzy hash using context triggered piecewise hashes (CTPH)

state

text

State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted']

telfhash

telfhash

telfhash - Symbol hash for ELF files.

text

text

Free text value to attach to the file

tlsh

tlsh

Fuzzy hash by Trend Micro: Locality Sensitive Hash

vhash

vhash

vhash by VirusTotal

flowintel-cm-case

A case as defined by flowintel-cm.

flowintel-cm-case is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

case-owner-org-name

text

Name of the organisation that created the case.

case-owner-org-uuid

text

UUID of the organisation that created the case.

case-uuid

text

UUID of the case

creation-date

datetime

Creation date of the case

deadline

datetime

Deadline of the case

description

text

A description of the case

finish-date

datetime

Finish date of the case

notes

text

Notes of the case

origin-url

url

Origin of the case

recurring-type

text

Recurring type ['once', 'weekly', 'daily', 'monthly']

status

text

Status of the case ['created', 'ongoing', 'recurring', 'unavailable', 'rejected', 'finished']

title

text

Title of the case

flowintel-cm-task

A task as defined by flowintel-cm.

flowintel-cm-task is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

case-uuid

text

UUID of the parent case

creation-date

datetime

Creation date of the task

deadline

datetime

Deadline of the task

description

text

A description of the task

file

attachment

File

finish-date

datetime

Finish date of the task

origin-url

url

Origin of the task

status

text

Status of the task ['created', 'ongoing', 'recurring', 'unavailable', 'rejected', 'finished']

task-uuid

text

UUID of the task

title

text

Title of the task

url

url

An url to an external tool

flowintel-cm-task-note

A task’s note as defined by flowintel-cm.

flowintel-cm-task-note is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

note

text

Notes of the task

note-uuid

text

UUID of the note

origin-url

url

Origin of the task

task-uuid

text

UUID of the parent task

forensic-case

An object template to describe a digital forensic case.

forensic-case is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

additional-comments

text

Comments.

analysis-start-date

datetime

Date when the analysis began.

case-name

text

Name to address the case.

case-number

text

Any unique number assigned to the case for unique identification.

name-of-the-analyst

text

Name(s) of the analyst assigned to the case.

references

link

External references

forensic-evidence

An object template to describe a digital forensic evidence.

forensic-evidence is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

acquisition-method

text

Method used for acquisition of the evidence. ['Live acquisition', 'Dead/Offline acquisition', 'Physical collection', 'Logical collection', 'File system extraction', 'Chip-off', 'Other']

acquisition-tools

text

Tools used for acquisition of the evidence. ['dd', 'dc3dd', 'dcfldd', 'EnCase', 'FTK Imager', 'FDAS', 'TrueBack', 'Guymager', 'IXimager', 'Other']

additional-comments

text

Comments.

case-number

text

A unique number assigned to the case for unique identification.

evidence-number

text

A unique number assigned to the evidence for unique identification.

name

text

Name of the evidence acquired.

references

link

External references

type

text

Evidence type. ['Computer', 'Network', 'Mobile Device', 'Multimedia', 'Cloud', 'IoT', 'Other']

forged-document

Object describing a forged document.

forged-document is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

archive

link

Archive of the original document (Internet Archive, Archive.is, etc).

attachment

attachment

The forged document file.

document-name

text

Title of the document.

document-text

text

Raw text of document

document-type

text

The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'blog', 'microblog', 'photo', 'audio', 'invoice', 'receipt', 'other']

first-seen

datetime

When the document has been accessible or seen for the first time.

last-seen

datetime

When the document has been accessible or seen for the last time.

link

link

Original link into the document (Supposed harmless)

objective

text

Objective of the forged document. ['Disinformation', 'Advertising', 'Parody', 'Other']

purpose-of-document

text

What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other']

url

url

Original URL location of the document (potentially malicious)

ftm-Airplane

An airplane, helicopter or other flying vehicle.

ftm-Airplane is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

amount

float

Amount

amountEur

float

Amount in EUR

amountUsd

float

Amount in USD

buildDate

text

Build Date

country

text

Country

currency

text

Currency

description

text

Description

icaoCode

text

ICAO aircraft type designator

indexText

text

Index text

indexUpdatedAt

text

Index updated at

keywords

text

Keywords

manufacturer

text

Manufacturer

model

text

Model

modifiedAt

text

Modified on

name

text

Name

notes

text

Notes

previousName

text

Previous name

program

text

Program

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

registrationDate

text

Registration Date

registrationNumber

text

Registration Number

retrievedAt

text

Retrieved on

serialNumber

text

Serial Number

sourceUrl

url

Source link

summary

text

Summary

topics

text

Topics

type

text

Type

weakAlias

text

Weak alias

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-Assessment

Assessment with meta-data.

ftm-Assessment is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

assessmentId

text

Assessment ID

country

text

Country

description

text

Description

indexText

text

Index text

indexUpdatedAt

text

Index updated at

keywords

text

Keywords

modifiedAt

text

Modified on

name

text

Name

notes

text

Notes

previousName

text

Previous name

program

text

Program

publishDate

text

Date of publishing

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

retrievedAt

text

Retrieved on

sourceUrl

url

Source link

summary

text

Summary

topics

text

Topics

weakAlias

text

Weak alias

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-Asset

A piece of property which can be owned and assigned a monetary value.

ftm-Asset is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

amount

float

Amount

amountEur

float

Amount in EUR

amountUsd

float

Amount in USD

country

text

Country

currency

text

Currency

description

text

Description

indexText

text

Index text

indexUpdatedAt

text

Index updated at

keywords

text

Keywords

modifiedAt

text

Modified on

name

text

Name

notes

text

Notes

previousName

text

Previous name

program

text

Program

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

retrievedAt

text

Retrieved on

sourceUrl

url

Source link

summary

text

Summary

topics

text

Topics

weakAlias

text

Weak alias

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-Associate

Non-family association between two people.

ftm-Associate is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

alephUrl

url

Aleph URL

date

text

Date

description

text

Description

endDate

text

End date

indexText

text

Index text

modifiedAt

text

Modified on

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

recordId

text

Record ID

relationship

text

Nature of the association

retrievedAt

text

Retrieved on

sourceUrl

url

Source URL

startDate

text

Start date

summary

text

Summary

ftm-Audio

Audio with meta-data.

ftm-Audio is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

author

text

The original author, not the uploader

authoredAt

text

Authored on

companiesMentioned

text

Detected companies

contentHash

sha1

SHA1 hash of the data

country

text

Country

crawler

text

The crawler used to acquire this file

date

text

If not otherwise specified

description

text

Description

detectedCountry

text

Detected country

detectedLanguage

text

Detected language

duration

float

Duration of the audio in ms

emailMentioned

email-src

Detected e-mail addresses

encoding

text

File encoding

extension

text

File extension

fileName

text

File name

fileSize

float

File size

generator

text

The program used to generate this file

ibanMentioned

iban

Detected IBANs

indexText

text

Index text

indexUpdatedAt

text

Index updated at

ipMentioned

ip-src

Detected IP addresses

keywords

text

Keywords

language

text

Language

locationMentioned

text

Detected locations

messageId

text

Message ID of a document; unique in most cases

mimeType

mime-type

MIME type

modifiedAt

text

Modified on

name

text

Name

namesMentioned

text

Detected names

notes

text

Notes

peopleMentioned

text

Detected people

phoneMentioned

phone-number

Detected phones

previousName

text

Previous name

processingError

text

Processing error

processingStatus

text

Processing status

program

text

Program

publishedAt

text

Published on

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

retrievedAt

text

Retrieved on

samplingRate

float

Sampling rate of the audio in Hz

sourceUrl

url

Source link

summary

text

Summary

title

text

Title

topics

text

Topics

weakAlias

text

Weak alias

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-BankAccount

An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.

ftm-BankAccount is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

accountNumber

text

Account Number

accountType

text

Account Type

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

amount

float

Amount

amountEur

float

Amount in EUR

amountUsd

float

Amount in USD

balance

float

Balance

bankAddress

text

Bank Address

bankName

text

Bank Name

bic

text

Bank Identifier Code

country

text

Country

currency

text

Currency

description

text

Description

iban

iban

IBAN

indexText

text

Index text

indexUpdatedAt

text

Index updated at

keywords

text

Keywords

modifiedAt

text

Modified on

name

text

Name

notes

text

Notes

previousName

text

Previous name

program

text

Program

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

retrievedAt

text

Retrieved on

sourceUrl

url

Source link

summary

text

Summary

topics

text

Topics

weakAlias

text

Weak alias

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-Call

Phone call object template including the call and all associated meta-data.

ftm-Call is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

alephUrl

url

Aleph URL

callerNumber

phone-number

Caller’s Number

date

text

Date

description

text

Description

duration

float

Call Duration in seconds

endDate

text

End date

indexText

text

Index text

modifiedAt

text

Modified on

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

receiverNumber

phone-number

Receiver’s Number

recordId

text

Record ID

retrievedAt

text

Retrieved on

sourceUrl

url

Source URL

startDate

text

Start date

summary

text

Summary

ftm-Company

A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective.

ftm-Company is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

amount

float

Amount

amountEur

float

Amount in EUR

amountUsd

float

Amount in USD

bikCode

text

Russian bank account code

bvdId

text

Bureau van Dijk ID

caemCode

text

(RO) What kind of activity a legal entity is allowed to develop

capital

text

Capital

cikCode

text

US SEC Central Index Key

classification

text

Classification

coatoCode

text

COATO / SOATO / OKATO

country

text

Country

currency

text

Currency

description

text

Description

dissolutionDate

text

The date the legal entity was dissolved, if applicable

dunsCode

text

Dun & Bradstreet identifier

email

email-src

Email address

fnsCode

text

(RU, ФНС) Federal Tax Service related info

fssCode

text

(RU, ФСС) Social Security

ibcRuc

text

ibcRUC

icijId

text

ID according to International Consortium for Investigative Journalists

idNumber

text

ID number of any applicable ID

incorporationDate

text

The date the legal entity was incorporated

indexText

text

Index text

indexUpdatedAt

text

Index updated at

innCode

text

Russian company ID

ipoCode

text

IPO

irsCode

text

US tax ID

jibCode

text

Yugoslavia company ID

jurisdiction

text

Jurisdiction

keywords

text

Keywords

kppCode

text

(RU, КПП) in addition to INN for orgs; reason for registration at FNS

legalForm

text

Legal form

mainCountry

text

Primary country of this entity

mbsCode

text

MBS

modifiedAt

text

Modified on

name

text

Name

notes

text

Notes

ogrnCode

text

Major State Registration Number

okopfCode

text

(RU, ОКОПФ) What kind of business entity

okpoCode

text

Russian industry classifier

oksmCode

text

Russian (ОКСМ) countries classifer

okvedCode

text

(RU, ОКВЭД) Economical activity classifier. OKVED2 is the same but newer

opencorporatesUrl

url

OpenCorporates URL

pfrNumber

text

(RU, ПФР) Pension Fund Registration number. AAA-BBB-CCCCCC, where AAA is organisation region, BBB is district, CCCCCC number at a specific branch

phone

phone-number

Phone number

previousName

text

Previous name

program

text

Program

publisher

text

Publishing source

publisherUrl

url

Publishing source URL

registrationNumber

text

Registration number

retrievedAt

text

Retrieved on

sector

text

Sector

sourceUrl

url

Source link

status

text

Status

summary

text

Summary

swiftBic

text

Bank identifier code

taxNumber

text

Tax identification number

taxStatus

text

Tax status

topics

text

Topics

vatCode

text

(EU) VAT number

voenCode

text

Azerbaijan taxpayer ID

weakAlias

text

Weak alias

website

url

Website address

wikidataId

text

Wikidata ID

wikipediaUrl

url

Wikipedia Article

ftm-Contract

An contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward). .

ftm-Contract is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute MISP attribute type Description Disable correlation Multiple

address

text

Address

alephUrl

url

Aleph URL

alias

text

Other name

amount

float

Amount

amountEur

float

Amount in EUR

amountUsd

float

Amount in USD

cancelled

text

Cancelled?

classification

text

Classification

contractDate

text

Contract date

country

text

Country

criteria

text

Contract award criteria

currency

text

Currency

description

text

Description

indexText

text

Index text

indexUpdatedAt

text

Index updated at

keywords

text

Keywords

language

text

Language

method

text

Procurement method

modifiedAt

text

Modified on

name

text

Contract name

notes

text

Notes

noticeId

text

Contract Award Notice ID

numberAwards

text

Number of awards