Introduction
The MISP threat sharing platform is free and open source software that supports the sharing of threat intelligence, including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of the information shared.
MISP objects are used in MISP (starting from version 2.4.80) and can be used by other information sharing tools. MISP objects complement MISP attributes by allowing advanced combinations of attributes. The creation of these objects and their associated attributes is based on real cyber security use-cases and existing practices in information sharing. The objects are shared just like any other attributes in MISP, even if the other MISP instances do not have the template of the object. The following document is generated from the machine-readable JSON describing the MISP objects.
Funding and Support
The MISP project is financially supported and resourced by CIRCL (Computer Incident Response Center Luxembourg).
A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31st August 2019 as "Improving MISP as building blocks for next-generation information sharing".
If you are interested in co-funding projects around MISP, feel free to get in touch with us.
MISP objects
ADS
An object defining ADS - Alerting and Detection Strategy by PALANTIR. Can be used for detection engineering.
ADS is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
acd-element | text | Lists the steps required to generate a representative true positive event which triggers this alert. | | |
additional_resources | url | Any other internal, external, or technical references that may be useful for understanding the ADS. | | |
blind_spots_and_assumptions | text | Recognized issues, assumptions, and areas where an ADS may not fire. | | |
categorization | text | Provides a mapping of the ADS to the relevant entry in ATT&CK. | | |
date | datetime | Date when the ADS was created or edited. | | |
false_positives | text | Known instances of an ADS misfiring due to a misconfiguration, idiosyncrasy in the environment, or other non-malicious scenario. | | |
goal | text | Short, plaintext description of the type of behavior the ADS is supposed to detect. | | |
priority | text | Describes the various alerting levels that an ADS may be tagged with. | | |
responses | text | General response steps in the event that this alert fires. | | |
sigma_rule | sigma | Rule in SIGMA format. | | |
strategy_abstract | text | High-level walkthrough of how the ADS functions. | | |
technical_context | text | Detailed information and background needed for a responder to understand all components of the alert. | | |
validation | text | Lists the steps required to generate a representative true positive event which triggers this alert. | | |
abuseipdb
AbuseIPDB checks an IP address, domain name, or subnet against a central blacklist.
abuseipdb is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
abuse-confidence-score | integer | Rating (0-100) of how confident AbuseIPDB is that an IP address is entirely malicious. | | |
is-malicious | boolean | Whether the IP is malicious, based on the abuse-confidence-score and threshold. | | |
is-public | boolean | Whether the IP is public. | | |
is-tor | boolean | Whether Tor (The Onion Router) was used. | | |
is-whitelisted | boolean | Whether the IP is spotted in any of AbuseIPDB’s whitelists. | | |
ai-chat-prompt
Object describing an AI prompt such as ChatGPT.
ai-chat-prompt is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
act-as | text | Act as a specific person. ['Security Analysts', 'Incident Responder', 'IT Expert', 'Cyber Security Specialists', 'Technical Writer'] | | |
comment | text | Comment associated with the AI chat prompt. | | |
model | text | AI chatbot model used for the prompt. ['GPT 3.5', 'GPT 4.0', 'GPT 3.0', 'DALL-E', 'Whisper', 'Embeddings', 'Moderation', 'Codex', 'BioGPT', 'LLaMA', 'GPT4ALL', 'Bing AI', 'Google Bard AI'] | | |
prompt | text | Prompt text used for a specific AI chat. | | |
result | text | Result ['Unknown', 'Harmless', 'Correct', 'Dangerous', 'Incorrect'] | | |
role | text | Role as defined in the OpenAI or similar API. ['system', 'user', 'assistant'] | | |
ail-leak
An information leak as defined by the AIL Analysis Information Leak framework.
ail-leak is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
duplicate | text | Duplicate of the existing leaks. | | |
duplicate_number | counter | Number of known duplicates. | | |
first-seen | datetime | When the leak has been accessible or seen for the first time. | | |
last-seen | datetime | When the leak has been accessible or seen for the last time. | | |
origin | text | The link where the leak is (or was) accessible at first-seen. | | |
original-date | datetime | When the information available in the leak was created. It’s usually before the first-seen. | | |
raw-data | attachment | Raw data as received by the AIL sensor, compressed and encoded in Base64. | | |
sensor | text | The AIL sensor uuid where the leak was processed and analysed. | | |
text | text | A description of the leak, which could include the potential victim(s) or a description of the leak. | | |
ais
Automatic Identification System (AIS) is an automatic tracking system that uses transceivers on ships.
ais is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
ETA | datetime | Estimated time of arrival at destination. | | |
IMO-number | text | IMO ship identification number: a seven digit number that remains unchanged upon transfer of the ship’s registration to another country. | | |
MMSI | text | Vessel Maritime Mobile Service Identity (MMSI): a unique nine digit identification number. | | |
call-sign | text | International radio call-sign, up to 7 characters. | | |
course-over-ground | float | The course of the vessel, relative to true north, to 0.1 degree. | | |
destination | text | Destination of the vessel, in max 20 characters. | | |
dimension-a | float | Distance in meters from Forward Perpendicular (FP). | | |
dimension-b | float | Distance in meters from After Perpendicular (AP). | | |
dimension-c | float | Distance in meters inboard from port side. | | |
dimension-d | float | Distance in meters inboard from starboard side. | | |
draught | float | Draught of ship, 0.1-25.5 meters. | | |
first-seen | datetime | When the location was seen for the first time. | | |
last-seen | datetime | When the location was seen for the last time. | | |
latitude | float | The latitude is the decimal value of the latitude in the World Geodetic System 84 (WGS84) reference. | | |
longitude | float | The longitude is the decimal value of the longitude in the World Geodetic System 84 (WGS84) reference. | | |
name | text | 20 characters to represent the name of the vessel. | | |
navigational-status | float | | | |
rate-of-turn | text | Right or left, from 0 to 720 degrees per minute. | | |
speed-over-ground | float | 0.1 knot resolution, from 0 to 102 knots. | | |
true-heading | float | The true heading of the vessel, 0 to 359 degrees. | | |
true-heading-at-own-position | float | The true heading at own position of the vessel, 0 to 359 degrees. | | |
type-of-ship | text | Type of ship/cargo. | | |
ais-info
Automated Indicator Sharing (AIS) Information Source Markings.
ais-info is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
administrative-area | text | AIS Administrative Area represented using ISO-3166-2. | | |
country | text | AIS Country represented using ISO-3166-1_alpha-2. | | |
industry | text | AIS IndustryType. ['Chemical Sector', 'Commercial Facilities Sector', 'Communications Sector', 'Critical Manufacturing Sector', 'Dams Sector', 'Defense Industrial Base Sector', 'Emergency Services Sector', 'Energy Sector', 'Financial Services Sector', 'Food and Agriculture Sector', 'Government Facilities Sector', 'Healthcare and Public Health Sector', 'Information Technology Sector', 'Nuclear Reactors, Materials, and Waste Sector', 'Transportation Systems Sector', 'Water and Wastewater Systems Sector', 'Other'] | | |
organisation | text | AIS Organisation Name. | | |
android-app
Indicators related to an Android app.
android-app is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
appid | text | Application ID. | | |
certificate | sha1 | Android certificate. | | |
domain | domain | Domain used by the app. | | |
name | text | Generic name of the application. | | |
sha256 | sha256 | SHA256 of the APK. | | |
android-permission
A set of android permissions - one or more permission(s) which can be linked to other objects (e.g. malware, app).
android-permission is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
comment | comment | Comment about the set of android permission(s). | | |
permission | text | Android permission ['ACCESS_CHECKIN_PROPERTIES', 'ACCESS_COARSE_LOCATION', 'ACCESS_FINE_LOCATION', 'ACCESS_LOCATION_EXTRA_COMMANDS', 'ACCESS_NETWORK_STATE', 'ACCESS_NOTIFICATION_POLICY', 'ACCESS_WIFI_STATE', 'ACCOUNT_MANAGER', 'ADD_VOICEMAIL', 'ANSWER_PHONE_CALLS', 'BATTERY_STATS', 'BIND_ACCESSIBILITY_SERVICE', 'BIND_APPWIDGET', 'BIND_AUTOFILL_SERVICE', 'BIND_CARRIER_MESSAGING_SERVICE', 'BIND_CHOOSER_TARGET_SERVICE', 'BIND_CONDITION_PROVIDER_SERVICE', 'BIND_DEVICE_ADMIN', 'BIND_DREAM_SERVICE', 'BIND_INCALL_SERVICE', 'BIND_INPUT_METHOD', 'BIND_MIDI_DEVICE_SERVICE', 'BIND_NFC_SERVICE', 'BIND_NOTIFICATION_LISTENER_SERVICE', 'BIND_PRINT_SERVICE', 'BIND_QUICK_SETTINGS_TILE', 'BIND_REMOTEVIEWS', 'BIND_SCREENING_SERVICE', 'BIND_TELECOM_CONNECTION_SERVICE', 'BIND_TEXT_SERVICE', 'BIND_TV_INPUT', 'BIND_VISUAL_VOICEMAIL_SERVICE', 'BIND_VOICE_INTERACTION', 'BIND_VPN_SERVICE', 'BIND_VR_LISTENER_SERVICE', 'BIND_WALLPAPER', 'BLUETOOTH', 'BLUETOOTH_ADMIN', 'BLUETOOTH_PRIVILEGED', 'BODY_SENSORS', 'BROADCAST_PACKAGE_REMOVED', 'BROADCAST_SMS', 'BROADCAST_STICKY', 'BROADCAST_WAP_PUSH', 'CALL_PHONE', 'CALL_PRIVILEGED', 'CAMERA', 'CAPTURE_AUDIO_OUTPUT', 'CAPTURE_SECURE_VIDEO_OUTPUT', 'CAPTURE_VIDEO_OUTPUT', 'CHANGE_COMPONENT_ENABLED_STATE', 'CHANGE_CONFIGURATION', 'CHANGE_NETWORK_STATE', 'CHANGE_WIFI_MULTICAST_STATE', 'CHANGE_WIFI_STATE', 'CLEAR_APP_CACHE', 'CONTROL_LOCATION_UPDATES', 'DELETE_CACHE_FILES', 'DELETE_PACKAGES', 'DIAGNOSTIC', 'DISABLE_KEYGUARD', 'DUMP', 'EXPAND_STATUS_BAR', 'FACTORY_TEST', 'GET_ACCOUNTS', 'GET_ACCOUNTS_PRIVILEGED', 'GET_PACKAGE_SIZE', 'GET_TASKS', 'GLOBAL_SEARCH', 'INSTALL_LOCATION_PROVIDER', 'INSTALL_PACKAGES', 'INSTALL_SHORTCUT', 'INSTANT_APP_FOREGROUND_SERVICE', 'INTERNET', 'KILL_BACKGROUND_PROCESSES', 'LOCATION_HARDWARE', 'MANAGE_DOCUMENTS', 'MANAGE_OWN_CALLS', 'MASTER_CLEAR', 'MEDIA_CONTENT_CONTROL', 'MODIFY_AUDIO_SETTINGS', 'MODIFY_PHONE_STATE', 'MOUNT_FORMAT_FILESYSTEMS', 'MOUNT_UNMOUNT_FILESYSTEMS', 'NFC', 'PACKAGE_USAGE_STATS', 'PERSISTENT_ACTIVITY', 'PROCESS_OUTGOING_CALLS', 'READ_CALENDAR', 'READ_CALL_LOG', 'READ_CONTACTS', 'READ_EXTERNAL_STORAGE', 'READ_FRAME_BUFFER', 'READ_INPUT_STATE', 'READ_LOGS', 'READ_PHONE_NUMBERS', 'READ_PHONE_STATE', 'READ_SMS', 'READ_SYNC_SETTINGS', 'READ_SYNC_STATS', 'READ_VOICEMAIL', 'REBOOT', 'RECEIVE_BOOT_COMPLETED', 'RECEIVE_MMS', 'RECEIVE_SMS', 'RECEIVE_WAP_PUSH', 'RECORD_AUDIO', 'REORDER_TASKS', 'REQUEST_COMPANION_RUN_IN_BACKGROUND', 'REQUEST_COMPANION_USE_DATA_IN_BACKGROUND', 'REQUEST_DELETE_PACKAGES', 'REQUEST_IGNORE_BATTERY_OPTIMIZATIONS', 'REQUEST_INSTALL_PACKAGES', 'RESTART_PACKAGES', 'SEND_RESPOND_VIA_MESSAGE', 'SEND_SMS', 'SET_ALARM', 'SET_ALWAYS_FINISH', 'SET_ANIMATION_SCALE', 'SET_DEBUG_APP', 'SET_PREFERRED_APPLICATIONS', 'SET_PROCESS_LIMIT', 'SET_TIME', 'SET_TIME_ZONE', 'SET_WALLPAPER', 'SET_WALLPAPER_HINTS', 'SIGNAL_PERSISTENT_PROCESSES', 'STATUS_BAR', 'SYSTEM_ALERT_WINDOW', 'TRANSMIT_IR', 'UNINSTALL_SHORTCUT', 'UPDATE_DEVICE_STATS', 'USE_FINGERPRINT', 'USE_SIP', 'VIBRATE', 'WAKE_LOCK', 'WRITE_APN_SETTINGS', 'WRITE_CALENDAR', 'WRITE_CALL_LOG', 'WRITE_CONTACTS', 'WRITE_EXTERNAL_STORAGE', 'WRITE_GSERVICES', 'WRITE_SECURE_SETTINGS', 'WRITE_SETTINGS', 'WRITE_SYNC_SETTINGS', 'WRITE_VOICEMAIL'] | | |
annotation
An annotation object allowing analysts to add annotations, comments, executive summary to a MISP event, objects or attributes.
annotation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
attachment | attachment | An attachment to support the annotation. | | |
creation-date | datetime | Initial creation of the annotation. | | |
format | text | Format of the annotation ['text', 'markdown', 'asciidoctor', 'MultiMarkdown', 'GFM', 'pandoc', 'Fountain', 'CommonWork', 'kramdown-rfc2629', 'rfc7328', 'Extra'] | | |
modification-date | datetime | Last update of the annotation. | | |
ref | link | Reference(s) to the annotation. | | |
text | text | Raw text of the annotation. | | |
type | text | Type of the annotation ['Annotation', 'Executive Summary', 'Introduction', 'Conclusion', 'Disclaimer', 'Keywords', 'Acknowledgement', 'Other', 'Copyright', 'Authors', 'Logo', 'Full Report'] | | |
anonymisation
Anonymisation object describing an anonymisation technique used to encode MISP attribute values. Reference: https://www.caida.org/tools/taxonomy/anonymization.xml.
anonymisation is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
description | text | Description of the anonymisation technique or tool used. | | |
encryption-function | text | Encryption function or algorithm used to anonymise the attribute ['aes128', 'aes-128-cbc', 'aes-128-cfb', 'aes-128-cfb1', 'aes-128-cfb8', 'aes-128-ctr', 'aes-128-ecb', 'aes-128-ofb', 'aes192', 'aes-192-cbc', 'aes-192-cfb', 'aes-192-cfb1', 'aes-192-cfb8', 'aes-192-ctr', 'aes-192-ecb', 'aes-192-ofb', 'aes-256-cfb', 'aes-256-cfb1', 'aes-256-cfb8', 'aes-256-ctr', 'aes-256-ecb', 'aes-256-ofb', 'bf', 'bf-cbc', 'bf-cfb', 'bf-ecb', 'bf-ofb', 'blowfish', 'camellia128', 'camellia-128-cbc', 'camellia-128-cfb', 'camellia-128-cfb1', 'camellia-128-cfb8', 'camellia-128-ctr', 'camellia-128-ecb', 'camellia-128-ofb', 'camellia192', 'camellia-192-cbc', 'camellia-192-cfb', 'camellia-192-cfb1', 'camellia-192-cfb8', 'camellia-192-ctr', 'camellia-192-ecb', 'camellia-192-ofb', 'camellia256', 'camellia-256-cbc', 'camellia-256-cfb', 'camellia-256-cfb1', 'camellia-256-cfb8', 'camellia-256-ctr', 'camellia-256-ecb', 'camellia-256-ofb', 'cast', 'cast5-cbc', 'cast5-cfb', 'cast5-ecb', 'cast5-ofb', 'cast-cbc', 'des', 'des3', 'des-cbc', 'des-cfb', 'des-ecb', 'des-ede', 'des-ede3', 'des-ede3-cbc', 'des-ede3-cfb', 'des-ede3-ofb', 'des-ede-cbc', 'des-ede-cfb', 'des-ede-ofb', 'des-ofb', 'desx', 'gost89', 'gost89-cnt', 'idea', 'idea-cbc', 'idea-cfb', 'idea-ecb', 'idea-ofb', 'rc2', 'rc2-40-cbc', 'rc2-64-cbc', 'rc2-cbc', 'rc2-cfb', 'rc2-ecb', 'rc2-ofb', 'rc4', 'rc4-40', 'rc4-64', 'rc5', 'rc5-cbc', 'rc5-cfb', 'rc5-ecb', 'rc5-ofb', 'seed', 'seed-cbc', 'seed-cfb', 'seed-ecb', 'seed-ofb', 'sm4', 'sm4-cbc', 'sm4-cfb', 'sm4-ctr', 'sm4-ecb', 'sm4-ofb'] | | |
iv | text | Initialisation vector for the encryption function used to anonymise the attribute. | | |
key | text | Key (such as a PSK in a keyed-hash-function) used to anonymise the attribute. | | |
keyed-hash-function | text | Keyed-hash function used to anonymise the attribute ['hmac-sha1', 'hmac-md5', 'hmac-sha256', 'hmac-sha384', 'hmac-sha512'] | | |
level-of-knowledge | text | Level of knowledge of the organisation who created this object ['Only the anonymised data is known', 'Deanonymised data is known'] | | |
method | text | Anonymisation (or pseudo-anonymisation) method(s) used ["hiding - Attribute is replaced with a constant value (typically 0) of the same size. Sometimes called 'black marker'.", 'hash - A hash function maps each attribute to a new (not necessarily unique) attribute.', 'permutation - Maps each original value to a unique new value.', "prefix-preserving - Any two values that had the same n-bit prefix before anonymisation will still have the same n-bit prefix as each other after anonymization. (Would be more accurately called 'prefix-relationship-preserving', because the actual prefix values are not preserved.) ", 'shift - Adds a fixed offset to each value/attribute.', 'enumeration - Map each original value to a new value such that their ordering is preserved.', 'partitioning - Possible values are partitioned into meaningful sets; actual values are replaced with a fixed value from the same set. E.g., TCP port numbers 0 to 1023 are replaced with 0, and 1024 to 65535 replaced with 65535.', 'updated - Checksums are recalculated to reflect changes made to other fields.', 'truncation - Field is shortened, losing data at the end.', 'encryption - Attribute is encrypted.'] | | |
regexp | text | Regular expression to perform the anonymisation (reversible or not). | | |
apivoid-email-verification
Apivoid email verification API result. Reference: https://www.apivoid.com/api/email-verify/.
apivoid-email-verification is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
china_free_email | boolean | True if email is a free China email, e.g. 163.com. | | |
comment | text | Field for comments or correlating text. | | |
dirty_words_domain | boolean | True if domain contains dirty/bad words. | | |
dirty_words_username | boolean | True if username contains dirty/bad words. | | |
disposable | boolean | True if email is disposable, e.g. yopmail.com. | | |
dmarc_configured | boolean | True if domain has DMARC records configured. | | |
dmarc_enforced | boolean | True if domain is configured for DMARC and set to an enforcement policy. | | |
domain | domain | Email domain. | | |
domain_popular | boolean | True if domain is a known popular domain. | | |
educational_domain | boolean | True if domain is an educational domain, e.g. .edu. | | |
| | | The email address that was queried. | | |
free_email | boolean | True if email is a free email, e.g. gmail.com. | | |
government_domain | boolean | True if domain is a government domain, e.g. .gov. | | |
has_a_records | boolean | True if domain has A records configured. | | |
has_mx_records | boolean | True if domain has MX records configured. | | |
has_spf_records | boolean | True if domain has SPF records configured. | | |
is_spoofable | boolean | True if domain does not have SPF records or if ~all is not configured. | | |
police_domain | boolean | True if domain is a police domain (such as polizei, police, etc). | | |
risky_tld | boolean | True if domain TLD is risky, e.g. .top or .pro. | | |
role_address | boolean | True if email is a role address, e.g. admin@website.com. | | |
russian_free_email | boolean | True if email is a free Russian email, e.g. mail.ru. | | |
score | float | A number between 0 (bad) and 100 (good). | | |
should_block | boolean | True if the score is bad (<= 70) and thus it should be blocked. | | |
suspicious_domain | boolean | True if domain is suspicious, e.g. known spam or parked. | | |
suspicious_email | boolean | True if email is considered suspicious. | | |
suspicious_username | boolean | True if username is suspicious, e.g. only numbers. | | |
username | text | Username part of the email address (email prefix). | | |
valid_format | boolean | True if email has a valid format. | | |
valid_tld | boolean | True if domain TLD is valid, e.g. .com or .co.uk. | | |
artifact
The Artifact object permits capturing an array of bytes (8-bits), as a base64-encoded string, or linking to a file-like payload. From STIX 2.1 (6.1).
artifact is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
decryption_key | text | Specifies the decryption key for the encrypted binary data (either via payload_bin or url). For example, this may be useful in cases of sharing malware samples, which are often encoded in an encrypted archive. | | |
encryption_algorithm | text | If the artifact is encrypted, specifies the type of encryption algorithm the binary data (either via payload_bin or url) is encoded in. | | |
md5 | md5 | [Insecure] MD5 hash (128 bits) | | |
mime_type | mime-type | Whenever feasible, this value SHOULD be one of the values defined in the Template column in the IANA media type registry [Media Types]. Maintaining a comprehensive universal catalog of all extant file types is obviously not possible. When specifying a MIME Type not included in the IANA registry, implementers should use their best judgement so as to facilitate interoperability. | | |
payload_bin | attachment | Specifies the binary data contained in the artifact as a base64-encoded string. | | |
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) | | |
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) | | |
sha3-256 | sha3-256 | Secure Hash Algorithm 3 (256 bits) | | |
sha3-512 | sha3-512 | Secure Hash Algorithm 3 (512 bits) | | |
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) | | |
ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) | | |
tlsh | tlsh | Fuzzy hash by Trend Micro: Locality Sensitive Hash | | |
url | url | The value of this property MUST be a valid URL that resolves to the unencoded content. When present, at least one hash value MUST be present too. | | |
asn
Autonomous system object describing an autonomous system which can include one or more network operators managing an entity (e.g. ISP) along with their routing policy, routing prefixes or alike.
asn is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
asn | AS | Autonomous System Number. | | |
country | text | Country code of the main location of the autonomous system. | | |
description | text | Description of the autonomous system. | | |
export | text | The outbound routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format. | | |
first-seen | datetime | First time the ASN was seen. | | |
import | text | The inbound IPv4 routing policy of the AS in RFC 2622 – Routing Policy Specification Language (RPSL) format. | | |
last-seen | datetime | Last time the ASN was seen. | | |
mp-export | text | This attribute performs the same function as the export attribute above. The difference is that mp-export allows both IPv4 and IPv6 address families to be specified. The export is described in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5. | | |
mp-import | text | The inbound IPv4 or IPv6 routing policy of the AS in RFC 4012 – Routing Policy Specification Language next generation (RPSLng), section 4.5 format. | | |
subnet-announced | ip-src | Subnet announced. | | |
attack-pattern
Attack pattern describing a common attack pattern enumeration and classification.
attack-pattern is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
id | text | CAPEC ID. | | |
name | text | Name of the attack pattern. | | |
prerequisites | text | Prerequisites for the attack pattern to succeed. | | |
references | link | External references. | | |
related-weakness | weakness | Weakness related to the attack pattern. | | |
solutions | text | Solutions for the attack pattern to be countered. | | |
summary | text | Summary description of the attack pattern. | | |
attack-step
An object defining a singular attack-step. Especially useful for red/purple teaming, but can also be used for actual attacks.
attack-step is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
command-line | text | Command line used to execute the attack step, if any. | | |
description | text | Description of the attack step. | | |
detections | text | Detections by the victim’s monitoring capabilities. | | |
dst-domain | domain | Domain destination of the attack step, if any. | | |
dst-ip | ip-dst | IP destination of the attack step, if any. | | |
dst-misc | text | Other type of destination of the attack step, if any. This can be e.g. localhost. | | |
expected-response | text | Response or detection expected (in case of purple teaming). | | |
key-step | boolean | Was this attack step object a key step within the context of the incident/event? ['True', 'False'] | | |
source-domain | domain | Domain source of the attack step, if any. | | |
source-ip | ip-src | IP source of the attack step, if any. | | |
source-misc | text | Other type of source of the attack step, if any. This can be e.g. a rotating IP from cloud providers such as AWS, or localhost. | | |
succesful | boolean | Was this attack step successful? ['True', 'False'] | | |
authentication-failure-report
Authentication Failure Report.
authentication-failure-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
ip-dst | ip-dst | Destination IP. | | |
ip-src | ip-src | IP address originating the authentication failure. | | |
total | counter | The number of authentication failures reported. | | |
type | text | The type of authentication failure. ['ssh'] | | |
username | text | The username used. | | |
authenticode-signerinfo
Authenticode Signer Info.
authenticode-signerinfo is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
content-type | text | Content type. | | |
digest-base64 | text | Signature created by the signing certificate’s private key. | | |
digest_algorithm | text | Algorithm used to hash the file. | | |
encryption_algorithm | text | Algorithm used to encrypt the digest. | | |
issuer | text | Issuer of the certificate. | | |
program-name | text | Program name. | | |
serial-number | text | Serial number of the certificate. | | |
signature_algorithm | text | Signature algorithm ['SHA1_WITH_RSA_ENCRYPTION', 'SHA256_WITH_RSA_ENCRYPTION'] | | |
text | text | Free text description of the signer info. | | |
url | url | URL. | | |
version | text | Version of the certificate. | | |
av-signature
Antivirus detection signature.
av-signature is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
datetime | datetime | Datetime. | | |
signature | text | Name of the detection signature. | | |
software | text | Name of the antivirus software. | | |
text | text | Free text value to attach to the file. | | |
availability-impact
Availability Impact object as described in STIX 2.1 Incident object extension.
availability-impact is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.

Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
availability_impact | text | The availability impact. ['Not Specified', 'None', 'Minimal', 'Significant', 'Denial', 'Loss of Control'] | | |
criticality | text | Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme'] | | |
description | text | Additional details about the impact. | | |
end_time | datetime | The date and time the impact was last recorded. | | |
end_time_fidelity | text | Level of fidelity that the | | |
recoverability | text | Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented'] | | |
start_time | datetime | The date and time the impact was first recorded. | | |
start_time_fidelity | text | Level of fidelity that the | | |
bank-account
An object describing bank account information based on account description from goAML 4.0.
bank-account is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
aba-rtn |
aba-rtn |
ABA routing transit number |
|
|
account |
bank-account-nr |
Account number |
|
|
account-name |
text |
A field to freely describe the bank account details. |
|
|
balance |
text |
The balance of the account after the suspicious transaction was processed. |
|
|
beneficiary |
text |
Final beneficiary of the bank account. |
|
|
beneficiary-comment |
text |
Comment about the final beneficiary. |
|
|
branch |
text |
Branch code or name |
|
|
client-number |
text |
Client number as seen by the bank. |
|
|
closed |
datetime |
When the account was closed. |
|
|
comments |
text |
Comments about the bank account. |
|
|
currency-code |
text |
Currency of the account. ['USD', 'EUR'] |
|
|
date-balance |
datetime |
When the balance was reported. |
|
|
iban |
iban |
IBAN of the bank account. |
|
|
institution-code |
text |
Institution code of the bank. |
|
|
institution-name |
text |
Name of the bank or financial organisation. |
|
|
non-banking-institution |
boolean |
Flag indicating whether this account belongs to a non-banking institution; true means it does. ['True', 'False'] |
|
|
opened |
datetime |
When the account was opened. |
|
|
personal-account-type |
text |
Account type. ['A - Business', 'B - Personal Current', 'C - Savings', 'D - Trust Account', 'E - Trading Account', 'O - Other'] |
|
|
report-code |
text |
Report code of the bank account. ['CTR Cash Transaction Report', 'STR Suspicious Transaction Report', 'EFT Electronic Funds Transfer', 'IFT International Funds Transfer', 'TFR Terror Financing Report', 'BCR Border Cash Report', 'UTR Unusual Transaction Report', 'AIF Additional Information File – Can be used for example to get full disclosure of transactions of an account for a period of time without reporting it as a CTR.', 'IRI Incoming Request for Information – International', 'ORI Outgoing Request for Information – International', 'IRD Incoming Request for Information – Domestic', 'ORD Outgoing Request for Information – Domestic'] |
|
|
status-code |
text |
Account status at the time the transaction was processed. ['A - Active', 'B - Inactive', 'C - Dormant'] |
|
|
swift |
bic |
SWIFT or BIC as defined in ISO 9362. |
|
|
text |
text |
A description of the bank account. |
|
|
bgp-hijack
Object encapsulating BGP Hijack description as specified, for example, by bgpstream.com.
bgp-hijack is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
country |
text |
Country code of the main location of the attacking autonomous system |
|
|
description |
text |
BGP Hijack details |
|
|
detected-asn |
AS |
Detected Autonomous System Number |
|
|
end |
datetime |
Last time the Prefix hijack was seen |
|
|
expected-asn |
AS |
Expected Autonomous System Number |
|
|
start |
datetime |
First time the Prefix hijack was seen |
|
|
subnet-announced |
ip-src |
Subnet announced |
|
|
bgp-ranking
BGP Ranking object describing the ranking of an ASN for a given day, along with its position (1 being the most malicious ASN of the day, i.e. the one with the highest ranking). This object is meant to be related to the corresponding asn object and represents that ASN's ranking for a specific date.
bgp-ranking is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address-family |
text |
The IP address family concerned by the ranking. ['v4', 'v6'] |
|
|
date |
datetime |
Date of the ranking. |
|
|
position |
float |
Position of the ASN for a given day. |
|
|
ranking |
float |
Ranking of the Autonomous System number. |
|
|
blog
Blog post, e.g. on Medium or WordPress.
blog is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
archive |
link |
Archive of the original document (Internet Archive, Archive.is, etc). |
|
|
creation-date |
datetime |
Initial creation of the blog post. |
|
|
embedded-link |
url |
Site linked by the blog post. |
|
|
embedded-safe-link |
link |
Safe site linked by the blog post. |
|
|
link |
link |
Original link in the blog post (assumed harmless). |
|
|
modification-date |
datetime |
Last update of the blog post. |
|
|
post |
text |
Raw post. |
|
|
removal-date |
datetime |
When the blog post was removed. |
|
|
title |
text |
Title of blog post. |
|
|
type |
text |
Type of blog post. ['Medium', 'WordPress', 'Blogger', 'Tumbler', 'LiveJournal', 'Forum', 'Other'] |
|
|
url |
url |
Original URL location of the blog post (potentially malicious). |
|
|
username |
text |
Username of the account that posted the blog post. |
|
|
username-quoted |
text |
Usernames quoted in the blog post. |
|
|
verified-username |
text |
Whether the username's account is verified by the operator of the blog platform. ['Verified', 'Unverified', 'Unknown'] |
|
|
boleto
A common form of payment used in Brazil.
boleto is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
beneficiary |
text |
Final beneficiary of the boleto. |
|
|
beneficiary-bank-account |
bank-account-nr |
Recipient bank account number |
|
|
beneficiary-bank-agency |
bank-account-nr |
Recipient bank agency number |
|
|
boleto-number |
text |
Boleto code numbers |
|
|
creation-date |
datetime |
Date the boleto was created |
|
|
febraban-code |
text |
Financial institution code in Brazil that created the boleto. |
|
|
generator-financial-institution |
text |
Name of the bank or financial organisation that created the boleto. |
|
|
payment-due-date |
datetime |
Boleto payment due date |
|
|
payment-status |
text |
Whether the boleto has been paid ['Not Paid', 'Paid'] |
|
|
payment-value |
float |
Boleto payment amount in Brazilian reais (BRL) |
|
|
requester |
text |
Organisation, service or affiliated person that requested creation of the boleto. |
|
|
btc-transaction
An object to describe a Bitcoin transaction. Best used together with the btc-wallet object.
btc-transaction is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
btc-address |
btc |
A Bitcoin transactional address |
|
|
time |
datetime |
Date and time of transaction |
|
|
transaction-number |
text |
A Bitcoin transaction number in a sequence of transactions |
|
|
value_BTC |
float |
Value in BTC at date/time displayed in field 'time' |
|
|
value_EUR |
float |
Value in EUR with conversion rate as of date/time displayed in field 'time' |
|
|
value_USD |
float |
Value in USD with conversion rate as of date/time displayed in field 'time' |
|
|
btc-wallet
An object to describe a Bitcoin wallet. Best used together with the btc-transaction object.
btc-wallet is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
BTC_received |
float |
Value of received BTC |
|
|
BTC_sent |
float |
Value of sent BTC |
|
|
balance_BTC |
float |
Wallet balance in BTC at the date/time given in the 'time' field |
|
|
time |
datetime |
Date and time of lookup/conversion |
|
|
wallet-address |
btc |
A Bitcoin wallet address |
|
|
c2-list
List of C2 servers sharing a common origin, e.g. extracted from the same blog post or ransomware analysis.
c2-list is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
c2-ip |
ip-src |
IP of C2 server with unknown port |
|
|
c2-ipport |
ip-src|port |
IP:Port of C2 server |
|
|
report-url |
link |
URL of source of information, e.g. blog post, ransomware analysis |
|
|
threat |
text |
threat actor or malware |
|
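Worked example (added here; not code from the MISP project): normalising raw C2 indicators into the attributes of a c2-list object. Bare IPs go to c2-ip (type ip-src) and IP:port pairs to c2-ipport (composite type ip-src|port, whose value uses MISP's "ip|port" notation). The indicator strings, report URL and threat name are constructed for illustration, and the helper names are this example's own.

```python
"""Added example (not part of the MISP project): turn raw C2 indicator strings
into attributes for the MISP `c2-list` object.

Assumptions: indicators arrive one per string as "203.0.113.7",
"203.0.113.7:8443", "[2001:db8::1]:443" or "2001:db8::1"; a composite
`ip-src|port` value is written in MISP's "ip|port" notation.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input, not real threat intelligence.
SAMPLE_C2 = [
    "203.0.113.7",
    "203.0.113.7:8443",
    "[2001:db8::1]:443",
    "2001:db8::1",
    "198.51.100.23:65536",   # port out of range, must be rejected
    "not-an-ip",             # junk, must be rejected
]

_V4_PORT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")
_V6_BRACKET_PORT = re.compile(r"^\[([0-9A-Fa-f:.]+)\]:(\d{1,5})$")


def split_ip_port(indicator: str) -> Tuple[str, Optional[int]]:
    """Return (ip, port); port is None when absent. Raises ValueError on junk."""
    s = indicator.strip()
    m = _V4_PORT.match(s) or _V6_BRACKET_PORT.match(s)
    if m:
        ip, port = m.group(1), int(m.group(2))
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {indicator}")
    else:
        ip, port = s, None
    # ipaddress validates both families and rejects things like 999.1.1.1,
    # and str() gives the canonical (compressed) IPv6 form.
    ip = str(ipaddress.ip_address(ip))
    return ip, port


def c2_list_attributes(indicators: List[str], report_url: str, threat: str) -> List[Dict[str, str]]:
    """Build the attribute list of one `c2-list` object.

    Each entry mirrors a MISP Object Attribute: object_relation, type, value.
    Bare IPs become `c2-ip` (ip-src); IP:port pairs become `c2-ipport`
    (ip-src|port). Unparseable indicators are skipped, never coerced.
    """
    attrs = [
        {"object_relation": "report-url", "type": "link", "value": report_url},
        {"object_relation": "threat", "type": "text", "value": threat},
    ]
    seen = set()
    for ind in indicators:
        try:
            ip, port = split_ip_port(ind)
        except ValueError:
            continue
        if port is None:
            rel, typ, value = "c2-ip", "ip-src", ip
        else:
            rel, typ, value = "c2-ipport", "ip-src|port", f"{ip}|{port}"
        if value in seen:  # the same indicator listed twice adds nothing
            continue
        seen.add(value)
        attrs.append({"object_relation": rel, "type": typ, "value": value})
    return attrs


if __name__ == "__main__":
    import json
    print(json.dumps(c2_list_attributes(SAMPLE_C2, "https://example.org/report", "Example RAT"), indent=2))
```

Feeding the resulting list into a MISP object means the IP:port pairs correlate on the full composite value, while the bare IPs still correlate on the address alone, which is exactly the distinction the c2-ip and c2-ipport relations exist for.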
cap-alert
Common Alerting Protocol (CAP) alert object.
cap-alert is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
addresses |
text |
The group listing of intended recipients of the alert message. (1) Required when <scope> is “Private”, optional when <scope> is “Public” or “Restricted”. (2) Each recipient SHALL be identified by an identifier or an address. (3) Multiple space-delimited addresses MAY be included. Addresses including whitespace MUST be enclosed in double-quotes. |
|
|
code |
text |
The code denoting the special handling of the alert message. |
|
|
identifier |
text |
The identifier of the alert message in a number or string uniquely identifying this message, assigned by the sender. |
|
|
incident |
text |
The group listing naming the referent incident(s) of the alert message. (1) Used to collate multiple messages referring to different aspects of the same incident. (2) If multiple incident identifiers are referenced, they SHALL be separated by whitespace. Incident names including whitespace SHALL be surrounded by double-quotes. |
|
|
msgType |
text |
The code denoting the nature of the alert message. ['Alert', 'Update', 'Cancel', 'Ack', 'Error'] |
|
|
note |
text |
The text describing the purpose or significance of the alert message. |
|
|
references |
text |
The group listing identifying earlier message(s) referenced by the alert message. (1) The extended message identifier(s) (in the form sender,identifier,sent) of an earlier CAP message or messages referenced by this one. (2) If multiple messages are referenced, they SHALL be separated by whitespace. |
|
|
restriction |
text |
The text describing the rule for limiting distribution of the restricted alert message. |
|
|
scope |
text |
The code denoting the intended distribution of the alert message. ['Public', 'Restricted', 'Private'] |
|
|
sender |
text |
The identifier of the sender of the alert message which identifies the originator of this alert. Guaranteed by assigner to be unique globally; e.g., may be based on an Internet domain name. |
|
|
sent |
datetime |
The time and date of the origination of the alert message. |
|
|
source |
text |
The text identifying the source of the alert message. The particular source of this alert; e.g., an operator or a specific device. |
|
|
status |
text |
The code denoting the appropriate handling of the alert message. ['Actual', 'Exercise', 'System', 'Test', 'Draft'] |
|
|
cap-info
Common Alerting Protocol (CAP) info object.
cap-info is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
audience |
text |
The text describing the intended audience of the alert message. |
|
|
category |
text |
The code denoting the category of the subject event of the alert message. ['Geo', 'Met', 'Safety', 'Security', 'Rescue', 'Fire', 'Health', 'Env', 'Transport', 'Infra', 'CBRNE', 'Other'] |
|
|
certainty |
text |
The code denoting the certainty of the subject event of the alert message. For backward compatibility with CAP 1.0, the deprecated value of “Very Likely” SHOULD be treated as equivalent to “Likely”. ['Likely', 'Possible', 'Unlikely', 'Unknown'] |
|
|
contact |
text |
The text describing the contact for follow-up and confirmation of the alert message. |
|
|
description |
text |
The text describing the subject event of the alert message. |
|
|
effective |
datetime |
The effective time of the information of the alert message. |
|
|
event |
text |
The text denoting the type of the subject event of the alert message. |
|
|
eventCode |
text |
A system-specific code identifying the event type of the alert message. |
|
|
expires |
datetime |
The expiry time of the information of the alert message. |
|
|
headline |
text |
The text headline of the alert message. |
|
|
instruction |
text |
The text describing the recommended action to be taken by recipients of the alert message. |
|
|
language |
text |
The code denoting the language of the info sub-element of the alert message. |
|
|
onset |
datetime |
The expected time of the beginning of the subject event of the alert message. |
|
|
parameter |
text |
A system-specific additional parameter associated with the alert message. |
|
|
responseType |
text |
The code denoting the type of action recommended for the target audience. ['Shelter', 'Evacuate', 'Prepare', 'Execute', 'Avoid', 'Monitor', 'Assess', 'AllClear', 'None'] |
|
|
senderName |
text |
The text naming the originator of the alert message. |
|
|
severity |
text |
The code denoting the severity of the subject event of the alert message. ['Extreme', 'Severe', 'Moderate', 'Minor', 'Unknown'] |
|
|
urgency |
text |
The code denoting the urgency of the subject event of the alert message. ['Immediate', 'Expected', 'Future', 'Past', 'Unknown'] |
|
|
web |
link |
The identifier of the hyperlink associating additional information with the alert message. |
|
|
cap-resource
Common Alerting Protocol (CAP) resource object.
cap-resource is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
derefUri |
attachment |
The base-64 encoded data content of the resource file. |
|
|
digest |
sha1 |
The code representing the digital digest (“hash”) computed from the resource file (OPTIONAL). |
|
|
mimeType |
mime-type |
The identifier of the MIME content type and sub-type describing the resource file. |
|
|
resourceDesc |
text |
The text describing the type and content of the resource file. |
|
|
size |
text |
The integer indicating the size of the resource file. |
|
|
uri |
link |
The identifier of the hyperlink for the resource file. |
|
|
cert-pl-phishing
CERT.PL phishing object template representing a URL along with metadata such as its pHash, HTML structure or truncated structure hash.
cert-pl-phishing is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
favicon-mmh3 |
text |
Favicon of the phishing URL, hashed with MurmurHash3 (base64-encoded favicon). |
|
|
html-structure |
text |
HTML tags defining the structure of the HTML page. |
|
|
phash-dct-base64 |
text |
pHash (DCT hash) - as described in https://github.com/thorn-oss/perception. |
|
|
truncated-hash-html-structure |
text |
Truncated hash value of the html-structure. |
|
|
url |
url |
Full URL of the phishing object. |
|
|
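Worked example (added here; not CERT.PL's or the MISP project's code) of how html-structure and truncated-hash-html-structure values can be derived for a cert-pl-phishing object. The page does not specify CERT.PL's algorithm, so the following is an assumption: the structure is the ordered sequence of tag names with text and attribute values dropped, and the truncated hash is the first 16 hex digits of SHA-256 over that sequence. The three HTML pages are constructed; two are the same phishing kit rebranded for different targets and are expected to collide, the third is an unrelated page.

```python
"""Added example (not CERT.PL's code): compute an `html-structure` string and
a `truncated-hash-html-structure` value for the cert-pl-phishing object.

Assumption: structure = ordered sequence of opening tag names (text and
attribute values dropped); truncated hash = first 16 hex chars of SHA-256.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List


class _TagCollector(HTMLParser):
    """Collects opening tag names in document order, ignoring text/attributes."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag.lower())

    def handle_startendtag(self, tag, attrs):
        # <br/> style tags: record once, do not fall through to handle_starttag
        self.tags.append(tag.lower())


def html_structure(html: str) -> str:
    """Space-separated tag skeleton, e.g. 'html head title body div form'."""
    p = _TagCollector()
    p.feed(html)
    p.close()
    return " ".join(p.tags)


def truncated_structure_hash(structure: str, length: int = 16) -> str:
    """Truncated SHA-256 over the skeleton; short enough to pivot on, long
    enough that accidental collisions are not a practical concern."""
    return hashlib.sha256(structure.encode("utf-8")).hexdigest()[:length]


def cert_pl_phishing_attributes(url: str, html: str) -> Dict[str, str]:
    """Values for the url, html-structure and truncated-hash-html-structure relations."""
    structure = html_structure(html)
    return {
        "url": url,
        "html-structure": structure,
        "truncated-hash-html-structure": truncated_structure_hash(structure),
    }


# Constructed sample pages. KIT_A and KIT_B are the same kit rebranded:
# different titles, labels, form targets and class names, identical markup.
KIT_A = """<html><head><title>Bank A - Login</title></head>
<body><div class="box"><form action="/a.php" method="post">
<input name="user"><input name="pass" type="password"><button>Sign in</button>
</form></div></body></html>"""
KIT_B = """<html><head><title>Bank B Secure Portal</title></head>
<body><div class="panel"><form action="/verify" method="post">
<input name="login"><input name="pw" type="password"><button>Continue</button>
</form></div></body></html>"""
LEGIT = """<html><head><title>Bank A</title><link rel="stylesheet" href="/s.css"></head>
<body><nav><a href="/">Home</a></nav><main><p>Welcome</p></main></body></html>"""

if __name__ == "__main__":
    for name, page in (("kit A", KIT_A), ("kit B", KIT_B), ("legit", LEGIT)):
        a = cert_pl_phishing_attributes(f"https://{name.replace(' ', '-')}.example/", page)
        print(name, a["truncated-hash-html-structure"], a["html-structure"])
```

The point of carrying the skeleton hash alongside the URL is that the URL, title and hostname of a kit change with every campaign, while the markup skeleton usually does not; correlating on truncated-hash-html-structure links those campaigns in MISP even when no other attribute matches.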
cloth
Describes clothes a natural person wears.
cloth is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
bottom-accessories |
text |
Clothes and accessories on the bottom part of the body ['trousers', 'skirt', 'underpants / panties', 'shorts', 'boxer shorts', 'body stocking', 'sock', 'shoe', 'boot', 'sandal', 'slipper', 'sneaker', 'hiking boot', 'high tops'] |
|
|
cloth-color |
text |
Colours of the clothes ['black', 'white', 'red', 'green', 'blue', 'cyan', 'orange', 'violet', 'pink', 'yellow', 'brown', 'grey'] |
|
|
cloth-picture |
attachment |
Pictures of the clothes |
|
|
description |
text |
Description of the clothes worn by a natural person |
|
|
head-accessories |
text |
Clothes and accessories on the head ['hat', 'cap', 'bonnet', 'glasses', 'bandeau'] |
|
|
top-accessories |
text |
Clothes and accessories on the top part of the body ['jacket', 'coat', 'dress', 'shirt', 'top', 'pullover', 'sweatshirt', 'suit', 'tie', 'bow tie', "lady’s suit", 'waistcoat', 'cardigan', 'undershirt', 't-shirt', 'bra', 'scarf', 'glove'] |
|
|
coin-address
An address used in a cryptocurrency.
coin-address is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address |
btc |
Bitcoin address used as a payment destination in a cryptocurrency |
|
|
address-crypto |
text |
Generic cryptocurrency address if the format is not a standard BTC or XMR address |
|
|
address-xmr |
xmr |
Monero address used as a payment destination in a cryptocurrency |
|
|
current-balance |
float |
Current balance of address |
|
|
first-seen |
datetime |
First time this payment destination address has been seen |
|
|
last-seen |
datetime |
Last time this payment destination address has been seen |
|
|
last-updated |
datetime |
Last time the balances and totals have been updated |
|
|
symbol |
text |
The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN'] |
|
|
text |
text |
Free text value |
|
|
total-received |
float |
Total balance received |
|
|
total-sent |
float |
Total balance sent |
|
|
total-transactions |
text |
Total transactions performed |
|
|
command
Command functionalities related to specific commands executed by a program, whether malicious or not. command-line objects are attached to this object for the related commands.
command is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
description |
text |
Description of the command functionalities |
|
|
location |
text |
Location of the command functionality ['Bundled', 'Module', 'Libraries', 'Unknown'] |
|
|
trigger |
text |
How the commands are triggered ['Local', 'Network', 'Unknown'] |
|
|
command-line
Command line and options related to a specific command executed by a program, whether it is malicious or not.
command-line is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
command_line |
text |
The command line as executed |
|
|
description |
text |
Description of the command |
|
|
software |
text |
Type of shell the command line is written for (bash/sh, PowerShell, cmd.exe) ['Shell', 'Bash', 'zsh', 'Powershell', 'cmd.exe'] |
|
|
concordia-mtmf-intrusion-set
Intrusion Set - Phase Description.
concordia-mtmf-intrusion-set is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
AttackName |
text |
Name of the Attack |
|
|
CMTMF_ATCKID |
integer |
Identifier of the Attack |
|
|
FeedbackLoop |
integer |
Feedback Loop Sequence |
|
|
PhName |
text |
Name of the Phase (Tactic) |
|
|
PhSequence |
integer |
Phase Sequence |
|
|
description |
text |
Description of the phase |
|
|
confidentiality-impact
Confidentiality Impact object as described in STIX 2.1 Incident object extension.
confidentiality-impact is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
criticality |
text |
Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme'] |
|
|
description |
text |
Additional details about the impact. |
|
|
end_time |
datetime |
The date and time the impact was last recorded. |
|
|
end_time_fidelity |
text |
Level of fidelity that the |
|
|
information_type |
text |
Type of information that had its confidentiality compromised. ['classified-material', 'communication', 'credentials-admin', 'credentials-user', 'financial', 'leval', 'payment', 'phi', 'pii', 'proprietary'] |
|
|
loss_type |
text |
The type of loss that occurred to the relevant information. ['confirmed-loss', 'contained', 'exploited-loss', 'none', 'suspected-loss'] |
|
|
record_count |
counter |
The number of records of this type that were compromised. |
|
|
record_size |
size-in-bytes |
The amount of data that was compromised in bytes. |
|
|
recoverability |
text |
Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented'] |
|
|
start_time |
datetime |
The date and time the impact was first recorded. |
|
|
start_time_fidelity |
text |
Level of fidelity that the |
|
|
cookie
An HTTP cookie (web cookie, browser cookie) is a small piece of data that a server sends to the user’s web browser. The browser may store it and send it back with the next request to the same server. Typically, it’s used to tell if two requests came from the same browser — keeping a user logged-in, for example. It remembers stateful information for the stateless HTTP protocol. As defined by the Mozilla foundation.
cookie is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
cookie |
cookie |
Full cookie |
|
|
cookie-name |
text |
Name of the cookie (if split) |
|
|
cookie-value |
text |
Value of the cookie (if split) |
|
|
expires |
datetime |
Expiration date/time of the cookie |
|
|
http-only |
boolean |
True if the HttpOnly flag is set, i.e. the cookie is only sent in HTTP requests and is not accessible to client-side scripts ['True', 'False'] |
|
|
path |
text |
Path defined in the cookie |
|
|
secure |
boolean |
True if the Secure flag is set, i.e. the cookie is only sent over TLS ['True', 'False'] |
|
|
text |
text |
A description of the cookie. |
|
|
type |
text |
Type of cookie and how it’s used in this specific object. ['Session management', 'Personalization', 'Tracking', 'Exfiltration', 'Malicious Payload', 'Beaconing'] |
|
|
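Worked example (added here; not code from the MISP project): mapping a Set-Cookie header onto the attributes of the cookie object, and flagging a cookie that lacks the Secure or HttpOnly protections, which is where the http-only and secure relations earn their keep in detection work. Booleans are emitted as the strings 'True'/'False' used by the object's value lists. Resolving Max-Age against a supplied observation time is this example's own assumption, as are the function names and the sample headers; the type relation is left to the analyst because it cannot be derived from the header.

```python
"""Added example (not from the MISP project): map a Set-Cookie header onto the
attributes of the MISP `cookie` object and check its protection flags.

Assumptions: booleans are emitted as 'True'/'False' as in the object's value
lists; Max-Age without Expires is resolved against `observed_at`; the `type`
relation is not derivable from the header and is not emitted.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def parse_set_cookie(header: str, observed_at: Optional[datetime] = None) -> Dict[str, object]:
    """Split a Set-Cookie value into name, value and normalised attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError("Set-Cookie must start with name=value")
    name, value = parts[0].split("=", 1)
    flags = {"secure": False, "httponly": False}          # valueless attributes
    attrs: Dict[str, Optional[str]] = {"path": None, "expires": None, "max-age": None}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        key = key.strip().lower()                          # attribute names are case-insensitive
        if key in flags:
            flags[key] = True
        elif key in attrs:
            attrs[key] = val.strip()
    expires: Optional[datetime] = None
    if attrs["expires"]:
        expires = parsedate_to_datetime(attrs["expires"])  # RFC 1123 date
    elif attrs["max-age"] is not None and observed_at is not None:
        expires = observed_at + timedelta(seconds=int(attrs["max-age"]))
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    return {"name": name.strip(), "value": value.strip(), "path": attrs["path"],
            "secure": flags["secure"], "httponly": flags["httponly"], "expires": expires}


def cookie_object_attributes(header: str, observed_at: Optional[datetime] = None) -> List[Dict[str, str]]:
    """Attributes (object_relation, type, value) for one MISP `cookie` object."""
    c = parse_set_cookie(header, observed_at)
    out = [
        {"object_relation": "cookie", "type": "cookie", "value": f'{c["name"]}={c["value"]}'},
        {"object_relation": "cookie-name", "type": "text", "value": c["name"]},
        {"object_relation": "cookie-value", "type": "text", "value": c["value"]},
        {"object_relation": "secure", "type": "boolean", "value": str(c["secure"])},
        {"object_relation": "http-only", "type": "boolean", "value": str(c["httponly"])},
    ]
    if c["path"]:
        out.append({"object_relation": "path", "type": "text", "value": c["path"]})
    if c["expires"] is not None:
        out.append({"object_relation": "expires", "type": "datetime",
                    "value": c["expires"].astimezone(timezone.utc).isoformat()})
    return out


def missing_protections(header: str) -> List[str]:
    """Which of Secure / HttpOnly the cookie lacks; empty list means both are set."""
    c = parse_set_cookie(header)
    return [flag for flag, ok in (("Secure", c["secure"]), ("HttpOnly", c["httponly"])) if not ok]


# Constructed samples (not captured from a real server).
SAMPLE_GOOD = "sessid=3f9a1c; Path=/; Secure; HttpOnly; Expires=Wed, 21 Oct 2026 07:28:00 GMT"
SAMPLE_WEAK = "track=abc123; Path=/; Max-Age=3600"
OBSERVED_AT = datetime(2026, 1, 1, tzinfo=timezone.utc)  # assumed capture time for Max-Age

if __name__ == "__main__":
    for h in (SAMPLE_GOOD, SAMPLE_WEAK):
        print(cookie_object_attributes(h, OBSERVED_AT), "missing:", missing_protections(h))
```

A session cookie observed in traffic with missing_protections returning a non-empty list is worth recording with type 'Session management' and a note, since a cookie without Secure can leak over plaintext and one without HttpOnly is readable by injected script.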
cortex
Cortex object describing a complete Cortex analysis. Observables are attributes linked to this object through a relationship.
cortex is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
full |
text |
Cortex report object (full report) in JSON |
|
|
name |
text |
Cortex analyser/worker name |
|
|
server-name |
text |
Name of the cortex server |
|
|
start-date |
datetime |
When the Cortex analyser was started |
|
|
success |
boolean |
Result of the cortex job ['True', 'False'] |
|
|
summary |
text |
Cortex summary object (summary) in JSON |
|
|
cortex-taxonomy
Cortex object describing a Cortex Taxonomy (or mini report).
cortex-taxonomy is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
cortex_url |
link |
URL to the Cortex job |
|
|
level |
text |
Cortex Taxonomy Level ['info', 'safe', 'suspicious', 'malicious'] |
|
|
namespace |
text |
Cortex Taxonomy Namespace |
|
|
predicate |
text |
Cortex Taxonomy Predicate |
|
|
value |
text |
Cortex Taxonomy Value |
|
|
course-of-action
An object describing a specific measure taken to prevent or respond to an attack.
course-of-action is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
cost |
text |
The estimated cost of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
|
|
description |
text |
A description of the course of action. |
|
|
efficacy |
text |
The estimated efficacy of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
|
|
impact |
text |
The estimated impact of applying the course of action. ['High', 'Medium', 'Low', 'None', 'Unknown'] |
|
|
name |
text |
The name used to identify the course of action. |
|
|
objective |
text |
The objective of the course of action. |
|
|
stage |
text |
The stage of the threat management lifecycle that the course of action is applicable to. ['Remedy', 'Response', 'Further Analysis Required'] |
|
|
type |
text |
The type of the course of action. ['Perimeter Blocking', 'Internal Blocking', 'Redirection', 'Redirection (Honey Pot)', 'Hardening', 'Patching', 'Eradication', 'Rebuilding', 'Training', 'Monitoring', 'Physical Access Restrictions', 'Logical Access Restrictions', 'Public Disclosure', 'Diplomatic Actions', 'Policy Actions', 'Other'] |
|
|
covid19-csse-daily-report
CSSE COVID-19 Daily report.
covid19-csse-daily-report is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
active |
counter |
the number of active cases. |
|
|
confirmed |
counter |
the number of confirmed cases. For Hubei Province: from Feb 13 (GMT +8), we report both clinically diagnosed and lab-confirmed cases. For lab-confirmed cases only (Before Feb 17), please refer to https://github.com/CSSEGISandData/COVID-19/tree/master/who_covid_19_situation_reports. |
|
|
country-region |
text |
country/region name conforming to WHO (will be updated). |
|
|
county |
integer |
US County (US Only) |
|
|
death |
counter |
the number of deaths. |
|
|
fips |
integer |
Federal Information Processing Standard county code (US Only) |
|
|
latitude |
float |
Approximate latitude of the entry |
|
|
longitude |
float |
Approximate longitude of the entry |
|
|
province-state |
text |
province name; US/Canada/Australia/ - city name, state/province name; Others - name of the event (e.g., "Diamond Princess" cruise ship); other countries - blank. |
|
|
recovered |
counter |
the number of recovered cases. |
|
|
update |
datetime |
Time of the last update that day (UTC) |
|
|
covid19-dxy-live-city
COVID 19 from dxy.cn - Aggregation by city.
covid19-dxy-live-city is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
city |
text |
Name of the Chinese city, in Chinese. |
|
|
current-confirmed |
counter |
Current number of confirmed cases |
|
|
total-confirmed |
counter |
Total number of confirmed cases. |
|
|
total-cured |
counter |
Total number of cured cases. |
|
|
total-death |
counter |
Total number of deaths. |
|
|
update |
datetime |
Approximate time of the update (~hour) |
|
|
covid19-dxy-live-province
COVID 19 from dxy.cn - Aggregation by province.
covid19-dxy-live-province is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
comment |
text |
Comment, in Chinese |
|
|
current-confirmed |
counter |
Current number of confirmed cases |
|
|
province |
text |
Name of the Chinese province, in Chinese. |
|
|
total-confirmed |
counter |
Total number of confirmed cases. |
|
|
total-cured |
counter |
Total number of cured cases. |
|
|
total-death |
counter |
Total number of deaths. |
|
|
update |
datetime |
Approximate time of the update (~hour) |
|
|
cowrie
Cowrie honeypot object template.
cowrie is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
compCS |
text |
SSH compression algorithm supported in the session |
|
|
dst_ip |
ip-dst |
Destination IP address of the session |
|
|
dst_port |
port |
Destination port of the session |
|
|
encCS |
text |
SSH symmetric encryption algorithm supported in the session |
|
|
eventid |
text |
Eventid of the session in the cowrie honeypot |
|
|
hassh |
hassh-md5 |
HASSH fingerprint of the client SSH session, following the Salesforce HASSH algorithm |
|
|
input |
text |
Input of the session |
|
|
isError |
text |
isError |
|
|
keyAlgs |
text |
SSH public-key algorithm supported in the session |
|
|
macCS |
text |
SSH MAC algorithm supported in the session |
|
|
message |
text |
Message of the cowrie honeypot |
|
|
password |
text |
Password |
|
|
protocol |
text |
Protocol used in the cowrie honeypot |
|
|
sensor |
text |
Cowrie sensor name |
|
|
session |
text |
Session id |
|
|
src_ip |
ip-src |
Source IP address of the session |
|
|
src_port |
port |
Source port of the session |
|
|
system |
text |
System origin in cowrie honeypot |
|
|
timestamp |
datetime |
When the event happened |
|
|
username |
text |
Username related to the password(s) |
|
|
cpe-asset
An asset which can be defined by a CPE. This can be a generic asset. CPE is a structured naming scheme for information technology systems, software, and packages.
cpe-asset is a MISP object available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP. |
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
cpe |
cpe |
The well-formed CPE name (WFN). WFNs can be used to describe a set of products or to identify an individual product. |
|
|
description |
text |
Complementary description of the asset |
|
|
edition |
text |
The edition attribute is considered deprecated in this specification, and it SHOULD be assigned the logical value ANY except where required for backward compatibility with version 2.2 of the CPE specification. This attribute is referred to as the “legacy edition” attribute. If this attribute is used, values for this attribute SHOULD capture edition-related terms applied by the vendor to the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
|
|
language |
text |
Values for this attribute SHALL be valid language tags as defined by [RFC5646], and SHOULD be used to define the language supported in the user interface of the product being described. Although any valid language tag MAY be used, only tags containing language and region codes SHOULD be used. |
|
|
other |
text |
Values for this attribute SHOULD capture any other general descriptive or identifying information which is vendor- or product-specific and which does not logically fit in any other attribute value. Values SHOULD NOT be used for storing instance-specific data (e.g., globally-unique identifiers or Internet Protocol addresses). Values for this attribute SHOULD be selected from a valid-values list that is refined over time; this list MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
|
|
part |
text |
Part - application, operating systems or hardware devices ['a', 'o', 'h'] |
|
|
product |
text |
Values for this attribute SHOULD describe or identify the most common and recognizable title or name of the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAY be defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute. |
|
|
sw_edition |
text |
Values for this attribute SHOULD characterize how the product is tailored to a particular market or class of end users. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute. |
|
|
target_hw |
text |
Values for this attribute SHOULD characterize the instruction set architecture (e.g., x86) on which the product being described or identified by the WFN operates. Bytecode-intermediate languages, such as Java bytecode for the Java Virtual Machine or Microsoft Common Intermediate Language for the Common Language Runtime virtual machine, SHALL be considered instruction set architectures. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute. |
|
|
target_sw |
text |
Values for this attribute SHOULDi characterize the software computing environment within which the product operates.Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs(cf. 5.3.2) MAYbe specified as the value of the attribute. |
|
|
update |
text |
Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular update, service pack, or point release of the product.Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the attribute. |
|
|
vendor |
text |
Values for this attribute SHOULD describe or identify the person or organization that manufactured or created the product. Values for this attribute SHOULD be selected from an attribute-specific valid-values list, which MAYbe defined by other specifications that utilize this specification. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAY be specified as the value of the attribute |
|
|
version |
text |
Values for this attribute SHOULD be vendor-specific alphanumeric strings characterizing the particular release version of the product.Version information SHOULD be copied directly (with escaping of printable non-alphanumeric characters as required) from discoverable data and SHOULD NOTbe truncated or otherwise modified. Any character string meeting the requirements for WFNs (cf. 5.3.2) MAYbe specified as the value of the attribute. |
|
|
credential
Credential describes one or more credential(s) including password(s), API key(s) or decryption key(s).
credential is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
format | text | Format of the password(s) ['clear-text', 'hashed', 'encrypted', 'unknown'] | | |
notification | text | Mention of any notification(s) towards the potential owner(s) of the credential(s) ['victim-notified', 'service-notified', 'none'] | | |
origin | text | Origin of the credential(s) ['bruteforce-scanning', 'malware-analysis', 'memory-analysis', 'network-analysis', 'leak', 'unknown'] | | |
password | text | Password | | |
text | text | A description of the credential(s) | | |
type | text | Type of password(s) ['password', 'api-key', 'encryption-key', 'unknown'] | | |
username | text | Username related to the password(s) | | |
credit-card
A payment card such as a credit card, debit card or any similar card which can be used for financial transactions.
credit-card is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
bank_name | text | Name of the bank which issued the card | | |
card-security-code | text | Card security code (CSC, CVD, CVV, CVC and SPC) as embossed or printed on the card. | | |
cc-number | cc-number | Credit card number as encoded on the card. | | |
comment | comment | A description of the card. | | |
expiration | datetime | Maximum date of validity | | |
iin | text | International Issuer Number (first eight digits of the credit card number) | | |
issued | datetime | Initial date of validity or issued date. | | |
name | text | Name of the card owner. | | |
version | text | Version of the card. | | |
crowdsec-ip-context
CrowdSec Threat Intelligence - IP CTI search.
crowdsec-ip-context is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
as-name | text | Autonomous system name | | |
as-num | AS | Autonomous system number | | |
attack-details | text | Triggered scenarios | | |
background-noise | float | Background noise | | |
behaviors | text | Attack categories | | |
city | text | City of origin | | |
classifications | text | Classification category of the IP address | | |
country | text | Country of origin | | |
country-code | text | Country code | | |
dst-port | port | Destination port | | |
false-positives | text | False positive category of the IP address | | |
ip | ip-src | IP address | | |
ip-range | ip-src | Destination IP address | | |
ip-range-score | float | Destination IP address | | |
latitude | float | Latitude of origin | | |
longitude | float | Longitude of origin | | |
reverse-dns | hostname | Reverse DNS name | | |
scores | text | Scores | | |
target-countries | text | Target countries (top 10) | | |
trust | float | Trust level | | |
crowdstrike-report
An Object Template to encode a CrowdStrike detection report.
crowdstrike-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
command | text | Command line triggering the detection | | |
file-hash | sha256 | Unique file hash | | |
filename | filename | Filename on disk | | |
fullpath | text | Complete path of the file including the filename | | |
ip | ip-src | Source IP address | | |
parent-command | text | Command line of the parent process | | |
process-name | text | Name of the process triggering the detection | | |
crypto-material
Cryptographic materials such as public and/or private keys.
crypto-material is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
Gx | text | Curve Parameter - Gx in decimal | | |
Gy | text | Curve Parameter - Gy in decimal | | |
b | text | Curve Parameter - B in decimal | | |
curve-length | text | Length of the Curve in bits | | |
e | text | RSA public exponent | | |
ecdsa-type | text | Curve type of the ECDSA cryptographic materials ['Anomalous', 'M-221', 'E-222', 'NIST P-224', 'Curve1174', 'Curve25519', 'BN(2,254)', 'brainpoolP256t1', 'ANSSI FRP256v1', 'NIST P-256', 'secp256k1', 'E-382', 'M-383', 'Curve383187', 'brainpoolP384t1', 'NIST P-384', 'Curve41417', 'Ed448-Goldilocks', 'M-511', 'E-521'] | | |
g | text | Curve Parameter - G in decimal | | |
generic-symmetric-key | text | Generic symmetric key (please specify the type) | | |
modulus | text | Modulus Parameter - in hexadecimal - no 0x, no : | | |
n | text | Curve Parameter - N in decimal | | |
origin | text | Origin of the cryptographic materials ['mathematical-attack', 'exhaustive-search', 'bruteforce-attack', 'malware-extraction', 'memory-interception', 'network-interception', 'leak', 'unknown'] | | |
p | text | Prime Parameter - P in decimal | | |
private | text | Private part of the cryptographic materials in PEM format | | |
public | text | Public part of the cryptographic materials in PEM format | | |
q | text | Prime Parameter - Q in decimal | | |
rsa-modulus-size | text | RSA modulus size in bits | | |
text | text | A description of the cryptographic materials. | | |
type | text | Type of cryptographic materials ['RSA', 'DSA', 'ECDSA', 'RC4', 'XOR', 'unknown'] | | |
x | text | Curve Parameter - X in decimal | | |
y | text | Curve Parameter - Y in decimal | | |
cryptocurrency-transaction
An object to describe a cryptocurrency transaction.
cryptocurrency-transaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | btc | A cryptocurrency transactional address | | |
symbol | text | The (uppercase) symbol of the cryptocurrency used. Symbol should be from https://coinmarketcap.com/all/views/all/ ['BTC', 'ETH', 'BCH', 'XRP', 'MIOTA', 'DASH', 'BTG', 'LTC', 'ADA', 'XMR', 'ETC', 'NEO', 'NEM', 'EOS', 'XLM', 'BCC', 'LSK', 'OMG', 'QTUM', 'ZEC', 'USDT', 'HSR', 'STRAT', 'WAVES', 'PPT', 'ETN'] | | |
time | datetime | Date and time of transaction | | |
transaction-number | text | A transaction number in a sequence of transactions | | |
value | float | Value in cryptocurrency at date/time displayed in field 'time' | | |
value_EUR | float | Value in EUR with conversion rate as of date/time displayed in field 'time' | | |
value_USD | float | Value in USD with conversion rate as of date/time displayed in field 'time' | | |
cs-beacon-config
Cobalt Strike Beacon Config.
cs-beacon-config is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
architecture | text | Hardware architecture of the sample | | |
asn | AS | Originating ASN for the CS Beacon Config | | |
beacon-host | ip-dst | Beacon host IP | | |
beacon-type | text | Beacon type used | | |
binary-md5 | md5 | MD5 of the binary delivered | | |
binary-sha1 | sha1 | SHA1 of the binary delivered | | |
binary-sha256 | sha256 | SHA256 of the binary delivered | | |
c2 | url | The C2 the sample communicates with | | |
city | text | City location of the CS Beacon Config in question | | |
config-md5 | md5 | MD5 of the configuration | | |
config-sha1 | sha1 | SHA1 of the configuration | | |
config-sha256 | sha256 | SHA256 of the configuration | | |
content-length | size-in-bytes | Content length of the payload | | |
content-type | text | Content-Type received | | |
encoded-data | attachment | Encoded payload data in Base64 as file attachment | | |
encoded-length | size-in-bytes | Length of the encoded data | | |
geo | text | Country location of the CS Beacon Config | | |
http | text | HTTP protocol used | | |
http-code | integer | HTTP return code | | |
http-url | text | HTTP URL path of the beacon | | |
ip | ip-dst | IP of the C2 | | |
jar-md5 | md5 | MD5 of the adversary's cobaltstrike.jar file | | |
license-id | text | License ID of the Cobalt Strike | | |
md5 | md5 | MD5 of the sample containing the Cobalt Strike shellcode | | |
naics | text | North American Industry Classification System Code (NAICS) | | |
sector | text | Sector for the CS Beacon Config in question | | |
sha1 | sha1 | SHA1 of the sample containing the Cobalt Strike shellcode | | |
sha256 | sha256 | SHA256 of the sample containing the Cobalt Strike shellcode | | |
vt-sha256 | sha256 | SHA256 of the sample uploaded to VirusTotal | | |
watermark | text | The watermark of the sample | | |
cytomic-orion-file
Cytomic Orion File Detection.
cytomic-orion-file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
classification | text | File classification - number | | |
classificationName | text | File classification | | |
fileName | filename | Original filename | | |
fileSize | size-in-bytes | Size of the file | | |
first-seen | datetime | First seen timestamp of the file | | |
last-seen | datetime | Last seen timestamp of the file | | |
cytomic-orion-machine
Cytomic Orion File at Machine Detection.
cytomic-orion-machine is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
clientCreationDateUTC | datetime | Client creation date UTC | | |
clientId | text | Client id | | |
clientName | target-org | Client name | | |
creationDate | datetime | Client creation date | | |
first-seen | datetime | First seen on machine | | |
last-seen | datetime | Last seen on machine | | |
lastSeenUtc | datetime | Client last seen UTC | | |
machineMuid | text | Machine UID | | |
machineName | target-machine | Machine name | | |
machinePath | text | Path of observable | | |
dark-pattern-item
An item whose user interface implements a dark pattern.
dark-pattern-item is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
comment | text | Textual comment about the item | | |
gain | text | What the implementer gains by deceiving the user ['registration', 'personal data', 'money', 'contacts', 'audience'] | | |
implementer | text | Who is the vendor / holder of the item | | |
location | text | Location where to find the item | | |
screenshot | attachment | A screen capture or a screen grab of the item at work | | |
time | datetime | Date and time when first seen | | |
user | text | Who the users of the item are | | |
ddos
DDoS object describes a current DDoS activity from a specific source and/or to a specific target. Type of DDoS can be attached to the object as a taxonomy or using the type field.
ddos is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
backscatter-threshold | integer | The minimum amount of backscatter received in 5 minutes / day. This field is only used when the capture origin is indirect network capture such as backscatter. | | |
capture-origin | text | Origin of the (D)DoS evidence ['Direct network capture', 'Logs', 'Indirect network capture (e.g. backscatter)', 'Unknown'] | | |
domain-dst | domain | Destination domain (victim) | | |
dst-port | port | Destination port of the attack | | |
first-seen | datetime | Beginning of the attack | | |
ip-dst | ip-dst | Destination IP (victim) | | |
ip-src | ip-src | IP address originating the attack | | |
last-seen | datetime | End of the attack | | |
protocol | text | Protocol used for the attack ['TCP', 'UDP', 'ICMP', 'IP'] | | |
src-port | port | Port originating the attack | | |
text | text | Description of the DDoS | | |
total-bps | integer | Bits per second (maximum rate of bits per second measured) | | |
total-bytes-sent | size-in-bytes | Total number of bytes sent by the sources mentioned | | |
total-packets-sent | counter | Total number of packets sent by the sources mentioned | | |
total-pps | integer | Packets per second (maximum rate of packets per second measured) | | |
type | text | Type(s) or Technique(s) of Denial of Service ['amplification-attack', 'reflected-spoofed-attack', 'slow-read-attack', 'flooding-attack', 'post-attack', 'chargen-amplification', 'dns', 'dns-amplification', 'ip-fragmentation', 'ip-private', 'icmp', 'memcached-amplification', 'ms-sql-rs-amplification', 'ntp-amplification', 'snmp-amplification', 'ssdp-amplification', 'tcp-null', 'tcp-rst', 'tcp-syn', 'udp'] | | |
ddos-claim
DDoS-claim object describes a current claim of DDoS activity.
ddos-claim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
claim-validity | text | Validity of the claim. Valid means that a trusted entity having the technical capabilities to perform analysis confirmed the detection of DDoS activities. ['Unknown', 'Valid', 'Invalid'] | | |
proof | text | The claim in text format. | | |
proof-screenshot | attachment | Screenshot of the claim. | | |
reference | link | Reference to the DDoS claim. | | |
target | text | Target of the DDoS claim. | | |
ddos-config
DDoS-claim object describes a current claim of DDoS activity.
ddos-config is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
body | text | Payload used for the DDoS | | |
ddos-tool | text | | | |
headers | text | Headers used in the DDoS requests | | |
host | hostname | Hostname used as target of the DDoS attack | | |
ip | ip-dst | IP address used as target of the DDoS attack | | |
method | text | Method of DDoS attack used ['ack', 'GET', 'method', 'PING', 'POST', 'syn', 'SYN', 'syn_ack', 'udp_flood'] | | |
path | text | URL path used for the DDoS attack (excluding the hostname) | | |
port | port | Port used for the attack (when the type and method require it) | | |
request-id | text | Request id | | |
target-id | text | Target id | | |
type | text | Type of network protocol used for the DDoS attack ['http', 'http2', 'http3', 'nginx_loris', 'tcp', 'type', 'udp'] | | |
use-ssl | text | TLS/SSL used for the attack ['true', 'false'] | | |
device
An object to define a device.
device is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
MAC-address | mac-address | Device MAC address | | |
OS | text | OS of the device | | |
alias | text | Alias of the device | | |
analysis-date | datetime | Date of device analysis | | |
attachment | attachment | An attachment | | |
description | text | Description of the device | | |
device-type | text | Type of the device ['PC', 'Mobile', 'Laptop', 'HID', 'TV', 'IoT', 'Hardware', 'Other'] | | |
dns-name | text | Device DNS name | | |
hits | counter | Number of hits for the device | | |
infection_type | text | Type of infection if the device is in Infected status ['android_spams', 'android.bakdoor.prizmes', 'android.bankbot', 'android.banker.anubis', 'android.bankspy', 'android.cliaid', 'android.darksilent', 'android.fakeav', 'android.fakebank', 'android.fakedoc', 'android.fakeinst', 'android.fakemart', 'android.faketoken', 'android.fobus', 'android.fungram', 'android.geost', 'android.gopl', 'android.hiddad', 'android.hqwar', 'android.hummer', 'android.infosteal', 'android.iop', 'android.lockdroid', 'android.milipnot', 'android.nitmo', 'android.opfake', 'android.premiumtext', 'android.provar', 'android.pwstealer', 'android.rootnik', 'android.skyfin', 'android.smsbot', 'android.smssilence', 'android.smsspy', 'android.smsspy.be24', 'android.sssaaa', 'android.teleplus', 'android.uupay', 'android.voxv', 'avalanche-andromeda', 'banatrix', 'bankpatch', 'bebloh', 'bedep', 'betabot', 'bitcoinminer', 'blackbeard', 'blakamba', 'boinberg', 'buhtrap', 'caphaw', 'carberp', 'chafer', 'changeup', 'chinad', 'citadel', 'cobint', 'coinminer', 'conficker', 'cryptowall', 'cutwail', 'cycbot', 'diaminer', 'dimnie', 'dipverdle', 'dircrypt', 'dirtjumper', 'disorderstatus', 'dmsniff', 'dofoil', 'domreg', 'dorkbot', 'dorkbot-ssl', 'dresscode', 'dybalom', 'ek.fallout', 'emoted', 'emotet', 'esfury', 'expiro', 'exploitkit.fallout', 'extenbro', 'fake_cs_updater', 'fakerean', 'fallout.exploitkit', 'fast-flux', 'fast-flux-double', 'fast-flux;fast-flux-double', 'fleercivet', 'fobber', 'foxbantrix', 'foxbantrix-unknown', 'generic.malware', 'geodo', 'gonderici', 'gootkit', 'gozi', 'gspy', 'gtfobot', 'hancitor', 'harnig', 'htm5player.vast', 'ibanking', 'icedid', 'infected', 'iotreaper', 'ip-spoofer', 'ircbot', 'isfb', 'jadtre', 'jdk-update-apt', 'js.worm.bondat', 'junk-domains', 'kasidet', 'kbot', 'kelihos', 'kelihos.e', 'keylogger', 'keylogger-ftp', 'keylogger-vbklip', 'kidminer', 'kingminer', 'koobface', 'kraken', 'kronos', 'kwampirs', 'lethic', 'linux.backdoor.setag', 'linux.ngioweb', 'litemanager', 'loader', 'locky', 'loki', 'lokibot', 'luminositylink', 'lurkbanker', 'madominer', 'magecart', 'maliciouswebsites', 'malvertising.doubleclick', 'malwaretom', 'marcher', 'matrix', 'matsnu', 'menupass', 'mewsspy', 'miner.monero', 'minr', 'mirai', 'mix2', 'mkero', 'monero', 'mozi', 'muddywater', 'murofet', 'mysafeproxymonitor', 'nametrick', 'necurs', 'netsupport', 'nettraveler', 'neurevt', 'nitol', 'nivdort', 'nukebot', 'null', 'nymaim', 'nymain', 'osx.fakeflash', 'palevo', 'pawnstorm', 'phishing', 'phishing.cobalt', 'phishing.cobalt_dickens', 'phorpiex', 'pitou', 'plasma-tomas', 'ponmocup', 'pony', 'poseidon', 'powerstats', 'proxyback', 'pushdo', 'pws.pony', 'pykspa', 'qadars', 'qakbot', 'qqblack', 'qrypter.rat', 'qsnatch', 'racoon', 'ramdo', 'ramnit', 'ranbyus', 'ransom.cerber', 'ransomware', 'ransomware.shade', 'rat.vermin', 'renocide', 'revil', 'rodecap', 'sality', 'sality-p2p', 'servhelper', 'sgminer', 'shifu', 'shiz', 'sinowal', 'sisron', 'sodinokibi', 'spam', 'sphinx', 'spyeye', 'ssh-brute-force', 'ssl', 'ssl-az7', 'ssl-unknown-bot-test', 'ssl-vmzeus', 'stantinko', 'tdss', 'teleru', 'telnet-brute-force', 'tinba', 'tinba-dga', 'trickbot', 'triton', 'trojan.click3', 'trojan.fakeav', 'trojan.includer', 'trojan.win32.razy.gen', 'unknown', 'unknown-bot-test', 'valak', 'vawtrak', 'vbklip', 'verst', 'victorygate.a', 'victorygate.b', 'victorygate.c', 'virut', 'vmzeus', 'vobfus', 'volatile_cedar', 'vpnfilter_stage3', 'wannacrypt', 'wauchos', 'webminer.cdn', 'win.neurevt', 'worm.kasidet', 'worm.phorpiex', 'wowlik', 'wrokni', 'xbash', 'xmrminer', 'xpaj', 'xshellghost', 'yoddos', 'zeus', 'zeus_gameover', 'zeus_panda', 'zloader'] | | |
ip-address | ip-src | Device IP address | | |
name | text | Name of the device | | |
status | text | Status of the device ['Infected', 'Exposed', 'Unknown', 'Clean'] | | |
version | text | Version of the device / OS | | |
diameter-attack
Attack as seen on the Diameter signaling protocol supporting LTE networks.
diameter-attack is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
ApplicationId | text | Application-ID is used to identify for which Diameter application the message is applicable. Application-ID is a decimal representation. | | |
CmdCode | text | A decimal representation of the Diameter Command Code. | | |
Destination-Host | text | Destination-Host. | | |
Destination-Realm | text | Destination-Realm. | | |
IdrFlags | text | IDR-Flags. | | |
Origin-Host | text | Origin-Host. | | |
Origin-Realm | text | Origin-Realm. | | |
SessionId | text | Session-ID. | | |
Username | text | Username (in this case, usually the IMSI). | | |
category | text | Category. ['Cat0', 'Cat1', 'Cat2', 'Cat3', 'CatSMS'] | | |
first-seen | datetime | When the attack has been seen for the first time. | | |
text | text | A description of the attack seen. | | |
diamond-event
A diamond model event object consisting of the four diamond features adversary, infrastructure, capability and victim, several meta-features and IOC attributes.
diamond-event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
Advesary | text | The adversary who attacks the victim | | |
Capability | text | The capability used to attack the victim | | |
Description | text | Further context to the event | | |
Direction | text | The network-based direction of the event ['Victim-to-Infrastructure', 'Infrastructure-to-Victim', 'Infrastructure-to-Infrastructure', 'Adversary-to-Infrastructure', 'Infrastructure-to-Adversary', 'Bidirectional', 'Unknown'] | | |
EventID | integer | Id of the event | | |
Infrastructure | text | The infrastructure used in the attack | | |
Methodology | text | MITRE ATT&CK mapping of the event | | |
Phase | text | The event mapped to a phase of the kill chain ['Reconnaissance', 'Weaponization', 'Delivery', 'Exploitation', 'Installation', 'C2', 'Action on Objectives'] | | |
Resources | text | The resources the attacker needed for the event to succeed | | |
Result | text | The result of the event | | |
Timestamp | datetime | Timestamp when the event happened | | |
Victim | text | The attacked victim | | |
ioc | text | Generic IOC | | |
textfield | text | Generic text field | | |
directory
Directory object describing a directory with meta-information.
directory is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
access-time | datetime | The last time the directory was accessed | | |
creation-time | datetime | Creation time of the directory | | |
modification-time | datetime | Modification time of the directory | | |
path | text | Path of the directory, complete or partial | | |
path-encoding | text | Encoding format of the directory ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding', 'Amiga-1251', 'ANSI_X3.110-1983', 'ASMO_449', 'Big5', 'Big5-HKSCS', 'BOCU-1', 'BRF', 'BS_4730', 'BS_viewdata', 'CESU-8', 'CP50220', 'CP51932', 'CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2', 'CSA_Z243.4-1985-gr', 'CSN_369103', 'DEC-MCS', 'DIN_66003', 'dk-us', 'DS_2089', 'EBCDIC-AT-DE', 'EBCDIC-AT-DE-A', 'EBCDIC-CA-FR', 'EBCDIC-DK-NO', 'EBCDIC-DK-NO-A', 'EBCDIC-ES', 'EBCDIC-ES-A', 'EBCDIC-ES-S', 'EBCDIC-FI-SE', 'EBCDIC-FI-SE-A', 'EBCDIC-FR', 'EBCDIC-IT', 'EBCDIC-PT', 'EBCDIC-UK', 'EBCDIC-US', 'ECMA-cyrillic', 'ES', 'ES2', 'EUC-KR', 'Extended_UNIX_Code_Fixed_Width_for_Japanese', 'Extended_UNIX_Code_Packed_Format_for_Japanese', 'GB18030', 'GB_1988-80', 'GB2312', 'GB_2312-80', 'GBK', 'GOST_19768-74', 'greek7', 'greek7-old', 'greek-ccitt', 'HP-DeskTop', 'HP-Legal', 'HP-Math8', 'HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858', 'IBM00924', 'IBM01140', 'IBM01141', 'IBM01142', 'IBM01143', 'IBM01144', 'IBM01145', 'IBM01146', 'IBM01147', 'IBM01148', 'IBM01149', 'IBM037', 'IBM038', 'IBM1026', 'IBM1047', 'IBM273', 'IBM274', 'IBM275', 'IBM277', 'IBM278', 'IBM280', 'IBM281', 'IBM284', 'IBM285', 'IBM290', 'IBM297', 'IBM420', 'IBM423', 'IBM424', 'IBM437', 'IBM500', 'IBM775', 'IBM850', 'IBM851', 'IBM852', 'IBM855', 'IBM857', 'IBM860', 'IBM861', 'IBM862', 'IBM863', 'IBM864', 'IBM865', 'IBM866', 'IBM868', 'IBM869', 'IBM870', 'IBM871', 'IBM880', 'IBM891', 'IBM903', 'IBM904', 'IBM905', 'IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1', 'INIS', 'INIS-8', 'INIS-cyrillic', 'INVARIANT', 'ISO_10367-box', 'ISO-10646-J-1', 'ISO-10646-UCS-2', 'ISO-10646-UCS-4', 'ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1', 'ISO-10646-UTF-1', 'ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT', 'ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR', 'ISO_2033-1983', 'ISO_5427', 'ISO_5427:1981', 'ISO_5428:1980', 'ISO_646.basic:1983', 'ISO_646.irv:1983', 'ISO_6937-2-25', 'ISO_6937-2-add', 'ISO-8859-10', 'ISO_8859-1:1987', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1', 'ISO_8859-2:1987', 'ISO-8859-2-Windows-Latin-2', 'ISO_8859-3:1988', 'ISO_8859-4:1988', 'ISO_8859-5:1988', 'ISO_8859-6:1987', 'ISO_8859-6-E', 'ISO_8859-6-I', 'ISO_8859-7:1987', 'ISO_8859-8:1988', 'ISO_8859-8-E', 'ISO_8859-8-I', 'ISO_8859-9:1989', 'ISO-8859-9-Windows-Latin-5', 'ISO_8859-supp', 'iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT', 'JIS_C6220-1969-jp', 'JIS_C6220-1969-ro', 'JIS_C6226-1978', 'JIS_C6226-1983', 'JIS_C6229-1984-a', 'JIS_C6229-1984-b', 'JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand', 'JIS_C6229-1984-hand-add', 'JIS_C6229-1984-kana', 'JIS_Encoding', 'JIS_X0201', 'JIS_X0212-1990', 'JUS_I.B1.002', 'JUS_I.B1.003-mac', 'JUS_I.B1.003-serb', 'KOI7-switched', 'KOI8-R', 'KOI8-U', 'KS_C_5601-1987', 'KSC5636', 'KZ-1048', 'latin-greek', 'Latin-greek-1', 'latin-lap', 'macintosh', 'Microsoft-Publishing', 'MNEM', 'MNEMONIC', 'MSZ_7795.3', 'Name', 'NATS-DANO', 'NATS-DANO-ADD', 'NATS-SEFI', 'NATS-SEFI-ADD', 'NC_NC00-10:81', 'NF_Z_62-010', 'NF_Z_62-010_(1973)', 'NS_4551-1', 'NS_4551-2', 'OSD_EBCDIC_DF03_IRV', 'OSD_EBCDIC_DF04_1', 'OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT', 'PT2', 'PTCP154', 'SCSU', 'SEN_850200_B', 'SEN_850200_C', 'Shift_JIS', 'T.101-G2', 'T.61-7bit', 'T.61-8bit', 'TIS-620', 'TSCII', 'UNICODE-1-1', 'UNICODE-1-1-UTF-7', 'UNKNOWN-8BIT', 'US-ASCII', 'us-dk', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UTF-7', 'UTF-8', 'Ventura-International', 'Ventura-Math', 'Ventura-US', 'videotex-suppl', 'VIQR', 'VISCII', 'windows-1250', 'windows-1251', 'windows-1252', 'windows-1253', 'windows-1254', 'windows-1255', 'windows-1256', 'windows-1257', 'windows-1258', 'Windows-31J', 'windows-874'] | | |
dkim
DomainKeys Identified Mail - DKIM.
dkim is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
d | domain | DKIM domain used for the selector record | | |
dkim | dkim | DomainKeys Identified Mail - DKIM full DNS TXT record | | |
h | text | DKIM hash type ['sha1', 'md5'] | | |
k | text | DKIM key type ['rsa'] | | |
n | text | DKIM administrator note | | |
public-key | text | DKIM public key | | |
s | text | DKIM service record | | |
t | text | DKIM domain testing ['y', 's'] | | |
version | text | DKIM version ['DKIM1'] | | |
dns-record
A set of DNS records observed for a specific domain.
dns-record is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
a-record | ip-dst | IPv4 address associated with A record | | |
aaaa-record | ip-dst | IPv6 address associated with AAAA record | | |
cname-record | domain | Domain associated with CNAME record | | |
mx-record | domain | Domain associated with MX record | | |
ns-record | domain | Domain associated with NS record | | |
ptr-record | domain | Domain associated with PTR record | | |
queried-domain | domain | Domain name | | |
soa-record | domain | Domain associated with SOA record | | |
spf-record | ip-dst | IP addresses associated with SPF record | | |
srv-record | domain | Domain associated with SRV record | | |
text | text | A description of the records | | |
txt-record | text | Content associated with TXT record | | |
domain-crawled
A domain crawled over time.
domain-crawled is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
domain | domain | Domain name | | |
text | text | A description of the tuple | | |
url | url | Domain URL | | |
domain-ip
A domain/hostname and IP address seen as a tuple in a specific time frame.
domain-ip is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
domain | domain | Domain name | | |
first-seen | datetime | First time the tuple has been seen | | |
hostname | hostname | Hostname related to the IP | | |
ip | ip-dst | IP address | | |
last-seen | datetime | Last time the tuple has been seen | | |
port | port | TCP port associated with the domain | | |
registration-date | datetime | Registration date of the domain | | |
text | text | A description of the tuple | | |
edr-report
An object template to encode an EDR detection report.
edr-report is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
additional-file | attachment | Additional file involved in detection | | |
command | attachment | JSON file containing the output of a command run at report generation | | |
comment | text | Any valuable comment about the report | | |
drivers | attachment | JSON file containing metadata about drivers loaded on the system | | |
endpoint-id | text | Unique identifier of the endpoint concerned by the report | | |
event | attachment | Raw EDR event which triggered reporting | | |
executable | attachment | Executable file involved in detection | | |
hostname | text | Endpoint hostname | | |
id | text | Report unique identifier | | |
ip | ip-src | Endpoint IP address | | |
modules | attachment | JSON file containing metadata about modules loaded on the system | | |
processes | attachment | JSON file containing metadata about running processes at the time of detection | | |
product | text | EDR product name | | |
elf
Object describing an Executable and Linkable Format (ELF) file.
elf is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
arch | text | Architecture of the ELF file ['None', 'M32', 'SPARC', 'i386', 'ARCH_68K', 'ARCH_88K', 'IAMCU', 'ARCH_860', 'MIPS', 'S370', 'MIPS_RS3_LE', 'PARISC', 'VPP500', 'SPARC32PLUS', 'ARCH_960', 'PPC', 'PPC64', 'S390', 'SPU', 'V800', 'FR20', 'RH32', 'RCE', 'ARM', 'ALPHA', 'SH', 'SPARCV9', 'TRICORE', 'ARC', 'H8_300', 'H8_300H', 'H8S', 'H8_500', 'IA_64', 'MIPS_X', 'COLDFIRE', 'ARCH_68HC12', 'MMA', 'PCP', 'NCPU', 'NDR1', 'STARCORE', 'ME16', 'ST100', 'TINYJ', 'x86_64', 'PDSP', 'PDP10', 'PDP11', 'FX66', 'ST9PLUS', 'ST7', 'ARCH_68HC16', 'ARCH_68HC11', 'ARCH_68HC08', 'ARCH_68HC05', 'SVX', 'ST19', 'VAX', 'CRIS', 'JAVELIN', 'FIREPATH', 'ZSP', 'MMIX', 'HUANY', 'PRISM', 'AVR', 'FR30', 'D10V', 'D30V', 'V850', 'M32R', 'MN10300', 'MN10200', 'PJ', 'OPENRISC', 'ARC_COMPACT', 'XTENSA', 'VIDEOCORE', 'TMM_GPP', 'NS32K', 'TPC', 'SNP1K', 'ST200', 'IP2K', 'MAX', 'CR', 'F2MC16', 'MSP430', 'BLACKFIN', 'SE_C33', 'SEP', 'ARCA', 'UNICORE', 'EXCESS', 'DXP', 'ALTERA_NIOS2', 'CRX', 'XGATE', 'C166', 'M16C', 'DSPIC30F', 'CE', 'M32C', 'TSK3000', 'RS08', 'SHARC', 'ECOG2', 'SCORE7', 'DSP24', 'VIDEOCORE3', 'LATTICEMICO32', 'SE_C17', 'TI_C6000', 'TI_C2000', 'TI_C5500', 'MMDSP_PLUS', 'CYPRESS_M8C', 'R32C', 'TRIMEDIA', 'HEXAGON', 'ARCH_8051', 'STXP7X', 'NDS32', 'ECOG1', 'ECOG1X', 'MAXQ30', 'XIMO16', 'MANIK', 'CRAYNV2', 'RX', 'METAG', 'MCST_ELBRUS', 'ECOG16', 'CR16', 'ETPU', 'SLE9X', 'L10M', 'K10M', 'AARCH64', 'AVR32', 'STM8', 'TILE64', 'TILEPRO', 'CUDA', 'TILEGX', 'CLOUDSHIELD', 'COREA_1ST', 'COREA_2ND', 'ARC_COMPACT2', 'OPEN8', 'RL78', 'VIDEOCORE5', 'ARCH_78KOR', 'ARCH_56800EX', 'BA1', 'BA2', 'XCORE', 'MCHP_PIC', 'INTEL205', 'INTEL206', 'INTEL207', 'INTEL208', 'INTEL209', 'KM32', 'KMX32', 'KMX16', 'KMX8', 'KVARC', 'CDP', 'COGE', 'COOL', 'NORC', 'CSR_KALIMBA', 'AMDGPU'] | | |
entrypoint-address | text | Address of the entry point | | |
number-sections | counter | Number of sections | | |
os_abi | text | Header operating system application binary interface (ABI) ['AIX', 'ARM', 'AROS', 'C6000_ELFABI', 'C6000_LINUX', 'CLOUDABI', 'FENIXOS', 'FREEBSD', 'GNU', 'HPUX', 'HURD', 'IRIX', 'MODESTO', 'NETBSD', 'NSK', 'OPENBSD', 'OPENVMS', 'SOLARIS', 'STANDALONE', 'SYSTEMV', 'TRU64'] | | |
text | text | Free text value to attach to the ELF | | |
type | text | Type of ELF ['CORE', 'DYNAMIC', 'EXECUTABLE', 'HIPROC', 'LOPROC', 'NONE', 'RELOCATABLE'] | | |
elf-section
Object describing a section of an Executable and Linkable Format (ELF) file.
elf-section is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
entropy | float | Entropy of the whole section | | |
flag | text | Flag of the section ['ALLOC', 'EXCLUDE', 'EXECINSTR', 'GROUP', 'HEX_GPREL', 'INFO_LINK', 'LINK_ORDER', 'MASKOS', 'MASKPROC', 'MERGE', 'MIPS_ADDR', 'MIPS_LOCAL', 'MIPS_MERGE', 'MIPS_NAMES', 'MIPS_NODUPES', 'MIPS_NOSTRIP', 'NONE', 'OS_NONCONFORMING', 'STRINGS', 'TLS', 'WRITE', 'XCORE_SHF_CP_SECTION'] | | |
md5 | md5 | [Insecure] MD5 hash (128 bits) | | |
name | text | Name of the section | | |
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) | | |
sha224 | sha224 | Secure Hash Algorithm 2 (224 bits) | | |
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) | | |
sha384 | sha384 | Secure Hash Algorithm 2 (384 bits) | | |
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) | | |
sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits) | | |
sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits) | | |
size-in-bytes | size-in-bytes | Size of the section, in bytes | | |
ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) | | |
text | text | Free text value to attach to the section | | |
type | text | Type of the section ['NULL', 'PROGBITS', 'SYMTAB', 'STRTAB', 'RELA', 'HASH', 'DYNAMIC', 'NOTE', 'NOBITS', 'REL', 'SHLIB', 'DYNSYM', 'INIT_ARRAY', 'FINI_ARRAY', 'PREINIT_ARRAY', 'GROUP', 'SYMTAB_SHNDX', 'LOOS', 'GNU_ATTRIBUTES', 'GNU_HASH', 'GNU_VERDEF', 'GNU_VERNEED', 'GNU_VERSYM', 'HIOS', 'LOPROC', 'ARM_EXIDX', 'ARM_PREEMPTMAP', 'HEX_ORDERED', 'X86_64_UNWIND', 'MIPS_REGINFO', 'MIPS_OPTIONS', 'MIPS_ABIFLAGS', 'HIPROC', 'LOUSER', 'HIUSER'] | | |
email
Email object describing an email with meta-information.
email is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
attachment | email-attachment | Attachment | | |
bcc | email-dst | Blind carbon copy | | |
bcc-display-name | email-dst-display-name | Display name of the blind carbon copy | | |
cc | email-dst | Carbon copy | | |
cc-display-name | email-dst-display-name | Display name of the carbon copy | | |
email-body | email-body | Body of the email | | |
email-body-attachment | attachment | Body of the email as an attachment | | |
eml | attachment | Full EML | | |
from | email-src | Sender email address | | |
from-display-name | email-src-display-name | Display name of the sender | | |
from-domain | domain | Sender domain address (when only the source domain is known) | | |
header | email-header | Full headers | | |
ip-src | ip-src | Source IP address of the email sender | | |
message-id | email-message-id | Message ID | | |
mime-boundary | email-mime-boundary | MIME boundary | | |
msg | attachment | Full MSG | | |
received-header-hostname | hostname | Extracted hostname from parsed headers | | |
received-header-ip | ip-src | Extracted IP address from parsed headers | | |
reply-to | email-reply-to | Email address the reply will be sent to | | |
reply-to-display-name | email-dst-display-name | Display name of the email address the reply will be sent to | | |
return-path | email-src | Message return path | | |
screenshot | attachment | Screenshot of the email | | |
send-date | datetime | Date the email has been sent | | |
subject | email-subject | Subject | | |
thread-index | email-thread-index | Identifies a particular conversation thread | | |
to | email-dst | Destination email address | | |
to-display-name | email-dst-display-name | Display name of the receiver | | |
user-agent | text | User agent of the sender | | |
x-mailer | email-x-mailer | X-Mailer generally identifies the program that was used to draft and send the original email | | |
employee
An employee and related data points.
employee is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
business-unit | target-org | The organizational business unit associated with the employee | | |
email-address | target-email | Employee email address | | |
employee-type | text | Type of employee ['Mid-Level Manager', 'Senior Manager', 'Non-Manager', 'Supervisor', 'First-Line Manager', 'Director'] | | |
first-name | first-name | Employee’s first name | | |
full-name | full-name | Employee’s full name | | |
last-name | last-name | Employee’s last name | | |
primary-asset | target-machine | Asset tag of the primary asset assigned to the employee | | |
text | text | A description of the person or identity. | | |
userid | target-user | Employee user identification | | |
error-message
An error message which can be related to the processing of data, such as import or export scripts, from the original MISP instance.
error-message is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
message | text | Content of the error message. | | |
source | text | Source of the error message. ['misp-stix', 'lief', 'other'] | | |
event
Event object as described in the STIX 2.1 Incident object extension.
event is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
description | text | Description of the event. | | |
end_time | datetime | The date and time the event was last recorded. | | |
end_time_fidelity | text | Level of fidelity that the | | |
event_type | text | Type of event. ['aggregation-information-phishing-schemes', 'benign', 'blocked', 'brute-force-attempt', 'c&c-server-hosting', 'compromised-system', 'confirmed', 'connection-malware-port', 'connection-malware-system', 'content-forbidden-by-law', 'control-system-bypass', 'copyrighted-content', 'data-exfiltration', 'deferred', 'deletion-information', 'denial-of-service', 'destruction', 'dictionary-attack-attempt', 'discarded', 'disruption-data-transmission', 'dissemination-malware-email', 'dissemination-phishing-emails', 'dns-cache-poisoning', 'dns-local-resolver-hijacking', 'dns-spoofing-registered', 'dns-rebinding', 'dns-server-compromise', 'dns-spoofing-unregistered', 'dns-stub-resolver-hijacking', 'dns-zone-transfer', 'domain-name-compromise', 'duplicate', 'email-flooding', 'equipment-loss', 'equipment-theft', 'exploit', 'exploit-attempt', 'exploit-framework-exhausting-resources', 'exploit-tool-exhausting-resources', 'failed', 'file-inclusion', 'file-inclusion-attempt', 'hosting-malware-webpage', 'hosting-phishing-sites', 'illegitimate-use-name', 'illegitimate-use-resources', 'infected-by-known-malware', 'insufficient-data', 'known-malware', 'lame-delegations', 'major', 'modification-information', 'misconfiguration', 'natural', 'network-scanning', 'no-apt', 'packet-flood', 'password-cracking-attempt', 'ransomware', 'refuted', 'scan-probe', 'silently-discarded', 'supply-chain-customer', 'supply-chain-vendor', 'spam', 'sql-injection', 'sql-injection-attempt', 'successful', 'system-probe', 'theft-access-credentials', 'unattributed', 'unauthorized-access-information', 'unauthorized-access-system', 'unauthorized-equipment', 'unauthorized-release', 'unauthorized-use', 'undetermined', 'unintentional', 'unknown-apt', 'unspecified', 'vandalism', 'wiretapping', 'worm-spreading', 'xss', 'xss-attempt'] | | |
goal | text | The assumed objective of the event. | | |
name | text | Name of the event. | | |
start_time | datetime | The date and time the event was first recorded. | | |
start_time_fidelity | text | Level of fidelity that the | | |
status | text | Current status of the event. ['not-occurred', 'ongoing', 'occurred', 'pending', 'undetermined'] | | |
exploit
Exploit object describing a program, in binary or source code form, used to abuse one or more vulnerabilities.
exploit is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
0day-today-id | text | Reference to the 0day.today entry referencing this exploit. | | |
accessibility | text | Accessibility of the exploit. ['Unknown', 'Public', 'Limited', 'Paid'] | | |
comment | text | Comment associated with the exploit. | | |
credit | text | Credit(s) for the exploit (such as author, distributor or original source). | | |
cve-id | vulnerability | Reference to the CVE value targeted by the exploit. | | |
description | text | Description of the exploit. | | |
exploit | text | Free text of the exploit. | | |
exploit-as-attachment | attachment | Attachment of the exploit. | | |
exploitdb-id | text | Reference to the ExploitDB entry referencing this exploit. | | |
filename | filename | Filename used for the exploit. | | |
level | text | Level of the exploit. ['Unknown', 'Proof-of-Concept', 'Functional', 'Production-ready'] | | |
reference | link | Reference to the exploit. | | |
software | text | Software impacted | | |
title | text | Title of the exploit. | | |
exploit-poc
Exploit-poc object describing a proof of concept or exploit of a vulnerability. This object often has a relationship with a vulnerability object.
exploit-poc is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
author | text | Author of the exploit - proof of concept | | |
description | text | Description of the exploit - proof of concept | | |
poc | attachment | Proof of concept or exploit (as a script, binary or described process) | | |
references | link | External references | | |
vulnerable_configuration | text | The vulnerable configuration, described in CPE format, where the exploit/proof of concept is valid | | |
external-impact
External Impact object as described in the STIX 2.1 Incident object extension.
external-impact is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
criticality | text | Criticality of the impact ['Not Specified', 'False Positive', 'Low', 'Moderate', 'High', 'Extreme'] | | |
description | text | Additional details about the impact. | | |
end_time | datetime | The date and time the impact was last recorded. | | |
end_time_fidelity | text | Level of fidelity that the | | |
impact_type | text | Type of impact. ['economic', 'emergency-services', 'foreign-relations', 'national-secuirty', 'public-confidence', 'public-health', 'public-safety'] | | |
recoverability | text | Recoverability of this particular impact with respect to feasibility and required time and resources. ['extended', 'not-applicable', 'not-recoverable', 'regular', 'supplemented'] | | |
start_time | datetime | The date and time the impact was first recorded. | | |
start_time_fidelity | text | Level of fidelity that the | | |
facebook-account
Facebook account.
facebook-account is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
account-id | text | Account id. | | |
account-name | text | Account name. | | |
archive | link | Archive of the account (Internet Archive, Archive.is, etc). | | |
attachment | attachment | A screen capture or exported list of contacts etc. | | |
description | text | A description of the user. | | |
link | link | Original link to the page (supposed harmless). | | |
url | url | Original URL location of the page (potentially malicious). | | |
user-avatar | attachment | A user profile picture or avatar. | | |
facebook-group
Public or private Facebook group.
facebook-group is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
administrator | text | A user account who is an owner or admin of the group. | | |
archive | link | Archive of the original group (Internet Archive, Archive.is, etc). | | |
attachment | attachment | A screen capture or exported list of contacts, group members, etc. | | |
creator | text | The user account that created the group. | | |
description | text | A description of the group, channel or community. | | |
embedded-link | url | Link embedded in the group description (potentially malicious). | | |
embedded-safe-link | link | Link embedded in the group description (supposed safe). | | |
group-alias | text | Aliases or previous names of the group. | | |
group-name | text | The name of the group, channel or community. | | |
group-type | text | Facebook group type, e.g. general, buy and sell, etc. | | |
hashtag | text | Hashtag used to identify or promote the group. | | |
id | text | Unique identifier of the group. | | |
link | link | Original link to the group (supposed harmless). | | |
privacy | text | Group privacy: public, closed, secret. ['Public', 'Closed', 'Secret'] | | |
url | url | Original URL location of the group (potentially malicious). | | |
facebook-page
Facebook page.
facebook-page is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
archive | link | Archive of the original page (Internet Archive, Archive.is, etc). | | |
attachment | attachment | A screen capture or exported list of contacts, page members, etc. | | |
contact-detail | url | Contact URL listed on the about page. | | |
creator | text | The user account that created the page. | | |
description | text | A description of the page. | | |
embedded-link | url | Link embedded in the page description (potentially malicious). | | |
embedded-safe-link | link | Link embedded in the page description (supposed safe). | | |
event | text | Event announcement on the page. | | |
hashtag | text | Hashtag used to identify or promote the page. | | |
link | link | Original link to the page (supposed harmless). | | |
page-alias | text | Aliases or previous names of the page. | | |
page-id | text | Page id (without the @). | | |
page-name | text | The name of the page. | | |
page-type | text | Facebook page type, e.g. community, product, etc. | | |
related-page-id | text | ID of a page listed as related to this one (without the @). | | |
related-page-name | text | Name of a page listed as related to this one. | | |
team-member | text | A user account who is a member of the page. | | |
url | url | Original URL location of the page (potentially malicious). | | |
facebook-post
Post on a Facebook wall.
facebook-post is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
archive | link | Archive of the original document (Internet Archive, Archive.is, etc). | | |
attachment | attachment | The Facebook post file or screen capture. | | |
embedded-link | url | Link in the Facebook post | | |
embedded-safe-link | link | Safe link in the Facebook post | | |
hashtag | text | Hashtag embedded in the Facebook post | | |
in-reply-to-display-name | text | The display name of the Facebook user whose post this post shares. | | |
in-reply-to-status-id | text | The Facebook ID of the post that this post shares. | | |
in-reply-to-user-id | text | The user ID of the Facebook user whose post this post shares. | | |
language | text | The language of the post. | | |
link | link | Original link to the Facebook post (supposed harmless). | | |
post | text | Raw text of the post. | | |
post-id | text | The Facebook post id. | | |
post-location | text | ID of the group, page or wall the post was posted to. | | |
removal-date | datetime | When the Facebook post was removed. | | |
url | url | Original URL of the Facebook post, e.g. link shortener (potentially malicious). | | |
user-id | text | ID of the account that posted. | | |
user-name | text | Display name of the account that posted. | | |
username | text | Username of the account that posted the Facebook post | | |
username-quoted | text | Username who is quoted in the Facebook post. | | |
facebook-reaction
Reaction to Facebook posts.
facebook-reaction is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
link | link | Link to the user account which did the reaction. | | |
name | text | The name of the user account which did the reaction. | | |
type | text | Type of reaction. ['like', 'love', 'sad', 'haha', 'wow', 'care'] | | |
facial-composite
An object which describes a facial composite.
facial-composite is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
facial-composite | attachment | Facial composite image. | | |
technique | text | Construction technique of the facial composite. ['E-FIT', 'PROfit', 'Sketch', 'Photofit', 'EvoFIT', 'PortraitPad'] | | |
text | text | A description of the facial composite. | | |
fail2ban
Fail2ban event.
fail2ban is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
attack-type | text | Type of the attack | | |
banned-ip | ip-src | IP address banned by fail2ban | | |
failures | counter | Number of failures that led to the ban. | | |
logfile | attachment | Full logfile related to the attack. | | |
logline | text | Example log line that caused the ban. | | |
processing-timestamp | datetime | Timestamp of the report | | |
sensor | text | Identifier of the sensor | | |
victim | text | Identifier of the victim | | |
favicon
A favicon, also known as a shortcut icon, website icon, tab icon, URL icon, or bookmark icon, is a file containing one or more small icons associated with a particular website or web page. The object template can include the murmur3 hash of the favicon to facilitate correlation.
favicon is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
favicon | attachment | The raw favicon file. | | |
favicon-mmh3 | favicon-mmh3 | favicon-mmh3 is the murmur3 hash of a favicon as used in Shodan. | | |
link | link | The original link where the favicon was seen. | | |
file
File object describing a file with meta-information.
file is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
access-time | datetime | The last time the file was accessed | | |
attachment | attachment | A non-malicious file. | | |
authentihash | authentihash | Authenticode executable signature hash | | |
certificate | x509-fingerprint-sha1 | Certificate value if the binary is signed with another authentication scheme than Authenticode | | |
compilation-timestamp | datetime | Compilation timestamp | | |
creation-time | datetime | Creation time of the file | | |
entropy | float | Entropy of the whole file | | |
file-encoding | text | Encoding format of the file ['Adobe-Standard-Encoding', 'Adobe-Symbol-Encoding', 'Amiga-1251', 'ANSI_X3.110-1983', 'ASMO_449', 'Big5', 'Big5-HKSCS', 'BOCU-1', 'BRF', 'BS_4730', 'BS_viewdata', 'CESU-8', 'CP50220', 'CP51932', 'CSA_Z243.4-1985-1', 'CSA_Z243.4-1985-2', 'CSA_Z243.4-1985-gr', 'CSN_369103', 'DEC-MCS', 'DIN_66003', 'dk-us', 'DS_2089', 'EBCDIC-AT-DE', 'EBCDIC-AT-DE-A', 'EBCDIC-CA-FR', 'EBCDIC-DK-NO', 'EBCDIC-DK-NO-A', 'EBCDIC-ES', 'EBCDIC-ES-A', 'EBCDIC-ES-S', 'EBCDIC-FI-SE', 'EBCDIC-FI-SE-A', 'EBCDIC-FR', 'EBCDIC-IT', 'EBCDIC-PT', 'EBCDIC-UK', 'EBCDIC-US', 'ECMA-cyrillic', 'ES', 'ES2', 'EUC-KR', 'Extended_UNIX_Code_Fixed_Width_for_Japanese', 'Extended_UNIX_Code_Packed_Format_for_Japanese', 'GB18030', 'GB_1988-80', 'GB2312', 'GB_2312-80', 'GBK', 'GOST_19768-74', 'greek7', 'greek7-old', 'greek-ccitt', 'HP-DeskTop', 'HP-Legal', 'HP-Math8', 'HP-Pi-font', 'hp-roman8', 'HZ-GB-2312', 'IBM00858', 'IBM00924', 'IBM01140', 'IBM01141', 'IBM01142', 'IBM01143', 'IBM01144', 'IBM01145', 'IBM01146', 'IBM01147', 'IBM01148', 'IBM01149', 'IBM037', 'IBM038', 'IBM1026', 'IBM1047', 'IBM273', 'IBM274', 'IBM275', 'IBM277', 'IBM278', 'IBM280', 'IBM281', 'IBM284', 'IBM285', 'IBM290', 'IBM297', 'IBM420', 'IBM423', 'IBM424', 'IBM437', 'IBM500', 'IBM775', 'IBM850', 'IBM851', 'IBM852', 'IBM855', 'IBM857', 'IBM860', 'IBM861', 'IBM862', 'IBM863', 'IBM864', 'IBM865', 'IBM866', 'IBM868', 'IBM869', 'IBM870', 'IBM871', 'IBM880', 'IBM891', 'IBM903', 'IBM904', 'IBM905', 'IBM918', 'IBM-Symbols', 'IBM-Thai', 'IEC_P27-1', 'INIS', 'INIS-8', 'INIS-cyrillic', 'INVARIANT', 'ISO_10367-box', 'ISO-10646-J-1', 'ISO-10646-UCS-2', 'ISO-10646-UCS-4', 'ISO-10646-UCS-Basic', 'ISO-10646-Unicode-Latin1', 'ISO-10646-UTF-1', 'ISO-11548-1', 'ISO-2022-CN', 'ISO-2022-CN-EXT', 'ISO-2022-JP', 'ISO-2022-JP-2', 'ISO-2022-KR', 'ISO_2033-1983', 'ISO_5427', 'ISO_5427:1981', 'ISO_5428:1980', 'ISO_646.basic:1983', 'ISO_646.irv:1983', 'ISO_6937-2-25', 'ISO_6937-2-add', 'ISO-8859-10', 'ISO_8859-1:1987', 'ISO-8859-13', 'ISO-8859-14', 'ISO-8859-15', 'ISO-8859-16', 'ISO-8859-1-Windows-3.0-Latin-1', 'ISO-8859-1-Windows-3.1-Latin-1', 'ISO_8859-2:1987', 'ISO-8859-2-Windows-Latin-2', 'ISO_8859-3:1988', 'ISO_8859-4:1988', 'ISO_8859-5:1988', 'ISO_8859-6:1987', 'ISO_8859-6-E', 'ISO_8859-6-I', 'ISO_8859-7:1987', 'ISO_8859-8:1988', 'ISO_8859-8-E', 'ISO_8859-8-I', 'ISO_8859-9:1989', 'ISO-8859-9-Windows-Latin-5', 'ISO_8859-supp', 'iso-ir-90', 'ISO-Unicode-IBM-1261', 'ISO-Unicode-IBM-1264', 'ISO-Unicode-IBM-1265', 'ISO-Unicode-IBM-1268', 'ISO-Unicode-IBM-1276', 'IT', 'JIS_C6220-1969-jp', 'JIS_C6220-1969-ro', 'JIS_C6226-1978', 'JIS_C6226-1983', 'JIS_C6229-1984-a', 'JIS_C6229-1984-b', 'JIS_C6229-1984-b-add', 'JIS_C6229-1984-hand', 'JIS_C6229-1984-hand-add', 'JIS_C6229-1984-kana', 'JIS_Encoding', 'JIS_X0201', 'JIS_X0212-1990', 'JUS_I.B1.002', 'JUS_I.B1.003-mac', 'JUS_I.B1.003-serb', 'KOI7-switched', 'KOI8-R', 'KOI8-U', 'KS_C_5601-1987', 'KSC5636', 'KZ-1048', 'latin-greek', 'Latin-greek-1', 'latin-lap', 'macintosh', 'Microsoft-Publishing', 'MNEM', 'MNEMONIC', 'MSZ_7795.3', 'Name', 'NATS-DANO', 'NATS-DANO-ADD', 'NATS-SEFI', 'NATS-SEFI-ADD', 'NC_NC00-10:81', 'NF_Z_62-010', 'NF_Z_62-010_(1973)', 'NS_4551-1', 'NS_4551-2', 'OSD_EBCDIC_DF03_IRV', 'OSD_EBCDIC_DF04_1', 'OSD_EBCDIC_DF04_15', 'PC8-Danish-Norwegian', 'PC8-Turkish', 'PT', 'PT2', 'PTCP154', 'SCSU', 'SEN_850200_B', 'SEN_850200_C', 'Shift_JIS', 'T.101-G2', 'T.61-7bit', 'T.61-8bit', 'TIS-620', 'TSCII', 'UNICODE-1-1', 'UNICODE-1-1-UTF-7', 'UNKNOWN-8BIT', 'US-ASCII', 'us-dk', 'UTF-16', 'UTF-16BE', 'UTF-16LE', 'UTF-32', 'UTF-32BE', 'UTF-32LE', 'UTF-7', 'UTF-8', 'Ventura-International', 'Ventura-Math', 'Ventura-US', 'videotex-suppl', 'VIQR', 'VISCII', 'windows-1250', 'windows-1251', 'windows-1252', 'windows-1253', 'windows-1254', 'windows-1255', 'windows-1256', 'windows-1257', 'windows-1258', 'Windows-31J', 'windows-874'] | | |
filename | filename | Filename on disk | | |
fullpath | text | Complete path of the file, including the filename | | |
imphash | imphash | Hash (md5) calculated from the PE import table | | |
malware-sample | malware-sample | The file itself (binary) | | |
md5 | md5 | [Insecure] MD5 hash (128 bits) | | |
mimetype | mime-type | MIME type | | |
modification-time | datetime | Last time the file was modified | | |
path | text | Path of the file, complete or partial | | |
pattern-in-file | pattern-in-file | Pattern that can be found in the file | | |
sha1 | sha1 | [Insecure] Secure Hash Algorithm 1 (160 bits) | | |
sha224 | sha224 | Secure Hash Algorithm 2 (224 bits) | | |
sha256 | sha256 | Secure Hash Algorithm 2 (256 bits) | | |
sha3-224 | sha3-224 | Secure Hash Algorithm 3 (224 bits) | | |
sha3-256 | sha3-256 | Secure Hash Algorithm 3 (256 bits) | | |
sha3-384 | sha3-384 | Secure Hash Algorithm 3 (384 bits) | | |
sha3-512 | sha3-512 | Secure Hash Algorithm 3 (512 bits) | | |
sha384 | sha384 | Secure Hash Algorithm 2 (384 bits) | | |
sha512 | sha512 | Secure Hash Algorithm 2 (512 bits) | | |
sha512/224 | sha512/224 | Secure Hash Algorithm 2 (224 bits) | | |
sha512/256 | sha512/256 | Secure Hash Algorithm 2 (256 bits) | | |
size-in-bytes | size-in-bytes | Size of the file, in bytes | | |
ssdeep | ssdeep | Fuzzy hash using context triggered piecewise hashes (CTPH) | | |
state | text | State of the file ['Malicious', 'Harmless', 'Signed', 'Revoked', 'Expired', 'Trusted'] | | |
telfhash | telfhash | telfhash - symbol hash for ELF files. | | |
text | text | Free text value to attach to the file | | |
tlsh | tlsh | Fuzzy hash by Trend Micro: Locality Sensitive Hash | | |
vhash | vhash | vhash by VirusTotal | | |
flowintel-cm-case
A case as defined by flowintel-cm.
flowintel-cm-case is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
case-owner-org-name | text | Name of the organisation that created the case. | | |
case-owner-org-uuid | text | UUID of the organisation that created the case. | | |
case-uuid | text | UUID of the case | | |
creation-date | datetime | Creation date of the case | | |
deadline | datetime | Deadline of the case | | |
description | text | A description of the case | | |
finish-date | datetime | Finish date of the case | | |
notes | text | Notes of the case | | |
origin-url | url | Origin of the case | | |
recurring-type | text | Recurring type ['once', 'weekly', 'daily', 'monthly'] | | |
status | text | Status of the case ['created', 'ongoing', 'recurring', 'unavailable', 'rejected', 'finished'] | | |
title | text | Title of the case | | |
flowintel-cm-task
A task as defined by flowintel-cm.
flowintel-cm-task is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
case-uuid | text | UUID of the parent case | | |
creation-date | datetime | Creation date of the task | | |
deadline | datetime | Deadline of the task | | |
description | text | A description of the task | | |
file | attachment | File | | |
finish-date | datetime | Finish date of the task | | |
origin-url | url | Origin of the task | | |
status | text | Status of the task ['created', 'ongoing', 'recurring', 'unavailable', 'rejected', 'finished'] | | |
task-uuid | text | UUID of the task | | |
title | text | Title of the task | | |
url | url | A URL to an external tool | | |
flowintel-cm-task-note
A task’s note as defined by flowintel-cm.
flowintel-cm-task-note is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
note | text | Notes of the task | | |
note-uuid | text | UUID of the note | | |
origin-url | url | Origin of the task | | |
task-uuid | text | UUID of the parent task | | |
forensic-case
An object template to describe a digital forensic case.
forensic-case is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
additional-comments | text | Comments. | | |
analysis-start-date | datetime | Date when the analysis began. | | |
case-name | text | Name to address the case. | | |
case-number | text | Any unique number assigned to the case for unique identification. | | |
name-of-the-analyst | text | Name(s) of the analyst assigned to the case. | | |
references | link | External references | | |
forensic-evidence
An object template to describe digital forensic evidence.
forensic-evidence is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
acquisition-method | text | Method used for acquisition of the evidence. ['Live acquisition', 'Dead/Offline acquisition', 'Physical collection', 'Logical collection', 'File system extraction', 'Chip-off', 'Other'] | | |
acquisition-tools | text | Tools used for acquisition of the evidence. ['dd', 'dc3dd', 'dcfldd', 'EnCase', 'FTK Imager', 'FDAS', 'TrueBack', 'Guymager', 'IXimager', 'Other'] | | |
additional-comments | text | Comments. | | |
case-number | text | A unique number assigned to the case for unique identification. | | |
evidence-number | text | A unique number assigned to the evidence for unique identification. | | |
name | text | Name of the evidence acquired. | | |
references | link | External references | | |
type | text | Evidence type. ['Computer', 'Network', 'Mobile Device', 'Multimedia', 'Cloud', 'IoT', 'Other'] | | |
forged-document
Object describing a forged document.
forged-document is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
archive | link | Archive of the original document (Internet Archive, Archive.is, etc.). | | |
attachment | attachment | The forged document file. | | |
document-name | text | Title of the document. | | |
document-text | text | Raw text of the document | | |
document-type | text | The type of document (not the file type). ['email', 'letterhead', 'speech', 'literature', 'blog', 'microblog', 'photo', 'audio', 'invoice', 'receipt', 'other'] | | |
first-seen | datetime | When the document was first accessible or seen. | | |
last-seen | datetime | When the document was last accessible or seen. | | |
link | link | Original link to the document (supposedly harmless) | | |
objective | text | Objective of the forged document. ['Disinformation', 'Advertising', 'Parody', 'Other'] | | |
purpose-of-document | text | What the document is used for. ['Identification', 'Travel', 'Health', 'Legal', 'Financial', 'Government', 'Military', 'Media', 'Communication', 'Other'] | | |
url | url | Original URL location of the document (potentially malicious) | | |
ftm-Airplane
An airplane, helicopter or other flying vehicle.
ftm-Airplane is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
amount | float | Amount | | |
amountEur | float | Amount in EUR | | |
amountUsd | float | Amount in USD | | |
buildDate | text | Build Date | | |
country | text | Country | | |
currency | text | Currency | | |
description | text | Description | | |
icaoCode | text | ICAO aircraft type designator | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
keywords | text | Keywords | | |
manufacturer | text | Manufacturer | | |
model | text | Model | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
notes | text | Notes | | |
previousName | text | Previous name | | |
program | text | Program | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
registrationDate | text | Registration Date | | |
registrationNumber | text | Registration Number | | |
retrievedAt | text | Retrieved on | | |
serialNumber | text | Serial Number | | |
sourceUrl | url | Source link | | |
summary | text | Summary | | |
topics | text | Topics | | |
type | text | Type | | |
weakAlias | text | Weak alias | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-Assessment
Assessment with meta-data.
ftm-Assessment is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
assessmentId | text | Assessment ID | | |
country | text | Country | | |
description | text | Description | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
keywords | text | Keywords | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
notes | text | Notes | | |
previousName | text | Previous name | | |
program | text | Program | | |
publishDate | text | Date of publishing | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
retrievedAt | text | Retrieved on | | |
sourceUrl | url | Source link | | |
summary | text | Summary | | |
topics | text | Topics | | |
weakAlias | text | Weak alias | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-Asset
A piece of property which can be owned and assigned a monetary value.
ftm-Asset is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
amount | float | Amount | | |
amountEur | float | Amount in EUR | | |
amountUsd | float | Amount in USD | | |
country | text | Country | | |
currency | text | Currency | | |
description | text | Description | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
keywords | text | Keywords | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
notes | text | Notes | | |
previousName | text | Previous name | | |
program | text | Program | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
retrievedAt | text | Retrieved on | | |
sourceUrl | url | Source link | | |
summary | text | Summary | | |
topics | text | Topics | | |
weakAlias | text | Weak alias | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-Associate
Non-family association between two people.
ftm-Associate is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
alephUrl | url | Aleph URL | | |
date | text | Date | | |
description | text | Description | | |
endDate | text | End date | | |
indexText | text | Index text | | |
modifiedAt | text | Modified on | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
recordId | text | Record ID | | |
relationship | text | Nature of the association | | |
retrievedAt | text | Retrieved on | | |
sourceUrl | url | Source URL | | |
startDate | text | Start date | | |
summary | text | Summary | | |
ftm-Audio
Audio with meta-data.
ftm-Audio is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
author | text | The original author, not the uploader | | |
authoredAt | text | Authored on | | |
companiesMentioned | text | Detected companies | | |
contentHash | sha1 | SHA1 hash of the data | | |
country | text | Country | | |
crawler | text | The crawler used to acquire this file | | |
date | text | If not otherwise specified | | |
description | text | Description | | |
detectedCountry | text | Detected country | | |
detectedLanguage | text | Detected language | | |
duration | float | Duration of the audio in ms | | |
emailMentioned | email-src | Detected e-mail addresses | | |
encoding | text | File encoding | | |
extension | text | File extension | | |
fileName | text | File name | | |
fileSize | float | File size | | |
generator | text | The program used to generate this file | | |
ibanMentioned | iban | Detected IBANs | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
ipMentioned | ip-src | Detected IP addresses | | |
keywords | text | Keywords | | |
language | text | Language | | |
locationMentioned | text | Detected locations | | |
messageId | text | Message ID of a document; unique in most cases | | |
mimeType | mime-type | MIME type | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
namesMentioned | text | Detected names | | |
notes | text | Notes | | |
peopleMentioned | text | Detected people | | |
phoneMentioned | phone-number | Detected phones | | |
previousName | text | Previous name | | |
processingError | text | Processing error | | |
processingStatus | text | Processing status | | |
program | text | Program | | |
publishedAt | text | Published on | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
retrievedAt | text | Retrieved on | | |
samplingRate | float | Sampling rate of the audio in Hz | | |
sourceUrl | url | Source link | | |
summary | text | Summary | | |
title | text | Title | | |
topics | text | Topics | | |
weakAlias | text | Weak alias | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-BankAccount
An account held at a bank and controlled by an owner. This may also be used to describe more complex arrangements like correspondent bank settlement accounts.
ftm-BankAccount is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
accountNumber | text | Account Number | | |
accountType | text | Account Type | | |
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
amount | float | Amount | | |
amountEur | float | Amount in EUR | | |
amountUsd | float | Amount in USD | | |
balance | float | Balance | | |
bankAddress | text | Bank Address | | |
bankName | text | Bank Name | | |
bic | text | Bank Identifier Code | | |
country | text | Country | | |
currency | text | Currency | | |
description | text | Description | | |
iban | iban | IBAN | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
keywords | text | Keywords | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
notes | text | Notes | | |
previousName | text | Previous name | | |
program | text | Program | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
retrievedAt | text | Retrieved on | | |
sourceUrl | url | Source link | | |
summary | text | Summary | | |
topics | text | Topics | | |
weakAlias | text | Weak alias | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-Call
Phone call object template including the call and all associated meta-data.
ftm-Call is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
alephUrl | url | Aleph URL | | |
callerNumber | phone-number | Caller’s Number | | |
date | text | Date | | |
description | text | Description | | |
duration | float | Call Duration in seconds | | |
endDate | text | End date | | |
indexText | text | Index text | | |
modifiedAt | text | Modified on | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
receiverNumber | phone-number | Receiver’s Number | | |
recordId | text | Record ID | | |
retrievedAt | text | Retrieved on | | |
sourceUrl | url | Source URL | | |
startDate | text | Start date | | |
summary | text | Summary | | |
ftm-Company
A legal entity representing an association of people, whether natural, legal or a mixture of both, with a specific objective.
ftm-Company is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
amount | float | Amount | | |
amountEur | float | Amount in EUR | | |
amountUsd | float | Amount in USD | | |
bikCode | text | Russian bank account code | | |
bvdId | text | Bureau van Dijk ID | | |
caemCode | text | (RO) What kind of activity a legal entity is allowed to develop | | |
capital | text | Capital | | |
cikCode | text | US SEC Central Index Key | | |
classification | text | Classification | | |
coatoCode | text | COATO / SOATO / OKATO | | |
country | text | Country | | |
currency | text | Currency | | |
description | text | Description | | |
dissolutionDate | text | The date the legal entity was dissolved, if applicable | | |
dunsCode | text | Dun & Bradstreet identifier | | |
| | email-src | Email address | | |
fnsCode | text | (RU, ФНС) Federal Tax Service related info | | |
fssCode | text | (RU, ФСС) Social Security | | |
ibcRuc | text | ibcRUC | | |
icijId | text | ID according to International Consortium for Investigative Journalists | | |
idNumber | text | ID number of any applicable ID | | |
incorporationDate | text | The date the legal entity was incorporated | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
innCode | text | Russian company ID | | |
ipoCode | text | IPO | | |
irsCode | text | US tax ID | | |
jibCode | text | Yugoslavia company ID | | |
jurisdiction | text | Jurisdiction | | |
keywords | text | Keywords | | |
kppCode | text | (RU, КПП) in addition to INN for orgs; reason for registration at FNS | | |
legalForm | text | Legal form | | |
mainCountry | text | Primary country of this entity | | |
mbsCode | text | MBS | | |
modifiedAt | text | Modified on | | |
name | text | Name | | |
notes | text | Notes | | |
ogrnCode | text | Major State Registration Number | | |
okopfCode | text | (RU, ОКОПФ) What kind of business entity | | |
okpoCode | text | Russian industry classifier | | |
oksmCode | text | Russian (ОКСМ) countries classifier | | |
okvedCode | text | (RU, ОКВЭД) Economic activity classifier. OKVED2 is the same but newer | | |
opencorporatesUrl | url | OpenCorporates URL | | |
pfrNumber | text | (RU, ПФР) Pension Fund Registration number. AAA-BBB-CCCCCC, where AAA is organisation region, BBB is district, CCCCCC number at a specific branch | | |
phone | phone-number | Phone number | | |
previousName | text | Previous name | | |
program | text | Program | | |
publisher | text | Publishing source | | |
publisherUrl | url | Publishing source URL | | |
registrationNumber | text | Registration number | | |
retrievedAt | text | Retrieved on | | |
sector | text | Sector | | |
sourceUrl | url | Source link | | |
status | text | Status | | |
summary | text | Summary | | |
swiftBic | text | Bank identifier code | | |
taxNumber | text | Tax identification number | | |
taxStatus | text | Tax status | | |
topics | text | Topics | | |
vatCode | text | (EU) VAT number | | |
voenCode | text | Azerbaijan taxpayer ID | | |
weakAlias | text | Weak alias | | |
website | url | Website address | | |
wikidataId | text | Wikidata ID | | |
wikipediaUrl | url | Wikipedia Article | | |
ftm-Contract
A contract or contract lot issued by an authority. Multiple lots may be awarded to different suppliers (see ContractAward).
ftm-Contract is a MISP object available in JSON format at this location. The JSON format can be freely reused in your application or automatically enabled in MISP.
Object attribute | MISP attribute type | Description | Disable correlation | Multiple |
---|---|---|---|---|
address | text | Address | | |
alephUrl | url | Aleph URL | | |
alias | text | Other name | | |
amount | float | Amount | | |
amountEur | float | Amount in EUR | | |
amountUsd | float | Amount in USD | | |
cancelled | text | Cancelled? | | |
classification | text | Classification | | |
contractDate | text | Contract date | | |
country | text | Country | | |
criteria | text | Contract award criteria | | |
currency | text | Currency | | |
description | text | Description | | |
indexText | text | Index text | | |
indexUpdatedAt | text | Index updated at | | |
keywords | text | Keywords | | |
language | text | Language | | |
method | text | Procurement method | | |
modifiedAt | text | Modified on | | |
name | text | Contract name | | |
notes | text | Notes | | |
noticeId | text | Contract Award Notice ID | | |
numberAwards | text | Number of awards | | |